Are password managers the safest way to guarantee digital security? The recent hack of market-leader LastPass has reopened a debate that many thought had been put to bed.
In theory, password managers, which let users securely store and sync their usernames and passwords so they can log into websites and services, should improve internet security.
By removing the need to use a memorable password, they help prevent password reuse and encourage people to pick strong, unguessable passwords. In doing so, they remove two of the major causes of account breaches.
However, password managers are also a fairly obvious case of putting all your eggs in one basket. If your password manager itself is compromised, the damage can be far greater than if any individual account is breached.
In a security notice to users, LastPass on Monday announced that it had “discovered and blocked suspicious activity” on its network.
Joe Siegrist, co-founder and chief executive, told users what was taken: “The investigation has shown, however, that LastPass account email addresses, password reminders ... and authentication hashes were compromised.”
He emphasised that the holy grail of LastPass, the user vaults, had not been accessed.
The authentication hashes that were stolen are hashed versions of the master passphrase required to unlock a specific user's vault.
The passphrase is heavily hashed - passed through a mathematical function that makes it computationally hard to recover the original passphrase from the stolen value - but a relatively fast desktop can still manage 2,500 guesses a second, according to security researcher Rob Graham.
Even so, a medium-length password would still take years to crack at that speed.
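To make the arithmetic behind the two figures above concrete, here is an added example (not from the article or from LastPass) that derives a salted, stretched authentication hash with PBKDF2 and works out how long an attacker with a leaked copy would need at 2,500 guesses a second. The iteration count and salt are constructed for illustration and are not LastPass's actual parameters.

```python
import hashlib
import hmac

# Constructed parameters for illustration only; not LastPass's real scheme.
PBKDF2_ROUNDS = 100_000
GUESSES_PER_SECOND = 2_500          # rate quoted in the article
SECONDS_PER_YEAR = 365 * 24 * 3600


def authentication_hash(master_password: str, salt: bytes,
                        rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Derive a salted, stretched verifier from the master passphrase.

    Whoever stores this value cannot read the passphrase back out of it, and an
    attacker holding a leaked copy must repeat the full stretch for every guess.
    That per-guess cost is what keeps the rate down to thousands per second
    rather than the billions a plain, unsalted hash would allow.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, dklen=32)


def verify(master_password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(authentication_hash(master_password, salt), stored)


def years_to_exhaust(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every password of this length at `rate` guesses/s."""
    return (charset_size ** length) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"     # constructed sample value
    stored = authentication_hash("correct horse battery", salt)
    print(verify("correct horse battery", salt, stored))   # True
    print(verify("wrong guess", salt, stored))             # False
    # 8 lowercase letters: about 2.6 years at 2,500 guesses/s.
    print(round(years_to_exhaust(26, 8), 1))
    # 8 characters from the 95 printable ASCII symbols: tens of thousands of years.
    print(round(years_to_exhaust(95, 8)))
```

Raising the iteration count scales the attacker's cost linearly, which is why a password manager's stretching parameters matter as much as the master password itself.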
LastPass recommends users change their master password in response to the breach, and will also begin forcing an email confirmation for any login from a previously unused IP address.
‘Asking for trouble’
Tod Beardsley, security engineering manager of security research firm Rapid7, warns users to keep an eye out for phishing attempts now that the mailing list is public.
But the LastPass breach is just the latest practical example of a risk security researchers have been warning about for years: that putting all your passwords in one place may be asking for trouble.
In 2014, a group of researchers from UC Berkeley warned:
“Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the Web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop. Given the increasing popularity of password managers, the possibility of vulnerable password managers is disconcerting and motivates our work.”
That same year, a group of researchers from Microsoft went one step further, recommending that users give up on password managers entirely. They overturned years of conventional security wisdom by advising users to choose weak passwords, and reuse them widely – but only on websites that are not high-security targets.
The rationale is obvious, in hindsight: we can only remember so many passwords. The requirement to use strong, difficult to remember passwords is at odds with the requirement to use a different password on every service, and something’s gotta give. Password managers are one solution, but a solution the researchers question.
The problem is not just large, centralised hacks of the sort LastPass is scrabbling to recover from. It is also that password managers represent a compelling target for all sorts of malware, and targeted attacks.
‘Folk-computer security’
A password manager that stores passwords on a user’s machine is vulnerable to malware such as keyloggers and backdoors, while a password manager that uses any sort of cloud-based storage introduces new avenues of weakness: while the password is being sent to the remote servers, and while it is sitting there.
As a result, the researchers discounted password managers, and in effect, recommended what many people end up doing anyway - a sort of folk-computer security.
That means using a simple, easy-to-remember password for accounts they don’t mind losing to a hack (say, third-tier social networks, or e-commerce sites that do not save payment information), while picking a much stronger password for a few crucial services.
Of course, they did not phrase it like that:
“Optimally, marginal return on effort is inversely proportional to account values … Far from optimal outcomes will result if accounts are grouped arbitrarily.”
In other words, put the most effort into remembering strong passwords for the most valuable accounts.
What is certain is that any solution lying between those two options is the worst of both worlds. Either never write down passwords at all, or store entirely randomised strong passwords in an encrypted password manager with a trusted cloud service.
Just don’t copy the Guardian editor who proudly stores all their passwords in an Excel file on their desktop: “But the computer’s really heavy! No-one’s going to steal that.”
That, dear reader, is how not to do cyber-security.