Well, with the latest admission from LastPass regarding what happened with their systems being compromised by a malicious actor, a lot has happened. My own password manager of choice, 1Password, posted a blog about the breach from their perspective.
This is a rare occurrence as normally competitors don’t comment on another company’s breach, but I feel it is warranted as some misinformation from LastPass was used in their updated notification from above.
There certainly is a lot of technical detail in both the above blog posts, and there are a lot of things that LastPass did not do well in their product, or how they handled their security in recent years. A great post from Jeremi M Gosney over on the infosec.exchange Mastodon instance has some great points on how the LastPass team has handled security issues in the past.
Is Using A Password Managers A Bad Idea
Unfortunately not everyone will read these articles and expert opinions, and will lump all cloud-based password managers together and consider them unsafe. Are they unsafe? In general, no they are not and I do have faith in them. I’m a strong supporter of 1Password, and a lot of folks are also recommending BitWarden. Both are fine password managers in my opinion, as they are very popular. There are a lot of other cloud-based password managers out there as well, but they are not as well recognized or as popular. I personally don’t have experience with them, so I won’t offer an opinion on them either way.
So is a password manager a bad idea? No, not at all. Is a cloud-based password manager a bad idea? Not really, but it all boils down to a personal sense of risk acceptance. What do I mean by that? Simple - do you trust your passwords to some random 3rd party on the Internet, or do you think you can do a better job securing your own passwords?
Some people will just put their passwords in a spreadsheet and keep it locally on their computer. Others will use an offline password manager like KeePass for their passwords. It all boils down to your risk acceptance. For those who have trust issues due to the LastPass fiasco, an offline password manager is just fine. Even using the built-in password manager in your browser can work, but keep in mind that if you sync your browser via the web, then you are likely also synchronizing your passwords, so you’re basically trading one solution for another.
Don’t store your passwords in a spreadsheet, or you’re asking for trouble. From accidentally making it public to
If you want to use an offline password manager (KeyPass is a great solution for this), then be sure to use a strong master password! This is the same advice for cloud-based password managers, which ironically is the only thing that is keeping the LastPass attackers from getting access to those stolen vaults.
Why Should I Use A Password Manager
Some of you may not be using a password manager currently, and perhaps that’s working out fine for you. I’d guess you’re either using the same password across most sites you log into, including your email, or you use a variation on a common password, like FBpass123 for Facebook and GmailPass123 for GMail. If so, I honestly wish you luck and encourage you to reconsider.
Humans are bad at coming up with complex passwords, let alone remembering more than a handful of them. A password manager (cloud-based or local) will help come up with unique passwords for any site you use, which helps ensure you don’t lose access to other accounts that share the same password. The requirement on the user to remember a complex password boils down to one master password. This is the most important pro and con for any type of password manager, namely that you need to have a strong password. I strongly recommend using a passphrase rather than a password.
If you need to share a password, then a password manager is a great help as well. There are a few that have the ability to share passwords with family members, co-workers, etc, versus sharing passwords via email, text, or Slack/WhatsApp/etc.
Cloud vs Local Password Managers
The LastPass breach has forced a lot of people to choose to move away from cloud-based password managers because they feel they are unsafe. This is not the norm, in my opinion, and I will continue to use 1Password as I have for years. Why? Because I feel that they can do a better job at protecting my passwords than I do. If in the future I feel that to not be the case, then I will switch again.
I know other security professionals who are moving to KeePass for offline password management, and all the power to them. Some are going with a hybrid approach of using both, but more sensitive passwords will be stored locally on a USB stick, i.e. keeping them air gapped. In all honesty it boils down to your personal level of risk acceptance.
If you feel you can better protect your passwords yourself, then use a local password manager. If you want to be able to share passwords with family, co-workers, etc, then a password manager may be a better fit. Again, at the end of the day it is all about what level of risk you’re willing to accept. Just please don’t re-use passwords!
Cloud-based password managers are not all like LastPass. LastPass has handled their breach very poorly, to put it mildly. I would recommend moving away from LastPass if you use it, but at the same time, I wouldn’t stop using a password manager either. There’s far more to be gained with a password manager than not. Which one you chose to use is going to be a personal preference, but please don’t throw away the baby with the bathwater.
Schedule A Consultation
Looking for more insight into managing passwords or other security concerns? We’re happy to offer you a free 30-minute consultation where we can discuss these and other cybersecurity topics in more depth with you or your company. Book an appointment today!