Since I am a massive advocate of Password Managers and have been publicly, I thought it only fair to address the elephant in the room. How do I feel now that LastPass has released details of the breach they suffered, given I have been a user for the last decade or thereabouts?
I am an optimist by nature, but I am also a pragmatist due to my now 51 years on this spherical ball we call Earth. There is no such thing as perfect security, just as there is no way to completely de-risk our world. Most of it comes down to risk reduction/management and finding a cost-benefit ratio that suits you, one you are happy with.
So, as we assess this breach, I think it is essential to look, not so much at some “ivory tower” unimplementable ideal, but, at the alternatives that a reasonable person could employ to do the same job and see how they measure up.
Using the same password for everything.
This won’t work! The number of passwords stolen from websites that don’t have their security ducks in a row is crazy. This is a recipe for disaster. Also, when one website forces a change, everything falls apart.
Tweaking the password in a way that means you have different passwords for each site, but you can still remember them.
For example, “itunesMyP@ssword”. This might work if you are a polymath, but on balance it is a bad idea, and it will start to break down the first time you are forced into a password reset. Also, in the example above, it wouldn’t take a genius to guess your Amazon password, would it?
Writing everything down.
I know several people who do this. I’m not going to lie; they are mostly older folk. This one is probably one of the better bad methodologies. You can have good passwords, change them and keep track of them, but it has a few disadvantages that you definitely won’t need to be a polymath to see. It can be lost. Others can look at it without any logging. It isn’t encrypted at all. And finally, it is hard to back up and keep abreast of changes, and you need to carry it everywhere.
Built-in Edge, Chrome or Safari password remembering.
If you aren’t prepared to pay £2 a month for a password manager, this is probably your most manageable option. However, it has some significant downsides. Firstly, it isn’t platform agnostic enough for me, which negates most of the advantages, in my opinion. Secondly, it is a browser add-on and as such isn’t designed from the ground up with security in mind; it is convenience focused. If you look up getting passwords out of Google/Edge/Safari, you will see it is effortless. Also, no one logs out of their browser, so anyone on the computer can access it. Another interesting aside is that, as IT consultants, one of the most common issues we see related to passwords is computer corruption/failure where the passwords are in the browser and nowhere else. Once the computer is rebuilt and returned to the user, they have no idea what their passwords are, because the passwords stored in the browser sometimes aren’t associated with a cloud account, e.g., Hotmail or Gmail. I would argue the £2 is well worth it for a paid password manager, and you just haven’t done the correct math.
LastPass and alternatives.
Even with the latest breach at LastPass, which is serious, the current advice is that if you followed the recommendation when setting up a master password, your password data is largely safe for now. Most good password managers use a zero-trust model, which means they cannot see your password data. I’m using language very carefully here. There is scope for another post on this, but for now, I’ll leave you with LastPass’ own update if you want more info.
Other essential elements aren’t getting a lot of attention. We are told that we live in a world of assumed breach, and this incident confirms it. We should always assume that our data can come under attack. This must be part of the plan, so what happens when LastPass gets breached? LastPass has been breached, but because the vault is encrypted, I now have time to change passwords and reduce the value of my data to any cyber-criminal. Is this a massive pain? Yes, it is. But for the most part, password managers seriously help with this and reduce the friction associated with password resets.
In almost all of the other mechanisms, bad actors would have immediate access to a chunk (if not all) of your passwords and be away making a nuisance of themselves in your life. To be clear, I am not happy, and enough information has come out about the quality of what has gone on at LastPass since it was sold to LogMeIn to cause me to move to another password manager, but I am not panicking about having been breached. I have some time to manage that move, and I appreciate LastPass for that if nothing else. This may be open to some debate, although the general consensus seems to be that cracking my master password would be expensive and time-consuming.
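To put “expensive and time-consuming” into rough numbers, here is an added back-of-envelope estimate (my own, not from the post or from LastPass) of how long offline guessing against a stolen encrypted vault takes for different master-password choices. The KDF round count and the attacker’s guess rate are assumptions, not published figures, and the model treats the master password as uniformly random.

```python
import math

# Assumed, not from the post or LastPass: each master-password guess costs this
# many PBKDF2 rounds, and a well-funded attacker can compute this many
# PBKDF2-SHA256 rounds per second across their hardware.
ASSUMED_KDF_ROUNDS = 100_000
ASSUMED_ROUNDS_PER_SECOND = 2 * 10**10

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(length, charset_size):
    """Bits of entropy for a uniformly random password of `length` symbols
    drawn from an alphabet of `charset_size` symbols."""
    return length * math.log2(charset_size)


def expected_crack_years(length, charset_size,
                         kdf_rounds=ASSUMED_KDF_ROUNDS,
                         rounds_per_second=ASSUMED_ROUNDS_PER_SECOND):
    """Expected years to recover a random master password by offline guessing.
    On average the attacker searches half the keyspace, and every guess must
    be run through the full KDF before the vault key can be tested."""
    guesses = charset_size ** length / 2
    seconds = guesses * kdf_rounds / rounds_per_second
    return seconds / SECONDS_PER_YEAR


# Constructed comparison profiles: (length, alphabet size).
PROFILES = {
    "8 lowercase letters": (8, 26),
    "12 mixed case, digits, symbols": (12, 94),
    "20 mixed case, digits, symbols": (20, 94),
}


def report():
    """Return {profile: (entropy_bits, expected_years)} for the profiles above."""
    return {name: (entropy_bits(n, cs), expected_crack_years(n, cs))
            for name, (n, cs) in PROFILES.items()}


if __name__ == "__main__":
    for name, (bits, years) in report().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years")
```

The weak profile falls in days under these assumptions, which is why following the master-password recommendation is what actually buys the rotation window the post describes.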
The biggest issue caused by this incident is that it casts aspersions on Password Managers in general and will give people with no interest in security cover to keep their heads in the sand. Please don’t do that. Get yourself a good password manager and use it.
If you are one of the folks who think problems like this negate the need for securing things, whatever you do, don’t look up the Rishi Lock Pick on YouTube. If the LastPass breach has caused you not to use a password manager, the Rishi will make you unscrew your front door lock and chuck it in a skip. Just remember to plug the hole it leaves.
We live in an uncertain world, but that does not absolve us from taking reasonable steps to secure our stuff. Password managers are essential and should be used by most people. Even when breached, they remain your best chance of denying an attacker immediate access to your data, buying you crucial time to reset passwords before bad actors get in.