How safe are password managers like LastPass?

  • I use LastPass to store and use my passwords, so I do not have duplicate passwords even if I have to register four to five different accounts a day, and the passwords are long.

    How safe are password manager services like LastPass? Don't they create a single point of failure? They are very attractive services for hackers. How can I trust the people behind these services and their security mechanisms? I imagine that a third party (government, company, etc.) would be very easy to 'bribe' and get all of my passwords.

    Are there any other solutions that offer similar services with similar ease of use?

    One important point that it may be useful for you to know is that, at least in some cases, the operators of password managers don't have access to your passwords themselves. They use the credentials you provide to create a decryption key for the passwords, so without your password, they can't see them, unless, of course, they lied about how they do things.

    LastPass does have an extra benefit in that it helps you *think* about password security. So they build in fairly sensible warnings for password strength, recommending you use YubiKeys, recommending against using multiple passwords that are the same.

    I would recommend http://masterpasswordapp.com because it does not store any passwords (apart from your master password) online or on your computer, since it uses an algorithm to generate the passwords. This means if you use another computer, you easily have access and you don't have to worry about losing passwords.

    Does anyone know of any Byzantine password systems? E.g. 3 or 5 online systems, where breaking any single system would not give the cracker all of your passwords. Ideally one might be LastPass, and the other 1Password - i.e. different companies - but even just multiple independent instances of the LastPass servers would provide some extra degree of security. // Possibly Byzantine for reliability as well as security.

    For those interested in viewing how a cloud synced password manager can securely store your data, check out bitwarden.com. The entire product line is open source, so the code is readily viewable on GitHub.

    @iProgram This is good for creating unique passwords, but keep in mind that all your passwords are compromised when you lose your master password (e.g. accidentally type it in the wrong window). With a password manager you need to lose the master password and the password database.

    What is a Byzantine password system?

    Every single password manager out there has flaws, but even the simplest password manager is safer than not using a manager. Your brain is way easier than any password storage; even an Excel worksheet is safer. So keep one you like and use it.
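The stateless scheme recommended above (masterpasswordapp.com) and the caveat raised against it (lose the master password and every site password falls, with no vault file needed) can both be seen in a few lines of code. The block below is an added illustration written for this page, not the app's own algorithm: the real app uses scrypt and its own password templates, whereas the salt format, iteration count, 64-character alphabet and counter encoding here are this example's assumptions.

```python
import hashlib
import hmac

# Added illustration of a stateless ("derived") password scheme in the spirit
# of masterpasswordapp.com. ITERATIONS, the salt layout, ALPHABET and the
# counter encoding are assumptions for this example, not the app's real
# algorithm (which uses scrypt and password templates).
ITERATIONS = 200_000
# Exactly 64 symbols, so `byte % 64` picks characters without modulo bias.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!#")
assert len(ALPHABET) == 64


def master_key(user_name, master_password):
    """Slow derivation: the master password is the only secret, so every
    offline guess at it has to pay for this PBKDF2 call."""
    salt = b"user:" + user_name.encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               ITERATIONS, dklen=32)


def site_password(key, site, counter=1, length=20):
    """Derive the password for one site. Nothing is stored anywhere: the same
    key, site name and counter yield the same password on any machine.
    Bumping the counter is how a password for that site gets rotated."""
    block = hmac.new(key, f"{site}\x00{counter}".encode(),
                     hashlib.sha256).digest()
    out = []
    while len(out) < length:
        for b in block:
            out.append(ALPHABET[b % 64])
            if len(out) == length:
                break
        block = hashlib.sha256(block).digest()  # extend the stream if needed
    return "".join(out)


def regenerate_all(user_name, master_password, sites):
    """The caveat from the comments: whoever learns the master password
    (typed into the wrong window, captured by malware) needs no vault file;
    they run the same derivation for every site they can think of."""
    key = master_key(user_name, master_password)
    return {site: site_password(key, site) for site in sites}


if __name__ == "__main__":
    # Constructed sample inputs for the demo run.
    key = master_key("alice@example.com", "correct horse battery staple")
    print(site_password(key, "github.com"))
    print(site_password(key, "github.com", counter=2))  # rotated password
    print(regenerate_all("alice@example.com", "correct horse battery staple",
                         ["github.com", "bank.example"]))
```

The trade-off the comments argue about is visible in `regenerate_all`: there is no second factor to steal (no encrypted database), so the master password alone is the whole secret, and rotating a leaked site password means remembering a counter rather than editing a vault.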
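The "Byzantine" idea asked about above (several independent services, where breaking any single one yields nothing) is what threshold secret sharing gives you: the vault key is split into n shares, any t of them reconstruct it, and fewer than t reveal no information at all. The block below is an added example for this page, not a feature of LastPass, 1Password or Bitwarden; it implements Shamir's scheme byte-wise over GF(2^8) (the AES field polynomial, an implementation choice here) and splits a constructed 32-byte vault key 2-of-3, so one breached provider learns nothing and one unavailable provider does not lock you out.

```python
import secrets

# Added example: Shamir secret sharing of a vault key across independent
# services. GF(2^8) with the AES reduction polynomial 0x11B is an
# implementation choice for this illustration; shares are (x, bytes) pairs.


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a):
    """a^254 == a^-1 in GF(2^8); a must be non-zero."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_secret(secret, n, t):
    """Split `secret` into n shares such that any t reconstruct it.
    Each byte gets its own random polynomial of degree t-1 whose constant
    term is the secret byte; share x holds f(x) for x = 1..n."""
    if not 1 <= t <= n <= 255:
        raise ValueError("need 1 <= t <= n <= 255")
    shares = [(x, bytearray()) for x in range(1, n + 1)]
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(t - 1)]
        for x, buf in shares:
            y = 0
            for c in reversed(coeffs):      # Horner evaluation of f(x)
                y = gf_mul(y, x) ^ c
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in shares]


def combine_shares(shares):
    """Lagrange-interpolate f(0) byte by byte from the given shares.
    With fewer than t shares this returns garbage, not an error: the
    scheme gives no hint about how close a partial attacker is."""
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)        # (0 - x_m) == x_m in char 2
                    den = gf_mul(den, xj ^ xm)   # (x_j - x_m)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    vault_key = secrets.token_bytes(32)          # constructed sample key
    # One share per provider; each provider alone holds nothing useful.
    provider_a, provider_b, provider_c = split_secret(vault_key, n=3, t=2)
    print(combine_shares([provider_a, provider_c]) == vault_key)   # True
    print(combine_shares([provider_b]) == vault_key)               # False
```

What this does not solve: the encrypted vault itself still has to live somewhere, the client that reassembles the key is the same single point of failure the answer below discusses, and each provider would need an API for storing an opaque share, which none of the named products offer today.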

  • paj28 (correct answer, 7 years ago)

    We should distinguish between offline password managers (like Password Safe) and online password managers (like LastPass).

    Offline password managers carry relatively little risk. It is true that the saved passwords are a single point of failure. But then, your computer is a single point of failure too. The most likely cause of a breach is getting malware on your computer. Without a password manager, malware can quietly sit and capture all the passwords you use. With a password manager, it's slightly worse, because once the malware has captured the master password, it gets all your passwords. But then, who cares about the ones you never use? It is theoretically possible that the password manager could be trojaned, or have a back door - but this is true with any software. I feel comfortable trusting widely used password managers, like Password Safe.

    Online password managers have the significant benefit that your passwords are available on anyone's computer, but they also carry somewhat more risk. Partly because the online database could be breached (whether by hacking, court order, malicious insider, etc.). Also, because LastPass integrates with browsers, it has a larger attack surface, so there could be technical vulnerabilities (which are unlikely with a standalone app like Password Safe).

    Now, for most people these risks are acceptable, and I would suggest that the approach of using a password manager like LastPass for most of your passwords is better than using the same password everywhere - which seems to be the main alternative. But I wouldn't store every password in there; make an effort to memorize your most important ones, like online banking.

    I know someone who won't use Password Safe and instead has a physical notebook with his passwords in obfuscated form. This notebook is obviously much safer against malware... whether it's at greater risk of loss/theft is an interesting question.

    I like your writing and the cohesion of your answer. Obviously I don't use LastPass for bank passwords. Your answer completely covers my question: how much trust to actually put in these programs.

    Check out this answer here: http://security.stackexchange.com/questions/45066/does-the-average-user-really-need-a-password-manager @tylerl explains an overlooked security advantage of online, cloud-based password managers.

    The advantage talked about has nothing to do with online, cloud-based password managers. The important feature is a password manager with a *browser plugin*.

    I think it is worth mentioning that LastPass (and others?) encrypts and decrypts your password vault on your local machine. The important implications of that are that 1) your master password is never sent over the wire, and 2) the service provider only has access to your encrypted vault.

    @HDave client-side encryption helps against outside attack but it won't save me from client-side malware (this is true for both offline and online tools).

    Once you have client side malware isn't the game lost anyways? Assuming it isn't intrusive it will eventually capture all data that is of import regardless of using a password manager or not.

    Furthermore, we should distinguish between proprietary online solutions like LastPass and libre online solutions such as BitWarden.

    *who cares about the ones you never use?*, I login multiple times a week to the online bank where I keep my current account, but there's very little money there. I only login several times per year to the online bank where I keep my savings, which has substantially more money. Of course both use multi-factor-authentication (and from my savings bank I can only transfer to my current account and nowhere else) so even a lost password wouldn't ruin me, but some passwords I rarely use could in principle be very valuable.

    *Online password managers have the significant benefit that your passwords are available on anyone's computer*, is that benefit still relevant when users can simply install keepass on their smartphone? In the worst case they have to manually copy a password from a smartphone screen to a public computer, but many people carry a smartphone around at all times nowadays.
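The claim made twice in this thread (in the question's comments and again above) that the vault is encrypted and decrypted locally, so the master password never crosses the wire and the provider holds only ciphertext, is easy to make concrete. The block below is an added example for this page, not LastPass's or Bitwarden's code. Its assumptions: PBKDF2 salted with the account e-mail plus a separate login hash is a layout in the spirit of published schemes such as Bitwarden's, not an exact reproduction; the iteration count is arbitrary; and because Python's standard library has no AES, `seal`/`unseal` use an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for the AES-GCM or AES-CBC+HMAC a real product would use. The `client_open` function is also exactly what malware holding the master password can do, which is the point made in the reply about client-side malware.

```python
import hashlib
import hmac
import json
import secrets

# Added illustration of client-side vault encryption. Key layout, record
# format and the HMAC-based cipher are this example's assumptions, not any
# product's real implementation.
ITERATIONS = 100_000


def derive_keys(email, master_password):
    """Runs on the client only. Returns (vault_key, login_hash): the first
    never leaves the device, the second is the only thing sent at login."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                     email.lower().encode(), ITERATIONS,
                                     dklen=32)
    vault_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    login_hash = hmac.new(master_key, b"login", hashlib.sha256).digest()
    return vault_key, login_hash


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(vault_key, plaintext):
    """nonce || ciphertext || tag, encrypt-then-MAC with separate sub-keys
    (stand-in for an AEAD such as AES-GCM)."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(vault_key, blob):
    """Raises ValueError on a wrong key or a tampered blob; the tag is
    verified before any decryption."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_sync(email, master_password, vault):
    """What the client uploads. Neither the master password nor vault_key
    appears in this record, so a dump of the provider's database yields
    only ciphertext plus a hashed login verifier."""
    vault_key, login_hash = derive_keys(email, master_password)
    blob = seal(vault_key, json.dumps(vault).encode())
    return {
        "email": email,
        "login_verifier": hashlib.sha256(login_hash).hexdigest(),
        "vault": blob.hex(),
    }


def server_login(record, login_hash):
    """Server side: compare the hashed login hash in constant time."""
    return hmac.compare_digest(record["login_verifier"],
                               hashlib.sha256(login_hash).hexdigest())


def client_open(record, master_password):
    """Decryption happens locally. Anyone holding the master password on
    the client (the user, or malware on that machine) can do this."""
    vault_key, _ = derive_keys(record["email"], master_password)
    return json.loads(unseal(vault_key, bytes.fromhex(record["vault"])))


if __name__ == "__main__":
    # Constructed sample vault for the demo run.
    vault = {"bank.example": "long-unique-bank-password", "mail.example": "x"}
    record = client_sync("alice@example.com", "correct horse battery staple", vault)
    print(record)                                   # ciphertext and hashes only
    print(client_open(record, "correct horse battery staple") == vault)  # True
```

Two caveats a practitioner would add. A breached provider still gets to run an offline guessing attack against the stored vault, which is why the PBKDF2 cost (or Argon2 in newer designs) and the master password's strength matter so much. And nothing here protects the vault once it is open in memory on a compromised client, which is the point the reply about client-side malware makes.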

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM