I had this little rant published on ITnews.com.au today, in response to the news yesterday of LastPass being hacked:
If I suggested you put all your brass keys in a wet paper bag labelled “All My Keys!” and tape that bag to the outside of your front door on a busy street with non-stop pedestrian traffic before you go to bed, would you feel safe?
Would you expect your car to still be there in the morning, or your office in one piece overnight?
The endless river of security bungles, vulnerabilities and exploits of the past decade has taught us that passwords for every service we use need to be both unique and strong, but of course only Rain Man can remember so many individual passwords.
Thus we entered the era of ‘password managers’, which store all those credentials in a database you access with a single ‘master password’ and which provides single-click log in to each website. They’ve been de rigueur for the tech-savvy and security conscious user alike for many years.
“…we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed,” LastPass said.
“The investigation has shown, however, that LastPass account email addresses, password reminders, server per-user salts, and authentication hashes were compromised.”
One thing we can count on is that hackers do not bother stealing per-user salts and authentication hashes without the intention of using them to unlock users’ credential databases.
If we take LastPass at its word that its investigation is complete and conclusive, perhaps the hackers hadn’t yet stolen users’ actual credential databases before the breach was discovered and closed.
Or, as is more likely given it’s only been a few days since the breach was discovered, LastPass may have not yet concluded or been able to prove a breach of user credential ‘vault’ data, so has erred on the side of early disclosure to users.
(Intrusions and theft can go undetected for days, for years, or forever, and even once discovered, investigations can take rather longer than a few days.)
This was not an isolated case. It’s happened before to LastPass, and last year security researchers found multiple ‘gaping’ security vulnerabilities in no fewer than five password manager products - all of them online/cloud-based, including LastPass.
Returning to the key analogy, no rational person would expose their physical property to such a risk. So why do it with your online data and identity?
The problem with software-as-a-service password managers - where you can log in to a website and access your stored credentials - is that they’re made of the very same stuff that creates so much of our IT security angst. When it comes to security, “web technologies” are the wet paper bag.
Websites are a constantly evolving mish-mash of languages, frameworks, libraries and third-party services, and often written by programmers with too little security awareness whose focus is on the application rather than security.
A password manager service that lets you access your passwords via the vendor’s website is absurd and self-contradictory by definition of the very problem it’s trying to solve - inherently insecure web technologies, hacked with monotonous regularity, are the reason we need unique and strong passwords for each site in the first place.
So what do you do?
Go back to a hand-written piece of paper locked in a filing cabinet? No.
The solution is simple, and already exists. Not all password manager solutions insist that you accept the convenience of their centralised online solution, because some vendors understand that such an approach is antithetical to genuine security against clearly identifiable attack vectors.
It is almost infinitely easier to encrypt a single file, or folder full of files (containing all your login credentials) - and get it right - than it is to make an online service comprising dozens of ‘moving parts’, many of which are ‘software of unknown quality’, be truly secure.
Modern crypto can encrypt a file that no one on earth, not even the NSA/GCHQ/ASIO et al., can crack. Then, and only then, can your encrypted password database be synced across your devices, but never made available via a web-based service.
Certainly there are some features cut short by this policy, but I suspect for most people they’re not deal-breakers.
There are many such password managers. My personal choice with matured and ongoing development and multi-platform support is 1Password. Other popular contenders are Dashlane, KeePass, Keeper, and Password Safe.
There are others, but the rule to remember is: if it’s a software service touting the ability to log in to its website to access your passwords, give it a wide berth.