More sad hacking news. The password manager LastPass has recently suffered an intrusion in which some sensitive data got into the wrong hands. Fortunately, the incident didn’t leak any passwords directly. But some data that makes it easier to break the system did leak out.
Intrusions happen all the time. But this incident is remarkable because it targeted the holiest target of all: the password manager that stores all the important passwords and can open the door to every system. It’s hard to imagine anything worse than a broken password manager. Isn’t it?
But what can and should we do? Users of LastPass should change their master password promptly. But one question remains: is it a good idea to trust a password manager and put all the eggs in one basket? Some people are already telling us to store the password database only locally on our own device. But that is clumsy, as we need the passwords on many devices. Do we really have to dump cloud-based password managers?
First of all: yes, you should keep using a password manager. Don’t let this incident scare you. It enables you to use a strong, unique password on every service and still keep track of them all. A password manager does increase your security. But it is a component that you need to select carefully to ensure it doesn’t become the weakest link.
But what about cloud storage of the password database? Yes, storing this critical database in the cloud introduces new risks, as the LastPass case demonstrated. But there is a way to eliminate these risks and still have the passwords available on all devices. The team behind F-Secure Key was well aware of these risks and created a hybrid solution.
This product does store your encrypted password database in the cloud, but not the keys needed to decrypt it. The keys are handled only on your own devices, never in the cloud. We are naturally still hardening all the involved systems to make server intrusions as unlikely as possible. But even if someone manages to break in, the cloud-stored data is incomplete: ciphertext without a key. That’s a pretty reliable defense.
So, to conclude: yes, keep using a password manager and worry less about compromised accounts and forgotten passwords. And if your choice is F-Secure Key, you can stop worrying about data leaks from the servers too.
Image uploaded by Colin