LastPass hacked – can password managers be trusted?


More sad hacking news. The password manager LastPass has recently suffered an intrusion in which some sensitive data got into the wrong hands. Fortunately, the incident didn’t leak any passwords directly. But some data that makes it easier to attack the system did leak out.

Intrusions happen all the time. But this incident is remarkable because it targeted the holiest of holies: the password manager that stores all the important passwords and can open the door to every system. It’s hard to imagine anything worse than a broken password manager. Isn’t it?

But what can and should we do? Users of LastPass should change their master password promptly. But one question remains: is it a good idea to trust a password manager and put all the eggs in one basket? Some people are already telling us to store the password database only locally, on our own device. But that is clumsy, as we need the passwords on many devices. Do we really have to dump cloud-based password managers?

First of all: yes, you should keep using a password manager. Don’t let this incident scare you. It enables you to use stronger passwords on every service and still stay on top of them. A password manager does increase your security. But it is a component you need to select carefully, to ensure it doesn’t become the weakest link.

But what about cloud storage of the password database? Yes, storing this critical database in the cloud introduces new risks, as the LastPass case demonstrated. But there is a way to eliminate these risks and still have the passwords available on all devices. The team behind F-Secure Key was well aware of these risks and created a hybrid solution.

This product does store your encrypted password database in the cloud, but not the keys needed to decrypt it. Those are only handled on your own devices, never in the cloud. We are naturally still hardening all the involved systems to make server intrusions as unlikely as possible. But even if someone manages to break in, the cloud-stored data is incomplete: ciphertext without the key. That’s a pretty reliable defense.
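To make the split concrete, here is an added illustration of the hybrid design described above. It is not F-Secure Key’s or LastPass’s code, and the exact KDF settings and field names are assumptions. The device derives an encryption key and a MAC key from the master password with PBKDF2, encrypts the vault, and uploads only the resulting blob; the server never sees the master password or the derived keys. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only because it needs nothing beyond the standard library; a real product would use an authenticated cipher such as AES-GCM.

```python
"""Client-side vault encryption: what the cloud stores vs. what the device keeps.

Added example (not the code of any product named in the post). The cipher
construction is a stdlib-only stand-in for a real authenticated cipher.
"""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 100_000  # assumption: illustrative PBKDF2 cost parameter


def derive_keys(master_password, salt, iterations):
    """Derive 64 bytes from the master password and split them into an
    encryption key and a MAC key. Only the device ever runs this."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a simple PRF keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password, vault):
    """Runs on the device. Returns the only thing that is uploaded: a blob of
    salt, nonce, ciphertext and tag. No key material is included."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, KDF_ITERATIONS)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {
        "kdf_iterations": KDF_ITERATIONS,
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def decrypt_vault(master_password, blob):
    """Runs on the device after downloading the blob. Verifies the tag before
    decrypting, so a wrong password or a tampered blob is rejected."""
    salt = bytes.fromhex(blob["salt"])
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    tag = bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt, blob["kdf_iterations"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault blob")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def server_side_view(blob):
    """What an intruder who dumps the server database gets: the blob's fields
    and nothing else. There is no key or password field to take."""
    return set(blob.keys())


if __name__ == "__main__":
    # Constructed sample vault for the demo.
    vault = {"example.com": "s3cret-one", "mail.example": "s3cret-two"}
    blob = encrypt_vault("correct horse battery staple", vault)
    print("stored on server:", sorted(server_side_view(blob)))
    print("round trip ok:", decrypt_vault("correct horse battery staple", blob) == vault)
```

The blob is all a server breach can yield. What it does give an intruder is the salt and iteration count, which is exactly the kind of data the post means by “makes it easier to attack the system”: it lets guesses at the master password be checked offline against the tag, which is why changing a weak master password after such a breach matters, and why the device-side KDF cost should be set high.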

So, to conclude: yes, keep using a password manager and worry less about compromised accounts and forgotten passwords. And if your choice is F-Secure Key, you can stop worrying about data leaks from the servers too.


Safe surfing,
Micke


Image: uploaded by Colin


7 Comments

You state that “This product does never store your most precious database in the cloud.” however the product page (https://www.f-secure.com/en_GB/web/home_gb/key) states that “All the data is encrypted and stored both on your device(s) and on our servers hosted in Finland, Europe, under European data protection laws.”

So would password databases be stored on your servers in Finland, or not?

Thanks for pointing this out. The original wording in the post was misleading due to a misinterpreted technical document. My bad, sorry. The text has been updated to state that we indeed store encrypted passwords but not keys needed to decrypt them.

There are complicated engineering trade-offs between the design decisions of these products. Compared to using or not using a password manager, the differences are puny. I’m a LastPass user and I’m sure F-Secure Key users are about as safe as I am. I’m sure it’s a good product.
FWIW, to me the LastPass breach just demonstrated the depth and strength of their security practices. Users who have not changed master passwords have an increased risk of compromise, but even with all the data they stole, the attackers have a lot of work ahead of them to hack any individual user. And if the user uses two-factor authentication, which password managers make easier to do, then they’re still safe in any case.
It’s a shame that password managers are still complicated for the average user. People who use them conscientiously are far, far more secure than those who don’t.

Yes, I agree. It is a sign of good design when a breach like this still doesn’t leak out the passwords.

I don’t mean to underestimate or belittle “the average user”, but IMHO the password managers are really not that complicated. Perhaps the average users would gain a much better idea about the software if they only spared a few more minutes to learn about the software they use. There is only so much password manager developers can do to make their product as effortless as the average users seem to expect. As a user, I am aware of the fact that it is I who is most interested in keeping my stuff safe, and therefore I do not mind sparing a little time to learn how to use an application developed to help me. Or, alternatively, and much more expensively, I could hire someone to manage all my IT stuff for me so that I didn’t have to know anything about it at all. Sorry, that does sound like a very stupid idea.
… Here’s an entirely different topic: should I decide to purchase, say, three different products from F-Secure (since I have not found one product containing all necessary features), is there a chance of a discount? I’m talking about F-Secure SAFE + F-Secure Freedome + F-Secure Key for 3 devices.
