Yesterday, the Washington Post ran an article about some important security research on password managers, describing a number of serious vulnerabilities in some of the most popular products in this space. However, the author of the piece urged readers to keep using password managers, as the risk of badly constructed, duplicate, easy to guess passwords is way higher than the risk posed by these vulnerabilities. Here’s why I agree:
Bad passwords are much easier and more profitable for attackers to target than these vulnerabilities. If you are not the target of a “highly sophisticated nation state” or their minions, attackers are probably not going to bother trying to get at your password manager (yet). Since so few users have password managers installed and so many users’ passwords are either available in password dumps on the Internet or easily guessed, it makes economic sense for hackers to just keep doing what they are doing today.
These vulnerabilities will be fixed toot sweet. This report is highly embarrassing and threatens the revenues of these vendors. I would be shocked if we did not see new, patched versions of all of the products listed within a week.
There are steps you can take to protect yourself. First and foremost, if you are not using two-factor authentication with your password manager, start doing so. And while you are at it, if your password manager allows you to limit the devices used to log in or the countries they can log in from, set these protections up as well. None of these protections alone will stop Vladimir Putin from reading your email or posting to your Facebook account, but each road block you set up will encourage attackers to move on to an easier target.
So, if you are using a password manager, look for (and install) the inevitable updates that will be coming your way in the coming days. If you don’t see an update for your chosen service, it may be time to think about switching to a more security-responsive service.
If you are not using a password manager, don’t be scared off – it is still one of the most important security measures you can take to protect your online life.
ALL SOFTWARE HAS VULNERABILITIES. The key to living safely in a connected world is to be aware of, mitigate and repair those vulnerabilities in a timely fashion. Software security researchers are the “immune system” of our connected world and work like this is a net positive in keeping us all safer.
Some of the described flaws have already been fixed. A LastPass spokesperson told The Register it had sorted the memory disclosure issues described in its products, and that even when the flaw was present, a real-world exploit would require the attacker to have local access to the machine with admin clearance.
(Source: The Register)
I like LastPass, both from a features point of view and for their responsiveness to security issues. And no, they don’t pay me to say that.