A few months ago, LastPass suffered a significant breach. Hackers got both the source code and user data, including encrypted secret vaults and plaintext metadata. This is not the first breach LastPass had suffered.
This breach put me in a weird situation. I'd been a champion of using secret vaults for a few years now. After a brief period of trial and examination, I chose LastPass even though it had been breached before. Being happy with the experience despite its quirks and a trying onboarding, I recommended its use to anyone I cared about — my family, friends, and colleagues. I helped them onboard and generate random passwords, install the app everywhere, and come up with a really good master password. In some cases, this wasn't easy and took a lot of guidance and convincing on my part.
The obvious fact I had failed to realize at the time was that a recommendation as strong as that comes with an implicit responsibility. When those people see a major news article about their passwords belonging to hackers now, they reach out to me for questions. They are right — I got them into this mess, didn't I?
Why Evangelize Secret Managers?
I was not always convinced secret managers were a good idea, especially commercial ones with their own cloud infra. As a teen, I started off where more people do, using one "good password" for everything, appending a service-specific prefix or suffix to avoid straight password duplication. I also had the unfortunate experience of working in an enterprise that forced me to change my password every 30 days. The number appended to the end of your password was a token of seniority in that org. I reached some number in the 40s and was really proud of myself and how experienced I was. Of course, when you're proud of something, you really want to share it. And so we did.
I always knew that sharing the chunky part of my password across services was a bad idea. That knowledge became a reality when I started to understand how hackers leverage these common yet faulty tactics to their advantage. Appending two letters to your "good password" does nothing to stop an attacker from compromising one service based on a compromised password for the other. It only makes you feel good about complying with a bad policy. Fortunately, monthly password changes are now passe.
But my first attempt at solving my password problem was using my dad's custom-built bare C based password manager. It was very basic: encrypt and decrypt a text file. You pop the encrypted file on a shared drive and congrats, you have a secret manager! Of course, this has clear downsides, like no mobile support, auto-fill, or password generation. I also wrote my own cli-based interface on top of cloud and native keyvaults. It was great, but still, no utilities. I used these two options for a long while. I was still looking for solutions with those utility features, but anything with the word "cloud" in it was denied at the doorstep.
Then I took an advanced crypto course as part of a masters in computer science. The beauty of Merkel trees and zero knowledge proofs excited my imagination and made me devour the Web in search of real-world applications. I encountered a scientific paper describing secret vaults, and the idea just clicked. Of course, it makes perfect sense! The only way for my passwords to be truly secure is to assume the vault provider is malicious and still be confident that they can't accomplish anything significant. I had reached the conclusion that a password manager that follows the theory would be safe to use.
The other threat vector to get my password is a malicious vendor or party within that vendor. They could, for example, steal my master password from the client application, making the theorized protections irrelevant. After reading through reviews putting different password manager clients under scrutiny, I became convinced that the implementations are up to standards and it's time to migrate.
Several years afterwards, I found myself with hundreds of auto-generated passwords managed by my password manager. I had also been able to convince the people I care about to go through that journey too. I was really happy about it.
What If My Vault Gets Breached?
If hackers actually get access to my plaintext passwords, I will be in a world of hurt. I do have MFA enabled on anything important, but MFA-anyway is notoriously hard to pull off. Just thinking about rolling all those passwords manually gives me a headache. I don't see myself being able to convince my family to do it for their accounts too.
In short, this scenario would be catastrophic.
Wait, Didn't Your Password Manager Just Get Breached?
Well yes, most definitely. One colleague who chose LastPass on my advice recently asked me two questions after reading a concerning article. What happened? and How should he react?
My answer for the first question couldn't be worse. Hackers compromised both code and data. Data contains our vaults, with plaintext metadata including email addresses and our encrypted passwords.
My answer to the second question was very different. There is no indication of the hackers stealing master passwords by abusing the client. We can assume that didn't happen or we would see a whole host of reproductions across the industry. So if your master password is strong enough not to be cracked and you have MFA on everything that matters, you are fine. If you still feel iffy, roll your important passwords.
Concrete steps to take if you were affected by the breach:
- Roll your master password.
- Enable MFA and roll passwords everywhere that matters.
- If your master password was weak, I strongly advise you to roll all of your passwords.
How Can That Be? Aren't Those Answers Contradictory?
The seemingly contradictory nature of these two answers shows just how powerful avoiding storage of sensitive data is.
LastPass got breached. Repeatedly. Attackers took everything there is to take. The impact is severe, but not catastrophic at least given what we know now. That's a brilliant property of the system's design.