Heartbleed: A Password Manager Reality Check

Is a password manager an effective defense against vulnerabilities like Heartbleed, or just another way to lose data to hackers?

Mathew J. Schwartz, Contributor

April 18, 2014

6 Min Read

Should the OpenSSL Heartbleed bug serve as a wake-up call for people not using a password management application or service to manage their passwords? Consider who are at the greatest risk of having their passwords stolen by Heartbleed-targeting hackers: People who reuse their passwords across multiple sites. That's because an attacker only needs to hack into one site -- say, a social network -- to obtain a password that works across multiple sites, such as your banking website.

Faced with that reality, some users have opted to tap a purpose-built security tool for generating and storing strong passwords. "If you don't use a password manager, you will end up using the same password on multiple sites. That password, becomes a 'basket' in which your security for all of the sites you use it for are stored," said David Chartier at AgileBits, which develops 1Password, via email. "So if you use the same password on Amazon, eBay, Facebook, MyCatPictures, and others, then all of those sites are in the same basket. And that basket is extremely fragile. A breach of one of those sites is a breach for all."

Here are some facts to consider if you're wondering whether one of the many different password managers that are available is right for you or your organization:

1. Your own "password manager" might be lacking
When weighing password managers, the first question should be: What are you doing now? How many people have a Word document -- perhaps named "passwords.docx" -- tracking all of their passwords? If so, watch out for malware infections. Harvesting files with interesting-sounding words is child's play for hackers.

2. Security experts swear by password managers
Consider leading information security experts' opinions about password managers. For example, to manage the challenge of safely storing strong, long, and unique passwords, while keeping them easily at hand, Bruce Schneier long ago built and released his own password management application, which is now an ongoing, open-source Windows -- and soon, Linux -- project. Like other password managers, it requires users to enter a master password, which then unlocks the password safe.

Figure 1:(Image: Dev.Arka via Flickr)(Image: Dev.Arka via Flickr)

One of the upsides of using password managers is practicality: Many different passwords can be securely stored in one place. Some password management tools, furthermore, will even store website URLs and automatically populate website username and password fields, thus creating both a more secure and more automated log-in process.

"I can't imagine life without a password manager," said Sean Sullivan, security advisor at F-Secure Labs, via email. "I have far too many sites to manage otherwise."

3. A password manager: single point of password failure?
On the other hand, some would-be users worry about gathering all of their passwords in a single place, even if that repository itself gets encrypted and protected by a master password. "I've started using two-step authentication, but was avoiding the password generator/keeper programs because those seem like they could be a huge problem if they get hacked," one DarkReading reader recently emailed. "Do you have an expert opinion?"

"This is a great question," AgileBits' Chartier says. "Regarding two-step authentication, let me ask in return how many different sites and services do you plan to use it for? Two, three, one hundred? My guess is that you will use it for a very small number of them, yet you have scores of different places you need passwords for." In other words, there's a strong case to be made for using a password manager together with two-factor authentication.

4. Should your password manager be Web-based, cloud-based, or offline?
The answer is a bit complex. Sullivan, for example, says he only tends to use complex passwords for critical sites -- such as online banking -- which he then only accesses from his home computer. For further security, he also stores those passwords only in an offline database, so that an attacker can't remotely steal them.

For less-critical sites, however, he favors cloud-based password managers -- F-Secure makes a related KEY product -- especially for the likes of Facebook and Twitter. "It may expose you to new types of risks, but I think those risks are countered by the use of better, more secure passwords," he says. "The trick is to know which sites are critical. I only access my banking account from home."

What's the risk of using a Web-based password manager, which, by virtue of being on the Web, might be a target for hackers? That risk is tough to gauge, so like working with any cloud-based service, such as Salesforce or Amazon Web Services, the choice will likely revolve around how much you trust the vendor.

5. Password manager passwords: Change them after Heartbleed?
One persistent question in the wake of the Heartbleed discovery is whether users of password management software or services should change their master passwords. To be safe, you can go ahead and do so, although whether this is required depends on the password management service you're using. It's best to check with your provider.

In fact, many services -- including AgileBits, Dashlane, and LastPass -- have said that post-Heartbleed, their users don't need to change their password manager programs' master passwords, because they are not at risk from the OpenSSL bug, due in part to the fact that the passwords never get transmitted to their servers. In the case of LastPass, for example, passwords get concatenated with a user's email address, then put through a one-way, salted hash. Only this hash -- which can't be reverse-engineered -- gets sent to the server for authentication, after being signed by a code-signing key that's separate from the SSL key. Such security approaches make it extremely unlikely that attackers could launch practical man-in-the-middle attacks that intercept this information.

6. Password manager adoption is surging
After Heartbleed, the word about password management services appears to be getting out. The AgileBits 1Password iPhone app, for example, leapt from being a top 200 most popular paid download in the Apple App Store, to being in the top 10 last week. Dashlane CEO Emmanuel Schalit, meanwhile, says his service has seen a "ten-time increase" in demand for its products.

Erin Styles, VP of marketing for LastPass.com, says her company has gained almost 200,000 new users in the last 10 days. "We are happy to see the increased education and interest in password managers," she said in email interview. "We feel strongly that this increased awareness will improve overall password security."

Beyond consumers, many IT administrators at SMBs have also been inquiring about group-based password managers, Chartier says. "For many of them, Heartbleed was the last straw, so they have questions about using 1Password in a group setting, what our sharing and collaboration features are like, and whether we can support the specific sync service they have already built around."

7. To mitigate Heartbleed, start now
Post-Heartbleed, for anyone -- or any business -- not using a password manager, now is a great time to start, so you can assign a unique password to every website you use. "A password manager is the only feasible way to manage completely random and unique passwords across every website, which is pretty much a necessity in today's poor security environment to ensure that even if a site is breached, the impact to the person is limited only to that one site," Dashlane's Schalit says.

Ensuring you only use strong and unique passwords for different sites also will help mitigate the next major Heartbleed-type password-stealing vulnerability that gets discovered, thus reducing the chance that enterprising hackers will ruin your day.

"If you're using unique passwords, you've already 'compartmentalized' your risk," F-Secure's Sullivan says.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights