Heartbleed: A Password Manager Reality Check

Is a password manager an effective defense against vulnerabilities like Heartbleed, or just another way to lose data to hackers?

use it for a very small number of them, yet you have scores of different places you need passwords for." In other words, there's a strong case to be made for using a password manager together with two-factor authentication.

4. Should your password manager be Web-based, cloud-based, or offline?
The answer is a bit complex. Sullivan, for example, says he only tends to use complex passwords for critical sites -- such as online banking -- which he then only accesses from his home computer. For further security, he also stores those passwords only in an offline database, so that an attacker can't remotely steal them.

For less-critical sites, however, he favors cloud-based password managers -- F-Secure makes a related KEY product -- especially for the likes of Facebook and Twitter. "It may expose you to new types of risks, but I think those risks are countered by the use of better, more secure passwords," he says. "The trick is to know which sites are critical. I only access my banking account from home."

What's the risk of using a Web-based password manager, which, by virtue of being on the Web, is an attractive target for attackers? That risk is tough to gauge, so, as with any cloud-based service such as Salesforce or Amazon Web Services, the choice will likely revolve around how much you trust the vendor, and in particular whether the vendor's design ever puts your plaintext passwords, or the key that decrypts them, on its servers.

5. Password manager passwords: Change them after Heartbleed?
One persistent question in the wake of the Heartbleed discovery is whether users of password management software or services should change their master passwords. To be safe, you can go ahead and do so, but whether it is actually required depends on the service: the master password is only at risk if it, or something from which it can be recovered, ever crossed a vulnerable TLS connection. It's best to check with your provider.

In fact, many services -- including AgileBits, Dashlane, and LastPass -- have said that post-Heartbleed their users don't need to change their master passwords, because those passwords are not exposed by the OpenSSL bug: in these designs the master password is never transmitted to the vendor's servers. In the case of LastPass, for example, the master password is concatenated with the user's email address and run through a one-way, salted hash on the client. Only this hash -- from which the password cannot be directly recovered -- is sent to the server for authentication, after being signed by a code-signing key that is separate from the SSL key. So even an attacker who used Heartbleed to extract a server's SSL private key and mount a man-in-the-middle attack would capture a hash, not the master password itself. One caveat a practitioner should keep in mind: a one-way hash can still be attacked offline by guessing, so this protection is only as good as the strength of the master password.
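To make the client-side hashing scheme described above concrete, here is an added illustration written for this page; it is not LastPass's or any other vendor's actual code. It assumes PBKDF2-HMAC-SHA256 as the one-way function, the (lower-cased) email address as the salt, and arbitrary iteration counts; the server then salts and re-hashes what it receives so that a database leak does not hand out ready-to-use login tokens. The only thing that crosses the wire is the derived hash, which is what a Heartbleed-style eavesdropper on the TLS connection would see.

```python
"""Client-side master-password hashing, as an added example (not vendor code).

Assumptions for this example (not any vendor's real parameters):
  - PBKDF2-HMAC-SHA256 is the one-way, salted hash
  - the user's email address (lower-cased) is the salt on the client
  - iteration counts below are illustrative only
"""
import hashlib
import hmac
import secrets

CLIENT_ROUNDS = 100_000   # assumed: slow on purpose to resist offline guessing
SERVER_ROUNDS = 100_000   # assumed: server re-hashes the received value


def derive_auth_hash(email: str, master_password: str) -> bytes:
    """Client side. Email is the salt, so two users with the same master
    password still produce different hashes. The master password never
    leaves this function in clear form."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def wire_message(email: str, master_password: str) -> dict:
    """Everything the client actually transmits for authentication:
    the email and the hex-encoded auth hash. No password field exists."""
    return {"email": email, "auth": derive_auth_hash(email, master_password).hex()}


def server_enroll(auth_hash: bytes):
    """Server side, at signup: never store the received hash verbatim.
    Add a random per-user salt and hash it again, so a leaked database
    does not directly yield values that can be replayed as logins."""
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Server side, at login: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def eavesdropper_sees_password(msg: dict, master_password: str) -> bool:
    """What a Heartbleed-style attacker reading the TLS stream could learn:
    True only if the plaintext master password appears in the message."""
    return any(master_password in str(v) for v in msg.values())


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    email, pw = "alice@example.com", "correct horse battery staple"
    msg = wire_message(email, pw)
    salt, stored = server_enroll(bytes.fromhex(msg["auth"]))
    print("password on the wire:", eavesdropper_sees_password(msg, pw))
    print("login ok:", server_verify(derive_auth_hash(email, pw), salt, stored))
    print("wrong pw:", server_verify(derive_auth_hash(email, "x"), salt, stored))
```

Note what the example does and does not protect: an attacker who captured `msg` could not read the master password from it, but could still try guesses against the hash offline, which is why the master password itself must be strong, and why the server stores a second, salted hash rather than the value it received.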

6. Password manager adoption is surging
After Heartbleed, the word about password management services appears to be getting out. The AgileBits 1Password iPhone app, for example, leapt from being a top 200 most popular paid download in the Apple App Store, to being in the top 10 last week. Dashlane CEO Emmanuel Schalit, meanwhile, says his service has seen a "ten-time increase" in demand for its products.

Erin Styles, VP of marketing for, says her company has gained almost 200,000 new users in the last 10 days. "We are happy to see the increased education and interest in password managers," she said in an email interview. "We feel strongly that this increased awareness will improve overall password security."

Beyond consumers, many IT administrators at SMBs have also been inquiring about group-based password managers, Chartier says. "For many of them, Heartbleed was the last straw, so they have questions about using 1Password in a group setting, what our sharing and collaboration features are like, and whether we can support the specific sync service they have already built around."

7. To mitigate Heartbleed, start now
Post-Heartbleed, for anyone -- or any business -- not using a password manager, now is a great time to start, so you can assign a unique password to every website you use. "A password manager is the only feasible way to manage completely random and unique passwords across every website, which is pretty much a necessity in today's poor security environment to ensure that even if a site is breached, the impact to the person is limited only to that one site," Dashlane's Schalit says.

Using a strong, unique password for every site also limits the damage from the next Heartbleed-type password-stealing vulnerability that gets discovered: a password captured from one site can't be replayed against any other, which takes away the credential-stuffing attack that enterprising hackers rely on to ruin your day.

"If you're using unique passwords, you've already 'compartmentalized' your risk," F-Secure's Sullivan says.
