LastPass: Are password managers still recommended?

Recently, a security incident was disclosed by the password manager LastPass. This led to many questions from concerned users. We have summarized some important questions and answers here.

Despite the recently discovered security incident at a widely used password manager, such systems remain recommended for password management. (Image: Pixabay.com)

Last week, the well-known and widely used password manager LastPass reported a security breach. According to the company, the breach occurred two weeks earlier, when attackers broke into the system where LastPass stores the source code of its software. From there, the attackers stole parts of the source code and some proprietary technical information from LastPass. The cybercriminals rifled through the company's proprietary source code and intellectual property, but apparently did not get their hands on customer or employee data. This has now led to questions from concerned users: Are password managers still useful? Experts from IT security service provider Sophos comment as follows:

If I use LastPass, should I change all my passwords?

Users can, of course, change some or all of their passwords if they wish. However, according to reports, this security incident has nothing to do with the cybercriminals getting hold of personal data, let alone passwords, which are not stored in usable form on LastPass' servers anyway.

As a LastPass user, should I switch to another solution?

The fact is, according to LastPass, that neither personal nor password-related data (encrypted or otherwise) was stolen, but only source code and proprietary information of the company itself. A company's cybersecurity trustworthiness should be based on how it responds when a bug or vulnerability occurs, especially if the company's mistake did not directly and immediately endanger users. It is recommended to read the LastPass incident report and FAQ and to decide on further trust on that basis.

Doesn't stolen source code mean that hacks and exploits are bound to happen?

Source code is much easier to read and understand than a compiled, "binary" equivalent, especially if it is well commented and uses meaningful names for things like variables and functions within the software. In other words, this source code leak might help potential attackers a little, but firstly almost certainly not as much as one might initially think, and secondly not to the extent of enabling new attacks that could never have been figured out without the source code.

Should I dispense with password managers altogether?

Fundamental concerns would be justified if password managers stored exact copies of all passwords on their own servers, where they could be read by attackers or queried by law enforcement. But no reasonable cloud-based password manager works that way.

Why should I use a password manager?

  • A good password manager simplifies the use of passwords. It solves the problem of choosing and remembering dozens or maybe even hundreds of passwords - optionally reinforced by 2FA.
  • A good password manager will not allow the same password twice. This is because when cybercriminals find out a password, for example by compromising a website, they use it or similar passwords to try to gain access to other accounts.
  • A good password manager can generate and store hundreds or even thousands of long, pseudo-random, complex and completely different passwords.
  • A good password manager will not allow the correct password to be entered on the wrong site. This protects users from phishing, for example.
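As an added illustration of the last three points (reuse detection, generation from a CSPRNG, and origin matching that refuses look-alike or plain-http sites), here is a constructed Python model of a vault. This is not LastPass or Sophos code; the vault entries and hostnames are invented.

```python
from collections import defaultdict
from urllib.parse import urlsplit
import secrets
import string

# Constructed sample vault: each entry records the exact origin (scheme + host)
# on which the credential was saved. The "shop" entry deliberately reuses a password.
VAULT = [
    {"name": "bank", "origin": "https://online.examplebank.com", "password": "Correct-Horse-9-Battery"},
    {"name": "shop", "origin": "https://shop.example.com", "password": "Correct-Horse-9-Battery"},
    {"name": "mail", "origin": "https://mail.example.org", "password": "zK7#pq2Lm!v9Rt4W"},
]


def generate_password(length: int = 20) -> str:
    """Long, pseudo-random password drawn from the OS CSPRNG (secrets, never random)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reused_passwords(vault):
    """Return {password: [entry names]} for every password shared by more than one entry."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def origin_of(url: str):
    """Normalise a URL to (scheme, host[:port]); None for anything that is not https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    return (parts.scheme, host if parts.port in (None, 443) else f"{host}:{parts.port}")


def entries_for(vault, url: str):
    """Offer only credentials whose saved origin equals the page's origin exactly.
    A look-alike host ("examplebank.com.evil.test", "examp1ebank.com") or a
    plain-http page gets nothing, which is what blocks the phishing case above."""
    target = origin_of(url)
    if target is None:
        return []
    return [e for e in vault if origin_of(e["origin"]) == target]
```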

Editor's note: A detailed blog post by Sophos security expert Paul Ducklin with in-depth answers to these questions can be found on Sophos Naked Security.
