Why you can trust ZDNET
:ZDNET independently tests and researches products to bring you our best recommendations and advice. When you buy through our links, we may earn a commission.Our process
'ZDNET Recommends': What exactly does it mean?
ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.
When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.
ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.
I've written a lot about password management during the past few years. Indeed, when people ask me what kind of security software they should use, my answer always starts with: "Find a good password manager and use it."
When I have those discussions IRL, I consistently hear the same questions and objections, most of which are perfectly sensible and need to be answered. This comment, posted in response to my recent post about online security, is a great example:
Speaking of password managers, I'd be a bit leery since LastPass was hacked and users' encrypted password files were leaked. Black hats have been trying to crack their master passwords and apparently succeeded in some cases, even stealing the contents of people's crypto wallets.
The natural question is, are password managers still such a great idea when this kind of thing can happen? The affected users had to spend countless hours changing their dozens or hundreds of passwords everywhere. That'd be way too much of a chore and headache.
Aside from third-party products like LastPass, can we rely on the built-in password managers in Firefox, Chrome and Edge? I suppose these have big companies behind them doing their best to keep away a massively compromising and embarrassing situation, but then I'm sure LastPass did the same.
That's an admirably concise summary of the issues with password managers that I think most people are concerned about. It also raises a whole bunch of questions about what LastPass did, exactly. So, let's start with a quick summary of what the LastPass security mess was -- and why it was uniquely awful for its customers.
What happened to LastPass?
Among online services that help you organize your passwords, LastPass was an early leader and is still a significant player. The LastPass brand was valuable enough that LogMeIn acquired the company eight years ago for $110 million. A few years later, LastPass was spun off into its own company, but was still controlled by the private equity firms that own LogMeIn. In its account of the sale, PCMag noted that those companies "specialize in trying to maximize the value of an asset for later sale."
LastPass got gobbled up by LogMeIn back in 2015. And then in 2021, LogMeIn announced it was planning to spin LastPass off as a separate company. Astute observers of the software industry know that this playbook rarely works out well. At the very best, your employees are distracted by the whole M&A song and dance. At worst … well, here we are.
Why was the latest LastPass hack so terrible?
LastPass has been the victim of multiple successful hacks since at least 2011. But the two intrusions in 2022 were especially bad. The official notification from a December 2022 LastPass blog post was blandly titled "Notice of Recent Security Incident", but the content of that post was a nightmare scenario for customers paying for an online service that promises to keep their secrets safe from outside attackers.
We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.
This attack took place after a separate successful intrusion of LastPass networks in August 2022. In that incident, the attackers obtained information they used to target a LastPass employee and were able to obtain credentials and keys they used to access and decrypt files in the online storage service, Amazon's AWS S3.
It gets worse.
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
If you're interested in the technical details of what data was stolen, read this thorough summary from Lawrence Abrams at Bleeping Computer.
The bad news is that a lot of customer data was stolen. The good news is that the password vaults were encrypted using 256-bit AES technology with a unique encryption key derived from the user's password, which was never shared with LastPass, meaning it would take an extraordinary amount of time and computing resources to crack them.
(Side note: The word you never want to read after a paragraph like that is however. Alas…)
However, LastPass did not apply the same strong encryption to other customer data, including website URLs and "certain use cases involving email addresses". That information turned out to be incredibly valuable as a way for the attackers to sort out which password vaults would be most valuable. According to security expert Brian Krebs, that targeting might explain a wave of attacks against cryptocurrency wallets that started shortly after the LastPass hack:
[T] the best practice for many cybersecurity enthusiasts has long been to store their seed phrases either in some type of encrypted container — such as a password manager — or else inside an offline, special-purpose hardware encryption device, such as a Trezor or Ledger wallet.
"The seed phrase is literally the money," said Nick Bax, director of analytics at Unciphered, a cryptocurrency wallet recovery company. "If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. And you can transfer my funds."
[Security researchers have] identified a unique signature that links the theft of more than $35 million in crypto from more than 150 confirmed victims, with roughly two to five high-dollar heists happening each month since December 2022. … [T]he only obvious commonality between the victims who agreed to be interviewed was that they had stored the seed phrases for their cryptocurrency wallets in LastPass."
Could what happened to LastPass happen to another password manager?
Every indication is that LastPass has been running an incredibly sloppy operation for years. The employee who was targeted was one of only four DevOps engineers with access to the AWS decryption keys. You would think that anyone accessing the most sensitive customer data would have been using a dedicated PC running over a secure network, but that didn't happen here.
The engineer had been accessing those data stores from a personal computer that was also running a third-party media server, which had itself been compromised, almost certainly by the same attackers. They in turn used that exploit to capture the employee's master password for his LastPass accounts and steal encrypted notes containing access and decryption keys for LastPass customer data.
LastPass had previously increased the required length of its customers' master passwords, from 8 to 12 characters, and had also increased the number of iterations used for generating private keys from those new, stronger passwords. Unfortunately, the company hadn't required users to change existing passwords, which meant any long-time customer who was using an older password was using weak encryption that was dramatically more vulnerable to brute-force attacks.
As part of its incident follow-up, LastPass announced an extensive list of changes in its security policies, but the damage was already done.
No other well-known password manager (and there are many) has a record like this.
Isn't putting all your passwords in a single place just asking for trouble?
Yes, in theory.
But a dedicated password manager is still the only practical way for human beings with ordinary human memories to create and recall strong, unique, random passwords for every secure service they use.
To use a pointed analogy: if you had $10,000 in cash, would you rather store each hundred-dollar bill in a cheap piggy bank with a toy lock, or would you prefer to stick that wad of cash in the bank, where it's in a massive vault with state-of-the-art locks and armed security guards?
What LastPass did was akin to leaving the keys to the vault on the counter while forgetting to lock the front door.
Anyway... If you're going to put your passwords in an encrypted vault, the challenge is to protect that vault.
And here's the most important thing: strong encryption really works! Every modern password management service, including LastPass, uses a Zero Knowledge model, which means the service does not have access to your private encryption key or the master password you use to access your account.
The attackers who broke into the LastPass network had stolen backups of a (presumably large) number of password vaults and were, therefore, capable of running sustained brute-force attacks against the encrypted data. Despite that advantage, the attackers have apparently only been able to break into a few per month, and then only by targeting those they were certain contained crypto vault keys. It probably required a staggering amount of resources to do so.
It took a combination of a very determined attacker and a very sloppy operation at LastPass to allow those encrypted password vault files to be stolen. I'm not aware of any other password service that has lost that kind of customer data. If it had happened, it would have been front-page news.
If you're really worried about the possibility that someone will steal your encrypted password data, you can choose a password manager like KeePass, which allows you to store the encrypted vault in a separate location where you're more confident of its security. But a well-run password management service (not LastPass) should be able to handle this task as part of its day-to-day operations.
If someone steals my master password, don't they have access to everything in my password vault?
Not if your password management service is doing its job and requiring extra authentication on a new device, as would be the case if an attacker stole your credentials and then tried to use them from their own device.
When you access 1Password from a device that you haven't previously used, for example, you have to enter your master password and also enter your secret key, which consists of 34 letters and numbers that you -- and only you -- know. The key is generated when you set up your account for the first time, and you're encouraged to print it out or save it to a secure location, so you can access it when you set up a new device. It's never shared with the 1Password cloud. An attacker who stole your master password would not be able to access your encrypted vault because they wouldn't be able to provide that key.
In addition, most password managers allow you to set up two-factor authentication, which requires that you use a trusted device to approve any new sign-in before allowing access to your account and the vault data. Here, too, an attacker who has your master password won't be able to use it without getting your permission -- and alerting you in the process.
Can I just use a browser-based password manager?
For as long as I can remember, every browser maker has offered a set of password-filling features. Years ago, these features were rudimentary, and it made sense to choose a third-party option.
In recent years, though, all of the major developers responsible for modern browsers (Apple, Google, Microsoft, and Mozilla) have made tremendous progress with their authentication solutions, making them equal to the core feature set of a good third-party password manager. And because they're all free and use well-managed cloud storage, they're perfectly acceptable options.
Earlier this year, I wrote a lengthy article titled "How to choose (and use) a password manager". Scroll down to the "Are built-in password managers good enough?" heading for capsule reviews of what you get from Apple, Google, and Microsoft.