I wrote a blurb about this on the Fediverse today and I wanted to flesh it out a little more. Partially because formatted text is nicer to read and partially because my Fedi posts don’t live long. Here we go:
Online passwords are on my mind today. I stopped using LastPass years ago and moved to a local password manager because I finally reached a point where I just could not justify storing my passwords online any more. That’s not a decision specifically about LastPass - it’s about any system that stores passwords online.
I used LastPass for years because it has a good rep. Security experts like Steve Gibson say that LastPass does security right. I read all about how my passwords are encrypted in LastPass servers and decrypted in the browser with a key that LastPass does not have. It all sounds really good.
But the thing I could not shake was the knowledge that even with all this encryption done right, anyone could just go to lastpass.com and put in my email address and password and get all my passwords. It’s just such a woefully brutal single point of failure not just for one site, but for pretty much everything in my life.
I also slowly came to realize that there is an inverted risk ratio in password managers. Most password managers have the ability to generate long gibberish passwords for use on sites, which is a great feature. It makes it easy to ensure that your individual site passwords are strong and unique to each site. But, my actual LastPass password was significantly less strong. It had to be because I type it a lot. I jacked down the timeout options on my account and my LastPass browser plugin so that I would not stay logged in too long and because of that, I have to type my LastPass password a lot which means it can’t be a 32 character length string of gibberish. My only defence against that is to increase my timeouts so that I would rarely have to type that password, but that also weakens the security of my account so neither option seemed ideal.
I know there are granular security measures you can enable in LastPass such as device whitelisting and 2FA but there’s really no guarantee that some code push won’t break those features or that some enterprising hacker won’t find a way to bypass those measures.
Around this time Tavis Ormandy turned his attention to password manager browser extensions. He showed us how trivial it is for a bad guy to craft a website that can trick a password browser extension into giving up sensitive credentials. So I stopped using the browser plugin. I still don’t use a browser extension even though I use a local password manager.
But in a particularly clever move, the report demonstrated that arbitrary strings could be injected, and one of these was enough to trick the extension into thinking it was executing on lastpass.com. By doing so, an attacker could manipulate the LastPass extension into revealing the stored data of that user, and launch arbitrary executables in the case of the binary version. [1]
Keep in mind that this LastPass vulnerability is a “zero day” meaning that Tavis found it, but he did not create it. Therefore, it had been around for an unspecified amount of time and it’s impossible to say if anyone else knew about it and exploited it. That is why I don’t necessarily trust security measures employed on websites; they may be subverted already without anyone knowing about it.
In the end, I simply wasn’t able to create a risk/reward case where storing my passwords online resulted in a positive reward outcome. I still can’t today which is why I use a local password manager and while it has the ability to sync a password database online and a browser extension, I don’t use either of those features.
I recognize that some people legitimately need a way to share passwords. For example, I had to use another employee’s courier account once out of necessity and she was able to give me access to that account without divulging her password to me by using LastPass. That’s a really neat feature and my local password manager can’t do that. I also know there are teams that need to share credentials because there are lots of services and devices that don’t support SSO or LDAP or other enterprise authentication schemes. In those cases, I use LastPass because it’s the best alternative and, let’s face it, it’s work. I’m a very security minded employee but even the best of us would rather see work credentials leaked than our personal sensitive credentials leaked.
The reality is that I don’t have any need for a globally accessible password database. I have 4 devices I use on a regular basis and I have two password databases - one for work and one for personal. I avoid sync issues by designating one device to hold the authoritative database for each segment: my work-issued laptop is the authoritative source for work passwords and one of my personal devices is the authoritative source for personal passwords. That means I only ever create new passwords, or update passwords, on the authoritative devices. Then I simply need to copy the database to the other devices that need it and I can safely overwrite the database that exists on those non-authoritative machines.
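The authoritative-device copy described above, written up as an added shell example (not a script from the original post). It assumes the database is a single file, that the destination is a path the authoritative machine can write to (a mounted drive, or a local directory standing in for another device), and that the authoritative host name is passed in so only that machine may push; the function name push_db and the backup naming are mine.

```shell
#!/bin/sh
# Added example: push the authoritative password database to a non-authoritative
# device, keep the previous copy for rollback, and verify the digest before the
# new file replaces the old one. Assumes sha256sum or shasum is installed.
set -eu

# digest FILE -> hex SHA-256 (sha256sum on Linux, shasum on macOS/BSD)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# push_db DBFILE DEST_DIR AUTH_HOST -> prints the digest of the copy on success
push_db() {
    db="$1"; dest="$2"; auth_host="$3"
    # Only the designated authoritative device edits and pushes; refuse elsewhere.
    if [ "$(uname -n)" != "$auth_host" ]; then
        echo "refusing: $(uname -n) is not the authoritative host ($auth_host)" >&2
        return 1
    fi
    [ -f "$db" ] || { echo "missing database: $db" >&2; return 1; }
    mkdir -p "$dest"
    target="$dest/$(basename "$db")"
    # Keep the previous copy so a bad push can be rolled back on that device.
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)"
    fi
    # Copy to a temporary name, compare digests, then rename into place so a
    # half-written database is never what the non-authoritative device opens.
    src_sum=$(digest "$db")
    cp "$db" "$target.tmp"
    dst_sum=$(digest "$target.tmp")
    if [ "$src_sum" != "$dst_sum" ]; then
        rm -f "$target.tmp"
        echo "digest mismatch after copy, not overwriting $target" >&2
        return 1
    fi
    mv -f "$target.tmp" "$target"
    chmod 600 "$target"
    echo "$dst_sum"
}
```

Run it as `push_db ~/personal.kdbx /mnt/laptop/passwords "$(uname -n)"` from the authoritative machine; any other host gets a refusal instead of a silent overwrite.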
Is it inconvenient? Actually, no. It probably took longer to write the last paragraph than it does to copy two databases to two other machines every few days. It just seems inconvenient because we’ve become used to our passwords being available on every device everywhere in the world all the time.
I think password managers are a good tool, but I’ve always liked the phrase “do you want security or convenience? Pick one.” Password managers are good security, browser plugins and online password storage are convenience. Password managers that offer those features are necessarily compromising security in favour of convenience. Everyone has a unique risk threshold and you may be fine with this compromise because you need the convenience. I just wanted to point out that using a password manager doesn’t have to be an “all or nothing” proposition. You can get the higher level of security if you’re willing to forgo a little convenience.