The recent hack (at least 7th) of the LastPass password manager has lots of people wondering if they should use a password manager.
Password managers can be hacked lots of different ways and I’ll cover many of them in this posting.
And knowing this, you should still use a password manager.
Why You Should Use a Password Manager
The average person without a password manager has less than 10 passwords (or password patterns) that they use on over 170 unrelated sites and services. And most of those passwords are fairly weak by today’s password recommendation standards. In a given year, hackers will compromise one or more of the web sites a user belongs to (the user and the site are often unaware of the compromise), and so attackers will learn one or more of a user’s passwords over time. Those passwords (or password patterns) can be used by hackers to more easily compromise the user on other web sites and services. For example, a hacker compromises the web site a victim uses to get advice on raising monkeys as a pet or buying NFTs, and that same shared password is then used to compromise the victim’s Amazon, bank, and work accounts.
Password managers allow users to create and use different strong and perfectly random passwords for every site and service. This prevents the compromise of one site or service from more easily leading to another compromise of the same user on a different, unrelated, site. And the strong passwords that most password managers create and use today are unguessable by any known technology.
Using a good, trusted password manager is the best way to do password authentication for the sites and services where you must use passwords.
KnowBe4 recommends you use phishing-resistant multi-factor authentication (MFA) wherever you can to protect valuable data and systems and use a password manager anywhere you need to use a password. Get more details on KnowBe4’s recommended policy in the e-book What Your Password Policy Should Be.
Password Manager Hacks
Yes, password managers can be hacked. Anything can be hacked. But keep in mind that the operating system, browser, and other software that you use on a daily basis can not only be hacked but frequently are, and you still use them. The same thing applies to password managers…except they are probably hacked less. But it doesn’t hurt to understand some of the ways a password manager can be hacked and to learn if there are steps you can take to reduce the risk of a particular type of hack.
Risk-wise, first and foremost, you need to understand whether the password manager you are using stores your passwords only locally, on the devices where they are used, or also somewhere else (e.g., in the cloud, on the vendor’s web site, etc.). Many password managers store your passwords somewhere other than just on the devices where you use your password manager. This can be for safety, backup purposes, or to more easily allow password synchronization across multiple devices. If your passwords are only stored locally, then you only have to worry (mostly) about local attacks. If your passwords are stored somewhere else other than locally, then additional risks and hacks come into play. Some hacking attacks apply to both types of password managers. Here are some of the ways password managers can be hacked.
Local Hacking Attacks
Local hacking attacks against password managers can happen in a bunch of different ways, but, in general, these refer to a hacking attack where the adversary was able to successfully gain access to a desktop where the password manager is actively used. Usually, the initial access to the desktop happens because of social engineering or unpatched software. The social engineering or unpatched software may or may not be related to the password manager program.
Once an attacker is on the local desktop, if the password manager is unlocked, they can access the password manager and view the stored passwords or export all contained passwords to a local file or to a location on the Internet. Password manager users can reduce (but not eliminate) the risk by reducing the time that a password manager is unlocked while not being monitored by them. The reverse is also true: some password manager users configure their password manager to never automatically lock once the master password has been entered for the first time after a device reboot. This is bad. Always allow your password manager to automatically lock after a set number of minutes of inactivity. How long should the inactivity time out be? It’s up to you, but less than 60 minutes is probably a good place to start.
Alternatively, an attacker can install a keylogging trojan program which steals the user’s master password that protects the password manager and then use it later on to access the password manager when the user has not manually unlocked it. This risk can be reduced by the user using and requiring multi-factor authentication to unlock the password manager, if the password manager offers that option.
All password managers contain software vulnerabilities, which can allow an attacker to access or exploit the password manager even when it is in its locked state. It is not unusual or unexpected for a password manager to have exploitable bugs, although once the vendor knows about a bug it should be patched immediately and the update pushed to users automatically. You will hear some password managers bragging about not having any exploitable vulnerabilities or at least never having been exploited (so far). This isn’t a bad thing, but just because a product hasn’t had a publicly known vulnerability or hasn’t been hacked doesn’t mean it doesn’t have exploitable bugs or won’t be hacked in the future. I like vendors who brag less and show me that they strongly believe in security.
What you do want to hear from a vendor is that they train all their programmers in secure development lifecycle (SDL) programming, use secure, type-safe programming languages, do code reviews, do internal and external vulnerability testing, and participate in bug bounties where people discovering bugs in the product are rewarded for their efforts. I’ll take a password manager vendor’s product with these traits over one that does not have them, even if their product has been exploited in the past.
Many local attacks come under a class of attacks known as “password leaks”. With a password leak, the password manager product, or its use of your password, “leaks” in a way that reveals the password to an adversary. The most common type of password leak is when a password that the password manager has just used remains in unprotected memory, where anyone searching for it can find it. Some bad password managers apparently load ALL the passwords they are storing into the user’s device memory the first time the password manager is accessed. This is not good.
All passwords and all fields stored by a password manager should be encrypted using strong, industry-accepted encryption, like 256-bit AES symmetric encryption. Some password managers only store the passwords encrypted, but don’t encrypt other fields like the user’s logon name, the URL of the site being logged into, and any other notes the user stores about a website. This is bad. Any leaked information can be used against the user in a social engineering attack. Password manager vendors should encrypt everything. It isn’t hard to do.
Many password managers allow your passwords to be copied to the desktop “clipboard” so that they can be viewed or used by the user in an Edit/Copy/Edit/Paste scenario. This feature is not innately bad, but hackers have looked at a password manager user’s clipboard to discover stored passwords. Most password managers which allow the use of the clipboard to store user passwords temporarily will automatically clear the clipboard after a preset amount of time (say 30 seconds, etc.). This is a good defense against that type of attack.
It’s also very common for password managers’ browser extensions (this is how your password manager can be automated and used in a particular browser) to have bugs and memory leaks. Browser extensions are particularly prone to bugs and memory leaks. If your password manager has browser extensions and you use them, make sure the vendor cares as much about securely coding the browser extension as they do the rest of the password manager program.
I don’t particularly blame any password manager for attacks that happen once the desktop is compromised. If your desktop is accessed by an attacker it is essentially game over and no defense is going to save you even with the very best password manager involved. The defense is easy to state – don’t let an adversary take over your desktop. You can significantly mitigate this risk by learning how not to be socially engineered (take security awareness training) and make sure all critical bugs are patched in a timely manner. And it’s good to see steps by password managers, such as auto-locking password managers, and clearing out memory and/or the clipboard, to mitigate the risk from a local-only attack.
There are many attacks that work remotely against password manager users. The most common one is the user creating and storing weak and duplicate passwords within the password manager. Most password managers will create strong and perfectly random passwords. Let the password manager do that. Don’t create your own passwords. If you have in the past, let the password manager create new ones. Make sure to allow the password manager to create passwords as long and complex as the site involved will allow. Don’t ever use the same password for any two unrelated sites. You’re just asking for trouble. If you’re going to go through all the trouble of using a password manager, let it create and manage your passwords. Get rid of any old passwords you created as soon as you can. Get rid of bad habits.
Once you start using a password manager and great passwords, make sure you change your passwords at least once a year. Yes, I know it’s a pain. But one or more of the websites you love, use, and trust will end up getting hacked and your passwords known by one or more attackers. Reduce the risk of a previous password compromise by proactively changing your password at least once a year (more if you want).
Yes, the National Institute of Standards and Technology (NIST) recommends that people no longer change their passwords unless the user (or admin) thinks the password is compromised, but this is assuming the end-user isn’t using a password manager and most site compromises are not known by the site or the user. Be proactive. Periodically change your passwords.
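As an added illustration (not code from the original post or any particular product), here is a small vault audit in Python that flags the habits just described: passwords sharing a guessable pattern across unrelated sites, passwords shorter than what a generator would produce, and passwords older than a year. The vault entries, the 16-character minimum and the audit date are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

MIN_LENGTH = 16      # assumed floor; let the manager generate long random passwords
MAX_AGE_DAYS = 365   # rotate at least yearly, as the post advises
AUDIT_DATE = date(2023, 3, 1)  # constructed "today" so the run is reproducible

def pattern_key(password):
    """Collapse "Summer2021!" and "Summer2022#" to "summer": the same guessable pattern."""
    return re.sub(r"[\d\W_]+$", "", password).lower()

def audit_vault(entries, today):
    """Return {site: [(code, detail), ...]} for pattern-reused, short, or stale passwords."""
    sites_by_pattern = defaultdict(list)
    for e in entries:
        sites_by_pattern[pattern_key(e["password"])].append(e["site"])
    findings = defaultdict(list)
    for e in entries:
        site, pw = e["site"], e["password"]
        shared = sorted(s for s in sites_by_pattern[pattern_key(pw)] if s != site)
        if shared:
            findings[site].append(("reused", shared))
        if len(pw) < MIN_LENGTH:
            findings[site].append(("short", len(pw)))
        age_days = (today - e["changed"]).days
        if age_days > MAX_AGE_DAYS:
            findings[site].append(("stale", age_days))
    return dict(findings)

# Constructed sample vault: fictitious sites and credentials only.
SAMPLE_VAULT = [
    {"site": "bank.example", "password": "Summer2021!", "changed": date(2021, 6, 1)},
    {"site": "monkey-advice.example", "password": "Summer2022!", "changed": date(2022, 6, 1)},
    {"site": "shop.example", "password": "x9#Qv7!pL2@mN4$rT8^wY1&z", "changed": date(2023, 1, 15)},
    {"site": "work.example", "password": "correcthorse", "changed": date(2022, 11, 2)},
]

if __name__ == "__main__":
    for site, problems in audit_vault(SAMPLE_VAULT, AUDIT_DATE).items():
        print(site)
        for code, detail in problems:
            print(f"  {code}: {detail}")
```

Only the generated 24-character password passes cleanly; the two "Summer" passwords are flagged as one shared pattern even though they are not byte-for-byte identical.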
The risk of being socially engineered out of your password…even if you use a password manager…even if you don’t know your password…is still large. You should always use your password manager to automatically log you into your web site if the password manager has that feature. Still, I see people who try to use their password manager to automatically log into a website they are being prompted to logon to, and when the password manager unexpectedly doesn’t log them in, they complain and grunt and then Edit/Copy/Edit/Paste the password from their password manager into the web site, not realizing the web site they are interacting with is a fake phishing one, and that this is why the password manager “wasn’t working” in the first place. Try to logon to all sites and services using the features of your password manager, and if a particular logon doesn’t work, be aware that it could be a phishing attack. A password manager will not save you if you intentionally logon to the phishing web site outside the normal password manager method.
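To show why a password manager “not working” on a page is itself a signal, here is an added Python example (not from the original post or any particular product) of the origin check an autofill feature performs before offering a saved login. The saved entries and the lookalike URLs are constructed, and the exact-origin policy is an assumed simplification of what real managers do.

```python
from urllib.parse import urlsplit

# Constructed sample entries: each records the exact origin the login was saved for.
SAMPLE_ENTRIES = [
    {"origin": "https://www.bank.example", "username": "alice"},
    {"origin": "https://shop.example", "username": "alice@mail.example"},
]

def origin_of(url):
    """Return (scheme, host, port) for an http(s) URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)

def entries_for_page(entries, page_url):
    """Offer only logins whose saved origin equals the page's origin (assumed exact-match policy)."""
    current = origin_of(page_url)
    if current is None:
        return []
    return [e for e in entries if origin_of(e["origin"]) == current]

def why_no_fill(entries, page_url):
    """Explain a non-match; the post's advice is to treat it as a possible phishing page."""
    current = origin_of(page_url)
    if current is None:
        return "unsupported or unparsable URL"
    scheme, host, _ = current
    for e in entries:
        saved_scheme, saved_host, _ = origin_of(e["origin"])
        if saved_host == host and saved_scheme == "https" and scheme == "http":
            return f"{host} saved as https but page is plain http"
        if saved_host != host and saved_host in host:
            return f"{host} contains saved host {saved_host} but is a different domain"
    return "no saved entry for this origin"

if __name__ == "__main__":
    for url in ("https://www.bank.example/login?next=/",
                "https://www.bank.example.login-verify.example/",
                "http://www.bank.example/"):
        matches = entries_for_page(SAMPLE_ENTRIES, url)
        print(url, "->", [m["username"] for m in matches] or why_no_fill(SAMPLE_ENTRIES, url))
```

The manager stays silent on the lookalike host and on the plain-http copy of the real host; pasting the password by hand at that point is exactly the bypass the paragraph above warns against.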
Also, as discussed above, it is very possible, and even likely, that one or more of your passwords will be compromised by the hacker compromising the site or service where that password is used. I certainly don’t blame the password manager for that problem. Periodically change your passwords to mitigate the risk over time.
Vendor or Remote Storage Attacks
On top of all the types of local and remote attacks involving the user, the password manager vendor can be attacked and compromised. Vendors’ sites and services can be compromised by attacks. Vendor web sites and services have bugs. The sites and services they rely upon to deliver their service will have bugs and can be exploited. Vendors can have implementation or configuration weaknesses. Vendors can very poorly implement encryption. Vendor employees can be socially engineered to allow the hacker access to the source code of their program or any stored, unprotected passwords and other information. Vendors can have weakly protected APIs. Vendors can have storage locations accessed by adversaries.
Hackers can attack password manager users, vendors, and all the software and services involved. Most (but not all) of the successful attacks directed against users can be blamed on, or mitigated by, the end-user. If the password manager user is less likely to be socially engineered and patches all their software in a timely manner, then the odds of them being directly compromised are reduced; and vice-versa. Any attacks against the vendor are solely the responsibility of the vendor.
So, knowing that password managers can be hacked all these different ways, should someone still use and rely upon a password manager?
Yes, password managers can be hacked. Yes, password managers can be a single point of failure. But the risks they mitigate (i.e., weak passwords reused across multiple unrelated sites and services) far outweigh the risks incurred if you don’t use a password manager. If you are worried about your password manager vendor’s cloud-based solution being compromised, use a password manager that doesn’t store your passwords anywhere else but on the devices where they are used.
Just because password managers can be hacked doesn’t mean they shouldn’t be used.
Password Manager Webinar
If you’re interested in learning more details about password managers and attacks against them consider watching my webinar on The Good, The Bad, and the Truth About Password Managers. I’ll be covering password manager features, hacks against password managers, and how to best use a password manager to get the best defense.