A number of security pros urge people to use password managers to keep track of passwords, rather than reuse the same one across several sites or write them on sticky notes taped to monitors, where anyone walking by can read them.

But like any technology, password managers can themselves be breached. That happened last week when one of the biggest names in password managers, LastPass, discovered that account email addresses, password reminders, server-side per-user salts and authentication hashes had been compromised.

“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed,” the company added in a notice to users. Still, for a CISO who has told employees this is a safe solution to password overload, it’s a little unnerving.

LastPass comes in free and enterprise versions, the latter offering federated single sign-on access management for cloud-based services. There’s also a centralized control panel for administrators and auditors.

On the other hand, as Steve Ragan notes in a piece for CSOonline, two things work in users’ favour: First, LastPass notified its users quickly. Second, if you change the master password on your account you should be safe. The point of using a manager is to never repeat a password across sites, so even if an attacker breaks one site’s password the others remain protected.

And as Brian Krebs writes, LastPass salted and hashed the master-password verifiers it stores, so even with the stolen hashes in hand an attacker has to guess each user’s master password one candidate at a time, paying the full cost of the hash for every guess. For a long, random master password that is effectively infeasible; a short or easily guessed one is the exception, which is why the leaked reminders matter.

But he also quotes an expert who observes that the stolen password reminders and email addresses could be useful to an attacker. “But,” the expert added, “password reminders are useful for targeted attacks, not massive attacks. That means that if your password reminder or hint is not particularly revealing to someone who doesn’t know you, it probably doesn’t matter much. Except in the case of targeted phishing attacks.”
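The two points above, that salted and iterated hashing makes mass cracking of stolen authentication hashes expensive while a revealing hint still enables a cheap targeted guess, can be shown with a small simulation. This is an added example, not code from the article or from LastPass; it assumes PBKDF2-HMAC-SHA256 with 100,000 iterations and a 16-byte random salt per user, which are illustrative parameters and not LastPass’s real configuration, and the sample users, passwords, hints and wordlists are all constructed here.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Illustrative parameters (assumptions, not LastPass's real configuration):
# a 16-byte random salt per user and PBKDF2-HMAC-SHA256 with 100,000 iterations.
ITERATIONS = 100_000
SALT_LEN = 16


def hash_master(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored authentication hash from a master password and per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(email: str, password: str, hint: str, salt: Optional[bytes] = None) -> dict:
    """Build the kind of server-side record the article says was stolen:
    email, per-user salt, authentication hash and password reminder (hint).
    The plaintext master password is NOT stored anywhere."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return {"email": email, "salt": salt, "hash": hash_master(password, salt), "hint": hint}


def verify(record: dict, candidate: str) -> bool:
    """What the server does at login; constant-time compare avoids a timing leak."""
    return hmac.compare_digest(record["hash"], hash_master(candidate, record["salt"]))


def offline_guess(record: dict, candidates) -> tuple:
    """An attacker holding the stolen salt+hash tries candidates one at a time.
    Returns (matching password or None, number of hashes computed)."""
    tries = 0
    for c in candidates:
        tries += 1
        if verify(record, c):
            return c, tries
    return None, tries


def hint_wordlist(names, years):
    """Targeted candidates an attacker would build from a revealing hint such as
    "dog's name + birth year"; a generic mass-attack wordlist would not contain these."""
    return [f"{n}{y}" for n in names for y in years]


if __name__ == "__main__":
    # Constructed sample users; the first hint is deliberately revealing.
    users = [
        make_record("alice@example.com", "Rex1979", "dog's name + birth year"),
        make_record("bob@example.com", "vK9#qT2mL!e4RpZw", "none"),
    ]
    common = ["123456", "password", "qwerty", "letmein", "iloveyou"]  # mass-attack list

    t0 = time.perf_counter()
    hash_master("x", os.urandom(SALT_LEN))
    per_guess = time.perf_counter() - t0
    print(f"one PBKDF2 guess costs ~{per_guess * 1000:.0f} ms here "
          f"-> ~{1 / per_guess:.0f} guesses/s per core")

    for u in users:
        found, n = offline_guess(u, common)
        print(f"{u['email']}: mass wordlist -> {found!r} after {n} guesses")

    # Targeted attack driven by the leaked hint (names and years are constructed guesses).
    targeted = hint_wordlist(["Max", "Buddy", "Rex"], range(1975, 1985))
    found, n = offline_guess(users[0], targeted)
    print(f"{users[0]['email']}: hint-driven list of {len(targeted)} -> {found!r} after {n} guesses")

    # The per-user salt means identical master passwords still produce different hashes,
    # so one precomputed table cannot be reused across the whole stolen database.
    print("same password, different salts, different hashes:",
          hash_master("Rex1979", b"a" * SALT_LEN) != hash_master("Rex1979", b"b" * SALT_LEN))
```

Run it and note the per-guess cost: at tens of milliseconds per PBKDF2 evaluation, a generic wordlist of millions of entries against thousands of users is slow work, but thirty hint-derived guesses against one executive’s account finish in seconds. That asymmetry is exactly why the advice below is to fix the hint first.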

In an email, James Arlen, Hamilton, Ont.-based director of risk security for Leviathan Security Group, said: “LastPass was breached in kind of an ugly way … But the facts remain that all users would benefit from a password manager of some type.
From a paper-based ‘manager’ that stays in your wallet, to a web-based system like LastPass, to my preference, a local password manager that encrypts and stores on your own computer: any manager is better than the one between your ears.
You need a manager for one simple reason: never reuse the same password. If your manager auto-generates complex passwords of long length, even better. A unique per-site password is your best defense for sites that do not offer multi-factor authentication.”
So if you’re a LastPass user and hold a C-level, VP or system administrator position, consider changing your password hint to something that reveals nothing to a stranger. And any user of a password manager should change the master password every quarter.

Finally, if the manager supports it, enable two-factor authentication. That capability should be one of the factors CISOs weigh when they recommend a password manager.

  • I Dorn

    I believe that 1Password is the best choice for password management. It meets all of the criteria mentioned in Howard Solomon’s article regarding encryption, long gibberish passwords, and the data created with it residing on your computer, not on a server on the web. The backup file it creates is encrypted. Store it where you wish: on a hard drive, a USB stick, Dropbox. The software is a Canadian product! AgileBits of Toronto created it. No, it isn’t free. I bought a family license years ago. That has turned into an excellent investment in security. There are apps for iOS phones and tablets. Android too. Yes, there is a Windows version! Make a change on any device and it is automatically updated on all devices! Wow! Please note: I am not an owner, investor, or employee of AgileBits. I am a very satisfied long-term client!