Which Password Managers Have Been Hacked?
Of the many ‘silver bullets’ out there looking to finally slay the password, none have been able to succeed. What this means is that passwords are here to stay, at least for the time being, and your best shot at both generating unique and cryptographically secure passwords and retrieving them whenever they’re needed is with a password manager.
Vulnerability of Password Manager Add-ons
One of the key pieces of advice that security experts (ourselves included) give is to take a look at whether the password management service has been hacked before or not, as well as whether it ‘features’ any security vulnerabilities that white-hat hackers have shared with the service providers. If the password management service has patched any vulnerabilities, then it could be a good choice.
To help make that decision a little easier, let’s take a look at the hacking history of some password managers. The aim isn’t a complete list, as you’ll see, but we have instead explored the most important hacks and the security vulnerabilities over years.
LastPass, My1Login, NeedMyPassword, PasswordBox, and RoboForm: Researchers at the University of California Berkeley discovered a number of vulnerabilities in a handful of password managers. “In four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites,” researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in their paper.
RoboForm: IT security consultant and tech enthusiast Paul Moore discovered one critical vulnerability and a privacy loophole in the password management service that could allow attackers and prying eyes to obtain users’ personal data, including stored login credentials for various websites and even card payment details.
KeePass: When KeeFarce (a hacking tool) runs on a computer where a logged-in user has the KeePass database unlocked, it decrypts the entire database and writes it to a file that the attacker can easily access. In theory this kind of attack, which targets the unlocked database in memory rather than the encryption, makes all password managers vulnerable.
LastPass: An intrusion to the company’s servers was detected. While encrypted user data wasn’t stolen, cyber criminals stole LastPass account email addresses, password reminders, server per-user salts, and authentication hashes.
MyPasswords, Informaticore, LastPass, Keeper, F-Secure Key, Dashlane, Keepsafe, Avast Passwords, and 1Password: This was a busy year in terms of password management vulnerabilities. TeamSIK (Security Is Key), a group of people interested in IT security from the Fraunhofer Institute for Secure Information Technology, discovered serious security flaws in the most popular password management apps developed for the Android platform.
LastPass: Google Project Zero Hacker Tavis Ormandy discovered a critical zero-day flaw that allowed any remote attacker to compromise accounts completely.
LastPass: Tavis Ormandy discovered a vulnerability in its browser plugins, which LastPass called a “major architectural problem”. The password management service advised users to avoid using its browser plugins while it dealt with the issue.
OneLogin: An attacker had “obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the U.S.”
Keeper: Tavis Ormandy discovered that the service was exposing passwords to unreliable web pages.
Does This Mean We Should Stop Using Password Managers?
No, not at all. The recent hacks and security vulnerabilities found in these services underscore one important aspect in security: no piece of software is able to truly offer more than 99% security. Reaching 100% security is impossible with any kind of software because every piece of code will have an Achilles heel somewhere that makes it vulnerable.
The question is different in this case: what does the team of developers do to protect user data, and what attack scenarios did they have in mind when they coded the software? Of course, if a service is static and the developers don’t keep their security up to date, then it can easily be hacked.
How user data is protected should be the main consideration when picking a password manager. Other features have their importance, but this is something you should always consider before making the final decision. For example, how do the developers communicate the bad news to their users? Transparency in communication is also another important aspect.
Free password managers are great utilities to start with; just be sure to keep an eye on the updates. Check the update history of the software, and if there isn’t much to check on, consider that a sign to move on to the next one. A lot can happen in just a few weeks in the security industry, so the bare minimum on your list of expectations should be up-to-date software and a quick response time to any security breaches or attacks. Otherwise, you could end up vulnerable to cyber attacks, which is the opposite of what you wanted in the first place.
The New Hot Job: Real-Time Password Manager
Who couldn’t use 24/7 live human help to recall how to log in?
People often wonder how the unemployment rate can remain so low in an era when manufacturing jobs have all but disappeared. Where are all these new jobs coming from?
For starters, it’s clear that at least 41.7 million Americans now work as baristas. And nearly that many work at least part-time as stand-up comics. (Research has determined that many of these are the same people.) And it is a little-known fact that an astonishing 17.1 million Americans now earn their living as personal password managers.
That’s right—these are people who literally keep track of their clients’ passwords, change the passwords when they become vulnerable and provide 24-hour live assistance in retrieving lost and forgotten passwords. If you haven’t heard of this, you’re obviously a late adopter. A late, late adopter.
“Passwords are hard to remember, and if you can’t punch in your ATM password while you’re hiking through the Hindu Kush you could find yourself in big trouble,” says Vixen Katmandu, founder of OMG Really Awesome Human Passwords of Brooklyn, now positioned to be the next Facebook or at least the next WeWork. “That’s why hiring a real, live human being to manage all your passwords for you 24/7 makes so much sense.”
A relieved and only slightly embarrassed public agrees. “I was using strong passwords like ‘ArtilleryPumasShamed689FastidiouslyBankruptCornMuffins,’” says Bruno Alteari, one of OMG Really Awesome Human Password’s first customers. “But then I’d forget whether ‘puma’ was capitalized, or if it was 689 or 869, or corn muffins or blueberry muffins. And then I’d get locked out of my email account for three days while sailing across the Straits of Magellan. Now I just send a text to somebody named Tron, and my problems are solved.”
With human password managers, consumers no longer have to write their passwords on tiny strips of paper and hide them in their shoes. Sure, sophisticated types use garden-variety online apps such as 1Password and Last Pass to simply store their passwords, seemingly bypassing the need for a living, breathing password manager. But those apps won’t create millions of U.S. jobs—nor bail you out of real trouble.
“What if you’re being detained in a Manila jail and need cash fast, and you can’t remember the password you need to access your password manager, and there’s no Internet connection anyway,” asks Bree Shostakovich, CEO of Like Seriously 24/7 Human Passwords, possibly the next Uber or at least Tesla. “Want to find yourself in that situation?”
Human password managers are not, as you might think, dimwit shut-ins armed with voluminous notebooks. Rather, they are ordinary people with excellent memories who earn a good salary keeping clients’ passwords lodged in their heads where no hacker can get to them.
“The average person is not going to remember ‘efghjythtq-439876NQ’,” says Didier du Vieux Croque-Monsieur Avec Salade Verte, a minor-league hockey coach who moonlights as a password manager. “But I will. EZ-PZ.”
Despite the genius of the human password system, some people obstinately continue to use readily hackable passwords like “LSU SUCKS” and “666.”
“It defeats the whole purpose of the exercise,” says another human password manager. “But I get paid the same fee no matter what password they use.”
Critics complain that an economy dependent on so many unskilled jobs is headed for disaster. The hockey coach scoffs at that notion.
“Where does it say that being able to perform open-heart surgery is any harder than remembering a couple hundred passwords like ‘7%65ETHIOPIA 5#@ArfArf_HEREKITTY-KITTY754#@OMAHA!OMAHA!!’” asks Mr. du Vieux Croque-Monsieur Avec Salade Verte. “Don’t U dare condescend 2 ME.”
The Best Password Managers and Security Tips: How To Solve Your Login Problems
LastPass, Dashlane, 1Password and the free edition from Bitwarden all provide great ways to juggle hundreds of safe, unique passwords. But which one is right for you?
Dealing with passwords is about as pleasant as cleaning gutters or filing taxes. But it is just as important.
I hate telling people to eat their vegetables—even virtual ones. Still, if you don’t have strong, unique passwords for every online account, it’s time to dig in. Don’t wait until someone’s stolen your identity or wiped your bank account.
You’ve probably heard of password managers. They might sound complicated, but setting up your password fortress doesn’t have to be painful. These services remember all of your passwords and can generate secure new ones. When you go to a login page on a web browser and even in many apps, the manager will automatically fill in what you need to access your account. Some even comb the web to alert you if any of your information shows up in a security breach.
A significant change to one of the most popular managers, LastPass, is why I have passwords on the brain again. On March 16, LastPass Free users will need to upgrade to the service’s premium plan—typically $36 a year but currently offered to them for $27 a year—if they want to continue syncing passwords across their devices. While I’m a fan of LastPass, its free plan is no longer a good choice.
The best password managers work on as many platforms as possible—which is why we generally recommend independent services over the password savers built into browsers and operating systems. I tested the most popular ones, in a quest for high security, broad options and ease of use. Here’s what I found:
• Easiest To Use: 1Password ($35.88 a year for individuals, $59.88 for families of up to five) has a user-friendly design and multiple layers of security baked in for a good price. 1Password doesn’t have a free tier—security is something we believe is worth paying for. “Free software almost always involves compromises,” a 1Password spokesman said. “We can focus our efforts on developing new ways to defend your data instead of collecting or exploiting it.”
As with other password managers, you can organize passwords into different collections: one for personal accounts, one for work, one for shared family logins. Travel Mode is unique to the service—it’s for people who need to hide sensitive information when traveling to countries where they fear their phone might be searched.
Dashlane ($59.99 a year for individuals, $89.99 for families of up to five) is also easy to use, and is a good choice if you’re interested in additional features such as a built-in VPN (aka virtual private network) for accessing the internet more securely, and a dark-web monitoring service that keeps an eye out for hackers who might have your credentials.
I ultimately opted for 1Password, because of the price. (I also thought Dashlane’s Mac Safari browser extension, now in beta, was buggy. A Dashlane spokeswoman said the team is working on a fix.)
• Best Service With Emergency Access: It’s a tie between Dashlane and LastPass Premium ($36 a year for individuals, $48 for families of up to six). Both let you grant a trusted contact access to your vault if you’re dead or incapacitated. Features like this are important because our lives are so tied up in our digital accounts, as my colleague Joanna recently covered. If something happens to you, your designee can request access to your vault. You can set a specified delay period between three hours and 30 days, during which you can deny that access if you’re able.
LastPass Premium isn’t as sleek as Dashlane, but it’s a very capable password manager, also with dark-web monitoring, plus a gigabyte of encrypted file storage (and a good Safari browser extension). If you use Safari, and don’t need the VPN, go with LastPass.
1Password views this kind of emergency access as a security threat. In a forum post, a company employee explained that a domestic abuser, to get into a password vault, could hold a victim against his or her will. He suggests storing a printout of your secret key code and your master password in a safe-deposit box or with your attorney.
• Best Free Option: Bitwarden has a full-featured free plan for individuals and two-person businesses that syncs an unlimited number of passwords across devices. The service has many key basics: end-to-end encryption, secure password generator, two-factor login and apps for every desktop platform, browser and mobile operating system, plus access via the web.
A premium membership ($10 a year for individuals, $40 for families of up to six) is required for bells and whistles, such as an exposed-passwords report and enhanced login protection.
“We are a for-profit company, but we find it completely harmonious and compatible to offer a basic manager for free,” said Michael Crandell, Bitwarden’s CEO. Many users who start with the free plan eventually decide to upgrade, he added.
Once you’ve picked a password manager, you can manually add in all of your old passwords. If you store passwords in your computer’s Chrome browser, you can export them and then import them into your new password manager. (Apple doesn’t have a similar password export option.) If you are switching from one password manager to another, exporting passwords is usually an option, too.
Password managers will improve your digital life. But whether you get one or not, there are four simple rules of password protection you need to know.
Rule #1—Don’t rely on passwords alone.
Use two-factor authentication, also known as 2FA, wherever possible. This requires an additional code or validation sent to another device.
In general, turning on 2FA is better than not having it at all. But if you have the choice, use an app authenticator (I like Authy) over a plain text message. It works when you don’t have cellular reception, and isn’t susceptible to SIM hijacking—where a hacker, targeting someone with a valuable account, cons that person’s phone number from the wireless carrier. You can call your carrier and add a passcode to your wireless account for added security.
Rule #2—Make long passwords.
The term “password” should be retired. The new hotness is passphrase. “Password length is a more important factor than complexity, because a longer password is harder to decrypt,” said Jameeka Green Aaron, chief information security officer at customer-authentication company Auth0.
For example, the passphrase “Raccoon Doorknob Spacecraft” would take centuries to crack, according to Bitwarden’s free password-strength testing tool. Meanwhile, according to the checker, a 12-character string, with uppercase and lowercase letters, symbols and numbers, could take an attacker just three years to crack. Most password managers let you set the length of automatically generated passwords.
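The following added example (not from the article or from Bitwarden’s tool) shows what “length over complexity” means in brute-force terms: it generates passwords and passphrases from the operating system’s CSPRNG, the way a password manager’s generator should, and reports the entropy each one carries. The 12-word wordlist, the 10^10 guesses-per-second rate and the function names are assumptions made for the example; the entropy figure is the exhaustive-search number, which is a different model from the pattern-based estimate a strength checker reports.

```python
"""Secure generation plus a brute-force entropy estimate (added example).

`secrets` draws from the OS CSPRNG; `random` is not suitable for passwords.
"""
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real diceware-style list (those hold 7776 words).
WORDLIST = ["raccoon", "doorknob", "spacecraft", "lantern", "marble", "orchard",
            "pepper", "quartz", "river", "saddle", "timber", "velvet"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every possibility at an assumed offline guessing rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def random_password(length: int, alphabet: str = SYMBOLS) -> str:
    """Uniformly random characters; each draw adds log2(len(alphabet)) bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist=WORDLIST, sep: str = " ") -> str:
    """Uniformly random words; each word adds log2(len(wordlist)) bits."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_length_vs_complexity() -> dict:
    """Why length wins: 16 lowercase letters carry far more entropy than
    8 characters drawn from the full 94-symbol set."""
    return {
        "8 chars, 94 symbols": entropy_bits(94, 8),
        "16 chars, lowercase only": entropy_bits(26, 16),
        "20 chars, 94 symbols": entropy_bits(94, 20),
    }


if __name__ == "__main__":
    for label, bits in compare_length_vs_complexity().items():
        print(f"{label}: {bits:.1f} bits, ~{years_to_exhaust(bits):.2g} years to exhaust")
    print(random_password(20))
    print(random_passphrase(5))
```

Run against a real 7776-word list, each extra word adds about 12.9 bits, so adding one word to a passphrase does more than adding a symbol to a short password, which is the practical reason to lengthen generated passwords when the manager lets you.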
Rule #3—Make it unique.
Whatever you do, don’t reuse passwords. It’s the most common way accounts get hacked, Ms. Aaron said. If hackers discover your password used in one place, they try it in other places. This is where password managers come in.
Use them to create strong unique passwords and store them for all your accounts.
Rule #4—Have a backup plan for your backup plan.
The key to your password manager is a master password, along with a device to authenticate your login. A good password manager doesn’t know what your master password is—and can’t help you recover your account.
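Here is an added example of the design behind that sentence, and of why the LastPass server intrusion described earlier could expose per-user salts and authentication hashes without handing over vault contents. It is a generic zero-knowledge key-derivation layout written for this page, not any vendor’s actual scheme; the iteration count, the names `vault_key` and `auth_hash`, and the sample credentials are assumptions.

```python
"""Zero-knowledge login: the service stores a salt and an authentication hash,
never the master password or the key that encrypts the vault (added example,
not any product's real protocol)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ITERATIONS = 100_000  # assumed client-side PBKDF2 cost; real products tune this higher


@dataclass
class ServerRecord:
    """Everything the service keeps for one account (and everything a server
    breach can leak)."""
    email: str
    salt: bytes        # per-user salt, sent to the client before login
    auth_hash: bytes   # login proof; cannot decrypt the vault


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Client only. Stretches the master password into the vault encryption key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               ITERATIONS, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client only. One more one-way step separates the value sent to the
    server from the key that protects the vault."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(),
                               1, dklen=32)


def register(email: str, master_password: str) -> ServerRecord:
    """Client derives both secrets; only salt and auth hash go to the server."""
    salt = secrets.token_bytes(16)
    vault_key = derive_vault_key(master_password, salt)
    return ServerRecord(email, salt, derive_auth_hash(vault_key, master_password))


def login(record: ServerRecord, master_password: str) -> bool:
    """Client recomputes the auth hash from the stored salt; server compares in
    constant time. The master password and vault key never leave the client,
    which is also why the service cannot reset a forgotten master password."""
    vault_key = derive_vault_key(master_password, record.salt)
    candidate = derive_auth_hash(vault_key, master_password)
    return hmac.compare_digest(candidate, record.auth_hash)


def breach_exposes(record: ServerRecord) -> dict:
    """What a server-side breach yields: enough to guess offline at a rate
    bounded by ITERATIONS, which is why master-password length matters."""
    return {"email": record.email, "salt": record.salt.hex(),
            "auth_hash": record.auth_hash.hex()}


if __name__ == "__main__":
    rec = register("user@example.test", "Raccoon Doorknob Spacecraft")  # constructed
    print(login(rec, "Raccoon Doorknob Spacecraft"), login(rec, "wrong"))
    print(breach_exposes(rec))
```

The two-stage derivation is the point to take away: the server-held value is a proof of knowledge, not the encryption key, so a stolen `auth_hash` still has to be guessed through the full PBKDF2 cost before it unlocks anything.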
So, to be a good password parent, you need to think of the worst-case scenario: What if you lose the device your two-factor authentication codes are sent to? What if you forget your master password?
Authy syncs authenticator codes across several devices (say, your phone and your iPad), which helps if you lose one. Setting up a physical security key, such as YubiKey, as an additional authenticator is another protective measure. As for remembering your master password, the best solution is low tech: Write it down on a piece of paper and stow it away with the rest of your most important documents. It’s safer in the physical world than it is in the digital one.