LastPass had an issue the other day, a rather nasty one by all accounts that under certain (undisclosed) circumstances, it looks like it could lead to someone’s password (or possibly passwords) being disclosed by virtue of a remote code execution vulnerability. This is not a good thing – nobody wants an RCE vuln in their software – but as is prone to happen with these incidents, some people went about promptly losing their minds. This prompted me to suggest the following:
Password managers don’t need to be perfect, they just need to be better than *not* using them which they unequivocally still are https://t.co/nVG5G6RAWx
— Troy Hunt (@troyhunt) April 1, 2017
The mind-losing generally centred around the premise that here was proof a password manager should never be used because it poses an unacceptable risk. It’s the same irrational response we’ve seen after previous disclosures relating to LastPass and other password managers, my favourite 1Password included in that. It’s irrational because it’s a single-dimension response: the password manager had a flaw therefore we should no longer use it. But let’s stop and think about the alternative for a moment…
Your brain is a very bad password manager. It’s incapable of storing more than a couple of genuinely random strings of reasonable length (apologies if you’re a savant and I’ve unfairly characterised you in with the rest of our weak human brains). That leads to compromises. If you’re one of these people who says “I’ve got a formula that always gives me unique passwords that are strong”, no you don’t, they probably aren’t and no they’re not. You’re making concessions on what we empirically know is best practice and you’re kidding yourself into thinking you aren’t. I’ve had this debate many times before and there’s dozens of comments raging backwards and forwards about this in my post on how the only secure password is the one you can’t remember.
And “compromises” is really where the discussion needs to be because what we should be talking about is how option A compares with option B. In this case, how does putting genuinely strong, unique passwords in a password manager which may have a security risk compare with putting weak passwords in your brain? You’re comparing a low chance of something going wrong and resulting in an impact across the breadth of your accounts with a high chance of something going wrong and impacting a smaller number of accounts. Except that last bit probably isn’t accurate because we know that the “put it in my brain and hope for the best” strategy usually results in the one weak password being reused all over the place (I’ve got a couple of billion records of proof on that too, by the way).
I really like the work Tavis is doing in finding these bugs because quite simply, it makes the software better. We all should want one of the smartest blokes in the industry hammering away at password managers and then operating under the banner of Google’s Project Zero the disclose vulns responsibly. But it’s going to make headlines too and holy cow, don’t journos love a good headline! So our challenge now is we need to take that headline, filter out all the bullshit and reach some sort of educated conclusion as to how bad it is. Then we need to compare it to the other bad thing which is not using a password manager at all. So far, we’re yet to see a vulnerability with a major password manager worthy of chucking the things out altogether and trusting our brains instead.
Let me give you a great example of the sorts of discussion we should be having: I’ve had many people share The Personal Internet Address & Password Log Book with me whilst loudly gnashing their teeth at the gall of so many passwords being stored in such a weak fashion:
But let’s actually use some common sense for a bit: We all know people for whom LastPass, 1Password and all the other ones pose insurmountable usability barriers. They might be elderly or technically illiterate or just not bought in enough to the whole password manager value proposition to make it happen. They’re doing the memory thing and failing badly at it, but then you give them the password book. They write down sites and passwords because hey, it’s a pen and paper this is something they understand well. Then they put their unencrypted, plain text passwords in a drawer. Their “threat actors” are anyone who can access that drawer and right off the bat, that’s a significantly smaller number of people than what can take a shot at logging onto online services using the usual poorly thought-out passwords people have. See how different the discussion becomes when you look at a security practice like this compared to alternatives rather than in isolation?
The UK gov’s National Cyber Security Centre put out a piece on password managers earlier this year. They rhetorically ask the question “should I use a password manager?” and reach a very simple conclusion:
Yes. Password managers are a good thing.
And then, as if it was written just to illustrate the point of this blog post, one bright spark chimes in with a comment and suggests that password mangers are a bad idea because “there is no such thing as 100% security”. Of course there isn’t! But there doesn’t have to be to justify using a password manager, it just has to be better than not using one.
Password managers are a good thing. Even when issues like the LastPass one above are found, they’re still far superior to our frail human brains when it comes to your overall security posture. Until such time as that changes and either they’re worse due to a flaw that actually causes some serious damage or we create something better again, this is where the game is at. Less sensationalism, more pragmatism.