LastPass source code breach – do we still recommend password managers?

As you no doubt already know, because the story has been all over the news and social media recently, the widely-known and widely-used password manager LastPass last week reported a security breach.

The breach itself actually happened two weeks before that, the company said, and involved attackers getting into the system where LastPass keeps the source code of its software.

From there, LastPass reported, the attackers “took portions of source code and some proprietary LastPass technical information.”

We didn’t write this incident up last week, because there didn’t seem to be a lot that we could add to the LastPass incident report – the crooks rifled through their proprietary source code and intellectual property, but apparently didn’t get at any customer or employee data.

In other words, we saw this as a deeply embarrassing PR issue for LastPass itself, given that the whole purpose of the company’s own product is to help customers keep their online accounts to themselves, but not as an incident that directly put customers’ online accounts at risk.

However, over the past weekend we’ve had several worried enquiries from readers (and we’ve seen some misleading advice on social media), so we thought we’d look at the main questions that we’ve received so far.

After all, we regularly recommend that our readers and podcast listeners consider using a password manager, even though we’ve also written up numerous security blunders in password manager tools over the years.

So, we’ve put together six questions-and-answers below, to help you make an informed decision about the future of password managers in your own digital life.

Q1. What if my password manager gets hacked?

A1. That’s a perfectly reasonable question: if you put all your password eggs in one basket, doesn’t that basket become a single point of failure?

In fact, that’s a question we’ve been asked so often that we have a video specifically to answer it.

Q2. If I use LastPass, should I change all my passwords?

A2. If you want to change some or all of your passwords, we’re not going to talk you out of it.

(One handy thing about a password manager, as we explain in the video above, is that it’s much quicker, easier and safer to change passwords, because you’re not stuck with trying to concoct and remember dozens of new and complicated text strings in a hurry.)

By all accounts, however, this security incident has nothing to do with the crooks getting at any of your personal data, least of all your passwords, which aren’t stored on LastPass’s servers in a usable form anyway. (See Q5.)

This attack doesn’t appear to involve a vulnerability in or an exploit against the LastPass software by which crooks could attack the encrypted passwords in your password vault, or to involve malware that knows how to insinuate itself into the password decryption process on your own computers.

Furthermore, it doesn’t involve the theft of any personally identifiable “real life” customer information such as phone numbers, postcodes or individual ID numbers that might help attackers to persuade online services into resetting your passwords using social engineering tricks.

Therefore, we don’t think you need to change your passwords. (For what it’s worth, neither does LastPass.)

Q3. Should I give up on LastPass and switch to a competitor?

A3. That’s a question you will have to answer for yourself.

As we said above, as embarrassing as this incident is for LastPass, it seems that no personal data was breached and no password-related data (encrypted or otherwise) was stolen, only the company’s own source code and proprietary information.

Did you ditch Chrome when Google’s recent in-the-wild zero day exploit was announced? Or Apple products after the latest zero-day double play? Or Windows after any Patch Tuesday update in which zero-day bugs were fixed?

If not, then we’re assuming that you are willing to judge a company’s likely future cybersecurity trustworthiness by how it reacted last time a bug or a breach occurred, especially if the company’s blunder didn’t directly and immediately put you at risk.

We suggest that you read the LastPass incident report and FAQ for yourself, and decide on that basis whether you are still inclined to trust the company.

Q4. Doesn’t stolen source code mean that hacks and exploits are bound to follow?

A4. That’s a reasonable question, and the answer isn’t straightforward.

Generally speaking, source code is much easier to read and understand than its compiled, “binary” equivalent, especially if it is well-commented and uses meaningful names for things like variables and functions inside the software.

As a somewhat synthetic but easy-to-follow example, compare the Lua source code on the left below with the compiled bytecode (like Java, Lua runs in a virtual machine) on the right:

[Image. Left: readable, commented source code. Right: compiled Lua bytecode, as executed at runtime.]
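The same contrast can be reproduced at home with Python instead of Lua, which also compiles to bytecode for a virtual machine. The snippet below is an added example, not the listing from the image above, and the `check_pin` function it compiles is a constructed sample: it prints the disassembly a reverse engineer would see, and reports which parts of the source survive compilation (names and line numbers do; comments do not).

```python
import dis
import io
import marshal

# Constructed sample, standing in for the Lua listing: a small,
# well-commented function with meaningful names.
SAMPLE_SOURCE = '''
def check_pin(entered, stored):
    # Reject early if the lengths differ.
    # NOTE: a real implementation would use a constant-time comparison.
    if len(entered) != len(stored):
        return False
    for expected_char, entered_char in zip(stored, entered):
        if expected_char != entered_char:
            return False
    return True
'''


def compile_function(src, func_name="check_pin"):
    """Compile the source text and return the code object of the named function."""
    namespace = {}
    exec(compile(src, "<sample>", "exec"), namespace)
    return namespace[func_name].__code__


def disassemble(code):
    """Human-readable bytecode listing: roughly what the right-hand column shows."""
    buf = io.StringIO()
    dis.dis(code, file=buf)
    return buf.getvalue()


def what_survives(src):
    """Which parts of the source can still be recovered from the compiled form?"""
    code = compile_function(src)
    blob = marshal.dumps(code)  # the serialised bytecode, as written to a .pyc file
    return {
        # Comments are discarded by the compiler (a docstring, by contrast, would be kept).
        "comments": b"constant-time" in blob,
        # Function and parameter names are kept so tracebacks and introspection work.
        "function_name": code.co_name.encode() in blob,
        "parameter_names": all(name.encode() in blob for name in code.co_varnames),
        # Line-number tables survive too, which is why tracebacks can cite source lines.
        "line_numbers": code.co_firstlineno > 0,
    }


if __name__ == "__main__":
    print(SAMPLE_SOURCE)
    print(disassemble(compile_function(SAMPLE_SOURCE)))
    print(what_survives(SAMPLE_SOURCE))
```

Run it and compare the two listings: the `if`/`for` logic is still entirely visible in the bytecode, which is the point made below about closed-source binaries being reverse engineered every Patch Tuesday. What disappears is mainly the commentary that explains *why* the code does what it does.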

In theory, therefore, source code means it ought to be quicker and easier to determine exactly how the software works, including spotting any programming blunders or cybersecurity mistakes, and therefore vulnerabilities ought to be easier to find, and exploits quicker to devise.

In practice, it’s true that acquiring source code to go along with the compiled binaries you are trying to reverse engineer will rarely, if ever, make the job more difficult, and will often make it easier.

Having said that, you need to remember that Microsoft Windows is a closed-source operating system, and yet many, if not most, of the security holes fixed each month on Patch Tuesday were reverse engineered directly from precompiled binaries.

In other words, keeping your source code secret should never be considered to be a vital part of any cybersecurity process.

You also need to remember that many projects rely explicitly on making their source code public, not merely so that anyone can scrutinise it, but also so that anyone who wants can use it, modify it and contribute for the greater good of all.

Yet even mainstream open-source projects with liberal usage licences, and with potentially many eyes on that source code over many years, have required critical security patches for bugs that could have been spotted many times over, but weren’t.

Lastly, many proprietary software projects these days (examples include Google’s Chrome browser; Apple’s iOS operating system; the Sophos XG firewall; and thousands more widely-used hardware and software tools) nevertheless make extensive use of numerous open-source components.

Simply put, most contemporary closed-source projects include significant parts for which source code can be downloaded anyway (because licensing demands it), or can be inferred (because licensing requires its use to be documented, even if some modifications were subsequently made to the code).

In other words, this source code leak may help potential attackers slightly, but almost certainly [a] not as much as you might at first think and [b] not to the point that new exploits will become possible that could never have been figured out without the source code.

Q5. Should I give up on password managers altogether?

A5. The argument here is that if even a company that prides itself on providing tools to lock up your personal and corporate secrets more securely can’t lock up its own intellectual property safely, surely that’s a warning that password managers are a “fool’s errand”?

After all, what if the crooks break in again, and next time it’s not the source code they get hold of, but every individual password stored by every individual user?

That’s a worry – you might almost call it a meme – that’s regularly seen on social media, especially after a breach of this sort: “What if the crooks had downloaded all my passwords? What was I thinking, sharing all my passwords anyway?”

Those would be genuine concerns if password managers worked by keeping exact copies of all your passwords on their own servers, where they could be extracted by attackers or demanded by law enforcement.

But no decent cloud-based password managers work that way.

Instead, what’s stored on their servers is an encrypted database, or “blob” (short for binary large object) that is only ever decrypted after being transferred to your device, and after you’ve provided your master password locally, perhaps with some sort of two-factor authentication involved to reduce the risk of local compromise.

No passwords in your password vault are ever stored in a directly usable form on the password manager’s servers, and your master password is ideally never stored at all, not even as a salted-and-stretched password hash.

In other words, a reliable password manager company doesn’t have to be trusted not to leak your passwords in the event of a hack of its databases, or to refuse to reveal them in the event of a warrant from law enforcement…

…because it couldn’t reveal them, even if it wanted to, given that it doesn’t keep a record of your master password, or any other passwords, in any database from which it could extract them without your agreement and collaboration.

(The LastPass website has a description and a diagram – admittedly a rather basic one – of how your passwords are protected from server-side compromise by not being decrypted except on your own device, under your direct control.)
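To make the “encrypted blob, decrypted only on your device” model concrete, here is an added example of a minimal client/server split; it is not LastPass’s code, nor a description of its exact scheme. The key derivation (PBKDF2-HMAC-SHA256, with a constructed iteration count) and the login verifier are assumptions about how such a product might work, and the encryption uses HMAC-SHA256 in counter mode with a separate authentication tag as a standard-library-only stand-in for an AEAD cipher such as AES-GCM, so that it runs with no third-party packages. The interesting function is `server_side_bytes`: it is everything a crook who copied the server database would get.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

# Hypothetical work factor; real products choose their own.
DEFAULT_ITERATIONS = 600_000


@dataclass
class ServerRecord:
    """Everything the service stores for one user: no master password, no vault key."""
    salt: bytes
    iterations: int
    login_verifier: bytes
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def derive_vault_key(master_password, salt, iterations):
    # Slow, salted derivation done on the client; the result never leaves the device.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def derive_login_verifier(vault_key):
    # One-way value the server may keep to authenticate logins; it cannot be turned back into vault_key.
    return hmac.new(vault_key, b"login-verifier", hashlib.sha256).digest()


def _subkeys(vault_key):
    enc_key = hmac.new(vault_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-GCM, not a recommendation.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(vault_key, plaintext):
    # Encrypt-then-MAC, so the client can detect a tampered or wrongly-keyed blob.
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def unseal(vault_key, nonce, ciphertext, tag):
    enc_key, mac_key = _subkeys(vault_key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault blob failed its integrity check (wrong master password or tampering)")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def client_upload(master_password, vault, iterations=DEFAULT_ITERATIONS):
    """Client side: derive the key locally, encrypt the vault, and hand the server only a ServerRecord."""
    salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, salt, iterations)
    nonce, ciphertext, tag = seal(vault_key, json.dumps(vault).encode())
    return ServerRecord(salt, iterations, derive_login_verifier(vault_key), nonce, ciphertext, tag)


def client_open(master_password, record):
    """Client side again: re-derive the key from the master password and decrypt the downloaded blob."""
    vault_key = derive_vault_key(master_password, record.salt, record.iterations)
    if not hmac.compare_digest(derive_login_verifier(vault_key), record.login_verifier):
        raise ValueError("login verifier mismatch")
    return json.loads(unseal(vault_key, record.nonce, record.ciphertext, record.tag))


def opens_with(master_password, record):
    """True only if this master password decrypts the stored blob."""
    try:
        client_open(master_password, record)
        return True
    except ValueError:
        return False


def server_side_bytes(record):
    """Everything an attacker who copied the server's database would hold for this user."""
    return b"".join([record.salt, record.iterations.to_bytes(4, "big"), record.login_verifier,
                     record.nonce, record.ciphertext, record.tag])
```

The property worth checking is that neither the master password nor any vault entry appears anywhere in `server_side_bytes`, and that a wrong master password fails to open the blob. The remaining risk in this model is exactly the one the article names: a weak master password that can be guessed offline against the stolen salt and verifier, which is why the iteration count matters and why 2FA on the account is worth having.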

Q6. Remind me again – why use a password manager?

A6. Let’s summarise the benefits while we’re about it:

  • A good password manager simplifies good password use for you. It turns the problem of choosing and remembering dozens, or perhaps even hundreds, of passwords into the problem of choosing one really strong password, optionally reinforced with 2FA. There’s no longer any need to cut corners by using “easy” or guessable passwords on any of your accounts, even ones that feel unimportant.
  • A good password manager won’t let you use the same password twice. Remember that if crooks recover one of your passwords, perhaps due to a compromise at a single website you use, they will immediately try the same (or similar) passwords on all the other accounts they can think of. This can greatly magnify the damage done by what might otherwise have been a contained password compromise.
  • A good password manager can choose and remember hundreds, even thousands, of long, pseudo-random, complex, completely different passwords. Indeed, it can do this just as easily as you can remember your own name. Even when you try really hard, it’s difficult to choose a truly random and unguessable password yourself, especially if you’re in a hurry, because there’s always a temptation to follow some sort of predictable pattern, e.g. left hand then right hand, consonant then vowel, top-middle-bottom row, or name of cat with -99 on the end.
  • A good password manager won’t let you put the right password in the wrong site. Password managers don’t “recognise” websites just because they “look right” and have the correct-looking logos and background images on them. This helps to protect you from phishing, where you fail to notice that the URL isn’t quite right, and put your password (and even your 2FA code) into a bogus site instead.
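The last three points in the list above can be shown in a few lines of code. The snippet below is an added example, not code from any password manager: it generates passwords from the operating system’s cryptographic random source, flags entries that reuse a password, and decides whether to autofill by comparing the page’s exact origin (scheme, host and port) with the one the credential was saved for, which is how a manager avoids being fooled by a lookalike domain. The vault contents and URLs in the test are constructed.

```python
import secrets
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    # secrets (not random) draws from the OS CSPRNG: no keyboard patterns, no cat's name.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def find_reused_passwords(vault):
    """Groups of sites sharing one password, so a breach at one can't cascade to the rest."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in sites_by_password.values() if len(sites) > 1)


def origin_of(url):
    """(scheme, host, port) of a URL, or None if it isn't a usable web origin."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # .hostname is lower-cased and excludes any user@ prefix, so
    # "https://accounts.example.com@evil.test/" resolves to evil.test, not to the lookalike.
    return (parts.scheme, parts.hostname, port)


def should_autofill(stored_login_url, current_url):
    """Fill only when the page's origin exactly equals the one the credential was saved for.
    Logos, layout and 'looks about right' play no part in the decision."""
    stored = origin_of(stored_login_url)
    return stored is not None and stored == origin_of(current_url)
```

A manager that fills on origin equality will simply stay silent on a phishing page, which is itself a useful signal: if the password you expect to be offered isn’t, look at the address bar before typing anything.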

Don’t jump to conclusions

So, there’s our advice on the issue.

We’re staying neutral about LastPass itself, and we’re not specifically recommending any password manager product or service out there, including LastPass, above or below any other.

But whatever decision you make about whether you’ll be better off or worse off by adopting a password manager…

…we’d like to ensure that you make it for well-informed reasons.

If you have any more questions, please ask in the comments below – we’ll do our best to answer promptly.