Of the many ‘silver bullets’ out there looking to finally slay the password, none have been able to succeed. What this means is that passwords are here to stay, at least for the time being, and your best shot at both generating unique and cryptographically secure passwords and retrieving them whenever they’re needed is with a password manager.
This is what security experts have been advocating for years because these tools create a safe environment in which users can store all of their credentials and financial data without the hassle of remembering each and every username and password. But how do you pick the best password management service?
One of the key pieces of advice that security experts (ourselves included) give is to take a look at whether the password management service has been hacked before or not, as well as whether it ‘features’ any security vulnerabilities that white-hat hackers have shared with the service providers. If the password management service has patched any vulnerabilities, then it could be a good choice.
To help make that decision a little easier, let's take a look at the hacking history of some password managers. The aim isn’t a complete list, as you'll see, but we have instead explored the most important hacks and the security vulnerabilities over years.
- LastPass, My1Login, NeedMyPassword, PasswordBox, and RoboForm: Researchers at the University of California Berkeley discovered a number of vulnerabilities in a handful of password managers. “In four out of the five password managers we studied, an attacker can learn a user's credentials for arbitrary websites,” researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in their paper.
- RoboForm: IT security consultant and tech enthusiast Paul Moore discovered one critical vulnerability in and a privacy loophole in the password management service that could allow attackers and prying eyes to obtain users' personal data, including stored login credentials of various websites and even card payment details.
- KeePass: When this program runs on a computer where a logged in user has the KeePass database unlocked, KeeFarce (a hacking tool) decrypts the entire database and writes it to a file that the hacker can easily access. In theory this kind of hack makes all password managers vulnerable.
- LastPass: An intrusion to the company’s servers was detected. While encrypted user data wasn't stolen, cyber criminals stole LastPass account email addresses, password reminders, server per-user salts, and authentication hashes.
- MyPasswords, Informaticore, LastPass, Keeper, F-Secure Key, Dashlane, Keepsafe, Avast Passwords, and 1Password: This was a busy year in terms of password management vulnerabilities. TeamSIK (Security Is Key), a group of people interested in IT security from the Fraunhofer Institute for Secure Information Technology, discovered serious security flaws in the most popular password management apps developed for the Android platform.
- LastPass: Google Project Zero Hacker Tavis Ormandy discovered a critical zero-day flaw that allowed any remote attacker to compromise accounts completely.
- LastPass: Tavis Ormandy discovered a vulnerability in its browser plugins, which LastPass called a “major architectural problem“. The password management service advised users to avoid using its browser plugins while it dealt with the issue.
- OneLogin: An attacker had “obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the U.S.”
- Keeper: Tavis Ormandy discovered that the service was exposing passwords to unreliable web pages.
Does This Mean We Should Stop Using Password Managers?
No, not at all. The recent hacks and security vulnerabilities found in these services underscore one important aspect in security: no piece of software is able to truly offer more than 99% security. Reaching 100% security is impossible with any kind of software because every piece of code will have an Achilles heel somewhere that makes it vulnerable.
The question is different in this case: what does the team of developers do to protect user data, and what attack scenarios did they have in mind when they coded the software? Of course, if a service is static and the developers don't keep their security up to date, then it can easily be hacked.
How user data is protected should be the main consideration when picking a password manager. Other features have their importance, but this is something you should always consider before making the final decision. For example, how do the developers communicate the bad news to their users? Transparency in communication is also another important aspect.
Free password managers are great utilities to start with, just be sure to keep an eye on the updates. Check the update history of the software and if there isn’t much to check on, then it can be considered a sign to move on to the next one. A lot can happen in just a few weeks in the security industry, so the bare minimum on your list of expectations should be up-to-date software and a quick response time to any security breaches or attacks. Otherwise, you could end up vulnerable to cyber attacks, which isn’t the opposite of what you wanted in the first place.
Best Password Managers of 2019
|Editor's Choice 2019|
- How Does a Password Manager Work?
- How Often Should I Change My Passwords?
- iCloud Keychain
- Is a Password Manager Safe?
- Is a Password Manager Worth It?
- Is it Safe to Use Random Password Generators?
- Is It Secure to Save Passwords in My Browser?
- Should I Use a Password Manager?
- What Is a Password Manager?
- What to Do If Your Password Manager Is Hacked?
- Which Password Manager Should I Use?
- Which Password Managers Have Been Hacked?