Password Managers Hacks
News that surfaced last week reports a security flaw in the most popular password managers out there, including LastPass, KeePass, and 1Password among others. Does this mean people should stop using them? No. Will people use this news as yet another excuse not to use password managers? Sure.
The Washington Post’s Geoffrey A. Fowler nails it:
I still think you should use a password manager. So do the ethical hackers with Independent Security Evaluators who came to me with news of the flaws — and other security pros I spoke to about the study, published Tuesday. You wouldn’t stop using a seat belt because it couldn’t protect you from every kind of vehicle accident. The same applies to password managers.
(emphasis at the end is mine)
I am no security expert, but it seems to me exploiting this vulnerability requires physical access. This means that someone would need to grab your computer while you’re not watching, dump your RAM into a file, and run away with it before you come back, in the hope that it captured the right password. This is a much lower risk than a bad guy finding your reused “super safe password” that you use for everything somewhere on the dark web, logging into your bank account, your email, and your phone carrier’s website, and convincing your bank he’s really you. But don’t take it from me, take it from @SwiftOnSecurity.
A good point there, as well: keyloggers (or similar) are actually more likely than a memory dump because they come bundled with most RATs out there and other Trojans people download from the web every day.
But who’s going to listen anyway? I keep trying to get my partners, my family, and my friends on password managers. Almost no one buys in. My favorite argument of all time, from an old classmate: “I feel safer remembering my passwords than some teenager hacker from Indonesia hacking into LastPass and stealing all my passwords.” Of which she probably has no more than 7.
Sigh.