In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious…

  • bh11235@infosec.pub
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Yes, definitely. It instigated a lot of turmoil and a gamut of spicy takes regarding the fundamental question of whether password managers as a model “work”. On the one hand some people laughed at the idea of putting your password on the cloud and touted post-it notes for being a more secure alternative. On the other hand people extolled the virtues of the cryptographic model at the base of password managers, claiming that even if tomorrow the entire LastPass executive org went rogue, your password would still be safe.

    As far as I understand, the truth is more nuanced. Consider that this breach took place 9 months ago, but you’re only reading about cracked passwords now. It seems like the model did what it was supposed to do, and people behind the breach had to patiently brute-force victim master passwords. This means they got to the least secure passwords first: If you picked “19 deranged geese obliterating a succulent dutch honey jar at high noon” or whatever, you’re probably safe. But it doesn’t strike me as too wise to get complacent on account of this, either. Suppose next time the attackers get enough access to “tweak” the LastPass chrome extension to exfiltrate passwords. Now what?

    The thing is we’re stuck between a rock and a hard place with passwords. We already know it’s impractical to ask users to remember 50 different secure passwords. So assuming we solve this using a password vault, there’s no optimal place to keep it. On the cloud you get incidents like this. Outside of the cloud one day you’re going to lose your thumb drive, your machine, your whatever. “So keep a backup” but who out of your normie relatives is honestly going to do this, and do you really trust a backup you haven’t used in 5 years to work in the moment of truth? I don’t know if there is any proper solution in the immediately visible solution space, and if there is, I don’t know if anyone has the financial incentive to implement it, sell it, buy it. People say the future is in passwordless authentication, FIDO2 etc, but try to google actually using one of these for your 5 most-used accounts, you’re not going to come out of the experience very thrilled.