Unsurprisingly, given the high-value data they hold, malware is targeting password managers more often, and in February this year LastPass announced it had suffered a data breach. So, what does that mean for users? Should we still use password managers?
The global password manager market was valued at under $2B in 2022 but is expected to grow to a $6B-$7.8B market in the coming years. Many long-time cybersecurity experts now use and recommend password managers because they make it easy to create and use a strong, unique password for every site, service or application.
A password manager stores all your passwords in what is often called a vault. A vault is usually just a regular computer file, but it can be a database file or a few other formats. The file is usually stored on the device where the password manager is installed, but on some password managers, the vault can be located somewhere else such as on removable media.
Stored passwords may also be replicated to non-local storage, such as the vendor’s servers or a cloud storage service. However a password manager stores the passwords, they are all accessible from the program.
If a password manager is compromised, an attacker can access all the stored passwords at once, instead of learning only one or a few passwords at a time (through observation or keylogging trojans) as the user types them in. Whether password managers are worth the risk has always been hotly debated among practitioners. Are the big risks they offset, namely weak and reused passwords, worth the potentially catastrophic single-point-of-failure risk?
Should You Still Use a Password Manager?
Yes! The huge risks that password managers mitigate (that of weak and/or shared passwords) far outweigh the risk of a user’s password manager being compromised. Yes, we are seeing more password manager-targeting malware, but the way in which the malware compromises password managers would be equally harmful to the user even if no password manager were used.
Almost all password-stealing trojans, of which there are many, require that the user’s desktop be “locally” compromised, and in most cases, the user’s browser also be compromised. The malware then records passwords as the user uses them. This keylogging functionality is usually identical regardless of whether a password manager is involved or not.
There is an increased risk that a hands-on attacker could extract all stored passwords at once, beyond what automated malware currently does, but manual, human adversaries are only a small fraction of the threat compared to automated malware. And the attacker can only extract the passwords if your password manager is open and unlocked, which further limits the risk.
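The two points above (everything is exposed at once, but only while the vault is open and unlocked) can be made concrete with a small model. This is an added illustration, not the format or code of any real password manager: the vault is sealed at rest with a key derived from the master password, plaintext exists in memory only between `unlock()` and `lock()`, and the encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) stands in for a real AEAD because the standard library has no AES.

```python
import hashlib
import hmac
import json
import os


def derive_key(master_password: str, salt: bytes) -> bytes:
    # Slow KDF: 64 bytes, first half for encryption, second half for the MAC.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 600_000, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode (illustrative substitute for a real cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key[:32], nonce, len(plaintext))))
    tag = hmac.new(key[32:], nonce + body, "sha256").digest()  # encrypt-then-MAC
    return nonce + body + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[32:], nonce + body, "sha256").digest()):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(body, _keystream(key[:32], nonce, len(body))))


class ToyVault:
    """Constructed model: ciphertext on disk, plaintext in memory only while unlocked."""

    def __init__(self, master_password: str, entries: dict):
        self.salt = os.urandom(16)
        self.at_rest = seal(derive_key(master_password, self.salt), json.dumps(entries).encode())
        self.entries = None  # nothing readable in memory until unlocked

    def unlock(self, master_password: str) -> None:
        self.entries = json.loads(open_sealed(derive_key(master_password, self.salt), self.at_rest))

    def lock(self) -> None:
        self.entries = None

    def memory_view(self):
        # What code reading this process's memory would find: all entries, or nothing.
        return self.entries
```

At rest the file yields nothing without the master password, while an unlocked vault exposes every entry at once; that single-point-of-failure shape is exactly what the text weighs against weak and reused passwords.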
Defenses Against Password Manager-Targeting Malware
The clear number one answer is: do not get socially engineered into installing a password-stealing trojan. Nearly all password-stealing trojans get installed because an end user was tricked into running something they should not have opened or executed.
The second most likely way you are to end up with a password-stealing trojan on your computer (and it is a distant second) is due to unpatched software. Make sure you check for and install all critical patches.
Use phishing-resistant MFA or passwordless options when and where you can. Use them not only to protect your password manager (instead of relying on a master password alone), but also on all your most important sites and services. Unfortunately, if you added up all the possible MFA and passwordless authentication solutions together, they could not be used on over 2% of the world’s websites and services.
So, you are going to need to use passwords. Use a good password manager from a vendor with a true commitment to security to create and use strong passwords. You are far more likely to get compromised by using weak or shared passwords.