It's been over a year since I presented LostPass at
ShmooCon, and in that time, many more bugs have been found in password
managers. The most severe of these are in browser-based password manager
extensions, like LastPass.
This should be obvious to everyone who has been paying attention:
browser-based password manager extensions should no longer be used as they
are fundamentally risky and have the potential to have all of your credentials
stolen without your knowledge, by a random malicious website you visit, or by
malvertising.
Here's the thing: when you use a browser extension password manager, you're
giving attackers an API to interact with your password manager via JavaScript
or the DOM. That's how LostPass worked, and it's how many of the new attacks
work, too. Desktop-based password managers have no such access, as they require
compromising the local machine first, which is much harder than visiting a
webpage.
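The paragraph above is the core of the argument: once a manager lives in the browser, page JavaScript and the DOM become an interface to it, and a malvertising iframe is a page like any other. The minimum mitigation is that any fill decision is made only from origins the browser itself supplies, never from anything the page claims about who it is. The following is an added example, not code from the original post or from any password manager; the vault entries and origins are constructed sample values.

```javascript
// Added example (not from the original post): the decision a browser-side
// password manager should make before a credential is handed to any frame.
// Everything below is constructed sample data; no real product's logic.

// A stored entry records the exact origin (scheme + host + port) it was saved from.
const VAULT = [
  { id: 1, origin: 'https://mail.example.com', username: 'alice' },
  { id: 2, origin: 'https://bank.example.org', username: 'alice' },
];

// Normalise an origin string through the URL parser so that comparison is
// against the canonical form (lower-cased host, default port dropped).
function canonicalOrigin(s) {
  try {
    return new URL(s).origin;
  } catch (e) {
    return null; // unparseable: never matches anything
  }
}

// Decide whether an entry may be filled into a frame.
//   topOrigin   - origin of the tab's top-level document (supplied by the browser)
//   frameOrigin - origin of the frame asking for the fill (also browser-supplied)
// Rules: https only; the requesting frame must be the top document itself, so a
// cross-origin iframe (an ad slot, for instance) is refused; and the stored
// origin must match exactly, with no subdomain, port, or "looks similar" slack.
function decideAutofill(entry, topOrigin, frameOrigin) {
  const top = canonicalOrigin(topOrigin);
  const frame = canonicalOrigin(frameOrigin);
  const stored = canonicalOrigin(entry.origin);
  if (!top || !frame || !stored) return { fill: false, reason: 'unparseable origin' };
  if (!top.startsWith('https://')) return { fill: false, reason: 'not https' };
  if (frame !== top) return { fill: false, reason: 'cross-origin frame' };
  if (stored !== top) return { fill: false, reason: 'origin mismatch' };
  return { fill: true, username: entry.username };
}

// Every vault entry that may be filled for this tab/frame pair.
function candidatesFor(topOrigin, frameOrigin) {
  return VAULT.filter((e) => decideAutofill(e, topOrigin, frameOrigin).fill);
}
```

The important design point is what the function does not take as input: nothing from the page's DOM, query string, or `document.referrer`. A mismatch on any rule returns a reason rather than falling back to a looser comparison, which is where "helpful" autofill logic tends to go wrong.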
Your password manager du jour might not be as bug ridden as LastPass, but it
suffers from the same risk vector if it's a browser extension. If you're using
it in a corporate environment to share passwords, now only one user of many
needs to be attacked to steal all of your passwords via a previously
undisclosed bug. If you think criminals aren't mining LastPass and others for
bugs right now, you're naive.
Alternatives
What should you use instead?
Desktop-based Password Managers
Any program which is not resident in your browser is safer than one that is.
There are many choices in this category, and none of them suffer
from the direct-access-via-JavaScript risk. If you do use one, do not
install the "form filler" browser extensions. Copy and paste the passwords. I
use pass because it's simple to understand for technical folks, but I
have many friends who use KeePass.
Copying and pasting passwords into the wrong place is not a large enough risk
to use an even riskier browser password manager extension. If you accidentally
paste one password in the wrong place, it is easy to change. If you get all
your passwords stolen by a new bug, you'll never even know, and you'll have
little to no recourse.
Built-in Browser Password Managers
Every major browser now has a well-designed built-in password manager that is
easy to use. These are a nice choice if you dislike copying and pasting
passwords into websites. All of them also offer mobile sync so you can have
your passwords on the go. Since two-factor authentication is not available for
these, use a very strong and unique passphrase.
Chrome's Password Manager along with a good sync password
Firefox's Password Manager along with a good master password
iCloud Keychain for Safari
I recommend that non-technical users use the built-in password managers because
they're easy to use and plenty secure.
Literally anything else
An encrypted text file on your computer is safer than a browser extension
password manager. Think of how it would be compromised: someone would need to
get at least user-level access to your computer, and then either read it while
it's temporarily decrypted, or wait for you to decrypt it. That cannot be
done by efficient attackers at scale. And if they've compromised your machine,
you have bigger things to worry about.
The future
I don't know if these browser extension password managers will ever improve
enough for me to recommend them. The risk of having an attacker be able to
directly interact with them is just too high. Many of them are for-profit
companies that, judging by the trivial bugs researchers find in an hour,
clearly have not invested much in an in-depth audit of their source code.
We need less of the "military grade encryption" marketing from them and more
"here's the full source code audit report by a well known security firm". Maybe
then it'll get better.