Why password managers aren’t as secure as you think

Published Jan 12, 2023 by Xiph

Password managers are often touted as the best solution to help you generate strong, unique passwords as well as to manage and store all your login details. They even log you into your accounts and websites automatically. But the latest data breach impacting password manager juggernaut LastPass suggests there is still a lot to be desired in terms of data protection.

Are password managers safe?

What’s the LastPass data breach?

A series of breaches targeting LastPass’ servers and then its cloud-based storage environment in 2022 culminated in hackers infiltrating the company’s networks and obtaining a backup of customer vault data (where passwords are stored). Here’s how the LastPass data breach unfolded, according to the notice of security published by the company.

Timeline of LastPass cyber breaches

  • August 2022: A LastPass employee's work account was compromised to gain unauthorised access to the company's development environment, which stores some of LastPass’ source code and technical information. The hackers were in the network for four days before they were spotted and kicked out.
  • November 2022: Source code and technical information stolen during the August breach were used to target another LastPass employee, this time compromising credentials and cloud storage keys. The attackers then used this to gain access to customer information.
  • December 2022: LastPass revealed the full extent of the breaches. Hackers gained access to users' encrypted password vaults by copying backups that contained unencrypted data, such as website URLs, alongside fully encrypted sensitive fields like website usernames and passwords, secure notes, and form-filled data. The hackers were also able to obtain basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing their LastPass service.

Fortunately, encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password. LastPass does not have access to that master password because it uses a Zero Knowledge architecture: master passwords are never stored on external servers and aren’t accessible to company staff. Nevertheless, news of the breaches raised questions about whether password managers are as secure as we think.

Read more: Why your business needs Zero Trust security

How secure are password managers?

Most cloud-based password managers are secure and remain the recommended solution for keeping track of all your passwords. In fact, research from Security.org found that internet users who don’t use password managers are three times more likely to experience identity theft than those who properly use them.

A password manager allows you to generate strong, unique passwords for all your online accounts and services (that would otherwise be difficult to memorise) and stores them for you in an encrypted digital vault that only you can access from virtually any device. It also automatically pre-fills your login details for these accounts, which means you don’t have to type your password every single time, essentially protecting you from keyloggers.

In terms of data security, password managers typically use a combination of cyber defences: military-grade AES-256 encryption, which is nearly impossible to crack; Zero Knowledge security, which means master passwords are never stored on external servers or accessible to staff; and multi-factor authentication (MFA) or biometric authentication.
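The two points above (the vault key is derived from the master password, and the service never holds that password) can be made concrete with a small sketch. The code below is an added example, not LastPass’s or any vendor’s implementation; the scheme details are assumptions for the demonstration: PBKDF2-SHA256 with the lower-cased email as salt to derive a 256-bit vault key on the device, a second one-way PBKDF2 pass to turn that key into a login hash, and a server that stores only a salted re-hash of the login hash. The AES-256 vault encryption itself is left out because it needs a third-party library.

```python
"""Added example (not LastPass's or any vendor's code): a sketch of the
zero-knowledge split between the vault key, which stays on the device, and the
login hash, which is all the service ever stores. Scheme details are assumptions
for the demo: PBKDF2-SHA256 with the email as salt, a one-iteration PBKDF2 pass
to derive the login hash, and a salted server-side re-hash."""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # assumed client-side work factor; real products use more
KEY_LEN = 32              # 32 bytes = 256-bit key, matching the AES-256 the article mentions


def derive_vault_key(master_password: str, email: str,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Runs only on the user's device. The lower-cased email is the salt, so two
    users with the same master password still get different vault keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One further one-way step over the vault key yields the value sent to the
    server at login. Knowing it reveals neither the vault key nor the password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(),
                               1, dklen=KEY_LEN)


class Server:
    """The service side: it stores a salted re-hash of the login hash and nothing
    else, so a copy of its database contains neither key nor master password."""

    def __init__(self) -> None:
        self.accounts: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, login_hash: bytes) -> None:
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, 10_000)
        self.accounts[email.lower()] = (salt, stored)

    def authenticate(self, email: str, login_hash: bytes) -> bool:
        salt, stored = self.accounts[email.lower()]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, 10_000)
        return hmac.compare_digest(candidate, stored)  # constant-time compare

    def stored_values(self, email: str) -> tuple[bytes, bytes]:
        """Everything a copy of the server database would reveal for this user."""
        return self.accounts[email.lower()]


def zero_knowledge_demo(email: str = "user@example.com",
                        master_password: str = "correct horse battery staple") -> dict:
    """Registers a user, logs in, and checks what the server database reveals."""
    vault_key = derive_vault_key(master_password, email)
    login_hash = derive_login_hash(vault_key, master_password)
    server = Server()
    server.register(email, login_hash)

    wrong_key = derive_vault_key("not the password", email)
    wrong_hash = derive_login_hash(wrong_key, "not the password")
    leaked = server.stored_values(email)
    return {
        "login_ok": server.authenticate(email, login_hash),
        "wrong_password_rejected": not server.authenticate(email, wrong_hash),
        "vault_key_on_server": vault_key in leaked,
        "login_hash_on_server": login_hash in leaked,
    }


if __name__ == "__main__":
    print(zero_knowledge_demo())
```

The practical consequence for a breach like the one described above is that a copy of the server database, even together with the encrypted vault backup, yields neither the key nor the password directly; what remains for an attacker is offline guessing of the master password through the key derivation function, so the strength of the master password and the iteration count set the cost of that guessing.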

Read more: What is encryption & how does it protect your data?

Password managers, however, aren't bulletproof. Their biggest flaw is that all your passwords are stored in one single location, which means that if your password manager is compromised, all your passwords and login details are compromised. So, while password managers reduce the likelihood of your online accounts being hacked (by ensuring strong password protection), they increase the potential damage if the password manager you’re using gets hacked.

Can a password manager be hacked?

Yes, password managers can be hacked. The latest LastPass breaches are proof of that, while Passwordstate was also hacked in 2021, and various other password managers like Keeper, OneLogin, Dashlane, 1Password, and KeePass also reported several security vulnerabilities in previous phishing and vulnerability testing.

Even if you’re using a reputable password manager, there are some cyber risks to be aware of. For example, your password manager can be hacked if your device is infected with malware. Another risk is that backups aren’t always possible (not all password managers offer this feature). This means you could lose access to your vault if the server your password manager runs on crashes, and you will have to wait until the server is back up to log into your accounts. You can avoid this by backing up your passwords regularly and keeping the backups somewhere safe.

Despite these concerns, password managers are still considered safe because they’re extremely difficult to compromise. Even if cyber criminals did manage to hack your password manager, they wouldn’t be able to crack your master password or other information that’s encrypted.

Cloud-based password managers vs browser-based password managers

Cloud-based password managers come with more security features and add-ons, making them safer than browser-based ones like Google Chrome, Edge, Firefox, Opera and Safari. While browser-based password managers are a free and convenient option for users, they aren’t the most accessible or secure. Browser-based password managers are more vulnerable to malware attacks, and don’t generate unique and customisable passwords like standalone password management tools. They also don’t allow you to switch browsers or to use those services on all your apps.

On the other hand, cloud-based password managers are designed with data security in mind and feature a host of cyber security features like end-to-end encryption, data centres dedicated to the storage of your data, Zero Knowledge architecture, secure password sharing across apps, etc. Some standalone password managers are free, while others offer free and subscription tiers. Premium features can include the ability to share vault items with multiple people and on multiple devices, dark web monitoring and emergency one-time access to a user’s vault.

Can you log into a password manager without the master password?

Generally, you can’t gain access or log into a password manager without your master password, unless you have enabled MFA or biometric authentication. If you lose or forget your master password with no backup, you’ll be locked out of your password vault (where all your passwords are stored). You can mitigate this risk by enabling MFA or biometric authentication.

How to choose a strong master password

Be sure to choose a strong master password that isn’t easily guessable, or better yet, create a master passphrase made of multiple words, which will be tougher to crack than a shorter password. Make sure it includes both upper and lowercase letters, numbers and special characters. Don’t use a common phrase or word that could be easy to guess like ‘admin’, ‘password’, ‘letmein’, ‘opensesame’, etc.
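To show why a multi-word passphrase is tougher to crack than a shorter password, here is an added example (not from the article) that generates a random passphrase with the operating system’s CSPRNG, estimates the guessing resistance in bits for a diceware-sized word list versus a short random character password, and flags the obviously weak choices the article lists. The embedded word list is a constructed stand-in for a real list of several thousand words, and the weakness rule (blocklisted, or under 16 characters without all four character classes) is an assumption chosen to match the article’s advice.

```python
"""Added example (not from the article): generating a random multi-word master
passphrase, estimating its guessing resistance in bits against a shorter
character password, and flagging the weak choices the article names. The word
list is a constructed stand-in; the strength rule is an assumption."""
import math
import secrets
import string

# Constructed sample list. A real diceware-style list has thousands of words.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "river", "saffron", "tundra", "umber", "velvet", "willow", "yonder",
    "zephyr", "bramble", "canyon", "drift", "fjord", "gravel", "hollow", "ivory",
]
DICEWARE_LIST_SIZE = 7776  # 6**5 words, the size of a standard diceware list
PRINTABLE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
COMMON_CHOICES = {"admin", "password", "letmein", "opensesame"}  # from the article


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` uniform, independent picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words: list[str], count: int = 5, separator: str = "-") -> str:
    """Picks `count` words with the OS CSPRNG (never random.choice for secrets)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 8) -> str:
    """A random character password of the kind the passphrase is compared with."""
    return "".join(secrets.choice(PRINTABLE_ALPHABET) for _ in range(length))


def is_weak_master_password(candidate: str) -> bool:
    """True for blocklisted values, or short values missing a character class.
    Assumed rule: 16+ characters pass even when all lower case (a passphrase)."""
    if candidate.lower() in COMMON_CHOICES:
        return True
    if len(candidate) >= 16:
        return False
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    return not all(classes)


def compare_strength(word_count: int = 5, password_length: int = 8) -> dict:
    """Bits of entropy for a diceware passphrase versus a random short password."""
    return {
        "passphrase_bits": round(entropy_bits(DICEWARE_LIST_SIZE, word_count), 1),
        "sample_list_bits": round(entropy_bits(len(SAMPLE_WORDS), word_count), 1),
        "password_bits": round(entropy_bits(len(PRINTABLE_ALPHABET), password_length), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(compare_strength())
```

With a 7776-word list, five words give about 64.6 bits, more than the roughly 52.4 bits of an 8-character password drawn from all 94 printable ASCII symbols, while being far easier to remember; the 32-word sample list only reaches 25 bits, which is why list size matters as much as word count.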

Read more: Your complete guide to password protection

A final word

It’s important to undertake your own independent research before choosing a password manager. Pay particular attention to the platform’s security credentials, track record concerning data leaks, reputation within the market, and how it stacks up against other reputable password managers. For more information on the best password managers for personal and business use, contact us via email: [email protected].
