I have argued against the use of cloud-based password managers, citing the cloud storage of the password vault as a weak point subject to hackers. Other security experts have dismissed my concerns, claiming that password managers such as LastPass are more secure than managing your own passwords. I believe this is debatable. I agree many people fail at password security, but I maintain that diligently managing your own passwords is far more secure, if you have the discipline.
This past August (2022), LastPass disclosed a breach of their systems. LastPass downplayed the severity of the break-in then, claiming that the breach affected only one developer account and that the attackers absconded with only some source code and technical data. The company claimed that customers’ master passwords, encrypted passwords, personal information, and other customer data weren’t affected. However, on December 22, LastPass updated the disclosure to admit that a great deal of customer data, including backups of encrypted customer vaults, had been taken.
This means that the criminals now have a great deal of customer data, including encrypted passwords. The data inside the encrypted vaults remains hidden, being encrypted with AES-256, but depending on the criminals’ resources and motivation, that layer of protection may fall.
AES-256 is a very strong encryption algorithm, and it would be quite difficult to break it. In fact, we consider it to be secure against all known attacks, including brute-force attacks. But every security mechanism has its limits, and it’s important to understand that the encryption only protects the contents if the master password is strong: the key that unlocks the vault is derived from that password, so an attacker holding a stolen vault does not need to break AES, only to guess the master password, and can try candidates offline at leisure. Should an attacker get the master password through other means, such as phishing or social engineering, they can open the password vault without any guessing at all.
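To make the point concrete, here is an added illustration (my own example code, not anything from LastPass or from the original post) of why the master password, not AES-256, is the real limit. It derives a 256-bit vault key from a master password with PBKDF2-HMAC-SHA256, which stands in for whatever key-derivation function a given product actually uses (the product's real KDF and parameters are not taken from the post), and then estimates how long an attacker who holds an offline copy of the vault would need to guess the master password. The iteration count and the attacker's hashing throughput are constructed, illustrative assumptions; the entropy estimator treats the password as random characters, so for a dictionary word or a common pattern the true search is far quicker than the figure it reports.

```python
"""
Added example: the AES-256 vault key comes from the master password through a
slow KDF, so the work an attacker faces is
    (number of candidate master passwords) x (cost of one key derivation),
not the 2^256 work of attacking AES itself.
"""
import hashlib
import math
import os
import string
import time

AES_KEY_BYTES = 32  # AES-256 key length


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the 256-bit vault key from the master password with PBKDF2-HMAC-SHA256.

    Same password + same salt + same iteration count always gives the same key,
    which is exactly what lets an offline attacker test guesses against a stolen vault.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, AES_KEY_BYTES
    )


def password_entropy_bits(password: str) -> float:
    """Ceiling estimate of password entropy: length * log2(size of character classes used).

    This assumes every character is chosen uniformly at random. Passwords built from
    words, dates or keyboard patterns are guessed with wordlists and fall far faster.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 printable ASCII symbols
    ]
    charset = sum(size for chars, size in classes if any(c in chars for c in password))
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def expected_offline_guess_seconds(entropy_bits: float, iterations: int,
                                   hmac_per_second: float) -> float:
    """Expected seconds to find the master password offline (half the space on average).

    hmac_per_second is the attacker's raw HMAC-SHA256 throughput; each PBKDF2 guess
    costs `iterations` HMAC evaluations, so raising the iteration count raises the
    attacker's bill linearly, while each extra bit of entropy doubles it.
    """
    guesses_per_second = hmac_per_second / iterations
    return (2 ** (entropy_bits - 1)) / guesses_per_second


def time_one_derivation(iterations: int) -> float:
    """Measure what one key derivation costs on this machine, in seconds."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_vault_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed, illustrative figures: not measurements of any real product or attacker.
    ATTACKER_HMAC_PER_SECOND = 1e10   # assumed GPU-class HMAC-SHA256 rate
    ITERATIONS = 100_000              # assumed KDF iteration count
    for pw in ["letmein1", "Rust-Canal-Porch-Eleven-Maple-7!"]:
        bits = password_entropy_bits(pw)
        secs = expected_offline_guess_seconds(bits, ITERATIONS, ATTACKER_HMAC_PER_SECOND)
        print(f"{pw!r}: ~{bits:.1f} bits, expected offline search ~{secs / 86400 / 365:.3g} years")
    print(f"one derivation at {ITERATIONS} iterations: {time_one_derivation(ITERATIONS):.4f} s here")
```

Two things stand out when you run it. The weak password's estimate is measured in days even under the generous random-character assumption, and it is far worse in practice once wordlist guessing is used; the long passphrase is out of reach regardless of the attacker's hardware. And the iteration count only scales the cost linearly, so it buys margin but cannot rescue a short master password. Either way the vault's AES-256 encryption is never what gets attacked.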
I have written articles on password security. A recent one is on my Blog here: https://www.nathangregoryauthor.com/post/some-passwords-are-more-equal-than-others
The astute reader of my blog will note that I recommend Bitwarden, if you are going to use a password manager. Bitwarden allows cloud storage of the password vault, but it also allows local self-hosting. I recommend local self-hosting instead of cloud storage. I promise to write a blog entry soon that will go into this in more detail.