I’ve been asked a lot of questions about password managers, especially because of the LastPass hack that started in 2022 and was fully disclosed in 2023. Before getting too far into this, let me be clear that I’m still pro password manager. Password managers, while not spelled out in the original Greek, are most certainly part of “the way, the truth, and the life” in John 14:6. LastPass was not compromised because they had poorly written code or because their product was inferior. LastPass was compromised because a software engineer fell for a security trick that got him to give a bad actor access to his personal computer. The engineer used that personal computer to access sensitive LastPass data, since doing so was part of his job. Once the bad actors had access to the computer, they were able to steal encrypted backups of LastPass users’ password vaults. Those backups stay protected only as long as the master passwords guarding them hold up, because an attacker who holds the encrypted file can try guesses against it offline with no lockout to slow them down.
Human Error: The Security Trick That Breached LastPass
While there are a lot of things the LastPass employee should have done differently, it is important to note that LastPass was not breached because a hacker got in through their defenses or exploited bad code. The data breach happened because of human error.
Incidents like this are one reason some people are against cloud-based password managers. However, it is important to recognize that human error is everywhere, in cloud-based systems and in non-cloud-based options alike. Whether your password data is stored in the cloud or in an encrypted file that exists only on your local computer, a security trick that fools the person holding the keys makes both equally vulnerable. Regardless of which password manager option you choose, it is important that you choose one.