LastPass breach Shouldn’t sway you away from cloud-based password managers: 3 ways to spot secure alternatives
by Trenton Thurber, on Wed 11 January 2023
Cybersecurity attacks – like the recent LastPass breach, where hackers gained access to highly-sensitive source code and encrypted (as LastPass itself claims) user data – have underscored the need to carefully review your approach to selecting and protecting your password manager.
Password managers help you take control of your digital life by storing and organizing all of your login information in one place – from sensitive accounts like banking portals to entertainment sites like social media. Users place a tremendous amount of trust in these services to ensure that stored data is safe, only to be disappointed when a security flaw is exploited by threat actors. The consequences of unauthorized access to your password manager can be devastating, and may upheave your digital health through compromised accounts, stolen information, and more.
Selecting a password manager that stores your information securely and protects your accounts and personal information from cyber threats is incredibly important. Here are three things to keep in mind when selecting a strong password manager:
HOW TO SELECT A PASSWORD MANAGER THAT IS SECURE BY DESIGN
1. Say no to human-readable credentials
Your password manager should not use any human-readable credentials (like usernames or master passwords), especially if they are used to unlock encryption keys that protect your data. If a master password is used to protect your critical data, it’s probably less safe than you realize.
Attempts to create complex passwords with numbers, letters, and symbols can potentially make them less secure. Passwords created by humans – even complex ones – are very vulnerable to being hacked. Hackers tend to try common passwords first (including common words and phrases), rather than trying all possible combinations randomly. Even if a password meets complexity requirements, it is still at risk of being hacked because of issues like password reuse and compromised accounts.
Usernames are often overlooked in security, but they too present a major vulnerability. Most usernames are not only easily guessable, but may be used across several platforms. When paired with bad password hygiene, this shared namespace makes an attacker's job a whole lot easier.
If the human-readable credentials that secure your accounts are compromised, a threat actor is one step closer to unauthorized access to the critical data secured by your password manager. Don’t settle for a password manager that uses human-readable credentials.
The PassHub password manager leverages WWPass’ authentication protocol to manage the flow of encryption keys. Human-readable credentials are never a part of the equation. Instead of ineffective tactics to slow down password cracking, WWPass authentication cuts out both of the weakest links in cybersecurity by removing usernames and passwords. WWPass authentication also takes advantage of a self-managed WWPass Key mobile app installed on a trusted device as the primary authentication factor. Authentication to PassHub with WWPass is bilateral, meaning both parties' identities are verified. Check here for a more detailed description of how WWPass authentication works: WWPass technology in depth
2. Choose a password manager whose architecture ensures your keys are never exposed or available outside of a secure channel
Encryption is the best way to secure data online. All password managers leverage some form of encryption, but not all encryption is created equally or applied correctly.
How your password manager handles encryption keys is the lynchpin to the security of the system. If the keys are ever transmitted over unencrypted channels or stored in an unsecured way, they can be easily stolen or intercepted by a threat actor. This would leave the door to your critical data wide open.
Securing keys is integral to strong, encryption-based security, but even if your keys were somehow exposed to a hacker, careful design can ensure that your data remains safe. Choose a password manager that always takes care of your keys and never compromises on security.
With PassHub, your keys are never exposed in plaintext. They will always remain encrypted and are never transmitted over unencrypted channels. PassHub features end-to-end encryption, which means that all sensitive data is ciphered with a WWPass Key in your browser. No meaningful information is accessible on the server's side, making PassHub a “Zero Knowledge” system. Diving even deeper, in PassHub, all user data is first encrypted, then fragmented. Each fragment is encrypted with its own key and then distributed to different data centers. The only way to reassemble and access the information is by using your trusted authentication device - WWPass Key. Learn more here: PassHub Security
3. Choose an open source option with proven, standard encryption
Your password manager should be openly reviewable. If the technology behind a service is good enough to keep user data safe, prove it. Reliance on the secrecy of source code is a great indicator that the password manager is not secure by design.
If a threat actor were to gain access to the source code – whether via the bad intentions of a disgruntled insider, an honest mistake from a well-intentioned employee, or an unseen vulnerability – would critical user data be secure after a breach? Can you trust a secretive organization to be forthright about vulnerabilities?
Most password managers claim to use standard encryption, but without transparency, it is impossible to know if they have implemented it properly. Don’t rely on the word of security service providers who develop in darkness. Instead, choose a password manager with a reviewable code base and standard encryption.
PassHub has a reviewable code base and is even self-hostable, which allows for code review and vulnerability analysis by security experts. It only uses NIST-approved encryption algorithms, such as AES-GCM 256 bits and RSA-OAEP, and avoids using "snake oil cryptography" or untested algorithms. The implementation and architecture of the encryption are also important factors in ensuring security. PassHub is confident in its technology and welcomes feedback from security experts to improve and stay ahead of emerging threats. See for yourself: PassHub and, PassHub and PassHub Front-end
Sign up for your free account today and experience the best in password and file storage security with client-side encryption and the added security of the WWPass Key. Get started in under a minute and securely share files with anyone, anywhere, on any device.
- Free for the first 200 records/100MB
- Max file size of 10MB