Problems with Password Managers

Over the past few years, I’ve been a strong proponent of password managers.

The one I recommend most often is LastPass (more on that later), but I think there are quite a few good options.

However, an interesting counter-view was recently expressed by Tavis Ormandy, one of the incredible security researchers in Google’s Project Zero. The weaknesses he mentioned are real, and I thought it would be useful to not only highlight them to potential password manager users, but also point out why I am still using a password manager.

The Problem with Password Managers

In his article, Tavis is refreshingly clear with both current best security practices (“everyone needs to be using unique passwords”) as well as his specific problem (“I think ‘use a password manager’ is so vague that it’s dangerous”).

Point taken!

Tavis lays out the problems with external password managers very clearly in the article. A very brief TL;DR comes down to two main issues:

  1. Integration. Putting the password manager UI into a web site is putting a trusted UI element (your password manager UI) into a hostile environment (a potentially malicious web site).
  2. Breaking the Sandbox. As Tavis says, “Modern browsers use a sandbox architecture to isolate components that can go wrong”, and since 3rd-party password managers inject sensitive information (your password) into the sandbox, a malicious website can take advantage of that.

Tavis knows his stuff. Throughout the article, he posts links to real bugs in current password managers that have been discovered by Project Zero. The important thing to take away is that the problems he discusses are not imagined or theoretical problems.

The Solution (According to Tavis)

Tavis’ solution for these problems is simple:

Instead of using a 3rd-party password manager, use the one that is built into your browser.

Since Tavis works at Google, it’s easy to see this as biased or self-serving advice. Certainly Google Chrome doesn’t have a perfect track record for password security. Additionally, with Google’s new FLoC feature, some people may not want to use Chrome at all.

However, I don’t think this advice is offered up for a self-serving reason. I think he’s seen a large number of password manager services pop up (lured by the promise of recurring subscription fees cough) that have incredibly poor security practices and he’s giving the best, most specific advice to the broadest number of people.

Tavis even mentions some good password managers (KeePass and KeePassX). The difference between those two password managers and things like LastPass, 1Password, etc. is that they don’t offer browser integration at all.

Why I Still Use a Password Manager

While Tavis’ recommendation of using the built-in password manager of any modern browser (Chrome, Firefox, Edge, etc.) is a good one, I think it misses an important point:

The fact is, most people use multiple browsers (or are on multiple platforms). Being locked into a single browser (or platform) only because of your passwords seems like a very frustrating experience.

Imagine if you’re using a browser (like Chrome) that suddenly offers a feature that you don’t want (like FLoC). If your passwords are only in the browser, then migrating to a new browser could be incredibly frustrating.

Additionally, logging into desktop applications would be quite difficult if all your passwords are stored in your browser. With LastPass I have a standalone desktop application (separate from the browser) that synchronizes my passwords for web sites, applications, and other secure information. Additionally, LastPass has an option to export passwords as a CSV file that can then be imported into another password manager, making it easy to move out of LastPass if the need arises.
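As an added illustration of the migration path just described (this is not code from the post or from LastPass), here is a small converter that turns a LastPass-style CSV export into a CSV that KeePassXC’s importer can map. The LastPass column order and the `http://sn` URL used for secure notes are assumptions about the export format, and the sample export is constructed; it deliberately includes a password with a comma and a quote, a nested folder and a multi-line note, which are the fields that naïve splitting gets wrong.

```python
import csv
import io

# Assumed column layout of a LastPass CSV export (not documented on the page).
LASTPASS_FIELDS = ["url", "username", "password", "totp", "extra", "name", "grouping", "fav"]
# Target header for KeePassXC's CSV importer (columns are mapped interactively on import).
KEEPASS_FIELDS = ["Group", "Title", "Username", "Password", "URL", "Notes", "TOTP"]
# Assumption: LastPass marks secure notes with this placeholder URL.
SECURE_NOTE_URL = "http://sn"

# Constructed sample export: comma and quote inside the password, a nested
# folder separated by a backslash, and a note spanning two lines.
SAMPLE_EXPORT = (
    "url,username,password,totp,extra,name,grouping,fav\n"
    'https://example.com/login,alice,"p4ss,w0rd""x",,"line1\nline2",Example,Work\\Web,0\n'
    'http://sn,,,,"secure note body",My Note,Personal,1\n'
)


def lastpass_to_keepass(export_text: str) -> str:
    """Translate LastPass CSV text into KeePassXC-importable CSV text.

    The csv module handles quoted commas, doubled quotes and embedded
    newlines, so no hand-written splitting is needed.
    """
    reader = csv.DictReader(io.StringIO(export_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=KEEPASS_FIELDS,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        url = row["url"]
        is_note = url == SECURE_NOTE_URL
        writer.writerow({
            # LastPass nests folders with "\", KeePassXC group paths use "/".
            "Group": row["grouping"].replace("\\", "/"),
            "Title": row["name"] or url,
            "Username": row["username"],
            "Password": row["password"],
            "URL": "" if is_note else url,
            "Notes": row["extra"],
            "TOTP": row["totp"],
        })
    # The result is plaintext: write it to disk only for the import and remove it afterwards.
    return out.getvalue()


def parse_keepass_csv(text: str) -> list:
    """Re-read the converted CSV so the round trip can be checked."""
    return list(csv.DictReader(io.StringIO(text)))
```

Run it with `python -c 'import conv; print(conv.lastpass_to_keepass(conv.SAMPLE_EXPORT))'` (module name assumed) to see the converted rows before importing them.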

One compromise I made thanks to Tavis’ article, though, is to eliminate the LastPass autofill/notifications. This reduces the possibility of the “injections” that can break the sandbox. This does mean I need to copy/paste passwords, which introduces another vulnerability (if there were a keylogger on my system), but this seems like a good compromise to me.

To turn off “Autofill”, click the LastPass toolbar icon, then go to “Account Options” → “Extension Preferences” and uncheck “Automatically fill login information”.

To turn off the notification injections, click the LastPass toolbar icon, go to “Account Options” → “Extension Preferences” → “Notifications” (on the left sidebar) → uncheck “Show autofill icon in fields”.

Addendum: LastPass

I have been using LastPass for years, and it is one of the password managers I recommend.

However, since being acquired by LogMeIn (in 2015), and then LogMeIn being acquired by a pair of private equity firms (in 2019), they have been making some choices that prioritize profit over their customer base.

While I have no idea if this has changed any of their back-end code or security practices, they are a closed-source security application. This means that they rely on user trust (and 3rd-party audits) to stay in business.

I think I’m going to be moving to an open-source alternative, since it only seems like it’s a matter of time for additional shoes to drop.