Protecting against a password manager breach: part 1
Prepare for the inevitable to avoid digital disaster
In light of the recent breaches of LastPass’ infrastructure systems, I've been thinking: what would happen if the data in my password manager were successfully breached? And what can I do right now to reduce the impact of such a breach?
I strongly believe everyone should use a password manager given how easy they make it to protect against credential theft attacks. Being able to automatically generate and fill unique unguessable passwords for every account is the primary benefit most people are familiar with, but modern password managers are chock full of fancy features: helping developers keep plaintext secrets out of code files and environment variables and notifying you when one of your accounts is detected in a data breach are two notable examples.
While the best password managers employ strong security measures, they can only make it harder, not impossible, for attackers to steal your data (granted, they make it very hard for attackers to steal your data).
The most concerning aspects of LastPass’ recent incidents were that
a developer’s account was compromised
a third-party cloud storage system was accessed
In either case, this could have allowed the attacker to inject malicious code into LastPass’ client-side components, such as front-end UI code, web browser extensions, and desktop/mobile apps. This is a viable attack path that can result in an attacker stealing decrypted user data for many, if not all, of LastPass’ customers.
This isn’t some contrived hypothetical attack scenario, either: software supply chain attacks have been on the rise in recent years, especially since SolarWinds suffered one in 2020. This also isn’t the only way an attacker could breach your password manager.
Freaked out yet? Yeah, me too. But don't fret! Let’s take a deep breath and explore all the ways you can protect your accounts even if your password manager is breached.
Driving principles for a hardened password manager setup
Reducing the impact of a password manager breach relies on two core principles:
Multi-factor authentication (MFA) needs to be enabled for all sites and apps that support it
Passwords and password equivalents, such as security questions, must be stored separately from MFA codes and MFA code equivalents, such as seed keys and recovery codes
In practice, these principles imply a few things: you'll need one app for storing passwords, a second app for actively using MFA one-time passcodes (OTPs), and a third app for storing MFA recovery codes. This ensures that if an attacker successfully compromises your primary password manager, they also need to carry out a separate attack against your secondary password manager app. The harder you make it for attackers to gain access to your online accounts, the more likely they’ll give up and focus on easier targets.
Ingredients for a hardened password manager “recipe”
Once you’ve implemented all the guidance outlined below, you’ll have a hardened and resilient password manager setup that resembles something like this:
Try not to strain your eyes too much just yet: we’ll dive into each ingredient shown above and how they work together to minimize the impact of a password manager breach.
NOTE: For the sake of simplicity and security, this guide assumes you’re only using Apple devices.
2 password manager apps
I recommend 1Password for storing passwords and password equivalents due to its rich set of features and excellent user interface.
I recommend BitWarden for storing MFA recovery codes and OTP seed keys, since it’s simple enough for this use case. While its UI isn’t as good as 1Password’s, you shouldn't need to access your MFA recovery codes and seed keys very often.
Both use strong security measures and sync data across all major platforms and device types. You’ll need to pay for 1Password (it’s worth it) but can use BitWarden’s free version for this MFA use case.
NOTE: While many web browsers have built-in password managers, they are increasingly targeted by attackers and are not as secure as dedicated password managers. Avoid using them.
1 MFA code app
I recommend using Authy as your MFA code app (as long as you implement it in specific ways, which we’ll cover later on). It makes it easy to save, search for, and use MFA codes across your phone and/or tablet. Because computer OSes are at an increased risk of having malware installed on them (especially compared to iOS), be sure to only install Authy on a phone or tablet.
2 security keys
I recommend YubiKeys, as many security practitioners do, for hardware security keys. When “Security Key” or “Passkey” MFA (i.e. FIDO 2.0, WebAuthn, or U2F) is available for any of your accounts, you’ll want to use your YubiKeys as your MFA method. Security Key MFA “codes” can’t be intercepted or spoofed by a remote attacker, because FIDO 2.0 replaces shared codes with an origin-bound public-key challenge-response performed by the key itself. For maximum security, try YubiKey Bio (FIDO edition) - affordable three-factor authentication for the masses!
NOTE: you’ll want 2 YubiKeys in case one of them is lost or broken. Keep one on your keychain and another in a safe place, such as a fireproof safe (see below).
1 fireproof safe
If you’re extra cautious (i.e. paranoid), you’ll want to keep a physical copy of your 1Password Secret Key and BitWarden MFA recovery code stored separately from all of your internet-connected devices. That way, if an attacker somehow manages to compromise your 1Password account password and MFA for 1Password, they would have to physically break into your fireproof safe, too.
NOTE: FIDO 2.0-certified biometric authentication provided by Windows Hello, Touch ID, Face ID, etc. can provide similar authentication security to YubiKeys, but it isn’t portable and platform-agnostic like YubiKeys are. Trade-offs are hard!
While stepping through how to stick to this approach, I'm going to assume (and recommend) that you use:
Apple devices, given their strong hardware platform + OS security architecture combined with ease of use when using features such as Touch ID, Face ID, and Keychain for logging into and unlocking your password manager
1Password for storing passwords and password equivalents, given its strong security architecture, additional security features like Watchtower and developer tool integrations, and excellent user interface
Authy as your default MFA code app
If you’re extra paranoid and are willing to make some usability sacrifices, try storing your MFA codes in a YubiKey and using Yubico Authenticator to access them
BitWarden (free edition) for storing MFA recovery codes or seed keys when recovery codes aren't available
That concludes part 1 of this series. Part 2 will cover written guidance on how to combine these ingredients to create a hardened password manager setup as well as password manager best practices to abide by.
UPDATE: Part 2 has been published!
I am also applying the same idea, but with 2 BitWarden accounts as password manager and recovery codes, and Authy for MFA.