Bugs in several password managers, including the vulnerabilities discovered in LastPass in late July, have scared away some users. But such fears go too far. Millions of users rely on password managers to keep track of passwords for applications and online services, and by all indications, they work better than trying to do it on your own.
Security victories should be embraced -- including password managers, which automatically generate complex strings of characters as passwords and deploy a unique password for each site or application. Password managers solve several authentication problems, including easily-cracked passwords and password reuse.
That's why the Twitter tempest against password managers that arose shortly after Tavis Ormandy, a well-known security researcher on Google's Project Zero team, found and reported vulnerabilities in LastPass and 1Password was so perplexing.
Ormandy, who has uncovered a number of vulnerabilities in antivirus and other security software over the past few months, recently began scrutinizing popular password managers. The latest report was "a bunch of obvious vulnerabilities" in Dashlane. Some claimed these security holes proved people shouldn’t use password managers at all because the passwords could be stolen from them.
No one likes passwords, but the reality is they aren’t going away anytime soon. It was irresponsible to declare a whole class of security software should not be used simply because it has bugs, said Jessy Irwin, formerly of 1Password and self-proclaimed "security empress."
News flash: "The sky is blue, water is wet, software has bugs," Irwin said. Fix the bug and move on. All software has bugs and needs to be patched; security tools are no different.
LastPass has already patched the reported flaws, while others appear to still be in progress.
Comments equating password managers to the "next AV" imply that password managers are ineffective and useless against modern attacks, said Irwin. This was highly damaging because it confused users with conflicting information, when the case for using password managers is clear.
There's a regrettable tendency to conflate product safety and product security, Irwin says. It's important to find and fix vulnerabilities so that attackers can't break in -- that's simply product security. What often gets lost is product safety, making sure users have a way to improve how their actions to be more secure. It's still far better to use password managers with bugs, which can be patched, than to rely on memory or other methods to try to keep track of all passwords.