LastPass incidents and Vaultwarden as the solution

Passwords protect our infrastructure and data from third parties, and they have been around since the first internet services were offered to netizens. With the growing number of data breaches, they are the first line of defense against malicious actors interested in gaining access to our digital assets. Users of online services need a different password for each platform to protect their account data. For example, you need one password for your Proton Mail account, another for your WordPress powered website, a different one for your Nextcloud account, and so forth. As you can imagine, it is not practical to remember a different, hard-to-guess password for each service. The reality is that the majority of users choose simple passwords that attackers can easily guess, and in many cases the same password is reused across a number of services. The latest data show that netizens are ‘lazy’ and pick the same simple password for the online services they use. Below are the most used passwords in 2022 (reference):

  • password
  • 123456
  • 123456789
  • guest
  • qwerty
  • 12345678
  • 111111
  • 12345
  • col123456
  • 123123

The importance of password managers

One of the best solutions is the use of a password manager: a program that allows users to store and manage their passwords for local applications and online services. A good password manager lets you generate a strong, unique password for each service and fill in online forms easily. These programs generate complex passwords for each online platform and store them in an encrypted database, making them hard for malicious actors to guess. Many password manager platforms offer additional capabilities that enhance both convenience and security, such as storage of credit card and frequent flyer information and autofill functionality. There are many password managers offering many features, with LastPass being one of the best known in the industry.

The issue with LastPass

LastPass is a password manager that comes with a web interface, plugins for various web browsers and apps for many smartphones. It is a proprietary platform, which makes it impossible for third parties to audit the code and determine whether the software has any security issues. Unfortunately, many hundreds of thousands of users trusted this proprietary platform with one of the most important elements of our online identity: passwords. It came as no surprise that last year LastPass suffered serious security incidents. User data, billing information, and vaults (with some fields encrypted and others not) were breached. This led many security professionals to call on users to change all their passwords and switch to other password managers. The consecutive incidents resulted in LastPass losing a copy of customers’ encrypted password data to a hacker who had recently breached the company’s systems. At the time, it remained unclear what user data was ensnared, but LastPass has since confirmed that the breach is serious, to say the least. This was another case of a proprietary platform focusing more on marketing tricks to grow its user base and quarterly earnings and less on the interests of the users that trusted it.

The solution?

It should not come as a surprise that we urge our friends, family members and business partners to always use free libre open source platforms for their digital infrastructure. Password managers are no exception. Open source software can be audited by third parties for vulnerabilities, and in general FLOSS entities take the community aspect of their operations into consideration, which usually (not always) creates checks and balances in how the operation is managed. One such entity is Bitwarden, the open source password manager we highly respect for many reasons. The platform offers a variety of client applications, including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. It offers a free cloud-hosted service as well as the ability to self-host. Desktop applications are available for Windows, MacOS, and Linux. Browser extensions include those for Chrome, Firefox, Safari, Edge, Opera, Vivaldi, Brave and Tor. Mobile apps for Android, iPhone, and iPad are available. Client functionality includes 2FA login, passwordless login, biometric unlock, a random password generator, a password strength testing tool, login/form/app autofill, syncing across unlimited platforms and devices, storing an unlimited number of items, sharing credentials, and storing a variety of information including credit cards.

Bitwarden vs Vaultwarden

Our team loves Bitwarden as a service, but also for what seems to be their company culture. It is the ideal password manager for individual use and for teams. Deploying a Bitwarden instance, though, requires quite a lot of server resources, which makes it impractical for a use case like ours that focuses on small/medium teams rather than large corporations. After researching, we found Vaultwarden, the lightweight, community-maintained implementation of the Bitwarden server. It is ideal for our Subscribers, and it is what we propose to everyone who reaches out to us for an open source password manager solution.

Password manager for your small/medium team?

If you are running a small team and need a single solution for managing access across your operation, we are here to help. You can schedule a call with our team or email us, and we will explain how to manage different access levels for your departments and how to onboard and offboard a team member. We also use Vaultwarden internally to manage access to our infrastructure and have quite a lot of know-how about the platform.