Keep using password managers -- bugs and all

A furor over bugs in password managers left users in a jam. Self-proclaimed security empress Jessy Irwin clears up the confusion

Bugs in several password managers, including the vulnerabilities discovered in LastPass in late July, have scared away some users. But such fears go too far. Millions of users rely on password managers to keep track of passwords for applications and online services, and by all indications, they work better than trying to do it on your own.

Security victories should be embraced -- including password managers, which automatically generate complex strings of characters as passwords and deploy a unique password for each site or application. Password managers solve several authentication problems, including easily-cracked passwords and password reuse.

That's why the Twitter tempest against password managers that arose shortly after Tavis Ormandy, a well-known security researcher on Google's Project Zero team, found and reported vulnerabilities in LastPass and 1Password was so perplexing.

Ormandy, who has uncovered a number of vulnerabilities in antivirus and other security software over the past few months, recently began scrutinizing popular password managers. The latest report was "a bunch of obvious vulnerabilities" in Dashlane. Some claimed these security holes proved people shouldn’t use password managers at all because the passwords could be stolen from them.

No one likes passwords, but the reality is they aren’t going away anytime soon. It was irresponsible to declare a whole class of security software should not be used simply because it has bugs, said Jessy Irwin, formerly of 1Password and self-proclaimed "security empress."

News flash: "The sky is blue, water is wet, software has bugs," Irwin said. Fix the bug and move on. All software has bugs and needs to be patched; security tools are no different.

LastPass has already patched the reported flaws, while others appear to still be in progress.

Comments equating password managers to the "next AV" imply that password managers are ineffective and useless against modern attacks, said Irwin. This was highly damaging because it confused users with conflicting information, when the case for using password managers is clear.

There's a regrettable tendency to conflate product safety and product security, Irwin says. It's important to find and fix vulnerabilities so that attackers can't break in -- that's simply product security. What often gets lost is product safety, making sure users have a way to improve how their actions to be more secure. It's still far better to use password managers with bugs, which can be patched, than to rely on memory or other methods to try to keep track of all passwords.

Join the CSO newsletter!

Error: Please check your email address.

More about GoogleNewsTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Fahmida Y. Rashid

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place