Here is a picture of a basket of eggs as a sort of visual play on the concept discussed in this blog post.
"all in one basket" photo by Timothy Valentine (creative commons license)

Compartmentalisation is good for you 

Tl;dr: Stop using LastPass if it's been your password manager of choice because it suffered a massive data breach which it handled the disclosure of poorly. Also think about how you use password managers before you just dump all your secrets into another one. Segment your different account credentials into different buckets based on needs and use case and choose tools accordingly. Keep some things offline. Recommend Bitwarden and KeePassXC. Fin.

I was mostly offline and on holiday during the news cycle about the (latest) disclosed LastPass security breach. And even if I wasn't I blog so slow that I wouldn't have said much about it before now, anyway. But it's a Sunday night and a good time to avoid other life decisions, so let's talk about that.

Essentially, LastPass found itself forced to let its users know that hackers who last August had gained unauthorised access to customer data had gotten away with more than they had previously let people know about. If you were or are a user of the password manager, then hackers were able to download your encrypted password vaults and other unencrypted user account meta data

First things first...

If you're a LastPass user who somehow missed this news, then my more immediate suggestion right now is to stop reading this post and go and change the access information for any accounts you had saved in LastPass, keep that information somewhere else and close your LastPass account. Be on the lookout for phishing attempts on those accounts. Use 2-factor authentication on them all, or if you don't need them: close them. I'll wait. Either create a local, securely offline text file for now, or use Bitwarden or KeePassXC password managers (more on why I chose those two, and only those two, later on in this post.)

Background reading...

The real lesson from this...

I had left LastPass a couple of scares ago. But even with this recent news, the work team and I did some account access information rotation on accounts we had once had there just in case. It can be a big task if you're dealing with lots of different login credentials. The LastPass breach was much worse than the company had let on. To me, how they handled it couldn't be called "disclosure," it was malpractice. The hackers know your name and address, have a list of every website you've had an account for in LastPAss, and can try to brute-force into your encrypted passwords archive on their local machines, so the only thing protecting them is how strong your master password was.

This didn't just do damage to LastPass, but to the concept of using password managers. I think the company should be out of business, but I still advocate the use of password managers. Why? Because generating unique, hard-to-crack passwords for each account, and remembering them is not a human capacity. Because strong encryption works and a good password manager re-enforces good account hygiene practices. You may think you're good at creating unique, strong passwords in your head, and without knowing anything about you dear reader, I am just going to tell you that you are not. You are not.

But that's not the lesson here, and even all the technical write-ups of what LastPass did wrong are not the real lessons, either. The real lesson is not so much technical as it is about developing the right ethos when thinking about your private digital bits. Compartmentalisation is good for you. Those of us who are already predisposed to it at some extensive personal and social cost are winning at the account access game. (For American readers, I am spelling things in the British way, here. There are not so many uses of "Z," which we also pronounce as "zed.")

Compartmenalise all the things...

The web is designed to convince you to put all of your eggs in one basket. Cloud services offered by Microsoft, Google, Apple, Amazon's AWS services, etc. want all your things and offer a lot of convenience in exchange. They want your documents, your photos, your contacts, your web history, your accounts, your apps and your hard drive backups. Facebook and other social websites want your friends and relations and chats all in one easy spot as well. For many people the web is really only a small handful of services they're using the vast majority of the day. The password manager's user experience does this as well. Keeping everything in one place makes using them a lot easier, there's no getting around it. It also makes for a much juicier and more damaging target. Stop keeping all the things in one place.

There is a reason "don't put all your eggs in one basket" has survived over the years as generally good advice, and it's because its proponents generally survive longer to spread it. It sounds counter-intuitive that after just saying I recommend people use password managers for better security that I'd also say, "segment your things, damn it!" But we're going to run with the basket analogy for a while. I don't want people to just think about password managers but all of the different buckets where they have digital information. Maybe don't keep the entire archive of them in one place. Maybe keep them sorted in two places, or three places, depending on how you use them. Maybe think about them and categorise them and then store them online or offline, or in different services based on those categories. Maybe delete them if you don't need them. Don't just do what the little icons and pop-ups tell you, but think about why you're doing these things. In this way, also use password managers based on their strengths and weaknesses and according various use cases you have them. Don't just have one of them, but some different password manager accounts running for different use cases.

A few ways to think about cases are:

  • Some shared team access when you need to share secrets (access credentials.)
  • Your own accounts, but when you need them on the go, and maybe with a bit of mobile phone access.
  • Some local file keys, hardware access, server keys, backup 2FA codes, private encryption keys, and other information you just don't want or need in a cloud.
  • Work things.
  • Parent things.
  • Personal things.
  • Accounts you need all the time.
  • Accounts you rarely need but have to keep.
  • And many more.

For all these use cases a mix of Bitwarden and KeePassXC can do the trick. There may be others, but for the purposes of simplicity, these are the only two I ever recommend. They are open source, have good encryption, offer offline or self-hosting options, have been reviewed by security experts, have reasonably decent usability and methods of adding secondary authentication to access the data. I generally don't answer questions when people ask about 1Password, Dashlane, or anything else because that can just go on and on. They may be great. I only use and recommend the above mentioned two... subject to change when it's warranted. But what I advocate beyond any brand names is that people use a couple or more accounts, and think of how and why they're going to use them. The goal: If someone gets any one of these repositories, most importantly, they don't get all of them, so even if they hack your archive password, the whole repository to everything in your life isn't there.

Create purpose built accounts

  • If you're traveling, an offline KeePassXC file fits nicely on a USB stick or in a discrete cloud account, you can set up shop with only the minimal accounts you need for that trip.
  • If you need to share some accounts, BitWarden has some very good secure sharing tools to send access or just regular information to someone else's BitWarden account. 
  • You may have another set of data you want to keep both encrypted and offline. A KeePassXC file on a hard drive or USB stick not attached to the internet works great for this.

Before thinking of the tool, think: Where will you need it, how will you be using it, on what devices, for how long? What are the security risks?

A KeePassXC file has less of a chance of online hacking, but you need to keep track of where you put it and -- importantly -- don't forget the master password for it. There is no password reset mechanism. It has a great function for extra security, using a key file, but that too needs to be kept track of. If you leave it open on a screen, someone coming by could access it. If you lose your device where it's saved, they likely won't be able to open it if you've given it a strong password, but they can try for as long as they want. Saving it to a cloud account is a good way of using it across devices, but make sure you've secured that, too. Neat thing about KeePassXC is that you can give it a strong password, use a keyfile, store it in the cloud that also has a strong password and two-factor authentication, and then there's 4 layers of access checks to open it. It's more versatile, has more options for control, but possibly easier to lose access to.

A Bitwarden account has strong security and good features. It's in the cloud and easily integrates via apps on your mobile, laptop, etc. If you need password sharing with someone else, it's by far the better way. You could host your own Bitwarden, but no one is going to suggest you should. There is the chance of password recovery, but also the increased chance of theft if someone gets access to our device or accounts used to run it. It's another commercial cloud service. It has a cracking good security record and independent audits to back it up, but more adversaries are also looking at how to break in. Keep yourself informed of what the latest news is on the products you use.

Delete when not needed

I have a lot of data kicking around. But I delete even more. The commercial web doesn't often remind us to wipe our data. Ephemeral data is not such a growth industry. Keeping information in our accounts is a more lucrative business proposition. And it's a sometimes tedious chore. Delete data. Keep your offline and online account access repositories secure, but don't keep what you don't use. Close accounts, create new ones if you need those services again. One great thing about a password manager is how it can exactly itemise just how many online accounts you really have. How many could you kill? Every account is a thing to manage. Manage less... with some password managers more.

If this all sounds like too much, then it's probably because it is. We've backed ourselves into a complex issue, and passwords are generally not that workable of a solution. Beware of people offering easy answers to complex problems. 

Delores from the series WestWorld, at the end of season 1 when she says "Not all of us Deserve to Make it to the valley beyond."

Good night, and good luck.

This article was updated on 16 January 2023