Don’t upload your passwords to the cloud

December 23, 2022

Well, it finally happened: The cloud store of popular password manager LastPass was breached, and all user password vaults are now in the hands of hackers.

While this is not the nightmare scenario (the vaults are still encrypted), it’s pretty close to it. Hackers now have users’ vaults on their drives, and they can brute-force their main passwords at their leisure. Guessing the main password will unlock the entire vault and grant hackers access to all the passwords—and TOTP second factors—in it. Remember: the encryption is only as strong as the main password, and some users may have chosen hunter22 for all we know. With 33 million customers’ data available, hackers only have to unlock a tiny fraction of the vaults to make it worth their while.

I continue to believe that it’s irresponsible for password managers to encourage regular people to upload their vaults to a central cloud. Companies like LastPass and 1Password expose their customers to risks that most of them don’t understand.

My advice? Never upload your password vaults to a central cloud—those storage locations attract hackers because they promise huge payoffs. Instead, keep local copies, replicate them across multiple devices, and back them up to an offsite location. Even keeping a local vault on one computer or phone and keeping good backups of that one device is better than uploading your data to the cloud.