https://arstechnica.com/gadgets/2021/04/hackers-backdoor-corporate-password-manager-and-steal-customer-data/?comments=1

ANOTHER SUPPLY-CHAIN ATTACK

Backdoored password manager stole data from as many as 29K enterprises

Compromised update mechanism for Passwordstate pushes malware that steals data.

Dan Goodin - Apr 23, 2021 9:55 pm UTC

As many as 29,000 users of the Passwordstate password manager downloaded a malicious update that extracted data from the app and sent it to an attacker-controlled server, the app maker told customers.

In an email, Passwordstate creator Click Studios told customers that bad actors compromised its upgrade mechanism and used it to install a malicious file on user computers. The file, named "moserware.secretsplitter.dll," contained a legitimate copy of an app called SecretSplitter, along with malicious code named "Loader," according to a brief writeup from security firm CSIS Group.

[Image: the Loader code inside moserware.secretsplitter.dll, credit CSIS Group]

The Loader code attempts to retrieve the file archive at https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip so it can retrieve an encrypted second-stage payload.
Once decrypted, the code is executed directly in memory. The email from Click Studios said that the code "extracts information about the computer system, and select Passwordstate data, which is then posted to the bad actors' CDN Network."

The Passwordstate update compromise lasted from April 20 at 8:33 am UTC to April 22 at 12:30 am. The attacker server was shut down on April 22 at 7:00 am UTC.

The dark side of password managers

Security practitioners regularly recommend password managers because they make it easy for people to store long, complex passwords that are unique to each of hundreds or even thousands of accounts. Without a password manager, many people resort to weak passwords that are reused across multiple accounts.

The Passwordstate breach underscores the risk posed by password managers: they represent a single point of failure whose compromise can expose large numbers of online assets at once. The risk is significantly lower when two-factor authentication is available and enabled, because extracted passwords alone aren't enough to gain unauthorized access. Click Studios says that Passwordstate provides multiple 2FA options.

The breach is especially concerning because Passwordstate is sold primarily to corporate customers who use the manager to store passwords for firewalls, VPNs, and other enterprise applications. Click Studios says Passwordstate is "trusted by more than 29,000 Customers and 370,000 Security and IT Professionals around the world, with an install base spanning from the largest of enterprises, including many Fortune 500 companies, to the smallest of IT shops."

Another supply-chain attack

Further reading: Backdoored developer tool that stole credentials escaped notice for 3 months

The Passwordstate compromise is the latest high-profile supply-chain attack to come to light in recent months.
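As an added example (not code from the article, Click Studios or CSIS Group), the following Python script applies the indicators the article gives, the Loader's download URL and the compromise window, to proxy logs, so a defender can find servers that fetched the second stage or posted data to the attacker's CDN. The log line layout and the sample log lines are constructed for this example.

```python
"""Scan proxy/web-gateway logs for the Passwordstate Loader indicators.

Added example (not code from the article, Click Studios or CSIS Group). The
indicators and times are the ones the article reports; the log format and the
sample log lines are constructed for this example.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Indicators from the article (the host is written defanged there as kxcdn[.]com).
MALICIOUS_HOST = "passwordstate-18ed2.kxcdn.com"
SECOND_STAGE_PATH = "/upgrade_service_upgrade.zip"

# Period during which the tampered upgrade was being served (UTC, per the article).
UPDATE_WINDOW_START = datetime(2021, 4, 20, 8, 33, tzinfo=timezone.utc)
UPDATE_WINDOW_END = datetime(2021, 4, 22, 0, 30, tzinfo=timezone.utc)
# The attacker server itself stayed up until 07:00 UTC on April 22, so already
# backdoored hosts could keep talking to it after the update window closed.
TAKEDOWN = datetime(2021, 4, 22, 7, 0, tzinfo=timezone.utc)

# Assumed (hypothetical) log line layout: "<ISO-8601 time> <client IP> <METHOD> <URL> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    url = urlsplit(m["url"])
    return {
        "ts": ts,
        "client": m["client"],
        "method": m["method"],
        "host": (url.hostname or "").lower(),
        "path": url.path.lower(),
        "status": int(m["status"]),
    }


def classify(rec):
    """Map a parsed request onto the stages the article describes, or None if benign."""
    host_hit = rec["host"] == MALICIOUS_HOST
    path_hit = rec["path"] == SECOND_STAGE_PATH
    if not (host_hit or path_hit):
        return None
    if path_hit:
        stage = "second-stage-fetch"   # Loader pulling the encrypted payload archive
    elif rec["method"] == "POST":
        stage = "exfil-post"           # system info / Passwordstate data posted to the CDN
    else:
        stage = "cdn-contact"          # any other traffic to the attacker host
    return {
        "client": rec["client"],
        "ts": rec["ts"].isoformat(),
        "stage": stage,
        "in_update_window": UPDATE_WINDOW_START <= rec["ts"] <= UPDATE_WINDOW_END,
        "before_takedown": rec["ts"] <= TAKEDOWN,
    }


def scan(lines):
    """Return one finding per request that matches an indicator; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is not None:
            findings.append(hit)
    return findings


def clients_to_reset(findings):
    """Hosts that contacted the attacker infrastructure: per the article, every
    password stored in their Passwordstate instance should be reset."""
    return sorted({f["client"] for f in findings})


# Constructed sample log: one backdoored server (10.0.4.17), one clean one, one junk line.
SAMPLE_LOG = """\
2021-04-20T09:10:05Z 10.0.4.17 GET https://passwordstate-18ed2.kxcdn.com/upgrade_service_upgrade.zip 200
2021-04-20T09:10:41Z 10.0.4.17 POST https://passwordstate-18ed2.kxcdn.com/ 200
2021-04-21T14:02:00Z 10.0.4.22 GET https://www.example.com/ 200
this line is not in the expected format
2021-04-22T05:45:13Z 10.0.4.17 POST https://passwordstate-18ed2.kxcdn.com/ 200
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for finding in results:
        print(finding)
    print("reset stored passwords on:", clients_to_reset(results))
```

A hit after the update window but before the takedown (the last sample line) still means the server was backdoored earlier; the window only bounds when the tampered upgrade was distributed.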
In December, a malicious update for the SolarWinds network management software installed a backdoor on the networks of 18,000 customers. Earlier this month, an updated developer tool called the Codecov Bash Uploader extracted secret authentication tokens and other sensitive data from infected machines and sent them to a remote site controlled by the hackers.

First-stage payloads uploaded to VirusTotal here and here showed that at the time this post was going live, none of the 68 tracked endpoint protection programs detected the malware. Researchers so far have been unable to obtain samples of the follow-on payload.

Anyone who uses Passwordstate should immediately reset all the stored passwords, particularly those for firewalls, VPNs, switches, local accounts, and servers.

Representatives from Click Studios didn't respond to an email seeking comment for this post.

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Email dan.goodin@arstechnica.com // Twitter @dangoodin001

Reader Comments (103 comments, 63 posters participating)

1. Nowicki, Ars Praefectus et Subscriptor - Fri Apr 23, 2021 5:03 pm (Popular)

These supply-chain attacks are getting tedious. Every time something this critical comes up I have to think: crap, is that on any of our clients' networks? Should we blacklist it? Is there already an update? How long has it been going on? etc., etc., etc. 2021 is not a good year for software so far, but you make it a lot easier to respond accordingly, Ars, and I very much appreciate it.

5319 posts | registered Jan 6, 2015

2. dogbot, Ars Centurion et Subscriptor - Fri Apr 23, 2021 5:07 pm (Popular)

I've just checked our installation and we don't (apparently) use the automatic update method. Saved by inaction. Jeez. Appreciate the notification, though.

2443 posts | registered Apr 26, 2019

3. mehj, Smack-Fu Master, in training - Fri Apr 23, 2021 5:22 pm (Popular)

> Nowicki wrote:
> These supply-chain attacks are getting tedious. Every time something this critical comes up I have to think: crap, is that on any of our clients' networks? Should we blacklist it? Is there already an update? How long has it been going on? etc., etc., etc. 2021 is not a good year for software so far, but you make it a lot easier to respond accordingly, Ars, and I very much appreciate it.

They're only going to get worse, to be honest. Modern software development involves pulling in hundreds of 3rd party dependencies for even simple applications, and many (most?) of the tools that manage those dependencies were never designed with security in mind. And even if they were designed with security in mind (via code signing or similar mechanisms), you're one developer account compromise away from a malicious update anyway. It's been ~~27~~ 37 years, and Reflections on Trusting Trust is still as relevant today as it was back then.

edit: 37 years ago. God I'm old.

Last edited by mehj on Fri Apr 23, 2021 5:26 pm
22 posts | registered Oct 8, 2020

4. Oteph, Smack-Fu Master, in training et Subscriptor - Fri Apr 23, 2021 5:25 pm

> AxMi-24 wrote:
> This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.

The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.

73 posts | registered Dec 8, 2012

5. DaveSimmons, Ars Tribunus Angusticlavius - Fri Apr 23, 2021 5:30 pm (Popular)

Luckily there haven't been any supply chain attacks on the "notepad + text file" password manager that I use.

7622 posts | registered Aug 8, 2005

6. QuantifiableQuoll, Smack-Fu Master, in training et Subscriptor - Fri Apr 23, 2021 5:48 pm (Popular)

This is definitely my greatest fear for password managers, and news like this makes it harder for me to convince less tech-savvy folks, like my parents, to use one. It makes me wish that security conscious applications would come with a firewall whitelist of domains that the app will normally need to access. Given some OS-level firewall support, the first download could pin that trusted domain profile, and any subsequent app updates needing new domains could then pop up a warning, not unlike iPhone permissions prompts. Little Snitch kind of has the beginnings of a system like this with its Internet Access Policy. Unfortunately, firewall permissions based on domain are already too complicated for most users, and developers installing about a hundred 3rd-party libraries would have a hell of a time keeping the list up to date. Oh well, I guess two-factor will have to save us.

85 posts | registered May 26, 2017

7. AxMi-24, Ars Tribunus Angusticlavius - Fri Apr 23, 2021 5:54 pm

> Oteph wrote:
> > AxMi-24 wrote:
> > This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.
> The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.

Cross platform/cloud is what makes it a lot more vulnerable. Especially having it on phones, that are known to have joke security, it's risky as fuck. If you need some pswds on the phone (bad idea in general) make a new keepass vault just for those few so that the majority stay safe on a bit more secure platform.

9520 posts | registered Jan 30, 2006

8. AxMi-24, Ars Tribunus Angusticlavius - Fri Apr 23, 2021 5:56 pm

> QuantifiableQuoll wrote:
> This is definitely my greatest fear for password managers, and news like this makes it harder for me to convince less tech-savvy folks, like my parents, to use one. It makes me wish that security conscious applications would come with a firewall whitelist of domains that the app will normally need to access. Given some OS-level firewall support, the first download could pin that trusted domain profile, and any subsequent app updates needing new domains could then pop up a warning, not unlike iPhone permissions prompts. Little Snitch kind of has the beginnings of a system like this with its Internet Access Policy. Unfortunately, firewall permissions based on domain are already too complicated for most users, and developers installing about a hundred 3rd-party libraries would have a hell of a time keeping the list up to date. Oh well, I guess two-factor will have to save us.

Main problem is that MS killed off all application firewalls and now we are stuck with Windows Firewall, where the default is allow everything and anything, plus accepting any installer to add rules without asking the user...

9520 posts | registered Jan 30, 2006

9. Num Lock, Smack-Fu Master, in training et Subscriptor - Fri Apr 23, 2021 6:03 pm

> Oteph wrote:
> > AxMi-24 wrote:
> > This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.
> The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.

I mean, what do you want it to look like? It's not pretty and not as simple for web-based logins as solutions with browser extensions, but it works fine. I agree that it's not a good solution for multi-user or multi-device scenarios. Just keeping the same database between my work desktop and work laptop (can't always rely on having network access to the desktop in a pinch) is a PITA. And no one has the same database.

55 posts | registered Apr 15, 2016

10. boast, Wise, Aged Ars Veteran - Fri Apr 23, 2021 6:18 pm (Popular)

> AxMi-24 wrote:
> > Oteph wrote:
> > > AxMi-24 wrote:
> > > This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.
> > The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.
> Cross platform/cloud is what makes it a lot more vulnerable. Especially having it on phones, that are known to have joke security, it's risky as fuck. If you need some pswds on the phone (bad idea in general) make a new keepass vault just for those few so that the majority stay safe on a bit more secure platform.

Wait, so you don't log into anything when using your phone? That is not common at all.

121 posts | registered Jun 24, 2011

11. PandaCheese, Ars Praefectus - Fri Apr 23, 2021 6:26 pm

> boast wrote:
> > AxMi-24 wrote:
> > > Oteph wrote:
> > > > AxMi-24 wrote:
> > > > This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.
> > > The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.
> > Cross platform/cloud is what makes it a lot more vulnerable. Especially having it on phones, that are known to have joke security, it's risky as fuck. If you need some pswds on the phone (bad idea in general) make a new keepass vault just for those few so that the majority stay safe on a bit more secure platform.
> Wait, so you don't log into anything when using your phone? That is not common at all.

Honestly in terms of sheer attack surface my phone is probably a lot more secure than my Windows 10 PC. Neither is immune to supply chain attacks like this of course, so I guess back to the day of using Post-Its as your password manager... Also, it seems very irresponsible to not have a sufficient integrity check in the update mechanism to detect suspicious code, for example using signatures.

Last edited by PandaCheese on Fri Apr 23, 2021 6:31 pm
5267 posts | registered Aug 28, 2008

12. trparky, Seniorius Lurkius - Fri Apr 23, 2021 6:30 pm

Phone security wouldn't be such a stinkin' joke if the Android OEMs were actually doing what we paid them to do. You know... deliver software patches on time every time.

48 posts | registered Mar 9, 2014

13. NetMage, Ars Scholae Palatinae et Subscriptor - Fri Apr 23, 2021 6:36 pm

> trparky wrote:
> Phone security wouldn't be such a stinkin' joke if the Android OEMs were actually doing what we paid them to do. You know... deliver software patches on time every time.

There's always iPhone.

1464 posts | registered Oct 21, 2007

14. trparky, Seniorius Lurkius - Fri Apr 23, 2021 6:38 pm

> NetMage wrote:
> > trparky wrote:
> > Phone security wouldn't be such a stinkin' joke if the Android OEMs were actually doing what we paid them to do. You know... deliver software patches on time every time.
> There's always iPhone.

I wanted to say that, but I felt that it would bring too much flame down on me. I know there are some people around here that are Apple haters. So, I resisted saying anything like that.

48 posts | registered Mar 9, 2014

15. graylshaped, Ars Legatus Legionis et Subscriptor - Fri Apr 23, 2021 6:42 pm

> Oteph wrote:
> > AxMi-24 wrote:
> > This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.
> The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.

I switched to KeePassXC last year. Much better.

edit: my OP said KeePassX, when XC is the fork that was the improvement. My apologies.

Last edited by graylshaped on Fri Apr 23, 2021 7:28 pm
35013 posts | registered Jan 7, 2008

16. Thunderracker, Wise, Aged Ars Veteran - Fri Apr 23, 2021 6:47 pm (Popular)

Look guys. When talking about password managers, let's also realize that physical security is not what you think it is. There is no lock anywhere in the world that cannot be opened in a few minutes with basic tools and a little bit of skill. I should know. I have been on entry teams doing pen tests. Properly used, password managers are soooo much better than any extant alternatives. Emphasis on properly used.

193 posts | registered Jan 31, 2008

17. a single spicy french fry, Smack-Fu Master, in training et Subscriptor - Fri Apr 23, 2021 6:50 pm (New Poster, Popular)

> raxadian wrote:
> And then people downvote me when I say password managers are a terrible idea - -.

Because you're wrong and the past 20 years have demonstrated that.

4 posts | registered Oct 8, 2018

18. trparky, Seniorius Lurkius - Fri Apr 23, 2021 7:00 pm

> steven95731 wrote:
> I don't understand why people use random password managers. Why would you worry about saving cost on something that keeps your passwords safe? I would assume that something like 1Password/LastPass is a lot more secure than most of the competition.

I, myself, use BitWarden, which is open source, so if there's a vulnerability, someone's going to find it and fix it.

48 posts | registered Mar 9, 2014

19. J.King, Ars Tribunus Militum et Subscriptor - Fri Apr 23, 2021 7:02 pm

> graylshaped wrote:
> > Oteph wrote:
> > > AxMi-24 wrote:
> > > This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.
> > The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.
> I switched to KeePassX last year. Much better.

Unless that was a typo, you may want to look at KeePassXC, as KeePassX does not appear to be maintained any longer.

2151 posts | registered Sep 10, 2015

20. Urist, Ars Scholae Palatinae et Subscriptor - Fri Apr 23, 2021 7:04 pm

> graylshaped wrote:
> > Oteph wrote:
> > > AxMi-24 wrote:
> > > This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.
> > The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.
> I switched to KeePassX last year. Much better.

Yeah afaik the keepass branch is no longer really actively maintained, and hasn't been for some time. ~~KeePassX~~ KeePassXC receives regular updates and is probably in a much better state than og keepass. So PSA to anyone still using keepass.

Password managers (especially paid, browser extension based ones) I feel are becoming the next anti-virus software; hundreds of overly bloated, insecure pieces of garbage software, that once reaching a critical mass of users get sold off to some shady company (or were just developed by a shady company in the first place) that will use them to push ads and malware to unsuspecting users.

Has Ars done a guide on picking a good password manager? The 2FA guide was immensely helpful and made me realize that the one I had been using was actually quite terrible.

edit: Got confused about which fork I actually use myself... my opening statement is still actually wrong, but at least it is referring to the right thing.

Last edited by Urist on Fri Apr 23, 2021 7:29 pm
2483 posts | registered Sep 12, 2017

21. J.King, Ars Tribunus Militum et Subscriptor - Fri Apr 23, 2021 7:13 pm

> Urist wrote:
> > graylshaped wrote:
> > > Oteph wrote:
> > > > AxMi-24 wrote:
> > > > This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.
> > > The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.
> > I switched to KeePassX last year. Much better.
> Yeah afaik the keepass branch is no longer really actively maintained, and hasn't been for some time. KeePassX receives regular updates and is probably in a much better state than og keepass. So PSA to anyone still using keepass.

You have that backwards. KeePassX hasn't had a release since 2016, and hasn't had any commits to its code repository since 2019. KeePass proper's latest release is from January of this year, which added various new features including (finally!) built-in support for TOTPs.

2151 posts | registered Sep 10, 2015

22. antumbra, Seniorius Lurkius et Subscriptor - Fri Apr 23, 2021 7:22 pm

I'd love some info on how technically challenging that exploit was. That multi-phase kind of setup, along with being run in memory, suggests to me this wasn't trivial to pull off, but I would love some more knowledgeable input on that.

18 posts | registered Jul 5, 2013

23. J.King, Ars Tribunus Militum et Subscriptor - Fri Apr 23, 2021 7:22 pm (Popular)

> raxadian wrote:
> > a single spicy french fry wrote:
> > > raxadian wrote:
> > > And then people downvote me when I say password managers are a terrible idea - -.
> > Because you're wrong and the past 20 years have demonstrated that.
> 20 years you say? [...] And I could link even more but I am already going to probably be tagged as Spam as it is.

I don't think anyone would argue that using a password manager (any password manager) is a magic bullet, but for every article you can dig up about password manager compromises, you'll find ten times as many about weak passwords and password re-use. Password managers are the worst solution ever devised, save for all the others.

2151 posts | registered Sep 10, 2015

24. Oz7, Ars Scholae Palatinae et Subscriptor - Fri Apr 23, 2021 7:24 pm

> Urist wrote:
> > graylshaped wrote:
> > > Oteph wrote:
> > > > AxMi-24 wrote:
> > > > This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.
> > > The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.
> > I switched to KeePassX last year. Much better.
> Yeah afaik the keepass branch is no longer really actively maintained, and hasn't been for some time. KeePassX receives regular updates and is probably in a much better state than og keepass. So PSA to anyone still using keepass.
> Password managers (especially paid, browser extension based ones) I feel are becoming the next anti-virus software

That may be true of third party password managers, esp. those offered by smaller outfits, but cross platform browser or OS based password management is now baked into Mac OS/iOS, MS Edge, or Chrome/Chrome OS. I doubt that they will be as easily hacked, and the implementation should be reasonably secure. Now trusting the companies behind them - that's a different story... of the three, Apple would be your best bet for privacy, assuming one can afford the ecosystem.

1067 posts | registered Nov 17, 2012

25. Urist, Ars Scholae Palatinae et Subscriptor - Fri Apr 23, 2021 7:25 pm

> J.King wrote:
> > Urist wrote:
> > > graylshaped wrote:
> > > > Oteph wrote:
> > > > > AxMi-24 wrote:
> > > > > This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.
> > > > The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.
> > > I switched to KeePassX last year. Much better.
> > Yeah afaik the keepass branch is no longer really actively maintained, and hasn't been for some time. KeePassX receives regular updates and is probably in a much better state than og keepass. So PSA to anyone still using keepass.
> You have that backwards. KeePassX hasn't had a release since 2016, and hasn't had any commits to its code repository since 2019. KeePass proper's latest release is from January of this year, which added various new features including (finally!) built-in support for TOTPs.

Ah, you are right, I was thinking of KeePassXC, which I think is the active fork of KeePassX?

2483 posts | registered Sep 12, 2017

26. a single spicy french fry, Smack-Fu Master, in training et Subscriptor - Fri Apr 23, 2021 7:26 pm (New Poster, Popular)

> raxadian wrote:
> > a single spicy french fry wrote:
> > > raxadian wrote:
> > > And then people downvote me when I say password managers are a terrible idea - -.
> > Because you're wrong and the past 20 years have demonstrated that.
> 20 years you say?
> https://arstechnica.com/information-tec ... n-account/
> https://arstechnica.com/information-tec ... erability/
> https://arstechnica.com/information-tec ... -managers/
> https://arstechnica.com/information-tec ... d-manager/
> https://arstechnica.com/information-tec ... -en-masse/
> https://arstechnica.com/information-tec ... passwords/
> https://arstechnica.com/information-tec ... g-attacks/
> https://arstechnica.com/gadgets/2008/12 ... -security/
> https://arstechnica.com/information-tec ... 6/11/6067/
> And I could link even more but I am already going to probably be tagged as Spam as it is.

Hey quick question: how many accounts were compromised by all of those, versus how many were compromised via reused and weak passwords?

4 posts | registered Oct 8, 2018

27. graylshaped, Ars Legatus Legionis et Subscriptor - Fri Apr 23, 2021 7:26 pm

> Thunderracker wrote:
> Look guys. When talking about password managers, let's also realize that physical security is not what you think it is. There is no lock anywhere in the world that cannot be opened in a few minutes with basic tools and a little bit of skill. I should know. I have been on entry teams doing pen tests. Properly used, password managers are soooo much better than any extant alternatives. Emphasis on properly used.

If a bad guy gets physical access to your system, yeah. There are two things I learned in my time rubbing shoulders with security people. First, if a smart, patient, dedicated individual wants to cause you problems, he or she will more than likely be able to do it no matter how good your systems are. Second, locks mostly serve to keep honest people honest.

And, for the record, my password manager has a stupidly complicated password on it, and I don't have any of the autofill options activated. If that means I need to type in that stupidly long password a few times a day, so be it.

35013 posts | registered Jan 7, 2008

28. graylshaped, Ars Legatus Legionis et Subscriptor - Fri Apr 23, 2021 7:27 pm

> Urist wrote:
> > J.King wrote:
> > > Urist wrote:
> > > > graylshaped wrote:
> > > > > Oteph wrote:
> > > > > > AxMi-24 wrote:
> > > > > > This is why God himself, in his infinite wisdom, invented keepass and application firewall to make sure it stays offline.
> > > > > The UX of keepass is so bad that users will instead keep using the same password for everything. Especially in the days where everyone has multiple devices, having seamless cross platform support is paramount.
> > > > I switched to KeePassX last year. Much better.
> > > Yeah afaik the keepass branch is no longer really actively maintained, and hasn't been for some time. KeePassX receives regular updates and is probably in a much better state than og keepass. So PSA to anyone still using keepass.
> > You have that backwards. KeePassX hasn't had a release since 2016, and hasn't had any commits to its code repository since 2019. KeePass proper's latest release is from January of this year, which added various new features including (finally!) built-in support for TOTPs.
> Ah, you are right, I was thinking of KeePassXC, which I think is the active fork of KeePassX?

Sorry--you are correct. I am now using KeePassXC, which was the big improvement. Thanks for catching it.

35013 posts | registered Jan 7, 2008

29. M E, Smack-Fu Master, in training et Subscriptor - Fri Apr 23, 2021 8:11 pm

Always a bad look for a security-focused product/service/company to get hacked - the reputational hit is hard to recover from. I will never trust password managers for really important passwords like for important e-mail accounts and financial websites. I still use the old noggin' to remember those. I do use KeePassX in an offline database for less important accounts. It's not as convenient as the cross-platform cloud-synced alternatives, but it does the job and I don't have to worry about upstream security.

13 posts | registered Jan 3, 2021

30. Wiskers69, Ars Centurion et Subscriptor - Fri Apr 23, 2021 8:11 pm

> graylshaped wrote:
> > Thunderracker wrote:
> > Look guys. When talking about password managers, let's also realize that physical security is not what you think it is. There is no lock anywhere in the world that cannot be opened in a few minutes with basic tools and a little bit of skill. I should know. I have been on entry teams doing pen tests. Properly used, password managers are soooo much better than any extant alternatives. Emphasis on properly used.
> [...]
> And, for the record, my password manager has a stupidly complicated password on it, and I don't have any of the autofill options activated. If that means I need to type in that stupidly long password a few times a day, so be it.

Me too, until I switched to using a physical key to unlock my vault. Of course I'm just waiting for the Ars article about how YubiKey has just been hacked.

264 posts | registered Jul 12, 2014

31. Wiskers69, Ars Centurion et Subscriptor - Fri Apr 23, 2021 8:27 pm

> M E wrote:
> Always a bad look for a security-focused product/service/company to get hacked - the reputational hit is hard to recover from. I will never trust password managers for really important passwords like for important e-mail accounts and financial websites. I still use the old noggin' to remember those. I do use KeePassX in an offline database for less important accounts. It's not as convenient as the cross-platform cloud-synced alternatives, but it does the job and I don't have to worry about upstream security.

I suspect if you can actually remember them then they aren't that secure.

264 posts | registered Jul 12, 2014

32. PokemonPets, Ars Centurion - Fri Apr 23, 2021 8:31 pm

I hope the same thing doesn't happen to Google Chrome's password manager system (that they don't get hacked). Pretty much all my passwords are saved there.

293 posts | registered Jun 25, 2016

33. Superfreq, Smack-Fu Master, in training et Subscriptor - Fri Apr 23, 2021 8:36 pm (New Poster)

On the bright side though, good password managers make it easy to reset all your passwords at once.

7 posts | registered Apr 6, 2020

34. Graeme K, Ars Legatus Legionis et Subscriptor - Fri Apr 23, 2021 8:41 pm

> steven95731 wrote:
> I don't understand why people use random password managers. Why would you worry about saving cost on something that keeps your passwords safe? I would assume that something like 1Password/LastPass is a lot more secure than most of the competition.

This isn't a random password manager and it doesn't compete in the same space as 1Password, which we also use. This is an API-driven central store for enterprise. Thankfully our install was not affected.

14644 posts | registered Aug 15, 2004