How Password Manager Services like 1Password and LastPass Work
How vulnerable are these services in a data breach?
Recently, LastPass, a very popular password management service, suffered a security breach. The breach originally took place in August of 2022, and the attacker managed to obtain backup copies of LastPass’ user vaults. That’s not great, but not terrible.
Millions of people rely on services like LastPass to manage their passwords. These services promote good security hygiene by encouraging a different password for every site, but a leaked master password would hand an attacker the key to the user’s digital kingdom.
In this article, we’ll dive into how these services operate, and how they — likely — protect their users’ data. Note that I am not affiliated, employed, or otherwise engaged with any of these services. What is described here is an approximation, based on my own experience and the consensus of the broader security community.
The Master Password
The key to the kingdom. First of all, it’s important to note that virtually all companies that offer a commercial password management option operate on what is known as a Zero Knowledge Architecture. Similar to a Safe Deposit Box, the holder of the box does…