A Discussion on Password Managers and Keeping Secrets

Just don’t use LastPass at all… do yourself a favor :rofl: they MAJORLY :poop: the bed.


I think I saw a headline about that recently. I didn’t read the article. I have always had this gut feeling you shouldn’t trust a password manager.


That’s not a statement I would make. What I would say is you should always verify what it is your password manager is doing (or not).

Last year or the year before, LastPass lost their entire vault with all of everyone’s secrets. This was supposed to be OK because, after all, it was encrypted… Except it wasn’t: a lot of the information wasn’t encrypted, and the information that was, in a lot of cases, was encrypted using weak or old ciphers or with very few rounds of PBKDF2.

Since this happened there have been a bunch of proven reports where people’s vaults have been cracked and millions of dollars’ worth of crypto have been stolen.

Password managers are wonderful and everyone should use them. But they should be carefully monitored and audited to make sure they aren’t getting lazy.

I went to 1Password; I can also recommend Bitwarden (FLOSS).

If you want more info as to what happened and how, I recommend the following episodes of one of my favorite podcasts.


This is virtually impossible. Particularly for the layperson just trying to keep up with cybersecurity.
Since most (if not all) people can’t effectively judge the capabilities and limitations of a password manager, it stands to reason that we should never use a password manager.

You trust 1Pass now, but how well do you know that the data is encrypted, and securely encrypted with the newest/hardest algos?

The reputable brands have regular third-party audits that check that for us normies.

We have to ask, compared to what? An Excel sheet on the desktop? A bunch of sticky notes underneath the keyboard?

We shouldn’t be arguing about how to store passwords but how fast can we get rid of them. :person_shrugging:

Like Mark said, most of the reputable brands have 3rd-party audits, on a recurring schedule.

And Bitwarden similarly.

This stuff isn’t rocket science and can be done well easily. LastPass got complacent. Originally, when Joe Siegrist created it, it was state of the art. But as computing evolves, so does our need for more hardened encryption and security.

Bitwarden recently added Argon2, which is a compute- and memory-bound algorithm that can’t be sped up and isn’t vulnerable to side-channel attacks.

However, to your point, how does a layperson know these things… They don’t; they rely on folks to tell them otherwise and/or commercial companies doing the right thing. That’s why it is important to choose a company with a good reputation that is staying up to date with the latest, or a company like Bitwarden whose secrets are an open book via open source.

There are better alternatives out there, as Mark pointed out, like passkeys, which give no third party any secrets to keep, but the implementation and explanation of how they work is complex and will take time.

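To make the two KDF points in the thread concrete (few PBKDF2 rounds making stolen vaults cheap to crack, and a memory-hard KDF like Argon2 raising the per-guess cost), here is an added example of my own. It is not LastPass or Bitwarden code. It models what a thief holds after a vault theft (salt, KDF parameters, a key-check value) and runs an offline wordlist attack against it. It uses only the Python standard library: `hashlib.pbkdf2_hmac` for PBKDF2-HMAC-SHA256 and `hashlib.scrypt` as the memory-hard stand-in, because the stdlib has no Argon2. The 600,000 figure follows current OWASP guidance for PBKDF2-HMAC-SHA256; the 5,000 figure, the master password, the wordlist and the salts are constructed for the demo, not taken from any real breach data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Work factors compared below. 600_000 follows current OWASP guidance for
# PBKDF2-HMAC-SHA256; 5_000 is an assumed, deliberately low legacy default.
LOW_ITERATIONS = 5_000
STRONG_ITERATIONS = 600_000
SCRYPT_N = 2 ** 14  # with r=8 this costs 128 * 8 * 2**14 = 16 MiB of RAM per guess


@dataclass(frozen=True)
class VaultHeader:
    """Everything an attacker holds after a vault theft: salt, KDF parameters,
    and a key-check value the client uses to verify the master password."""
    salt: bytes
    kdf: str          # "pbkdf2" or "scrypt"
    cost: int         # PBKDF2 iteration count, or scrypt N
    key_check: bytes  # HMAC-SHA256(vault_key, b"vault-check")


def derive_key(master_password: str, header: VaultHeader) -> bytes:
    """Stretch the master password into a 256-bit vault key."""
    pw = master_password.encode("utf-8")
    if header.kdf == "pbkdf2":
        # CPU-only: cost is linear in iterations and parallelises perfectly
        # on GPUs, so a low count makes every guess cheap.
        return hashlib.pbkdf2_hmac("sha256", pw, header.salt, header.cost, dklen=32)
    if header.kdf == "scrypt":
        # Memory-hard stand-in for Argon2id (not in the stdlib): each guess
        # needs 128*r*N bytes of RAM, which is what starves GPU/ASIC parallelism.
        return hashlib.scrypt(pw, salt=header.salt, n=header.cost, r=8, p=1,
                              maxmem=128 * 1024 * 1024, dklen=32)
    raise ValueError(f"unknown kdf {header.kdf!r}")


def key_check(vault_key: bytes) -> bytes:
    return hmac.new(vault_key, b"vault-check", hashlib.sha256).digest()


def create_vault(master_password: str, kdf: str, cost: int,
                 salt: Optional[bytes] = None) -> VaultHeader:
    """Build the header a client would store; the salt is random unless supplied."""
    salt = salt if salt is not None else os.urandom(16)
    probe = VaultHeader(salt, kdf, cost, b"")
    return VaultHeader(salt, kdf, cost, key_check(derive_key(master_password, probe)))


def unlocks(master_password: str, header: VaultHeader) -> bool:
    """Constant-time comparison of the candidate's key-check against the stored one."""
    candidate = key_check(derive_key(master_password, header))
    return hmac.compare_digest(candidate, header.key_check)


def offline_crack(header: VaultHeader, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """What the thief does with the stolen header: try guesses until one unlocks.
    Returns (recovered_password or None, number_of_guesses_spent)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if unlocks(candidate, header):
            return candidate, guesses
    return None, len(wordlist)


def pbkdf2_speedup(weak_iterations: int, strong_iterations: int) -> float:
    """How many times faster a cracker runs against the weak setting."""
    return strong_iterations / weak_iterations


if __name__ == "__main__":
    # Constructed demo values: a weak master password that sits in a small wordlist.
    wordlist = ["password", "letmein", "Summer2023!", "correct horse battery staple"]
    weak = create_vault("Summer2023!", "pbkdf2", LOW_ITERATIONS)
    strong = create_vault("Summer2023!", "scrypt", SCRYPT_N)
    print("weak PBKDF2 header cracked:", offline_crack(weak, wordlist))
    print("memory-hard header cracked:", offline_crack(strong, wordlist))
    print(f"cracker speed-up from {STRONG_ITERATIONS} -> {LOW_ITERATIONS} PBKDF2 "
          f"iterations: {pbkdf2_speedup(LOW_ITERATIONS, STRONG_ITERATIONS):.0f}x")
```

Two things worth noticing when you run it. First, both headers are cracked, because the master password is in the wordlist: a KDF only multiplies the cost per guess, it never makes a guessable password safe, which is why a low iteration count plus a weak master password is the combination that got people hurt. Second, the only number an attacker cannot change is the one baked into the stolen header, so the check a practitioner should make on their own manager is the KDF and work factor actually stored for their account, not what the vendor's marketing page says the default is today.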

Was LastPass not a highly recommended and reputable brand… up until that last breach?

Compared to my wallet full of Post-its. If you have my wallet then you have my life. It’s all over… :rofl:

Absolutely! I am sure that will never come back to bite us! Seriously though, I want everything to move this way!



Well, once LastPass was purchased by LogMeIn, things started heading south.

BTW, this was true for Barracuda and Ivanti products. Once they were purchased by VC, the security was not as good.


In other words, it’s not a “set it and forget it” situation… they have to keep getting audited by reputable auditors, and we have to keep verifying that they are passing those audits.

Hell, this is true for everything in IT - not just PW Managers. :person_shrugging:

RIP old Barracuda… :smiling_face_with_tear: Most VCs are the worst owners; they ruin everything they buy. There is a reason they are mocked as “Vulture Capital”.


I tattoo everything under my arm. They’ll never find it there.


Like so many other things, LastPass was great… until it wasn’t any more.

We’re rolling out Bitwarden Enterprise. I use the family version.

While we use Azure Key Vault, Bitwarden has released a similar product.

https://bitwarden.com/products/secrets-manager/


We rolled out Bitwarden Business after the first LastPass fiasco several years ago. It’s a really great service: 2FA is built right in, so you don’t need Google/MS Authenticator. You can set fine-grained permissions for sharing, and there is a secure-send solution that allows you to share (optionally password-protected) notes and files from within the UI. You can store credentials in a company “collection” that is shared with select groups/users. I use this to store all of our Epicor logins so that if something happens to me, all of the account information is accessible to other admins.

I haven’t tried it yet, but Bitwarden just released a secrets-management solution that integrates with the password manager. It looks promising: The Bitwarden Secrets Manager | Bitwarden


There is another secrets manager I just heard about but they’ve been around for a few years. Never used them, but just to add to the pile:


I kinda have been liking Passbolt.

It works with Duo. It notifies me when passwords are shared, modified, etc… It has a command-line utility too, so you can store stuff like freshly generated API keys and whatnot.

Simple, cheap, flexible, requires local physical access. Easily the best solution of them all if you put a suitcase padlock on it!


Except in the CI/CD pipeline…