Are services like "LastPass" less secure, as they have all my passwords protected by a single password?

That's why you need to make sure you change that password regularly and make it incredibly strong. (I try to surpass 128 bits.)

If you don't use password managers and need to enter a lot of different passwords, you might end up re-using passwords, which is even worse. I personally always recommend using a password manager once you have to remember a lot of passwords.

Personal opinion: however, I don't really like LastPass because it's web-based. Call me paranoid/conservative about it, but I prefer to use a KeePass database (which is encrypted) offline or synced with Dropbox.


This concentration of password power is consubstantial with the concept of a password manager. A password manager is a tool to "remember" more passwords than what the human mind can cope with. With a password manager, it suffices to remember one password to gain access to all the others. But this means that knowing that one password is sufficient to gain access to all the stored passwords. This is unavoidable: I am just stating the obvious, twice, with two slightly distinct points of view.

To live with that, make your master password strong enough to deter attacks. 15 random letters and digits ought to be enough to thwart CPU-based attackers: if your password gets stolen, it will not be through a brute force attack. The usual rules for password hygiene still apply: generate your password(s) with randomness, not wit; don't type a password on a machine which could be infected with a key logger; beware of shoulder surfers.

Password renewal is a controversial issue. Changing your master password may "kick out" attackers who could steal your master password, but this would not change the site-specific passwords stored in the password manager, so the attacker is not totally evicted. Also, the possibility of an attacker stealing your master password is already serious enough: if the attacker got to that point, you are already in deep trouble. Password renewal is like protesting against the ambient wetness while on board the Titanic.
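The two answers above put numbers on the master password ("surpass 128 bits" in the first, "15 random letters and digits" in the second). The following is an added example, not code from either answer, that makes those numbers concrete: it computes the entropy of a uniformly random password over a given alphabet, the length needed to hit a target number of bits, generates such a password from the operating system's CSPRNG, and estimates expected brute-force time at an assumed guessing rate. The alphabets, the 10^10 guesses/second rate and the function names are assumptions of the example; the real guessing rate depends on the password manager's key-derivation function and the attacker's hardware.

```python
import math
import secrets
import string

# Alphabets assumed for this example. The answer above says "letters and
# digits"; treated here as mixed-case letters (52) plus digits (10).
LETTERS_DIGITS = string.ascii_letters + string.digits      # 62 symbols
LOWER_DIGITS = string.ascii_lowercase + string.digits      # 36 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose `length` symbols are drawn uniformly and
    independently from an alphabet of `alphabet_size` symbols. This only
    holds for generated passwords; a human-chosen one has far less."""
    return length * math.log2(alphabet_size)


def required_length(alphabet_size: int, target_bits: float) -> int:
    """Smallest length at which the entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = LETTERS_DIGITS) -> str:
    """Uniform random password from the CSPRNG (`secrets`), never `random`,
    which is predictable and unsuitable for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search to hit the password: on
    average half the keyspace (2**(bits-1) guesses) at the given rate.
    The rate is an assumption supplied by the caller."""
    expected_guesses = 2.0 ** (bits - 1)
    seconds = expected_guesses / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    assumed_rate = 1e10  # guesses/second, an assumed attacker budget

    # The second answer's suggestion: 15 random letters and digits.
    bits15 = entropy_bits(len(LETTERS_DIGITS), 15)
    print(f"15 x [A-Za-z0-9]: {bits15:.1f} bits, "
          f"~{expected_years_to_crack(bits15, assumed_rate):.2e} years at 1e10/s")

    # The first answer's target: at least 128 bits.
    for name, alphabet in (("letters+digits", LETTERS_DIGITS),
                           ("lowercase+digits", LOWER_DIGITS)):
        n = required_length(len(alphabet), 128)
        print(f"128 bits with {name}: {n} symbols -> {generate_password(n, alphabet)}")
```

`entropy_bits(62, 15)` comes to about 89 bits, which is the basis for the claim that a CPU-based brute-force attack is not the realistic threat; reaching 128 bits takes 22 symbols from the 62-symbol alphabet or 25 from the 36-symbol one. The estimate assumes the attacker must try the whole master password space; if the key-derivation function is weak or the attacker has a keylogger, none of this arithmetic applies, which is the point the answer above makes.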


There are two primary problems with sharing passwords for multiple accounts. Yes, one problem is that if one password gets figured out, then it gives much more access as a single point of failure, but the bigger problem is that the same password is stored in many different places. Thus, the surface area to attack is MUCH larger. If I use my same password on every site I visit, if ANY of those sites is compromised, now all sites are compromised.

If I have a different password everywhere and/or use a single set of credentials through the use of something like OAuth, then the surface area of attack is limited to the single OAuth provider or keystore. Using a keystore means that normally only a single password would have to be changed for a compromised site, and if your keystore is compromised, you have documentation of all the accounts that you have that need changing. If you are using OAuth, then only one place has to be changed to actually change all the login credentials.

Sure, both options are weaker than pure random passwords for every site with no record linking them anywhere, but they are also far more usable, and balancing usability and risk mitigation is a big part of security. The "most secure" (i.e. most risk mitigation) is not always the best security decision.