Discussions Triggered from the LastPass Breach

by Brian Petzold | Jan 6, 2023


Over the past month, many have written about the latest LastPass breach. If you have not kept up with the breach, you can see the disclosure from LastPass here. Since the breach was publicized, there has been a lot of focus on not only the LastPass product but also on password managers in general. Are they safe to use? Should the managers be internal instead of cloud-based? Is it better to go “passwordless”? What steps do organizations need to take to ensure they are secure? I’m going to try to unpack these questions here and put them into perspective.

In the aftermath of the breach, some analysts have stated that password vaults should not be used, as they will be an obvious target for hackers. My response to this is that users will always need to retain a list of passwords somewhere. I would rather my users store their passwords in a single password vault that I can monitor and control than force them to store passwords in spreadsheets, Word documents, email systems, or in notebooks kept next to their computers. Criminals know where users tend to store their passwords and will always seek these out because they are low-hanging fruit.

The LastPass breach has also ignited discussion about where password managers should be hosted. Should they be cloud-based, or should they be internal to an organization, where the organization can directly control them and where they are not as big a target for hackers? I feel that if a company is large enough to employ top-tier security staff who can properly monitor and secure a password manager, an internal system might be the right solution. If they do not have this staff, they should instead go with a cloud-based system. While being a LastPass customer right now may not be the most comfortable situation, at least organizations have been made aware of the breach and can take the actions required to make sure passwords remain secure. If an attacker obtains access to an organization’s internal password manager and is not detected, the criminals will be able to do much more damage.

Analysts have also stated that the solution is to eliminate the need for password managers by going “passwordless”. What going passwordless means is that users authenticate solely using other evidence of their identity such as biometrics (facial scan, fingerprints, retina scanning, voice recognition, etc.), tokens (proximity badges, hardware tokens, USB devices), certificates, or mobile phone applications. If you can access your email on your phone today using an authenticator app and just your fingerprint or your face, you are using passwordless authentication. Your company is trusting that your phone has properly identified you and has accepted this “evidence” in lieu of your password.

Passwordless solutions have two primary challenges. First, many of the systems used by financial institutions simply do not support passwordless authentication, meaning users will still need to remember many passwords for the foreseeable future. You cannot eliminate the password manager after all! The second challenge is that hackers know that companies are moving to these technologies and are working hard to find ways to circumvent them. Hackers have found ways to trick users into unlocking systems that use passwordless authentication. Hackers have also been able to reverse engineer the codes generated by authenticator apps. You are not eliminating risk by eliminating password managers; you are just transferring it to another platform, which will also be a challenge to manage.

The final popular discussion stemming from the LastPass breach revolves around what organizations can do to reduce the risk of using a password manager. Here is the list of actions I would recommend:

  • Implement MFA as a requirement to log into any critical system, and train users to be alert for signs that someone is trying to trick them into providing MFA responses. Having a password alone should never be considered adequate security for anything critical.

  • Remind users that they should never reuse the master password that unlocks their password manager on any other site. If they do and that other site is breached, the attacker may be able to use the shared password to gain access to the password manager data without needing to crack the password.

  • Access to a password manager should always require a strong form of multifactor authentication in addition to a long, complex password. This should be the only password that a user needs to remember, so they can spend some time memorizing it!

  • Password managers should be configured to alert users and administrators of any suspicious activity, and this activity should be quickly investigated.

  • Users should be reminded to never share their password manager master password with anyone.

  • Administrators of password managers should carefully review settings of the system to ensure that they reflect current best practices for the password manager.

  • Administrators should understand which data in a password manager is encrypted and which information is not. This information may not be readily available, so administrators may need to speak with the vendor to gain this knowledge. If data that is not encrypted is a concern, the organization may want to switch password managers.

  • While going passwordless is not truly attainable today, it may be in the future when combined with zero-trust practices that will not rely on only one factor of authentication. Organizations should continue to stay abreast of passwordless technology so that they can move to it as it matures.

Need help or have questions in the department of reducing technology risk? Email us any time at support@bedelsecurity.com.

Want these articles delivered weekly to your inbox? Subscribe to our Newsletter!
