Over the past month, many have written about the latest LastPass breach. If you have not kept up with the breach, you can see the disclosure from LastPass here. Since the breach was publicized, there has been a lot of focus on not only the LastPass product but also on password managers in general. Are they safe to use? Should the managers be internal instead of cloud-based? Is it better to go “passwordless”? What steps do organizations need to take to ensure they are secure? I’m going to try to unpack these questions here and put them into perspective.
In the aftermath of the breach, some analysts have stated that password vaults should not be used, as they will be an obvious target for hackers. My response is that users will always need to keep a list of passwords somewhere. I would rather my users store their passwords in a single password vault that I can monitor and control than force them to store passwords in spreadsheets, Word documents, email systems, or in notebooks kept next to their computers. Criminals know where users tend to store their passwords and will always seek these out because they are low-hanging fruit.
The LastPass breach has also ignited discussion about where password managers should live. Should they be cloud-based, or should they be internal to an organization, where the organization can directly control them and where they are a smaller target for hackers? I feel that if a company is large enough to employ top-tier security staff who can properly monitor and secure a password manager, an internal system might be the right solution. If they do not have this staff, they should instead go with a cloud-based system. While being a LastPass customer right now may not be the most comfortable situation, at least organizations have been made aware of the breach and can take the actions required to make sure passwords remain secure. If an attacker obtains access to an organization's internal password manager and is not detected, the attacker will be able to do much more damage.
Analysts have also stated that the solution is to eliminate the need for password managers by going “passwordless”. What going passwordless means is that users authenticate solely using other evidence of their identity such as biometrics (facial scan, fingerprints, retina scanning, voice recognition, etc.), tokens (proximity badges, hardware tokens, USB devices), certificates, or mobile phone applications. If you can access your email on your phone today using an authenticator app and just your fingerprint or your face, you are using passwordless authentication. Your company is trusting that your phone has properly identified you and has accepted this “evidence” in lieu of your password.
Passwordless solutions have two primary challenges. First, many of the systems used by financial institutions simply do not support passwordless authentication, meaning users will still need to remember many passwords for the foreseeable future. You cannot eliminate the password manager after all! The second challenge is that hackers know companies are moving to these technologies and are working hard to find ways to circumvent them. Hackers have found ways to trick users into unlocking systems that use passwordless authentication. Hackers have also captured and relayed the one-time codes generated by authenticator apps before they expire, and because those codes are derived from a shared secret (the "seed") and the clock, a stolen seed lets an attacker generate the codes themselves. You are not eliminating risk by eliminating password managers; you are transferring it to another platform that will also be a challenge to manage.
The final popular discussion stemming from the LastPass breach revolves around what organizations can do to reduce the risk of a password manager. Here is my list of actions I would recommend:
Need help or have questions in the department of reducing technology risk? Email us any time at support@bedelsecurity.com.