Password Managers: A Work in Progress Despite Popularity
The end of 2022 saw LastPass report another security incident, and as we mark a day to change passwords, Dan Raywood asks if another piece of cybersecurity software had suffered so many security incidents, would users have given up on it by now?
At the end of 2022, authentication vendor LastPass notified users and the wider world of a security incident where “an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of … production data.”
The incident created headlines worldwide, including from Wired, which was heavily critical of LastPass’s actions, or, more accurately, its lack of response to essential questions, accusing it of not providing “additional information to confused and worried customers.”
LastPass Breach: What, When and How
The incident occurred when a threat actor accessed a cloud-based storage environment, leveraging information obtained from an incident it had previously disclosed in August of 2022. “While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service,” LastPass said in its statement.
These two related incidents are not the first time LastPass has faced negative security headlines. Back in 2015, the company alerted users to “suspicious activity on our network”, where “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
This isn’t intended to single out LastPass, as other password manager providers have suffered security incidents in the past, but more of a question of whether password managers are fit for purpose in 2023. After all, if another piece of cybersecurity software had suffered so many security incidents, would users have given up on it by now?
Are Password Managers To Be Trusted?
In a recent Twitter poll, we asked whether, despite breaches like the one experienced by LastPass, users would still consider a password manager the best method to store passwords securely. In our poll, there were 96 respondents, and 85 per cent agreed it was the best option. Comments we received said, “the theory behind its operation is still mostly sound”, as vaults are still encrypted with the user’s master password. The options around password managers vary between local and cloud-based, although it is “a worthwhile option that can save lots of time [and] hassle, and is better than reusing passwords or just choosing bad ones.”
Per Thorsheim, founder of PasswordsCon, stated that the “very easy answer is yes, as password managers are good, and I absolutely recommend them” when we asked him if he felt that password managers are still the best option despite the number of breaches we have seen.
However, Thorsheim warns of the number of password managers, as he believes that “quite a few are ‘silicon snake oil’ in terms of security, can be on the expensive side, and the user experience might not be as easy as you would expect.”
Thorsheim also stated that “a password manager doesn’t need to be a separate app, multi-device or provide instant multi-cloud sync between devices. A password manager can also be as simple as a notebook in your kitchen drawer, using the good old pencil to make those important entries there.”
Of course, we are talking here about the app format of a password manager. There is an argument to be made that a notebook of written passwords in a secure location in your home is more secure than any digital version. Still, to determine whether password managers are more secure, I asked Wendy Nather, head of advisory CISOs at Cisco, what she thought of their state of security.
She calls them “an early effort to place a programmatic interface between the user and system,” which is imperfect but can shield the user from the password problem and can be improved. Nather admits that we are currently in the early days of shielding and protecting the user in the authentication process. Passwordless technologies and standards like FIDO2 are being adopted, and we are “seeing more improvements, reliability and consistency, and all that the user lacks is consistency.”
We now often see browsers offer to save a password. While that opens another potential avenue for a breach, functionality is also being added to warn the user where their passwords may have been caught in a data breach.
Password managers are a step forward from writing passwords down and leaving them in an accessible place, storing them in some other app, or using the same password for every service. Still, it’s clear that they are a work in progress when it comes to their overall security. Thorsheim says it’s a case of using them properly, and “that includes allowing them to generate a random password for every website we’ve got.”
Yet as password managers have different options available for securing your data and your account, Thorsheim said it is often up to the user “to understand, configure and use many of those options, and most people do not read the manual, and they for sure do not change any default settings!”
This caused him to comment that too many users do not understand how they use a password manager in the browser, and the main problem of “how you use them is more important than which one you choose to use, in my opinion.”
It may be the case that password managers are still an emerging technology in terms of how well-developed they are for public use and how user-friendly they are without instruction, whilst the companies who develop them are subject to the same attacks as every other endpoint in the world. Ultimately they are a treasure trove of access for a threat actor, and it makes total sense why they would be targeted.
Whilst breaches have gone on for many years and some platforms have been affected, others are constantly implementing protections to ensure they can survive a data breach or targeted attack. We must be realistic about how much additional security they offer for password use. For too long, people have reused passwords and been told to change their passwords after a security incident; on National Change Your Password Day, maybe it’s time to change your way of thinking about password managers: use them, understand how they work, and understand how you’re better off with them than without them.
Strengthen Your Information Security Today
If you’re looking to start your journey to better Information Security, we can help.
Our ISMS solution enables a simple, secure and sustainable approach to information security and data management with ISO 27001 and over fifty other frameworks. Realise your competitive advantage today.