Using Password Managers

There has been a lot of talk recently about the benefits and drawbacks of using a password manager, prompted by a high-profile breach, and a bungled response to it, at one of the well-known password managers. LastPass announced that in August of 2022 it was the victim of a security breach in which an unauthorized party gained access to a third-party cloud storage service. The attacker in August was able to access source code and technical information that was then used to target a LastPass employee and obtain credentials and keys. These were used to access and decrypt cloud storage volumes of LastPass’s datacenter.

If you think this sounds complex, you would be right. To recap: an attacker gained inside information months before a social engineering attack, which in turn was used to gain access to volumes in a cloud storage location. Once the attacker had the keys, they were able to decrypt and obtain customer information, including names, addresses, and phone numbers of customers.

No doubt this has left many users of LastPass, myself included, wondering what the impact is to them and what to do next. In a nutshell, you’re not likely to be immediately impacted, and that is due to how LastPass handles your passwords. LastPass has stated that if you are using the default configuration to create your account and passwords, you will not be impacted in the immediate term.

However, the attackers now have the opportunity to run an offline attack: holding a copy of the encrypted data, they can keep making brute-force password guesses at their own pace, with the intention of eventually cracking the password for an encrypted volume. In short, there is a race to beat the math.

What are your next steps if you are a LastPass user? Many people are a little upset with LastPass’s response to the breach and the lack of transparency over how it unfolded over the several months between the initial identification of the breach and the more public disclosure later in the year. If you are one of those people, it’s time to look at some of the many alternatives. If you are willing to stick with LastPass, then the path forward is a bit more complicated. Here are some high-level steps:

  • Reduce the number of accounts that you manage in LastPass. This is easier said than done, but we tend to accumulate a lot of sprawl when it comes to our accounts. Review the accounts managed by LastPass and determine whether you still need each of them. If so, change the password or move to an OpenID solution that lets you “log in with” an existing identity (Facebook or Google, for example).
  • Change each password managed by LastPass. Yes, each one. Assuming that an attacker is eventually capable of cracking the master password, they will have access to all the managed passwords in that vault.
  • Change your master password. It’s good to do this periodically as a matter of course, but even more so in this instance. Make sure you use a strong, long, and memorable (to you) password. This is the only one you should need to remember going forward.

How do password managers work?

Simple: they store and manage all your passwords in one convenient location. Most password managers work on various platforms (Android, Mac, Windows) and in most browsers. In general, the steps are as follows:

  • User accesses a website for the first time and is prompted to create an account.
  • The user can use the password manager to create a random string of text of varying size to use as a password while creating the account.
    • Here is an example random password of 18 characters generated by a password manager: 795H#mkuwxV7*qnFX0
  • The user enters the randomly created password as their password for that site and continues to create the account.
  • Once the account is created every subsequent login to that site will leverage that uniquely generated password and will, in most cases, autofill.
    • Note: there is an added benefit to the autofill. When the password manager prompts to autofill, you know you are on the correct site and not a spoofed one.
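The steps above, as an added example rather than any product’s code: a generator that draws a password uniformly from a fixed alphabet using the operating system’s CSPRNG, a helper that reports how many bits of guessing entropy such a password carries, and a model of the autofill check that only offers a credential when the page’s scheme and host match the origin saved with it. The alphabet and the `example.com` / `.test` hostnames are constructed for the illustration.

```python
import math
import secrets
import string
from urllib.parse import urlsplit

# Constructed alphabet: letters, digits, and a handful of symbols. The
# 18-character sample in the post draws from a set much like this one.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 18, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet` using the
    OS CSPRNG (secrets), never the predictable random.random()."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and an alphabet of at least 2 symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def should_autofill(stored_origin: str, current_url: str) -> bool:
    """Model of the manager's anti-phishing check: fill only when the page's
    scheme and host equal the origin saved with the credential. A look-alike
    host such as login.example.com.evil.test does not match, because the
    hostname is compared whole rather than by substring."""
    saved = urlsplit(stored_origin)
    now = urlsplit(current_url)
    if now.scheme != "https":  # never fill a credential over plaintext HTTP
        return False
    # .hostname is lower-cased and has any port stripped, so case differences
    # in the URL do not defeat the comparison.
    return (saved.scheme, saved.hostname) == (now.scheme, now.hostname)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits of entropy")
    print(should_autofill("https://login.example.com", "https://login.example.com/session"))
    print(should_autofill("https://login.example.com", "https://login.example.com.evil.test/"))
```

The autofill function is the reason the note above holds: the manager keys the credential to the saved origin, so a spoofed page on a different host simply never receives the offer to fill.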

Each password manager has a different approach to managing the passwords in their care. The ones that are most sought after are the ones that follow a “trust no one” architecture. This means that only you have the ability to decrypt your vault, with the master password that you create. Of course, the password is the key here (no pun intended). Sharing, losing, or otherwise having it brute-forced gives the holder of the password the same access as you.
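To make the “trust no one” model and the earlier “race to beat the math” concrete, here is an added example that is not LastPass’s code or any product’s design. The master password is stretched with PBKDF2-HMAC-SHA256 into a key the provider never sees; the provider stores only the salt, iteration count, nonce, ciphertext and tag. The iteration count, the assumed attacker hashing rate, and the HMAC-based stand-in for AES are all constructed for the illustration (production code should use AES-GCM or XChaCha20-Poly1305), and `years_to_exhaust` shows why both password entropy and iteration count decide how long an offline guesser needs.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed parameters for the illustration, not any product's settings.
ITERATIONS = 600_000
KEY_LEN = 32


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256. Salt and iteration
    count live beside the vault; the password stays only with the user."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a standard-library stand-in for a real cipher.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


@dataclass
class StoredVault:
    """Everything the provider holds. None of it reveals the master password or
    the plaintext; whoever copies it can only guess passwords offline."""
    salt: bytes
    iterations: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def seal_vault(master_password: str, plaintext: bytes, iterations: int = ITERATIONS) -> StoredVault:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return StoredVault(salt, iterations, nonce, ct, tag)


def open_vault(master_password: str, vault: StoredVault) -> Optional[bytes]:
    """Return the plaintext, or None when the password is wrong (tag mismatch)."""
    enc_key, mac_key = _subkeys(derive_key(master_password, vault.salt, vault.iterations))
    expected = hmac.new(mac_key, vault.nonce + vault.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault.tag):
        return None
    ks = _keystream(enc_key, vault.nonce, len(vault.ciphertext))
    return bytes(a ^ b for a, b in zip(vault.ciphertext, ks))


def years_to_exhaust(entropy_bits: float, iterations: int, sha256_per_second: float) -> float:
    """The race against the math: years to try every password of the given
    entropy when each guess costs roughly `iterations` HMAC computations and the
    guesser's hardware manages `sha256_per_second` of them (an assumed rate)."""
    guesses_per_second = sha256_per_second / iterations
    return (2 ** entropy_bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed vault contents; the sample password is the one from the post.
    secret = b"site: example.com\nuser: alice\npass: 795H#mkuwxV7*qnFX0\n"
    vault = seal_vault("correct horse battery staple", secret)
    print(open_vault("correct horse battery staple", vault) == secret)  # True
    print(open_vault("Password1", vault))  # None
    for bits in (40, 60, 80):
        print(bits, "bits:", f"{years_to_exhaust(bits, ITERATIONS, 1e11):.3g} years")
```

The last loop is the point of the exercise: at a fixed iteration count every extra bit of master-password entropy doubles the expected cracking time, and raising the iteration count scales it linearly, so a long memorable master password on a well-configured vault keeps the attacker on the losing side of the race.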

Are password managers still relevant?

Yes. We live in a world where passwords are still the way (not the best, but still the way) to prove identity to a vast majority of the systems and software that we use. It’s not perfect, but it’s the simplest way to prove that you are who you say you are. Until we move away from passwords, password managers will be here to stay.

There are other options that allow you to use multi-factor authentication (MFA) where you can use a token that is sent to your mobile or email. These out-of-band factors are helpful in protecting against account takeovers. And while they provide another layer of protection, they are not the silver bullet.

Ultimately, as an industry, we need to look at alternatives to passwords. Initiatives like FIDO (backed by Microsoft, Google, and Apple) are looking for an alternative that leverages an already existing technology called public-key infrastructure (PKI) that uses cryptography to provide identity. With this PKI and a bit of biometrics, the user no longer needs to remember any password.

There is also some consideration of how blockchain can support authentication, allowing for a decentralized method of identity. This would let users manage their own passwords with no central authority ever needing to store them, thereby removing the possibility of database breaches.

At any rate, passwords are still the de facto way to manage identity on the internet, and that is not likely to change in the short term. However, we should continue to utilize password managers until a better solution comes along.

Security education is the foundation to product security

Give a person a fish and they will eat for a day. Teach a person how to fish and you’ll feed them for a lifetime. We’ve all heard variations of this phrase or proverb over the years. The concept is simple. When you teach an individual how to do something, you are giving them the means to continue to provide themselves with the sustenance that they require. In the case of the proverb, food.

This concept isn’t far-fetched when it comes to cybersecurity. Security teams are often overstretched, overworked, and overstimulated with crises and alerts. This often leads to a security team that is fighting fires across the organization and unable to dive deep into the trenches of the daily ins and outs of an engineering team’s pain points.

Bring on the education

Where does this leave organizations looking to leverage their security team to reduce the overall risk? Often, the security team is the one that discovers, triages, and prioritizes security vulnerabilities as they are discovered through the various tools and assessments that they have available to them. The security team will work closely with the engineering team to attempt to reduce the overall risk by devising a remediation or mitigation strategy.

But what if the organization instead focuses on creating an environment in which the engineering teams have the knowledge to remediate or mitigate a possible vulnerability before it reaches the security team?

This is where raising the security IQ of the engineering organization can be helpful

I have taught security-related content in organizations and at the university level. I’ve taught security awareness to parents and children. Although each of these settings and audiences is different, the underlying theme is the same: bring security awareness to as many people as possible. Doing this means that we can begin to democratize security across the user base. The best part about that? Security education is cheap and can scale well. Probably the two most sought-after qualities in any security initiative.

It’s more than just compliance

Organizations often think of security training as the annual, check-the-box activity that we all go through in order to learn about not clicking on links, keeping sensitive data secure, and ensuring that we are not exacerbating the security complexities that the organization faces. This training is often used to meet some compliance requirement and can be seen as a compliance activity.

However, providing education to an engineering organization takes a bit more than a series of videos and gamified assessments. It takes building in secure concepts early in the development lifecycle so that engineers develop the muscle memory to avoid the coding habits that bring about security vulnerabilities.

This can be as simple as lunch-and-learns and conferences, or online and in-person training. It can also be as complex as microlearning and just-in-time training. Each of these will have varying effects on the engineering organization. However, the goal is a well-rounded approach to bringing security education to the engineering organization, which means leveraging several or all of the options.

Integrating training in the organization

Starting with the basics, the organization can leverage a learning management system (LMS) to deliver training that is comprehensive and able to reach a large audience. Its ability to be automatically assigned to new and existing employees allows for the training to be widely applied. Additionally, the organization can create its own content, or leverage existing content within the LMS in order to deliver training.

Although not quite as scalable, in-person training is helpful in providing very tailored content to the audience. Whether the training is developed internally within the organization or brought in from an external vendor, the content can often be focused on what the organization values the most. For instance, perhaps the organization is struggling with specific issues related to authentication and authorization. In-person training with hands-on activities set in the context of the organization’s technology stack, covering how to approach common authentication and authorization patterns, will go a long way.

Conferences and lunch-and-learns (where the organization hosts a talk from an internal or external speaker) are great ways to augment the overall training program. These events allow the attendee to get information, often from expert sources, about specific security topics. Many of them tend to relate their content to trendy or current topics that may be relevant to the organization. Although these are helpful in bringing new ideas and concepts to the organization, conferences are infrequent and often expensive. Also, getting external speakers for a lunch-and-learn can be challenging given logistical and potential cost constraints.

Lastly, two of the more targeted and scalable training concepts are microlearning and just-in-time training. These can be used to deliver training at the moment and time that it is needed and where it can be most effective. Even better, they can often be integrated with tools that the organization is using to track defects and vulnerabilities. This works well in a DevOps model where automation and a constant feedback loop are critical for the development team to be able to move fast.

How does this help?

Training can be a powerful force multiplier for a security team that is working at maximum capacity. The simple math is that an organization that introduces fewer vulnerabilities spends less time later in the lifecycle protecting against and otherwise mitigating vulnerabilities. Of course, new vulnerabilities will become known and will require the organization to react; however, building in secure knowledge early in the development lifecycle allows the organization to reduce the effort spent on mitigating vulnerabilities that could have been prevented.