There has been a lot of talk recently regarding the benefits and drawbacks of using a password manager due to the high profile, and bungled response, by one of the well known password managers. LastPass announced that in August of 2022 they were the victim of a security breach where an unauthorized party gained access to a third-party cloud storage. The attacker in August was able to access source code and technical information that was then used to target a LastPass employee to gain credentials and keys. These were used to access and decrypt cloud storage volumes of LastPass’s datacenter.
If you think this sounds complex, you would be right. To recap, an attacker was able to gain inside information months prior to a social engineering attack in order to gain access to volumes in a cloud storage location. Once the attacker had the keys they were able to decrypt and obtain customer information including names, addresses, and phone numbers of customers.
No doubt this has left many users of LastPass, myself included, wondering what the impact is to them and what to do next. In a nutshell, you’re not likely to be immediately impacted, and that is due to how LastPass handles your passwords. LastPass has stated that if you are using the default configuration to create your account and passwords, that you will not be impacted in the immediate term.
However, the attackers have the opportunity to leverage an offline attack which allows them to continue to brute force password attempts with the intention of eventually cracking the password for an encrypted volume. In short, there is a race to beat the math.
What are your next steps if you are a LastPass user? Many people are a little upset with LastPass’s response to the breach and the lack of transparency over how it unfolded over the several months between the initial identification of the breach and the more public disclosure later in the year. If you are one of those people, it’s time to look at some of the many alternatives. If you are willing to stick with LastPass, then the path forward is a bit more complicated. Here are some high-level steps:
- Reduce the amount of accounts that you manage in LastPass. This is easier said than done, but we tend to have a lot of sprawl when it comes to our accounts. Review your accounts managed by LastPass and determine whether you still need them. If so, change the password or move to a OpenId solution that allows you to “login as” (Facebook, or Google for example).
- Change each password managed by LastPass. Yes, each one. Assuming that an attacker is eventually capable of cracking the master password, they will have access to all the managed passwords in that vault.
- Change you master password. It’s good to do this periodically as a matter of course, but more so in this instance. Make sure you use a strong, long, and memorable (to you) password. This is the only one you should need to remember going forward.
How do password managers work?
Simple: they store and manage all your passwords in one convenient location. Most password managers work on various platforms (Android, Mac, Windows) and in most browsers. In general, the steps are as follows:
- User accesses a website for the first time and is prompted to create an account.
- The user can use the password manager to create a random string of text of varying size to use as a password while creating the account.
- Here is an example random password of 18 characters generated by a password manager: 795H#mkuwxV7*qnFX0
- The user enters the randomly created password as their password for that site and continues to create the account.
- Once the account is created every subsequent login to that site will leverage that uniquely generated password and will, in most cases, autofill.
- Note: there is an added benefit to the autofill. When the password manager prompts to autofill, you know you are on the correct site and not a spoofed one.
Each password manager has a different approach to managing the passwords in their care. The ones that are most sought after are the ones that follow a “trust no one” architecture. This means that only you have the ability to decrypt your vault with the master password that you create. Of course, the password is the key here (no pun intended). Sharing, losing, or otherwise having it bruteforced allows the holder of the password the same access as you.
Are password managers still relevant?
Yes. We live in a world where passwords are still the way (not the best, but still the way) to prove identity to a vast majority of the systems and software that we use. It’s not perfect, but it’s the simplest way to prove that you are who you say you are. Until we move away from passwords, password managers will be here to stay.
There are other options that allow you to use multi-factor authentication (MFA) where you can use a token that is sent to your mobile or email. These out-of-band factors are helpful in protecting against account takeovers. And while they provide another layer of protection, they are not the silver bullet.
Ultimately, as an industry, we need to look at alternatives to passwords. Initiatives like FIDO (backed by Microsoft, Google, and Apple) are looking for an alternative that leverages an already existing technology called public-key infrastructure (PKI) that uses cryptography to provide identity. With this PKI and a bit of biometrics, the user no longer needs to remember any password.
There is also some consideration of how blockchain can support authentication allowing for a decentralized method of identify. This will allow for users to manage their own passwords with no central authority ever needing to store them therefore removing the possibility of database breaches.
At any rate, passwords are still the de-facto way to manage identity on the internet and that is not likely to change in the short term. However, we should still continue to utilize password managers until a better solution comes along.