Password Managers: Here to stay?
Password managers have become popular solutions for businesses and individuals seeking to improve the password security of their accounts. The implementation of password management solutions within organisations has enabled security teams to securely store and manage company credentials for online and offline applications by using advanced encryption.
Nevertheless, password management companies remain a hugely attractive target for malicious cyber actors, due to the high value of their assets. Most cyber-security specialists claim that password managers are safe to use, yet the recent breaches of the popular services LastPass and Norton, each of which fell victim to a series of hacking incidents, challenge this perspective. The latter caused over a million users to be targeted, which has consequently created concerns over the safety of the infrastructure of password manager systems entirely.
Ultimately, a password manager breach could expose all participants to mass exploitation. This is obviously an issue, considering the entire reason for password managers existing is to stop incidents like this from occurring. However, this could simply be the beginning of the issues we might expect password managers to face in 2023 and beyond.
Pros and Cons
As specialists in identity and access management, it would be remiss of us not to give password managers their dues in terms of the positives they provide. Password managers are excellent at their core function: Creating complex passwords or passphrases. Systems like LastPass will render the need to develop a complex password for your banking obsolete, by providing you with an automatic one. These are then analysed to ensure that there aren’t any similar ones, or ones which have been breached on the dark web (if they have, you can go in and change them).
The problem with the LastPass breach is that their core database was compromised. When I create a LastPass account, I choose a very complex master password, which LastPass then hashes. But this core database was accessed. While hashing passwords (as opposed to storing them in plain text) does provide a level of protection, it does not provide fool-proof security. A sophisticated, persistent threat actor could bombard that data with enough guesses, using an automated attack method such as quantum computing, to recover this password and extract a LastPass user's entire database. This means that the master password needed to be changed, as well as several other key passwords.
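To make the point about hashed master passwords concrete, here is an added example (not LastPass code or any real vault format) of the metadata a vault can store beside its ciphertext: a salt, a PBKDF2 work factor and a key verifier, never the master password itself. The function names and the `MIN_ITERATIONS` policy are assumptions for this illustration; whoever holds a stolen header pays the full work factor for every candidate password they try, which is why the iteration count and the master password's strength together decide how much protection hashing really gives.

```python
import hashlib
import hmac
import os
import time

# Assumed policy: minimum PBKDF2-HMAC-SHA256 work factor a vault should use
# (600,000 is the figure in the OWASP Password Storage Cheat Sheet).
MIN_ITERATIONS = 600_000


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def create_vault_header(master_password: str, iterations: int = MIN_ITERATIONS,
                        salt=None) -> dict:
    """Build the unencrypted metadata stored beside the vault ciphertext.

    Only the salt, the work factor and an HMAC verifier of the derived key
    are kept; the master password and the key itself never touch disk.
    """
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, b"vault-key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, master_password: str) -> bool:
    """Re-derive the key from a candidate password and compare in constant time."""
    key = derive_key(master_password, header["salt"], header["iterations"])
    candidate = hmac.new(key, b"vault-key-check", "sha256").digest()
    return hmac.compare_digest(candidate, header["verifier"])


def header_meets_policy(header: dict, min_iterations: int = MIN_ITERATIONS) -> bool:
    """Audit check: was this header created with an acceptable work factor and salt?"""
    return header["iterations"] >= min_iterations and len(header["salt"]) >= 16


def seconds_per_guess(iterations: int, salt: bytes = b"\x00" * 16) -> float:
    """Measure the cost of one password guess at a given work factor.

    Raising the iteration count raises the cost of testing each candidate
    against a stolen header by the same factor.
    """
    start = time.perf_counter()
    derive_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    hdr = create_vault_header("correct horse battery staple")
    print("right password unlocks:", unlock(hdr, "correct horse battery staple"))
    print("wrong password unlocks:", unlock(hdr, "password123"))
    print("header meets policy:", header_meets_policy(hdr))
    for iters in (1_000, 100_000, MIN_ITERATIONS):
        print(f"{iters:>8} iterations: {seconds_per_guess(iters) * 1000:.1f} ms per guess")
```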
While this is obviously a problem, it would be naive to think that this is a problem simply related to LastPass. While the specifics of the breach – developers being breached – might suggest that LastPass should have done more in terms of multi-factor authentication, anyone with any knowledge of the security space understands one basic truth: LastPass and Norton are not the only password managers who have been breached. Threat actors well understand the treasure trove of information which password managers hold and will be actively targeting them all. LastPass are simply the manager which detected and disclosed the breach.
Conversations about the appropriateness of password managers are important for now and will remain important for the next few years. However, the long-term outlook for password managers looks somewhat less promising.
Discussions about different, more fluid and secure methods of authentication are already very much part of the conversation. Passwordless systems, driven by Zero-Trust models, are part of the security and identity landscape, as are conversations about accountless access. If an account only exists in a specific, time-sensitive window, created to let a user into the application on the ‘JIT’ (just in time) principle, and is then disabled once the user has had their access, that account cannot be hacked by definition, because it does not exist.
Biometric identity solutions are also emerging as serious challengers to password hegemony, with technology which can assess physical or biological factors, such as the location of a device, or the gait of an individual whose phone is in their pocket, as more secure and safer forms of authentication.
In general, it is only a natural progression for identity security to move towards a passwordless approach. However, such a system requires not only good multi-factor authentication (MFA) practices, but also solutions such as Privileged Access Management (PAM) and Identity Governance and Administration (IGA).
Conclusion: Not over yet
While these alternative forms of authentication make serious waves in security circles, the current truth is that passwords are still the most common method of authentication. This may change in five years’ time, but five years is a long time to be using insecure methods of managing these passwords. It is up to the password managers to follow best practices for ensuring that breaches do not happen in the first place, and up to their customers to follow best practices for remediating the worst impact of a breach if one does happen.