Should businesses trust online password managers? The problem is that customers can’t easily judge the security of these platforms from the outside.
By John E. Dunn
In December, LastPass published a security advisory that at least some customers of the booming online password management sector must have feared might one day come to pass.
You can read the full disclosure timeline, stretching back to last August, on the company’s site. The gist is that during an August incident involving the compromise of employee credentials, a large volume of data was stolen, including company names, email addresses, IP addresses, an encrypted copy of customer password vaults, and unencrypted URLs associated with sites in the vault.
To repeat, the attackers had stolen the encrypted password vault. If you’re a LastPass customer, and even if you’re not, this would be a shock, as it was the first time anyone had managed to compromise a company in this sector on any scale after years of speculative warnings by researchers.
The stolen password vaults remain secure thanks to the master password, known only to the account holder. But the idea that an encrypted vault is now in the hands of hackers is unsettling, which is why this event will become a reference point – password manager vaults are vulnerable and what happened in this instance is the QED.
LastPass might be headlining, but it is not completely alone. In January 2023, Gen Digital (formerly Symantec/NortonLifeLock) told thousands of its customers that their NortonLifeLock password manager accounts had been breached in a mass credential stuffing attack targeting passwords re-used on other sites. More serious still, in April 2021 Click Studios' Passwordstate was hit by a supply chain attack that compromised the update feature with malware. This targeted the password vaults of an unknown number of the company's business users.
This follows years of intermittent reports by researchers of moderate security flaws in the software of several leading password managers, as well as issues with their underlying design examined by a York University duo in 2020. It would be a mistake to draw superficial parallels between different incidents – each is the result of specific circumstances – but it's clear customers should probably be asking more questions about password managers and the security of the SaaS services from which they are served.
Do password managers matter?
Within a decade, password managers have turned from niche products used mainly by expert users into a business staple. Spearheading this have been products such as LastPass, Dashlane and 1Password, with growing competition today from business and enterprise-oriented SaaS names such as Zoho Vault and ManageEngine. LastPass alone claims to serve around 33 million paid and unpaid users worldwide, including 100,000 SMBs, each of which uses the product to secure from dozens to hundreds of employees. And that’s on top of every major browser now having password manager functions built in, linked to each operator’s cloud platform of choice.
What distinguishes these from traditional password management products is that the core service is SaaS, that is, a copy of the customer vault is stored in the cloud rather than only on-premises. This is where a lot of the anxiety around password managers stems from – a third party has a copy of an organization’s passwords covering applications, VPNs, Wi-Fi, and third-party websites.
The anxiety is as much psychological as technical. In principle, an attacker could target a password store anywhere. However, the important difference is that the security of an on-premises password store is something a company should have a clear sight of. It is the IT department’s job. An online password manager, by contrast, requires a leap of trust, and it cannot do its job without one. The customer must trust that the provider is looking after security even though they can’t see that happening.
Vaults are usually encrypted using AES-256, with PBKDF2 at 100,000 iterations applied to the master password, which makes the password harder to brute force. The vault can only be decrypted using the master password, which only the user knows – so-called ‘zero knowledge’ security. Assuming the master password is long and complex, the vault will be safe, and so will the passwords stored inside it.
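A worked example, added here and not code from the article or from any password manager vendor, makes the paragraph above concrete. Using only Python's standard library, it derives a 256-bit key from a master password with PBKDF2-HMAC-SHA256 at the 100,000 iterations quoted above, adds a check-tag pattern so a client can confirm a typed master password before attempting decryption (an illustration, not any product's design), and then estimates how long someone holding a stolen vault would need to exhaust two master-password styles at two iteration counts. The salt, the sample master password, the two keyspaces and the 1e10 HMAC/s attacker rate are all constructed assumptions; the AES-256 encryption step that would consume the derived key is not shown.

```python
import hashlib
import hmac
import os

# Added example, not the article's or any vendor's code. It stops at the
# derived key: the AES-256 step that would use it is outside the standard
# library and is not shown here.

ITERATIONS = 100_000   # iteration count quoted in the article
KEY_LEN = 32           # 32 bytes = 256-bit key, the size AES-256 consumes
SALT_LEN = 16          # per-vault random salt length (assumption)


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    The salt is stored next to the vault; the master password never is, so
    anyone holding only the encrypted vault must repeat this work per guess.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def make_check_tag(vault_key: bytes) -> bytes:
    """Constructed pattern (not a specific product's design): an HMAC over a
    fixed label lets the client confirm a typed master password is right
    without storing the password or the key anywhere."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def verify_master_password(candidate: str, salt: bytes, check_tag: bytes,
                           iterations: int = ITERATIONS) -> bool:
    """Re-derive the key from a candidate password and compare tags in constant time."""
    key = derive_vault_key(candidate, salt, iterations)
    return hmac.compare_digest(make_check_tag(key), check_tag)


def offline_guess_seconds(candidates: float, iterations: int, hmac_per_second: float) -> float:
    """Work for an attacker who holds the stolen vault: every candidate costs
    `iterations` HMAC-SHA256 computations. hmac_per_second is the attacker's
    assumed hardware rate, an input to the model rather than a measurement."""
    return candidates * iterations / hmac_per_second


def compare_master_passwords(hmac_per_second: float = 1e10) -> dict:
    """Years needed to exhaust two master-password styles at two iteration
    counts. The keyspaces are the full space of each style; 1e10 HMAC/s is a
    constructed assumption, adjust it to the hardware you want to model."""
    seconds_per_year = 365 * 24 * 3600
    keyspaces = {
        "8 random lowercase letters": 26 ** 8,          # about 2.1e11 candidates
        "4 words from a 7776-word list": 7776 ** 4,     # about 3.7e15 candidates
    }
    results = {}
    for label, size in keyspaces.items():
        for iters in (5_000, ITERATIONS):
            years = offline_guess_seconds(size, iters, hmac_per_second) / seconds_per_year
            results[(label, iters)] = years
    return results


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)
    master = "correct horse battery staple"            # constructed sample master password
    key = derive_vault_key(master, salt)
    tag = make_check_tag(key)
    print("derived key:", key.hex())
    print("right password verifies:", verify_master_password(master, salt, tag))
    print("wrong password verifies: ", verify_master_password(master[:-1] + "X", salt, tag))
    for (label, iters), years in compare_master_passwords().items():
        print(f"{label:32s} @ {iters:>7,} iterations: {years:10.4g} years to exhaust")
```

The point the numbers make is the one the paragraph hints at: raising the iteration count from 5,000 to 100,000 multiplies an attacker's work by 20, but a master password drawn from a small keyspace is still exhausted in weeks, whereas a long passphrase pushes the same attack into centuries. The iteration count buys time; the master password's guessability decides whether that time is measured in days or lifetimes.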
What is secure?
A breach of this type hands customers a pile of work. As a minimum, they must change the master password and re-check MFA policies. Arguably, they should plan to change all the passwords inside the vault too. The last item on that list will not make admins popular with employees, who will have to do much of this reset work themselves.
And yet beyond the hassle factor lies the lurking issue of how customers should assess the reliability of service providers. Granted, in an era where supply chain attacks and data breaches are becoming a standard hazard of business, it’s hardly news that service providers are vulnerable. This problem goes far beyond password managers.
The recent spate of incidents reminds us that password managers are an acute case of the black box service problem. Customers have a description of security but no deeper visibility. The box looks sealed, but there are always holes that can’t be seen. That’s a risk for any data, but for passwords it is doubly significant because recovery is so complex. At least one of the recent incidents was made worse by poor and ambiguous communication, and there’s no guarantee the same could not happen at any provider.
Longer term, there is the fundamental question of whether businesses should abandon passwords altogether. If password databases are now at serious risk, that would be a logical conclusion, with the most recent incidents serving as a signal that the era of the password is coming to an end after all.