Password Managers – Convenience is Not Security
Project Zero has recently disclosed that a security vulnerability left some of LastPass 16 million users exposed to the risk of credential compromise. In an ironic twist, LastPass, the supposedly secure gatekeeper of passwords, could leak the last password used to any website visited.
The vulnerability has since been patched, but maybe it is time we asked ourselves, why the heck are we still relying on passwords in the first place?
The Demise of Passwords is Imminent
Passwords are obsolete. The passwords will follow in the footsteps of floppy disks and other archaic technologies. It doesn’t matter if a password is used as a single factor, or as a part of a multi-factor authentication flow. Passwords have got to go.
Unfortunately, not everyone shares this notion. Many in the industry still believe that, as long as the password is strong (the definition of what that means varies between organizations), the access is secured.
Rule number one: if the user reuses the password – blame the user
Annoying password requirements:
- must be a between 8 -16 characters long
- must be impossible for human beings to remember
- must be unique for every one of the thousand services the user has
Creating strong passwords is all well and good. But it seems that security experts often forget one tiny detail – that users are human.
The issue arises from the fundamental limitation of human memory and processing capacity. Passwords must be 18+ characters long, include a combination of uppercase and lowercase letters, hieroglyphics and four different “A” in Swedish. In that case – the password is strong by security standards.
But… this password is also impossible for the user to remember.
“The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it’s easy to remember, it’s something nonrandom like ‘Susan.’ And if it’s random, like ‘r7U2*Qnp,’ then it’s not easy to remember.” — Bruce Schneier
Let’s say that the user actually succeeded in coming up with a very strong password. What’s next? Now we have two new problems:
- Reusing a password – The user doesn’t just use one service – they use hundreds. And the mental capacity to create a strong password for every single service simply doesn’t exist. So the users resort to reusing the same passwords over and over. This is one of the reasons credential stuffing is such a popular and successful form of attack. However, while users are often blamed for reusing the same password, password reuse is a logical consequence of pushing unrealistic password requirements onto users.
- Password storing – To counter password reuse, password managers such as LastPass and Keeper are becoming increasingly popular. It does sound like a great idea on paper – password managers auto-generate complex passwords, encrypt and store them, taking control over passwords completely away from the hands of the user. The only (tiny) issue with that is that no matter how many factors and encryption levels you add to defend a password, in the end, you are still defending a password. Passwords are fundamentally insecure protection that is exposed to milliard vulnerabilities both from the user side (think malware, keyloggers, phishing, social engineering) and from the vendor side, as a recent announcement from the Google project zero illustrates.
LastPass and the “Last Password” vulnerability
The fundamental difference between password management and Identity security
Password managers are very common. Their popularity stems from a convenience and user-experience stance more than a security stance. When used correctly, these tools can solve password reuse and give admins an easy way to distribute passwords.
Password managers are not security tools; they are management tools. Any regulatory body will confirm that using a password manager does not mean your environment is more protected. The fact that your user’s first log in into the password manager does not automatically add an additional factor. Essentially, if a hacker can log-in with just a password – you are still swimming in the dangerous waters of single-factor authentication.
Stop defending passwords! Eliminate them!
The false sense of security given by password managers is tolerable in the consumer world, but it cannot be excused in the enterprise environment.
In the words of Gartner, Forrester, and any security specialist “MFA Everything.” Yes, literally everything in an enterprise environment, from workstations to cloud applications, must have multi-factor authentication.
MFA is better than a single factor. Always. And passwordless is always better than a password-based security, no matter how complex the password in question is.
In previous blog posts, we have talked about the difference between 2FA and passwordless authentication. To make a long story short, here are the highlights:
- Better user experience – Nobody likes memorizing passwords, and memorizing increasingly complex passwords is humanly impossible
- Reduced Total Cost of Ownership (TCO) – Nothing to reset, maintain or forget – let your IT staff work on actual issues not resetting passwords
- Better security – as long as passwords are used as an authentication factor vulnerabilities will appear
Don’t get me wrong; using a password manager is better than using nothing at all to counter password reuse, but it’s only a small step towards true identity security.
State Sponsored Identity Breaches