• Password Managers - Convenience is Not Security

Password Managers – Convenience is Not Security

Project Zero has recently disclosed that a security vulnerability left some of LastPass 16 million users exposed to the risk of credential compromise. In an ironic twist, LastPass, the supposedly secure gatekeeper of passwords, could leak the last password used to any website visited. 

The vulnerability has since been patched, but maybe it is time we asked ourselves, why the heck are we still relying on passwords in the first place?

The Demise of Passwords is Imminent 

Passwords are obsolete. The passwords will follow in the footsteps of floppy disks and other archaic technologies. It doesn’t matter if a password is used as a single factor, or as a part of a multi-factor authentication flow. Passwords have got to go.

Unfortunately, not everyone shares this notion. Many in the industry still believe that, as long as the password is strong (the definition of what that means varies between organizations), the access is secured.

Rule number one: if the user reuses the password – blame the user

Annoying password requirements:

  • must be a between 8 -16 characters long
  • must be impossible for human beings to remember
  • must be unique for every one of the thousand services the user has

Creating strong passwords is all well and good. But it seems that security experts often forget one tiny detail – that users are human.

The issue arises from the fundamental limitation of human memory and processing capacity. Passwords must be 18+ characters long, include a combination of uppercase and lowercase letters, hieroglyphics and four different “A” in Swedish. In that case – the password is strong by security standards.

But… this password is also impossible for the user to remember.

“The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it’s easy to remember, it’s something nonrandom like ‘Susan.’ And if it’s random, like ‘r7U2*Qnp,’ then it’s not easy to remember.” — Bruce Schneier

Let’s say that the user actually succeeded in coming up with a very strong password. What’s next? Now we have two new problems: 

  1. Reusing a password – The user doesn’t just use one service – they use hundreds. And the mental capacity to create a strong password for every single service simply doesn’t exist. So the users resort to reusing the same passwords over and over. This is one of the reasons credential stuffing is such a popular and successful form of attack. However, while users are often blamed for reusing the same password, password reuse is a logical consequence of pushing unrealistic password requirements onto users.
  2. Password storing – To counter password reuse, password managers such as LastPass and Keeper are becoming increasingly popular. It does sound like a great idea on paper – password managers auto-generate complex passwords, encrypt and store them, taking control over passwords completely away from the hands of the user. The only (tiny) issue with that is that no matter how many factors and encryption levels you add to defend a password, in the end, you are still defending a password. Passwords are fundamentally insecure protection that is exposed to milliard vulnerabilities both from the user side (think malware, keyloggers, phishing, social engineering) and from the vendor side, as a recent announcement from the Google project zero illustrates.

LastPass and the “Last Password” vulnerability 

The vulnerability found by Google’s team requires hackers to lure LastPass users to malicious pages where they are exposed to a JavaScript-capable of extracting the password used at the last visited page. This vulnerability has been promptly patched by the good people at LastPass, so relax, there is no need to shop for a new password management tool.

The fundamental difference between password management and Identity security 

Password managers are very common. Their popularity stems from a convenience and user-experience stance more than a security stance. When used correctly, these tools can solve password reuse and give admins an easy way to distribute passwords.

But…

Password managers are not security tools; they are management tools. Any regulatory body will confirm that using a password manager does not mean your environment is more protected. The fact that your user’s first log in into the password manager does not automatically add an additional factor. Essentially, if a hacker can log-in with just a password – you are still swimming in the dangerous waters of single-factor authentication. 

Stop defending passwords! Eliminate them!

The false sense of security given by password managers is tolerable in the consumer world, but it cannot be excused in the enterprise environment. 

In the words of Gartner, Forrester, and any security specialist “MFA Everything.” Yes, literally everything in an enterprise environment, from workstations to cloud applications, must have multi-factor authentication. 

MFA is better than a single factor. Always.  And passwordless is always better than a password-based security,  no matter how complex the password in question is. 

In previous blog posts, we have talked about the difference between 2FA and passwordless authentication. To make a long story short, here are the highlights:

  • Better user experience – Nobody likes memorizing passwords, and memorizing increasingly complex passwords is humanly impossible
  • Reduced Total Cost of Ownership (TCO) – Nothing to reset, maintain or forget – let your IT staff work on actual issues not resetting passwords 
  • Better security – as long as passwords are used as an authentication factor vulnerabilities will appear 

Don’t get me wrong; using a password manager is better than using nothing at all to counter password reuse,  but it’s only a small step towards true identity security.  

By Shimrit Tzur-David|November 13th, 2019|Categories: Articles|Tags: , , |

About the Author: Shimrit Tzur-David

mm
Shimrit holds an MSc and Ph.D. from the Hebrew University in Computer Science. Her research areas primarily focused on PKI, cryptography, anomaly detection, web attacks, DDoS and intrusion detection and prevention systems. During her Ph.D., Shimrit was a consultant for Check Point and Marvell Semiconductor and designed an intrusion detection system product there.