Password management tools in brief
Password management tools, also referred to as password managers and password vaults, are software solutions that help users store all their passwords in a centralized place. The general formula for many of these platforms is for users to store all their passwords in a vault that is protected by a master password in addition to any other authentication controls in use, such as multifactor authentication. This solution is attractive for users since they need to remember only one password to quickly gain access to all their other account passwords.
Other than ease of access, using a password management tool offers other significant benefits. Since users do not have to remember multiple passwords, they can set their old and new account passwords to be very long and complex. Such complexity further strengthens the security of all their accounts with no extra hassle. At the enterprise level, many password management platforms allow the secure sharing of passwords, which prevents accidental disclosure.
Additionally, many of the most common password management tools support storing other types of sensitive data such as financial information and identification documents. However, password managers meant to help keep users’ accounts secure have been making headlines in the cybersecurity community.
LastPass breaches
In 2022, the popular password manager LastPass experienced two different security breaches. In the most recent LastPass breach, DevOps engineers were targeted and ultimately compromised, resulting in the exfiltration of LastPass user password vaults and other private customer data.
This alarming news from the LastPass team prompted many questions about the security and safety of the LastPass password manager and of password management tools in general. While these concerns are valid, the breach and exfiltration of data from LastPass isn’t as frightening for users as one might think. In fact, because of the underlying technology of LastPass and other comparable password management tools, users’ passwords are typically still safe from the prying eyes of the attackers responsible for breaching password manager databases.
Underlying technology
LastPass and other password management tool providers use encryption to keep users’ passwords safe from everyone – including themselves. This works by encrypting all passwords and data locally on users’ devices with AES-256, using their master passwords as the encryption keys. After the passwords or data in the password manager are encrypted locally, they are sent up to cloud servers to be synchronized across all the user’s devices. In short, LastPass stores passwords only in encrypted form, so it never sees what has been uploaded in cleartext.
Additionally, LastPass has no way of decrypting anything stored on its servers. It has no visibility into any of its users’ master passwords because it relies on a zero-knowledge model. Essentially, users can create LastPass accounts and log in to those accounts without LastPass ever seeing their master passwords. Further, only users can decrypt anything they store in LastPass by using master passwords that only they know.
This trustless system prevents any passwords or sensitive data exfiltrated from users’ vaults from being useful to the attackers. However, it is important to note that because the master password is the key that unlocks everything, a vault is only as secure as the master password the user sets. Zero-knowledge models like the one used by LastPass are also used by many of the most popular password managers, such as Bitwarden, 1Password, and Dashlane.
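The local-encryption flow this section describes, as an added Go example that is neither LastPass’s nor any other vendor’s code: a PBKDF2-HMAC-SHA256 key derivation (assumed here, with an illustrative iteration count and a constructed per-user salt) stretches the master password into a 32-byte AES-256 key, the vault is sealed with AES-GCM on the device, and only the nonce, ciphertext and tag are uploaded. Opening the blob with any other master password fails the authentication tag, which is all a server or anyone holding a stolen copy can get from it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const kdfIterations = 100000 // illustrative; real products choose their own count
// vaultCipher stretches the master password with PBKDF2-HMAC-SHA256 (RFC 8018, one
// 32-byte block, hand-written since only the standard library is assumed) into AES-256-GCM.
func vaultCipher(master string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // 32-byte key selects AES-256; cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealVault runs on the user's device; only nonce||ciphertext||tag is uploaded.
func sealVault(master string, salt, vault []byte) []byte {
	gcm := vaultCipher(master, salt)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, vault, salt) // salt bound as associated data
}

// openVault: a wrong master password fails the GCM tag check; a stolen blob yields nothing.
func openVault(master string, salt, blob []byte) ([]byte, error) {
	gcm := vaultCipher(master, salt)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("vault blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], salt)
}
```

The only secret the server never receives is the master password, so a weak or guessable one is the single point where this design can be undone.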
Still a great idea
Password management tools are just like any other solution, in that their cybersecurity maturity is constantly evolving. Since being breached, LastPass has implemented more security controls to further strengthen its platform and prevent future breaches. Though the breaches in 2022 caused concern, it is important to remember that the underlying zero-knowledge technology works.
Zero-knowledge technology prevents any user passwords from being disclosed because it stores only encrypted versions of user data. Ultimately, trusting zero-knowledge technology requires understanding the current standard of encryption, AES-256. As it stands, AES-256 cannot be brute-forced using current computational abilities. In fact, it would take a significant number of years to break a single piece of AES-256 encrypted data, so any encrypted data exfiltrated in the LastPass breach is likely unusable, provided the master password used to encrypt the data cannot be easily guessed.
Despite the recent breaches, password management tools, including LastPass, are an excellent strategy for organizations or individual users wanting to improve the security of their password-protected accounts. Most of the everyday services people use are in some way linked to a password-protected account. Without a password manager, users are left having to remember all their passwords, reusing the same password for many accounts, or storing their passwords insecurely.
Insecure password storage is often in the form of the classic sticky note on the desk or an easily accessible spreadsheet on the desktop. Password managers are a far more secure and efficient way to consolidate passwords in one place and make each account more secure, too. Most of the common platforms have a built-in random password generator that enables users to seamlessly create complex passwords for their accounts and store them on the fly. Ideally, this creates a system in which users can easily create 16-character passwords with complexity for each of their accounts, resulting in unique and unguessable passwords.
Privileged access management solutions
PAM solutions are another tool enterprises can implement for password and account management. PAM solutions have similar functionality to password management tools, but they place more control in the hands of the IT and IS administrators.
PAM platforms are usually internally hosted systems that are directly managed by the organization, and they enable organizations to centrally manage their users’ passwords with more controls such as enforcing password rotations, setting expiration requirements, or creating complexity requirements.
These platforms often integrate well with Microsoft Windows™ Active Directory™ environments, and they make it easy to manage levels of access or privilege for the applicable accounts stored in the PAM password vault. PAM solutions are another step organizations can take to add more granular controls and environment integration than common cloud-hosted password managers like LastPass.
Proactive protection is critical
Overall, the key takeaway here is that using either a cloud-hosted password management tool or a PAM solution still makes sense. The recent LastPass breach, although worrying, is not a reason to totally condemn LastPass, nor is it a reason to avoid password management solutions altogether.
From a security perspective, password management tools and PAM solutions can increase cyber resilience and enhance the protection of user accounts by creating an easier and safer alternative to the insecure but quite common methods of managing passwords.