What It Tells Us About the Password Manager Industry
If you were lucky enough to log off mentally as well as physically this holiday period, you might have missed this massive issue for American-based password manager company LastPass. Although the systems were compromised in August, this whole issue has come to a head over the Christmas period, implying that at least some people were in the office and dealing with the metric ton of backlash the company is facing.
First of all, let’s spare a thought for the security engineers at LastPass. While most people around them were tucking into Christmas dinner, they were frantically trying to figure out how to deal with this PR disaster. Unfortunately for LastPass, and for every other password manager provider, this isn’t the end of the problem. The investigation and the legal problems that LastPass now faces open up a bigger conversation about the false faith that some cybersecurity experts have placed in these companies.
If you’re on Mastodon, you might have seen these posts by Stuart Schechter just before Father Christmas popped into his sleigh. The _secpro team has been digging into the details to deliver you a report which should make you reconsider your faith in the password managers we use every day. Because that’s exactly what security professionals need – another reason to be paranoid!
Understanding the LastPass compromise
If you are a LastPass user (or the kind of person who likes to engage in “team sports behaviour” regarding password managers and is looking for ammunition for online arguments… er, I mean constructive criticism), you may remember that a security breach was announced in August. As with most breach announcements, the company came out and said that no customer information or passwords had leaked out onto the dark web.
However, what the company didn’t announce is much more worrisome. The full story only came to light over the holiday break, causing LastPass to go back on their previous announcement:
While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
Whoops! So, although LastPass’s initial announcement wasn’t incorrect, it does mean that a lot more needs to be said about the situation.
What does this mean for LastPass users?
Unlike a “conventional security breach” (if such a thing exists), this attack was not a single smash-and-grab. Source code and technical information stolen in August were used to target an employee and obtain the credentials and decryption keys for LastPass’s cloud storage, and with those the attacker copied customer vault backups. Master passwords were not part of what was taken, but the vault copy changes the threat model completely: whoever holds it can guess master passwords offline, with no lockout, no rate limiting and no server in the path, and a weak or reused master password now protects nothing. The plaintext metadata in the same backup (site URLs, email addresses, billing addresses, telephone numbers, IP addresses) also tells the attacker which vaults are worth the effort and who to phish for the rest. This shows a weak underbelly of the password manager industry: people are using password managers suboptimally, and the engineers who build them may not be collecting the data that would show how badly.
Are Password Managers Safe?
Here comes the heresy – maybe password managers aren’t safe. And there are two reasons for that:
- We don’t use them properly (the human error factor!), and
- The Password Managers themselves aren’t set up to protect data properly.
As noted in a research paper by Ng, Schechter, et al., most people aren’t using these services correctly. For example, 79% of Chrome password manager users create their own passwords instead of using randomly generated ones. Even more damning, 19 out of 81 respondents admitted to reusing passwords across sites, including reusing their master password for the password manager itself. This suggests that password managers have become a box-ticking exercise for some people: a convenient place to store their passwords rather than a secure one. For a reasonably skilled threat actor, such a vault is little more than a virtual sticky note. The Luddite CEO with his passwords written in a notebook is simply the analogue version of the enlightened cybersecurity professional who has turned his password manager into a digital logbook of the same password.
Of course, human error is always a factor for cybersecurity professionals. The best we can do is to act as best practitioners and stamp out poor practices when we discover them. But is all the blame on the password manager users?
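The reuse problem described above is something a vault audit can surface directly. What follows is an added example, not code from the Ng and Schechter paper, from _secpro or from any password manager vendor. It assumes a vault export in the simplest possible layout (one record per site with url, username and password fields), takes the master password alongside it, and reports exact reuse, near-reuse (the same base word with the year or punctuation rotated, detected by a rough heuristic) and any site where the master password itself has been reused. The sample vault is constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample export (not real data). Layout is an assumption:
# one record per site with url, username and password fields.
SAMPLE_VAULT = [
    {"url": "https://mail.example.com",  "username": "alice", "password": "Summer2022!"},
    {"url": "https://bank.example.com",  "username": "alice", "password": "Summer2023!"},
    {"url": "https://shop.example.com",  "username": "alice", "password": "Summer2022!"},
    {"url": "https://forum.example.com", "username": "alice", "password": "Kq7#vL9p$wX2mR4z"},
    {"url": "https://vpn.example.com",   "username": "alice", "password": "CorrectHorseBattery"},
]
SAMPLE_MASTER = "CorrectHorseBattery"   # also the vpn password: the worst case


def canonical(password: str) -> str:
    """Collapse the usual 'rotate the year, add a bang' variants onto one key:
    lower-case and strip trailing digits/punctuation. Heuristic, not a metric."""
    return re.sub(r"[0-9!@#$%^&*._-]+$", "", password.lower())


def fingerprint(password: str) -> str:
    """Short hash so findings can be logged without writing plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


def audit_vault(entries, master_password: str) -> dict:
    """Report exact reuse, near-reuse and master-password reuse across a vault."""
    by_password = defaultdict(list)        # exact password -> [url, ...]
    by_canonical = defaultdict(list)       # canonical form -> [url, ...]
    variants = defaultdict(set)            # canonical form -> {distinct passwords}
    for e in entries:
        by_password[e["password"]].append(e["url"])
        key = canonical(e["password"])
        by_canonical[key].append(e["url"])
        variants[key].add(e["password"])
    return {
        # same password on several sites: one phished login opens all of them
        "exact_reuse": [{"fingerprint": fingerprint(pw), "urls": sorted(urls)}
                        for pw, urls in by_password.items() if len(urls) > 1],
        # trivial variants of one base word: a single guessing rule recovers the rest
        "near_reuse": [sorted(by_canonical[key])
                       for key, pws in variants.items() if len(pws) > 1],
        # the one password that must never appear anywhere else
        "master_reused_at": sorted(e["url"] for e in entries
                                   if e["password"] == master_password),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_vault(SAMPLE_VAULT, SAMPLE_MASTER), indent=2))
```

The near-reuse heuristic is deliberately crude; its job is to catch the “Summer2022!” to “Summer2023!” pattern that exact matching misses, not to score password strength. Findings carry a short hash rather than the password so the report can be kept without becoming another copy of the vault.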
The Password Manager Industry – the race to the bottom
In a scathing attack on password managers in general, Stuart Schechter listed a number of reasons for the poor standard of security that these managers offer. They can be summed up like this:
- The password-composition rules and strength meters used within the password manager industry are almost always designed for low-security applications.
- The advertising surrounding password managers far exceeds the capabilities of the managers themselves.
- Relying on a single master password means that, once an attacker holds a copy of the vault, that one password is all that protects it, and master passwords are far easier to guess offline than their owners assume.
- Password managers rarely (if ever) have an enforcement mechanism to stop people from reusing passwords, the exact problem they are meant to overcome.
- They rarely measure, or at least rarely publish, how often users’ stored passwords are accessed, because their security architectures were not designed to measure or test this.
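The offline-guessing threat behind the third point, as an added example that is not LastPass’s code and does not reproduce its vault format: a hypothetical vault header that derives its key from the master password with PBKDF2-HMAC-SHA256 and stores a short key-check value, the attacker’s loop over a stolen copy of that header, and a throughput measurement showing why the iteration count and the guessability of the master password are the only two knobs left once the backup is gone. The candidate list, salt and iteration counts are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Hypothetical vault layout for illustration only: the real LastPass backup
# format is not described on this page and is not reproduced here.
KCV_LABEL = b"kcv"  # domain separation for the key-check value


def derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 stretching of the master password into a 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def key_check_value(key: bytes) -> bytes:
    """8-byte value that lets a client confirm the master password before decrypting.
    An attacker holding the header gets the same yes/no oracle."""
    return hashlib.sha256(KCV_LABEL + key).digest()[:8]


def make_vault(master: str, iterations: int, salt=None) -> dict:
    """Build the vault header an attacker would find in a stolen backup."""
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "kcv": key_check_value(derive_key(master, salt, iterations))}


def offline_guess(vault: dict, candidates) -> tuple:
    """Attacker's loop over a stolen header: no lockout, no rate limit, no server
    in the path. Returns (password, guesses) or (None, guesses)."""
    tried = 0
    for cand in candidates:
        tried += 1
        kcv = key_check_value(derive_key(cand, vault["salt"], vault["iterations"]))
        if hmac.compare_digest(kcv, vault["kcv"]):
            return cand, tried
    return None, tried


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Single-core PBKDF2 throughput on this machine; GPU rigs do far better."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"bench{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(search_space: int, rate: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space / rate


# Constructed candidate list standing in for a public breach dump.
LEAKED_PASSWORDS = ["123456", "password", "Summer2022!", "qwerty", "letmein"]

if __name__ == "__main__":
    weak = make_vault("Summer2022!", 5_000)        # master reused from another site
    strong = make_vault("Kq7#vL9p$wX2mR4z", 5_000)  # generator output, in no dump
    print("weak vault:  ", offline_guess(weak, LEAKED_PASSWORDS))
    print("strong vault:", offline_guess(strong, LEAKED_PASSWORDS))
    for iters in (5_000, 600_000):  # illustrative low and high iteration counts
        rate = guesses_per_second(iters)
        print(f"{iters:>7} iterations: {rate:8.1f} guesses/s on one core, "
              f"~{seconds_to_exhaust(10**6, rate) / 3600:.1f} h for a 1M-word list")
```

Two things fall out of running it. A master password that also appears in a breach dump is found in as many guesses as its position in the list, whatever the iteration count, which is why reuse defeats stretching entirely. For a password that is not in any list, the iteration count multiplies the attacker’s cost linearly, so a vault created under an old, low default is worth far less than the same vault re-encrypted with a current one; the client, not the server, decides that number, and the user usually never sees it.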
With that in mind, secpros around the world owe the security-naïve a long sit down and a think about what we are encouraging them to do. If we are effectively advising people to put every password they own into a single store, one that is either easy to reach or full of the same or similar entries across applications and websites, then this isn’t the silver bullet for improved security. It may instead be a treasure trove for the adversary that simply hasn’t been exploited yet. Worse, maybe it already has been, and the password managers haven’t been telling us.