What is the future of password managers?

In November 2022, LastPass experienced its second security breach in four months. Although the company’s CEO, Karim Toubba, assured customers they had nothing to worry about, the incident did not inspire confidence in the world’s leading password manager app.

Password managers have a vital job: keeping your sensitive login credentials secret, so your accounts stay secure. When hackers compromise these software applications, the entire identity and access management (IAM) industry takes notice.

As an alliance of tech giants leads a global push toward passwordless technology, security breaches like this beg the question: what’s the future of password managers?

How bad was the LastPass hack?

LastPass revealed details of the initial security incident on August 25, 2022, notifying customers that attackers had taken some of the company’s source code and technical information.

In November 2022, the company detected suspicious activity in a third-party cloud storage service that LastPass shares with an affiliate, GoTo. An unauthorized party used information stolen in the August incident to gain access to certain aspects of customer information.

While the investigation into the extent of the breach is ongoing, Toubba sought to allay fears: “Our customers’ passwords remain securely encrypted thanks to LastPass’ Zero Knowledge architecture.”

What is Zero Knowledge Architecture in LastPass?

Zero Knowledge Architecture is a design approach that ensures that no one can access secure data except the end user. LastPass uses this security model to protect sensitive data in your vault.

When using a zero-knowledge password manager, you must configure a master password. The only person who has access to your master password and data is you — not even LastPass!

Dustin Heywood, also known as EvilMog, is the chief architect of X‑Force, IBM’s cybersecurity team. He explains that “the point of zero-knowledge architecture is that passwords are encrypted with a unique security key in a way that makes it extremely difficult, expensive, and in most cases impossible to recover the password without the key”.

With zero-knowledge encryption, your data stays safe in the event of a security breach. Even if threat actors manage to steal encrypted data, it is still impossible to crack your master password.

“I think this is a great security control that all password managers should implement,” Heywood says. “You can’t give up knowledge you don’t have.”

What other password managers (or other security vendors) rely on Zero Knowledge?

Not all password managers follow a zero-knowledge architecture. However, many leading security vendors trust the technology.

Here are some notable examples:

  • NordPass explains that all encryption and decryption takes place on your device. By the time the data reaches the company’s servers, it is already encrypted and unreadable to everyone, including the NordPass team.

  • 1Password does not rely on any single point of failure. In addition to the master password, there is a 34-character secret key. 1Password servers only contain encrypted vault data. For anyone to decrypt your vault data, they would also need your account password and secret key.

  • Sync.com is a leading cloud storage platform that uses zero-knowledge protection to protect your files.

Have security vulnerabilities affected other password managers?

The attacks on LastPass caused a stir because it is arguably the best password manager in the world. But it’s not the only password security provider in the crosshairs of cybercriminals.

Several research initiatives in 2019 and 2020 sought to uncover how password managers could be hacked. The research revealed security vulnerabilities in many of the most popular password managers, including LastPass, Dashlane, 1Password, Keeper, and RoboForm.

In April 2021, hackers used phishing tactics to target Passwordstate customers. When users clicked on malicious files, they exposed their login credentials. The cybercriminals then posed as customer service representatives from Passwordstate’s parent company, Click Studios, to trick users into disclosing more personal information.

Clearly, passwords are a weak link in cybersecurity. Verizon’s 2022 Data Breach Investigation Report found that 80% of all global security breaches are related to password security issues. Worryingly, 66% of Americans admit they use the same password for their email, banking, and social media accounts.

So, with human failure being a hard-to-control variable in identity and access management, security teams need to think about how to build a safer digital future with more robust methods.

Is passwordless technology the answer?

Passwordless authentication is a method of verifying a user’s identity without requiring a password. This technology replaces passwords with one of the following alternatives:

  • Possession factors such as one-time passwords, authenticator app codes, or a hardware token
  • Biometrics, including fingerprints, facial recognition, retina scans or heartbeats
  • A “magic” link that grants access to the user via email.

By using a passwordless approach, businesses can make logging in effortless and secure. You don’t have to remember different passwords or worry about someone else finding out the password for your most sensitive accounts.

In December 2022, Google announced passkeys for Chrome users. Passkeys are a product of the FIDO Alliance, a joint venture between Apple, Google and Microsoft. They use public-key cryptography and biometric authentication to replace text passwords.

In 2023, 1Password will launch a similar passwordless system that will work on iOS, Android, Windows, Mac, Chrome OS, and Linux devices. The new demo shows how easily users can generate passkeys through a browser extension: each passkey is a unique key pair, and the website keeps the public key.

What are the disadvantages of a passwordless environment?

As security key technology is still in its infancy, it is far from perfect. Here are some concerns people have about a passwordless approach:

  • Users need to open an additional email app to access online accounts
  • Email is an easy way for hackers to compromise, which means hackers could intercept passcodes or keys
  • Email is also a prime target for phishing links that could trick users into downloading malware or spyware.

If passwordless technology uses text messages or push notifications instead of emails, it forces people to reach for another device every time they log on. If their smartphone is out of battery or out of coverage, they can’t get in.

It will take time for software developers and businesses to create the resources and software development kits (SDKs) to simplify passwordless onboarding and make this method of verification a seamless plug-and-play experience.

Will we eventually replace password managers?

Heywood explains, “The term ‘password manager’ is a bit of a misnomer; password managers are really ‘shared secret managers’ that can contain recovery keys and passphrases, initial seed tokens, recovery instructions, and more.”

Despite the groundswell for a more integrated and secure future for digital security and IAM, the reality is that many systems today are not fully internet-connected and many enterprises are not ready to give up on passwords anytime soon.

Some systems are completely disconnected, while others are in environments with extremely limited network access. A prime example is critical infrastructure sectors, which often rely on legacy systems and operational technology (OT).

Legacy systems such as Active Directory, terminal servers, and sites that still use HTTP Basic and LDAP authentication rely on shared secrets. These environments include firewalls, routers, switches, and other devices with password-enabled recovery accounts. Even as industries move away from passwords, there remains a need for local secrets to verify trust between user and machine or trust between machines.

“Passwords will never completely disappear,” says Heywood. “We will be using passwords long after I retire. The important thing is to ensure that secrets are managed throughout their life cycle, including creation, storage, transmission and destruction. Secrets should be unique between systems and rotated often.”

We Still Need Password Managers, But How We Use Them Must Change

Every breach of a password manager’s security is a blow to the integrity of, and trust in, the technology. As hackers continue to target LastPass, the demand for change is growing, with tech giants calling for a shift in the IAM landscape.

A future where passwordless environments reign supreme seems inevitable, especially in key industries like finance and national security. But passwords won’t disappear entirely – the nature of operational technology and critical infrastructure makes eliminating passwords nearly impossible.

85% of IT and security professionals expect a future that combines passwordless authentication with sophisticated password management. Security teams must find ways to integrate the two principles to nullify cyber threats and provide more secure data management.

Ready to learn more about EvilMog’s password best practices? Read How to Keep Your Secrets Safe: An Introduction to Passwords.
