The recent LastPass breach reminds us there is no way to stay 100% safe online and highlights some of the risks associated with using a central vault to store passwords and other secrets. However, password managers (PMs) remain the most secure way to protect passwords, even though they are not perfect.
PMs let you store a strong, unique password for each of the dozens or hundreds of websites, web applications, and services a user relies on regularly. Additionally, PMs:
- Enable the user to log in without typing the password every time, protecting them from keyloggers.
- Allow users to utilize stronger passwords that don’t need to be written down.
- Encourage users to use different passwords for every account.
- Provide some protection against credential harvesting phishing emails, as they will not populate credentials into spoofed sites.
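The phishing protection in the last bullet comes from how a PM decides where to autofill. The following is an added illustration, not code from the article or from any vendor's product: entries are keyed by the exact origin (scheme, host, port) they were saved on, and a fill is offered only when the current page's origin matches, so look-alike and typo-squatted addresses get nothing. The sample entries and URLs are constructed.

```javascript
// Constructed sample vault entries, stored with the origin they were saved on.
const SAMPLE_ENTRIES = [
  { origin: 'https://bank.example.com', user: 'alice', password: 'constructed-secret-1' },
  { origin: 'https://mail.example.org', user: 'alice@example.org', password: 'constructed-secret-2' },
];

// Normalize a page URL to its origin. new URL() lowercases the host, drops the
// default port and converts internationalized names to punycode, so a
// look-alike character yields a different origin from the ASCII one the entry
// was saved under. An unparseable URL yields null (no fill).
function pageOrigin(pageUrl) {
  try {
    return new URL(pageUrl).origin;
  } catch {
    return null;
  }
}

// Credentials eligible for autofill on pageUrl: exact-origin match only.
// A substring or "ends with" comparison would wrongly match
// https://bank.example.com.evil.test, so the whole origin is compared.
function credentialsFor(entries, pageUrl) {
  const origin = pageOrigin(pageUrl);
  if (origin === null) return [];
  return entries.filter((e) => e.origin === origin);
}

// Map each URL to whether the manager would offer to fill anything there.
function autofillDecisions(entries, urls) {
  return Object.fromEntries(urls.map((u) => [u, credentialsFor(entries, u).length > 0]));
}

// Constructed test pages: one genuine login page and four spoofs of it.
const SAMPLE_URLS = [
  'https://bank.example.com/login',            // genuine site
  'https://bank.example.com:443/login',        // genuine, explicit default port
  'https://bank.example.com.evil.test/login',  // real host as a subdomain of another domain
  'https://bank-example.com/login',            // typo-squat
  'http://bank.example.com/login',             // scheme downgrade
  'https://bаnk.example.com/login',            // Cyrillic "а" in place of Latin "a"
];

console.log(autofillDecisions(SAMPLE_ENTRIES, SAMPLE_URLS));
```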
While keeping all your passwords in one location is an inherent risk with PMs, the trade-off is worth the risk. Most PMs protect the vault with 256-bit AES encryption, a zero-knowledge design (the vault is encrypted with a key derived from your master password before anything leaves your device, so the master password itself is never sent to the provider), and two-factor authentication (2FA).
Types of Password Managers
There are three types of PMs: device-based, cloud-based, and on-premise. Each type strikes a different balance between security and convenience.
- Device-based solutions run locally on a single device, which makes sharing the password vault across multiple devices difficult; they typically do not detect weak or reused passwords and lack the security controls of a commercial PM.
- Cloud solutions work across multiple devices and detect weak or reused passwords; however, your data is stored on someone else’s server.
- On-premise solutions may appear to be the safest option, but they require you to maintain the in-house IT infrastructure and data backups yourself, which may increase the cost.
Note: Using your browser's “Save Password” feature to save passwords is not considered a safe or recommended way to store passwords.
Any PM solution carries some inherent risk, so the specific risk of each candidate solution should be understood during the due diligence and vendor management process. Any residual risk after the solution is selected should be addressed in the IT risk assessment to confirm that the solution’s risk score falls within your organization’s risk appetite.
Things to Consider When Changing Password Managers
If your organization currently utilizes LastPass as a password management solution, it is absolutely appropriate to evaluate alternate PM products and solutions, as there are many viable password management vendors in the market. However, it is recommended that your organization only switches PM providers after doing its homework.
Keep in mind your current investment with the incumbent provider. For example, even if you believe it’s in your organization’s best interest to switch PM providers, what does that transition look like? Does your current PM provider make it easy for you to transition all your sites and passwords to another platform, or will that transition be time-consuming and complicated?
Alternatively, your organization may wish to shift from a cloud-based password manager to a device-based or on-premise version. Still, it is recommended that you evaluate the pros and cons of making such a switch. For example, if you currently have users utilizing a cloud-based PM and want to shift to an on-premise PM, what functionality will your users lose in that switch?
If you are evaluating your password management solution, it is recommended that you do the proper homework (vendor due diligence and IT risk assessment) on alternative PM solutions to ensure appropriate security controls and risk mitigation measures are in place. Only once you’ve done the appropriate homework can you determine the best path forward for your organization based on an informed business decision.
SBS CyberSecurity does not partner with nor endorse any password management vendors or solutions.
Shane Daniel, SVP Information Security Consultant/Regional Director - SBS CyberSecurity
Terry Kuxhaus, Senior Information Security Consultant - SBS CyberSecurity
- Behind the Hack: How Password Reuse Led to Admin Access: During a recent customer internal penetration test, SBS CyberSecurity’s network security team found several administrative accounts used by the client’s MSP which reused the same password. Read the blog for a brief overview of how the issue was identified and the resulting impact to this client’s network.
- Password Tips: It’s important to create strong, complex passwords for your systems. That’s why we’ve put together these best methods for stronger passwords to help you train your employees. Keep in mind, though, that based on the risk of each system, these standards may fluctuate.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.