In the wake of the recent LastPass data breach, Sachin Bhatt assesses the safety and reliability of password managers and discusses what more we can do to protect our personal information.
We all have at least a few dozen - if not what seems like hundreds - of them. They seem to have become an inescapable consequence of every aspect of functioning society. Whether you are unlocking your phone, logging into your work computer, trying to speak to your bank or simply wanting to order goods from your favourite online shopping platform, there is no getting away from it: passwords are everywhere.
With the increase in the number of passwords needed to go about daily life in our digital-first world have come novel ways to remember them all. Enter the password manager, with which users need only remember a single password to access multiple accounts. But are these a cyber-criminal's idea of heaven? And should we be worried?
The password evolution
Although the daily use and function of passwords is associated with technology, the internet and modern-day living, they have in fact been around for centuries. Dig a bit deeper and you will soon discover that passwords were used for millennia in ancient civilizations: to gain entry to Roman fortresses and in all manner of historic military operations. Clearly, they've played a vital role in history - but why is it that today they all seem to be getting breached or hacked?
Computer systems were never designed with security in mind. Security was reserved for the locks on the doors of the rooms which housed some of the very first room-filling computer systems. These were, of course, instruments on which mathematical calculations could be performed. As advances in computer technology took hold and scaled to become devices people could afford in their homes, things changed. Computer systems were no longer bound to university-type facilities, and they could now store a healthy amount of information. Business transactions, confidential work and research were being conducted on these new computers - all of which now needed protecting. Cue the password.
Whilst still an optional add-on feature rather than a mainstay of personal computers (PCs), the growing accessibility of the internet and online platforms drove a dramatic increase in password use. Many users created passwords that were easy to remember and reused them across various systems. In fact, many companies at the time were unable to accept passwords longer than 8 characters.
How complex should passwords be?
Times have changed since then, and nearly everyone is now aware that selecting a weak password is bad practice. Reusing the same password across multiple accounts and systems is likewise a pointless exercise, and writing it down on a sticky note next to your device - well, why bother at all?
As computing power increases and vulnerabilities in the way passwords are used are exploited, it has become easier to crack them - which means that today there is a greater need for more complex passwords. The current common best practice is a passphrase consisting of three or more words, each reasonably long and unrelated to the others. Adding numbers, upper-case and lower-case characters, as well as special characters, only strengthens it.
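The practice just described, several unrelated words drawn independently, is worth seeing in code because it shows where a passphrase's strength actually comes from: the number of words and the size of the list they are drawn from, not how clever the words are. The following Go program is an added example and is not the author's code or any particular password manager's generator; the 16-entry word list is constructed for the example (a real generator would use a published list of several thousand words), and the function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// wordList is a small list constructed for this example; a real generator
// would use a published list of several thousand words (entropy grows with its size).
var wordList = []string{
	"copper", "lantern", "meadow", "violin", "glacier", "saddle", "pumpkin", "harbour",
	"ribbon", "falcon", "quartz", "thimble", "orchard", "compass", "walnut", "beacon",
}

// secretIndex draws a uniform index in [0, n) from the operating system's CSPRNG.
// math/rand is deliberately avoided: its output is predictable.
func secretIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // no entropy source available; there is no safe fallback
	}
	return int(v.Int64())
}

// GeneratePassphrase draws n words independently from wordList and joins them
// with sep. Independent draws are what makes the words unrelated to each other.
func GeneratePassphrase(n int, sep string) string {
	parts := make([]string, n)
	for i := range parts {
		parts[i] = wordList[secretIndex(len(wordList))]
	}
	return strings.Join(parts, sep)
}

// EntropyBits is the guessing entropy of an n-word passphrase drawn uniformly
// from a list of listSize words: n * log2(listSize).
func EntropyBits(n, listSize int) float64 {
	return float64(n) * math.Log2(float64(listSize))
}

// WordsForTarget returns the number of words needed to reach at least target bits.
func WordsForTarget(target float64, listSize int) int {
	return int(math.Ceil(target / math.Log2(float64(listSize))))
}

func main() {
	p := GeneratePassphrase(4, "-")
	fmt.Printf("passphrase: %s (%.1f bits from a %d-word list)\n",
		p, EntropyBits(4, len(wordList)), len(wordList))
	fmt.Printf("with a 7776-word list, 4 words give %.1f bits and %d words reach 80 bits\n",
		EntropyBits(4, 7776), WordsForTarget(80, 7776))
}
```

Adding a capital letter or a digit in a spot the user chooses adds far less than another word does: one extra word from a 7776-word list adds almost 13 bits, whereas a capitalised first letter that an attacker can predict adds none.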
How password managers are changing the game
The issue with having access to so many devices, accounts and platforms is a person's ability to create, and then keep track of, a good, unique password for each one. That is where password managers have found a niche and tried to fill it.
A password manager is essentially an application which remembers your login details (username and password) and can generate new random passwords for you as well. The concept of password managers isn't new, but the way they now operate with secure cloud storage - and sometimes independently of any one operating system's own applications - is.
Essentially, rather than having to remember hundreds of passwords and login details for various accounts and services, the application holds an encrypted vault of all your passwords, which can be copied and pasted into websites when required. All you need to do is create an account and remember one really strong master password to access them all.
A double-edged sword?
In trying to secure users' passwords and provide a system for managing them, password managers have also painted a very large target on their backs. They are a treasure trove for hackers and cyber criminals wanting to gain access to everything you have - and everything anyone else using the same service has. The criminals exploit these accounts en masse and then sell off the credentials on underground dark web marketplaces.
Recently, LastPass - a popular password management service - became the victim of a cyber-attack which led to a breach of the company's internal systems. Hackers were able to exfiltrate all backup copies of its customers' master vaults. That is an astounding 25 million users' password vaults, each containing numerous passwords and login details. This has understandably caused panic and worry, not only amongst users of LastPass but also around the whole concept of password managers.
It should be noted that whilst hackers are in possession of the vaults, these are encrypted with what is known as AES 256-bit encryption, one of the most advanced - and strongest - encryption standards currently in use. Whilst this doesn't guarantee hackers will never be able to read the contents of a vault, it gives a small shred of assurance that passwords are not immediately exposed in plain text. Of course, if vulnerabilities in the standard were found, that would be a whole different story.
The risk to LastPass users comes from readable information being sold on and used to mount secondary attacks that trick users into revealing their password. This could be, for example, sending a phishing email once attackers know certain users have accounts with a given bank, or capitalising on the fact that the breach is in the media. Sending an SMS phishing text claiming that your LastPass account was affected by the breach, and that you must click a link to change your password, is an opportunistic method a cyber-criminal may deploy.
So where does this leave us? Well, we certainly cannot go back to creating passwords manually and remembering them all. Password managers aren't perfect: there is always the aggregated risk that if someone gets hold of your vault or master password, they will have the keys to everything.
However, a password should not be the be-all and end-all of security. Two-factor authentication (2FA) and multi-factor authentication (MFA) are two of the most important mechanisms we can enable, on every account that allows them, to keep things secure. They add yet another layer of security to our arsenal that doesn't rely solely on a password. Whilst the LastPass breach is worrying and unfortunate, it shouldn't be reason enough to discourage the use of password managers altogether. Remembering a hundred different passwords is no easy feat - we're only human after all.
Sachin Bhatt is an experienced cyber security expert, former CISO and Head of Incident Management who works at Schillings to protect individuals and global businesses from complex cyber threats, including strategic cyber security risks, and specialises in providing incident preparedness and post-incident advice and in helping clients build strong security practices and resilience. He previously served as an incident management lead at CERT-UK and the UK's National Cyber Security Centre, complemented by a career of over a decade in Government.