LastPass Hack: What Does it Mean for the Future of Password Managers?

Does the LastPass hack mean the end of password managers as we know them? Is it possible to recover from such a breach? What does this breach mean in terms of user trust?

Password Managers Aren’t Going Anywhere

Firstly, we must acknowledge the persistence of passwords as an authentication method despite ever-growing research into replacing them: passwords are here to stay. With that assumption in place, we must consider how to use them effectively.

One of the core problems with passwords is that a user needs to remember them. If they do not remember their password, or do not have it stored somewhere secure and accessible, they lose access to the resource. Stefan Thomas, the man who forgot the password to his wallet containing 7002 bitcoins, is a testament to this – and he only has two tries left until his password manager seizes up and encrypts everything forever.

Compounding this core problem of remembering is the advice to use a different password for each resource, because if one resource is compromised, any other resource using the same password may be compromised as well.

Years ago, it was much easier to remember these passwords, but these days technology is so ubiquitous in our lives that the problem of password memorisation keeps growing. Enter password managers – suddenly, we have the ability to secure many passwords using just one extremely strong password.

Password managers are software applications that securely store and manage login credentials for different websites and applications. These tools allow users to generate and store complex and unique passwords, making it easier to remember a single master password to access all their other login credentials. This makes it easier for users to remember their passwords and more difficult for hackers to access multiple accounts in case one password is compromised.

New Risks

However, this extra layer of convenience and security comes with its problems. The attack surface changes because hackers can no longer hack one website and get access to a user's whole set of digital resources. The password manager is a much more attractive target, and there will be increased efforts to compromise password managers because they are lucrative targets.

So now we must consider other alternatives to password managers that accomplish the same thing without the same risk. Other options do similar things, such as Federated Identity Management (FIM), which authenticates a user to a resource using an Identity Provider (like Facebook, Google, Apple, etc.).

In the case of LastPass, the passwords themselves were encrypted, and there is no evidence that these were compromised. Similarly, with FIM, an Identity Provider could be breached, but the connected resources are not necessarily compromised, thanks to a solid defence-in-depth strategy.

Where Do We Go From Here?

When managing our login credentials for all our online accounts, we're faced with a bit of a conundrum: on the one hand, we need a centralised authentication method to access all of our resources easily. On the other hand, if that centralisation is ever compromised, the consequences can be dire. Think of it like a digital house of cards: it may seem convenient initially, but one small slip-up can bring the whole system crashing down. So, how do we balance ease of access and security? This question continues to be a challenge for the industry and individual users alike.

Password managers are here to stay, as they provide that centralisation, and other solutions operating in practice so far also have similar risks. Any concrete changes that can be made may further mitigate the risks, but so long as the paradigm remains the same, the risk will still exist.

What does this mean for LastPass and its users?

As LastPass is supposed to be that highly trusted central authentication method, it won’t be easy to recover trust fully. The only function of LastPass is security related. If Facebook or Google get compromised, for example, they still offer services that will attract the market. When a security solution, whose primary goal is to provide security, is compromised, recovering that trust will be far more difficult.

LastPass has had a history of data breaches, with the most recent occurrence just last year. Initially, the company reassured its customers that the incident had not affected them, but later updates revealed otherwise. Customer data, including personal information like billing addresses, telephone numbers, and IP addresses, was stolen, along with unencrypted vault data.

In light of the company’s history of breaches, it's crucial to take steps to secure your passwords. Here are Pragma’s five recommendations on how to do that:

  1. Consider switching to a new password manager. This gives you a fresh start with a new, secure solution that has no history of breaches. Here is a list of password managers’ security breaches so far.
  2. Review your master password to ensure it is strong and memorable. Keeper and LastPass themselves provide specific advice.
  3. Ensure your passwords are not shared across critical services. This includes banks, financial institutions, tax preparation, government programs, and anything else that could be ruinous if someone got hold of those accounts. In addition, pay particular attention to making the passwords for critical services harder to guess.
  4. Audit the rest of your passwords, starting with those protecting the most sensitive information. This includes personal information such as physical addresses, birth dates, and credit card numbers. If these services are not managed by a password manager, it is likely that passwords are being shared across them – consider moving them into a centralised solution so that you are not reusing credentials across accounts.
  5. Reflect on your digital information posture. Are you giving away information that malicious actors can leverage, for example by answering the memorable-information questions commonly used on websites? Maybe it’s time to consider your online privacy more deeply.
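Recommendations 3 and 4 boil down to finding password reuse in a vault, with reuse that touches a critical service ranked first. The following is an added example, not Pragma's or LastPass's own tooling; it assumes a constructed CSV export with `url,username,password,name` columns and a hypothetical keyword list for "critical" services, and it reports a truncated hash instead of the password itself.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed vault export in a password-manager-style CSV layout
# (assumed column names, not a real export).
SAMPLE_EXPORT = """url,username,password,name
https://bank.example,alice,Tr0ub4dor&3,Example Bank
https://tax.example.gov,alice,Tr0ub4dor&3,Tax Portal
https://forum.example,alice,Tr0ub4dor&3,Hobby Forum
https://shop.example,alice,correct horse battery staple,Web Shop
https://mail.example,alice,xQ9!vL2#pR7@mZ4,Mail
"""

# Hypothetical keywords marking the services the article calls "critical".
CRITICAL_KEYWORDS = ("bank", "tax", ".gov", "finance")


def is_critical(entry):
    """True if the entry's URL or name matches a critical-service keyword."""
    text = (entry["url"] + " " + entry["name"]).lower()
    return any(k in text for k in CRITICAL_KEYWORDS)


def audit_reuse(export_csv):
    """Group vault entries by password and report every reused password.

    Passwords are never returned; each group is identified by a truncated
    SHA-256 so the report can be shared without exposing secrets.
    """
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        groups[row["password"]].append(row)

    findings = []
    for password, entries in groups.items():
        if len(entries) < 2:
            continue  # unique password: nothing to report
        findings.append({
            "password_id": hashlib.sha256(password.encode()).hexdigest()[:12],
            "sites": sorted(e["name"] for e in entries),
            "critical": sorted(e["name"] for e in entries if is_critical(e)),
        })
    # Reuse that involves a critical service is the highest priority.
    findings.sort(key=lambda f: (-len(f["critical"]), -len(f["sites"])))
    return findings


if __name__ == "__main__":
    for f in audit_reuse(SAMPLE_EXPORT):
        print(f"{f['password_id']}: reused on {', '.join(f['sites'])}; "
              f"critical: {f['critical'] or 'none'}")
```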

In conclusion, the recent data breaches in password managers serve as a reminder that our digital age comes with its own security challenges. While password managers make it easier to manage our login credentials, they also present a lucrative target for hackers and bad actors. The compromise of a password manager can lead to a large-scale data breach, putting personal information and account access at risk.

However, it's important to note that this is just the tip of the iceberg regarding the potential threats we face in the digital world. Hackers and bad actors are constantly finding new ways to exploit vulnerabilities, and it's crucial for individuals and organisations to be vigilant and stay informed about the latest threats. This includes keeping software and systems updated, using strong and unique passwords, and being aware of phishing and other social engineering tactics. In short, always being on guard and taking proactive measures is key to protecting our online identities and sensitive information.
