In November 2022, LastPass had its second security breach in four months. Although company CEO Karim Toubba assured customers they had nothing to worry about, the incident didn’t inspire confidence in the world’s leading password manager application.
Password managers have one vital job: keep your sensitive login credentials secret, so your accounts remain secure. When hackers compromise these software applications, the entire industry of identity and access management (IAM) takes notice.
As an alliance of tech giants leads a global push toward passwordless technology, security breaches like this beg the question: What is the future of password managers?
How Bad Was the LastPass Hack?
LastPass revealed details of the initial security incident on August 25, 2022, notifying customers that attackers had taken some of the company’s source code and technical information.
In November 2022, the company detected suspicious activity in a third-party cloud storage service that LastPass shares with an affiliate, GoTo. An unauthorized party used information stolen during the August incident to access some aspects of customer information.
With the investigation into the scope of the breach ongoing, Toubba sought to allay fears: “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
What is Zero Knowledge Architecture in LastPass?
Zero knowledge architecture is a design approach that ensures nobody can access secure data except the end user. LastPass uses this security model to protect sensitive data in your vault.
When you use a password manager that relies on zero knowledge, you must set up a master password. The only person that has access to your master password and data is you — even LastPass doesn’t know it!
Dustin Heywood, also known as EvilMog, is the Chief Architect for X‑Force, IBM’s cybersecurity team. He explains that “the point of zero knowledge architecture is that passwords are encrypted with a unique security key in a manner that makes it extremely difficult, expensive and, in most cases, impossible to recover the passwords without the key.”
With zero knowledge encryption, your data remains safe in the event of a security breach. Even if threat actors manage to steal encrypted data, it’s still impossible to decipher your master password.
“I believe this to be an excellent security control that all password managers should implement,” asserts Heywood. “You can’t give up knowledge that you don’t have.”
What Other Password Managers (or Other Security Providers) Rely On Zero Knowledge?
Not all password managers follow a zero knowledge architecture. However, many leading security providers trust the technology.
Here are a few notable examples:
NordPass explains that all encryption and decryption take place on your device. When the data reaches the company servers, it’s already fully secured from everybody, including the NordPass team.
1Password doesn’t rely on any single point of failure. In addition to the master password, there is a 34-character Secret Key. 1Password servers contain only the encrypted vault data. For anyone to decrypt your vault data, they would also need your account password and Secret Key.
Sync.com is a leading cloud storage platform that uses zero knowledge protection to keep your files safe.
Have Security Breaches Affected Other Password Managers?
The attacks on LastPass have caused a stir because it is arguably the best password manager in the world. But it’s not the only password security provider in the crosshairs of cyber criminals.
Several research initiatives in 2019 and 2020 sought to discover ways password managers could be hacked. The research exposed security vulnerabilities in many of the most popular password managers, including LastPass, Dashlane, 1Password, Keeper and RoboForm.
In April 2021, hackers used phishing tactics to target Passwordstate customers. As users clicked on malicious files, they exposed their login credentials. The cyber criminals then posed as customer support reps from Passwordstate’s parent company, Click Studios, to trick users into disclosing more personal information.
It’s clear that passwords are a weak link in cybersecurity. Verizon’s 2022 Data Breach Investigations Report found 80% of all global security breaches are linked to password security issues. Worryingly, 66% of Americans admit they use the same password for their email, banking and social media accounts.
And so, with human failure being a variable that is hard to control in identity and access management, security teams must consider how to build a safer digital future with more robust methods.
Is Passwordless Technology the Answer?
Passwordless authentication is a method of verifying a user’s identity without any request for a password. This technology replaces passwords with one of the following alternatives:
- Possession factors like one-time passwords, authentication app codes or a hardware token
- Biometrics including fingerprints, face recognition, retina scans or heartbeats
- A “magic” link that grants access to the user via email.
Using a passwordless approach, companies can make logging in effortless and secure. You don’t have to remember different passwords or worry about someone else discovering the password to your most sensitive accounts.
In December 2022, Google announced the arrival of passkeys for Chrome users. This creation is a product from the FIDO Alliance: a joint venture between Apple, Google and Microsoft. Passkeys use public cryptography and biometric authentication to replace text-based passwords.
In 2023, 1Password will launch a similar passwordless system, which will work on iOS, Android, Windows, Mac, Chrome OS and Linux devices. The new demo shows how easy it is for users to generate hidden passkeys through a browser extension, which has a unique pair stored on the website.
What are the Cons of a Passwordless Environment?
As passkeys technology is still in its infancy, it’s far from perfect. Here are some concerns people have about a passwordless approach:
- Users need to open an additional email application to access online accounts
- Email is an easy medium for hackers to compromise, which means hackers could intercept codes or passkeys
- Email is also a prime target for phishing links that could trick users into downloading malware or spyware.
If the passwordless technology uses SMS or push notifications instead of email, it’s a hindrance for people to use another device every time they log in. If their smartphone has no battery or coverage, they can’t gain access.
It will take time for software developers and businesses to create the resources and software development kits (SDKs) to simplify passwordless integration and make this verification method a seamless plug-and-play experience.
Will We Eventually Replace Password Managers?
Heywood explains, “the term ‘password manager’ is a bit of a misnomer; password managers are really ‘shared secrets managers’ that can hold recovery keys and passphrases, initial seed tokens, instructions for recovery and a whole lot more.”
Despite the groundswell for a more integrated, failsafe future for digital security and IAM, the reality is that many current systems are not fully connected to the internet, and many businesses are not ready to give up passwords anytime soon.
Some systems are disconnected completely, while others are in environments that have extremely limited network access. A prime example is critical infrastructure sectors, which often rely on legacy systems and operational technology (OT).
Legacy systems such as Active Directory, terminal servers and sites that still use HTTP Basic authentication and LDAP rely on shared secrets. These environments comprise firewalls, routers, switches and other devices with password-enabled recovery accounts. Even as industries shift from passwords, there remains a need for local secrets to verify user-to-machine trust or machine-to-machine trust.
“Passwords will never fully go away,” claims Heywood. “We will be using passwords long after I retire. The important thing is ensuring that secrets are managed throughout their entire lifecycle, including creation, storage, transmission and destruction. Secrets should be unique between systems and rotated often.”
We Still Need Password Managers — But How We Use Them Must Change
Every security breach of a password manager is a body blow to the integrity and trust people have in the technology. As hackers continue to circle LastPass, the clamor for change grows louder, with tech giants calling for a shift in the landscape of IAM.
A future where passwordless environments reign supreme seems inevitable, especially in key industries like finance and national security. But passwords will not vanish entirely — the nature of operational technology and critical infrastructure makes the elimination of passwords virtually impossible.
85% of IT and security professionals expect a future that combines passwordless authentication with sophisticated password management. Security teams must find ways to integrate the two principles to nullify cyber threats and ensure a safer way to manage data.
Ready to learn more about good password practices from EvilMog? Read How to Keep Your Secrets Safe: A Password Primer.