LastPass reported a security breach a month ago, its 8th security incident in the last 11 years. This incident was followed by a recent disclosure by a Google researcher that many popular password managers, like Dashlane, Bitwarden, and Safari, can be phished.
There are many lessons that we all need to learn from these recurring incidents. This post sets out to cover a few points that we have not seen discussed by the info-sec community.
The Catch-22 – Phish or no Phish?
LastPass warned its users that phishing attacks, credential stuffing, or other brute-force attacks on accounts associated with their LastPass vault were likely.
This warning goes against what password managers like LastPass claim: “Use of a password manager protects users from phishing attacks.”
Recently there have been more incidents in which password managers have proved vulnerable to phishing attacks. You can find more details in the article “Popular password managers auto-filled credentials on untrusted websites”.
The Impact
In its blog post, LastPass reported that customers’ personal information such as email addresses, phone numbers, postal addresses, and IP addresses was compromised. What LastPass is not talking about is the additional information it collects from users through its mobile app.
The screenshots below show the permissions that the LastPass app requests on a user’s phone.
These permissions enable an application provider like LastPass to collect more information about the user than is required.
In the event of a breach, the severity and privacy impact would be catastrophic if such additional information collected from the user’s phone were involved.
The Passwords
Furthermore, LastPass has reported that customers’ vaults, containing clear-text data such as website URLs and encrypted data such as usernames and passwords, were also obtained by the threat actors.
LastPass emphasised the use of the master key, and that a threat actor cannot decrypt the password vault even with the encrypted data, because the master key is a master password set by the user and is not stored on the LastPass network.
Meanwhile 1Password, a rival of LastPass, claims on its blog that LastPass passwords can be cracked for $100. It also describes its superior method of using a secret key and Password Authenticated Key Agreement, which makes its systems safer.
With the device-specific keys mentioned by 1Password, syncing passwords across multiple devices becomes a risky affair. It requires the password to be decrypted on another device using the user’s chosen master password along with the secret key from the earlier device. This problem cannot be solved without exposing the secret key or the user’s passwords in transit.
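To make the contrast concrete, here is an added Python model (not code from this post, LastPass, or 1Password) of the two designs: a vault key derived from the master password alone, versus one that also requires a high-entropy device secret key, together with the search space an offline attacker holding a stolen vault would face. The PBKDF2 iteration count, the salt, the 128-bit secret size and the XOR combination are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for illustration; not the real values of any product.
PBKDF2_ITERATIONS = 100_000
SECRET_KEY_BYTES = 16          # a 128-bit device secret, generated once per account


def generate_secret_key() -> bytes:
    """Random device secret that never leaves the user's devices (assumed two-secret design)."""
    return secrets.token_bytes(SECRET_KEY_BYTES)


def derive_vault_key(master_password: str, salt: bytes,
                     secret_key: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the 256-bit vault key.

    Single-secret model (secret_key is None): the key is only as strong as the
    master password, so a stolen vault can be attacked by guessing that password.
    Two-secret model: the stretched master password is XOR-combined with a key
    expanded from the device secret, so a correct password guess alone is useless.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)
    if secret_key is None:
        return pw_key
    sk_key = hmac.new(salt, secret_key, hashlib.sha256).digest()   # expand secret to 256 bits
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def guess_space_bits(password_entropy_bits: float, has_secret_key: bool) -> float:
    """Entropy an offline attacker holding the ciphertext would have to search."""
    return password_entropy_bits + (8 * SECRET_KEY_BYTES if has_secret_key else 0)


def expected_cracking_seconds(search_bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search (on average half the space is tried)."""
    return (2.0 ** search_bits / 2.0) / guesses_per_second


if __name__ == "__main__":
    salt = b"constructed-salt"
    pw = "correct horse battery"          # constructed master password
    sk = generate_secret_key()
    print("single-secret key:", derive_vault_key(pw, salt).hex()[:16], "...")
    print("two-secret key:   ", derive_vault_key(pw, salt, sk).hex()[:16], "...")
    for bits, with_sk in ((40, False), (40, True)):
        secs = expected_cracking_seconds(guess_space_bits(bits, with_sk), 1e9)
        print(f"40-bit password, secret key={with_sk}: ~{secs:.3g} s at 1e9 guesses/s")
```

The second design also shows why syncing needs the secret on every device: without it, the correct master password derives a different, useless key.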
Conclusion
After a series of events involving password management products, enterprises must seriously think about how safe their users’ data and passwords really are.
Not to forget, a server doesn’t care whether a password is coming from a password vault or from an adversary; it will authenticate as long as it can match the string. So no matter how and where you store passwords, as long as there are passwords, enterprises are always at risk.
For better security, enterprises must plan to remove passwords from their applications and servers and #GoPasswordless.