Have Password Management Services Been Hacked To Death?

It was somewhat ironic that attackers were able to compromise the systems of popular password management website, LastPass, earlier this month.

And, for its users, it was also potentially devastating, as the hackers managed to steal data that could allow them to guess weak master passwords.

Sensitive information

As a precaution, the firm, which stores account passwords in an effort to make its users’ online lives easier, prompted all of its customers to change their master passwords. But can users really continue to trust services such as LastPass to help protect their sensitive information when they themselves are so easily hacked?

Multifactor authentication is a far safer bet, say some, including Brian Spector, CEO of CertiVox. He explains: “The breach is yet another example of the danger associated with passwords in general.

“Instead, there are tried and tested technologies that would enable multi-factor authentication (MFA) with no single point of compromise such as distributed key management. The more passwords are used the more breaches like this will occur.”

However, many in the IT security sector believe password management services are still a valuable part of overall security.

And the LastPass breach certainly highlights the importance of protecting these services as best we can, according to Ken Simpson, co-founder and CEO of MailChannels.

He says: “Services like LastPass and 1Password substantially increase the security of most Internet users, as well as increasing the convenience of managing access to the hundreds of online services we use each day. Even though these services take a very serious approach to their own security, they are going to be the target of highly sophisticated attacks from cyber criminals and nation-state actors looking to gain access to the authentication credentials of users.

“This being said, it is still a much better security posture to leverage a password manager so that you can have a different complex password for each service you access. Combining LastPass or 1Password with a second factor authentication method such as YubiKey or SMS greatly improves your security – even if we assume the password service provider is breached from time to time.”

It’s also been argued that doing away with password management services completely would be folly.

“Ditching a password manager for manual techniques, such as remembering your passwords, will likely lead to overall weaker passwords,” suggests Javvad Malik, security advocate at AlienVault. “But users should bear in mind the complexity and scale of how many passwords are needed and stored by a password manager.”

He adds: “Some people may choose to move to another password manager on the market, but this won’t change the overall risk of being hacked. For all organisations, it’s not a matter of if, but when they will be hacked.”

For now, with email addresses compromised by the LastPass breach, businesses will need to remain on their guard for potential spear phishing attacks.

Having access to the email addresses could allow the hackers to build a detailed profile of their target and create a very specific attack, according to Klaus Gheri, VP of Network Security at Barracuda Networks. He adds: “After building the profile the attack is likely to come from a ‘trusted source’ and this makes the chances of a successful attack considerably higher.”

As well as putting security systems in place, businesses, employees and consumers alike need to remain vigilant and question any unexpected email with an attachment that arrives in their inbox.


Duncan Macrae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.
