From our CTO: Password Managers

By Nathan Taylor on Feb 9, 2023 9:05:53 AM

You may have recently seen news about a company that makes a very popular password manager. They had a major security incident, and many people in our industry are appropriately concerned about its ramifications. More importantly, that company’s approach to security was itself concerning. There are some important things to discuss about the incident, their approach, and how we should respond.

The first thing to say is that you are correct if you feel these incidents are becoming more and more common. As attacks and their effects become more common, media coverage is increasing as well.

One perspective on this specific incident is that we need to evolve our approach as consumers and businesses. Breaches are going to happen, and the responsible and defensible approach is to build systems that limit the impact of a breach and to deploy systems that detect one quickly.

Responsible vendors ethically report when they do have an incident. In this case, this vendor did some things well and other things less well in how they disclosed the incident. As time has gone on, it’s become clear that they cut some corners in their approach to security that left gaps which are very concerning. They have also been slow to fully own the breadth of those concerns.

Does this mean we should abandon password managers and start writing our passwords on sticky notes again? I don’t think so. While our confidence in that specific vendor has been shaken, there are other password manager vendors that are trustworthy and using them is still the best approach.

Here are some more in-depth thoughts and recommendations on the topic:

  • Don’t give up on Password Managers. When responsibly implemented and managed, they are still a superior option to most of the alternatives (password re-use, password spreadsheets, sticky notes, etc.)

    We can recommend a couple of vendors that have a more secure approach and help you implement them. The good vendors have properly implemented end-to-end, zero-knowledge encryption: the vendor never holds the key needed to decrypt your vault, so a breach of their servers yields only ciphertext. Here is a good read on how 1Password approaches this topic:

    How 1Password Keeps Your Data Safe, Even In the Event of a Breach | 1Password

  • Use MFA (Multi-factor Authentication) everywhere. MFA reduces the risk of a breach like this dramatically. Your password may be compromised, but the threat actor still needs a second factor to compromise the account.

    Whenever possible use an authenticator app (Microsoft Authenticator) or a FIDO2 key (YubiKey) instead of text message (SMS) or email MFA. Text-message or email-based MFA is better than no MFA, but both come with their own set of security concerns, such as SIM swapping and mailbox compromise.

    Microsoft 365 and the Microsoft Authenticator app also support some great passwordless and push-notification options, including number matching with additional context such as the sign-in location. Number matching will be the default experience starting February 27th, 2023:

    Microsoft 365: How to use number matching in multifactor authentication (MFA) notifications
  • Use passphrases instead of short complex passwords. Longer passwords and passphrases have so many upsides: they carry more entropy than a short string with symbol substitutions, and they are easier to manage and remember if you ever need to type one.

    Here’s a link to a comic that explains this well: xkcd: Password Strength

  • Keep your passwords tidy. As a business and personally, it’s worth cleaning up your password manager on a regular basis. If a password is not in use, close the account and delete the login. Old, unused passwords in your vault become attack vectors if the vault data is stolen. Extra passwords are a liability.

    I have a feeling that many users of the password manager we mentioned before are wishing they had kept a cleaner vault. This is one of the reasons machineLOGIC deletes customer credentials as soon as projects or engagements end. That data is a liability to us and the customer.

  • Never re-use passwords. This is one of the big wins that password managers facilitate, and it’s critical that you use each password in only one place. Ever.

    Many breaches happen because a user uses the same password on a personal app and on a work account. When that personal app is breached, those credentials are replayed against corporate assets (credential stuffing). Busy executives are often especially bad about this. Threat actors are smart and will correlate data across breaches.

  • Use role-based access. Limit access to passwords to those who need them. Apply this corporately and personally.

  • Don’t store your MFA keys or TOTP seeds (Time-based One Time Passwords) in the same product/solution as your passwords. Many password managers will offer to be your MFA token management solution as well. The TOTP seed is the second factor: anyone who holds it can generate valid codes indefinitely, so keeping it beside the password collapses MFA back to a single factor if the vault is compromised. We recommend keeping them separate in a tool like Microsoft Authenticator, Google Authenticator, or stored on a YubiKey.

    Ask your IT service providers if they maintain separate solutions with separate access controls for customer password management and MFA codes. This is a critical security control.

  • Be careful where you store your recovery keys. Just like MFA keys, recovery keys should be stored carefully. When you set up new accounts, you often get a recovery code that can be used in case your MFA method fails you. Don’t copy those into the notes in your password manager; a recovery code bypasses the second factor, so storing it with the password puts both factors in one place and defeats the purpose of MFA. Find another secure location to store them. We often don’t even keep these codes, as they are a security risk and are often not the best way to address MFA method recovery, especially in a corporate setting.

  • Use Single Sign On where appropriate or available. Solutions like corporate Single Sign On with Azure AD (Office 365) or Okta, or Sign in with Google/Apple for personal accounts, greatly reduce the number of passwords you need to manage and reduce the risk. When properly implemented, SSO means the vendors/sites you log in to don’t store a password for your account, and you don’t either.

    Single Sign On (SSO) has many benefits, especially in a corporate context: it can dramatically simplify and improve employee onboarding and offboarding, add security controls such as Microsoft’s Conditional Access to tools that don’t have them, and feed security data from diverse tools into your SOC/SIEM solution.
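To put numbers behind the passphrase recommendation above, here is an added example (not code from the original post or from any vendor it mentions) that computes the entropy of random passwords and passphrases and generates a passphrase with a cryptographically secure source. The wordlist is a constructed 16-word stand-in; only the list size enters the math, and in practice you would substitute a real list such as the 7,776-word EFF large wordlist.

```python
import math
import secrets

# Constructed, deliberately tiny wordlist standing in for a real diceware-style
# list (7,776 words) or the 2,048-word list the xkcd comic assumes. Only the
# *size* of the list matters for the entropy calculation.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "basket", "candle",
    "dragon", "engine", "falcon", "garden", "hammer", "island", "jacket",
    "kettle", "ladder",
]


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` characters chosen uniformly at random
    from an alphabet of `alphabet_size` symbols (e.g. 95 printable ASCII)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy in bits of `word_count` words chosen uniformly at random,
    with replacement, from a list of `wordlist_size` words."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from a `wordlist_size` list that reaches
    `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Generate a passphrase using the `secrets` CSPRNG, never `random`."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    # Four words from the 2,048-word list in the comic vs. an 8-character
    # random password over 95 printable characters.
    print(f"4 words x 2048 list : {passphrase_bits(4, 2048):.1f} bits")
    print(f"8 chars x 95 symbols: {password_bits(8, 95):.1f} bits")
    # How many EFF-list words match an 11-character random password?
    print(f"words for {password_bits(11, 95):.1f} bits: {words_needed(password_bits(11, 95), 7776)}")
    print("sample:", generate_passphrase(4))
```

Note that the entropy figures assume the words are picked uniformly at random by a machine; a passphrase a human composes from favourite words is far weaker, which is why the generator uses `secrets` and a fixed list rather than asking the user to invent one.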
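The vault hygiene points above (delete unused logins, never re-use passwords, keep TOTP seeds and recovery codes out of the vault) can be checked mechanically against a vault export. The following is an added example, not code from the original post or from any password manager vendor; the CSV column names and the sample rows are constructed assumptions, and a real export will need its columns mapped onto them. The `otpauth://` URI scheme it looks for is the standard format authenticator apps use to import TOTP seeds.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names are an assumption; map your own
# manager's export onto them. The TOTP secret and recovery codes are dummies.
SAMPLE_EXPORT = """title,username,password,notes,last_used
Corporate VPN,nathan,Tr0ub4dor&3,,2023-02-01
Personal webmail,nathan,Tr0ub4dor&3,,2023-01-20
Old CRM (decommissioned),nathan,CrmP@ss2019,Vendor contract ended,2020-06-15
Payroll portal,nathan,k9$Lm2!qRz8#,otpauth://totp/Payroll:nathan?secret=JBSWY3DPEHPK3PXP&issuer=Payroll,2023-02-03
Cloud console,nathan,Wq7!zP2@mN9,Recovery codes: 1234-5678 8765-4321,2023-02-05
"""

STALE_AFTER = timedelta(days=365)

# Anything matching these in the notes field means a second factor is sitting
# next to the password it is supposed to protect.
SECOND_FACTOR_PATTERNS = [
    re.compile(r"otpauth://", re.IGNORECASE),          # TOTP/HOTP seed URI
    re.compile(r"recovery\s+codes?", re.IGNORECASE),   # backup/recovery codes
]


def audit_vault(export_text: str, now: datetime) -> dict:
    """Return hygiene findings for a CSV vault export.

    Findings reference entries by title only; the report never echoes a
    password, so it is safe to paste into a ticket.
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))
    by_password = defaultdict(list)
    stale, second_factor = [], []

    for row in rows:
        by_password[row["password"]].append(row["title"])

        last_used = datetime.strptime(row["last_used"], "%Y-%m-%d")
        if now - last_used > STALE_AFTER:
            stale.append(row["title"])

        if any(p.search(row["notes"]) for p in SECOND_FACTOR_PATTERNS):
            second_factor.append(row["title"])

    # Groups of entries sharing one password, without the password itself.
    reused = sorted(titles for titles in by_password.values() if len(titles) > 1)

    return {
        "reused": reused,
        "stale": stale,
        "second_factor_in_vault": second_factor,
    }


if __name__ == "__main__":
    report = audit_vault(SAMPLE_EXPORT, now=datetime(2023, 2, 9))
    for finding, items in report.items():
        print(f"{finding}: {items}")
```

Run it against a fresh export, then delete the export file: an unencrypted CSV of your vault is exactly the liability the cleanup is meant to remove, so do the audit on a trusted machine and shred the file afterwards.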

The future is here. Between FIDO keys, Single Sign On, and passkeys, there is a future where we don’t have many passwords at all, and that is a good thing. In fact, machineLOGIC will be eliminating passwords in Q2 of 2023 for most of our internal systems as part of embracing these changes.

As with many things related to Cyber Security, this is a complex topic with lots of variables. Let us help you simplify your password management approach.

Nathan Taylor