From our CTO: Password Managers

You may have recently seen news about a company that makes a very popular password manager. They had a major security incident and many people in our industry are appropriately concerned about some of the ramifications of that incident. More importantly, that company’s approach to security was concerning. There are some important things to discuss about that incident, their approach, and how we should respond.

The first thing that comes to mind is that you are correct if you are feeling like these incidents are becoming more and more common. As attacks and their effects are becoming more common, the media coverage is also increasing.

One perspective on this specific incident is that we need to evolve our approach as consumers and businesses. Breaches are going to happen, and the responsible and defensible approach is to have systems built to limit the impact of breaches and deploy systems to detect them quickly.

Responsible vendors ethically report when they do have an incident. In this case, this vendor did some things well and other things less well in their approach to disclosing this incident.. As time has gone on, it’s become clear that they cut some corners in their approach to security that left gaps which very concerning. They have also been slow to fully own the breadth of those concerns.

Does this mean we should abandon password managers and start writing our passwords on sticky notes again? I don’t think so. While our confidence in that specific vendor has been shaken, there are other password manager vendors that are trustworthy and using them is still the best approach.

Here are some more in-depth thoughts and recommendations on the topic:

• Don’t give up on Password Mangers. When responsibly implemented and managed, they are still a superior option to most of the alternatives (password re-use, Password spreadsheets, sticky notes, etc.)

  We can recommend a couple of vendors that have a more secure approach and help you implement them. The good vendors have properly implemented end to end zero knowledge encryption. Here is a good read on how 1Password approaches this topic:

  How 1Password Keeps Your Data Safe, Even In the Event of a Breach | 1Password

• Use MFA (Multi-factor Authentication) everywhere. MFA reduces the risk of a breach like this dramatically. Your password may be compromised, but the threat actor needs another variable to compromise the account.

  Whenever possible use an authenticator app (Microsoft authenticator) or a Fido 2.0 key (yubikey) instead of text message (SMS) or email MFA. Although Text Message or email-based MFA is better than no MFA, but both come with their own set of security concerns.

  Microsoft 365 and the Microsoft Authenticator app also support some great passwordless optoins including number matching with location data. This will be the default experience starting February 27th 2023:

  Microsoft 365: How to use number matching in multifactor authentication (MFA) notifications

• Use Passphrases instead of complex passwords. Longer passwords/passcodes have so many upsides and are easier to manage/remember if needed.

  Here’s a link to a comic that explains this well: xkcd: Password Strength

• Keep your passwords tidy. As a business and personally, it’s worth cleaning up your password manager on a regular basis. If the password is not in use, close the account and delete the login. Old unused passwords in your vault may be attack vectors in the case that data is stolen. Extra passwords become a liability.

  I have a feeling that many users of the password manager we mentioned before are wishing they had kept a cleaner vault. This is one of the reasons machineLOGIC deletes customer credentials as soon as projects or engagements end. That data is a liability to us and the customer.

• Never re-use passwords: This is one of the big wins that password managers facilitate and it’s critical that you only use passwords in one place and don’t re-use passwords. Ever.

  Many breaches are happening because a user uses the same password on a personal app and on a work account. When that personal app is breached, those credentials are used against corporate assets. Busy executives are often especially bad about this. Threat actors are smart and will correlate data.

• Use Role based Access: Limit access to passwords to those who need them. Apply this corporately and personally.

• Don’t store your MFA keys or TOTP codes (Time-based One Time Passwords) in the same product/solution as your passwords. Many password managers will offer to be your MFA token management solution as well. We recommend keeping them separate in a tool like Microsoft Authenticator, Google Authenticator, or stored on a YubiKey.

  Ask your IT service providers if they maintain separate solutions with separate access controls for customer password management and MFA codes. This is a critical security control.

• Be careful where you store your recovery keys. Just like MFA keys, recovery keys should be stored carefully. When you set up new accounts, you often get a recovery code that can be used in case your MFA method fails you. Don’t copy those into the notes in your password manager. This defeats the purpose of MFA when both factors are in one place. Find another secure location to store those. We often don’t even keep these codes as they are a security risk and are often not the best way to address MFA method recovery, especially in a corporate setting.

• Use Single Sign On where appropriate or available. Solutions like corporate Single Sign on with Azure AD (Office 365), Okta, or Sign on with Google/Apple for personal accounts greatly reduce the number of passwords you need to manage and reduces the risk. When properly implemented, SSO means the vendors/sites you log in to don’t store a password for your account, and you don’t either.

  Single Sign On (SSO) has many benefits especially in a corporate context as it can dramatically simplify and improve employee onboarding and offboarding processes, add security controls to tools that don’t have them, and provide security data on diverse tools to your SOC/SIEM solution. SSO also allows you add security controls like Microsoft's conditional access to tools that don't have them.

• Consider using a Fido 2.0 key (Or two!). A Fido key is a physical USB device that combines physical possession and a pin number to provide passwordless multi-factor logins. Vendors such as Yubico provide Fido 2.0 keys that are cost effective and are a great option for improving security.  We do recommend buying 2 keys in case you lose one. These methods not only reduce your exposure to password issues, but they are also hardened against some of the more common phishing attacks. 

  Setup a 2FA Key for MAXIMUM Online Security! (Yubikey Tutorial) - YouTube

  We especially recommend using fido keys for important accounts like your primary personal email address. Gmail and other solutions fully support securing those critical accounts with physical FIDO keys. This is a dramatic improvement in your security.

  The reason this is so critical is that personal accounts are the common denominator on so many things including banking, password resets, and alerts for changes. Once a threat actor has access to your personal account, there are so many directions they can pivot, including into corporate assets in some cases.

  Apple now supports security keys for login on iCloud accounts
  
  
• Password manager vendors to consider. There are a few vendors that we do recommend looking into if you are looking for a new option:
  
  
  • 1Password
    
    
  • Keeper Security
    
    
  • Bitwarden
    
    

• Keep an eye out for developments on the Passkey front. Microsoft, Apple, Google, and vendors like 1password are embracing Passkeys as a more secure way to manage access and this will be a huge win for consumers.
  

  • Passkeys—Microsoft, Apple, and Google’s password killer—are finally here | Ars Technica

  • Passkeys: the future of authentication in 1Password

  • RIP, Passwords. Here's what's coming Next:
    

The future is here. Between Fido keys, Single Sign On, and Passkeys, there is a future where we don’t have many passwords at all and that is a good thing. In fact, machineLOGIC will be eliminating passwords in Q2 of 2023 for most of our internal systems as part of embracing these changes. 

As with many things related to Cyber Security, this is a complex topic with lots of variables. Let us help you simplify your password management approach.