For modern internet users, one pain point that has yet to be resolved is passwords. Each of us uses a myriad of websites and applications, and choosing and remembering a distinct, strong password for every one of them is hard. Many people fall back on reusing one password across all their services, which means that a breach at any one of those services exposes every account that shares the password.
Another approach is to use a password manager. Services like LastPass and 1Password do a good job of helping to keep the many different services we use secure. But relying on them arguably carries its own risk: we are putting all of our metaphorical password eggs in one basket.
That risk was thrown into stark relief today by news from LastPass that it detected a breach last Friday. The company told its users that its security team had discovered and blocked “suspicious activity” on its network. LastPass was quick to say that it has found no evidence that the encrypted password vaults themselves were taken or that user accounts were accessed, but it did confirm that account email addresses, password reminders, server-side per-user salts, and authentication hashes were compromised.
Some of this data could, at least in theory, let attackers recover actual master passwords: a password reminder may hint at the password directly, and a stolen authentication hash can be attacked offline by guessing, which succeeds quickly if the original password was weak or appears in a common wordlist. LastPass does point out that each hash is salted per user and strengthened with 100,000 rounds of server-side PBKDF2-SHA256 on top of the rounds performed client-side, which it says will make it “difficult to attack the stolen hashes with any significant speed.” That stretching raises the cost of every guess; it does not make a weak or reused master password safe.
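To make the "difficult to attack with any significant speed" claim concrete, here is an added illustration (not LastPass's code) of the shape of scheme the notice describes: a login key stretched on the client, then a server-side PBKDF2-SHA256 hash with a random per-user salt and 100,000 rounds. The 100,000 server-side rounds are the figure LastPass cited; the client-side round count, the account data and the wordlist are constructed assumptions for the demo. The attacker function shows what a thief of the stolen record must recompute for every guess, and the timing helper shows how much the stretching costs per guess compared with an unstretched hash.

```python
import hashlib
import os
import time

# Added illustration, not LastPass code. Models a per-user salt, client-side
# stretching and 100,000 rounds of server-side PBKDF2-SHA256 (the figure in the
# LastPass notice). The client-side round count is an assumption for the demo.
CLIENT_ROUNDS = 5_000      # assumed client-side stretching
SERVER_ROUNDS = 100_000    # server-side PBKDF2-SHA256 rounds cited by LastPass


def client_key(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side stretch: derive the login key from the master password and the
    account email so the password itself never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), rounds)


def auth_hash(login_key: bytes, salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side stretch with a random per-user salt; this is what gets stored."""
    return hashlib.pbkdf2_hmac("sha256", login_key, salt, rounds)


def register(email: str, master_password: str,
             client_rounds: int = CLIENT_ROUNDS, server_rounds: int = SERVER_ROUNDS) -> dict:
    """Create the record a server would keep for an account (the kind of record
    that was stolen: email, salt and authentication hash)."""
    salt = os.urandom(16)
    key = client_key(master_password, email, client_rounds)
    return {"email": email, "salt": salt, "hash": auth_hash(key, salt, server_rounds)}


def offline_attack(record: dict, wordlist, client_rounds: int = CLIENT_ROUNDS,
                   server_rounds: int = SERVER_ROUNDS):
    """What a thief of the record must do: rerun both stretches for every guess.
    Returns the matching guess, or None if nothing in the wordlist matched."""
    for guess in wordlist:
        candidate = auth_hash(client_key(guess, record["email"], client_rounds),
                              record["salt"], server_rounds)
        if candidate == record["hash"]:
            return guess
    return None


def seconds_per_guess(record: dict, client_rounds: int, server_rounds: int,
                      trials: int = 3) -> float:
    """Measure the attacker's per-guess cost at a given round count."""
    start = time.perf_counter()
    offline_attack(record, ["not-the-password"] * trials, client_rounds, server_rounds)
    return (time.perf_counter() - start) / trials


# Constructed sample data: a weak master password and a tiny wordlist.
WEAK_PASSWORD = "password123"
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]

if __name__ == "__main__":
    record = register("alice@example.com", WEAK_PASSWORD)
    # A weak password falls to a wordlist regardless of stretching...
    print("recovered:", offline_attack(record, WORDLIST))
    # ...but every guess costs the attacker the full round count.
    fast = seconds_per_guess(record, client_rounds=1, server_rounds=1)
    slow = seconds_per_guess(record, CLIENT_ROUNDS, SERVER_ROUNDS)
    print(f"unstretched: {fast * 1e6:.1f} us/guess; stretched: {slow * 1e3:.1f} ms/guess "
          f"({slow / fast:.0f}x slower)")
```

Two things to notice when running it: the per-user random salt means two accounts with the same master password get different hashes, so an attacker cannot precompute one table for the whole stolen database; and the stretching only multiplies the cost per guess, so a password that sits near the top of a wordlist is still recovered almost immediately.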
LastPass is prompting all users to set a new master password for their vault, and is requiring users to verify their identity by email when logging in from a new device or IP address unless multifactor authentication is enabled on the account.
The incident, while unfortunate, will rekindle the debate about the safety of a centralized password service. Opponents will argue that relying on one service means a single compromise can expose every one of an individual’s accounts. Proponents of password managers will point out that these vendors have a single focus, keeping passwords safe. They suggest, with some validity, that a professional password management service devotes all of its attention to that task and is therefore, even with the risks of a single point of failure, still the best option available.
One thing this incident does remind us of is the importance of two-factor authentication. When a second factor is required on top of the password, even an attacker who has obtained a user’s master password cannot log in without also controlling the second factor, such as the user’s authenticator device.
Advances in biometric authentication, and the work being done by a host of different organizations, may resolve these problems in the future. For now, however, we internet users walk a tightrope: these services bring enormous utility to our lives, but our reliance on them introduces new and potentially devastating risks.