Why password managers remain important safeguards, despite hacks

So, LastPass was hacked, but don’t fire the password manager just yet—the tool can still play an important, breach-stopping role, according to industry pros who spoke with IT Brew.

Despite the recent breach of the LastPass development environment, credential-handling applications are likely still a superior option to trusting employees who can frequently display a variety of bad authentication habits. (Looking at you, CEO with “QWERTY” on a Post-it note.)

“If I were to say, ‘Hey, drop that password manager today, what would you do? You’d go reset the same password for every single site and take a big step backward in [your] security posture,” said David Chase, research director for identity and access management at Gartner.

The hack

• According to an Aug. 25 blog post from LastPass, an unauthorized party compromised a developer account and took portions of source code and some proprietary technical information.
• “We have seen no evidence that this incident involved any access to customer data or encrypted password vaults,” according to the post.

LastPass

• LastPass has more than 30 million registered users.
• The service’s password manager creates complex passwords for all logins and stores them in an encrypted vault, which can only be accessed by the registered user with their encryption key. “Without that encryption key, the stolen passwords are useless. They’re locked. So it’s like stealing a giant safe out of someone's house. If you don’t have the keys to it, you can’t break into it,” said Jason LaPorte, CTO and CISO at New York-based Power Consulting Group.

Costs: According to an early 2022 IBM report that surveyed 550 breached organizations, the cost of a data breach averaged $4.35 million. Stolen credentials were the primary attack vector in 19% of breaches in the 2022 study.

Easy as 123456. Password managers like LastPass, 1Password, or NordPass generate (and often autofill) unique, complex passwords for one’s many logins—an organized, secure practice that employees don’t always master, and employers can find difficult to implement and enforce.

A survey from Nordpass found that “123456,” “password,” and “default” were among the most common passwords used by C-level executives, managers, and business owners.

“Users are terrible at managing their individual passwords, right?” said Chase. “They don’t create very long ones. They can’t remember long, strong passwords and the sites they go with. So you end up with these weak, reused passwords.”

While any attack on identity infrastructure is concerning and should be monitored, according to Chase, additional measures like multi-factor authentication and network analysis tools can add extra support to a potentially vulnerable password manager.

“The next layer of things that we’re seeing is identity threat detection and response: The ability to apply machine learning and analytics to the user’s behavior, and then remediate the threat on the back end,” Chase told IT Brew.

And there’s always the tried-and-true 2FA.

“The most important best practice is using multi-factor authentication on top of passwords for anything you can,” LaPorte said.