Vancord CyberSound

064 - LastPass: The Value of Password Vaults

November 08, 2022 Vancord Season 1 Episode 64
Vancord CyberSound
064 - LastPass: The Value of Password Vaults
Show Notes Transcript

Password protection management is a fundamental practice you and your organization should utilize to keep your credentials safe.

There are many password managers available, but today, Jason, Steve, and Matt dive into their preferred software, LastPass, to speak on the marriage of security and convenience this tool provides. The team stresses how incidents can prove the value of password vaults and reassures any concerns about using these platforms.

00:01

This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl, Steven Maresca and Matt Fusaro.


Jason Pufahl  00:13

Welcome to CyberSound. I'm your host, Jason Pufahl, joining me today, as always, Matt Fusaro and Steve Maresca. 


Matt Fusaro  00:20

Hey everyone.


Steven Maresca  00:21

Hi there. 


Jason Pufahl  00:21

So we spend a lot of time talking about or talking with people about secure password management, credential management, etc. Whenever I do a security awareness presentation, the question I get 100% of the time, really every single time is, how do we know that the password manager that you're recommending us to use is more secure than writing something down on paper, putting it in an Excel spreadsheet, right, just remembering one password for everything? I usually feel like I've got a pretty defensible position when I'm talking with people, except we have recently had another LastPass security incident, right. And for those of you who may not be familiar, LastPass is one of the more popular password managers that are out there. We use it, we recommend it regularly. I think today's discussion really is, what's the impact to folks who use LastPass, do we change our position at all related to password managers and are we going to tell people not to use them? What is the incident, that's probably a good place to start, you know, what actually what happened to LastPass this time, because it isn't the first time. And is there reason for concern?


Steven Maresca  01:39

So you know, just for some background, other password managers that are common out there are Dashlane, KeePass, Keeper, 1Password, definitely not a notebook hidden under a bed, or a post it note under a keyboard. But you know, they all do the same thing. You may have heard of them, may have been told to use them, please use them. But ultimately, LastPass has been around since what, 2010? 


Jason Pufahl  02:07

Give or take, certainly 10 years or around there.


Steven Maresca  02:09

So a long 10 year, lots of people use it. It's hard to move away from a password management platform once you've started using it. So, you know, people may be long term users of any of those platforms. But that means that the breaches, the incidents, actually matter more. I think the main underpinning is that all of them are designed to be tolerant of security incidents.


Matt Fusaro  02:34

Yeah, so I think that's what's so hard about this is it's really hard to describe to people why it's not a problem if these places have breaches, right. I mean, certainly some types of breaches might expose the master passwords and stuff like that, depending on how that stuff has been stored. But if they do this correctly, which it appears LastPass is has done that and most of the popular ones do it, your master password, that one that they asked for when you log into it, that's usually not stored anywhere where they're going to be able to access it. And because of the way it operates, without that, even if an attacker stole the whole database of keys, they would never be able to get into it without that, right, it would take an extreme amount of compute power to get to any of that. But it's hard to describe that to someone who doesn't understand cryptography or doesn't understand how a password manager would actually work. And that's why I think you'll have skepticism there.


Jason Pufahl  03:30

So in the past, LastPass, they had an incident, maybe in 2021, where the credential database was stolen, and there was no impact there, right? Because it was properly encrypted, and to your point, accessible, each vault was individually accessible only via the master password. So as long as they didn't have that, it was an incident, but a non impactful incident. And in this case, it was, if I recall, it was a Source Code Disclosure, right, a source code, source code. 


Steven Maresca  03:58

Yeah, one of their developers had their credentials compromised. And that led to Source Code Disclosure, that led to you know, internal documentation leaks. So, you know, arguably, you know, any layperson would think, oh, well, they have the keys to the kingdom now. And that, it does sound that way. But when we're talking about computer programs in general, and math, to be more general about it, having a formula doesn't inherently in and of itself, give you the answer. And that wildly oversimplified statement is why at the end of the day, properly built systems like this can withstand attack.


Jason Pufahl  04:38

And not only, just having the formula not give you the answer, a lot of commercial tools utilize open source components, right. So software that's freely available for review, scrutiny, etc., they're utilizing that. So the idea that LastPass is a commercial company, it's not like they only have their own purely proprietary, internally developed code. So I think we need to, we need to be a little less concerned about that piece probably.


Matt Fusaro  05:07

Yeah, things that would bother me about a breach like this, especially if source code gets leaked, is, you know, there may be vulnerabilities discovered that would cause a drive by download of a person's computer. So you individually, if you don't have your computer patched, or you don't have the latest version of LastPass, or one bet, whatever it might be, that's gotten breached, there may be a vulnerability that can be exploited locally, right? So you go to a malicious site, they may be able to get into your password manager, because they've have found a vulnerability through source code they stole, right. But I mean, we have to remember we're talking about, you know, we talk about risk all the time, right? You're reducing your risk by having different passwords all over the place, you can't remember them yourself, right? That's why we use a password manager, right, you're inherently making yourself less risky, things like this, sure, they can still happen, right, if you want to really mitigate that, then start looking at something like KeePass, which is, you know, local only password manager, but you give up your convenience, right, you have to remember that.


Steven Maresca  06:10

Right. And you know, the same sort of source code access that you're talking about with this example, in particular, may still affect something like KeePass, with a local only database of credentials. Some notable past incidents have involved, you know, targeting the browser plugins extensions, for password, vaults. And if you can interact with that and pretend to be a website, you may be able to trick it into supplying a credential. All of those routes are possible, right? What I'm concerned about in terms of messaging is essentially reassurance that merely having a breach of a provider of platform like this doesn't inherently mean that everything's lost. And that has to do with the way that cryptographically the data is defended, whether it's locally stored or housed in some sort of a third party location, you can only ever access the decrypted password to supply to a site by supplying multiple components of data into an algorithm very carefully constructed to be challenging to perform at scale. And that's how the data is kept safe. So you know, it's not the end of the world. That's the most important thing.


Jason Pufahl  07:27

So, step back a second. You used the word "reassurance" a minute ago. I think that's what LastPass has done so well here, actually, in at least the last couple of incidents that they've had, right, they're very transparent, they're quick to communicate. I think they're clear in what happened. Fortunately for them, right, I don't think either event was significantly impactful to its client base, right, but they did tell you about it. They didn't, there was no one month lag before you got any information, right? And that, because that immediately makes people feel like well, you I may have been at risk for a period of time you gave me no choice. They didn't do that. They're very quick to communicate, I think that they handle that incident response piece of of this, the communication part, really well.


Steven Maresca  08:12

And they are known in the past incidents, as well as working quite well with security researchers and actually being collaborative about it, saying, hey, no help us improve our product, because that, to the point of transparency, does nothing more than improve outcomes for everybody. Other platforms are just as worthy of merit here, worthy of some sort of a nod, Keeper is a great one. They have everything about their platform in the open; reports from third parties certifying their practices, policies, procedures, it's all available to download. Some vendors have that information only, you know, disclosed under NDA, that's not the case for these password keepers. And generally speaking, that's, it's inherent with delivering trust or fostering trust.


Matt Fusaro  09:05

Yeah, I think that was a big concern, too, when, specifically for LastPass when LogMeIn bought them, I want to say, what was that three years ago or so? Maybe a little bit more. Yeah, but it's nice to see that they've kind of kept with that whole ideal of being transparent.


Jason Pufahl  09:19

So, it sounds like, at least an easier view or recommending a move away from LastPass, or maybe password managers in general. I mean, it's, there's no, there's no reason to think that this approach that we've used now for the better part of 10 years, is any less secure with the incidents that occur.


Matt Fusaro  09:39

Yeah, I mean, if anything, it's kind of strengthened the position of LastPass, right, where they obviously they know how to handle a breach, and that the breaches that have happened to them, they've properly separated duty so that if something like this happens, they're protecting data pretty well. So I think while it's unfortunate that it happened, it does show that they can handle these things. These are really high value targets for an attacker. So it's not like this isn't going to happen again. And I'm sure one of the other ones will be next right, or LastPass again, who knows, but knowing that they know how to deal with this, and that their pattern from information being stolen is good.


Steven Maresca  10:16

And just for those who are interested in why this is the case, structurally, these tools try to separate some of the cryptographic computations to both be server side and client side, whether it's your phone, or your browser. And what that means is that the complete secret is only accessible if both sides of that equation are completed. Those who use most of these platforms know that, you know, the browsers, for example, are really aggressively validated as being, you know, attached to you with multifactor, or something to that effect, having secondary protections, in addition to master passwords. There might be a huge number of cryptographic rounds to protect a plaintext password on the server. But there is a similar level that also occurs in the browser, and they're deliberately slow, which means that even if an adversary has both sides of that exchange, it's prohibitively, computationally intensive to compute anything in a reasonable fashion.


Jason Pufahl  11:24

So, certainly one of the takeaways that I want from today's podcast for anybody who's on the fence about whether or not to use a password manager, frankly, for anybody who has non unique credentials for any website or business that they interact with, it still is in everybody's best interest to get on the path, make sure you've got unique credentials for every site, and really just store them in a password manager. I think it's the one, is one of the one of the few security tools that I think truly marries security and convenience, right. More often than not, we're in discussions around, well, implement this security control and by the way, it's going to make your job a little bit more cumbersome. These simply make your lives easier. Their plugins, make it easier to create these complex passwords you need, it makes it easier to input usernames and passwords into fields in browsers. Certainly, to your point, Matt, it makes it accessible on PCs and phones and any variety of location. They just make your life, they make your life better. And I think properly managed with LastPass is, I think the security risks are incredibly low. So on that note, I think the good news is, an incident doesn't discourage us from using them. I think LastPass certainly handled it properly. No reason to start even considering moving away from this.


Steven Maresca  12:46

Yeah and I'd say if, if there's an incident with a particular platform you're considering, and they came out of it appropriately, it does nothing, in my opinion, but strengthen that platform as a reasonable choice.


Jason Pufahl  12:57

Right. You know, it occurrs to me, before we adjourn, there is one thing that I want to ask you guys, every time that we do a security awareness presentation, we talk about password managers. There's always the comparison of, do I need a password manager if I use my browser, Google, to save my credentials, right, it always asks to save credentials. So I'm curious what your thoughts are, as far as a browser, sort of helping you create a password or saving credentials, in comparison to a password manager? Because that is something I think that's on people's minds a lot.


Matt Fusaro  13:32

Yeah, I mean, a lot of it is convenience, some of them don't sync, you know, if they synchronize, when I say synchronize, I mean, you go to your phone, you go to the computer, or something like that. Sometimes they don't, a lot of them do now, I think both Chrome, Firefox, maybe even Edge or whatever the name is now.


Jason Pufahl  13:50

It is Edge, right?


Matt Fusaro  13:53

I think that I think they all have that now. But yeah I mean, a lot of it's just usability. Most of the time, they're just storing using passwords, sometimes credit card numbers as well. 


Jason Pufahl  14:02

So that's a good point. It is usually limited, limited purely to credentials, right, rather than you can sort of social security numbers in LastPass, and credit cards and everything, right? 


Matt Fusaro  14:10

Yep, so yeah it's a little bit of that.


Steven Maresca  14:11

But you know, generally speaking, if I had to pick, it's a reasonable middle ground choice, it certainly improves the speed. It improves the complexity of passwords and removes the psychological barrier to pursuing unique passwords, right, which is the important part, net gain.


Jason Pufahl  14:12

On that note, that's your tidbit of the day from the CyberSound podcast. As always, we're happy that people joined today. We hope you got some value out of this. Thanks, everybody, for listening. We appreciate it.


14:42

We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.