For many, passwords are the bane of our digital lives, an inconvenience we begrudgingly accept. Ultimately, they are good for us – as long as we use them properly, which, as research shows, we often don’t.
However, with the advent of password managers, the burden of remembering and creating countless strong and unique passwords has been lifted. But even these tools are not perfect, and are still considered troublesome enough, for whatever reasons, for many of us to avoid using them.
Perhaps, then, the real solution to our online security woes lies in passwordless technologies, such as passkeys. These place our account security in the hands of the big technology companies that, under the banner of the FIDO Alliance, set and implement the standards. Cryptographic keys are created on our devices to authenticate our logins, without anyone ever needing to know or type them. But here too, there are problems.
TechRadar Pro sought the opinions of Roger Grimes, a seasoned veteran in the world of online security who currently holds the exotic title of Data-Driven Defense Evangelist at cybersecurity training firm KnowBe4. He discusses the pros and cons of passwords and password managers, the future of passwordless technologies – and, of course, the now-infamous LastPass breach.
Password managers
If passwords remain a key pillar in our online security posture, password managers provide the foundation. But they are not all created equal. In discussing what makes the best password managers secure, Grimes says:
“It’s a whole lot of things, starting with a password manager company that takes secure development seriously. This means all of their programmers are trained in secure development lifecycle (SDL), which teaches programmers how to avoid common programming mistakes that lead to vulnerabilities, requires the use of secure-by-default programming tools, and builds in security from the very beginning to the end.”
He adds, “Password manager companies should also do internal AND external code reviews and penetration testing. They should also offer rewards for outsiders who find and report bugs (e.g., bug bounties). Moreover, they should make sure they use industry-accepted cryptography and key sizes…no customized cryptography.”
On this issue of encryption, Grimes believes that the method used by a given password manager is “very important; vital even. All stored information, not just passwords, should be encrypted by industry-accepted cryptography and key sizes. A compromise at the vendor’s site or reliant third parties should not result in the user’s information being compromised.”
He also explains that different vendors use different methods:
“Some password manager vendors use customized, non-standard, cryptographic algorithms. Some password managers use weak settings. Some password managers don’t encrypt ALL customer information. Some password manager vendors store encrypted information in such a way that a compromise of the password vendor’s site or reliant third parties will result in the reveal of customer information. These should all be avoided.”
What’s more, Grimes says that password managers need to “securely protect ALL stored customer information, including passwords, notes, involved websites, etc. The information needs to be encrypted during storage and transport, no matter where it’s stored. Only the customer should be able to decrypt the information.”
When it comes to flaws that may be discovered later in a password manager’s lifetime, “the password manager vendor needs to be responsive and transparent to customer requests about security issues. The vendor needs to quickly patch any found vulnerabilities.”
And on the issue of users being able to secure their vaults properly, “Password manager logins should be protected by strong master passwords and offer login by phishing-resistant multifactor authentication (MFA) solutions,” such as those requiring the use of authenticator apps.
In a somewhat worrying conclusion, Grimes says that he isn’t aware of “any password manager vendor doing all of [the above] things, though some are doing a lot to most of these things. Go with those password manager vendors.”
Business use
With the rise in remote and hybrid working arrangements since the Covid-19 pandemic, keeping track of credentials across multiple endpoints in numerous locations has become more important than ever, in turn making password managers a must for any enterprise.
Grimes mentions 1Password, one of the most popular password managers, as an example of a solution doing the right thing by making sure credentials remain secure when they are spread far and wide:
“Do something like 1Password does, where the ultimate secret is only known and stored by the user (i.e. password manager client on the user’s behalf). An attacker gaining access to 1Password’s stored customer vaults will not be able to decrypt the data.”
“As an example, 1Password assigns the user a random “master key” during first install that is simply a long series of numbers broken up by hyphens…something like 12345-4545-7843-3245. The master key is only stored on the devices that the user has installed the password manager on and allowed the key to be stored there.”
“The master key is used to further encrypt the user’s password vault, along with the normal symmetric key that most password managers use, before the vault is stored locally or uploaded to the vendor’s website. So that if an attacker gets the user’s vault from the vendor (as did happen in one of the recent LastPass breaches), not only can’t the attacker decrypt it, even with the user’s symmetric key, but neither can the password manager vendor.”
“It keeps the password manager vendor’s site and their third party reliances from being the weak link because they don’t have enough information to decrypt the user’s vault, unless they also compromise one of the user’s devices where the master key is stored (at which point the user’s device would be compromised and there would be no need for the password manager vendor to be involved).”
Grimes also singled out Apple as another company that handles end-to-end encryption properly:
“If the FBI comes to Apple and asks for a user’s information, it’s encrypted in a way that Apple can’t decrypt…only the user has the ultimate master key that can decrypt their data. So, Apple can hand over the data to the FBI, but it would be further encrypted with the user’s key which is only stored on the user’s device.”
He also explained one of the big flaws of this approach, though:
“If the user loses their master key (example, suppose the user’s device completely crashes), then the data stored at the vendor will not be of use to either the vendor or the user. The master key encrypted data would be lost forever.”
Despite this, Grimes claims that “end-to-end encryption is becoming more popular and requested by users for privacy and security reasons. With an end-to-end master password you can make sure no one else can get at your data…not the vendor…not an attacker…not law enforcement, without first compromising the user’s local copy…which if compromised is game over for the user anyway.”
The LastPass incident
And so we come to the incident with LastPass, the most infamous case of a prominent password manager being hacked and user vaults stolen. Information about the breach trickled out in stages, until earlier this month, when the full truth behind the incident was revealed by the company itself.
Essentially, a threat actor targeted a single DevOps engineer at the firm, who held decryption keys for the firm’s Amazon S3 cloud storage buckets, which contained backups of users’ vaults. They hacked the engineer’s private computer via an exploit in a piece of media software on that device, installed a keylogger and captured the master password to the corporate vault as the engineer entered it, all without anyone knowing. From here, it was game over.
“The fact that LastPass didn’t encrypt all stored user information is concerning. The fact that LastPass uses weak and customized cryptography is concerning. Yes, LastPass is to blame for all those continuing issues,” says Grimes.
Perhaps more concerning, though, is Grimes’ assessment of other password managers relative to LastPass:
“LastPass is probably average to slightly above average as far as all password managers go. There are dozens of password managers, and many of them absolutely have weaker security than LastPass.”
Again, though, Grimes singles out 1Password as optimal in this regard: “What we want is all password manager vendors to do something like what 1Password does or even better. 1Password is the acceptable standard bearer right now. They are showing how the secure storage of customer vaults really should be done.”
Are passkeys the future?
Looking ahead, however, many experts are predicting the extinction of passwords altogether, arguing that they are no longer fit for purpose in the ever-increasing digitization of our lives, whereas passwordless systems offer much better security and convenience. Grimes does believe in the technology to an extent:
“I think passkeys are a good thing… I’m for any authentication method that is phishing-resistant. Most authentication, including the vast majority of MFA, is as easy to phish as a password.”
“Passkeys are phishing-resistant because they are FIDO-enabled. The reason why FIDO-enabled solutions are phishing-resistant is that the first server response to any new client connection includes a digitally signed direct https: URL connection to the server they are trying to connect to.”
“Thus, if a client was tricked into connecting through a man-in-the-middle site, the new URL tells the client where to connect from then on…removing the MitM site out of the communication’s stream.”
“As an example, suppose the client was tricked into connecting through malicious mitm.com to legitimate server.com. FIDO would tell the client to connect directly to server.com for the next connection, dropping mitm.com out of the connection stream. Anything can be hacked and involved in social engineering, but FIDO removes the most popular type of social engineering involving MFA and passwordless connections.”
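The relying-party side of the origin binding that makes FIDO/WebAuthn logins phishing-resistant, as an added Python example that is not from the article or any FIDO implementation: the browser records the origin it is really connected to inside the signed client data, and the credential is scoped to the relying party’s RP ID, so an assertion produced while the victim is on mitm.com is rejected by server.com. The HMAC signature stands in for the authenticator’s ECDSA key pair; `RP_ID`, `CRED_KEY` and the origins are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "server.com"                       # RP ID the credential is scoped to
EXPECTED_ORIGIN = "https://server.com"     # the only origin the RP accepts
CRED_KEY = b"constructed-credential-key"   # stand-in for the credential's key pair

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def browser_assertion(origin: str, challenge: bytes) -> dict:
    # The browser, not the user, records the origin it is really connected to;
    # the authenticator signs authenticatorData (sha256(rpId) + flags + counter)
    # together with the hash of that clientDataJSON.
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64u(challenge),
                              "origin": origin}).encode()
    rp_id = origin.split("://", 1)[1]
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(CRED_KEY, signed, "sha256").digest()}

def rp_verify(a: dict, issued_challenge: bytes) -> str:
    # Relying-party checks in WebAuthn order; returns "ok" or the rejection reason.
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if not hmac.compare_digest(b64u_decode(cd.get("challenge", "")), issued_challenge):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch: " + str(cd.get("origin"))
    ad = a["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return "user not present"
    signed = ad + hashlib.sha256(a["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(CRED_KEY, signed, "sha256").digest(), a["signature"]):
        return "bad signature"
    return "ok"

def login_via(origin: str) -> str:
    ch = secrets.token_bytes(32)               # fresh per-login challenge from the RP
    return rp_verify(browser_assertion(origin, ch), ch)
```

In a real deployment the browser would not even offer a server.com credential to a page on mitm.com; the server-side checks shown are the backstop that rejects anything relayed.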
But when comparing passkeys to passwords secured with password managers, Grimes takes a somewhat surprising position:
“In general, I like a good password manager better. Why? For one, passkeys are currently locked into one platform. If you use passkeys on Microsoft Windows, that implementation only works with Microsoft Windows and products. Passkeys on Google products only work with Google products. Passkeys on Apple only work with Apple products. If you use multiple platforms you’ll need to store, operate, and update your passkeys separately even if you are connecting to the same websites. Meaning if you set a passkey on a website using Microsoft it won’t automatically be there to use if you go to the same website on your Apple product; and vice-versa. That’s a problem in today’s multi-platform world.”
“I also like true multifactor authentication products. Passkeys can be single-factor. I don’t like single-factor products as much as I like MFA products. And password managers can do so much more than what passkeys can do. My password manager automatically notifies me when one of the websites I belong to gets compromised. It allows me to store secure notes that have nothing to do with logins, like my will. I can store my credit card information separately from my browsers. I can store electronic licenses and passports. I think there is a VERY GOOD CHANCE that all of us will be using lots of passwords, lots of MFA options, a password manager, and passkeys in the near future.”
Grimes also takes issue with the purported scope of passkeys’ adoption:
“I think it’s wishful thinking that any one of these technologies will completely replace all the others. And passwords aren’t going away anytime soon, if ever. Passwords will be with us for at least another decade, if not forever. Not all websites work well with password managers either.”
He also adds that “if you added up all the MFA solutions in the world, they don’t work with 2% of the world’s sites and services. And passkeys, great as they are, don’t work with a thousandth of one percent of the world’s websites and services, at least not yet.”
In summation, it’s fair to say that Grimes takes a more skeptical approach to the apparent ease with which passwordless solutions will supplant passwords: “The future of authentication is more diluted and murky than seamless and universal. It’s unfortunate, but so far, I’ve not seen any signs of any technology better than passwords taking over anytime soon. I wish I was wrong.”