Learning that the world’s largest password manager suffered a security breach can unsettle us all. Last week, LastPass informed customers of a security breach, stating that attackers gained access to their development environment and stole “portions of source code and some proprietary LastPass technical information.”
Full disclosure: I’m a long-time user of LastPass. As a customer, I am concerned by the news, worried this could lead to the compromise of my data.
LastPass assures customers like me that no personal data was compromised. The company FAQs explain, “We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password.” This is somewhat reassuring. But the company continues to investigate, and security experts expect more revelations to come.
At Transmit Security, we take no pleasure in this news. It raises security concerns for everyone when an attacker targets a password manager. This breach is a harsh reminder that our accounts will not be safe until we eliminate passwords completely. Until then, there are some valuable takeaways from this event that can show us where to go from here.
Cybercriminals are highly motivated to hack into password managers — so they can monetize a treasure trove of credentials. Since 2011, LastPass has endured seven security breaches. In a much more serious 2015 hack, attackers accessed their network, and customers like me were advised to change master passwords.
To be clear, LastPass is not alone. In 2021, Australian-based password manager Passwordstate was breached by hackers who inserted malware in a software update, much like the SolarWinds attack. Customers who downloaded the update exposed all of their passwords. Cybercriminals work hard to find security gaps, and in this case, their efforts paid off in spades.
In 2014, researchers at the University of California at Berkeley discovered security flaws in LastPass and four other password managers: RoboForm, My1login, PasswordBox (now Intel Security), and NeedMyPassword.
Here’s a tough lesson we need to accept: it’s not just password managers at risk. The bad guys go after passwords wherever they can be found. The majority of compromised passwords come from breaches of websites and from phishing or other techniques that trick users into exposing their passwords. Cybercriminals harvest and sell passwords to be used for account takeover and theft of personally identifiable information (PII).
The more important lesson here is not intended for the users of password managers. In fact, I will continue to use LastPass because I must still use passwords for so many sites. Good password managers like LastPass provide a very valuable service, but it’s a service that should not need to exist much longer.
Instead, this lesson is for businesses that require their customers to use passwords. The issue here is not simply a matter of poor security. Passwords make it harder for prospects to register a new account and for customers to log in and do business with you. Ultimately, they tarnish your brand.
Consider these data points:
It’s time to stop requiring passwords.
Many passwordless authentication methods provide a much higher level of assurance for services and their users. But one in particular is especially effective: FIDO2-based biometric authentication, which uses fingerprint or facial biometrics to achieve strong multifactor authentication with exceptional ease of use.
Most of us already use biometrics to unlock our smartphones or laptops; FIDO2 authentication leverages those same biometrics to unlock a cryptographic key on your device to securely log you into a web site or an app. It solves the problem of weak security and poor customer experience at the same time. Read more on password alternatives.
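To make the mechanism in the two paragraphs above concrete, here is an added Go sketch of the FIDO2/WebAuthn login (assertion) flow; it is example code written for this post, not Transmit Security's code or any FIDO library's. It assumes a P-256 key pair, a constructed challenge and a constructed authenticatorData byte string, and models the device's biometric check as a boolean evaluated locally; `Register`, `Sign`, `Verify` and `signedDigest` are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData mirrors WebAuthn's collectedClientData; challenge and origin are under the signature.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Register is enrolment: the key pair is born on the device and only the public half goes to the site.
func Register() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the WebAuthn signing input.
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// Sign models the device: the biometric result (userVerified) only unlocks the private key, which never leaves it.
func Sign(priv *ecdsa.PrivateKey, userVerified bool, authData []byte, cd ClientData) (cdJSON, sig []byte, err error) {
	if !userVerified {
		return nil, nil, fmt.Errorf("biometric check failed: key stays locked")
	}
	cdJSON, _ = json.Marshal(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdJSON))
	return cdJSON, sig, err
}
// Verify models the relying party: it holds only the public key and checks ceremony type, the challenge
// it issued and its own origin (so an assertion made for a look-alike site is useless here), then the signature.
func Verify(pub *ecdsa.PublicKey, challenge, origin string, authData, cdJSON, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(authData, cdJSON), sig)
}
func main() {
	priv, _ := Register()
	authData := []byte("constructed-authenticator-data") // stand-in for real authenticatorData bytes
	cd := ClientData{Type: "webauthn.get", Challenge: "constructed-challenge", Origin: "https://example.com"}
	cdJSON, sig, _ := Sign(priv, true, authData, cd)
	fmt.Println("login accepted:", Verify(&priv.PublicKey, cd.Challenge, cd.Origin, authData, cdJSON, sig))
}
```

The server-side store holds only a public key, so a breach of the relying party yields nothing an attacker can replay, and a signature produced for a different challenge or origin is rejected.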
Keep in mind, passwordless is much more than FIDO2 and biometrics. Companies often offer a range of passwordless authentication options for those who are not ready or able to use biometrics. Magic links, time-based one-time passcodes (TOTPs), SMS OTPs and social logins are all forms of passwordless (or password-less) authentication that most anyone can use.
These methods offer varying degrees of security assurance, but they are generally stronger than reusable passwords and enable companies to eliminate their greatest customer account takeover risk.
To learn more about passwordless security, I recommend our passwordless buyers guide.