Last week, password wallet vendor LastPass experienced an outage. All LastPass systems and services have since been restored and are up and running. It is worth noting that this is not the first incident involving password wallet products. Past incidents include:
Last week’s outage at LastPass highlighted ongoing concerns around password management technologies, namely:
- Dependence on a single vendor’s solution for being able to log into personal and enterprise platforms creates risk. If the password manager infrastructure or vendor you trusted your passwords (or FIDO passkeys) with is unavailable, you are dead in the water, especially if you chose hard-to-crack and, thus, hard-to-remember long passwords.
- Password management solutions and their databases are high-value targets for attackers. Attackers go after password repositories because the credentials they hold enable access to sensitive data, lateral movement, and further compromise.
- Running device-side components increases the attack surface. Most password managers (including LastPass) have an on-device component that caches and synchronizes credentials on the client side and provides Windows login functionality for enterprise deployments when network connectivity is unavailable. Monitoring the on-device component’s binary integrity, memory use, and file access requires additional, specialized knowledge that endpoint detection and response solutions do not cover. This leaves users’ on-device stored passwords vulnerable to device-side attacks.
- Passwords are insufficient protection for sensitive resources. Regardless of whether you use a password manager and store a very strong password in it, that password can still be captured in transit by a “man in the middle” and replayed later. This is why organizations should prioritize replacing passwords with phishing-resistant multifactor authentication whenever possible.
Forrester recommends transitioning to FIDO U2F and passkey-based, passwordless authentication methods for business user, customer, and privileged/non-human (machine) identity authentication. Even sending SMS texts or email messages with one-time passwords or links is a better solution than using passwords. Mobile authenticator apps also offer reasonable authentication strength, stronger than passwords alone.
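To make the replay point above concrete, here is an added toy model (not code from the original post or from Forrester) contrasting the two login styles: a password, which is the credential itself every time it crosses the wire, and a passkey-style assertion, which is a fresh proof over a one-time server challenge and the origin the user was actually on. The class names `ToyRelyingParty` and `ToyAuthenticator`, the host names, and the use of an HMAC with a per-device secret as a stand-in for the authenticator's public-key signature are all assumptions made for the illustration; a real FIDO/WebAuthn flow uses asymmetric signatures and signed client data, which this sketch only approximates.

```python
import hashlib
import hmac
import secrets

# Assumption: the HMAC "device key" stands in for the private/public key pair a
# real FIDO authenticator holds. The structure (one-time challenge, origin
# binding, proof verified server-side) is what matters for the replay argument.


class ToyRelyingParty:
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.password_hashes = {}   # user -> (salt, PBKDF2 digest)
        self.device_keys = {}       # user -> device secret (stands in for a public key)
        self.pending = {}           # user -> outstanding one-time challenge

    # -- Password login: the server receives the secret itself on every login --
    def register_password(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.password_hashes[user] = (salt, digest)

    def login_password(self, user, password):
        salt, digest = self.password_hashes[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    # -- Challenge-response login: the server only ever sees a fresh proof --
    def register_device(self, user, device_key):
        self.device_keys[user] = device_key

    def issue_challenge(self, user):
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge

    def login_assertion(self, user, challenge, origin, proof):
        # The challenge must be the outstanding one and is consumed on first use,
        # so a captured assertion cannot be submitted a second time.
        expected = self.pending.pop(user, None)
        if expected is None or not hmac.compare_digest(expected, challenge):
            return False
        # The server recomputes the proof over its own origin; a proof made on a
        # look-alike site covers a different origin string and will not match.
        if origin != self.rp_id:
            return False
        msg = origin.encode() + b"|" + challenge
        good = hmac.new(self.device_keys[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(good, proof)


class ToyAuthenticator:
    """Produces a proof over the challenge and the origin it was actually shown."""

    def __init__(self, device_key):
        self.device_key = device_key

    def assert_login(self, origin, challenge):
        msg = origin.encode() + b"|" + challenge
        return hmac.new(self.device_key, msg, hashlib.sha256).digest()


def demo():
    rp = ToyRelyingParty("login.example.com")

    # Password path: what crosses the wire is the credential, so a copy works.
    rp.register_password("alice", "correct horse battery staple")
    captured = "correct horse battery staple"     # constructed: observed in transit
    password_replay = rp.login_password("alice", captured)

    # Passkey-style path.
    key = secrets.token_bytes(32)
    rp.register_device("alice", key)
    auth = ToyAuthenticator(key)

    c1 = rp.issue_challenge("alice")
    p1 = auth.assert_login("login.example.com", c1)
    assertion_first = rp.login_assertion("alice", c1, "login.example.com", p1)
    assertion_replay = rp.login_assertion("alice", c1, "login.example.com", p1)

    # A relayed challenge answered on a look-alike origin: the proof is bound to
    # the origin the authenticator saw, so the relying party rejects it.
    c2 = rp.issue_challenge("alice")
    p2 = auth.assert_login("login.example-lookalike.com", c2)
    wrong_origin = rp.login_assertion("alice", c2, "login.example.com", p2)

    return {
        "password_replay": password_replay,   # True: the copy is as good as the original
        "assertion_first": assertion_first,   # True: fresh challenge, right origin
        "assertion_replay": assertion_replay, # False: challenge already consumed
        "wrong_origin": wrong_origin,         # False: proof covers a different origin
    }


if __name__ == "__main__":
    print(demo())
```

The two properties that make the second path phishing-resistant are visible in `login_assertion`: the challenge is popped before verification (so it is single-use even when verification fails), and the origin is part of the signed message rather than a field the client asserts on its own.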