Despite hacks, password managers are still an important SaaS security measure

Just three days before Christmas, the single-sign-on provider LastPass gave a very un-merry disclosure: threat actors stole customer data, including encrypted vault passwords and unencrypted email addresses.

Despite this, password managers are still superior to 20 Post-it notes that say “QWERTY.” The tools are especially valuable for companies using lots of software-as-a-service (SaaS) offerings.

“I can’t tell you the number of clients I’ve come across that are rolling out password managers because they’re using so many SaaS applications and they may not have paid the money for the corporate version,” said Sushila Nair, VP of the Greater Washington, DC, chapter of the IT governance association ISACA.

“You’ve got a load of passwords that people are managing. If you’re not careful, they’re going to use the same password for their corporate account as…this freebie SaaS account,” Nair told IT Brew.

The bad news:

• In the December disclosure, LastPass noted that threat actors obtained copies of customer-account metadata like company names, email addresses, telephone numbers, and other info that makes phishers drool.
• A backup of encrypted website usernames and passwords and form-filled data was also obtained.

The better news:

• With 256-bit AES encryption covering passwords and master passwords, cracking the code is difficult and would take a high level of computing power. With complex master passwords, the job is even more difficult.

“Anything that would cause me to press the panic button on LastPass is protected by strong encryption,” Lisa Plaggemier, executive director at the National Cybersecurity Alliance, told IT Brew.

What to do:

• Reset passwords: To defend against brute-force password guessing, LastPass has required a 12-character minimum for master passwords. In light of the breach, however, LastPass now recommends changing stored passwords.

“If you have legacy passwords that were never changed, those are more vulnerable because there’s a higher likelihood they were reused in some way. And so somebody will be able to find a breach that has your password in it,” said Sean Gallagher, senior threat researcher at the cybersecurity-services firm Sophos.

• Multi-factor authentication: Information like usernames, email addresses, and phone numbers make breaking into accounts almost child’s play for hackers. And if users aren’t practicing proper password hygiene, that information (along with birthdays or answers to security questions) can be used to attempt password resets or social engineering schemes.

In the case of LastPass, what’s to stop a phisher from using the email addresses to hunt for passwords?

“Hey, we noticed there was a breach of LastPass, and your password may be affected. Please enter your old password to gain access to the website to change your password,” Gallagher said, offering a sample scam message.

Multi-factor authentication—like Nair’s favorite option, the fingerprint-enabled YubiKey– gives phishers another hurdle to overcome, should they take advantage of all that available data.

Stayin’ SaaS-y. A late 2022 study from the SaaS-management platform BetterCloud found that organizations use 130 SaaS apps on average—an 18% increase compared to the previous year’s study. And some SaaS apps may not be part of a corporation’s identity system.

Without a password manager, that could be a lot of Post-it notes.

“I think we’ve got no choice. We have to use password managers,” said Nair, “until passwords are dead.”—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected].