Wednesday, July 27, 2016

Blargh! Password managers losing passwords?!

Are password managers bad? Should I stop using one?  These are questions I get from Rendition Infosec clients every time there's a vulnerability discovered in a password manager.  The answer is probably "it depends" for most organizations.  Overall, most organizations will see an uplift in security by using password managers, but you should consider where the password manager stores your passwords and who (if anyone) has performed vulnerability assessments on the storage and transmission of the passwords.

I bring this up because today Tavis Ormandy discovered and responsibly disclosed a vulnerability in LastPass.  The bug is reported as a full remote compromise.

It's not the first to be discovered.  Mathias Karlsson also previously discovered a critical vulnerability in LastPass that caused it to reveal passwords.

But as to whether you should use a password manager at all?  Most organizations are filled with people who, absent a password manager, will store their passwords in a spreadsheet named passwords.xls (looking at you, Sony).  Or passwords.txt.  Practically any storage is better than that.  Or they'll reuse passwords.  And sooner or later some website using the shared username and password will end up compromised.  With our luck they'll be storing passwords in plaintext.

If you are going to use a password manager, keep it up to date and ensure that you enable two-factor authentication if it's available.  If two-factor isn't available, you need a new password manager.  Don't let one or two bad outcomes scare you away from something that's a great thing for security.  That's how the antivax movement got started after all.
