Light Dark
January 17, 2023 By C.J. Haughey 5 min read
Identity & Access
Risk Management

In November 2022, LastPass had its second security breach in four months. Although company CEO Karim Toubba assured customers they had nothing to worry about, the incident didn’t inspire confidence in the world’s leading password manager application.

Password managers have one vital job: keep your sensitive login credentials secret, so your accounts remain secure. When hackers compromise these software applications, the entire industry of identity and access management (IAM) takes notice.

As an alliance of tech giants leads a global push toward passwordless technology, security breaches like this beg the question: What is the future of password managers?

How bad was the LastPass hack?

LastPass revealed details of the initial security incident on August 25, 2022, notifying customers that attackers had taken some of the company’s source code and technical information.

In November 2022, the company detected suspicious activity in a third-party cloud storage service that LastPass shares with an affiliate, GoTo. An unauthorized party used information stolen during the August incident to access some aspects of customer information.

With the investigation into the scope of the breach ongoing, Toubba sought to allay fears: “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”

What is zero knowledge architecture in LastPass?

Zero knowledge architecture is a design approach that ensures nobody can access secure data except the end user. LastPass uses this security model to protect sensitive data in your vault.

When you use a password manager that relies on zero knowledge, you must set up a master password. The only person that has access to your master password and data is you — even LastPass doesn’t know it!

Dustin Heywood, also known as EvilMog, is the Chief Architect for X‑Force, IBM’s cybersecurity team. He explains that “the point of zero knowledge architecture is that passwords are encrypted with a unique security key in a manner that makes it extremely difficult, expensive and, in most cases, impossible to recover the passwords without the key.”

With zero knowledge encryption, your data remains safe in the event of a security breach. Even if threat actors manage to steal encrypted data, it’s still impossible to decipher your master password.

“I believe this to be an excellent security control that all password managers should implement,” asserts Heywood. “You can’t give up knowledge that you don’t have.”

What other password managers (or other security providers) rely on zero knowledge?

Not all password managers follow a zero knowledge architecture. However, many leading security providers trust the technology.

Here are a few notable examples:

  • NordPass explains that all encryption and decryption take place on your device. When the data reaches the company servers, it’s already fully secured from everybody, including the NordPass team.
  • 1Password doesn’t rely on any single point of failure. In addition to the master password, there is a 34-character Secret Key. 1Password servers contain only the encrypted vault data. For anyone to decrypt your vault data, they would also need your account password and Secret Key.
  • Sync.com is a leading cloud storage platform that uses zero knowledge protection to keep your files safe.

Have security breaches affected other password managers?

The attacks on LastPass have caused a stir because it is arguably the best password manager in the world. But it’s not the only password security provider in the crosshairs of cyber criminals.

Several research initiatives in 2019 and 2020 sought to discover ways password managers could be hacked. The research exposed security vulnerabilities in many of the most popular password managers, including LastPass, Dashlane, 1Password, Keeper and RoboForm.

In April 2021, hackers used phishing tactics to target Passwordstate customers. As users clicked on malicious files, they exposed their login credentials. The cyber criminals then posed as customer support reps from Passwordstate’s parent company, Click Studios, to trick users into disclosing more personal information.

It’s clear that passwords are a weak link in cybersecurity. Verizon’s 2022 Data Breach Investigations Report found 80% of all global security breaches are linked to password security issues. Worryingly, 66% of Americans admit they use the same password for their email, banking and social media accounts.

And so, with human failure being a variable that is hard to control in identity and access management, security teams must consider how to build a safer digital future with more robust methods.

Is passwordless technology the answer?

Passwordless authentication is a method of verifying a user’s identity without any request for a password. This technology replaces passwords with one of the following alternatives:

  • Possession factors like one-time passwords, authentication app codes or a hardware token
  • Biometrics including fingerprints, face recognition, retina scans or heartbeats
  • A “magic” link that grants access to the user via email.

Using a passwordless approach, companies can make logging in effortless and secure. You don’t have to remember different passwords or worry about someone else discovering the password to your most sensitive accounts.

In December 2022, Google announced the arrival of passkeys for Chrome users. This creation is a product from the FIDO Alliance: a joint venture between Apple, Google and Microsoft. Passkeys use public cryptography and biometric authentication to replace text-based passwords.

In 2023, 1Password will launch a similar passwordless system, which will work on iOS, Android, Windows, Mac, Chrome OS and Linux devices. The new demo shows how easy it is for users to generate hidden passkeys through a browser extension, which has a unique pair stored on the website.

What are the cons of a passwordless environment?

As passkeys technology is still in its infancy, it’s far from perfect. Here are some concerns people have about a passwordless approach:

  • Users need to open an additional email application to access online accounts
  • Email is an easy medium for hackers to compromise, which means hackers could intercept codes or passkeys
  • Email is also a prime target for phishing links that could trick users into downloading malware or spyware.

If the passwordless technology uses SMS or push notifications instead of email, it’s a hindrance for people to use another device every time they log in. If their smartphone has no battery or coverage, they can’t gain access.

It will take time for software developers and businesses to create the resources and software development kits (SDKs) to simplify passwordless integration and make this verification method a seamless plug-and-play experience.

Will we eventually replace password managers?

Heywood explains, “the term ‘password manager’ is a bit of a misnomer; password managers are really ‘shared secrets managers’ that can hold recovery keys and passphrases, initial seed tokens, instructions for recovery and a whole lot more.”

Despite the groundswell for a more integrated, failsafe future for digital security and IAM, the reality is that many current systems are not fully connected to the internet, and many businesses are not ready to give up passwords anytime soon.

Some systems are disconnected completely, while others are in environments that have extremely limited network access. A prime example is critical infrastructure sectors, which often rely on legacy systems and operational technology (OT).

Legacy systems such as Active Directory, terminal servers and sites that still use HTTP Basic authentication and LDAP rely on shared secrets. These environments comprise firewalls, routers, switches and other devices with password-enabled recovery accounts. Even as industries shift from passwords, there remains a need for local secrets to verify user-to-machine trust or machine-to-machine trust.

“Passwords will never fully go away,” claims Heywood. “We will be using passwords long after I retire. The important thing is ensuring that secrets are managed throughout their entire lifecycle, including creation, storage, transmission and destruction. Secrets should be unique between systems and rotated often.”

We still need password managers — but how we use them must change

Every security breach of a password manager is a body blow to the integrity and trust people have in the technology. As hackers continue to circle LastPass, the clamor for change grows louder, with tech giants calling for a shift in the landscape of IAM.

A future where passwordless environments reign supreme seems inevitable, especially in key industries like finance and national security. But passwords will not vanish entirely — the nature of operational technology and critical infrastructure makes the elimination of passwords virtually impossible.

85% of IT and security professionals expect a future that combines passwordless authentication with sophisticated password management. Security teams must find ways to integrate the two principles to nullify cyber threats and ensure a safer way to manage data.

Ready to learn more about good password practices from EvilMog? Read How to Keep Your Secrets Safe: A Password Primer.

 |  |  |  |  |  |  |  |  | 
C.J. Haughey
Tech Writer

More from Identity & Access
April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature