Passwords have withstood numerous cybersecurity challenges and are not going anywhere. Presently, many users utilize passwords to secure email, bank, social media, and computer accounts, often with the help of password managers.
Password managers are the best for generating cryptographically secure and unique passwords, storing them, and retrieving them when needed. As a result, cybersecurity experts have been advocating for password managers since they allow you to store credentials without remembering each password or username.
Unfortunately, hackers have managed to breach some of the most popular password managers and compromised the credentials of many users.
Norton LifeLock reported a data breach in January 2023 that affected over 6,000 customer accounts. The hackers breached the accounts using a credential stuffing technique, which involves using usernames and passwords acquired elsewhere to attempt to log into accounts on other platforms.
Norton traced the incident to December 2022, when the company first noticed numerous failed login attempts. While Norton LifeLock’s systems were not breached, the attackers could access individual accounts, with the breach potentially exposing passwords stored in the password manager.
Accordingly, Norton LifeLock resolved the issue by resetting the credentials of affected accounts and recommending that customers implement two-factor authentication.
LastPass experienced a security incident in August 2022, where a bad actor gained access to its development environment for four days.
While LastPass security teams thought that they had contained the incident at the time, LastPass discovered in December that the hacker was able to obtain sensitive information such as vault data, including unencrypted and encrypted data, account information, end-user names, company names, billing addresses, IP addresses, and telephone numbers.
Luckily, the encrypted data remains since it was encrypted using 256-bit AES encryption. LastPass zero-knowledge architecture prevents it from accessing the users’ master decryption password to decrypt the information.
Attackers targeted Passwordstate’s software in April 2021 by delivering a malicious dynamic-link library (DLL) file to users’ computers through the software’s update functionality. The DLL file extracted sensitive data, including usernames, domain names, and passwords, and exfiltrated it to a server under the attackers’ control.
In addition, the hackers conducted phishing attacks using legitimate communications between Passwordstate and its customers, which they accessed from social media platforms. The attackers sent customers phishing emails, instructing them to download a fix to mitigate the hack urgently. However, the fix installed the attackers’ malware, which spread the infection further.
Researchers from the University of York conducted a study analyzing five password managers, namely Dashlane, LastPass, Keeper, 1Password, and RoboForm, for security vulnerabilities.
They discovered that LastPass and 1Password were vulnerable to a phishing attack in which a false Google app tricked the password managers into revealing a password.
Additionally, the research found that Keeper, Dashlane, and 1Password could not limit the allowed login attempts, making them susceptible to brute-force attacks.
All the password managers, except for 1Password, allowed users to paste credentials in plain text, and this lack of security features makes it easy for malicious actors to steal the credentials.
The recent security weaknesses and attacks in various password management services highlight an essential cybersecurity aspect: no software can offer 100% security. Certainly, any code will have a weakness that attackers can compromise to gain unauthorized access to sensitive information. But password managers are much safer when creating and storing new passwords in a secure, encrypted environment.
Therefore, the crucial question is how developers protect user data and what security measures they had in mind when coding the password manager. Failure to keep security up-to-date can make a service static and easily hackable.
When choosing a password manager, the security measures implemented to protect your credentials should be the main consideration. Also, while other features are important, transparency in communicating security incidents and timely updates are essential. Moreover, free password managers are great to start with, but it is crucial to look out for new updates constantly. The software’s update history can provide insights into the level of attention given to security. Choosing software with up-to-date security features and quick response time to any breaches or attacks is advisable. Failure to do so could leave one vulnerable to cyberattacks.
On average, people without password managers use less than 10 passwords or patterns to secure more than 170 unrelated accounts, services, and sites. These passwords are often weak compared to the recommended password security standards making it easy for attackers to compromise them.
Subsequently, the hackers can use the compromised credentials to access other sites and services the user may be using. For instance, if a hacker gains access to a site where the user has used the same password and username, the hacker can use this information to access the victim’s other accounts, like bank or work accounts, without their knowledge.
Undoubtedly, password managers allow users to create strong, unique, and random passwords for each of their sites and accounts, thus preventing hackers from accessing multiple accounts with the same password from a compromised account. The tools generate strong passwords and passphrases that are generally unguessable using existing technologies. Using a trustworthy password manager is the best approach to password authentication for accounts, services, and sites that require passwords.
“The benefits of having a tool that can auto-generate strong passwords on your behalf and input them for you upon navigating to specific sites significantly increases the security at those individual sites,” notes a senior cybersecurity expert. Most password managers use advanced encryption to store your credentials to reduce the chance of threat actors gaining unauthorized access.
Password managers create strong, unique passwords for individual accounts, and combining them with recommended password security practices, such as multi-factor authentication, increases your accounts’ security.
Ultimately, password managers may be vulnerable to attacks, but they remain the safest bet that hackers will not compromise your passwords.
Creating a strong and long passphrase is vital to protecting against password hacking. The US National Institute of Standards and Technology recommends generating passwords up to 64 characters, including spaces, making them difficult to crack.
Encryption prevents threat actors from accessing your credentials. For example, password managers store all your passwords in an encrypted form. Thus, in case of a data breach, the attackers can only access the encrypted blobs, which are useless without a master decryption password.
Most password managers implement advanced encryption standards like AES 256.
Implementing two-factor authentication (2FA) as a standard is crucial to managing access to organizational resources.
With 2FA, users must confirm their identity with a one-time code sent to their mobile device or a personalized USB token, making it difficult for hackers to access an account even if they guess or crack a password.
Advanced authentication measures such as biometric verification can be added to multi-factor authentication. They utilize fingerprints, facial recognition, voice recognition, keystrokes, or even iris recognition to identify employees, making it easier for users to log in while keeping their accounts secure.
Testing your passwords’ strength is crucial to ensuring they are strong enough. Tools like Microsoft’s password strength testing tool can generate strong passwords that can’t be hacked easily.
It’s important to avoid using dictionary words as sophisticated hackers have programs that search through thousands of words. Also, use different passwords for every account to prevent other accounts with the same credentials from being easily compromised if hackers breach one account.
Pulsar Security is a team of highly trained and qualified ethical hackers whose job is to leverage cybersecurity experience and proprietary tools to help businesses defend against malicious attacks. Pulsar is a Veteran, privately owned business built on vision and trust, whose leadership has extensive military experience enabling it to think strategically and plan beyond the problems at hand. The team leverages offensive experience to offer solutions designed to help analyze and secure businesses of all sizes. Our industry experience and certifications reveal that our engineers have the industry's most esteemed and advanced on the ground experience and cybersecurity credentials.