LastPass Vulnerability
Recap from the November 5th, 2019 CISO/Security Vendor Relationship Podcast
by Julie McLelland
Facebook's Mark Zuckerberg, Google's Sundar Pichai, Twitter's Jack Dorsey, Spotify’s Daniel Ek, Uber’s Travis Kalanick — the list could go on for CEOs whose Twitter accounts were hacked due to poor password hygiene. Interestingly enough, executive leadership of the world's leading tech giants are just as prone to password management issues as the rest of us. However, the latest LastPass vulnerability demonstrates that password management solutions may no longer be a safe alternative for memorizing passwords.
The most recent LastPass vulnerability was reported on August 29th, 2019 by Tavis Ormandy, a researcher from Google Project Zero. Ormandy revealed a bug that could potentially allow malicious websites to access a web user’s credentials from a previously visited site. “LastPass could leak the last used credentials due to a cache not being updated,” Ormandy Tweeted. “This was because you can bypass the tab credential cache being populated by including the login form in an unexpected way!” LastPass released a blog on Sept. 13th, stating they fixed the bug.
Cons of Password Management Apps
UC Berkeley researchers revealed security flaws in five of the leading password management tools a few years ago — LastPass, RoboForm, My1login, PasswordBox (now Intel Security), and NeedMyPassword. Four of these contained exploitable vulnerabilities for stealing user credentials. The researchers reviewed their findings in a report that explained:
"The root causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model... Our study suggests that it remains to be a challenge for the password managers to be secure."
On top of numerous vulnerabilities, password managers are easy targets for cybercriminals. However, there is a solution to increase security and still use a password manager in your organization.
Solution
So what does this mean for companies? No more password managers? No, it doesn’t have to be that extreme. It really just means more education on cyber-hygiene.
Steve Prentice explained in this week’s Cloud Security Tip: “But for CISOs, this might be a good thing. Password complacency and sloppy security hygiene are the scourge of security specialists everywhere. A SaaS-based password manager that uses hashes and salts to remove the existence of physical passwords in their own vaults is still a highly proactive solution.”
Security experts recommend two-factor authentication (2FA) when using password managers. Two-factor authentication is an extra layer of security used to verify that the individual requesting access to a particular device or resource is authorized to access it. Two-factor authentication for LastPass could look like your employee using a password, and then receiving an additional code via text or email they enter into the appropriate field to complete the login.
On top of strong two-factor authentication practices, organizations should also implement a reputable VPN. OpenVPN Access Server works by providing secure access to the internal networks that house all of the tools and applications employees need to get their jobs done. Access Server also includes integration with various two-factor authentication apps such as Google Authenticator and AWS Multi-Factor Authentication, to ensure optimal protection on all levels.
