What is the Future of Password Managers? – Security Intelligence

In November 2022, LastPass had its second security breach in four months. Although company CEO Karim Toubba assured customers they had nothing to worry about, the incident didn’t inspire confidence in the world’s leading password manager application.
Password managers have one vital job: keep your sensitive login credentials secret, so your accounts remain secure. When hackers compromise these software applications, the entire industry of identity and access management (IAM) takes notice.
As an alliance of tech giants leads a global push toward passwordless technology, security breaches like this raise the question: What is the future of password managers?
LastPass revealed details of the initial security incident on August 25, 2022, notifying customers that attackers had taken some of the company’s source code and technical information.
In November 2022, the company detected suspicious activity in a third-party cloud storage service that LastPass shares with an affiliate, GoTo. An unauthorized party used information stolen during the August incident to access some aspects of customer information.
With the investigation into the scope of the breach ongoing, Toubba sought to allay fears: “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”
Zero knowledge architecture is a design approach that ensures nobody can access secure data except the end user. LastPass uses this security model to protect sensitive data in your vault.
When you use a password manager that relies on zero knowledge, you must set up a master password. The only person who has access to your master password and data is you; even LastPass doesn’t know it.
Dustin Heywood, also known as EvilMog, is the Chief Architect for X‑Force, IBM’s cybersecurity team. He explains that “the point of zero knowledge architecture is that passwords are encrypted with a unique security key in a manner that makes it extremely difficult, expensive and, in most cases, impossible to recover the passwords without the key.”
With zero knowledge encryption, your data remains safe in the event of a security breach. Even if threat actors manage to steal the encrypted data, they still cannot recover your master password or read the contents of your vault without it.
“I believe this to be an excellent security control that all password managers should implement,” asserts Heywood. “You can’t give up knowledge that you don’t have.”
Not all password managers follow a zero knowledge architecture. However, many leading security providers trust the technology.
Here are a few notable examples:
The attacks on LastPass have caused a stir because it is arguably the best password manager in the world. But it’s not the only password security provider in the crosshairs of cyber criminals.
Several research initiatives in 2019 and 2020 sought to discover ways password managers could be hacked. The research exposed security vulnerabilities in many of the most popular password managers, including LastPass, Dashlane, 1Password, Keeper and RoboForm.
In April 2021, hackers used phishing tactics to target Passwordstate customers. As users clicked on malicious files, they exposed their login credentials. The cyber criminals then posed as customer support reps from Passwordstate’s parent company, Click Studios, to trick users into disclosing more personal information.
It’s clear that passwords are a weak link in cybersecurity. Verizon’s 2022 Data Breach Investigations Report found that 80% of all global security breaches are linked to password security issues. Worryingly, 66% of Americans admit they use the same password for their email, banking and social media accounts.
And so, with human failure being a variable that is hard to control in identity and access management, security teams must consider how to build a safer digital future with more robust methods.
Passwordless authentication is a method of verifying a user’s identity without any request for a password. This technology replaces passwords with one of the following alternatives:
Using a passwordless approach, companies can make logging in effortless and secure. You don’t have to remember different passwords or worry about someone else discovering the password to your most sensitive accounts.
In December 2022, Google announced the arrival of passkeys for Chrome users. Passkeys are a product of the FIDO Alliance, a joint venture between Apple, Google and Microsoft. They use public-key cryptography and biometric authentication to replace text-based passwords.
In 2023, 1Password will launch a similar passwordless system that will work on iOS, Android, Windows, Mac, Chrome OS and Linux devices. Its demo shows how easily users can generate passkeys through a browser extension; each passkey is a unique key pair, one half of which is registered with the website.
As passkeys technology is still in its infancy, it’s far from perfect. Here are some concerns people have about a passwordless approach:
If the passwordless technology relies on SMS or push notifications instead of email, users must have a second device at hand every time they log in. If their smartphone has a dead battery or no coverage, they can’t gain access.
It will take time for software developers and businesses to create the resources and software development kits (SDKs) to simplify passwordless integration and make this verification method a seamless plug-and-play experience.
Heywood explains, “the term ‘password manager’ is a bit of a misnomer; password managers are really ‘shared secrets managers’ that can hold recovery keys and passphrases, initial seed tokens, instructions for recovery and a whole lot more.”
Despite the groundswell for a more integrated, failsafe future for digital security and IAM, the reality is that many current systems are not fully connected to the internet, and many businesses are not ready to give up passwords anytime soon.
Some systems are disconnected completely, while others are in environments that have extremely limited network access. A prime example is critical infrastructure sectors, which often rely on legacy systems and operational technology (OT).
Legacy systems such as Active Directory, terminal servers and sites that still use HTTP Basic authentication and LDAP rely on shared secrets. These environments comprise firewalls, routers, switches and other devices with password-enabled recovery accounts. Even as industries shift from passwords, there remains a need for local secrets to verify user-to-machine trust or machine-to-machine trust.
“Passwords will never fully go away,” claims Heywood. “We will be using passwords long after I retire. The important thing is ensuring that secrets are managed throughout their entire lifecycle, including creation, storage, transmission and destruction. Secrets should be unique between systems and rotated often.”
Every security breach of a password manager is a body blow to the integrity and trust people have in the technology. As hackers continue to circle LastPass, the clamor for change grows louder, with tech giants calling for a shift in the landscape of IAM.
A future where passwordless environments reign supreme seems inevitable, especially in key industries like finance and national security. But passwords will not vanish entirely — the nature of operational technology and critical infrastructure makes the elimination of passwords virtually impossible.
85% of IT and security professionals expect a future that combines passwordless authentication with sophisticated password management. Security teams must find ways to integrate the two principles to nullify cyber threats and ensure a safer way to manage data.
Ready to learn more about good password practices from EvilMog? Read How to Keep Your Secrets Safe: A Password Primer.