Norton LifeLock and LastPass Breaches Raise Doubt about the Security of Password Managers  

But are the Wrong Questions Being Asked?

Recent news of cyber-attacks on two major security companies has many asking, “Are password managers secure enough to protect our data?” But perhaps there’s a more important question that needs to be addressed.

This week, news came of a cyber-attack on Norton LifeLock. Several thousand customers were reportedly victims of credential-stuffing attacks which compromised their personal data. The story broke not long after the successful attack on another password management solution, LastPass, in which the company’s cloud storage was hacked and millions of customers’ encrypted vaults were stolen. These and several other incidents over the past few years have raised serious questions about the security of platforms like these that were designed to protect personal information.

Details of the Norton LifeLock Attack

According to sources at Norton LifeLock’s parent company, Gen Digital, customers reported credential stuffing attacks as early as December 1 of last year. Norton LifeLock sent data breach notices on December 12 to 6,450 customers, warning that usernames and passwords had been compromised, allowing access to personal information. More specifically, they said, user credentials had been obtained from third-party accounts and potentially used to gain access to users’ personal password vaults. The same announcements stated that, while credentials had been compromised, Norton systems had not. Gen Digital said 925,000 accounts were locked down in response to an unusually high number of login attempts.

Users most affected are those whose master passwords for vault access were similar to those used for other accounts.

Are password managers safe to use?

Understandably, the news about LastPass and Norton LifeLock, along with earlier incidents, has the industry buzzing. And cyberspace is aflutter with questions about the security of password managers.

At the same time, executives from password management solutions have come out in response to negative sentiment, to insist that “not all password managers are created equal.” … It comes down to choosing the ‘right’ company to trust with their data, they say.

Many discourage the use of browser-based password managers, as we’ve mentioned before. They are particularly vulnerable because most don’t employ even two-factor authentication or strong encryption. Once in, a bad actor could have access to all user accounts.

Others recommend finding a password manager where your information is ‘unlockable’ except by using a password that is only known by you, not by any third party – even the password manager.

As remote workforces prevail and users continually access company resources from personal devices, the question of how to protect digital valuables will be challenging for tech leaders.

It’s clear that something needs to change

Along with the damage to individual users, both affected companies may suffer significant reputational and financial loss due to these attacks. (Just a few weeks ago, a class-action suit was filed against LastPass for failing to disclose the full extent of the attack.)

Is Poor Password Etiquette the Real Culprit?

While people question password managers, many – including Norton – have pointed to the improper use of passwords as the main cause behind these kinds of attacks.

Experts insist that passwords should be stronger, more complicated, unknown to everyone but the user, … never shared or reused. And the list of proper password etiquette goes on.

According to a recent Ipsos report, despite increased awareness about proper password security practices, users are still not getting it right when it comes to password use.

• 65% report reusing passwords across multiple accounts
• One in five use passwords that are common or easy to guess
• 52% incorporate personal information like names and birthdays into their passwords
• Roughly one in three share passwords or have access to others’ credentials
• 62% change their passwords only when necessary

With the difficulty in remembering the myriad strings of characters for different accounts and the increasingly complicated rules for password creation, it’s no wonder behavior is subpar.

The mistakes people make with password managers are no different. In theory, using a password manager secured with a strong password is more secure. But in practice, it’s not always the case. Once the master password is compromised, all passwords in that vault can be easily compromised.  

It’s important to note that, as technology evolves, so does cybercrime. Automated credential cracking and credential stuffing tools are readily available to hackers for as little as $500 and can quickly check hundreds of thousands of email and password combinations against multiple websites.

So, with all that we know, perhaps the most important question to ask is this one:

Why are we Using Passwords to Protect Passwords?

We Shouldn’t.

And We Don’t Have to.

While we know that Passwordless is the future (over 80% of data breaches are due to weak or stolen credentials – passwords, OTPs … any Phishable or shareable secrets), we also know that passwords are still required for access to many accounts, and their storage must be properly managed. Password managers are still the safest way.

However, we believe the master password must go. Now you can ditch the master password and use passwordless multi-factor authentication (MFA) for access instead.

Passwordless Phishing-Resistant MFA for Access to Your Password Vault

Modern times mean superior technology and solutions that are more secure, easier to use, more easily adoptable, less time-consuming, and cost-effective.

Passwordless MFA that eliminates the factors used by bad actors to gain unwanted access will vastly enhance your security posture, simplify login, and save on support costs.

What to look for in a Passwordless MFA solution:

• MFA and Single-Sign-On (SSO) combined for simpler and more secure access to all applications from a single console.
• Eliminate Phishable factors for login. COMPLETELY. 
• MFA is native to the solution, not simply layered on top of a password-based system. This means no fallback on insecure phishable factors and reduced friction for users and admins.
• Interoperable with Your Identity Provider/acts as IDP
• Easy to deploy, use, and manage for users and admins
• Seamless and ‘delightful’ user experience
• Meets industry standards for security and privacy

TraitWare’s patented MFA solution provides all of the above for simple secure passwordless login for the enterprise.

TraitWare works with Keeper and other password management solutions – providing passwordless MFA access to your password vault for optimal security and ease of use. 

For more information, contact us any time. We’ll show you how it works in just a few minutes.

For a quick peek now, visit our youtube channel.

Or take TraitWare for a test drive yourself with a Free Trial or Demo account.