Passwords vs Passwordless: A Debate on Online Security
Passwords can be a source of frustration for many individuals in the digital age, often viewed as an inconvenient necessity. While they are an essential element of online security, research indicates that people frequently fail to use them correctly. Fortunately, the introduction of password managers has alleviated the burden of having to remember and create numerous strong and distinctive passwords. However, these tools are not without flaws, and some individuals still find them troublesome to use for various reasons, resulting in a reluctance to adopt them.
Perhaps the ultimate solution to our online security concerns lies in passwordless technologies such as passkeys. These are built on standards published by the FIDO Alliance and implemented by the major platform vendors, so in practice account security is entrusted to those implementations. A passkey is a public/private key pair generated on the user's device: the website stores only the public key, the private key stays on the device (or in the vendor's synced keychain), and a login is proved by signing a challenge from the site, so there is no shared secret for a phishing page or a breached server to capture. However, there are also challenges associated with this approach.
In seeking insights into the advantages and disadvantages of passwords and password managers, as well as the future of passwordless technologies - including the well-publicized LastPass breach - TechRadar Pro, a tech news publication, recently conducted an interview with Roger Grimes. As a seasoned veteran in the realm of online security and the Data-Driven Defense Evangelist at cybersecurity training firm KnowBe4, Grimes offered his professional perspective on these important issues.
An analysis of password managers
Password managers play a crucial role in our online security posture, but not all password managers are created equal. In discussing what distinguishes the best password managers from their counterparts, Grimes emphasizes the importance of companies that take secure development seriously, with all programmers trained in a secure development lifecycle (SDL) to avoid the common programming errors that lead to vulnerabilities.
In addition, password manager companies should conduct both internal and external code reviews and penetration testing, offer rewards for outsiders who find and report bugs, and use industry-accepted cryptography and key sizes. Grimes warns against the use of customized cryptography or weak settings, and advises that all stored information, not just passwords, should be encrypted.
Password managers must also securely protect all stored customer information, including passwords, notes, and websites involved, with strong master passwords and phishing-resistant multifactor authentication (MFA) solutions. Any security flaws discovered must be addressed in a timely and transparent manner.
While no password manager vendor is currently doing all of these things, some are implementing most of them. Grimes recommends going with password manager vendors who prioritize secure development and employ industry-accepted security measures.
Passwords in the workplace
As remote and hybrid work arrangements have become more prevalent during the Covid-19 pandemic, the need to manage credentials across multiple endpoints in various locations has become more critical than ever, underscoring the importance of password managers for enterprises.
Grimes cites 1Password, one of the most popular password managers, as an example of a solution that prioritizes security. He recommends solutions like 1Password, where the ultimate secret is only known and stored by the user, meaning that an attacker who gains access to 1Password's stored customer vaults would not be able to decrypt the data.
1Password, for example, generates a random "Secret Key" on the user's device when the account is created; it is stored only on the user's devices and is never sent to 1Password. The key that encrypts the vault is derived from that Secret Key together with the account password, so a vault stored locally or uploaded to the vendor is useless without both. The vendor's site and its third-party dependencies are therefore not the weak link: the server holds nothing that, on its own, is enough to decrypt a vault, unless the attacker also compromises one of the user's devices, where the Secret Key lives.
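As an added example (not 1Password's code; a simplified model of the two-secret idea described above), the Go program below derives the vault key from a slow hash of the account password combined with a keyed hash of a random device-held secret, seals a constructed vault with AES-256-GCM, and shows that a stolen server-side copy plus the correct password still does not decrypt without the device secret. PBKDF2 is written out inline to stay standard-library only; the round count, salt, domain label and sample vault are illustrative choices, not a vendor's parameters.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const pbkdf2Rounds = 100_000 // illustrative work factor, not a vendor's setting

// pbkdf2SHA256 returns the first 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018),
// written out inline to keep the example standard-library only.
func pbkdf2SHA256(password, salt []byte, rounds int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): index of the only block we need
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < rounds; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// DeriveVaultKey mixes both secrets: a slow hash of the guessable account
// password and a keyed hash of the random, device-only secret key. An attacker
// holding only one of them learns nothing about the vault key.
func DeriveVaultKey(password, secretKey, salt []byte) []byte {
	fromPassword := pbkdf2SHA256(password, salt, pbkdf2Rounds)
	mac := hmac.New(sha256.New, secretKey)
	mac.Write([]byte("vault-key-v1")) // constructed domain-separation label
	mac.Write(salt)
	fromSecret := mac.Sum(nil)
	key := make([]byte, 32)
	for i := range key {
		key[i] = fromPassword[i] ^ fromSecret[i]
	}
	return key
}

func newGCM(password, secretKey, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(DeriveVaultKey(password, secretKey, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVault seals the vault with AES-256-GCM: random nonce prepended,
// salt bound as associated data.
func EncryptVault(password, secretKey, salt, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(password, secretKey, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, salt), nil
}

// DecryptVault fails on the GCM tag unless BOTH secrets are correct.
func DecryptVault(password, secretKey, salt, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(password, secretKey, salt)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed vault too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], salt)
}

func main() {
	password := []byte("correct horse battery staple")
	secretKey := make([]byte, 16) // generated once, kept only on the device
	io.ReadFull(rand.Reader, secretKey)
	salt := []byte("constructed-per-account-salt") // stored beside the vault
	vault := []byte(`{"site":"https://bank.example","user":"alice","pw":"hunter2"}`)
	sealed, _ := EncryptVault(password, secretKey, salt, vault)
	// A breached server yields salt + sealed vault; a keylogged password alone still fails:
	_, err := DecryptVault(password, make([]byte, 16), salt, sealed)
	fmt.Println("password only:", err)
	pt, _ := DecryptVault(password, secretKey, salt, sealed)
	fmt.Println("both secrets: ", string(pt))
}
```

The point of the XOR combination is that the 128-bit device secret makes the derived key unguessable even when the password is weak, which is exactly the property a server-side breach (and an offline guessing attack on it) runs into.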
Grimes also commends Apple for its proper handling of end-to-end encryption, noting that if the FBI requests a user's information, it is encrypted in a way that Apple cannot decrypt, and only the user has the ultimate master key that can decrypt their data.
However, Grimes cautions that end-to-end encryption has a significant flaw: if the user loses their master key, the data stored at the vendor becomes useless to both the vendor and the user. Despite this, end-to-end encryption is gaining popularity due to users' increasing concerns about privacy and security. With an end-to-end master password, users can ensure that their data remains secure and inaccessible to anyone without first compromising the user's local copy.
What happened to LastPass
The LastPass breach is the most notorious example of a major password manager being hacked, with user vaults stolen. The breach was gradually disclosed, with the company itself eventually revealing the full details earlier this month.
A threat actor targeted a single DevOps engineer at the company, one of the few with decryption keys for the firm's Amazon S3 buckets, which held backups of user vaults. The attacker compromised the engineer's home computer through a vulnerability in third-party media software, installed a keylogger, and captured the master password to the corporate vault as it was entered, without anyone noticing. From there the attacker reached the S3 backups and copied the encrypted user vaults. Those vaults are still protected by each user's master password, so what the attacker gained was the ability to guess master passwords offline, without LastPass's rate limiting; a weak master password, or a vault whose key derivation used a low iteration count, is what turns that copy into usable credentials.
Grimes finds the fact that LastPass did not encrypt all stored user information and used weak and customized cryptography concerning, and assigns blame for the continuing issues to LastPass.
Grimes also notes that LastPass is average to slightly above average in terms of security compared to other password managers, some of which have weaker security. Grimes cites 1Password as the optimal password manager in this regard, noting that all password manager vendors should adopt its approach or something even better. 1Password sets the standard for secure storage of customer vaults, according to Grimes.
Could passkeys be the future of digital security?
Because passwordless systems promise better security and convenience, many experts predict the extinction of passwords, arguing that they are no longer fit for purpose as ever more of our lives is digitized. Grimes believes in the technology to some extent, noting that passkeys are phishing-resistant because they are FIDO-enabled. However, he prefers a good password manager over passkeys: passkeys are currently locked into one platform and can be single-factor, while password managers do much more, such as automatically notifying users when a website they have an account on is breached and storing secure notes that have nothing to do with logins.
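Added example, not from the article or from any FIDO implementation: a stripped-down WebAuthn assertion in Go showing the two checks that make a passkey phishing-resistant. The browser only offers a credential to an origin covered by its relying-party ID, and the relying party only accepts a signature over client data naming its own origin and a fresh challenge. The hostnames, the challenge bytes and the one-byte flags field are constructed for the demonstration; a real authenticator also includes a signature counter and a full attestation format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// clientData is the CollectedClientData the browser builds; its hash is signed,
// so the origin the user was really on is baked into the signature.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Passkey is the authenticator side: a private key scoped to one relying-party ID.
type Passkey struct {
	RPID string
	priv *ecdsa.PrivateKey
}

func NewPasskey(rpID string) (*Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Passkey{RPID: rpID, priv: priv}, err
}

func (p *Passkey) PublicKey() *ecdsa.PublicKey { return &p.priv.PublicKey }

// originAllowed is the browser's rule: offer the credential only to an https
// origin whose host is the rpID or a subdomain of it. examp1e.com and
// example.com.evil.net never see it.
func originAllowed(origin, rpID string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return false
	}
	host := u.Hostname()
	return host == rpID || strings.HasSuffix(host, "."+rpID)
}

// signedMessage is what ECDSA-SHA256 signs: authenticatorData || SHA256(clientDataJSON).
func signedMessage(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert returns (clientDataJSON, authenticatorData, signature) for a login from
// origin, or refuses when the origin is not covered by the credential's rpID.
func (p *Passkey) Assert(origin string, challenge []byte) (cdj, authData, sig []byte, err error) {
	if !originAllowed(origin, p.RPID) {
		return nil, nil, nil, fmt.Errorf("no passkey for %q is usable from %s", p.RPID, origin)
	}
	cdj, err = json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return nil, nil, nil, err
	}
	rpHash := sha256.Sum256([]byte(p.RPID))
	authData = append(rpHash[:], 0x01) // rpIdHash || flags (user present); counter omitted
	sig, err = ecdsa.SignASN1(rand.Reader, p.priv, signedMessage(authData, cdj))
	return cdj, authData, sig, err
}

// VerifyAssertion is the relying party's side. Each check closes a phishing or
// replay path: fresh challenge, exact origin, rpIdHash, then the signature.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin string, challenge, cdj, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 33 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, cdj), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pk, _ := NewPasskey("example.com")
	challenge := []byte("constructed-challenge-0001") // a real RP uses random bytes
	cdj, ad, sig, _ := pk.Assert("https://example.com", challenge)
	fmt.Println("real site: ", VerifyAssertion(pk.PublicKey(), "example.com", "https://example.com", challenge, cdj, ad, sig))
	_, _, _, err := pk.Assert("https://examp1e.com", challenge) // phishing page relaying the real challenge
	fmt.Println("look-alike:", err)
}
```

Contrast this with a password: a look-alike site can ask for it and the user can type it, and nothing in the protocol ties the secret to the genuine origin. Here the phishing page never gets an assertion at all, and even a captured one cannot be replayed against a new challenge.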
Grimes also takes issue with the purported scope of passkeys' adoption, noting that they don't work with a thousandth of one percent of the world's websites and services, at least not yet. He is also skeptical about the ease with which passwordless solutions will replace passwords, stating that the future of authentication is more diluted and murky than seamless and universal.