The most foundational aspect of protecting yourself and your business from the devastating impact of a data breach is maintaining best practices regarding account password hygiene. This remains true even if the password manager you use is impacted by a security incident.
Rightfully, there is a lot of concern about the efficacy of password vault and manager services given the recent LastPass network breaches. In August 2022, the company published a notice that some of the company’s technical information and source code were taken by threat actors. At the time, no customer data was found to be accessed; it was a ‘point-in-time’ incident.
Then in November, the company once again confirmed a breach, only this time credentials stolen in the August incident were used to move laterally throughout the system and access customer information, including encrypted password vaults and personal identifiable information (PII). Just last week, another revelation emerged: a company developer had their own corporate vault breached from which a threat actor obtained decryption keys.
A company many depend on to enhance their operational security, unfortunately, let them down.
Following multiple breaches in a few months, it is understandable why users would be uncomfortable continuing with this specific service and perhaps any password vault; however, by layering other best practices on top of a password vault and manager you need not sacrifice security.
Nonetheless, it is still wise to update your password and reinstate a cadence of credential change, regardless of whether the company suggested such action, as it is best practice.
To encourage peace of mind, the master password still hides behind encryption in what is known as a ‘zero-knowledge’ system, and if all passwords are updated regularly, there is no major cause for concern. The ability to use randomly generated, strong passwords unique to each account are additional mitigation measures in the event of a breach.
Password managers are designed to centralize all login and password credentials across every account, whether personal or work related. The average worker utilizes around 100 passwords, according to NordPass (one of many quality tools), for social media to HR accounts; without a management system, they are nearly impossible to keep organized. All details are stored within an encrypted vault, requiring a single primary password that is not typically stored anywhere but in the user’s brain. Needing to remember only one “master” password should reduce concerns of identity theft or data breach, which are extremely rare when using these tools.
For businesses, a password manager should be considered an essential purchase. There are two system types: cloud-based and locally managed. The difference between the two is in where your information is stored. A local manager maintains the database on your specific device, while a cloud-based solution maintains no copy on your device. If you prefer full management, local storage is best, though if your system access is lost, so are your credentials. Cloud storage can be used across all your devices, but without internet access, you will be out of luck. Ultimately, the best choice comes down to personal preference, with each having its own advantages and disadvantages. Ensure you have access to the most needed features at a price you can afford.
The primary reason either solution can work is that they both contribute one important layer of proper account hygiene. I recommend a password vault as company policy and then applying some key features: utilize the random password creation setting with every account; create passwords with a minimum of 12 characters, mixing numbers, letters, and symbols; set reminders to update stored passwords every three months at a minimum. The longer a password is used, the greater likelihood of it being involved in a breach and, therefore, in the hands of a threat actor seeking to enhance damage against your business.
Furthermore, account best practices include enforcing multi-factor authentication (MFA) enterprise-wide for all systems and applications that support its implementation: this is becoming a nearly universal compliance requirement anyway. The one solution is itself layered, requiring something you know (i.e., password, PIN), something you have (i.e., smartphone, laptop), and something you are (i.e., fingerprint, facial recognition). My estimation is MFA can prevent upwards of 90% of all cyberattacks and 99% of all account compromise attacks. Numerous studies support this supposition.
The final best practice to employ regarding your business accounts is regular threat intelligence assessments or audits regarding critical systems usage, like a password vault, to ensure standards of security and remediate any potential vulnerabilities.
If the implementation of a password manager—any security tool or system, for that matter—requires more technical knowledge, you can always reach out to a cybersecurity provider adept with such technology to set up a training session.
The fact of the matter is no single toolset is a panacea, including password managers and vaults. Fortunately, by layering best usage practices, you and your business can drastically enhance your cybersecurity posture.