What the LastPass Hack Says About Modern Cybersecurity
Online password managers are meant to help users keep track of the long and complex passwords often required by most applications. The one big drawback to using one is the possibility of a bad actor managing to hack the master password vault and access user passwords. Unfortunately, that’s precisely what happened to LastPass, a password management service. The LastPass hack resulted in cybercriminals making off with copies of its customers’ password vaults.
What the LastPass Hack Means for Cybersecurity
Companies have increasingly made users adopt more complex passwords to make things harder for hackers. The problem with that is that users often needed help recalling them when they tried to log into an application. Password managers offered a way for users to keep up with their information in one place.
As the LastPass vault hack showed, storing your password anywhere can make you a target. The software meant to make things easier ended up putting millions at risk of having their accounts hacked. Even if the passwords are changed, the cyber thieves now have what they need to execute brute-force attacks against known UserIDs to obtain more valuable information.
Thanks to the ongoing presence of bad actors and our evolving security needs, maintaining passwords in any form has become a big issue. The introduction of Web 2.0 made it possible for companies to create more interactive experiences for users. However, the growing use of technology like Software as a Service (SaaS), websites containing interactive elements built using JavaScript, and API connections exposed a lot of the vulnerabilities of Web 2.0 technologies.
Drawbacks of Continued Password Use
When you factor in the drawbacks of continuing to use password authentication, it becomes clear that more needs to be done to keep users safe and make sure critical information doesn’t end up in the hands of hackers.
- Hassle for users — Passwords have always been an issue for users. Before most companies tightened up their protocols, many people would incorporate something familiar into their passwords to make them easier to remember. Unfortunately, that also made them more vulnerable to hackers who could guess passwords with only a bit of information about the user. That’s not to mention the exasperation that comes with forgetting a password and having to perform multiple steps to regain access to an account.
- Security issues — Authenticating passwords poses an ongoing security challenge for security teams. They must remain constantly vigilant against potential attacks like keylogging and credential stuffing. The first half of 2022 saw almost 53 million people getting impacted by data issues like data breaches, with compromised credentials being one of the primary culprits.
- Costs of password authentication — The time spent by IT admins in password reset and recovery efforts and the time lost by users can reduce productivity.
Why Going Passwordless May Be the Answer
What happened with the LastPass password vault hack highlights the realities of our current online environment. With data becoming a more valuable commodity, there’s always someone waiting to gain an edge and obtain any information they think can benefit them. While LastPass can upgrade the security around their product, that doesn’t change the underlying reality of the dangers of placing your important passwords together in one place. It’s not hard to imagine that a determined hacker might not find success once again.
The inherent vulnerability of using passwords has caused many organizations to evaluate other security methods. Passwordless authentication has grown in popularity primarily because of the issues faced by software like LastPass. It’s an alternative form of identifying users and allowing them access to applications.
Many companies have adopted two-factor authentication, which adds an additional layer of security to password usage. Passwordless authentication, as the name indicates, bypasses passwords entirely. Instead, users gain access in other ways, often by using a mobile device supplied with a digital certificate.
How Passwordless Authentication Works
Users no longer have to maintain lists of passwords when they go passwordless. Instead, they use a strong Authenticator such as a USB Key (YubiKey) or a Smart Card. The user typically provides a PIN or selects a Certificate to the Authenticator. The Authenticator then processes the authentication locally in a secured area on the USB Key or Smart Card. As a result, the authentication process is very difficult to hack
Security benefits extend beyond authentication. For example, authenticated users can digitally sign emails and attached documents.
Benefits of Going Passwordless
Passwordless authentication helps companies get past the problems they encounter using passwords. It also means users don’t have to rely on a password manager that could end up in a similar situation to the LastPass hack. Here are some other ways going passwordless benefits companies and helps them get past the current vulnerabilities of Web 2.0 technologies.
Enhanced Cybersecurity
Passwordless authentication reduces the threat of identity and data theft because of stolen credentials. In addition, there’s no dependency on passwords, eliminating the need for companies to adopt technology like LastPass that could be hacked.
Prevents Attacks on Passwords
Getting rid of passwords lets companies reduce the threat surface for attackers. That means fewer attempts at brute force attacks, phishing, and dictionary attacks. With over 91% of attacks initiated by phishing emails, going passwordless is essential in helping businesses protect themselves and their users.
Can Lead to Lower Expenses Long-Term
Removing passwords from the security equation means less time and money spent on maintaining, protecting, and recovering passwords. You also free your organization from constantly adapting to new password storage requirements to avoid legal issues.
Offers a Better User Experience
The biggest benefit to users is no longer having to remember complex passwords or find a way to store them securely. Making access as simple as turning on a phone makes the login process seamless, improving a user’s overall experience.
Go Passwordless With Axiad
Axiad can help your organization find ways to securely connect your business users to the data and applications essential to their job roles. Learn more about how we can help by contacting one of our experts for a demo.