The LastPass security breach disclosed in late 2022 sent a shockwave through the security community. Password managers are typically seen as the most secure and trusted platforms because they have to be: a single vault holds credentials for numerous services, so a breach of any customer vault can have catastrophic consequences.
No service is perfect, and that goes for password managers, so what can you do to protect yourself even further?
Choosing strong service passwords, diligently protecting secret keys, and enforcing multi-factor authentication are all steps your organization can take to limit the damage if a service it relies on is breached.
What Happened During the LastPass Breach?
In December 2022, LastPass disclosed that threat actors had stolen backup data, including source code and customer vaults. The vaults contain unencrypted metadata such as website URLs alongside encrypted fields such as usernames and passwords. Judging by usage figures from a LastPass press release, at least 30 million users and 85,000 businesses are potentially affected.
The breach unfolded in two stages. A threat actor first compromised a development environment and stole source code and technical information. The actor then used that information to target a second LastPass employee, obtaining credentials and keys that gave access to storage volumes within the company's cloud-based storage service and allowed the stored data to be decrypted.
Ultimately, this led to the threat actors stealing a large amount of data, including encrypted customer vaults.
What Can Your Organization Do?
Entrusting your sensitive data to a cloud service is already a decision that requires significant research to find the right fit for your organization. An on-premises solution is not inherently more secure, either.
It is all too easy for overworked IT administrators to misconfigure a solution, lose credentials to a threat actor, or fall behind on patching an on-premises solution.
One advantage cloud services have is teams dedicated to each of those challenges.
Many IT departments lack the resources to assign similar groups to an on-premises password management solution. Presuming that your IT organization will use a cloud-based service, how can you better protect your data?
Ensuring the Use of Zero-Knowledge Password Management Architectures
When choosing a cloud-based password management solution, the service should have no way to decrypt your data. Typically this is achieved with an encryption key that only the customer holds and the online service never receives; in most products it is derived on the client from the master password, in some combined with an additional “secret key”. Because the service never sees that key, stolen vault data cannot simply be read by a threat actor.
This protection is only as good as the password or key the vault key is derived from, how well it is protected, and the key-derivation and encryption parameters used on the provider side. In the LastPass case the vault key is derived from each user's master password with PBKDF2, so whoever holds a stolen vault can guess master passwords offline at a rate governed by the iteration count; accounts left on low legacy iteration counts are far cheaper to attack than those on the current default.
What you can do, as the customer, is use a sufficiently long, randomly generated master password that cannot be guessed in any reasonable timeframe, and, where the service exposes the setting, raise the key-derivation iteration count to the provider's current recommendation if your account predates it.
Protecting the secret key is crucial to ensuring that a threat actor cannot decrypt your organization’s data in the event of a breach.
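The trade-off described in this section, as an added example that is not part of the original article or of LastPass's code: derive a vault key on the client with PBKDF2 and estimate how long an attacker holding a stolen vault needs to exhaust a password space. The iteration counts and the attacker's hash rate are assumptions (labelled in the code), so treat the resulting numbers as orders of magnitude rather than measurements.

```python
import hashlib
import math
import secrets
import string

# Assumed parameters, chosen for illustration. The default iteration count
# matches what LastPass reported using at the time of the breach; the legacy
# value stands in for older accounts that were never migrated.
DEFAULT_ITERATIONS = 100_100
LEGACY_ITERATIONS = 5_000

# Assumed attacker capability: raw SHA-256 computations per second across a
# GPU cracking rig. A constructed round number, not a measurement.
ATTACKER_SHA256_PER_SEC = 1e10

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Client-side key derivation. Only the resulting key encrypts the vault;
    neither the master password nor this key is ever sent to the service."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def generate_master_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password drawn from the OS CSPRNG (not random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, iterations: int,
                       hashes_per_sec: float = ATTACKER_SHA256_PER_SEC) -> float:
    """Worst-case time for an offline attacker holding the encrypted vault to
    try every password in the space. Each PBKDF2 guess costs `iterations`
    hashes, so the iteration count divides the attacker's guess rate directly."""
    guesses_per_sec = hashes_per_sec / iterations
    return (2 ** bits) / guesses_per_sec


def compare_scenarios() -> dict:
    """Exhaust times for a weak (8 lowercase letters) and a strong (20 random
    printable characters) master password under both iteration counts."""
    weak = entropy_bits(8, 26)
    strong = entropy_bits(20, len(ALPHABET))
    day = 86_400
    return {
        "weak_legacy_days": seconds_to_exhaust(weak, LEGACY_ITERATIONS) / day,
        "weak_default_days": seconds_to_exhaust(weak, DEFAULT_ITERATIONS) / day,
        "strong_default_years": seconds_to_exhaust(strong, DEFAULT_ITERATIONS) / (365 * day),
    }


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # per-user salt, stored alongside the vault
    pw = generate_master_password()
    key = derive_vault_key(pw, salt, DEFAULT_ITERATIONS)
    print(f"master password: {pw}")
    print(f"vault key (hex): {key.hex()}")
    for name, value in compare_scenarios().items():
        print(f"{name}: {value:,.1f}")
```

Under these assumptions an eight-letter lowercase master password on the legacy iteration count falls in about a day, the default iteration count only stretches that to a few weeks, while a 20-character random password is out of reach regardless; the iteration count buys a constant factor, the password's entropy buys an exponential one.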
Securing Administrative Accounts
Naturally, any service requires administrative accounts to configure it, and those accounts usually have access to all of the stored data.
Protecting these accounts from phishing, and from brute-force password attempts through a strong password policy, greatly reduces the chance of a threat actor reaching your company’s password vaults.
An administrative account should not use a default username or a password that appears in a known breach. NIST SP 800-63B recommends screening passwords against lists of compromised passwords.
Enforcing Multi-Factor Authentication
Paired with a strong password, properly enforced multi-factor authentication goes a long way toward defeating attempts to access your organization’s sensitive data. A good MFA setup uses robust methods such as a hardware security key or a platform biometric like a fingerprint.
MFA is often treated as an add-on, but a security-conscious organization enforces it for everyone. Even with a stolen password, MFA usually stops a threat actor, because defeating a second, hardware-backed factor takes far more effort than simply replaying a stolen credential.
Protecting Access to Resources with Strong Password Policies
Underlying the protection of your company’s sensitive data is a robust password policy. A strong policy is crucial for the master password that protects the vault key, for the administrative accounts, and for any device accounts that access the online resources.
By ensuring that your organization has an appropriate password policy that blocks re-use of breached passwords, your company will fare far better if a breach occurs.
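The breached-password screening recommended above (NIST SP 800-63B) and the breached-password rule of the policy, as an added example that is not part of the article or of Specops Password Policy: a k-anonymity lookup that reveals only the first five characters of the password's SHA-1 hash, wrapped in a small policy check. The breach corpus, its occurrence counts and the 14-character minimum are constructed for the example.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed corpus of compromised passwords with made-up occurrence counts.
# A real deployment would use a full breached-password list or a k-anonymity
# range API; the HIBP Pwned Passwords endpoint
# https://api.pwnedpasswords.com/range/<prefix> follows the protocol simulated here.
BREACHED_SAMPLE = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "qwerty": 4_000_000,
    "letmein": 500_000,
    "Winter2023!": 1_200,
}


def sha1_upper(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Group breached hashes by their first five hex digits, as a range API does."""
    index: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(BREACHED_SAMPLE)


def sample_range_lookup(prefix: str) -> str:
    """Stand-in for the network call: given only a 5-character prefix, return
    every stored 'SUFFIX:COUNT' line sharing it (possibly none)."""
    return "\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity check: only the prefix leaves this function; the remaining
    35 hex digits are compared locally against the returned suffixes."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(candidate: str, username: str,
                      range_lookup: Callable[[str], str] = sample_range_lookup,
                      min_length: int = 14) -> List[str]:
    """Return the policy rules the candidate fails (empty list means accepted).
    Length and breach screening follow NIST SP 800-63B; the username rule is a
    common complexity add-on."""
    failures: List[str] = []
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if username and username.lower() in candidate.lower():
        failures.append("contains the username")
    hits = breach_count(candidate, range_lookup)
    if hits:
        failures.append(f"appears in breach corpus {hits} times")
    return failures


if __name__ == "__main__":
    samples = [("alice", "password"), ("bob", "Winter2023!"),
               ("carol", "carol-has-a-long-one"), ("dave", "tXq7#vL9!mRz2@pWk4$")]
    for user, pw in samples:
        verdict = evaluate_password(pw, user) or ["accepted"]
        print(f"{user:6} {pw!r:24} -> {', '.join(verdict)}")
```

The point of the prefix split is that a lookup service, or anyone watching the traffic, learns nothing usable about the password: the five-character prefix matches roughly one in a million candidate hashes, and the match itself is decided on the client.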
Protect Resources with Specops Password Policy
Building the base of a strong password policy, Specops Password Policy provides the features to keep your organization safe and compliant.
Through in-depth password complexity rules and the breached password protection add-on, your organization can ensure your users abide by best practices for passwords.
Moving beyond password rules, Specops Password Policy integrates with your Active Directory domain to provide granular targeting of policies. In addition, users see whether a new password meets the complexity requirements right from their desktop as they change it.
Mitigate the Dangers of a Hacked Password Manager
In the end, a breached password manager is never good, but it doesn’t have to be catastrophic. Using common-sense account security practices, strong password policies, and enforced multi-factor authentication, you can help protect your organization from falling victim.
It is always best to assume that any service can be breached at any time. Put the appropriate controls in place ahead of a breach to minimize the risk to your company and your customers’ data.
Sponsored and written by Specops Software