The Last Straw for LastPass – Migration Time

January 17, 2022 – Final update for the LastPass breach

Previous blog article: LastPass Breach Blog article and update 2 (12-24-2022)

“Parachute manufacturers have a low tolerance for risk, don’t they?” Bradley Gross said in a recent CyberHoot group discussion regarding the LastPass breach. “That doesn’t stop them from making parachutes, does it?” If you are going to jump, you carry a second parachute as a backup, you diligently practice emergency procedures, and you pack your parachute carefully. You do these things to give yourself the best chance of success, because failure is, well, fatal. The same analogy applies to password managers: they are the parachute protecting your digital identity. When they fail, the failure can be devastating, but you still must have your parachute.

In today’s connected world, you must have and use a password manager. A critical failure like the LastPass breach, however, gives us the opportunity to step back and re-evaluate the criteria by which we choose a password management provider and how we operate the solution. We need to look at how our chosen password management solution is implemented to ensure it is ‘packed right’. We need to train for emergencies like this one (no software ever written is perfect). We need to choose the best possible manufacturer. This article describes CyberHoot’s criteria for selecting a password management provider, which you can apply in your own business or managed service provider (MSP).

CyberHoot has decided to switch to another password management (PM) platform. We have also agreed to stop recommending one specific password manager to others. There are many reasons for this change. We generally follow the guidance of security experts such as Bruce Schneier, Brad Deplin of TotalDigitalSecurity and Jeremy Gosney (Yahoo security researcher). They too have recently concluded that LastPass’s latest security breach, and its communication about it, is the last straw, and that it is time to migrate. But which vendor should be chosen, and how?

CyberHoot learned a great deal about PM solutions during this event, and about the many challenges these providers face; they really do resemble parachute makers. CyberHoot therefore suggests you follow our criteria for choosing your PM tool:

  1. First and foremost: given the criticality of the data held in your password manager, the fact that most products are cloud-hosted (exposing them to a large body of attackers), and the fact that no software solution ever written has been perfect, CyberHoot recommends that you find a vendor that conducts multiple third-party application security assessments, penetration tests, and audits of its platform, architecture, and code base. You want a product independently verified, on an annual basis, by more than one third party (if possible). While this is no guarantee that all bugs and vulnerabilities have been identified, it is certainly better than not doing them at all. All other criteria are of secondary importance.
  2. Many people argue that cloud-synced SaaS PMs remain practical and important for ease of use, but stand-alone solutions that do not sync over the cloud (internet) also exist. You will have to decide whether or not you want your vault synced through the cloud.
  3. A strong bug-bounty program is also a strong indicator that the vendor is serious about finding and eliminating critical risks in its platform. It gives gray-hat and white-hat hackers a financial incentive to sell their zero-day bugs to the vendor instead of on the dark web. You want a PM solution that documents its bounty program.
  4. Features, pricing and functionality are your next and final set of criteria. This is where most vendors are fairly close to each other: feature sets and functionality (browser plug-in, mobile device support, technical support) are broadly similar, with a few features that differentiate vendors. Once a vendor has met the criteria above, the choice comes down to your preferences, ease of use and specific needs. Consider these three password manager reviews from trusted tech advisors:
    1. ZDNet: The Six (6) Best Password Managers of 2023
    2. Tom’s Guide – Best Password Managers of 2023
    3. PC Magazine – Best Password Managers of 2023
