Security
Understanding Password Manager’s Risks and Rewards
These last several weeks have brought up a lot of interesting discussions around passwords and password management, both personally and in the enterprise.
This was spurred largely by the news that a Google Project Zero researcher found many major vulnerabilities in the code of the LastPass plugins for Chrome and Firefox, two of the most used web browsers. When any software is found to have serious vulnerabilities, one naturally takes pause to consider the security of said software.
The Vulnerabilities
Both vulnerabilities were critical. The first one affected only the binary component of the Firefox plugin. It allowed an attacker to execute a malicious code payload remotely, a class of flaw commonly called a Remote Code Execution (RCE) vulnerability. Essentially, with a few lines of JavaScript in a compromised or malicious webpage, the browser plugin could be made to run other commands and code on the user’s computer. This could be anything from downloading ransomware or other malware, to loading a program into memory, to searching for files to upload to a drop site. The possibilities are endless.
The second vulnerability struck at the core function and purpose of LastPass: it allowed a user’s password to be stolen with as little as two lines of JavaScript in a compromised or malicious webpage. The vulnerability essentially commands the plugin to load vaulted credentials into the database of the server, thereby storing the credentials in plaintext.
LastPass has issued fixes for all of these. Some of the fixes were server-side workarounds, but there is also an updated version of the plugin for the affected browsers, which they recommend upgrading to.
What should you do? Stop using password managers? Change password manager solutions? Accept the possible risks? Let’s examine what password managers do for consumers and enterprises before you decide.
What do password managers do?
Password managers are solutions that solve a set of problems. Users tend to create easy to guess passwords and then reuse these passwords. Enterprises have a difficult time auditing password complexity and reuse.
Of course, easy-to-guess passwords are in any decent attacker’s dictionary of passwords to try in dictionary attacks against login screens and stolen password hashes. When users reuse passwords across work, social media and e-commerce sites, a compromise of the third-party site hands attackers credentials into the user’s workplace, putting that company at risk of also being compromised. Even though companies may have policies regarding password reuse, creation, and complexity, it is difficult for companies to audit the passwords. They can’t always ensure that passwords are not being reused across other accounts and that they maintain proper complexity.
This is where password managers come into play. Good password managers allow for easy generation of complex passwords that are not reused across the accounts they store. They should be protected by strong encryption methods and have the ability to require multi-factor authentication for unlocking the encrypted vault of passwords.
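The two problems a password manager addresses above, weak or dictionary passwords and reuse across accounts, can be checked mechanically. The following is an added example, not code from the original post or from LastPass: it generates policy-compliant passwords with a CSPRNG and audits a constructed set of credentials for weakness, dictionary hits and reuse. The account names, passwords and the small dictionary are constructed sample data.

```python
import re
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_complexity(password: str, min_length: int = 12) -> bool:
    """Policy check: minimum length plus all four character classes."""
    return (
        len(password) >= min_length
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and any(c in string.punctuation for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Generate a random password from a CSPRNG, retrying until it meets policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_complexity(candidate):
            return candidate


def audit(credentials: dict, dictionary: set) -> dict:
    """Return findings per account: 'weak', 'dictionary' and/or 'reused:<accounts>'."""
    accounts_by_password = defaultdict(list)
    for account, password in credentials.items():
        accounts_by_password[password].append(account)
    findings = defaultdict(list)
    for account, password in credentials.items():
        if not meets_complexity(password):
            findings[account].append("weak")
        if password.lower() in dictionary:
            findings[account].append("dictionary")
        others = sorted(a for a in accounts_by_password[password] if a != account)
        if others:
            findings[account].append("reused:" + ",".join(others))
    return dict(findings)


# Constructed sample data: a user reusing one password across work and a shop,
# a default-style password, and one manager-generated credential.
SAMPLE_CREDENTIALS = {
    "alice@corp": "Summer2016!",
    "alice@shop": "Summer2016!",
    "bob@corp": "password",
    "carol@corp": generate_password(),
}
COMMON_PASSWORDS = {"password", "123456", "summer2016!"}  # constructed dictionary
```

Running `audit(SAMPLE_CREDENTIALS, COMMON_PASSWORDS)` flags both of alice’s accounts as weak, dictionary and reused, flags bob’s as weak and dictionary, and leaves carol’s generated credential clean.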
Some password managers have browser plugins which detect login sections on a webpage and attempt to fill in an appropriate credential depending on the website URL or domain. Some password managers do not have browser plugins to ensure the plugin will not be used as a vector to attack and gain unauthorized access to the vault. These are usually less convenient for the average user and consumer.
What is the risk?
The risk of having one’s password manager exploited by a known exploit is easily mitigated by keeping this software up to date. Many may ask, “But what about a 0day exploit?” That is, an exploit for which there is no patch, because no one but the attacker knows about the vulnerability. This is a possibility for any and all software currently in use, including the operating systems Linux, Windows, OSX, iOS, Android, etc.
A year ago there was a major vulnerability known as ShellShock, which used a victim’s server application to execute bash scripts because of the way Linux handled environment variables. This vulnerability affected 20 years of Linux kernel based operating systems, yet here we are today, running Linux on workstations, servers, cameras, IoT devices, and Android smartphones. That is because of a very important detail many people leave out: who knows what, and when?
How many people knew about these LastPass vulnerabilities before the researcher found them? It is impossible to tell, but judging by the reaction by information security professionals, that number is low. How many people know about the ShellShock vulnerability in older Linux kernels? Anyone with decent Google skills. The risk of a 0day exploit affecting your applications is only as high as the value of target you are to an attacker. 0day exploits are generally used by highly motivated attackers for very targeted campaigns.
According to the Verizon Data Breach Report from 2016, 85% of all breaches they investigated in the reporting year were the result of unpatched applications and systems. That means the vulnerability was well known. Furthermore, 90% of those fell into 10 specific vulnerabilities. It found that 63% of breaches involved default, stolen, or weak passwords.
It’s important to note that the probability of being attacked by a 0day exploit against your password manager is far lower than the probability that your users will reuse weak passwords and pose a greater danger to your company’s security.
What should you do?
It depends on your situation.
If your company is a high-value target, you might consider a password manager other than a browser-plugin-based one. Many privilege management solutions exist which include secure password vaults. The difficulty here will be convenience. If your users are not given an easy-to-use password management tool or system, they will most likely get frustrated and go back to the bad habit of easy-to-guess passwords that they reuse. So training, as well as testing candidate tools with real users before rollout, is very important to mitigate that.
Otherwise, consider keeping your domain admin, service account credentials, and higher privilege account credentials in a non-browser plugin based manager. This adds a layer of separation and security for the password manager and, therefore, the credentials. The rest of the enterprise can likely continue using their browser plugin based password manager without much worry.
Thinking about changing password managers out of fear that one vendor has in-house software development problems? That is a good discussion to have, but keep in mind that any software can be exploited if a vulnerability can be found. It takes consistent secure coding practices to thwart efforts to find vulnerabilities in software. If you must switch, make sure you make an informed decision based on the vendor’s security practices.
After this discussion you may think you should stop using password managers altogether. This is the worst reaction one can have to the news of vulnerabilities in a piece of software. The practice of complex, auditable, and unique passwords being used by your user base brings far more value and mitigation to the risk of account compromise than abandoning password management does.
At the end of the day, it is up to each CISO to determine risk through threat modeling in order to determine appropriate actions to mature their security program.
Kristen Norris
Awesome.