One Key to Rule Them All? A Very Bad Idea
John Paglierani, VP of Engineering, HYPR
3 Min. Read | December 29, 2022
A friend of mine, Igor Odnovorov, always said, “Convenience is the enemy of security.” This recently hit home for me and many others.
I have used the LastPass password manager for years. I made sure to investigate how the company protects user data, and it was clear that they did not maintain any keys or the ability to decrypt your data, except using your “master password.” The proverbial one key that rules them all. This makes it very convenient to store and retrieve all your passwords, especially if you use the random password generator.
One Point of Failure
Recently LastPass announced a security breach, which I have been following closely both as a product user and security practitioner. Last week, they sent this announcement. If you read closely it indicates that “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container.” This means that someone now has my password vault, although not my master password.
They continue to explain that “the threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.” So now the big questions: “How secure is my master password?” and “Can any information that might be available on the dark web from other breaches be used to hack my master password?” Recalling my master password, I know it’s unique, but how hard would it be to crack?
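As an added worked example (not code from the article, from HYPR, or from LastPass), the following Python turns those two questions into numbers a vault owner can act on: it estimates the entropy of a master password, flags one that already appears in a breach corpus (those are tried first, so their effective entropy is zero), and converts entropy into an expected offline cracking time at a given guess rate and KDF iteration count. The iteration count, the guess rate and the breach corpus are all constructed placeholders, not figures from the article; plug in real ones to decide whether a master password needs rotating after a vault copy leaks.

```python
import math

# Constructed placeholders (not from the article): an assumed iteration count for
# the vault's key derivation function and an assumed offline guess rate for a
# single KDF iteration. Replace both with real figures before relying on the result.
ASSUMED_KDF_ITERATIONS = 100_000
ASSUMED_RAW_GUESSES_PER_SECOND = 1e10  # hypothetical GPU rig, one KDF iteration each

# Constructed stand-in for a breach corpus; a real check would use a full leaked-password list.
CONSTRUCTED_BREACH_CORPUS = {"password123", "Winter2022!", "letmein"}

SECONDS_PER_YEAR = 31_557_600


def charset_size(password: str) -> int:
    """Size of the smallest mix of standard character classes that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy, assuming each character is drawn uniformly from its class mix."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a randomly generated passphrase of word_count words from a dictionary."""
    return word_count * math.log2(dictionary_size)


def expected_crack_seconds(bits: float,
                           kdf_iterations: int = ASSUMED_KDF_ITERATIONS,
                           raw_rate: float = ASSUMED_RAW_GUESSES_PER_SECOND) -> float:
    """Expected time to reach the right guess: half the keyspace at the iteration-adjusted rate."""
    effective_rate = raw_rate / kdf_iterations  # each guess costs kdf_iterations hashes
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / effective_rate


def in_known_breach(password: str, corpus=CONSTRUCTED_BREACH_CORPUS) -> bool:
    """A password already in a breach corpus is guessed first, so it has no effective entropy."""
    return password in corpus


def assess(password: str) -> dict:
    """Summarise a master password's effective entropy and expected offline crack time in years."""
    bits = 0.0 if in_known_breach(password) else entropy_bits(password)
    return {"bits": round(bits, 1),
            "crack_years": expected_crack_seconds(bits) / SECONDS_PER_YEAR}


if __name__ == "__main__":
    for pw in ["Winter2022!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(pw, assess(pw))
    # A generated 4-word passphrase from a 7776-word list, for comparison:
    print("4-word passphrase", passphrase_entropy_bits(4, 7776), "bits")
```

The entropy here is an upper bound: a human-chosen password that mixes classes is still far weaker than a uniformly random one of the same length, which is why the article's random password generator matters as much for the master password as for the vault entries.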
So now I start thinking about what's in my LastPass vault if they were to get in. All of my email, financial accounts and any other important accounts are protected with traditional MFA or 2FA, whatever the specific organization allows. Good, I'm protected, right? Wrong. Other recent attacks irrefutably prove that traditional MFA and 2FA are phishable.
I am also using the LastPass MFA application, which backs up your MFA keys to the cloud. Great. If they get into my LastPass account they also have my MFA keys, no need to even phish and socially engineer me into sending them an MFA code.
Then it hits me that my recovery key for my “Metamask Wallet” is stored in my LastPass vault. So not only can they get to my financial accounts but also my crypto wallet (not much stored there, but still).
The Road to Recovery
Fixing all this will take multiple steps:
- Changing all my MFA setups to make sure that even if hackers get the passwords, they can't use the old MFA to get into the accounts.
- Changing all my passwords for any account that has any financial, bank or credit card information.
- Deleting any accounts I don’t really use and might have created for convenience; this way I am not worried about these websites getting hacked and more information about me getting onto the dark web.
- I will never keep everything in one place under a single company or master password.
- I will not trust any cloud provider to keep all my passwords and information. (Apple, are you listening? Passkeys stored in the cloud are not a great idea.)
- I will continue to push using FIDO as the gold standard, so that all my logins are protected by a physical device and not stored in the cloud anywhere.
Rules to Remember
When considering how to secure your logins, keep in mind:
- If it's convenient for you to retrieve your passwords then it's convenient for hackers too.
- Separate your information. If you do need to use a password manager, then use a different MFA provider and make sure the information is not stored together. If they get one part, they still need the other part to completely access your information.
- Look for FIDO-based passwordless authentication, and if your financial institution supports it, use that rather than traditional MFA with passwords.
- Never trust “one key to rule all,” no matter who has your data. Even large companies like Apple experience security breaches.