The LastPass breach reminded us there is no way to stay 100% safe online and highlights some of the risks associated with using a central vault to store passwords and other secrets. However, password managers (PMs) remain the most secure way to protect passwords, even though they are not perfect. PMs allow you to store strong, unique passwords for all the dozens or hundreds of websites, web applications and services a user utilizes regularly. Additionally, PMs:

• Enable the user to log in without typing the password every time, protecting them from keyloggers
• Allow users to utilize stronger passwords that don’t need to be written down
• Encourage users to use different passwords for every account
• Provide some protection against credential-harvesting phishing emails, as they will not populate credentials into spoofed sites

While keeping all your passwords in one location is an inherent risk with PMs, the trade-off is worth the risk. Most PMs utilize 256-bit Advanced Encryption Standard (AES), zero trust (your master password is encrypted before leaving your device) and two-factor authentication (2FA) to protect password vaults.

Types of Password Managers

There are three types of PMs: device-based, cloud-based and on-premise. Each class is an exercise in balancing the equation of security and convenience. For example:

• Device-based solutions run locally on a device, which limits sharing the password vault across multiple devices; they do not detect weak or reused passwords and do not have the security controls a commercial PM does.
• Cloud solutions work with multiple devices and detect weak or reused passwords; however, your data is on someone else’s server.
• On-premise solutions may appear to be the safest option, but they add the complications of maintaining in-house IT infrastructure and data backups, which may increase the cost.

Note: Using your browser’s “Save Password” feature to save passwords is not considered a safe or recommended way to store passwords.
While some inherent risk stems from the mere use of any PM solution, an understanding of the risk of each solution should be obtained during the due diligence and vendor management process. Any risk remaining after the solution selection should be addressed in the IT risk assessment to ensure the solution’s risk score is acceptable to your organization’s risk appetite.

Things to Consider When Changing Password Managers

If your organization currently utilizes LastPass as a password management solution, it is absolutely appropriate to evaluate alternate PM products and solutions, as there are many viable password management vendors in the market. However, it is recommended that your organization only switches PM providers after doing your homework. Keep in mind your current investment with the incumbent provider. For example, even if you believe it’s in your organization’s best interest to switch PM providers, what does that transition look like? Does your current PM provider make it easy for you to transition all your sites and passwords to another platform, or will that transition be time-consuming and complicated?

Alternatively, your organization may wish to shift from a cloud-based password manager to a device-based or on-premise version. Still, it is recommended that you evaluate the pros and cons of making such a switch. For example, if you currently have users utilizing a cloud-based PM and want to shift to an on-premise PM, what functionality will your users lose in that switch?

If you are evaluating your password management solution, it is recommended that you do the proper homework (vendor due diligence and IT risk assessment) on alternative PM solutions to ensure appropriate security controls and risk mitigation measures are in place. Only once you’ve done the appropriate homework can you determine the best path forward for your organization based on an informed business decision.
SBS CyberSecurity does not partner with nor endorse any password management vendors or solutions. For more information, contact Robb Nielsen at 605-251-7375 or robb.nielsen@sbscyber.com. SBS helps business leaders identify and understand cybersecurity risks to make more informed and proactive business decisions. Learn more at www.sbscyber.com.

Are Password Managers Secure?
By Shane Daniel, SVP Information Security Consultant/Regional Director, and Terry Kuxhaus, Senior Information Security Consultant, SBS CyberSecurity

16 THE ARIZONA BANKER