Earlier in December, we learned that LastPass customers’ data was stolen in a security incident. LastPass informed its customers that leaked sensitive data, including email, phone, billing address, and the IP address of users while using the service. The company assured its customers that credentials were not compromised in the incident.
On December 22, we learned that the hacker also accessed backups of credential vaults. Even though we are assured by LastPass that no attacker can crack the password vaults due to the AES-256 encryption and Zero Knowledge architecture, we can conclude from research and personal experience that many master passwords are weak, reused, and more easily guessable than high entropy passwords.
Too many passwords
LastPass celebrated reaching 25 million users in 2020. A study commissioned by NordPass last year found that the average user has around 100 passwords for websites and services. Going by averages, a conservative estimate, an additional 2.5 billion leaked credentials will be sold on the dark web sooner than any of us expect.
The pedestrian advice journalists and experts currently recommend to users and organizations ranges from changing passwords to enabling MFA to ditch LastPass or password managers altogether. I don’t use LastPass (I use a different password manager) and my vault has over 800 credentials. Whether users have 100 or 800 passwords, changing passwords and enabling MFA on most or all accounts is a challenge, even for tech-savvy users.
100 password resets * 5 minutes per reset = 500 minutes = 8.33 hours
800 password resets * 5 minutes per reset = 4000 minutes = 66.66 hours
That time doesn’t include setting up MFA, which is impossible for all accounts.
It is improbable that anyone would invest hours, days, or weeks of their lives resetting their passwords even after an incident such as the LastPass breach.
The obvious solution of changing all the passwords –or enabling MFA– isn’t the most practical or realistic.
Credential verification stops ATOs before they start
Organizations have a fiduciary and legal responsibility to protect their users’ credentials and sensitive data. We often discuss the need to assess the risk of compromised credentials and warn that free breach notification services are not viable security solutions and provide a false sense of security.
We also explain how the risk of ATO attacks can be mitigated with modern identity threat intelligence solutions like our patented CredVerify technology. CISOs and IT leaders must go beyond free breach notification services and generic compromised password lists. The solution for monitoring and verification of compromised credentials needs to be able to answer the following:
- Is my current password leaked or reused?
- How at risk are the executives and privileged users in my organization?
- How can I only notify affected users without forcing a user to change his or her password due to hypothetical risk?
- How can I verify compromised credentials without revealing the account identifier or the credential with a service provider?
- Does this user’s leaked credential satisfy or violate my organization’s password policy?
If you haven’t done so, you can request a demo or get started with credential verification for protecting your sensitive data and customer accounts.
VeriClouds is the white-labeled solution behind one of the largest email providers in the world.