The supply chain breach of Passwordstate, an Australian-based enterprise-grade password manager, was the latest in a series of confidence-shaking breaches since the SolarWinds attack was disclosed in December.
While Passwordstate has a relatively low level of brand awareness in the U.S., more than 29,000 organizations across the globe and upwards of 370,000 IT and security professionals used the password manager.
The Passwordstate breach, involving the insertion of malicious malware inside a software application update, raised questions about the very trust and security of password managers, a product that thousands of companies consider their last line of defense against malicious threat actors.
The use of password managers is on the rise, according to Juan Andres Guerrero-Saade, principal threat researcher at SentinelOne, with most consumer solutions folded into widely used web browsers.
"While it's generally better practice than what most users do with their passwords (reusing predictable passwords or writing them down in a text file or post it note), it does represent a single point of failure that needs to be specially guarded," said Guerrero-Saade.
Analysts acknowledge password managers are not the perfect solution for secure authentication. However, they offer a combination of security and flexibility that give companies the ability to maintain worker productivity with some assurance that IT security officials can manage who gets access to applications, confidential company data and personal information.
More than 80% of security breaches in the enterprise are based on using weak or reused passwords, according to Gartner research. And most user-generated passwords have only 40.5 bits of entropy, a password combination that a computer can guess in less than an hour.
Additional data shows 60% of users reuse the same passwords on multiple sites, so when a threat actor manages to figure out one password, they are likely to figure out passwords across multiple sites, according to the Gartner report.
Users on average can have 100 different usernames and passwords for different applications. Password managers can control access to a wide array of accounts and users need only remember the master password. Password management software is capable of generating passwords with up to 500 bits of entropy, which is very difficult for a computer generated hack to overcome.
"Having all the user credentials in one place does pose a risk," David Chase, Gartner senior research director said via email. "However, we need to ask, 'What is the alternative?'"
If the answer is to integrate the site with an authentication platform that incorporates federated protocols, analytics and data loss protection then that should be included in the system, Chase said. However, not all password applications support federated protocols.
LastPass for example, is used by more than 70,000 businesses across the country. The company offers a widely used password management service for consumers, but the enterprise version includes a series of enhancements designed to protect sensitive company data, while giving IT security officials the ability to manage scale across a large base of workers.
Tom Garrubba, CISO at Shared Assessments, said many organizations — including his — have embraced password managers as means of providing secure authentication. He said the idea of storing password credentials under one system is not something that he is concerned about.
"My focus is on the security surrounding the accounts being stored, such as the strength of the encryption of the accounts and passwords, the strength and means of encryption where they pass these credentials to the user, encryption key management and their internal machinations for managing overall security," Garrubba said via email.
There are a couple of indicators that Garrubba uses to judge the effectiveness of a password management system. One is whether the help desk or IT support team show a decrease in the number of password change requests. Another indicator is whether users report a lower number of phishing attempts, since those attempts are often linked to the number of compromised passwords.
When looking for a password management application, companies need to look for a vendor that has a track record of being proactive about security, being responsive to customers in terms of providing transparency, and also using the best available technology and best practices when it comes to how they manage the product.
"If you see bad practices that are happening inside a company or a history of breaches or generally they just don't take things seriously, those are red flags that I would look at," James Pleger, manager SpecOps at SumoLogic.
"The bottom line is this, when you vet out a vendor with respect to a cybersecurity solution — and in this case an enterprise password management product — you have to make sure that certain features, functionality and security safeguards are there," Darren Guccione, co-founder and CEO of Keeper Security.
Correction: This article has been updated to reflect Darren Guccione is the CEO and co-founder of Keeper Security.