Defeating Password Managers
Over the last few years the use of password managers such as Dashlane, 1Password and LastPass has become commonplace in organisations. They have also been highly promoted as good practice by almost every security expert, including password god Troy Hunt and security researcher Scott Helme.
My observation has been that companies introducing password managers into their organisation have missed some key points, massively underestimating the risk described below or not seeing it at all.
One Password To Rule Them All
The point of a password manager is to have one strong password that you can remember, which you use to access all of your other accounts and passwords, so that you don’t have to remember lots of passwords. This encourages less password reuse and stronger password choices.
The Bad Thing
I’ve seen this scenario a couple of times in development teams but suspect it’s representative of all kinds of teams. One (or several) individuals champion the use of a password manager because of the obvious benefits it offers. Management are skeptical at first but eventually agree; the company picks the provider for them, runs a quick training session or sends an email to the employees, and they start using it.
Some password managers, like Dashlane, give each employee a score that can be seen by management, showing how strong their passwords are and whether any have been reused. This is great as it provides feedback that the manager is being used as intended; if not, the employee can be reminded about the password policy. Before, this information would have been invisible to the company.
So now the employees only have to remember one password and the company can see that passwords aren’t being reused and are strong. Great. Well, that’s not entirely true: they also have to remember their Windows password, as they likely cannot use the password manager until after they have logged in. This is where the old problem of password reuse comes back. While those who championed the password manager (hopefully) wouldn’t dream of using the same password to log into Windows as their master password, there will be members of the team who might.
Windows passwords (NTLMv2 hashes) are notoriously easy to crack and can be captured in a number of ways, especially if someone has access to the network or SMB isn’t being blocked outbound.
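As an added example (not code from the original post), here is a small Python detector that reads firewall log lines and flags workstations making SMB connections (TCP 445 or 139) to addresses outside the internal range, which is one way to verify that the outbound SMB block mentioned above is actually in place. The log line format, the 10.0.0.0/8 internal range and the sample lines are constructed assumptions. An "allow" hit means the egress block is missing; a "deny" hit still tells you which host attempted it and is worth a look.

```python
"""
Added example (not from the original post): flag outbound SMB connection
attempts from workstations in firewall log lines. The log format, the
internal address range and the sample lines are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simplified key=value format (assumption):
# <timestamp> action=<allow|deny> src=<ip>:<port> dst=<ip>:<port> proto=tcp
SAMPLE_LOG = """\
2023-05-01T09:12:01Z action=allow src=10.0.5.23:51022 dst=10.0.1.10:445 proto=tcp
2023-05-01T09:12:05Z action=allow src=10.0.5.23:51040 dst=203.0.113.7:445 proto=tcp
2023-05-01T09:13:11Z action=deny src=10.0.5.41:50211 dst=198.51.100.9:445 proto=tcp
2023-05-01T09:14:00Z action=allow src=10.0.5.41:50300 dst=93.184.216.34:443 proto=tcp
2023-05-01T09:15:30Z action=allow src=10.0.5.23:51055 dst=203.0.113.7:139 proto=tcp
"""

# Assumed internal range; replace with the organisation's real prefixes.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SMB_PORTS = {445, 139}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+):\d+ "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def is_internal(ip):
    """True if the address falls inside one of the internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text):
    """Return (timestamp, src, dst, dport, action) for SMB to non-internal hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        dport = int(m["dport"])
        if dport in SMB_PORTS and m["proto"] == "tcp" and not is_internal(m["dst"]):
            hits.append((m["ts"], m["src"], m["dst"], dport, m["action"]))
    return hits


def summarise(hits):
    """Count attempts per source host; any 'allow' means the egress block is missing."""
    per_src = Counter(h[1] for h in hits)
    allowed = [h for h in hits if h[4] == "allow"]
    return {"per_source": dict(per_src), "allowed_count": len(allowed)}


if __name__ == "__main__":
    found = find_outbound_smb(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print(summarise(found))
```

On the sample above the first line is ignored because the destination is internal and the fourth because it is HTTPS; the remaining three are outbound SMB, two of which were allowed through.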
Two Factor Authentication (password manager)
Ok, some users may have turned two-factor authentication on for the password manager. If you attempt to log in and the password manager sends an authentication request to the target, you will have tipped them off that their password has been compromised.
It’s likely that if two-factor authentication is turned on it will be skipped for known machines, so if you have physical access to the office and can use the target’s PC you can gain access there, since you already have their Windows login details. It’s also probable that the group who reused their password are more likely to be in the group who haven’t set up two-factor authentication.
Apart from during a penetration test, I don’t think companies are checking that the password used to log in to Windows is different from employees’ master passwords; it certainly hadn’t been checked in the handful of companies I’ve come across.
The Numbers
It’s important to say I’ve only seen a very small sample, but in the region of 30% to 40% of employees had the same password for their Windows login as their master password, 6 months to 2 years after a password manager was introduced.
In my sample there didn’t seem to be a difference between job roles, or for those with access to more sensitive accounts, which was surprising.
Even if the numbers were significantly smaller than this, it would still be a risk that is currently underestimated, given what the master password can open up access to.
Another Observation
I also noticed that after the adoption of a password manager employees were much more likely to share passwords and accounts, now that there was a secure mechanism for doing it. Before, someone may have asked their manager to log them into a system for a specific function. This is a small, subtle change, but it means multiple people now hold the responsibility for keeping the credentials to a system secure, and that changes the level of risk slightly in a way I think is often not understood or is missed by the company.
Mitigations
- Regular training – It is vital employees are told specifically not to do this; getting them to understand why it is a problem may help.
- Regular auditing – Let the employees know that audits will be carried out. This can be a great preventative measure and should highlight whether the problem exists.
- Two-factor authentication – Make it a requirement that employees use two-factor authentication, not only for the password manager but for all of your accounts. This could lessen the impact if a master password is compromised.
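The auditing and two-factor points above can be partly automated from the reporting that some password managers expose to management (the per-employee score and reuse count mentioned earlier). The following Python script, added here as an example and not taken from the post or from any vendor's tooling, reads a constructed CSV export and reports every employee who has two-factor authentication off, reused passwords, a score below policy, or more trusted devices than policy allows (trusted devices being the known machines on which the second factor is skipped). The column names, thresholds and sample rows are all assumptions; real exports differ by vendor.

```python
"""
Added example (not from the original post or any vendor's tool): audit a
constructed password manager admin export against a simple policy.
The column names, thresholds and sample rows below are assumptions.
"""
import csv
import io

# Constructed sample export (assumed format; real exports differ by vendor).
SAMPLE_EXPORT = """\
user,score,reused,two_factor,trusted_devices
alice@example.com,92,0,yes,1
bob@example.com,48,3,no,2
carol@example.com,77,0,yes,4
dave@example.com,63,1,no,0
"""

MIN_SCORE = 70           # policy threshold for the vendor's strength score (assumption)
MAX_TRUSTED_DEVICES = 2  # policy limit on devices that skip the second factor (assumption)


def parse_export(text):
    """Turn the CSV text into typed rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"].strip(),
            "score": int(row["score"]),
            "reused": int(row["reused"]),
            "two_factor": row["two_factor"].strip().lower() == "yes",
            "trusted_devices": int(row["trusted_devices"]),
        })
    return rows


def audit(rows):
    """Return {user: [finding, ...]} for every user with at least one finding."""
    findings = {}
    for r in rows:
        issues = []
        if not r["two_factor"]:
            issues.append("two-factor authentication not enabled")
        if r["reused"] > 0:
            issues.append(f"{r['reused']} reused password(s)")
        if r["score"] < MIN_SCORE:
            issues.append(f"security score {r['score']} below {MIN_SCORE}")
        # Trusted devices only matter when 2FA is on; otherwise it is already flagged.
        if r["two_factor"] and r["trusted_devices"] > MAX_TRUSTED_DEVICES:
            issues.append(
                f"{r['trusted_devices']} trusted devices skip the second factor"
            )
        if issues:
            findings[r["user"]] = issues
    return findings


def worst_first(findings):
    """Order users by number of findings so the reminder list starts with the riskiest."""
    return sorted(findings, key=lambda u: (-len(findings[u]), u))


if __name__ == "__main__":
    report = audit(parse_export(SAMPLE_EXPORT))
    for user in worst_first(report):
        print(user)
        for issue in report[user]:
            print("  -", issue)
```

The script deliberately does not touch the master password itself; it only reads what the manager's console already shows management, which is the information that, as noted above, used to be invisible to the company. Whether the Windows password matches the master password still cannot be read from an export like this and has to be checked separately.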
It’s Not All Bad
I love my password manager; it makes life easier and makes me feel more secure. However, it’s important that the rules are always followed and that the risks are properly understood by those making decisions in the companies we trust to hold our data.