As you know from my blogs, I am an opponent of cloud single sign-on and password management services. At least at this point in time, I cannot think of a worse idea. What I am about to say will not always be true. It is true today. Any enterprise managing identities and passwords in the cloud puts itself at risk.
In April, I wrote about Heartbleed and the newly discovered identity and access management vulnerability in OpenSSL. I concluded the blog by pointing out the discovery does not represent an isolated event. Rather, it indicates cloud identity and access management and password management are filled with an indeterminable amount of security risks. However unlike Heartbleed, most cloud identity management, password management, and single sign-on information security risks are yet to be discovered, classified and contained.
Giving me cause to reconsider, I recently read the research, The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers, led by Zhiwei Li of the University of California at Berkeley that will be presented at next month’s Usenix conference. The study performs a security analysis of web-based password managers. The results outline major vulnerabilities with the most widely used systems from one-time passwords, bookmarklets, and shared passwords. From the study, I stand corrected. The study reveals the most popular web-based password managers are vulnerable to known security threats.
The research sounds an alarming wakeup call for password management companies and their customers. In the study, the UCB team examined five popular password managers for the following security concerns:
- Bookmarklet vulnerabilities
- Web vulnerabilities
- Authorization vulnerabilities, and
- User interface vulnerabilities
The UC Berkeley Web-Based Password Manager Study
The password managers tested included LastPass, RoboForm, My1login, PasswordBox, and NeedMyPassword. The team selected five widely used web-based password managers that run in a browser. The study showed all of the web-based password managers contain critical flaws. Each failed in more than one category. The failure root-causes ranged from logic to authorization and simple web security model misunderstandings. In four of the five password managers, attackers learned a user’s credentials for arbitrary websites.
To summarize the findings, the team found critical vulnerabilities with LastPass, RoboForm, and My1login bookmarklets. They exploited CSRF vulnerabilities in LastPass, RoboForm and NeedMyPassword. With NeedMyPassword, XSS vulnerabilities allowed for a complete account takeover. My1login and PasswordBox allowed for the creation of fictitious accounts and other authorization breeches. As for external threats, RoboForm and LastPass proved vulnerable to conventional phishing attacks.
In the paper’s Introduction, the researchers frame the study as, “It is a truth universally acknowledged, that password-based authentication on the web is insecure.” They then demonstrate critical failures in the most popular web-based password managers. They also importantly note insecure password managers and single sign-on exacerbate security risks, because they expose all of a user’s passwords when stolen. The study concludes with the warning web-based "password managers have flaws in their implementations that critically undermine their security."
Web-Based Password Manager Unknowns
In spite of the operational advantages, you are better off without a password manager than with one that critically undermines security. In the cloud, web-based password managers promise tremendous cost and efficiency benefits. In practice, they are susceptible to complete password manager account takeover, rampant security attacks, and spoofing. As the study points out, the security failures represent a web-based password manager’s abilities to deter known security risks.
The study offers a keyhole glimpse into the true breadth of the problem. The researches applied known methods. They used readily available tools and performed manual analysis. In the case of web vulnerabilities, the forms of attacks tested were around for Y2K. Nevertheless, like with Heartbleed before its discovery, the greatest risks with web-based password managers remain unknown. They are undiscovered. They are in operation. They exist in the cloud. Such risks were not part of the study.
The key distinction between a web-based password management system and on premise enterprise password manager is the former’s need to run in a browser. An enterprise solution does not require the duplication of identities in the cloud. An enterprise password management solution synchronizes your on-premises directories, provisions user accounts directly to your cloud services, and manages access. Best of all on premise workflow adds control that significantly reduces your security exposure.
Learn the Top 10 Password Management Best Practices for successful implementations from industry experts. Use this guide to sidestep the challenges that typically derail enterprise password management projects.