LastPass and the need for Workforce Visibility

Following the recent LastPass incident, and with the impact of the breach still being discovered, a person’s LastPass master password is all that stands between an adversary and every password kept in their vault. LastPass warns that a successful brute-force attempt against users who followed the suggested master password guidelines is unlikely, but this has been highly contested, with the suggestion that $100 is enough to recover the plaintext for most users. Given LastPass’s historically insecure defaults and the fact that the password vault data has been stolen, it must be assumed that the plaintext has been recovered. Industry cryptography experts are broadly suggesting that it is prudent for users to assume compromise and reset ALL of their passwords.

The problem for modern business

Whether or not your business is a LastPass customer, users can independently install and use LastPass. If you are like most security teams, you are left wondering about your real exposure to this incident – and whether or not to force a reset for users. Asking employees to voluntarily reset is one approach, but they may not be aware of their exposure to the risks or overlaps between their personal and work accounts.

As companies have added more distributed and remote work capabilities, the overlap between personal and business security has become a more pressing concern. According to a Balbix survey, employees typically share an average of 8 passwords between their personal and work accounts. This highlights the need for businesses to better understand the risks posed by their workforce. With personal and business accounts potentially sharing the same passwords, there is an increased likelihood of security breaches and data leaks. It is important for companies to implement solutions to mitigate these risks.

Improve workforce visibility

Ultimately, security teams need to understand their workforce’s exposure to this breach so they can address the resulting brute-force and phishing risks accordingly. This means understanding where the LastPass browser extension is installed, and how many employees use LastPass and other password managers.

We have seen a variety of approaches to this problem. Detecting LastPass usage could mean observing employees’ interactions with the LastPass web application at the network or email level, detecting the application on endpoint devices, detecting it via JavaScript that exercises the built-in autofill capabilities or, as we do with the Keep Aware platform, detecting an installation directly in the browser.
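As an added example of the "installed directly in the browser" approach (this is not Keep Aware's code), the script below inventories extensions in a Chromium-family profile: it walks the `<profile>/Extensions/<id>/<version>/manifest.json` layout that Chrome and Edge use, resolves localized `__MSG_key__` names from `_locales/<default_locale>/messages.json`, and reports any extension whose display name matches a password-manager pattern. The name pattern, the default Chrome profile path used when no argument is given, and the output format are assumptions.

```python
import json
import re
from pathlib import Path

# Constructed pattern: LastPass is the subject of this post; the other names are
# assumed additions so the same inventory covers other password managers.
PASSWORD_MANAGER_PATTERN = re.compile(r"lastpass|1password|bitwarden|dashlane", re.I)


def resolve_name(manifest: dict, ext_dir: Path) -> str:
    """Return the display name, resolving Chrome's __MSG_key__ localisation if used."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")  # Chrome requires this when __MSG_ is used
    messages = ext_dir / "_locales" / locale / "messages.json"
    if messages.is_file():
        data = json.loads(messages.read_text(encoding="utf-8"))
        return data.get(m.group(1), {}).get("message", name)
    return name  # unresolved localisation: report the raw key rather than nothing


def scan_extensions(profile_dir: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return flagged entries."""
    findings = []
    for manifest_path in (profile_dir / "Extensions").glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it rather than abort the inventory
        name = resolve_name(manifest, manifest_path.parent)
        if PASSWORD_MANAGER_PATTERN.search(name):
            findings.append({
                "id": manifest_path.parent.parent.name,  # <id> directory
                "name": name,
                "version": manifest.get("version", "?"),
            })
    return findings


if __name__ == "__main__":
    import os
    import sys
    # Assumed default: Chrome's "Default" profile on Windows; pass another profile dir as argv[1].
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else (
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default")
    for f in scan_extensions(root):
        print(f"{f['id']}\t{f['name']}\t{f['version']}")
```

Run it per user profile on managed endpoints and aggregate the output to get the count this section asks for; it reports presence only, not whether the extension is enabled or in active use.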

Keep Aware Workforce Security Platform

The browser is an essential component of the attack surface for modern business. Keep Aware is a browser-based security solution that deploys passively to managed devices in minutes. This solution is not an agent and often only requires a simple browser setting modification.

Once deployed, teams gain immediate visibility of risky web interactions and of software, such as LastPass and other password managers, in use across the business. As the workforce adopts new SaaS technologies and the risks that come with them, Keep Aware provides continuous visibility into these applications.

Security teams can also use Keep Aware to intelligently block phishing, social engineering, and data leakage and continuously influence secure decisions across the workforce.

We would love to help your team detect LastPass usage and show you how Keep Aware helps protect every employee’s workday. Please get in touch if our team can help.

Ryan Boerner, Cofounder @ Keep Aware