A dangerous, previously unknown security vulnerability has been discovered in LastPass which permits attackers to remotely compromise user accounts. LastPass is a password vault which pulls user passwords from a secure area and auto-fills credentials for them.
Commenting on the story, Brian Spector, CEO at MIRACL, explains: “Password managers, like LastPass, help users manage the undue burden placed upon them by requiring complex and constantly-changing passwords. But that solution does not fix the problem since it allows all of a user’s passwords to be compromised in one place at one time. The root of password-related problems is on the infrastructure side. Storing authentication credentials in the cloud still makes them vulnerable to server-side attacks. The attack vector for cyber-criminals is not an individual user’s vault that stores passwords, but the entire enterprise database on the provider side that stores all user credentials. Successfully attacked, which happens extremely frequently, the authentication credentials for every single user are vulnerable. All efforts by individuals to protect their passwords are entirely in vain if the service itself becomes a single point of failure.
“But we don’t have to accept the weekly announcements of mass-password-breaches. Multi-factor authentication with zero-knowledge protocols does not share or send user authentication credentials across the web. Digital enterprises need to remove the threat of passwords completely and restore trust not only in the services they provide, but in the internet itself.”