The recent hacking of Norton LifeLock brings the number of high-profile password manager breaches to two after LastPass was also compromised in 2022. This raises the question: if the very entities designed to safeguard our access codes cannot be trusted, is there any point in having either of them?
Industry debate around whether passwords are soon to be a thing of the past has been going on for some time, so Cybernews reached out to experts to ask whether this is truly the beginning of the end for alpha-numeric authentication.
Perhaps surprisingly, not everyone working on competing technologies, such as passwordless authentication, is writing off the password just yet. And judging by the other industry opinions we canvassed, passwords seem to be here to stay – for a while, at least.
Paul Trulove, CEO of the company SecureAuth which aims to bring behavioral identification for company workers into the mainstream within a few years, acknowledges that the LifeLock and LastPass breaches “make a case for transitioning to passwordless authentication technology.”
"The risk of [...] using the same password or slight variations to a common password far outweighs the risk of using a cloud-based password manager." – Paul Trulove, CEO of SecureAuth
However, he cautions against dropping password managers, which he still believes are mostly secure if provided by a reputable firm, until the alternatives become a reality.
"The risk of not using a password manager – or using the same password or slight variations to a common password – far outweighs the risk of using a cloud-based password manager,” he told Cybernews. “Most popular password managers are quite secure, even when utilizing cloud-based vendors. The LastPass breach also did not automatically expose all of its users’ passwords – they were still protected with the user’s master password, which, if sufficiently strong, reduces the risk of exposure.”
Other pioneers of passwordless we spoke to were less charitable. Bojan Simic, founder and head of HYPR, said: “Generally, it’s ridiculous that companies are protecting databases of passwords with a password, which is exactly what a password manager is. Password managers were always supposed to be a temporary solution until technology caught up so that a passwordless state can be realized.”
That moment, he is confident, has arrived: even less technical businesses can now adopt alternatives such as passkeys, thanks to both his own company's efforts and global secure authentication projects such as FIDO2.
“The advancements in authentication standards are making passwordless accessible to the less technical, and businesses like HYPR are bringing this reality to the complicated technology ecosystem within the enterprise,” he said.
Other experts believe that both the actual threat and public perception of being threatened could be all too easily overestimated in the wake of both attacks – in other words, nothing much will change as a result of LastPass and LifeLock in the near future.
Chris Love, of web and SEO service provider Love2Dev, says that consumers are likely to be largely unmoved by the LifeLock and LastPass imbroglios – if nothing else, because they are by now so used to hearing about high-profile breaches.
“In general, I don't think the average consumer will think much about the hacks,” he said. “These sorts of hacks have been happening for years without great outrage. I would like to say the tide is shifting away from a typed password and to biometrics, but I think we are just not there yet. The technology is there, it is general consumer adoption that is lagging.”
"The coding expertise to integrate a biometric solution is still too complex. I have tried a few times and it required so much work. Once that barrier changes then websites and applications can add passwordless easier." – Chris Love, Love2Dev
Love does see biometric identification gradually replacing passwords, but not before it has been made easier to implement.
“The coding expertise to integrate a biometric solution is still too complex,” he said. “I have tried a few times and it required so much work using 'poor' documentation. Once that barrier changes then websites and applications can add passwordless easier.
“Even then, you still have the barrier to overcome all of the legacy systems designed for username and password. You can't just remove that in a single move. It must be phased in, and customer and employee adoption encouraged.”
Roger Grimes, data defense evangelist at KnowBe4, agrees that the public response to the LifeLock and LastPass hacks will be muted.
“Every bit of software you know and love gets hacked all the time,” he said. “Your operating system and browser get hacked dozens of times a month – and everyone still uses them. Everything can be hacked.”
Grimes also points out that the public is swayed not only by the security failure itself: often, a target organization’s response to a cyberattack can mitigate negative publicity, depending on how well it handles the crisis.
“Do they respond quickly to attack reports, and instill further trust in their customers, or end up inspiring distrust because of the way they handled the breach?” he said. “LastPass isn't necessarily inspiring confidence in either the way they protected customer data – they didn't encrypt all of it – or the transparency of the incident and response.”
Grimes said he also suspects that Norton password manager users were hacked because they did not use the service to create passwords for their accounts – an irony if ever there was one.
“It was only because they used weak or shared passwords that their Norton account fell in the first place,” he said. “The Norton compromise is an argument to use password managers, not against.”