Password Management Tools: Hidden Cybersecurity Risks?

In theory, password management tools can boost security for end-users. But take a closer look, and some of the tools may also have some unexpected risks, according to recent third-party research and analysis.

The story goes something like this, according to Independent Security Evaluators (ISE), a consulting firm in Baltimore, Maryland:

  • On the upside: "Password management tools allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file," ISE notes.
  • On the downside: "ISE Researchers have uncovered a surprising security weakness in password managers – several popular products appear to do a weak job at scrubbing passwords from memory once they are no longer being used," the Naked Security blog notes. The ISE research uncovered the problem to different degrees in versions of 1Password, Dashlane, LastPass and KeePass, the Naked Security blog added.

Overall, Sophos (owner and publisher of the Naked Security blog) says users should still embrace password management tools. But what does all the chatter mean for MSSPs and MSPs in the market?

Passportal CEO Colin Knox's Perspectives

We reached out to Passportal CEO Colin Knox for some perspective. Passportal, to be clear, was not part of the ISE report above. But Knox and his company bring key perspectives to the conversation -- since Passportal focuses its entire password management business on MSPs, MSSPs and cybersecurity channel partners.

We asked Knox one question: What do you make of the ISE report and Naked Security's analysis? His reply:

“I would suggest that while some password managers can be manipulated on an active user’s computer to find password information, the vulnerability relies on authenticated access to both the computer and password manager itself. Overall, password tools remain a smarter security practice paired with MFA, opposed to storing credentials in systems that are more susceptible and don’t adhere to best-practice password hygiene, such as storing credentials in spreadsheets, sticky notes, plain text files, emails, or other tools.

In the case of an MSP or MSSP, they are responsible and accountable for hundreds, if not thousands, of passwords to the most privileged, sensitive accounts and client data that, if breached, could take down an entire network of businesses. It is also time to de-myth the safety of storing critical credentials in a PSA, RMM, or documentation tool. Such tools do not provide granular access control with immutable auditing and tracking, no knowledge data encryption, and password change automation, leaving the MSP at high-risk when it comes to technician turnover, client compliance requirements, or if compromised by malware/ransomware through phishing attacks.

With the ever increasing target on MSPs by hacking organizations like APT10, time is now of the essence for MSPs to get their houses in order and recognize that client security starts at home, securing their own systems, credentials, and other privileged client knowledge.”

Knox raises a timely point regarding APT10. The alleged hacker group has targeted MSPs worldwide, government and cybersecurity officials have claimed in recent months.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.