Bright Security’s Enterprise Grade Dev-Centric DAST Integrates with

Microsoft Defender for Cloud →
Product
Product overview

See how dev-centric DAST for the enterprise secures your business.

Web attacks

Continuous security testing for web applications at high-scale.

API attacks

Safeguard your APIs no matter how often you deploy.

Business logic attacks

Future-proof your security testing with green-flow exploitation testing.

LLM attacks

Next-gen security testing for LLM & Gen AI powered applications and add-ons.

Interfaces & extensions

Security testing throughout the SDLC - in your team’s native stack.

Integrations

Connecting your security stack & resolution processes seamlessly.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Book a demo

We’ll show you how Bright’s DAST can secure your security posture.

Resources
Blog

Check out or insights & deep dives into the world of security testing.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Case studies

Dive into DAST success stories from Bright customers.

Research

Download whitepapers & research on hot topics in the security field.

Company
About us

Who we are, where we came from, and our Bright vision for the future.

News

Bright news hot off the press.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

We're hiring

Want to join the Bright team? See our open possitions.

Bug bounty

Found a security issue or vulnerability we should hear about? Let us know!

Contact us

Need some help getting started? Looking to collaborate? Talk to us.

Resources > Blog >
Password Managers: Friends or Foes?

Password Managers: Friends or Foes?

Akira Brand & Amanda McCarvill

So, you recently decided to purchase a password manager. It is time to say goodbye to remembering an endless number of passwords or storing your passwords in unsafe locations (please, not on a post-it note on your desk!). Your passwords are safe, and you no longer need to worry about your data becoming compromised. Life just got a whole lot easier, right? Not necessarily. Although password managers are beneficial tools for keeping your passwords organized and encrypted in a single place, no solution is perfect. 

The Case of LastPass 

Password management service, LastPass, reported a data breach of their system in August 2022. The attacker obtained source code and technical information from the development environment, which was leveraged to target a specific employee. Once the employee had authenticated using multi-factor authentication, the actor utilized their persistent access to impersonate the employee. 

Gaining access to the employee’s device, the attacker lifted the employee’s credentials and security keys to gain access to files from the company’s cloud-based storage services. In December 2022, the company reported that the attacker obtained a backup of the customer vault data through the third-party cloud-based storage service. 

Let’s talk about the timeline

LastPass’ issues started back in August of 2022. In this incident, attackers had gained access to portions of a development environment due to a compromised developer account and stole technical and proprietary information. LastPass initially claimed that no evidence existed that the incident involved any access to customer data or encrypted password vaults. And that appeared to be the end of the issue. 

However, in a LastPass blog by Karim Toubba updated in December 2022, it was revealed that a “threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022.” What does this mean? It means that someone was able to break into a storage vault, using information they had gained during the August incident. But what happened once they got into that vault? Were they able to take the passwords and information right out of the vault? Well, technically, no. The passwords themselves were encrypted, however, it doesn’t mean that LastPass was out of hot water.  The attacker had obtained basic customer information, including email addresses, billing addresses, IP addresses of where LastPass was accessed, and telephone numbers. And, as other sources have suggested, a LastPass password is not difficult to decrypt with the right resources, mainly due to the fact that entropy in password creation does not prevail when it comes to users choosing any type of password. As such, these passwords are crackable, encryption or not. 

What Does This Mean For Users? 

Although the stolen vault remains protected with 256-bit AES encryption, users with weak master passwords could be at risk. To successfully decrypt the data, the attacker would need access to a unique encryption key derived from each user’s master password. Lastpass utilizes an industry-standard Zero Knowledge architecture, which ensures the company can never gain access to the customer’s master password. Without knowledge of this password, no one other than the vault owner can decrypt the data. 

However, the hacker could access the vault through brute force if password best practices aren’t followed. Additionally, the attacker could leverage the customer’s basic information to target individual users through various attack methods, such as phishing. 

How to Protect Yourself 

While password managers are a great tool, best practices must still be followed to protect yourself from becoming vulnerable to an attack. In the case of Lastpass, users with weak master passwords are the ones at risk. Luckily, there are steps you can take to protect your passwords and ensure your data is secure in 2023. 

  1. Use a minimum of 12 characters 
  2. Combine upper case, lower case, numeric, and special character values 
  3. Ensure your password is easy to remember; but not easy to guess! 
  4. Never use personal information 
  5. Ensure your password is unique; don’t share it with other accounts! 
  6. For extra layers of security (better safe than sorry!), change all of the passwords you have saved in your LastPass accounts. This will take some time, but add an extra layer of protection for your sensitive information. 

What does this mean for LastPass’ future?

We of course don’t know for sure. However, even for security professionals, going through and rotating entire swaths of passwords for extra security after this breach will take quite some time, leaving a bad taste in these customers’ mouths. For a layman, it is safe to say that taking this extra layer of security precaution may not enter their minds, or will take months to complete. So, the severity of this breach cannot be underestimated, and consumer trust has certainly been broken. It remains to be seen if trust and transparency on the part of LastPass can be regained in the coming months.  

Resources

Domain Hijacking: How It Works and 6 Ways to Prevent It

What Is Domain Hijacking?  Domain hijacking refers to the unauthorized acquisition of a domain name by a third party, effectively taking control away from the rightful owner. This form of cyber attack can lead to significant disruptions, including loss of website functionality, email services, and potentially damaging the brand’s reputation.  Domain hijackers often exploit security

Mastering Vulnerability Management: A Comprehensive Guide

Modern day organizations face a constant barrage of cyber threats, making it imperative to implement robust vulnerability management processes. Vulnerability management is a systematic approach to identifying, evaluating, treating, and reporting on security vulnerabilities in systems and their associated software. In this blog post, we’ll delve into the four crucial steps of vulnerability management process

Vulnerability Scanners: 4 Key Features, Types, and How to Choose

A vulnerability scanner is a specialized software tool designed to assess the security of computers, networks, or applications by automatically detecting and analyzing weaknesses. These scanners proactively search for security vulnerabilities, such as unpatched software, misconfigurations, and other security gaps that could be exploited by attackers. Some scanners can simulate the actions of an attacker to help identify exploitable vulnerabilities.

Get our newsletter