Lastpass 1password

  



When you outsource your IT needs to Managed Service Providers (MSPs), you hand over control of critical internal systems and administrator accounts. With that level of access, MSPs inevitably manage many client credentials – often hundreds or thousands of them. With privileged access to customer systems and countless passwords, your MSP is an attractive target for hackers looking to get “the keys to the kingdom.” Password management is therefore critical for MSPs looking to ensure credentials are correctly kept track of and protected.

How hackers target MSPs

  • With 1Password, you’re going to pay a slight premium over LastPass ($35.88 a year for solo use, $59.88 for a family plan, with no free option available) for a polished interface.
  • 1Password and LastPass are both very good at basic password management functions. They provide apps and extensions for all of the most popular operating systems and browsers, and they include all of the essential features I expect from any premium password manager, such as.

At $36 a year, the Premium version of LastPass is a solid deal, sweetened by the. 1Password and LastPass both generate secure passwords and store them for you, keeping them in a vault you can access across all your devices. Both use one master password to secure your vault, meaning you only need to remember one password to access all of your accounts. Smart password storage, convenient password sharing, and an easy-to-manage dashboard make LastPass Teams an ideal password solution for businesses of 50 or less. Enterprise automates and scales password management for the whole business with directory integrations, custom security policies, and more.

Hackers target MSPs with a range of cyberattacks that attempt to gain access to accounts, networks, and databases. With the rise in remote work, hackers take advantage of employees beyond the traditional purview of IT.

Password spraying, for example, is a type of brute-force attack where hackers try to log in to lots of different user accounts using a single password guess. Then they rotate through all the user accounts again, with a second password guess, thereby avoiding detection by many account-lockout settings. Strong, unique passwords are a deterrent for password spraying.
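The following added example, which is not from the original article, shows why a per-account lockout counter misses the pattern described above while a per-source count of distinct failing accounts catches it. The log format, thresholds, usernames and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "ISO-time source_ip username result"
SAMPLE_LOG = """\
2024-05-01T09:00:00 203.0.113.7 alice FAIL
2024-05-01T09:00:05 203.0.113.7 bob FAIL
2024-05-01T09:00:10 203.0.113.7 carol FAIL
2024-05-01T09:00:15 203.0.113.7 dave FAIL
2024-05-01T09:02:00 198.51.100.20 erin FAIL
2024-05-01T09:02:10 198.51.100.20 erin FAIL
2024-05-01T09:02:20 198.51.100.20 erin FAIL
2024-05-01T09:10:00 192.0.2.44 alice OK
2024-05-01T09:20:00 203.0.113.7 alice FAIL
2024-05-01T09:20:05 203.0.113.7 bob FAIL
2024-05-01T09:20:10 203.0.113.7 carol FAIL
2024-05-01T09:20:15 203.0.113.7 dave FAIL
"""

LOCKOUT_THRESHOLD = 3            # assumed per-account lockout policy
MIN_ACCOUNTS = 4                 # assumed: distinct accounts failing from one source
WINDOW = timedelta(minutes=30)   # assumed correlation window

def parse(log):
    """Yield (time, source, user) for failed logins only."""
    for line in log.splitlines():
        ts, src, user, result = line.split()
        if result == "FAIL":
            yield datetime.fromisoformat(ts), src, user

def locked_accounts(failures):
    """Per-account view: accounts with >= LOCKOUT_THRESHOLD failures inside WINDOW."""
    by_user = defaultdict(list)
    for t, _, user in failures:
        by_user[user].append(t)
    return {u for u, ts in by_user.items()
            if any(sum(1 for x in ts if t0 <= x < t0 + WINDOW) >= LOCKOUT_THRESHOLD for t0 in ts)}

def spraying_sources(failures):
    """Per-source view: sources failing against >= MIN_ACCOUNTS distinct users inside WINDOW."""
    by_src = defaultdict(list)
    for t, src, user in failures:
        by_src[src].append((t, user))
    return {src for src, evs in by_src.items() for t0, _ in evs
            if len({u for t, u in evs if t0 <= t < t0 + WINDOW}) >= MIN_ACCOUNTS}

FAILURES = list(parse(SAMPLE_LOG))
```

On this sample, the lockout view flags only the user who mistyped a password three times, while the per-source view flags the address that made two slow rounds across four accounts.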

Credential stuffing, on the other hand, leverages usernames and passwords leaked in a data breach. Because people frequently reuse passwords, hackers can use the leaked usernames and passwords and automate the guesses to check which logins will work. Again, unique passwords for every account can mitigate this standard cyber attack.


Ransomware is a popular choice, where hackers exploit known vulnerabilities to deploy malicious software on company computers or trick employees into clicking a download link. Hackers hold the data hostage until the victims pay a ransom or an organization complies with a hacker’s request. Not only is training on phishing necessary, properly managing and securing passwords reduces the likelihood someone can gain a foothold in the system to deploy ransomware.

These types of automated attacks are common. Usually, hackers are looking for easy hacks that can be programmed with software and require little work on their part. But if hackers know an MSP provides a service to a particular company, they may intentionally target that MSP to find a way into their customer’s system. For example, several years ago, hackers broke into a third-party vendor and stole Target’s network credentials used by that vendor. The result was one of the largest data breaches up to that date and a lengthy, costly lawsuit.

Why MSPs need a password manager

Given how attractive MSPs are as a target and the range of tactics hackers employ to steal data from MSPs, you should confirm that your MSP is indeed using a password manager. Achieving strong security means thinking about how an attacker may find a way in, and how MSPs can inadvertently supply that access. It’s not enough to document credentials in a password-protected spreadsheet.

Enterprise password management software not only captures and encrypts all credentials in use to manage client services, but it also facilitates secure and encrypted password sharing among team members while tying actions to individuals. That last part is essential because it maintains accountability and a “paper trail” for auditing purposes.

An MSP is critical to their clients’ daily operations, with access to lots of sensitive data. MSPs should therefore make reasonable efforts to mitigate the risk of breach and reduce any possibility of downtime. A data breach can suspend operations for hours or days, and it can, of course, result in lost customers, poor PR, legal fees, lost revenue, and other damage to the business.

Next steps for MSPs

Any MSP providing services to clients needs to have enterprise password management (EPM) software in place.

An EPM solution tracks password security across all MSP employees. Features like a built-in password generator, secure credential storage, and automatic credential filling help the MSP use strong, unique passwords to protect both the MSP’s systems and their clients’ systems.

Passwords can be securely shared with clients and colleagues via the password manager while maintaining high security standards with encryption and reporting. Usage of the password manager features and improvement of password security over time can be centrally tracked and administered.

In summary, an EPM solution takes many of the annoyances out of passwords for MSPs while helping them provide the highest levels of password security for their clients.

LastPass provides MSPs a tailored solution that offers visibility and control over every access point of their clients’ businesses via a unified admin console. If your MSP is ready to tackle password security, learn more about our business solutions and the benefits of using LastPass as an MSP.

A security researcher has recommended against using the LastPass password manager Android app after noting seven embedded trackers. The software's maker says users can opt out if they want.

German infosec bod Mike Kuketz spotted LastPass's trackers in analysis produced by Exodus, which describes itself as 'a non-profit organization led by hacktivists [whose] purpose is to help people get a better understanding of the Android applications tracking issues.'

The Exodus report on LastPass shows seven trackers in the Android app, including four from Google for the purpose of analytics and crash reporting, as well as others from AppsFlyer, MixPanel, and Segment. Segment, for instance, gathers data for marketing teams, and claims to offer a 'single view of the customer', profiling users and connecting their activity across different platforms, presumably for tailored adverts.


LastPass has many free users – is it a problem if its owner seeks to monetise them in some way? Kuketz said it is. Typically, the way trackers like this work is that the developer compiles code from the tracking provider into their application. The gathered information can be used to build up a profile of the user's interests from their activities, and target them with ads.


Even the app developers do not know what data is collected and transmitted to the third-party providers, said Kuketz, and the integration of proprietary code could introduce security risks and unexpected behaviour, as well as being a privacy risk. These things do not belong in password managers, which are security-critical, he said.

Kuketz also investigated what data is transmitted by inspecting the network traffic. He found that this included details about the device being used, the mobile operator, the type of LastPass account, and the Google Advertising ID (which can connect data about the user across different apps). During use, the data also shows when new passwords are created and what type they are. Kuketz did not suggest that actual passwords or usernames are transmitted, but did note the absence of any opt-out dialogs, or information for the user about the data being sent to third parties. In his view, the presence of the trackers demonstrates a suboptimal attitude to security. Kuketz recommended changing to a different password manager, such as the open-source KeePass.


Do all password apps contain such trackers? Not according to Exodus. 1Password has none. KeePass has none. The open-source Bitwarden has two for Google Firebase analytics and Microsoft Visual Studio crash reporting. Dashlane has four. LastPass does appear to have more than its rivals. And yes, lots of smartphone apps have trackers: today, we're talking about LastPass.

Password managers are essential for most users since the number of passwords to be managed exceeds our ability to remember them, and the complex passwords needed for security are particularly hard to memorise. Using the same password across multiple services is poor practice because it increases the impact if a password is stolen or inadvertently disclosed.

The discussion about trackers in LastPass comes at a bad time. Earlier this month the company (which is owned by LogMeIn) crippled its free offering to support only a single device type, and many users have said they would switch as a result – like user Mattias Ahnberg, who wrote on Twitter: 'This means I will finally migrate away to 1Password instead of being blocked by such a limitation that you're adding.' Losing free users may even have been the intention, but the tracking issues affect paid users as well, which would be more of a concern.

A LastPass spokesperson told us: 'No sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass which is used to help us improve and optimize the product.

'All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy. We are continuously reviewing our existing processes and working to make them better to comply, and exceed, the requirements of current applicable data protection standards.' ®


Editor's note: This article was corrected after publication to refer to the more popular KeePass rather than KeyPass. Neither have trackers.
