The conventional wisdom in the secure access space says that you should vault your passwords and rotate them. Password vaulting is what most privileged access management (PAM) solution vendors claim is the core of PAM, it is what most market analysts expect from PAM solutions, and it is simply what PAM vendors have been doing for the past 20 years.
But are there challenges with password vaults? There certainly are.
Challenges with password vaulting
1. Compromised passwords often fulfill compliance standards
A recent study investigating more than 800 million compromised passwords found that:
88% of passwords used in successful attacks consisted of 12 characters or less, with the most common being 8 characters (24%).
‘Password’, ‘admin’, ‘welcome’, and ‘p@ssw0rd’ were the most common terms. In short, very weak passwords.
83% of compromised passwords did satisfy both length and complexity requirements of cybersecurity compliance standards such as NIST, PCI, ICO for GDPR, HITRUST for HIPAA, and Cyber Essentials for NCSC.
That last bullet point really hits home. A host of cybersecurity standardization bodies recommends certain types of passwords, but a big chunk of them end up being compromised anyway. Will password vaulting really solve the proliferation of passwords?
2. The LastPass password vault breach
Let’s look at the infamous LastPass breach in which the popular password manager got hacked.The LastPass hacker got hold of an engineer’s master password that granted access to the LastPass corporate password vault. With this, they were able to locate the decryption keys that opened the customer password vault backups.
Even professional users get careless, and their endpoints can be compromised. A ‘regular’ compromised password can open a path to a password vault that, in this case, jeopardized the entire customer base of the company.
According to recent research, software developers leaked over 10 million credentials and passwords in 2022 in GitHub commits. In practice, this means that the company IPR and their keys to the kingdom are being compromised all the time.
Again, it makes sense to question the traditional way of trying to solve such a challenge. GitHub is the global go-to place for developers to collaborate on and manage code repositories, including production code. It is hosted in the cloud, and developers operate at cloud speed.
Is it a surprise that dynamic cloud environments and modern R&D methodologies, like DevOps, are sometimes a bad match with static solutions like password vaults?
Passwordless access without password vaulting
Passwordless authorization allows (privileged) access to critical targets without the need to vault and rotate passwords afterward. One of the most powerful ways to achieve this is by using an approach where the authorization to access a target is created just-in-time (JIT) with ephemeral certificates.
These certificates contain secrets (like a password) needed to access a target, but the privileged user never sees or handles any passwords. What’s more, the certificates expire automatically within minutes after access is granted, making access revocation automatic.
Learn how easy it is to manage access without passwords in our video >
In a modern solution, a Linux admin authenticates to a PAM solution, like PrivX, using biometric authentication, like a fingerprint. They then see only the targets available to them based on their role, click their chosen target, and just like that, they are in. This is possible because the home of identities (Identity and Access Management, IAM) is mapped alongside the home of roles (Privileged Access Management, PAM).
The neat thing is that the whole process is end-to-end passwordless - all the way from the identity to the role and the target. Password vaulting or rotation is simply no longer necessary, nor are one-time passwords. That’s true Zero Trust.
Better without password vaults
We at SSH Communications Security have been promoting passwordless authentication and authorization for quite a while. At the same time, we realize that it is nearly impossible to go all-in with passwordless at one go. Password vaults are needed for certain use cases due to technological and sometimes also policy constraints.
This is why we offer a path to passwordless, like in the image below, that you can embark on at your own pace:
And the solution that makes it all happen is our Zero Trust Suite. In fact, we suggest you manage your passwords AND keys from this single solution which gives you control over your credentials but also helps you get rid of them with a passwordless and keyless approach.
Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator->-tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...
We at SSH secure communications between systems, automated applications, and people. We strive to build future-proof and safe communications for businesses and organizations to grow safely in the digital world.