Interview: Rachael Stockton, LastPass


The age-old debate over password security, and over how strong and practical passwords really are, has been running for many years, and in 2018 the story continues.

According to research released by LastPass in November 2017, 91% of the 2000 people surveyed understood the risks of reusing passwords, but 61% said that they would continue to do so. In the same research, it was estimated that a company with around 250 employees would have up to 48,000 passwords in use across the organization. The numbers are quite terrifying in that respect: 61% works out at around 29,000 passwords being reused across social media and business applications, creating opportunities for attackers of the kind seen when the LinkedIn breach data was reused against other services.

Infosecurity spoke to Rachael Stockton, director of product strategy at LastPass, about some of these issues, and whether we are expecting employees to be cybersecurity gurus on matters such as password strength.

“I really think we are coming to a point where we have been so focused on getting so secure that we’ve reached a limit of what employees and individuals want to be able to do, and can remember,” she said. “We’re chasing the perfect when we could be better off with just the good or really good.” 

Stockton made reference to the NIST guidelines, which determine that a minimum eight-character password should be used for more sensitive accounts, while the maximum length should be 64 characters. She agreed with claims made by NIST that changing passwords regularly “is not going to make us safer”: NIST’s guidance stated that “verifiers should not require memorized secrets to be changed arbitrarily (e.g., periodically)” but a change should be forced “if there is evidence of compromise of the authenticator.”

Is password security a case of what makes us good enough rather than perfect? Stockton said we need consistency of what is perfect, as if we expect people to be perfect, then “we are never going to meet that.”

She also claimed: “Good enough is not the same for every company, but also it may not be the same for every individual. Every organization needs to look at what information that these individuals have access to and what is the potential risk of that information, and what is the appropriate level of security that you’re going to ask for to protect it.” 

In another survey sponsored by LastPass, statistics revealed 23% of the 355 IT executives and 550 corporate employees surveyed used social media credentials to sign into business applications, and 25% were encouraged to re-use those credentials. Stockton said she was “very surprised about” these statistics.

“I think what that does say is if you are allowing someone to use an external tool that you have no control over, or control over the password requirements for that Facebook account, you really need to figure out how you can appropriately provide guidelines or at least management for both personal and professional passwords.” 

She went on to say that password re-use, even when the password is shared with only one work application, allows access attempts to be made against that application, so every consumer breach carries a potential impact on the business too.
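The two policy points above, the NIST guidance Stockton cites (a length floor and ceiling, no arbitrary rotation, a forced change only on evidence of compromise) and the cross-application reuse she warns about, can be turned into concrete checks. The following is an added example, not code from the article or from LastPass; the compromised-password corpus and the sample vault are constructed for illustration, and the account names are hypothetical.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Set

# Length bounds as the article reports them from the NIST guidance.
MIN_LENGTH = 8
MAX_LENGTH = 64


def sha1_hex(secret: str) -> str:
    """SHA-1 is used here only as a lookup key against a breach corpus
    (the convention used by public breached-password data sets); it is
    not a storage hash and must never be used as one."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


def check_password(candidate: str, compromised_hashes: Set[str]) -> List[str]:
    """Return the list of policy failures for a candidate password.
    An empty list means the password is acceptable under this policy."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if len(candidate) > MAX_LENGTH:
        problems.append("too long")
    if sha1_hex(candidate) in compromised_hashes:
        problems.append("appears in a known breach corpus")
    return problems


def rotation_required(days_since_change: int, evidence_of_compromise: bool) -> bool:
    """NIST-style rotation rule: the age of the password is deliberately
    ignored; a change is forced only when there is evidence of compromise."""
    return evidence_of_compromise


def find_reuse(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Group account names that share a password. The returned keys are
    hashes, so the caller can report reuse without echoing plaintext.
    Only passwords used by more than one account are returned."""
    by_secret = defaultdict(list)
    for account, secret in vault.items():
        by_secret[sha1_hex(secret)].append(account)
    return {h: sorted(accts) for h, accts in by_secret.items() if len(accts) > 1}


# Constructed breach corpus (stand-in for a real breached-password feed).
COMPROMISED = {sha1_hex(p) for p in ("password123", "letmein")}

# Constructed vault: hypothetical accounts, one consumer and one business
# account sharing the same password, and one account using a breached one.
VAULT = {
    "corp-email": "Tr0ub4dor&3",
    "facebook": "Tr0ub4dor&3",
    "crm": "correct horse battery staple",
    "ticketing": "letmein",
}

if __name__ == "__main__":
    for account, secret in VAULT.items():
        print(account, check_password(secret, COMPROMISED) or "ok")
    print("reuse groups:", list(find_reuse(VAULT).values()))
    print("rotate after 365 days, no compromise:", rotation_required(365, False))
    print("rotate after 1 day, compromise seen:", rotation_required(1, True))
```

Running the script flags `ticketing` as both too short and breached, reports `corp-email` and `facebook` as a reuse group (the consumer-to-business crossover the interview describes), and shows that age alone never triggers a rotation while compromise evidence does.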

Given that in 2018 we are still having the same conversation about password security, did she feel we would still be talking about this in 10 years’ time? Stockton said that there is a lot of movement towards other ways to authenticate, such as facial recognition, but we still have a way to go before we are really able to get rid of the password.

“So in the meantime we want to make it as safe and easy as possible for people to make it secure.”

One such method of authentication is Single Sign On (SSO), a product that LastPass offers. Is this something that customers are specifically asking about as a product to deal with authentication challenges? Stockton said that it depends on the size of the organization. “When we’re selling to medium and larger sized organizations, they are focused more on the password management side of things, as they generally use another provider for SSO.

“Smaller organizations use more of our capabilities and integrate with their existing apps to our SSO and I think there is more opportunity as there is often not a CISO or security staff and this doesn’t need a specific person, installation or resource management.”

According to research released in 2017, more data records were leaked or stolen during the first half of 2017 (1.9 billion) than in all of 2016 (1.37 billion). With this week’s revelations of further data breaches, there has to be more concern about the number of password details that are breached and just how they are used.

Yes, there are solutions to better protect your passwords, but the security policy must make it paramount that employees realize the sensitivity of the credentials they use.
