LastPass Replacement


We’d like to loop back with the attendees of our panel discussion on the LastPass incident.

Since that time, we’ve learned that Norton LifeLock has also had compromises. Along with CircleCI and Slack, it’s clear there is a trend of gaining source-level access to enterprise tools, which raises the risk of another “backdoored update” like SolarWinds, as we discussed in the panel.

We also promised we would be transparent about our selection process for a password manager, as the process may help the communities we serve. Rather than articulating why we rejected products, we’ll keep this positive and talk about how we selected. The process we used was as follows:

  1. We set up a committee to make the decision.
  2. We drafted a list of attributes or features that define the ideal product. Many of these attributes are drawn directly from the feature sets advertised by the different product vendors; others are our own requirements, for example no reported major security incidents in the last 3 years.
  3. We came up with a list of 6 products, drawn from product reviews over a period of 3 years.
  4. Each committee member did a deep dive into the feature sets advertised by the vendors and mapped them to the attributes we’d selected.
  5. We met as a committee, debated the results, and shortlisted 3 vendors.
  6. We obtained security documentation for the 3 vendors and evaluated that documentation in detail.
  7. We selected one product for enterprise use and another to recommend to our employees for home use.

Along with standard features, the list of attributes we considered to be the desired differentiators are the following:

  • Stored Password Strength Check – offers a method for evaluating master password security without revealing the password.
  • Price – self-explanatory
  • Product Launch Date – How long has the vendor been in business and when was the product launched
  • Zero-Knowledge – An overused term, but the vendor is not in possession of master keys
  • Central Administration – Reporting interface, revocation capability
  • Security Events in past 24mo – What’s in the media regarding security incidents?
  • Access Levels – Granular enough to meet our requirements?
  • Access Auditing – Usage and other reports
  • Programmatic Access – APIs available for automation?
  • Age of Secrets – Age tracking for potential rotation scheduling?
  • 3rd Party Audits for Security – Has the product been exposed to a security assessment that is available for review and conducted by a third party?
  • Intuitive to use – A good recommendation is that the product works well for seniors
  • Uses TLS – Nothing moves without encryption
  • Integrates with authenticator apps – Microsoft, Google, Duo
  • Integrates with FIDO keys – Hardware tokens for device access
  • Breach Reporting – Sites for which users have passwords stored
  • Weak Password Detection and Reporting – Just in case users aren’t meeting the bar

Result: we have selected Keeper and we are advocating home use of Bitwarden. We will be rolling out Keeper to our entire employee base and making its use mandatory through policy. The reason we chose a different product to recommend for home use is that we don’t want home and business credentials to be in the same product. If another product breach occurs and we need to go through this exercise again, we do not want to impact our employees’ access to their banks and retail sites.

You can view the webinar here: