The Constant Arms Race Of Password Protection

Kevin Muller, pictured, is CEO of Passbolt (Photo © Silicon Luxembourg/Stephanie Jabardo)

At the end of 2022, Passbolt onboarded its 1,000th customer and moved to its own private offices in Belvaux. The password management tool for teams and business shares its growth story and the ongoing battle with cybersecurity misconceptions.

If you want a job done well, sometimes it pays to do it yourself. That was what drove serial entrepreneur Kevin Muller to build the first version of an open source password manager for the needs of his India-based digital agency. Muller is originally from Longwy, and word of the new tool reached Luxembourg: in 2016 he and his team were invited to take part in the first Fit 4 Start Luxembourg accelerator programme.

Muller caught the bug for product building and quit the digital agency to focus solely on Passbolt, convincing his two co-founders, also long-time associates and ICT experts from Europe, to join him.

The programme helped the firm to develop a commercial strategy for its open-source software. The response exceeded Muller’s wildest expectations. Attracted by the tool’s transparency and security, developers jumped on board, and word-of-mouth replaced the need for traditional marketing. 

“If developers love your product, then they will start creating blog articles and tutorials to talk about it,” Muller, now the CEO, says.


From 2017 to 2022, Passbolt was hosted at Technoport in Belval, a business incubator and event space aimed at technology startups. During this period, it raised a total of €5m in two fundraising rounds, which enabled the team to grow fourfold over four years.

“When we left Technoport we were almost 20. I cannot emphasise enough how easy it was to scale our team at Technoport,” Muller says.

The new office, located not far from Technoport in Belvaux, will allow the current 20 FTEs and 10 externals to grow to around 40 FTEs in the short term.

Growing cyber threats

When we spoke in March, Passbolt had already been adopted by 15,000 organisations. In 2023, it focuses on exponential acceleration, while ensuring maximum security in the face of growing cyber threats. 

Rival password management tool firm Lastpass learned this the hard way when in 2022 a hacker stole password vault data by hacking an employee’s home computer. 

“Security is a team sport, and we need to also look at their mistakes and see if we can learn for ourselves from these mistakes,” says Passbolt CTO Remy Bertot, adding: “No Password Manager can claim that they will be secure forever, for every single scenario. I think it’s more about transparency, like what kind of risks that your password manager is responding to and what kind of risk you are not covering.”


Founded in 2008, Lastpass is one of the oldest players in the market. Unlike Passbolt, its encryption key is derived from the user’s master password using what is called a key derivation function. According to Bertot, this still uses the configuration chosen for the first version of Lastpass, when fewer iterations were required. “But hardware improved, and now the recommended number of rounds to do this derivation is 600,000 to make it more expensive for an attacker to brute force it. Because they constructed this software 10 years ago, and have not migrated their users to this new, stronger algorithm configuration, they’re having an issue,” explains Bertot.
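As an added illustration (not Passbolt’s or Lastpass’s own code), the following Python shows the mechanism Bertot describes: PBKDF2-HMAC-SHA256 with a configurable iteration count, a policy check that flags vaults still derived with too few rounds, and an upgrade step at login so that old users are migrated to the 600,000-round setting. The legacy count of 5,000 is a constructed illustrative value, not a figure from the article.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

RECOMMENDED_ITERATIONS = 600_000  # round count quoted in the article for PBKDF2-HMAC-SHA256
LEGACY_ITERATIONS = 5_000         # constructed illustrative value for an old configuration


@dataclass(frozen=True)
class VaultKeyParams:
    """Per-user key derivation parameters stored alongside the encrypted vault."""
    salt: bytes
    iterations: int


def derive_vault_key(password: str, params: VaultKeyParams) -> bytes:
    """Derive a 32-byte vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               params.salt, params.iterations, dklen=32)


def needs_rehash(params: VaultKeyParams, minimum: int = RECOMMENDED_ITERATIONS) -> bool:
    """True when a stored vault still uses fewer rounds than current policy."""
    return params.iterations < minimum


def upgrade_on_login(password: str, stored: VaultKeyParams, verifier: bytes) -> VaultKeyParams:
    """Return new parameters when a correct login reveals an under-iterated vault.

    Only the user knows the master password, so migration can only happen at login;
    the caller would then re-encrypt the vault under the key derived from the new params.
    """
    if not hmac.compare_digest(derive_vault_key(password, stored), verifier):
        raise ValueError("wrong master password")
    if not needs_rehash(stored):
        return stored
    return VaultKeyParams(salt=os.urandom(16), iterations=RECOMMENDED_ITERATIONS)


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of one derivation here; a brute-force attacker pays this per guess."""
    start = time.perf_counter()
    derive_vault_key("correct horse", VaultKeyParams(b"\x00" * 16, iterations))
    return time.perf_counter() - start


if __name__ == "__main__":
    legacy, current = seconds_per_guess(LEGACY_ITERATIONS), seconds_per_guess(RECOMMENDED_ITERATIONS)
    print(f"legacy {legacy * 1000:.1f} ms/guess, recommended {current * 1000:.1f} ms/guess, "
          f"about {current / legacy:.0f}x more expensive per guess")
```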

Lastpass has since deployed fixes. But the incident shows how much damage a low-cost hack can inflict on a company. The attacker first gained access to developer accounts through a successful phishing attack on employees. In Bertot’s words: “these developer accounts had too many privileges, so they had access to other accounts and that’s when the first hack stopped. They were able to detect this abnormal behaviour and shut it down.”

The lesson here is the need to educate staff about phishing techniques and make sure they have two-factor authentication enabled, while also applying the principle of least privilege.

Having obtained the address of a key Lastpass employee, the attacker then compromised their home network through video streaming software that had not been updated. The employee was using his personal machine for work, which enabled the hacker to get into the Lastpass infrastructure, steal backups and decrypt accounts, thus accessing customer credentials.

Remy Bertot, pictured, is CTO of Passbolt. Photo: Passbolt

Growing gap

The incident is interesting for the fact that it highlights a growing gap between tech workers and public opinion. How could a cyber security employee fall for a phishing attack? And why didn’t the firm communicate more quickly about the incident? 

On the one hand, attackers are showing impressive levels of dedication. On the other, it is hard to communicate when you are still trying to understand what has happened, especially when the attacker is hiding their tracks. Bertot explains: “The world works at an increased pace and cybersecurity forensic work doesn’t move at the same pace as communication in the media.”

Public criticism and increasingly sophisticated techniques used to craft phishing campaigns mean that attacks are taking a toll on a sector where burnout is commonplace. Bertot says it is easy to criticise when you are not in that world. “Imagine being put in the position where you need to secure a castle, but there is an army of 200,000 people in front and you have four people. How are you expected to protect against such scenarios?”

The reality is that Passbolt’s work is a “constant arms race. You need to invest and improve constantly. There is no point at which this is done.”


The firm has adopted a number of measures, including frameworks such as SOC 2, which requires multiple reviews each quarter; these help, for example, to remove access where it is no longer needed and to require approval before newcomers are granted access. The hardest thing to communicate is the residual risk found in every system. These risks often arise from competing priorities between security design and ease of use. One obvious example is facial recognition. “An attacker could kidnap you and use your face to unlock your phone. That’s also an example of a residual risk you knowingly accept to take when you’re enabling biometrics,” says Bertot.

Looking to the near future, the password manager will shortly take part in the Google Growth Academy cybersecurity acceleration programme. It is one of 15 European startups, selected out of 120, to receive support. “I’m interested and intrigued by what it would mean for us,” says Bertot.

This article was first published in the Silicon Luxembourg magazine.