While many of us are spending quality time with loved ones during the holidays, LastPass, the maker of a popular digital password management program, is giving the most unwelcome gift: it published details about a recent security breach in which, among other things, cybercriminals obtained copies of customers’ password vaults, potentially exposing the online information of millions of people.
From a hacker’s perspective, it’s the equivalent of hitting the jackpot.
When you use a password manager like LastPass or 1Password, it stores a list of all your usernames and passwords for the websites and apps you use, including banking, healthcare, email, and social networking accounts. It keeps track of that list in its online cloud (called a vault), so you can easily access your passwords from any device. LastPass said hackers stole a copy of every customer’s list of usernames and passwords from the company’s servers.
Such a breach is one of the worst things that can happen to a security product designed to protect your passwords. But aside from the obvious next step — if you use LastPass, change all your passwords — we can learn important lessons from this disaster, including that security products aren’t foolproof, especially when they store our sensitive data in the cloud.
First, it’s important to understand what happened: Using credentials and keys stolen from LastPass employees, intruders gained access to its cloud database and obtained copies of the database for tens of millions of customers, the company said.
LastPass published details about the breach in a blog post on Dec. 22 in an attempt to reassure its users that their information was likely to be safe. It said some parts of people’s vaults — such as the addresses of the websites they log into — were unencrypted, but sensitive data, including usernames and passwords, was encrypted. This suggests that hackers may know which banking website someone uses, but not the username and password needed to log into that person’s account.
Best of all, the master password users set to unlock their LastPass vaults is also encrypted. That means hackers would then have to crack the encrypted master password to get to the rest of the passwords in each vault, which is hard to do as long as people use unique, complex master passwords.
LastPass CEO Karim Toubba declined an interview but wrote in an emailed statement that the incident was a testament to the strength of the company’s system architecture, which he said allowed sensitive vault data to be encrypted and protected. He also said it was the responsibility of users to “practice good password hygiene”.
But many security experts disagree with Mr. Toubba’s optimism and say every LastPass user should change all of his or her passwords.
“This is very serious,” said Sinan Eren, an executive at security firm Barracuda. “I think all these managed passwords have been compromised.”
Casey Ellis, chief technology officer at security firm Bugcrowd, said it’s significant that intruders have access to lists of addresses for the websites that people use.
“Suppose I’m going after you,” Mr. Ellis said. “I can look at all the sites you keep information for and use that to plan an attack. Every LastPass user now has that data in the hands of an adversary.”
Here are the lessons we can all learn from this breach to stay safe online.
Prevention is better than cure.
The LastPass breach reminds us that it’s easier to put protections in place for our most sensitive accounts before a breach occurs than to try to protect ourselves after the fact. Here are some best practices we should all follow when it comes to passwords; any LastPass users who took these steps ahead of time were relatively safe from this latest breach.
Create a complex, unique password for each account. A strong password should be long and difficult to guess. For example, look at these sentences: “My name is Inigo Montoya. You killed my father. Prepare to die.” and convert them into this, using the initials of each word and the exclamation point as the I: “Mn!!m. Ykmf. Ptd.”
For those of you who use a password manager, this rule of thumb is essential for the master password to unlock your vault. Never reuse this password for any other application or website.
For your most sensitive accounts, add an extra layer of security with two-factor authentication. This setup involves generating a temporary code that you must enter in addition to your username and password to log into your account.
Most banking websites allow you to set up your mobile phone number or email address to receive messages containing a temporary code to log in. Some apps, like Twitter and Instagram, allow you to use so-called authenticator apps like Google Authenticator and Authy to generate temporary codes.
But remember, it’s not your fault.
Let’s get one big thing clear: Whenever any company’s servers are compromised and customer data is stolen, it’s the company’s fault for failing to protect you.
LastPass’ public response to the incident puts the onus on users, but we don’t have to accept that. While practicing “good password hygiene” does help keep accounts more secure in the event of a breach, it doesn’t absolve companies of responsibility.
The cloud is risky.
As bad as the LastPass compromise might feel, password managers are still a useful tool because they make it easier to generate and store complex and unique passwords for our many internet accounts.
Internet security often involves weighing convenience and risk. Mr. Ellis of Bugcrowd said the challenge with password security is that whenever best practices become too complex, people default to simpler methods – for example, using easy-to-guess passwords and reusing them across sites.
So don’t abandon password managers. But remember, as the LastPass breach showed, entrusting a company to store your sensitive data in its cloud always carries risk, even if it gives you easy access to your password vault on any of your devices.
Mr. Eren of Barracuda recommends that instead of using a password manager that stores the database in the cloud, you choose one that stores the password vault on your own device, such as KeePass.
There is an exit strategy.
Which brings us to my final piece of advice, which can be applied to any online service: always have a plan for pulling your data — in this case, your password vault — in case something happens that makes you want to leave.
For LastPass, the company lays out steps on its website to export a copy of your vault to a spreadsheet. You can then import that password list into a different password manager. Or you can keep the spreadsheet file to yourself, storing it somewhere safe and convenient for you.
I take a mixed approach. The password manager I use doesn’t store my data in its cloud. Instead, I keep my own copy of the vault on my computer and on a cloud drive I control myself. You can use cloud services like iCloud or Dropbox to do this. These methods aren’t foolproof either, but they’re less likely to be the target of hackers than a company’s database.