As many of us unplugged for the holidays to spend time with loved ones, LastPass, the creator of the popular security app for managing digital passwords, delivered a most unwanted gift. It published details of a recent security breach in which cybercriminals obtained copies of customers’ password vaults, exposing millions of people’s online information.
From a hacker’s point of view, this is tantamount to hitting the jackpot.
When you use a password manager like LastPass or 1Password, it keeps a list of all the usernames and passwords for the sites and apps you use, including your banking, health, email, and social networking accounts. It keeps track of that list in its online cloud, called a vault, so you can easily access your passwords from any device. LastPass said the hackers stole copies of every customer’s list of usernames and passwords from the company’s servers.
The breach was one of the worst things to happen to a security product designed to take care of your passwords. But aside from the obvious next step — changing all your passwords if you’ve used LastPass — there are important lessons we can learn from this debacle, including that security products aren’t foolproof, especially when they store our sensitive data in the cloud.
First, it’s important to understand what happened: The company said attackers accessed its cloud database and copied the data stores of tens of millions of customers using credentials and keys stolen from a LastPass employee.
LastPass, which published details of the breach in a blog post on December 22, tried to reassure its users that their data was safe. It said some parts of people’s storage, such as the website addresses of sites they visit, are not encrypted, but sensitive information, including usernames and passwords, is. This means that hackers may know which banking website someone uses, but not have the username and password required to access that person’s account.
Most importantly, the master passwords that users set to unlock their LastPass vaults are also encrypted. This means that hackers would have to crack encrypted master passwords to get the rest of each vault, which would be difficult to do as long as people use a unique, complex master password.
LastPass CEO Karim Toubba declined to be interviewed, but said in an emailed statement that the incident demonstrates the strength of the company’s system architecture and that its sensitive vault data is encrypted and protected. It also said it was users’ responsibility to “practice good password hygiene”.
Many security experts disagreed with Toubba’s optimistic spin, saying that every LastPass user should change all their passwords.
“It’s very serious,” said Sinan Eren, chief executive of security firm Barracuda. “I would consider all these managed passwords compromised.”
Casey Ellis, chief technology officer at security firm Bugcrowd, said it is significant that intruders now hold lists of the website addresses people use.
“Let’s say I’m coming after you,” Ellis said. “I can look at all the websites you store data on and use it to plan an attack. Every LastPass user now has that information in the hands of an adversary.”
Here are the lessons we can all learn from this breach to stay safe online.
Prevention is better than cure
The LastPass breach is a reminder that it’s easier to put security measures in place for our most vulnerable accounts before a breach occurs than it is to try to protect ourselves afterwards. Here are some best practices we should all follow for our passwords. Any LastPass user who took these steps ahead of time would be relatively safe during this latest breach.
∙ Create a complex, unique password for each account. A strong password should be long and difficult for someone to guess. For example, take these sentences: “My name is Inigo Montoya. You killed my father. Prepare to die.” Then use the initial of each word, with an exclamation mark standing in for the I, to make: “Mn!!m.Ykmf.Ptd.”
For those of you who use a password manager, this rule of thumb is critical for a master password to unlock your vault. Never reuse this password for another application or site.
∙ Add an extra layer of security with two-factor authentication for your more sensitive accounts. This setting involves generating a temporary code that must be entered in addition to your username and password before accessing your accounts.
Most banking websites allow you to specify your mobile phone number or email address to receive a message containing a temporary login code. Some apps, like Twitter and Instagram, allow you to use authenticator apps like Google Authenticator and Authy to generate temporary codes.
Remember, it’s not your fault
Let’s get one big thing straight: When any company’s servers are compromised and customer data is stolen, it’s the company’s fault for failing to protect you.
LastPass’s public response to the incident places responsibility on the user, but we are not obligated to accept it. While it’s true that practicing “good password hygiene” would help keep an account more secure in the event of a breach, that doesn’t absolve the company of liability.
There are risks to the cloud
While the LastPass breach may seem bad, password managers are generally a useful tool because they make it easier to create and store complex and unique passwords for our many online accounts.
Internet security often involves weighing convenience against risk. The problem with password security, Bugcrowd’s Ellis says, is that when best practices are too complicated, people tend to go for the easier option — like using passwords that can be easily guessed and repeating them across sites.
So don’t delete password managers. But remember, the LastPass breach demonstrates that, as convenient as it is to have your password vault accessible on any device, you’re always taking a risk when you trust a company to store your sensitive information in the cloud.
Eren from Barracuda recommends against using password managers that store their database in the cloud, and suggests instead choosing one that stores your passwords on your own devices, such as KeePass.
Have an exit strategy
This brings us to my final piece of advice, which can be applied to any online service: Always have a plan to remove your data—in this case, your password vault—if something happens that makes you want to leave.
For LastPass, the company lists the steps on its website to export a copy of your vault to a spreadsheet. You can then import that password list into another password manager, or keep the spreadsheet file somewhere safe for your own use.
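Once the vault is exported, the spreadsheet is also a convenient place to check the two rules above (a unique password per account, and a long one) before deciding which passwords to change first. The script below is an added example, not LastPass’s own tool; it assumes the export is a CSV with columns named url, username and password, and uses a constructed sample in that shape.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a password-manager CSV export.
# The column names are an assumption; real exports may use different ones.
SAMPLE_EXPORT = """url,username,password
https://bank.example.com,alice,Mn!!m.Ykmf.Ptd.
https://mail.example.com,alice@example.com,Mn!!m.Ykmf.Ptd.
https://social.example.com,alice,correct horse battery staple
https://shop.example.com,alice,hunter2
"""

MIN_LENGTH = 12  # shorter passwords are flagged for replacement


def audit_export(csv_text):
    """Return (reused, short) findings for a vault export.

    reused: dict mapping each password shared by 2+ entries to the list of urls
    short:  list of urls whose password is shorter than MIN_LENGTH
    """
    by_password = defaultdict(list)
    short = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row.get("password", "")
        url = row.get("url", "")
        by_password[pw].append(url)
        if len(pw) < MIN_LENGTH:
            short.append(url)
    reused = {pw: urls for pw, urls in by_password.items() if len(urls) > 1}
    return reused, short


def report(csv_text):
    """Human-readable findings; only site addresses are shown, never passwords."""
    reused, short = audit_export(csv_text)
    lines = ["reused across: " + ", ".join(urls) for urls in reused.values()]
    lines += [f"shorter than {MIN_LENGTH} characters: {url}" for url in short]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

Run it against your own export file by reading it into a string in place of SAMPLE_EXPORT, then delete the plaintext export once the findings are acted on.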
I prefer a hybrid approach. I use a password manager that doesn’t store my data in the cloud. Instead, I keep a copy of my vault on my computer and in a cloud drive that I manage. You can do this using a cloud service like iCloud or Dropbox. These methods aren’t foolproof either, but they’re less likely to be targeted by hackers than a company’s database.