
A breach at LastPass has password lessons for all of us

    While many of us pulled the plug on the internet to spend time with loved ones during the holiday season, LastPass, the maker of a popular digital password management security program, delivered the most unwanted gift. It published details of a recent security breach in which cybercriminals obtained copies of customers’ password vaults, potentially exposing millions of people’s online information.

    From a hacker’s perspective, this is the equivalent of hitting the jackpot.

    When you use a password manager like LastPass or 1Password, it stores a list of all usernames and passwords for the sites and apps you use, including banking, healthcare, email, and social network accounts. It keeps that list, called the Vault, in its online cloud, so you can easily access your passwords from any device. LastPass said hackers stole copies of each customer’s list of usernames and passwords from the company’s servers.

    This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But aside from the obvious next step — to change all your passwords if you used LastPass — there are important lessons to learn from this debacle, including that security products aren’t foolproof, especially when they store our sensitive data in the cloud.

    First, it’s important to understand what happened: The company said intruders accessed its cloud database and obtained a copy of tens of millions of customers’ data vaults by using credentials and keys stolen from a LastPass employee.

    LastPass, which published details of the leak in a blog post on Dec. 22, sought to reassure its users that their information was likely safe. It said some parts of people’s vaults — such as the website addresses of the sites they logged into — were unencrypted, but sensitive data, including usernames and passwords, was encrypted. This would suggest that hackers may know the banking website someone used, but don’t have the username and password needed to log into that person’s account.

    Most importantly, the master passwords users set to unlock their LastPass vaults are also encrypted. That means hackers would then have to crack the encrypted master passwords to get the rest of the passwords in each vault, which would be difficult as long as people used a unique, complex master password.
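    To make the vault layout described above concrete, here is an added illustration (not LastPass’s code): a toy vault that keeps site addresses in the clear and encrypts only the credentials under a key derived from the master password, so a reader can see exactly which fields a stolen copy exposes and why the master password is the only thing standing between a thief and the rest. The cipher is a simplified HMAC-based construction assumed here in place of the real product’s AES, and the sample entries and iteration count are constructed, not LastPass’s.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 100_000  # illustrative work factor, not LastPass's real setting


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a vault key (slow on purpose)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stand-in for a real stream cipher: HMAC over a counter.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def build_vault(master_password: str, entries: list) -> dict:
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    # URL stays unencrypted, as the article describes; credentials do not.
    return {"salt": salt.hex(), "entries": [
        {"url": e["url"],
         "credentials": encrypt(key, json.dumps({"user": e["user"], "pass": e["pass"]}).encode()).hex()}
        for e in entries]}


def what_a_thief_sees(vault: dict) -> list:
    """Everything readable from a stolen copy without the master password."""
    return [e["url"] for e in vault["entries"]]


def open_vault(master_password: str, vault: dict) -> list:
    key = derive_key(master_password, bytes.fromhex(vault["salt"]))
    return [json.loads(decrypt(key, bytes.fromhex(e["credentials"]))) for e in vault["entries"]]


SAMPLE_ENTRIES = [  # constructed sample data
    {"url": "https://bank.example", "user": "alice", "pass": "correct-horse"},
    {"url": "https://mail.example", "user": "alice@mail.example", "pass": "battery-staple"},
]
```

Run `what_a_thief_sees(build_vault("...", SAMPLE_ENTRIES))` to see the URL list that is exposed regardless of the master password; `open_vault` with the wrong password fails on the tag check rather than returning garbage.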

    LastPass CEO Karim Toubba declined to be interviewed, but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive vault data encrypted and secure. He also said it was users’ responsibility to “practice good password hygiene”.

    Many security experts disagreed with Mr. Toubba’s optimistic spin, saying that every LastPass user should change all of his or her passwords.

    “It’s very serious,” said Sinan Eren, an executive at Barracuda, a security firm. “I would consider all those managed passwords compromised.”

    Casey Ellis, the chief technology officer of the security company Bugcrowd, said it was significant that intruders had access to the lists of website addresses people used.

    “Let’s say I come after you,” Mr. Ellis said. “I can look at all the websites you have stored information for and use that to plan an attack. Every LastPass user now has that data in the hands of an adversary.”

    Here are the lessons we can all learn from this breach to stay safer online.

    The LastPass breach reminds us that it’s easier to put protections in place on our most sensitive accounts before a breach happens than it is to try to protect ourselves afterwards. Here are some best practices we should all follow for our passwords; any LastPass user who took these steps beforehand would have been relatively safe during this recent breach.

    • Create a complex, unique password for each account. A strong password should be long and hard to guess. Take for example these sentences: “My name is Inigo Montoya. You killed my father. Prepare to die.” And convert them to this, using initials for each word and an exclamation mark for the I’s: “Mn!!m.Ykmf.Ptd.”

      For those using a password manager, this rule of thumb is paramount for the master password to unlock your vault. Never reuse this password for another app or site.

    • For your most sensitive accounts, add an additional layer of security with two-factor authentication. This setting involves generating a temporary code that must be entered in addition to your username and password before you can log in to your accounts.

      Most banking sites allow you to set up your mobile number or email address to receive a message with a temporary code to log in. Some apps, like Twitter and Instagram, let you use so-called authenticator apps like Google Authenticator and Authy to generate temporary codes.

    Let’s clarify one important thing: when a company’s servers are breached and customer data is stolen, the company is to blame for not protecting you.

    LastPass’s public response to the incident puts the blame on the user, but we don’t have to accept that. While it’s true that practicing “good password hygiene” would have helped keep an account more secure in the event of a breach, that doesn’t absolve the company of its responsibility.

    While the LastPass breach may feel devastating, password managers in general are a useful tool as they make it easier to generate and store complex and unique passwords for our many internet accounts.

    Internet security is often about balancing convenience versus risk. Bugcrowd’s Mr. Ellis said the challenge with password protection was that when the best practices were too complicated, people would default to what was easier, such as using easy-to-guess passwords and repeating them across different sites.

    So don’t write off password managers. But remember, the LastPass breach shows that you’re always taking a risk when you trust a company to store your sensitive data in the cloud, no matter how convenient it is to have your password vault accessible on all your devices.

    Mr. Eren of Barracuda recommends not using password managers that store the database in their cloud, but choosing one that stores your password vault on your own devices, such as KeePass.

    Which brings us to my final piece of advice, which can be applied to any online service: Always have a plan to retrieve your data — in this case, your password vault — in case something happens that makes you want to leave.

    For LastPass, the company lists steps on its website to export a copy of your vault to a spreadsheet. You can then import that list of passwords into another password manager. Or you can keep the spreadsheet file for yourself somewhere safe and easy to use.

    I’m going for a hybrid approach. I use a password manager that does not store my data in the cloud. Instead, I keep my own copy of my vault on my computer and in a cloud drive that I control myself. You can do this by using a cloud service like iCloud or Dropbox. Those methods aren’t foolproof either, but they’re less likely than a company’s database to be targeted by hackers.