While many of us unplugged from the internet to spend time with loved ones during the holidays, LastPass, maker of a popular security software for managing digital passwords, delivered the most unwanted gift. It published details of a recent security breach in which cybercriminals had obtained copies of customers’ password vaults, potentially exposing millions of people’s online information.
From a hacker’s perspective, this is equivalent to hitting the jackpot.
When you use a password manager like LastPass or 1Password, it stores a list containing all the usernames and passwords for the websites and apps you use, including banking, healthcare, email and social networking accounts. It keeps track of the list, called the vault, in the cloud, so you have easy access to your passwords from any device. LastPass said hackers had stolen copies of the list of usernames and passwords for each customer from the company’s servers.
This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But aside from the obvious next step — changing all your passwords if you used LastPass — there are important lessons we can learn from this debacle, including that security products aren’t foolproof, especially when storing sensitive data in the Cloud.
First, it’s important to understand what happened: The company said intruders gained access to its cloud database and obtained a copy of the data vaults of tens of millions of customers using credentials and keys stolen from a LastPass employee.
LastPass, which published details of the breach in a blog post on Dec. 22, tried to reassure users that their information was likely safe. It said some parts of people’s vaults – such as the website addresses of the pages they logged into – were unencrypted, but that sensitive data, including usernames and passwords, was encrypted. This suggests that hackers may know the banking website someone used, but not have the username and password required to log into that person’s account.
Most importantly, the master passwords that users set up to unlock their LastPass vaults were also encrypted. That means hackers would then have to crack the encrypted master passwords to get the rest of the passwords in each vault, which would be difficult to do as long as people used a unique, complex master password.
LastPass CEO Karim Toubba declined to be interviewed, but wrote in an email that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive vault data encrypted and secured. He also said that it is the users’ responsibility to “practice good password hygiene”.
Many security experts disagreed with Toubba’s optimistic spin, saying that every LastPass user should change all of his or her passwords.
“It’s very serious,” said Sinan Eren, an executive at Barracuda, a security firm. “I will consider all the managed passwords compromised.”
Casey Ellis, chief technology officer at security firm Bugcrowd, said it was significant that attackers had access to the lists of website addresses that people used.
“Let’s say I’m coming after you,” Ellis said. “I can look at all the sites you have stored information for and use it to plan an attack. Every LastPass user has that data now in the hands of an adversary.”
Here are the lessons we can all learn from this breach to stay safer online.
Prevention is better than treatment.
The LastPass breach is a reminder that it’s easier to put security measures in place for our most sensitive accounts before a breach occurs than to try to protect ourselves afterwards. Here are some best practices we should all follow for our passwords; any LastPass user who had taken these steps beforehand would have been relatively safe during this recent breach.
— Create a complex, unique password for each account. A strong password should be long and difficult for someone to guess. For example, take these sentences: “My name is Inigo Montoya. You killed my father. Prepare to die.” And convert them to this, using initials for each word and an exclamation point for the I’s: “Mn!!m.Ykmf.Ptd.”
For those using a password manager, this rule of thumb is of utmost importance for the master password to unlock your vault. Never reuse this password for other apps or websites.
— For your most sensitive accounts, add an extra layer of security with two-factor authentication. This setting involves generating a temporary code that must be entered in addition to your username and password before you can log into your accounts.
Most banking sites allow you to set up your mobile phone number or email address to receive a message containing a temporary code to log in. Some apps, such as Twitter and Instagram, allow you to use so-called authenticator apps such as Google Authenticator and Authy to generate temporary codes.
But remember, it’s not your fault.
Let’s get one big thing straight: Every time a company’s servers are breached and customer data is stolen, it’s the company’s fault for not protecting you.
LastPass’s public response to the incident puts the responsibility on the user, but we don’t have to accept it. While it’s true that practicing “good password hygiene” would help keep an account more secure in the event of a breach, that doesn’t absolve the company of responsibility.
There is a risk to the cloud.
While the LastPass breach may feel damning, password managers are generally a useful tool because they make it more convenient to generate and store complex and unique passwords for our many Internet accounts.
Internet security often involves weighing convenience against risk. Bugcrowd’s Ellis said the challenge with password security was that when the best practices were too complicated, people would default to what was easier — for example, using passwords that are easy to guess and repeating them across sites.
So don’t write off password managers. But remember, the LastPass breach shows that you’re always taking a risk when you entrust a company to store your sensitive data in the cloud, as convenient as it is to have your password vault available on all your devices.
Eren of Barracuda recommends against using password managers that store their database on their cloud and instead choose one that stores your password vault on your own devices, like KeePass.
Have an exit strategy.
That brings us to my final piece of advice, which can be applied to any online service: Always have a plan to extract your data—in this case, your password vault—in case something happens that makes you want to leave.
For LastPass, the company lists steps on its website to export a copy of your vault to a spreadsheet. You can then import that list of passwords into another password manager. Or you can keep the spreadsheet file for yourself, stored somewhere safe and convenient for you to use.
I take a hybrid approach. I use a password manager that doesn’t store my data in the cloud. Instead, I keep my own copy of my vault on my computer and in a cloud drive that I control myself. You can do this by using a cloud service such as iCloud or Dropbox. These methods are also not foolproof, but they are less likely than a company’s database to be targeted by hackers.
This article originally appeared in The New York Times.