The LastPass hack is VERY big. What is the best way to manage passwords?
LastPass, one of the most popular password managers, suffered a data breach that exposed data for its 33 million customers. A terrifying amount of data!
To date, we have determined that when the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup containing basic customer account information and related metadata, including company names, end user names, billing addresses, email addresses, phone numbers, and the IP addresses that the customers accessed the LastPass service from.
The threat actor was also able to copy a backup copy of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form completions data.
LastPass Press Release
So essentially the hackers were able to copy ALL of the customer data. Even though most fields are still encrypted, the data that is not, such as the URLs, is still valuable: it shows the hackers every site you access using LastPass, and if those sites are interesting enough, they can make you a target.
Every LastPass user is at risk, and they are silent
Currently, the ONLY thing preventing hackers from decrypting a LastPass customer’s data is the customer’s master password, which is used to generate the encryption key for that account. This is the password you use to sign in to LastPass, and if yours is a weak one, you are the most at risk of being hacked. LastPass has also handled this in a very shady way: the press release was only published on their blog, and they state that they notified fewer than 3% of users, who happened to be their business customers, even though the hack affected all of their customers.
We have already notified a small subset (less than 3%) of our Business customers to recommend that they take certain actions based on their specific account configurations. If you are a business customer and you have not already been contacted to take action, there is no other recommended action for you to take at this time.
LastPass Press Release
So after telling everyone that the hackers have EVERYTHING and the only security left is the user’s master password, they say that if they didn’t contact you, relax, you are okay. This is the worst advice they could give their customers. It is in stark contrast to the way Google handled its own data breach: to this day, Google Password Manager still advises all users to update passwords for every website whose password dates from before the breach. Advising fewer than 3% of users and keeping it hush-hush for the other 97%+ makes it look like LastPass is trying to save face by keeping quiet and only informing the clients who can make the most noise and give them bad press.
So what is the best way to manage my piles of passwords?
There are many ways to manage passwords. And I will list them here so you can choose which ones work best for you.
Keep using LastPass
A majority of LastPass users are definitely going to stick with it, for a couple of reasons: it’s a familiar platform and they don’t want to invest time and energy in learning a new one, or they still have an active subscription that’s holding them hostage. That’s still fine.
These people can continue to use LastPass, but they cannot avoid the painstaking task of updating every password stored in LastPass, as well as the master password of their LastPass account, to something strong and random with at least 12 characters. This must be done immediately.
The hackers copied the data, so once you update your details, what they took becomes stale: the site passwords inside the stolen vault no longer work. Note that changing the master password alone does not help with the copy they already have, since that copy stays encrypted under the old master password; it only protects your account going forward, which is why every password inside the vault must change too.
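As an added illustration of why the master password, and how expensively it is stretched into the vault key, is all that stands between the attacker and the stolen copy: this is example code written for this article, not LastPass’s own, and its PBKDF2 parameters, the e-mail salt, the iteration counts and the attacker’s guess rate are all assumptions.

```python
"""Added example (not from the article, not LastPass code).

Two facts the article's advice rests on:
  1. the vault key is derived only from the master password (plus a salt), so a stolen
     encrypted vault can be attacked offline by guessing master passwords; and
  2. rotating the master password re-keys FUTURE copies, not the copy already stolen.
Assumptions: PBKDF2-HMAC-SHA256 salted with the lower-cased account e-mail; iteration
counts and the attacker's HMAC rate are illustrative numbers, not measured values.
"""
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key. The only secret input is the master password."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int, iterations: int, hmac_per_second: float) -> float:
    """Worst-case time to try every password of this shape; each guess costs `iterations` HMACs."""
    return (alphabet_size ** length) * iterations / hmac_per_second


def stolen_copy_still_opens_with_old_password(old_master: str, new_master: str, email: str, iters: int) -> bool:
    """The stolen blob was sealed under the key from the OLD password. Rotation changes the
    live key, but the attacker can still derive the old key from the old password."""
    key_at_theft = vault_key(old_master, email, iters)
    key_after_rotation = vault_key(new_master, email, iters)
    assert key_after_rotation != key_at_theft            # rotation did change the live key
    return vault_key(old_master, email, iters) == key_at_theft


def guess_cost_report(hmac_per_second: float = 1e10) -> dict:
    """Years to exhaust two master-password shapes under two illustrative iteration counts."""
    shapes = {"8 lowercase": (8, 26), "12 random printable": (12, 94)}
    report = {}
    for name, (length, alphabet) in shapes.items():
        for iters in (5_000, 100_100):                   # assumed low and high stretching
            years = seconds_to_exhaust(length, alphabet, iters, hmac_per_second) / SECONDS_PER_YEAR
            report[(name, iters)] = years
    return report


if __name__ == "__main__":
    for (shape, iters), years in guess_cost_report().items():
        print(f"{shape:20s} @ {iters:>7,} iterations: {years:.3g} years")
```

The 8-character lowercase shape falls in days even at the higher iteration count, while 12 random printable characters takes billions of years at the same guess rate, which is the gap behind the article’s 12-character advice.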
Use a different password manager
You may not actually need to download or subscribe to a third-party password manager. Most platforms come with a built-in one. Google’s password manager is built into Android smartphones and the Chrome browser on PC, and all passwords are stored in your Google (Gmail) account. In the Apple ecosystem, you have Keychain as a password manager, and if you want it synced through the cloud, you can activate iCloud Keychain.
Mobile devices such as smartphones also have built-in password managers for apps, storing passwords on the device or in the cloud. In the Android world, you have Google’s solution, which stores passwords under your Gmail account, and there is often also a first-party option that stores them in a password vault provided by the device manufacturer. One advantage of these methods is the extra layer of security from biometric authentication via fingerprint or 3D facial recognition, which may make them slightly more secure than the PC alternatives.
You can also use third-party password managers that compete directly with LastPass. They will certainly see the LastPass hack as an opportunity to make their own solutions more secure for their customers. One such app is 1Password.
Set up 2-factor authentication
2-factor authentication is a security measure that requires an extra verification step when you log in, on top of your username and password. The most common form is a code sent via SMS or phone call. It puts another barrier in front of any potential hacker, because they would need physical access to your device to read the code. The code also expires after a few minutes, after which a new one is required.
Whether you use a password manager or not, you should enable 2-factor authentication, especially on the email account used to log into social media, bank accounts, apps, and other important websites.
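The expiring codes described above, in their authenticator-app form (RFC 6238 time-based one-time passwords), as an added example that is not part of the original article: it shows why a code stops working once its time step has passed and why a verifier should refuse to accept the same code twice. The shared secret is the RFC test-vector key, and the clock values and acceptance window are constructed.

```python
"""Added example (not from the article). Client-side code generation and a server-side
verifier for RFC 6238 TOTP. Secret is the RFC 4226/6238 test key; times are constructed."""
import hashlib
import hmac

SECRET = b"12345678901234567890"   # RFC test-vector key; a real secret is random and per-user


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step, so the code changes every `step` s."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Server side: accept a code from the current step or its immediate neighbours
    (clock skew), but never accept a step that was already used, which blocks replay."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_accepted_step = -1     # replay guard: nothing at or before this step is valid

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue                                     # expired or already consumed
            if hmac.compare_digest(hotp(self.secret, step), code):   # constant-time compare
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    now = 1000
    code = totp(SECRET, now)
    v = TotpVerifier(SECRET)
    print(code, v.verify(code, now), v.verify(code, now), v.verify(code, now + 150))
```

The same code is accepted once, rejected on immediate reuse, and rejected again five steps later because its time step has passed.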
The only way to never get hacked is to stay off the internet, so these methods will not keep you 100% safe from hackers. They will, however, make it many times harder for them to succeed, which is the next best thing.