Near the end of 2022, LastPass was hacked. If you are an affected user, you need to take action now.
If you did everything right in the past, you are probably OK for now. But recent news reveals that LastPass had several lapses, which may require you to take immediate action, and you probably should consider switching password managers. You really should still use a password manager, though. Here are some lessons learned.
Rather than re-hashing the details of LastPass’s fall from grace, which came to a climax in December 2022, I’m writing this article to provide context and guidance.
The LastPass breach is scary, and has lessons for all of us.
The timing of the latest news was problematic, as many people, including journalists and researchers, were off for the holidays. A cynical person might say that LastPass planned it this way to minimize negative press. But deep analysis will come in force over the next weeks and months.
My advice here is primarily based on a summary story by Ars Technica that provides a good explanation with recommendations. One important thing to remember at times like this is that there may be a tendency to “over-hype” the severity of the problem and to jump to conclusions. And in this case, it does seem like there were some inaccurate statements made by some “experts” on social media. That’s why I didn’t post this article immediately after the most serious news broke about this breach. I wanted to see what a range of experts were saying about it before weighing in with my perspective.
This is my take on the LastPass story to this point… I’m sure there will be more to come.
I’ve been a LastPass user for many, many years, with hundreds of credentials stored there. The theory was that the architecture was done in a way that made it very hard for an attacker to crack the master password… IF IT WAS STRONG, meaning at least 12 characters and random enough to be “not guessable” using “dictionary attacks” or through a bit of open source research.
Initially, LastPass was an independent company, and its founder Joe Siegrist was doing all the right things, as far as anyone outside could tell. Many people, including security professionals, trusted the company.
Over the years, a few security breaches did occur, but LastPass was praised for its transparency and proactive approach. That’s pretty much all you could ask for.
LastPass was purchased by LogMeIn in 2015, and it’s fair to say that since then, Joe’s original security and service principles may not have been a priority. LastPass was later spun off in 2021, but there is no evidence that the founding principles were reinstated.
The bottom line is that the only obstacles between an attacker and any LastPass user’s stored passwords may be the strength of their master password and, less importantly, the potential obscurity of being one of 33 million users in the same position.
The question of whether or not to trust LastPass statements will be debated over the next while. However, if you are a LastPass user, regardless of whether or not you intend to continue using it, there are three things you should do:
1) Change your LastPass master password.
Log in to your online LastPass account and use Account Settings to change your LastPass master password. Make sure it is longer than 12 characters (preferably, much longer), but memorable, such as a line from a movie or story that you remember well (including punctuation). Length is the key to password strength.
2) Increase the “iterations” used for encryption key generation.
Use the Advanced Account Settings to increase the strength of your master password encryption. Change the “Password Iterations” setting from the current value to one that is at least 300,100. Every guess an attacker makes against a stolen vault has to repeat that many rounds of key derivation, so this will make a brute force attack on the master password much more expensive.
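Steps 1 and 2 are two levers on the same attacker cost: the size of the password space and the work per guess multiply. This added example (my illustration, not code from the article or from LastPass) assumes LastPass stretches the master password with PBKDF2-HMAC-SHA256 salted with the account e-mail, uses a constructed attacker throughput figure, and shows how an 8-character random password and a 12-character lowercase password fare at a low legacy iteration count versus the recommended 300,100.

```python
import hashlib
import math
import time

# Constructed sample values for this stand-alone demo (not real LastPass data).
SALT = b"user@example.com"   # assumption: the vault key is salted with the account e-mail
OLD_ITERATIONS = 5_000       # low legacy setting reported for some long-standing accounts
NEW_ITERATIONS = 300_100     # the value recommended above


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.
    An attacker holding a stolen vault must repeat exactly this work for every guess,
    so the cost of a guess grows linearly with the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of a single key derivation on this machine."""
    start = time.perf_counter()
    derive_vault_key("timing probe", SALT, iterations)
    return time.perf_counter() - start


def expected_crack_years(password_length: int, charset_size: int, iterations: int,
                         attacker_sha256_per_second: float) -> float:
    """Expected brute-force time for a uniformly random password of the given length
    and alphabet. On average half the keyspace is searched, and each guess costs
    `iterations` SHA-256 calls (HMAC actually needs about two per iteration, which is
    ignored here and slightly understates the attacker's cost)."""
    guesses = (charset_size ** password_length) / 2
    seconds = guesses * iterations / attacker_sha256_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    GPU_RIG = 1e11  # constructed figure: SHA-256 hashes per second for a cracking rig
    for iters in (OLD_ITERATIONS, NEW_ITERATIONS):
        print(f"{iters:>7} iterations: {seconds_per_guess(iters) * 1000:.1f} ms per guess here; "
              f"8-char alphanumeric ~{expected_crack_years(8, 62, iters, GPU_RIG):.2f} years, "
              f"12-char lowercase ~{expected_crack_years(12, 26, iters, GPU_RIG):.0f} years")
```

Each extra lowercase character multiplies the attacker's work by 26, while the iteration change multiplies it by about 60, which is why a longer master password matters more than any setting.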
3) Change important passwords ASAP.
Ideally, you should change all “sensitive” passwords for accounts stored in LastPass. However, if you have many credentials stored there, this will be a long job, and should be done on a priority basis, starting with the most sensitive accounts. Just remember that anything that was in your LastPass vault before August 2022 may have been compromised, including “secure notes” that may have been encrypted but are still subject to being cracked. These may not be easy to “rotate”, but you should closely watch the statements of any credit cards whose numbers were stored in LastPass from now on for suspicious activity.
4) Monitor your exposure.
You can sign up for notifications of future potential leakage of your passwords on the Have I Been Pwned website by submitting the email addresses you use for major online accounts, including the email you use for your LastPass account. If an email address shows up in a known security breach, you will get a notification, and you should change that account’s password immediately.
Taking these actions should raise the bar for any accounts that have not yet been compromised, and help you respond quickly if any were, or become, compromised.
As serious as this issue is, it illustrates that any online service can suffer a security breach. The best we can do is try to reduce risks wherever possible.
The risks of using a password manager “properly” are still far less than using the same password for multiple accounts, or storing them in an insecure personal file.
By “properly”, I mean that you should use a strong master password that is more than 12 characters long and is not guessable, in addition to using Two-Factor Authentication for accessing your vault (although this particular measure does not reduce your risk from the LastPass or any other breach where an attacker gets access to the password vault).
I recommend that you follow news reports carefully from reputable security journalists such as independent security and privacy journalist Brian Krebs (who has not yet posted about the recent LastPass news as of the time of this article) or Dan Goodin at Ars Technica.
Stay tuned…
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.