Breaking the News
LastPass, a popular password manager favored by many users, recently experienced an unsettling breach. Read the notice from LastPass.
What are the implications and what do people really need to know?
LastPass is one of the largest password manager companies, storing over 30 million users’ passwords and credentials to various accounts. They recently released a notice regarding a security breach. If you don’t already see the problem here, let me break it down for you this way… LastPass data is essentially the internet version of Smaug the Dragon’s hoard of gold in The Hobbit – a treasure trove for any cybercriminal.
Why Attract Attackers?
A password manager is a high-value target for cybercriminals, so why would you store your passwords online? Well, there are other alternatives for how to store your passwords:
Your options can go beyond these, but they’re so insecure that I feel irresponsible even listing them with that caveat.
A password manager is one of the most secure options for storing your passwords, and LastPass has maintained a reputation for trusted security. A password manager sits in the middle ground between the competing points of the technology triangle.
I have used LastPass for a decade now and still recommend them. I can manage all my accounts with truly random passwords and take advantage of its other functionalities like seamlessly sharing passwords with my wife.
I have seen them go through this in the past, and their response and action have allowed them to rebuild trust with me. I recommend everyone use some variation of a password manager: either an online one (LastPass or 1Password) or an offline password vault (RoboForm or KeePass XC). At the end of the day, even an offline vault is not 100% secure and can also be breached.
Will I continue to use LastPass moving forward? Yes.
Everyone Gets Breached
Here’s the thing: it’s not a question of if you’ll get breached, but when. When it comes to online security, the weakest link in the chain is human error. The recent LastPass security incident is no exception.
31% of breaches are confirmed to occur from user error.
With the official count of confirmed cases soaring, it doesn’t take much to wager that reality may be even worse than what’s been reported. An organization’s security foundation rests on user awareness – it can be the difference between protection and vulnerability, no matter how many other layers are added (antivirus, endpoint detection, SIEM/SOC). Taking a comprehensive approach to security, including how you run your security awareness training, will lead your business down the path of success.
Choosing the right password manager and moving your information can be a journey. Why go through that rather than see if LastPass takes this unfortunate opportunity and uses it as tuition? So, we’re staying. Now what?
It is important to know if you’re in immediate danger. Start by asking yourself how secure your master password was. At this point, master passwords have not been reported as compromised, but it’s only a matter of time. How much time will depend on how simple or complex you made your master password. If you want to learn more about this, Roger Grimes shared an informative breakdown of the implications of the LastPass breach. Read here.
For the quick version of the concepts Roger presents, the longer the password the better. My last password was 24 characters, so hopefully I have some time… keyword, “hope”.
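To put numbers behind "the longer the password the better," here is an added illustration (not from the original post or from Roger Grimes’ analysis) that models an attacker guessing master passwords offline against a stolen vault. The guess rate and the sample passwords are constructed assumptions; the model treats the password as random, so a dictionary word such as "letmein" is in practice found far faster than the figure shown.

```python
import math

# Character classes and their sizes (printable ASCII, excluding space).
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 32  # the 32 printable ASCII punctuation characters
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool containing the password.
    An attacker who learns which classes you use only has to search this pool."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def entropy_bits(password: str) -> float:
    """Entropy of a random password of this length drawn from its pool."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to try every password in the pool at the given offline guess rate."""
    return charset_size(password) ** len(password) / guesses_per_second


def years_to_crack(password: str, guesses_per_second: float) -> float:
    """Expected time: on average the attacker succeeds halfway through the pool."""
    return seconds_to_exhaust(password, guesses_per_second) / 2 / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed assumption: 1e10 guesses/second, a round figure standing in for
    # a GPU farm attacking a vault whose key derivation is cheap.
    rate = 1e10
    samples = ["letmein", "Summer2022!", "k7#Qp2!mZ9vL", "vG4!tQ8#nB2$wK7&yR9*zM1%"]
    for pw in samples:
        print(f"{len(pw):2d} chars, pool {charset_size(pw):2d}: "
              f"{entropy_bits(pw):6.1f} bits, ~{years_to_crack(pw, rate):.3g} years")
```

The jump from 12 to 24 characters adds roughly 80 bits, which is why the post’s 24-character master password buys time even if the vault’s key derivation turns out to be weak.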
Password Strength is easier than we think.
A few tips to consider before choosing your new master password:
Urgent vs Important
Changing your master password is just the beginning of a much larger task. Every password stored in LastPass will need to be updated. I have over 500 passwords that now need to be changed, and no, that was not a typo. Nevertheless, updating your login credentials is essential for protecting yourself from this security breach.
So what do you do? Burn days on end and just power through? That is an option, and if you have multiple weak passwords, you probably should do that. However, most of us have families, jobs, and other obligations that don’t make this easy to tackle.
When deciding the best approach for you, think in terms of impact. This incident shouldn’t be taken lightly, but if your password was secure, it reduces the urgency… just a tiny bit.
A note about MFA: If you have MFA set up for most accounts, that is helpful, but you still need to address your passwords. MFA is a layer, and it’s not foolproof. It simply delays the impact to give you more time to change your passwords.
To help determine what is “urgent vs. important,” I crafted a list which should help you accelerate this process. While this list may not be perfect, keep in mind, “security is a bear race.” By breaking it down into components, you will be able to evaluate what is most important to prioritize first. Over the next few weeks, focus on working your way through the items one at a time and you’ll soon be ahead of the game.
These are the front doors through which people get access to all the other parts of your life (e.g., email and phone for MFA, government accounts for identity, bank for money).
Digital Spring Cleaning
Just as with your home, it’s beneficial to conduct a digital “spring cleaning” by updating passwords and clearing out accounts that are no longer in use. To make this even more efficient, my wife and I created a shared folder dedicated specifically to deleting active but unused online profiles – that way they won’t be floating around on vulnerable servers any longer than necessary!
To keep your digital life organized and running smoothly, it’s important to take the time for some much-needed maintenance. Set up a calendar reminder today for your annual digital spring cleaning and reduce the risk of being compromised.
The scary truth is that your personal data is now out there, and your digital footprint is only growing. This is not meant to make you fearful, but to prompt you to take action. We have now updated our passwords and deleted unused accounts, but there is always room for an extra layer of cybersecurity, and there are additional measures that must be taken.
Enable MFA on your password manager, and generally on anything else that offers it. It’s just helpful.
Be aware that a lot of new people will now suddenly know your email address (refer to my earlier paragraph about user training). Don’t fall for phishing attempts. Also, they’re getting smarter, so be on the lookout.
Here is a pro tip: links in email can be dangerous. You may get an email from a company whose services you subscribe to asking you to sign in to your account and do something. Those emails often provide a link to be helpful, and it may or may not be legitimate. It’s easy enough to not click the link and simply go to your account directly.
There is NO GOOD reason for anyone to ask you for your password. LastPass will never do it. Microsoft will never do it. Google will never do it. No one who is legitimate will do this. Don’t fall for it.
Be a Realist… and Maintain Hope
The internet has enabled us to connect with friends, explore new cultures and learn in ways never before possible. It’s an incredible tool that can also be a source of immense frustration, and potentially dangerous at times.
The bottom line: the internet is a platform that we rely on and will not stop using, despite its inability to become a completely secure environment. So don’t be afraid to take advantage of the amazing opportunities available right at our fingertips; simply remain vigilant and proactive.
Protecting your organization from harm requires more than just knowledge – it takes a comprehensive approach. Our security experts are dedicated to providing you with the total security solution that keeps malicious threats at bay and safeguards your organization’s valuable information. Let us provide you with the protection you need so you can breathe easy. Contact us today.