You may have heard or will hear in the news about the security breach at LastPass yesterday. We use and recommend LastPass to our clients as a secure way to store and manage passwords for all their online activity. This bulletin is intended to inform our clients about the breach based on the information so far, and what impact it will have.
First: If you use a complex password or passphrase as your master password in LastPass, then there is no real threat to your data and passwords. According to LastPass, the hackers were able to get email addresses and password hints only. They store the encrypted data on a separate server, which is excellent business practice. In addition, unlike other security breaches:
- They quickly identified, contained and evaluated the breach
- Users were promptly notified
- They properly obscure stored password data (hashing) and use strong encryption
- The data vault (where your encrypted data is stored) is not on the same system as the authentication (your logon) data.
- Your computer’s browser adds additional hashing
- If hackers had your encrypted data, it would be nearly impossible to crack even one file with today’s technology. In addition, it would take decades to brute-force even one file due to a built-in timer that slows down each guess.
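To make the layering in the list above concrete, here is a small model, added here and not LastPass’s own code, of a master password being stretched in the browser, re-hashed on the server with a per-user salt, and a rough estimate of what the combined work factor costs an attacker who holds the stolen login record. The algorithm choice (PBKDF2-SHA256), the round counts and the guessing rate are assumptions for illustration only.

```python
import hashlib
import hmac
import os

# Assumed illustrative work factors; not LastPass's actual parameters.
CLIENT_ROUNDS = 5_000      # done in the browser before anything leaves the machine
SERVER_ROUNDS = 100_000    # applied again on the server to what the client sends


def client_derive(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Browser side: stretch the master password into the vault key, then
    derive a separate login token from it. Only the token is ever sent."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS)
    # One more round, keyed with the password, so the login token cannot be
    # turned back into the vault key by whoever steals the server's records.
    auth_token = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_token


def server_store(auth_token: bytes) -> dict:
    """Server side: never keep the token itself; stretch it again with a
    random per-user salt and store only the salt and the result."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", auth_token, salt, SERVER_ROUNDS)}


def server_verify(record: dict, auth_token: bytes) -> bool:
    """Recompute the stored value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_token, record["salt"], SERVER_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def years_to_brute_force(charset: int, length: int, iterations_per_second: float) -> float:
    """Rough cost for an attacker holding the stolen record: every guess must
    pay both work factors, and on average half the keyspace is searched."""
    guesses = charset ** length / 2
    per_guess = CLIENT_ROUNDS + SERVER_ROUNDS + 1
    return guesses * per_guess / iterations_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample credentials.
    vault_key, token = client_derive("correct horse battery staple", "user@example.com")
    record = server_store(token)
    print("login ok:", server_verify(record, token))
    print("8 lowercase letters:", years_to_brute_force(26, 8, 1e9), "years")
    print("12 mixed characters:", years_to_brute_force(72, 12, 1e9), "years")
```

The two estimates at the end show why a longer, mixed master password matters far more than any server-side setting: the work factor multiplies the attacker’s cost, but the password length sets the number of guesses.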
Second: If you use a simple master password like “password” or “kitty123”, then I would recommend you change your master password to something with capital letters, numbers and symbols, and keep it longer than 8 characters. The longer the password or passphrase, the better. You can change the password if you feel you need to.
Third: LastPass is still (in our opinion) one of the best and most secure password managers out there. NOT using an encrypted password manager such as LastPass is much more dangerous. Using the same password for multiple sites is asking for trouble in today’s world. The methods and procedures used by LastPass have been vetted and approved by some of the best crypto and security people in the business. If our own government used the crypto and methods adopted by companies like LastPass, then they would not have “lost” millions of records on our government employees, including their social security numbers, security clearance information, medical history, and a lot more.
Fourth: We all need to be aware that computers themselves are and will be compromised. HOWEVER, the data residing on them needs to be encrypted and protected using strong password hashes. LastPass understands this as their password hashing algorithms are the best and strongest in the business. I feel much more confident my data and passwords are protected using encryption services such as LastPass than I do about my data with ANY government database and most corporate databases. It is time we all started thinking about cyber security.
Until further notice, we will continue to use and recommend secure, encrypted password managers to our clients, and LastPass is no exception. It is the best we have to date; as soon as something better comes along, we will test it and let you know.