In general, it is a good practice to use a password manager to generate strong, unique passwords and to keep track of all of them. For many of OptfinITy’s clients, that password manager has been LastPass, something we ourselves have been using since 2013.
Over the past 6 months, however, LastPass has reported security incidents that occurred in August and again in November. On December 22nd, LastPass clarified that the incident it reported in November was much more concerning than first described: the attacker’s data breach actually exposed encrypted password vaults, the crown jewels of any password manager, along with other user data.
The details, or more specifically the lack of details, that LastPass provided about the situation a week ago were worrying enough that security professionals quickly started calling for users to switch to other services. While some people have been making those suggestions, OptfinITy does not want to make a knee-jerk reaction and is currently doing its own research into the situation. This is what we know so far:
- Sometime over the last 3-4 months, the encrypted vaults of all or some of the users were stolen.
- These vaults, which contain all of the usernames and passwords, are encrypted with a master password that only the end user knows.
- The encryption that is used is extremely difficult to break without massive computing capabilities, something that very few people in the world have access to.
- Although encryption is great for making it hard to decode what a password is, it does not stop hackers from using other tools to guess the master password that protects a stolen vault. For example, if your master password is a common dictionary word followed by a number, it will be much easier to crack, and the usernames and passwords in the vault will become available to the hackers. For those with complex master passwords (e.g. C@nUGu3$$Th~sPw), your data will be much harder to access.
So what should you do?
We are still investigating the issue and do not feel that it makes sense to switch to another provider today. The reason for this is that there is no 100% secure software or cloud-based solution, and it is imperative that the solution you switch to is in fact a better option than the current one; or, as the adage goes, the “devil you know is better than the devil you don’t”.
That being said, we are recommending that all LastPass users do the following immediately:
- ALL LastPass users must change the MASTER password they use to log in to LastPass. The new password should be complex in nature, containing a mixture of letters, numbers and symbols, and should not spell a dictionary word.
- All users should enable multi-factor authentication on their vaults.
- Whether or not you use LastPass, we recommend that all users create an account on Have I Been Pwned (https://haveibeenpwned.com/) to ensure they learn of any breaches affecting them as soon as possible.
- While the vaults were encrypted, the metadata about the users of the vaults was not. As a result, hackers will have access to potential contact info, which means customers should be on extra alert for phishing emails and phone calls purportedly from LastPass or other services seeking sensitive data, and for other scams that exploit their compromised personal data. Nobody will ever need your master password for any reason.
- If you were an end user who used a simple master password, we recommend that you go through and change all of the passwords within your vault.
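To make the two points above concrete (why a weak master password exposes a stolen vault, and what "complex, not a dictionary word" means in practice), here is an added illustration that is not part of OptfinITy's post or of any LastPass code. The word list, the PBKDF2 iteration count, the candidate-space sizes and the guess rate are all assumptions chosen for the example.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-in for the dictionary an offline cracker would try first (assumption).
COMMON_WORDS = {"password", "welcome", "dragon", "summer", "monkey", "letmein", "sunshine"}


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 100_100) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.
    A manager stores the ciphertext and salt, never this key, so whoever holds a
    stolen vault must re-derive it from the right master password, one guess at a
    time. The iteration count here is an assumed value, not taken from the post."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def weak_master_password_reason(pw: str) -> Optional[str]:
    """Return why a candidate master password fails the advice above, or None if it passes."""
    if len(pw) < 12:
        return "shorter than 12 characters"
    m = re.fullmatch(r"([A-Za-z]+)\d{0,4}[!@#$%^&*]?", pw)  # word + trailing digits (+ one symbol)
    if m and m.group(1).lower() in COMMON_WORDS:
        return "dictionary word followed by digits"
    if not all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")):
        return "needs lower-case, upper-case, digits and symbols"
    return None


def guesses_in_space(kind: str, wordlist_size: int = 100_000) -> int:
    """Worst-case number of guesses for two master-password styles (assumed sizes)."""
    if kind == "word+digits":  # e.g. Sunshine2023: word, 0-4 trailing digits, 2 capitalisations
        return wordlist_size * sum(10 ** n for n in range(5)) * 2
    if kind == "random15":  # e.g. C@nUGu3$$Th~sPw: 15 characters drawn from 94 printable ASCII
        return 94 ** 15
    raise ValueError(kind)


def years_to_exhaust(kind: str, guesses_per_second: float = 1e6) -> float:
    """Time to try every guess at an assumed rate; PBKDF2 iterations are what keep that rate low."""
    return guesses_in_space(kind) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = b"constructed-salt"  # in a real vault the salt is random and stored beside the ciphertext
    for pw in ("Sunshine2023!", "C@nUGu3$$Th~sPw"):
        print(pw, "->", weak_master_password_reason(pw) or "passes", derive_vault_key(pw, salt).hex()[:16])
    for kind in ("word+digits", "random15"):
        print(f"{kind}: {guesses_in_space(kind):.3e} guesses, {years_to_exhaust(kind):.3e} years to exhaust")
```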
At this moment, OptfinITy is evaluating the situation while also testing out two potential replacement products for password management and will be in touch with our clients about their concerns and any potential changes. Should you have any questions in the meantime, please don’t hesitate to reach out to us at email@example.com.