LastPass has password lessons for everyone

LastPass, the maker of digital password manager security software, was sending a surprising gift to those who were planning on going offline over the holidays. Published Details about a recent security breachCybercriminals can obtain copies of password vaults of customers, potentially exposing information of millions of people online.

This is, from the hacker’s perspective, equivalent to winning the lottery.

LastPass and 1Password are password managers that store your usernames, passwords, and login information for all the websites and apps you use. This includes banking, healthcare, and social accounts. It stores this list, called vault), in its internet cloud. You can access it from any device. LastPass claimed that hackers stole copies from the company’s servers of a list containing usernames and passwords of every customer.

This was the worst thing that could have happened to a security product that is supposed to protect your passwords. But beyond the obvious next step — to change all of your passwords if you use LastPass — there are important lessons we can learn from this debacle, including that security products aren’t foolproof, especially when they store our sensitive data in the cloud.

First, it is important to understand what actually happened. According to the company, hackers gained access to its cloud data and obtained a copy from the data lockers of tens million customers using credentials and keys stolen by a LastPass employee.

LastPass published details about the hack in a blog posting on Dec. 22. It tried to reassure users that their information was safe. It said some parts of people’s safes — such as the website addresses of sites they logged into — were unencrypted, but sensitive data, including usernames and passwords, was encrypted. This would mean hackers could see which banking website someone used, but not have their username and password to log into that person’s account.

Users were also able to use LastPass vaults without having to crack the master passwords they created. Hackers will need to crack the master passwords that users generated to unlock their vaults. This is difficult as long as they use a unique master password.

Karim Tuba, CEO of LastPass, declined to be interviewed. However, he wrote in an email statement that the incident showed the strength and security of the company’s system architecture. He stated that vault data is encrypted and protected. He stated that users had to practice good password hygiene.

Many security experts disagreeHe was optimistic and suggested that every LastPass user should change their passwords.

Sinan Eren, Barracuda Security’s executive, stated that “it’s very dangerous.” “I will consider all these managed passwords compromised.”

It is important that hackers have access to lists of website addresses that people use, according to Casey Ellis (chief technology officer at security firm Bugcrowd).

“Let’s just pretend I’m going after you,” said Mr. Ellis. “I can look at all the websites I’ve saved information on and use that to plan an attack. Every user on LastPass now has that data in the hands of the adversary.”

These are the lessons that we can all learn from this hack for staying safer online.

Prevention is better that cure.

LastPass’s breach serves as a reminder that it’s much easier to establish safeguards for our most important accounts before a breach occurs than to try to protect yourself afterward. These are the best password practices we should all follow. LastPass users who have followed these steps in the past will be relatively safe during this latest breach.

• For each account, create a unique password that is complex and unique. A strong password should have a long length and be difficult to guess. Consider these sentences: “My Name is Inigo Montoya. You killed my father. Prepare to die.” You must prepare to die.” m.Ykmf.Ptd.”

  This rule of thumb is important for those who use a password manager. It will allow you to set the master password that will open your vault. This password should not be reused for any other website or app.

• Add an extension for sensitive accounts An extra layer of security with two-factor authentication. This setup involves creating temporary codes that you must enter in addition to your username or password before you can log in to your accounts.

  Many banking sites allow you set up your mobile number or email address to receive a message containing a temporary login code. You can use temporary codes with some apps, such as Instagram and Twitter, such as authenticator apps like Google Authenticator or Authy.

But don’t forget, it’s not your fault.

Let’s be clear about one thing: If a company’s servers get hacked and customer information is stolen, it’s their fault for not protecting you.

LastPass’s public response to the incident puts responsibility on the user. However, we don’t have the obligation to accept that. While it is true, a good password-keeping practice would have helped to keep the account safer in the event of a hacker attack, it does not absolve the company from responsibility.

Clouds can pose risks.

LastPass breaches can be frightening, but password managers are generally a useful tool as they make it much easier to create and save complex passwords for our online accounts.

Internet security is often about balancing convenience and risk. The challenge with password security, said Mr. Ellis of Bugcrowd, is that whenever best practices are too complex, people default to whatever is easier — for example, with easy-to-guess passwords that are replicated across sites.

Password managers are not to be dismissed. LastPass’s breach has shown that you always take a chance when you trust a company to store your sensitive data in their cloud.

Barracuda’s Erin recommends that you avoid password managers that store your passwords on their cloud. Instead, choose one that stores your passwords on your own devices such as KeePass.

Have an exit strategy.

That brings us to my final piece of advice, which can be applied to any online service: Always have a plan in place to pull your data — in this case, your password vault — in case something happens that makes you want to leave.

LastPass lists the steps on its website. Export a copy of your vault to a spreadsheet. You can then import the list of passwords into another password manager. You can also keep the spreadsheet file private and store it somewhere safe.

I use a combination approach. I use a password management program that doesn’t store my data in the cloud. Instead, I keep my own copy on my computer and in a private cloud drive. This can be done with a cloud service like iCloud and Dropbox. These methods are not foolproof but are less likely to be used by hackers than the company database.