LastPass, a popular password storage platform, revealed last month that it had been hacked by a threat actor who gained access to a significant amount of personal customer information. The password manager has come under fire for the way it stored certain sensitive information and for downplaying the severity of the attack.
LastPass users are now left to deal with the fallout from the hack, plus the bigger question: Is any password manager safe? Let’s dig deeper and find out.
What Exactly Happened with LastPass?
LastPass enjoyed one of the best reputations as a password manager, both the free and paid versions — until now. In December, the company blog revealed that a threat actor managed to steal encryption keys from a LastPass employee. They were able to do so by using information that was compromised in a prior security breach in August.
By stealing encryption keys, the threat actor gained access to an incredible array of information, including company and end-user names, email and billing addresses, telephone numbers, encrypted usernames and passwords, and unencrypted URLs.
LastPass CEO Karim Toubba tried to calm the waters by writing on the company blog, “It would take millions of years to guess your master password using generally-available password-cracking technology.” However, the “million-years” quote has been debunked by several competitors, namely 1Password’s Principal Security Architect Jeffrey Goldberg, who published a follow-up blog post to refute the claim.
LastPass’ Weak Security Claims
According to Goldberg, the “million years” prerequisite assumes that users used the site’s algorithm to generate their passwords, which is often not the case. It also assumes that users did not use their master password for any other accounts.
Additionally, it might take a human a million years to crack an algorithm-generated password, but hackers use computers that are able to try billions of possibilities tirelessly.
Of course, 1Password is a LastPass competitor and Goldberg does not pass up the opportunity to explain how, with 1Password, user data would be totally safe. But he is not LastPass’ only critic.
Calls for abandoning LastPass have ranged from CNET to Wired to The Verge. The latter points out the danger LastPass left unchecked by leaving its URLs unencrypted. By allowing bad actors to see what URLs people visit, they can create targeted phishing emails with customized scams.
Should All Password Managers Be Avoided?
Password managers are incredibly useful and convenient tools to make our lives easier and it’s hard to imagine life without them. But it is important to remember that every digital convenience comes with risk.
According to Infosecurity Magazine, you do not need to write off password managers entirely, but you should recognize that some are better than others. While LastPass actually had a good name in the industry, the recent breaches have shown it is important to perform due diligence rather than simply going with a name you recognize.
Of course, passwordless authentication may be the ultimate solution to the issue of password managers and breaches. Passwordless technology stands to replace traditional passwords with either one-time passwords or biometrics. Google recently unveiled its new passkeys for Chrome, while Apple and Microsoft have already released similar products. Like all new technology, however, it will take time for something vastly new to become accepted.
How Should We Protect Our Passwords?
Until passwordless authentication takes off, most do not want to give up the convenience of a password manager. Therefore, it is important to choose a brand carefully and be equally careful how we use our passwords.
If you were caught in the LastPass mess, here are five tips to help. The latter three are good regardless of the password manager you use.
- Consider switching to a different password manager.
- If you do not want to change managers, change your passwords, starting from the most important ones all the way down to the seemingly insignificant ones. (Deleting the master password is not enough, as the bad actor already downloaded all the data.)
- Enable 2FA whenever possible.
- Use passwords generated by the site whenever possible, as these are the most difficult to crack.
- Check your bank and other accounts regularly for irregular activity.
Getting hacked is never pleasant, but it is worse if you find out two months after the fact instead of two hours. With all internet safety, being armed with information is the best defense you can implement against malicious actors.