LastPass Cyber Security Breach
The LastPass cyber security breach demonstrated that even good cyber products can become compromised. In my previous blog post “10 Security Related Tools to Have on your Computer”, I recommended a product called LastPass for managing your passwords. LastPass is one of the most popular apps for password management. With this app, you only need to remember one password, which locks all the passwords for your various sites. LastPass fills in the proper login information for those sites and services. But obviously, hackers know that if they can compromise this app, they could gain access to your entire kingdom. No app is 100 percent foolproof though, and the company recently disclosed that its LastPass product was breached. The breach consisted of password reminder hints, user emails and other information being stolen.
I am sure readers who decided to use LastPass based on our recommendation were probably ready to, as Christina would say, karate chop us when they heard that LastPass was breached by hackers. Eeeek!!! But let me assure you, the passwords to your accounts should still be protected.
Now, although reminders and emails could be used by hackers to try to compromise your password accounts, the hackers still do not have access to the master password to your account. It is similar to a bank robber getting into the bank, but not into the vault. LastPass stated that the hackers did not access their password vaults, which is where the passwords you use on other sites are stored. Therefore, there is no need to change the passwords you have stored for your various accounts.
Unlike the serious lack of encryption used by the Office of Personnel Management (OPM) in guarding federal employees’ social security numbers, LastPass secures your password with a high level of encryption which was not exposed in the breach. Thus, the master passwords stored in the system were not compromised. LastPass adds a unique element, or salt (a random string of data used to modify a password hash), to each user password, which enables database administrators to complicate things for attackers, who must then rely on automated tools to crack user passwords. For a better understanding of how LastPass encrypts your master password, read Brian Krebs’s article on the LastPass breach.
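To make the salting idea above concrete, here is an added example (not from the original post and not LastPass's code) comparing an unsalted hash with a per-user salted one. It assumes PBKDF2-HMAC-SHA256 with an iteration count chosen for this sketch; the function names and sample passwords are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for this sketch, not LastPass's setting

def unsalted_digest(password: str) -> bytes:
    """Weak baseline: the same password always produces the same digest."""
    return hashlib.sha256(password.encode()).digest()

def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is drawn for each new user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, expected = record
    _, candidate = make_record(password, salt)
    return hmac.compare_digest(candidate, expected)

def demo() -> dict:
    # Constructed sample data: two users who happened to pick the same password.
    shared = "correct horse battery staple"
    alice = make_record(shared)
    bob = make_record(shared)
    return {
        # Unsalted: both users share one digest, so a single precomputed
        # lookup would expose both accounts at once.
        "unsalted_identical": unsalted_digest(shared) == unsalted_digest(shared),
        # Salted: the stored hashes differ, so each user's hash has to be
        # attacked separately and precomputed tables do not apply.
        "salted_identical": alice[1] == bob[1],
        "alice_verifies": verify(shared, alice),
        "wrong_password_verifies": verify("Fluffy2015", alice),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting does not make a weak password strong; it only forces the guessing work to be repeated per user, which is why an easily guessed master password is still a risk.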
Another security feature of LastPass is that they do not enable a password reset in case you forget your master password, thus there is no way for the hackers to access all of your stored passwords. But this makes it critical, if you do use LastPass, to back up or store your master password in a secure location (e.g., a lockbox or safe) in case you forget or lose it.
Now for the case of reminders: if you did use something insanely easy to guess, like the name of your pet or the hometown you grew up in, then yes, this breach could possibly have a devastating effect, allowing the hackers to easily guess your master password and gain access to all of your accounts.
LastPass is still prompting all users to change their passwords as an extra precaution, especially those who they determined had very weak master passwords. LastPass is also adding a new extra layer of protection and providing users the ability to enable multi-factor authentication for the password manager. This is an extra way to verify your identity when accessing your various accounts. It means that, in addition to your username and password, you would have to enter a code sent to your mobile device to gain access to your account. I am planning to post a blog soon on the explanation and benefits of multi-factor authentication.
Note that since your email was compromised in the breach, please be careful of phishing emails impersonating LastPass which might try to get you to enter your master password or click on embedded links in the email. As mentioned in previous posts, don’t click on email links from these phishing emails, and always type the URL into the web browser if you need to log into your LastPass account. I still recommend LastPass for managing your passwords if you can’t come up with complicated and different passwords for the various sites that you visit online. It remains a good product.