Author Topic: A Breach at LastPass Has Password Lessons for All of Us  (Read 116 times)

javajolt (Administrator)
A Breach at LastPass Has Password Lessons for All of Us
« on: January 06, 2023, 06:54:29 AM »
While many of us unplugged from the internet over the holidays to spend time with loved ones, LastPass, the maker of a popular security program for managing digital passwords, delivered a most unwanted gift. It recently published details about a security breach in which cybercriminals obtained copies of customers’ password vaults, potentially exposing millions of people’s online information.

From a hacker’s point of view, this is equivalent to hitting the jackpot.

When you use a password manager like LastPass or 1Password, it stores a list containing all the usernames and passwords for the sites and apps you use, including banking, healthcare, email and social networking accounts. It keeps that list, called a vault, on its own cloud servers so you can easily access your passwords from any device. LastPass said the hackers stole a copy of each customer’s vault, including the list of usernames and passwords, from the company’s servers.

This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But besides the obvious next step, which is to change all your passwords if you used LastPass, there are important lessons we can learn from this debacle, including that security products are not foolproof, especially when they store our sensitive data in the cloud.

First, it’s important to understand what happened: The company said the intruders gained access to its cloud storage and copied a backup of the vault data of millions of customers, using credentials and keys stolen from a LastPass employee.

LastPass, which published details about the breach in a blog post on December 22, attempted to reassure its users that their information was likely secure. It said that some parts of people’s vaults, such as the website addresses for sites they logged into, were unencrypted, but that sensitive data including usernames and passwords were encrypted. So the hackers may know which banking website someone uses, but they do not have the username and password needed to log in to that person’s account, as long as the encryption holds. The unencrypted website list is still useful to an attacker, because it shows exactly which accounts are worth phishing or targeting.

Most important, LastPass does not store the master password that users set to unlock their vaults; the key that encrypts the vault is derived from it. This means hackers holding a stolen vault would have to guess the master password offline, trying candidate after candidate against the encrypted data until one unlocks it. That is slow, expensive work as long as people used a long, unique master password, because every guess has to run through the key derivation, and nothing on the server can rate-limit or lock out the attacker. A short master password, or one reused from a site that has already been breached, can be recovered from a wordlist in hours or days.

LastPass CEO Karim Toubba declined to be interviewed, but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive vault data encrypted and secure. He also said that it was the users’ responsibility to “practice good password hygiene”.

Many security experts disagreed with Mr. Touba’s optimistic spin, saying that every LastPass user should change all of their passwords.

“It’s very serious,” said Sinan Eren, an executive at security firm Barracuda. “I think all those managed passwords have been compromised.”

Casey Ellis, chief technology officer at security firm Bugcrowd, said it was significant that the intruders had access to the lists of website addresses that people used.

“Let’s say I’m following you,” said Mr. Ellis. “I can see all the websites you have saved information for and use that to plan an attack. Every LastPass user has that data now in the hands of an adversary.”

We can all learn from this breach to stay safe online.

Prevention is better than cure.

The LastPass breach is a reminder that it’s easier to set up security measures for our most sensitive accounts before a breach occurs than it is to try to protect ourselves after. Here are some best practices that we all should follow for our passwords; any LastPass user who took these steps ahead of time would have been relatively safe during this recent breach.

   • Create a complex, unique password for each account. A strong password should be long and difficult for anyone to guess. For example, take these sentences: “My name is Inigo Montoya. You killed my father. Prepare to die.” and convert them to “Mn!!m.Ykmf.Ptd.” by keeping the first letter of each word, the punctuation, and replacing each word that starts with “I” with an exclamation point. One caveat: famous movie quotes and song lyrics are in the wordlists attackers use, so build the sentence from something only you would know rather than a line everyone recognizes.

For those using a password manager, this rule of thumb is paramount for the master password that unlocks your vault. Never reuse this password for any other app or site.
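To make the point about the master password concrete (this covers both the offline guessing described above and the advice on choosing a strong, unique master password), here is an added example that is not LastPass code and does not reproduce its exact vault format. It models the attacker's position: they hold the vault's plaintext URL list and an encrypted payload, they know the key-derivation settings, and they have unlimited offline guesses. The PBKDF2 iteration count, the use of the account e-mail as salt, the HMAC "verifier" standing in for the encrypted credentials, and the wordlist are all constructed assumptions for this illustration.

```python
"""Offline guessing against a stolen, encrypted vault (added example).

Models why a stolen vault is only as safe as its master password and the
cost of its key derivation. This is NOT LastPass's code or exact scheme;
the salt, verifier and wordlist below are constructed for illustration.
"""
import hashlib
import hmac
import time

# Assumed PBKDF2 iteration count. This is the knob that sets the cost of
# every guess, for the legitimate user and for the attacker alike.
ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str,
                     iterations: int = ITERATIONS) -> bytes:
    """Derive the 256-bit vault key from the master password with PBKDF2-HMAC-SHA256.

    Using the lower-cased account e-mail as the salt is an assumption made
    for this example; it is public to the attacker either way.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def make_stolen_vault(master_password: str, email: str,
                      iterations: int = ITERATIONS) -> dict:
    """Build what the attacker ends up holding (constructed sample data).

    The URL list is plaintext, as LastPass's notice said. The keyed
    verifier stands in for the AES-encrypted credentials: with the right
    key it "decrypts" (matches); with any other key it does not.
    """
    key = derive_vault_key(master_password, email, iterations)
    return {
        "email": email,                 # salt: known to the attacker
        "iterations": iterations,       # KDF settings: stored with the account
        "urls": ["https://bank.example", "https://mail.example"],
        "verifier": hmac.new(key, b"vault-check", "sha256").hexdigest(),
    }


def crack_offline(vault: dict, candidates) -> tuple:
    """Try each candidate master password against the stolen vault.

    Returns (recovered_password_or_None, number_of_guesses_made). Nothing
    can rate-limit this loop: it runs entirely on the attacker's hardware.
    """
    for n, guess in enumerate(candidates, 1):
        key = derive_vault_key(guess, vault["email"], vault["iterations"])
        probe = hmac.new(key, b"vault-check", "sha256").hexdigest()
        if hmac.compare_digest(probe, vault["verifier"]):
            return guess, n
    return None, len(candidates)


# Constructed wordlist. Real attacker lists hold billions of entries from
# earlier breaches, and well-known quotes appear in them too.
WORDLIST = ["password", "123456", "Winter2022!", "lastpass1", "Mn!!m.Ykmf.Ptd."]


def seconds_per_guess(vault: dict) -> float:
    """Measure the cost of one guess on this machine at the vault's KDF settings."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", vault["email"], vault["iterations"])
    return time.perf_counter() - start


if __name__ == "__main__":
    weak = make_stolen_vault("Winter2022!", "alice@example.com")
    strong = make_stolen_vault("gravel-otter-lantern-quartz-94", "alice@example.com")
    print("attacker sees these sites without any cracking:", weak["urls"])
    print("weak master password:", crack_offline(weak, WORDLIST))
    print("strong master password:", crack_offline(strong, WORDLIST))
    print("cost per guess at %d iterations: %.3f s" % (ITERATIONS, seconds_per_guess(weak)))
```

Two things to take from running it: the URL list needs no cracking at all, and the only defences the vault owner controls are the length and uniqueness of the master password and the iteration count, since the attacker's guess rate is limited only by their own hardware.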

   • For your most sensitive accounts, add an extra layer of security with two-factor authentication. This setting involves generating a temporary code that must be entered in addition to your username and password before you can log in to your account.

Most banking sites let you set up your cellphone number or email address to receive a message containing a temporary code to log in. Some apps, like Twitter and Instagram, let you use so-called authenticator apps like Google Authenticator and Authy to generate temporary codes. Where a site offers the choice, prefer an authenticator app: codes sent by SMS or email can be intercepted by someone who takes over your phone number or your mailbox, while an authenticator app computes the code on your device from a secret that never leaves it.

But remember, it’s not your fault.

Let’s make one big thing clear: Whenever a company’s servers are breached and customer data is stolen, it’s the company’s fault for failing to protect you.

LastPass’ public response to the incident places responsibility on the user, but we are not required to accept it. While it is true that practicing “good password hygiene” helps keep an account more secure in the event of a breach, it does not absolve the company of responsibility.

There are risks to the cloud.

Although the LastPass breach is alarming, password managers in general are still a useful tool, because they make it far more convenient to create and store complex, unique passwords for our many internet accounts.

Internet security often involves weighing convenience against risk. Bugcrowd’s Mr. Ellis said that the challenge with password security was that when best practices were too complex, people would default to whatever was easier, for example using easily guessable passwords and repeating them across sites.

So don’t write off password managers. But remember that the LastPass breach shows you always take on risk when you entrust a company with storing your sensitive data in its cloud, however convenient it is to reach your password vault from any device you own.

Barracuda’s Mr. Eren recommends not using password managers that keep their databases in the vendor’s cloud, and instead using one like KeePass that stores your password vault on your own devices.

Create an exit strategy.

This brings us to my final piece of advice, which can be applied to any online service: Always have a plan to extract your data, in this case your password vault, in the event that something happens that makes you want to leave.

For LastPass, the company lists steps on its website for exporting a copy of your vault as a spreadsheet (CSV) file. You can then import that list of passwords into a different password manager. Or you can keep the spreadsheet file for yourself, stored in a safe and convenient location. Bear in mind that the exported file is unencrypted: every password in it is readable by anyone who gets the file, so store it only somewhere encrypted and delete it, including from downloads folders and trash, once you have imported it elsewhere.
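Once you have the export, it is worth using it to triage the "change all your passwords" advice rather than working through hundreds of entries blindly. The script below is an added example, not a LastPass tool: it reads the CSV, lists the hostnames (the part of the vault an attacker could read without cracking anything), and finds passwords shared across entries, which are the ones to change first. It assumes the column names url, username, password, totp, extra, name, grouping, fav and the placeholder URL http://sn for secure notes, which is how LastPass exports looked at the time of writing; check the header row of your own file. The sample export is constructed.

```python
"""Triage a password-manager CSV export (added example, not LastPass tooling).

Assumes LastPass-style columns: url,username,password,totp,extra,name,grouping,fav
and the placeholder URL http://sn for secure notes. Verify against your own file.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

SECURE_NOTE_URL = "http://sn"   # assumed placeholder LastPass uses for notes

# Constructed sample export; no real accounts or credentials.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example/login,alice,Winter2022!,,,Bank,Finance,1
https://mail.example,alice@example.com,Winter2022!,,,Mail,,0
https://shop.example/account,alice,Sunshine99,,,Shop,Shopping,0
https://forum.example,alice99,Sunshine99,,,Forum,,0
https://cloud.example,alice,gravel-otter-lantern-94,,,Cloud drive,,0
http://sn,,,,Router admin password: notinthevault,Router notes,Notes,0
"""


def load_export(text: str) -> list:
    """Parse the CSV into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def sites_visible_to_attacker(rows: list) -> list:
    """Hostnames in the export: the metadata that was stored unencrypted."""
    hosts = set()
    for row in rows:
        if row["url"] == SECURE_NOTE_URL or not row["url"]:
            continue
        host = urlsplit(row["url"]).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


def password_reuse(rows: list) -> dict:
    """Map each password used by more than one entry to the entry names sharing it."""
    groups = defaultdict(list)
    for row in rows:
        if row["password"]:
            groups[row["password"]].append(row["name"] or row["url"])
    return {pw: names for pw, names in groups.items() if len(names) > 1}


def rotation_order(rows: list) -> list:
    """Entries to change first: reused passwords, favourites (fav=1), then the rest."""
    reused = password_reuse(rows)

    def priority(row):
        return (0 if row["password"] in reused else 1,
                0 if row["fav"] == "1" else 1,
                row["name"])

    return [row["name"] for row in sorted(rows, key=priority) if row["password"]]


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print("hosts an attacker can read without cracking:", sites_visible_to_attacker(rows))
    for pw, names in password_reuse(rows).items():
        print("reused across %d entries: %s" % (len(names), ", ".join(names)))
    print("change in this order:", rotation_order(rows))
```

Run it against the real export only on a machine you trust, and never print the `password` column to a terminal that keeps history; the script above deliberately prints names and counts rather than the passwords themselves.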

I use a hybrid approach. I use a password manager that doesn’t store my data in its cloud. Instead, I keep my copy of the vault on my computer and in a cloud drive that I control myself. You can do this using a cloud service like iCloud or Dropbox. Those methods aren’t foolproof either, but the chances of hackers targeting a company’s database are low.