Pagoda Blog

Can You Trust Your Password Manager? Key Takeaways from the LastPass Data Breach

January 19, 2023

LastPass is one of the largest password managers on the market, serving more than 30 million users. On December 22, 2022, LastPass disclosed that their users’ password vaults had been accessed by an unknown threat actor. Fortunately, some of the data is encrypted, but that doesn’t mean it can’t be decrypted by a motivated threat actor.

If you are a LastPass user, there are immediate steps you should take to help secure your account, which we’ll cover below. If you’re not a user, you should still pay close attention to this breach and what it reveals about your own password management service and password practices.

How did LastPass get breached? 

The 2022 LastPass security breach started back in August. The “unknown threat actor” gained access to “source code and technical information” in this first security incident. This information was used to target a LastPass employee and gain access to the third-party cloud-based storage service used to back up users’ vaults.

Unfortunately, the incident back in August wasn’t fully contained. The threat actor was able to use their access to the backed-up files to copy basic account information, including customers’ company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. LastPass also discloses that “unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data” were accessed.

According to LastPass, the threat actor can only decrypt customers’ account credentials if they crack or gain access to their master password. They claim that users who have adhered to their default master password settings have little to worry about as “it would take millions of years to guess your master password using generally-available password-cracking technology.” 


Let’s take a closer look at these claims and how secure a LastPass account with a strong master password really is. 


What security experts are saying about the LastPass data breach

Security experts are criticizing this claim that it would take millions of years to crack your master password as both providing users with a false sense of security and laying the blame for any breached accounts on the shoulders of customers, rather than LastPass. 


Security researcher Wladimir Palant writes in his blog, “This prepares the ground for blaming the customers. LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn’t follow their best practices.”

Jeffrey Goldberg, CEO of LastPass competitor 1Password, writes that the “‘millions of years’ claim appears to rely on the assumption that the LastPass user’s 12-character password was generated through a completely random process … unless your password was created by a good password generator, it is crackable.”

He goes on to say that “the LastPass account password ‘best practices’ advice linked to in their announcement says nothing about using a password generator.” Therefore, he deduces, it’s safe to assume that many LastPass users created their master password without a password generator, effectively negating the “millions of years” claim.

Furthermore, a highly secure password manager should never rely on a master password alone to protect its users’ accounts. If LastPass encrypted more of its data and required a special key in addition to the master password, an unauthorized third party would not be able to decrypt your data even if they did gain access to the system.

What steps should LastPass users take to secure their accounts? 

If you are a LastPass user, below are the primary steps you should take to mitigate the risk of a cybercriminal decrypting your usernames and passwords. 


Step 1. Check that your master password follows the LastPass password best practices.


Step 2. If your password meets their requirements, you don’t need to change the passwords of the accounts stored within your LastPass vault.


Step 3. If your password does NOT meet the requirements, begin to go through all your stored account credentials and change the passwords in order of priority. Change your most sensitive accounts first, such as your bank accounts and email accounts, and then move down the list.


Step 4. All users should change their master password, regardless of strength. Make sure it is at least 12 characters; we suggest a passphrase that is memorable to you but would be extremely hard for anyone else to guess. Think in terms of a variation on a phrase (add numbers, and perhaps combine two phrases) that triggers a specific, personal memory, so that it’s easy for you to remember but hard for an unauthorized party to crack. Do not use this password for any other accounts. Store it offline on a piece of paper and keep a copy in two highly secure places, such as a safe deposit box at your bank and a locked file cabinet or safe deposit box in your home.

Step 5. Set up multi-factor authentication for your account, if you haven’t done so already.


Step 6. To further secure your account, we recommend following the LastPass guidelines for compromised accounts.


In addition to securing your existing LastPass account, security experts outside of LastPass are recommending that all users switch to a more secure password manager. The two primary reasons are:


1) LastPass’s failure to quickly detect and contain the initial security incident in August that led to the major December breach.

2) This is LastPass’s eighth security incident since 2011. 


For business owners working with an IT service provider, we recommend Passportal. We use Passportal for our clients because it is highly secure and gives our team the ability to help manage account credentials and ensure our clients always adhere to cybersecurity best practices.       


Password management practices all of us should start right now

The LastPass data breach is a good reminder of the importance of utilizing best password practices across your accounts. Here are a few key takeaways from this incident that LastPass users and non-users alike can benefit from: 


- Never reuse passwords 

- Use a password generator to create strong, unique passwords 

- Store your master password offline in a secure location like a safe deposit box

- Always use 2FA or MFA to secure accounts 

- Consider using passwordless authentication 

- Research your password manager and choose one that doesn’t rely on a master password alone to protect your account 


To follow up on that last point: a highly secure password manager should require not only a master password but also an additional “key” to access your account. Both Passportal and 1Password use this extra layer of protection to ensure that, should an unauthorized party breach their systems, any data they obtain would be unusable without the special key needed to decrypt it.
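To make the difference concrete, here is an added illustration (not LastPass’s, 1Password’s or Passportal’s actual code) of the two designs compared in this paragraph and in the earlier point about relying on a master password alone: a vault key derived from the master password only, versus one that also requires a secret key held on the user’s device. The PBKDF2 iteration count, the salt, the HMAC mixing step and the sample passwords are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed parameters for illustration only (not any vendor's real scheme).
PBKDF2_ITERATIONS = 100_000          # assumption: work factor for the password-derived key
ACCOUNT_SALT = b"constructed-salt"   # assumption: per-account salt stored next to the vault


def generate_secret_key() -> bytes:
    """128 random bits created on the user's device and never uploaded to the server."""
    return secrets.token_bytes(16)


def derive_vault_key(master_password: str, secret_key: Optional[bytes]) -> bytes:
    """Derive the 256-bit key that encrypts the vault.

    With secret_key=None the key depends on the master password alone, so whoever
    steals the vault backup only has to guess that password offline. With a secret
    key, the password-derived key is mixed with it via HMAC, so the stolen vault
    stays sealed even if the master password is weak or gets guessed.
    """
    pw_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), ACCOUNT_SALT, PBKDF2_ITERATIONS
    )
    if secret_key is None:
        return pw_key
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def key_verifier(vault_key: bytes) -> bytes:
    """Check value stored with the vault so a client can confirm a derived key."""
    return hmac.new(vault_key, b"vault-key-verifier", hashlib.sha256).digest()


def exposed_by_password_guess(master_password: str, secret_key: Optional[bytes],
                              guesses: Iterable[str]) -> bool:
    """Risk check: can someone holding only the stolen vault (salt + verifier, but
    never the device-held secret key) reproduce the key from password guesses alone?
    True means the design protects the vault no better than the password itself."""
    stored = key_verifier(derive_vault_key(master_password, secret_key))
    return any(
        hmac.compare_digest(key_verifier(derive_vault_key(g, None)), stored) for g in guesses
    )


if __name__ == "__main__":
    weak = "Summer2022!"                               # constructed human-chosen master password
    guesses = ["password", "Summer2022!", "letmein"]  # constructed guess list
    print("password only  :", exposed_by_password_guess(weak, None, guesses))                  # True
    print("with secret key:", exposed_by_password_guess(weak, generate_secret_key(), guesses))  # False
```

The second result stays False even though the guess list contains the exact master password, which is the property the paragraph above describes.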

If you have any questions about your current password manager or would like help transitioning from LastPass to another, more secure service, don’t hesitate to reach out for a consultation with one of our IT experts. 


Feature Photo by Desola Lanre-Ologun on Unsplash


About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a complimentary IT consultation.




