A good password is a critical part of protecting your data. So, when LastPass, a popular password manager solution, announced that its third-party cloud-based storage service had been breached, allowing an unknown attacker to gain access to backups containing customer data including password vaults, a lot of people got nervous.
The bad news is that those customer password vaults are in the hands of that attacker. The good news is that they remain secure thanks to LastPass’ zero-knowledge encryption model. Because LastPass does not store customer master passwords, which are required to decrypt sensitive fields in the password vaults, the attacker should not be able to access them. That said, other non-encrypted data was compromised in this breach, including:
- Email addresses associated with LastPass accounts
- Non-encrypted fields stored in password vaults including website URLs
- User metadata including names, IP addresses, billing addresses, and telephone numbers
What is the threat to LastPass users?
LastPass’ encryption model is specifically designed so the company does not hold the keys necessary to decrypt data without a master password. If users selected master passwords that were sufficiently long – 16 characters or more – and did not reuse that password for other websites or solutions, it would require massive resources and time to brute-force the vaults. The time involved makes this a very unlikely scenario, especially as the effort would have to be repeated for every LastPass user, since keys are not shared between accounts.
The company added that the same holds true for businesses using LastPass with a federated login. Customers who used single sign-on between LastPass and Azure Active Directory can be similarly reassured that their password vaults remain secure. The single sign-on system generates strong master passwords on each user’s behalf, storing those credentials outside of LastPass’ control.
That said, given that other non-encrypted data like personal information and website URLs were compromised, it is possible that this information could be used in social engineering attacks in the future. That data also gives attackers insights into what services a particular person may use.
What are the takeaways from this incident?
Given this attack, some may be wondering if they should move to a different password manager provider or even forgo password managers altogether. Based on the information currently available, there is no indication that LastPass was negligent in these attacks. It’s very possible that a similar attack would have succeeded against any of the other major password management services. Changing providers comes at a cost and is no guarantee that you’ll be protected against future incidents.
As for giving up on password managers, the benefits typically outweigh the risks of using such a service. These solutions give users a secure location to store sensitive data and relieve them of the burden of remembering an increasing number of complex passwords. Experience shows that when password managers are not available, users are more likely to reuse passwords across different services and to store those passwords in insecure locations. Both practices should be avoided at all costs.
If you are a LastPass account holder – or are using any other password management service – consider the following actions:
- Create a master password of at least 16 characters and avoid the use of words or phrases that can be easily guessed. If you used a weak master password in the past or reused that same password with any other service or solution, it’s time to update it – as well as change any passwords that were stored in your vault.
- Even if you used a strong master password or single sign-on, consider updating passwords for critical services stored in your vault as an extra precaution.
- Enable multi-factor authentication on every service you use.
- Be on the lookout for social engineering and phishing attacks related to LastPass or any of the services stored in your password vault. Be especially cautious if you receive any password reset requests.
LastPass Versus LastPass Enterprise
Whether you are using LastPass (personal) or LastPass Enterprise, the associated risks and recommendations remain the same. In addition, we think you should consider implementing LastPass Enterprise, because this version can be configured to use strong, hidden, 64-digit employee vault passwords, which make a vault exponentially more difficult to crack than the 12-digit password typically used to protect a personal vault.
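To put numbers on the brute-force argument made earlier (long master passwords and per-account keys) and on the 64-digit versus 12-digit comparison above, here is an added Python script that is not part of the original post and not LastPass’ own code: it derives a vault key with PBKDF2-HMAC-SHA256, times that derivation to get a realistic single-core guess rate, and estimates how long exhausting 12-, 16- and 64-character passwords would take. The iteration count, salt and alphabet sizes are assumptions chosen to make the calculation concrete, not LastPass’ actual parameters.

```python
import hashlib
import math
import os
import time

# Assumed PBKDF2 parameters. These are NOT LastPass's real settings;
# they are placeholders so the estimate below is concrete.
ASSUMED_ITERATIONS = 100_000
SALT = os.urandom(16)  # constructed per-user salt

# Alphabet sizes for common master-password policies (assumed values).
ALPHABET_SIZES = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable": 95}


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Derive a 256-bit vault key from the master password (PBKDF2-HMAC-SHA256).
    Only this key, never the master password, can decrypt the vault's sensitive fields."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def measure_guesses_per_second(samples: int = 20) -> float:
    """Time the key derivation on this machine: each guess costs one full PBKDF2 run."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", SALT)
    return samples / (time.perf_counter() - start)


def expected_years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Years to try every password of this length; on average half of this is needed."""
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = measure_guesses_per_second()
    print(f"Single-core rate on this machine: {rate:,.0f} guesses/s")
    for length in (12, 16, 64):
        years = expected_years_to_exhaust(length, ALPHABET_SIZES["printable"], rate)
        print(f"{length:>2} printable chars: {entropy_bits(length, 95):6.1f} bits, "
              f"~{years:.3g} years to exhaust")
```

Because the salt is per user, the whole search must be repeated for every account, which is the reason the post says the effort cannot be shared between vaults.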
If you would like more recommendations on how to protect your business from phishing and other cyberattacks, contact us, we’re here to help.