Understanding the LastPass Breach
Let us be clear about this: most people do not really understand what is going on with this breach. That will not stop the threat actors from using your data if they get the chance. They will go after the websites you visit, or impersonate you in some way, to get the access they are after. Either way, it is not as if we can sit back and do nothing.
“It is possible to crack those passwords,” Melissa Bischoping, director of endpoint security research at Tanium, said via email. “Instead of running the math to determine how complex your password would be to crack with modern equipment, it’s best to go ahead and do some credential hygiene.” — CyberSecurity Dive
Credential hygiene needs to be part of our daily routine because it helps stop the theft of our accounts and our personal information. It also matters here because not everything in your vault was encrypted: the metadata associated with it, such as the URLs of the sites you saved, was stored in plaintext and can be used against you. So even if the attackers never brute-force your vault, they know which sites you use and can phish you, or use other means, to get the access they want and gather even more information to use against you.
The Lingering Effects of Password Managers
Password managers are a necessity today because breaches are so common. Even if LastPass had not been breached, some other site or sites would have been, and you would still have to change your passwords or add multi-factor authentication to prevent unauthorized access. It goes without saying that we will see other breaches, and not just at LastPass. Sooner or later another password manager will be a target and we will see this again, but that should not deter you from using one: it is the one tool we will always need to create better passwords than we could on our own. Many in the security field are advising users to move to another password manager. I too have not liked the taste of what LastPass has done, the way they made it sound less important than it truly is, but that might just be because their lawyers got involved. Either way, I will suggest three things to better protect you even if you keep LastPass.
- Check your iterations and make sure they are high. I think the minimum we should have is over 500,000 iterations, so that brute-forcing the vault is not as easy next time. If yours are low, now is a good time to bump them up. Be aware that raising the count re-encrypts your vault with a new key but does nothing for the copy that has already been stolen; it only helps in case there is another breach.
- Change the passwords on all your important sites. Don't wait to get hacked: go through and see which sites you are actually using right now, change each password, and, where you can, add a second authentication factor to protect you in case there is another breach down the road.
- Create a new master password that is nowhere close to the one you have now. A good approach is to build your own acronym or passphrase with a minimum of 12 characters. Don't use a common acronym; create one that only you can remember and use that. It may take some time, and it may be something you have to say to yourself every time you type it on your computer; just don't let anyone else hear it.
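To put some numbers behind the first and third suggestions, here is an added example (my own illustration, not LastPass's code and not from the original post) that models what an attacker does with a stolen vault. It assumes the commonly described scheme of deriving the vault key with PBKDF2-HMAC-SHA256 using the lowercased e-mail as salt, plus a hypothetical one-round verifier that lets a guess be checked offline; the e-mail, master password, and wordlist are constructed sample data. It shows that the cost of each guess scales linearly with the iteration count, that a vault copy stolen at the old count stays at that count no matter what you set today, and that the size of the master password's search space multiplies that per-guess cost.

```python
"""Added example: offline guessing cost against a stolen PBKDF2-protected vault.

Hypothetical model, not LastPass code: key = PBKDF2-HMAC-SHA256(master, salt=email),
verifier = one more PBKDF2 round over the key (the check an attacker needs to
confirm a guess offline). E-mail, password and wordlist below are constructed.
"""
import hashlib
import hmac
import math
import time

KEY_LEN = 32  # bytes of derived key


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into the vault key.

    Salt is the lowercased e-mail (assumption modelled on the publicly
    described LastPass scheme). Cost is linear in `iterations`.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def verifier(master_password: str, email: str, iterations: int) -> bytes:
    """Hypothetical check value stored next to the vault blob: one extra
    PBKDF2 round over the derived key. Whoever holds the blob can test a
    guess against this without talking to any server."""
    key = derive_vault_key(master_password, email, iterations)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def offline_guess(target: bytes, email: str, iterations: int, wordlist):
    """Attacker loop: every candidate costs `iterations` HMAC-SHA256 calls.
    Returns (matched_password_or_None, guesses_tried)."""
    tried = 0
    for candidate in wordlist:
        tried += 1
        if hmac.compare_digest(verifier(candidate, email, iterations), target):
            return candidate, tried
    return None, tried


def seconds_per_guess(email: str, iterations: int, samples: int = 3) -> float:
    """Measure the cost of one guess at this iteration count on this machine
    (minimum of `samples` runs to reduce timer noise)."""
    best = math.inf
    for _ in range(samples):
        t0 = time.perf_counter()
        verifier("timing-probe", email, iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def hours_to_exhaust(alphabet_size: int, length: int, secs_per_guess: float, parallel: int = 1) -> float:
    """Upper bound on exhausting every `length`-character string over an
    alphabet of `alphabet_size` symbols, spread across `parallel` guessers
    each running at the measured single-core rate."""
    return (alphabet_size ** length) * secs_per_guess / parallel / 3600


if __name__ == "__main__":
    email = "user@example.com"               # constructed
    master = "correct horse battery staple"   # constructed
    old_iters, new_iters = 5_000, 500_000     # old default for legacy accounts vs. the count suggested above

    # Vault copy stolen while the account was still at the old count.
    stolen_verifier = verifier(master, email, old_iters)
    wordlist = ["password1", "Winter2022!", master, "letmein"]  # constructed
    print("attacker using the blob's own count:", offline_guess(stolen_verifier, email, old_iters, wordlist))

    # Raising the count today re-derives the key for the live vault, but the
    # stolen copy is bound to the count it was encrypted with.
    print("new count against old blob:", offline_guess(stolen_verifier, email, new_iters, wordlist))

    for iters in (old_iters, 100_100, new_iters):
        spg = seconds_per_guess(email, iters)
        print(f"{iters:>8} iterations: {spg * 1000:8.2f} ms/guess, "
              f"8-char [a-zA-Z0-9] exhaust ~{hours_to_exhaust(62, 8, spg, 1000):.0f} h on 1000 cores")
```

The second `offline_guess` call never matches: the attacker simply reads the old iteration count stored with the blob and cracks at that cost, which is why bumping iterations is insurance for the next breach rather than a fix for this one. The last loop is what "running the math" looks like in practice; swap in your own length and character set to see how much the master password buys you on top of the iteration count.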
Those Password Managers
Finally, let's talk about your choices in this matter. Even though I talked about this in the previous post, we should at least look at the options for those who may want to go to another service. Here are a few of them that I saw around the internet:
- Bitwarden — This is the one I prefer because it is open source and you have several options to choose from. It is where a lot of people are going right now after the LastPass breach, I am sure of it.
- 1Password — This one I only know about through what I've heard. I've heard good things about it, but there are not many options for those who want something free. They have been in this business for quite some time; I've heard of this company for MANY years and it still has great value to give its users.
- Dashlane — I had never heard of this product, but it comes highly recommended by others because of how security-focused they are. You will have to pay a yearly subscription fee; there is only a demo version, which means there is no free version.
- Roboform — I talked about Roboform way back in the past, and it was a very useful password manager when I was using it 10 or so years ago. So they must at least be doing something right to still be in business. I haven't explored them lately, but I might just do that again to see how they are doing.
As you can see, you have several choices if you decide you want to get away from LastPass, but ultimately you will have to decide what you want to do. I am still leaning toward Bitwarden because it is open source, or I might go back to Roboform if I can find the license I had with them in the past. I haven't really decided; I think Bitwarden would be my best choice because people can look at its code and help keep my passwords secure. Are you planning on changing or staying with LastPass? Who will you be going to if you change password managers? Why not leave a comment and tell me your options? I'd love to hear them and find out exactly what you are thinking about this LastPass breach.