I’ve been a big proponent of using a password manager for years. Managers let users maintain a large set of complex, effective passwords without having to remember or write down tens, if not hundreds, of them. I’ve touted the password manager called LastPass as the best platform and I’ve been its fan for years. LastPass was easy to use, worked on multiple devices, was secure, and had a good reputation. It had been around for years and was one of the top reliable, secure choices. That is, until now!
LastPass Security Breach
Recently, LastPass had a MAJOR security breach in which, presumably, their entire customer base’s password vaults were stolen. This was not just a breach that accessed data; the data tables themselves were stolen! That means the hackers have the data files. That’s not good. Fortunately, each password vault is encrypted, and the encryption keys were not part of the data stolen. However, the hackers can use “brute force” (a hacking method that uses trial and error to guess passwords, login credentials, and encryption keys) to try to break into individual vaults.
If you used a long, complex password for your LastPass vault, then you are somewhat protected: the hackers and their bots will ignore your account for now and attempt to crack the easy ones first, since complex passwords can take years, decades, or centuries to crack. If your LastPass master password was not a long, complex combination, you might be in trouble, and it’s time to change your passwords ASAP.
In our digital world, there will always be cybersecurity risks for all companies, including password management firms like LastPass. The troubling part of the recent LastPass security incident is how LastPass handled the situation.
LastPass’ Handling of the Breach
Instead of communicating the breach immediately, in detail, and honestly, they chose to hide details, miscommunicate, AND provide more facts only AFTER those facts had been investigated. Poor form for a security company. The real kicker came when their “solution” relied solely on the claim that everyone’s data was essentially safe because it was encrypted and hackers would need up to 1 million years to crack it—a true statement IF you are using a long and complex password. But most people don’t use a long, complex password on their vaults, which means the risk of a breach is high. They left that part out. Plus, they never pushed their users to change their critical passwords just in case. Not good.
This approach leads to some uncomfortable conclusions about how LastPass thinks about breaches, handles its own security, and cares about you, the customer. The breach has led most experts, including myself, to lose faith in the platform and the company. It still makes sense to use a password manager, but it is time for users to leave LastPass and move to a more trustworthy and robust platform. I have personally switched to 1Password and recommend that our clients do the same, immediately.
Thankfully, moving to another password management platform is easy.
7 steps to reduce your risk and move to another password manager
1. Immediately change all your critical passwords—your bank, credit card, investment accounts, and anything you care about and would never want someone to access or steal.
2. Choose a new password manager. Again, I recommend 1Password. (Don’t waste time changing your old LastPass master password. The hackers have a copy of your vault protected by your old password, and changing it on LastPass will not affect that copy.)
3. Go into LastPass and export all your data (after updating your critical passwords). The LastPass export file can be easily imported into your new password manager.
4. Use your new password manager’s import function to import the file.
5. IMPORTANT: Delete the export file. It contains every one of your passwords in readable form. Once the import is complete, hold the Shift key down, click the export file, and press Delete to permanently delete it (you DO NOT want this file sitting around in your Deleted Items). Shift+Delete skips the Recycle Bin, but it does not overwrite the data on disk, so do not leave the export on a shared or backed-up drive in the first place.
6. Delete and cancel your LastPass account after you get comfortable with your new password manager.
7. Turn on multi-factor authentication (MFA) for your new password manager.
Security incidents can happen even to the most security-conscious companies with multilayer cybersecurity. Pragmatic business owners understand that risks exist and that the best way to protect themselves and their companies is to protect their data and access. I strongly recommend that users start using MFA and a long, complex passphrase (12+ characters using upper- and lower-case letters, numbers, and symbols). If there is a security incident, you will be one of the luckier ones on the “ignore list,” since your password will be too costly to spend time trying to crack.
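To put numbers behind the two points above, that attackers crack the cheap vaults first and that a 12+ character mix of all four character classes pushes you onto the “ignore list,” here is a small Python script written for this post (it is an added example, not code from LastPass or 1Password). It measures the worst-case exhaustive-search cost of a master password, ranks a set of constructed sample passwords from cheapest to most expensive to crack, checks the 12+/four-class policy, and generates a policy-compliant master password with the OS random generator. The guess rate of one billion guesses per second is an assumption chosen for illustration; the real rate depends on the attacker’s hardware and on how slow the vault’s key-derivation function is.

```python
import math
import secrets
import string

# Character classes the post's policy asks for: upper, lower, digits, symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
}
ALPHABET = "".join(sorted(set().union(*CLASSES.values())))  # 94 characters

# ASSUMPTION for illustration only: attacker guess rate in guesses/second.
# A slow key-derivation function lowers the real rate; a weak one raises it.
ASSUMED_GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet an attacker must search, assuming it knows which character
    classes the password uses (the usual conservative model)."""
    unknown = [c for c in password if c not in ALPHABET]
    if unknown:
        raise ValueError(f"characters outside the 94-char alphabet: {unknown!r}")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def meets_policy(password: str, min_length: int = 12) -> bool:
    """The post's rule: 12+ characters drawing on all four classes."""
    return (len(password) >= min_length
            and all(any(c in chars for c in password)
                    for chars in CLASSES.values()))


def brute_force_estimate(password: str,
                         guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Worst-case cost of exhaustively searching every password of this shape."""
    keyspace = charset_size(password) ** len(password)
    seconds = keyspace / guesses_per_second
    return {
        "length": len(password),
        "charset": charset_size(password),
        "entropy_bits": math.log2(keyspace),
        "seconds": seconds,
        "years": seconds / SECONDS_PER_YEAR,
    }


def rank_by_effort(passwords):
    """Order passwords from cheapest to most expensive to crack; the front of
    the list is where an attacker's time goes first, the back is the ignore list."""
    return sorted(passwords, key=lambda p: brute_force_estimate(p)["seconds"])


def generate_master_password(length: int = 16) -> str:
    """Draw a random password from the 94-character alphabet using the OS CSPRNG,
    rejecting draws that miss a class so the result always satisfies the policy."""
    if length < 12:
        raise ValueError("policy requires at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample master passwords for the demonstration.
    samples = ["password", "Summer2022", "Tr0ub4dor&3xyz", generate_master_password(20)]
    for pw in rank_by_effort(samples):
        est = brute_force_estimate(pw)
        print(f"{pw!r:26} len={est['length']:2} charset={est['charset']:2} "
              f"bits={est['entropy_bits']:6.1f} policy={str(meets_policy(pw)):5} "
              f"worst-case years={est['years']:.3g}")
```

Run it and the eight-character all-lowercase sample comes out at a few minutes of worst-case work at the assumed rate, while the 14-character four-class sample comes out at more than a hundred billion years; that gap, not any cleverness on the attacker’s side, is why the weak vaults are tried first. The policy check is deliberately simple and measures only shape, so a dictionary word padded with a digit and a symbol will pass it; that is why the generator draws uniformly at random rather than letting a human invent the string.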
Hackers are lazy and always go after easy targets. DON’T be one!