The LastPass Breach

Ditch the vendor if you like, but don’t ditch the concept

Kamyar Kojouri
Dark Roast Security
3 min read · Dec 29, 2022


image by author

Let me start by saying that LastPass’s response and disclosure process have been very disappointing so far. This article published by Wired, titled “Yes, It’s Time to Ditch LastPass” really sums up my thoughts on the matter.

The vaults are out there somewhere, and the data dumps will most likely start showing up for sale on the dark web after the threat actor has finished taking a go at credential stuffing using the victims’ accounts. What remains to be seen is whether the data leak is going to be limited to accounts with weak master passwords, or whether the attackers can find a hole in LastPass’s “proprietary binary format” to get into all password vaults.

My suggestion: reset all account passwords you had stored in LastPass, then either ditch the vendor, or use a very strong master password with FIDO2 hardware keys and hope for the best.

I chose to reset all my passwords, move them to another platform, and stop auto-renewing my subscription with the vendor. There have been too many security issues with LastPass over the years for me to ignore. I enjoyed using the platform, but it’s time to move on. End of story. No need to flog the dead horse.

That being said, despite the inherent risks involved with using password managers, they still beat password reuse or sticky notes so I continue to use and advocate them. If you’re tech-savvy and can set up an offline password manager and ensure you can access it on demand, good for you! But most people lack the technical expertise or simply have better things to do with their lives than setting up OpenVPN with device certs passing through pfSense in their underground bunker. So, let’s be realistic and not go down that rabbit hole. We can nerd out about that later on Discord.

The reality is that, for most people, the best solution is to continue using an online password manager, at least until passwordless authentication goes mainstream everywhere, from Amazon to the DMV and IRS websites. That’s probably not going to happen any time soon, so how do we minimize the risk involved with using online password managers?

This may not work for everyone, but here is how I’ve been doing it.

  • For non-critical accounts (e.g. reward programs, airlines, etc.) I let the password manager generate randomized passwords. There’s no need to memorize these.
  • For accounts where a breach can cause me financial or reputational damage (e.g. email, social media, banking, 401k), I use a mental algorithm to generate unique passwords and do not store them anywhere.
    I just came up with one that generated the password mA!MoreShakshuka@18 for “facebook.com”. There’s a mix of constants and variables in there. See if you can reverse-engineer it.
  • Length is almost always more important than complexity. TheygotthegunsButwegotthenumbers! is exponentially harder to crack and much easier to remember than ^12xWhqU!+.
    The Center for Internet Security (CIS) recommends a minimum of 14 characters. However, I would say 20 is good for now until processors get faster or quantum computing goes mainstream.
  • Use MFA in as many places as possible. The order of preference should be: hardware token (FIDO2 or U2F), mobile app, and SMS text as a last resort.
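To put the “length beats complexity” point in numbers, here is an added example (my own code, not the author’s) that scores the two passwords from the list above under two attacker models: a plain brute-force search over the character pool, and a smarter attacker who already knows the long one is a passphrase built from dictionary words. The 20,000-word vocabulary and the 10^12 guesses-per-second rate are constructed assumptions for illustration.

```python
import math
import string

# Constructed assumptions for the worked numbers below.
GUESSES_PER_SECOND = 1e12          # assumed attacker rate against a fast hash
SECONDS_PER_YEAR = 365 * 24 * 3600
ASSUMED_VOCAB_SIZE = 20_000        # assumed size of a word list the attacker uses


def charset_size(pw: str) -> int:
    """Smallest standard character pool that contains every character in pw."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)   # 32 printable ASCII symbols
    return pool


def brute_force_bits(pw: str) -> float:
    """Work factor (bits) if every string of this length over the pool must be tried."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(words, vocab_size=ASSUMED_VOCAB_SIZE) -> float:
    """Work factor (bits) if the attacker knows the secret is N dictionary words
    plus one trailing symbol, so they only enumerate word choices, not characters."""
    return len(words) * math.log2(vocab_size) + math.log2(len(string.punctuation))


def years_to_crack(bits: float) -> float:
    """Expected exhaustive-search time (half the keyspace on average), in years."""
    return (2 ** bits / 2) / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def meets_length_policy(pw: str, minimum: int = 20) -> bool:
    """Length check; 20 is the minimum suggested in the post, CIS recommends 14."""
    return len(pw) >= minimum


def compare() -> dict:
    """Score the two passwords quoted in the post under both attacker models."""
    long_pw = "TheygotthegunsButwegotthenumbers!"
    short_pw = "^12xWhqU!+"
    words = ["They", "got", "the", "guns", "But", "we", "got", "the", "numbers"]
    return {
        "long_brute_bits": brute_force_bits(long_pw),
        "long_passphrase_bits": passphrase_bits(words),   # the harder, realistic model
        "short_brute_bits": brute_force_bits(short_pw),
        "short_years": years_to_crack(brute_force_bits(short_pw)),
    }
```

Even when the attacker is credited with knowing the passphrase structure, the long one still carries roughly twice the bits of the short random string, which falls to an exhaustive search in under a year at the assumed rate.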

Lastly, for corporate accounts on third-party sites (GitHub, Jira, etc.), always opt for single sign-on (SSO) instead of local accounts. This makes life easier for your employees by letting them use a single set of credentials, for your IT team by not having to set password policies across multiple platforms manually, and for the compliance department by not having to worry about disabling the Salesforce account for the account manager who left five years ago.

Your identity management platform should be configured to choose the authentication method (password only, MFA with mobile app, MFA with hardware token, etc.), the authorization to and within different apps (HR platform, CRM tool, etc.), and the session timeout settings based on context (managed vs. unmanaged device, location, time of day, etc.), so you’re not causing MFA fatigue for your users.

This can be implemented using an identity-driven access platform like Microsoft Conditional Access, Okta, Duo, etc. Some people call this Zero Trust but that’s a topic for another blog post.

Kamyar Kojouri
Dark Roast Security

Cybersecurity professional and Open Source enthusiast by day, amateur musician at night, blogger and bookworm past bedtime. Loves Manchego and the color red.