In May, LastPass announced an intrusion on its network that exposed user account information. LastPass is a cloud-based password manager: users load the LastPass extension into their web browsers and it takes care of the pesky password management tasks. The user gets one-click access to fill in the username and password on known sites, and the option to generate a long password and save the credentials on new sites.
It's a great, convenient service, but not without its pitfalls. Your passwords are stored in the cloud, which can be more dangerous than a local password manager: one hack could expose all your credentials. LastPass encrypts the vault on the client with a key derived from the master password, so what a server-side breach actually exposes depends on how well that master password stands up to offline guessing.
I started using LastPass about three years ago, after a long stint with KeePass. I decided to make the switch, partly out of convenience and partly because it forced better password habits. For example, if I didn’t have immediate access to my KeePass database and I had to create a new account, I was more likely to use a weak password.
LastPass also supports two-factor authentication, which means an attacker needs both my master password and my mobile phone in order to log in to my account. I weighed the pros and cons of each and decided to move my passwords to the cloud. Looking at it from a risk-based approach, I'm more likely to lose a KeePass database to my own error, a house fire that takes all the backups with it, or database corruption than to have someone hack into my LastPass vault. It's not a foolproof solution, but it is the best one for me at this point in time.
You can imagine my surprise when LastPass announced its service had been hacked. However, the silver lining is in the way the company handled the bad news: it is a textbook example of exactly the right way to handle a data breach. It notified customers at the first sign of intrusion and was very forthcoming about what was taken in the attack. It also offered next steps for each customer to protect their account: change the master password immediately and enable two-factor authentication.
It was at this point I took a hard look at my password habits. I've been using a password manager for nearly eight years, so nearly all my passwords were unique and strong, but not all. Sometimes I didn't have access to my password manager and created a weak password on the fly. I also no longer reuse passwords between sites, but before roughly 2009 I did, and some of those weak, shared passwords are still in place.
Also, keep in mind that what was considered a strong password in 2000 is a weak password today: the computing power available for brute-force cracking has grown by orders of magnitude, and commodity GPUs now try billions of guesses per second against fast, unsalted hashes. My important accounts, such as online banking, trading, email and cloud storage, were secure, but some that seemed less significant, such as shopping or news sites, were not.
After the LastPass breach I decided to do a full audit of all my accounts and assess my risk. I also thought about how accounts are often linked together and how a security failure in one area can lead to a domino effect.
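As an added example (not code from the article or from LastPass), here is a small audit script of the kind one might run over a password-manager export to surface exactly the problems described above: passwords reused across sites, weak ones created on the fly, and passwords that were adequate years ago but fall quickly at today's guess rates. The CSV column names, the guess rates and the 60-bit threshold are assumptions for illustration; the rows are constructed sample data, not real credentials.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample export (not real credentials). The column names are an
# assumption modelled on a typical password-manager CSV export.
SAMPLE_EXPORT = """url,username,password
https://bank.example.com,alice,Vq7$kL2#pX9!mN4wRz
https://mail.example.com,alice@example.com,Hk3@fG8^bT5&yU1qLe
https://shop.example.com,alice,summer2009
https://news.example.com,alice,summer2009
https://forum.example.com,alice_f,p4ssword
"""

# Assumed round-number guess rates for crack-time estimates: an offline attack
# against a fast unsalted hash on a GPU rig, versus an online attack that the
# site throttles.
OFFLINE_GUESSES_PER_SEC = 1e10
ONLINE_GUESSES_PER_SEC = 100


def charset_size(pw):
    """Size of the alphabet implied by the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(pw):
    """Upper-bound entropy, assuming every character was chosen uniformly.
    This overestimates dictionary-derived passwords such as 'summer2009',
    so anything flagged here is weak even under a generous model."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def seconds_to_crack(bits, guesses_per_sec):
    """Expected time to search half the keyspace at the given guess rate."""
    return (2 ** bits) / 2 / guesses_per_sec


def audit_export(csv_text, min_bits=60):
    """Return [(url, [issue, ...]), ...] for every entry with a problem.
    min_bits=60 is an assumed threshold, not a standard."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Index entries by password so reuse across sites can be detected.
    sites_by_password = defaultdict(list)
    for row in rows:
        sites_by_password[row["password"]].append(row["url"])

    findings = []
    for row in rows:
        pw = row["password"]
        bits = entropy_bits(pw)
        issues = []
        if len(sites_by_password[pw]) > 1:
            issues.append("reused on %d sites" % len(sites_by_password[pw]))
        if bits < min_bits:
            issues.append(
                "weak: %.0f bits, ~%.0f s offline, ~%.0f days online"
                % (
                    bits,
                    seconds_to_crack(bits, OFFLINE_GUESSES_PER_SEC),
                    seconds_to_crack(bits, ONLINE_GUESSES_PER_SEC) / 86400,
                )
            )
        if issues:
            findings.append((row["url"], issues))
    return findings


if __name__ == "__main__":
    for url, issues in audit_export(SAMPLE_EXPORT):
        print(url)
        for issue in issues:
            print("  -", issue)
```

Run against a real export, the script points at the accounts to fix first: anything reused, then anything short or drawn from a small alphabet. Because the entropy model is an upper bound, a clean report does not prove a password is strong, but a flagged one is certainly weak.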
This is what happened to technology journalist Mat Honan. At the time, resetting an Apple ID over the phone required the last four digits of the credit card on file. Amazon displayed those same four digits in its account settings, so an attacker who got hold of the credentials for an Amazon account could use them to take over every Apple service the victim used. In Honan's case, that gave the attackers his iCloud account, which they used to remotely wipe his iPhone and Mac.