We’ve been advocating for and using password manager software for many years. After extensive testing, we landed on LastPass several years ago for its advanced security capabilities, ease of use and reasonable price and it has become an important part of our defense-in-depth strategy.
Unfortunately, no security solution is completely invulnerable, and password managers by their very nature are high-value targets for hackers, so it’s not a huge surprise to learn about attacks on the platform. But the most recent LastPass security incident had us concerned from the outset, and we began closely following related news when the incident was first reported in August 2022. As further information has slowly trickled out, we’ve become increasingly concerned about the risk to LastPass customers as well as the way that LastPass has handled it.
On December 22nd, 2022, LastPass published an update about the incident on their blog that said “The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.”
As a result of this update from LastPass, we have serious concerns about the possibility of attackers cracking weak or easily guessed master passwords which would give them access to all the encrypted passwords in the corresponding password vaults. Because the attackers have exfiltrated the vaults, they have unlimited time to attack users’ master passwords. This is a very serious concern and one that multi-factor authentication (you are using MFA on all your accounts, right?) will not remediate.
Despite this incident, we still firmly believe that a strong password manager is an important tool that will help most people improve their cybersecurity hygiene and most experts agree. This article from The Guardian does a nice job of explaining why you should use a password manager: “Not using a password manager? Here’s why you should be…”
Our dedicated cybersecurity team is actively evaluating other secure password manager software to replace LastPass. A recommendation from the team is imminent and will be published as soon as our team’s assessment is complete.
What You Should Do Now
- If you have a LastPass master password that is less than 12 characters, is not unique (has been used elsewhere) or is easy to guess, you should not only change your master password, you should also generate new passwords for all accounts in your vault as soon as possible. Again, MFA on your LastPass account should be enabled, but will not help in this case because the attackers have the encrypted password vault files and unlimited time to crack them.
- If your LastPass master password is 12 or more characters and is also unique and not easily guessable, you’re probably OK because of the difficulty of cracking such a password. That said, we encourage you to err on the side of caution and create a new master password as soon as possible based on the tips below.
- After you have created a new master password, create new passwords for all the accounts in your vault. You can use the Generate Password feature of LastPass to create a new strong password for each account. While this may be tedious, this step is critical because if attackers can crack your master password, they will be able to decrypt and access ALL of the passwords in your vault.
- Enable MFA on your password manager (and all your accounts). This will help block access for attackers even if they have your password for a given account.
- Beware of phishing, smishing (text) and vishing (voice) attacks that attempt to leverage the LastPass incident. For example, an email that appears to be from LastPass and asks you to log in may be an attempt by attackers to capture your credentials.
Tips for Creating New Passwords
- Longer is better. Ensure each password is unique and not easily guessable.
- It’s best to use a “pass phrase” that is long but easy to remember, easy to type and hard to guess. Pick something that only you would know.
- For example, the phrase “I Love Pizza with Onions!” becomes “IL0v3Pizz@with0ni0ns!”. Easy to remember, easy to type, hard to guess and, at 21 characters, VERY difficult to crack.
- Once you have created a strong new master password for your account you can use the Generate Password feature of LastPass (or similar feature in other password managers) to create very long, very strong random passwords for each account in your vault.
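The decision rules above (the 12-character threshold, reuse elsewhere, easy guessability, and the resulting "rotate only the master password" versus "rotate the master password and every vault password" outcomes) can be applied mechanically. The following is an added example written for this post, not LastPass code; the reuse set and the common-password list are constructed stand-ins for a real export and a real breach-derived list.

```python
import re
from dataclasses import dataclass, field

MIN_LENGTH = 12  # the post's threshold for a master password

# Constructed sample: passwords already used on other accounts (in practice,
# every non-master password exported from the vault).
USED_ELSEWHERE = {"Summer2021!", "Winter2022", "correct horse"}

# Constructed short list of commonly guessed passwords; a real check would
# consult a full breach-derived wordlist.
COMMON_PASSWORDS = {"password", "password123", "123456789012",
                    "qwertyuiop12", "letmein"}


@dataclass
class Assessment:
    weak_reasons: list = field(default_factory=list)
    rotate_master: bool = True   # the post recommends this in every case
    rotate_vault: bool = False   # only required when the master password is weak


def is_easily_guessable(pw: str) -> bool:
    """Cheap heuristics for the post's 'easy to guess' criterion."""
    if pw.lower() in COMMON_PASSWORDS:
        return True
    if re.fullmatch(r"[0-9]+", pw):          # digits only
        return True
    if re.fullmatch(r"[a-z]+", pw):          # a single lowercase word
        return True
    if len(set(pw)) <= 3:                    # e.g. "aaaaaaaaaaaa" or "121212121212"
        return True
    return False


def assess_master_password(pw: str, used_elsewhere=USED_ELSEWHERE) -> Assessment:
    """Apply the post's rules: any weakness means the whole vault must be rotated."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw in used_elsewhere:
        reasons.append("reused on another account")
    if is_easily_guessable(pw):
        reasons.append("easily guessable")
    return Assessment(weak_reasons=reasons, rotate_master=True,
                      rotate_vault=bool(reasons))


if __name__ == "__main__":
    for candidate in ("IL0v3Pizz@with0ni0ns!", "Summer2021!", "123456789012"):
        a = assess_master_password(candidate)
        print(candidate, "-> rotate vault:", a.rotate_vault, a.weak_reasons)
```

The passphrase from the post passes every rule, so only the master password needs changing; a short, reused or all-digit master password triggers the full vault rotation.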
We understand that the security of your data is of the utmost importance to you, your stakeholders, and your customers. Our team at Intrust IT is committed to maintaining the highest levels of security and privacy and transparency about unfortunate issues such as this. We will continue to carefully monitor the situation and will update this blog post with additional information and recommendations as warranted.
Thank you for your continued trust in Intrust IT and we sincerely apologize for any inconvenience this may have caused for you or your organization.
For the latest information from LastPass, visit their blog post “Notice of Recent Security Incident.”