[June 16, 2015 Update from LastPass on their research of this security incident: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/]
LastPass’ CEO announced in a blog post and an email to their users that they have detected a network intrusion into their platform. You can review that post as well as coverage from a respected publication that tracks security issues at Ars Technica. We would suggest the comments on these posts are as compelling as the news within the posts.
What do we know?
- That someone unauthorized accessed their network
- LastPass is confirming all logins with an email confirmation if coming from a new device or IP address you have not used before
- LastPass is recommending a reset of your Master Password that unlocks LastPass in your browsers and on devices
- LastPass does not believe this attack has compromised users’ encrypted vaults
- The most likely loss has been user email addresses (which are how we log in to LastPass)
Some things to consider. LastPass has done a lot of things correctly here – as we have assessed in our due diligence of them and as outlined in the articles linked above.
They were quick to notify their users and the public about this incident once they confirmed it was unauthorized. They are doing some things right in general – such as the strong encryption methods they leverage to secure user authentication and data. Additionally – they separate where the actual data is stored (user vaults) from where the authentication process happens. In essence, they have different “places” where you log in and where you are then connected to your password vault.
What should I do?
Change your master password. This password should NEVER be used anywhere else for any purpose. This is the one unique password you need to remember.
Using two-factor or multi-factor authentication has been our mantra. If you were using it with LastPass, you have very little to worry about. With that second factor (a PIN code or text message required to complete your login), someone who obtains your password alone cannot compromise your account. If the security incidents of the past few years are not enough, this should be the incentive for you to activate it.
Run the Security Challenge in LastPass
A key component in securing your passwords is using a unique password for each site. That would be impossible without a password manager. This tool in LastPass will enable you to identify:
- Email addresses that have been exposed to data breaches
- Where you use duplicate passwords
- Weak passwords
- Passwords that have not been changed in a long period of time
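The four checks listed above are the same ones you can run yourself against any exported list of credentials. The script below is an added example, not LastPass code and not its Security Challenge; it audits a small constructed sample vault (hypothetical sites and dates) for shared passwords, weak passwords by a simple length and character-class heuristic, passwords older than a year, and the set of email addresses you would then look up against a breach-notification service. The report deliberately never includes the passwords themselves.

```python
from collections import defaultdict
from datetime import date, timedelta
import string

# Constructed sample vault (hypothetical data; not a real LastPass export format).
SAMPLE_VAULT = [
    {"site": "bank.example",  "username": "alice@example.com",
     "password": "Tr0ub4dor&3xample!",               "last_changed": date(2015, 5, 1)},
    {"site": "shop.example",  "username": "alice@example.com",
     "password": "password1",                        "last_changed": date(2013, 1, 15)},
    {"site": "forum.example", "username": "alice",
     "password": "password1",                        "last_changed": date(2014, 11, 2)},
    {"site": "mail.example",  "username": "alice@example.com",
     "password": "correct horse battery staple 42",  "last_changed": date(2015, 6, 1)},
]

# Audit thresholds (assumed policy values, not LastPass's).
MIN_LENGTH = 12
STALE_AFTER = timedelta(days=365)
DEFAULT_TODAY = date(2015, 6, 16)  # date of the incident update, used as "today" for the sample


def is_weak(password):
    """Simplified strength heuristic: too short, or fewer than three character classes.
    A real estimator would also check dictionary words and known-breached passwords."""
    if len(password) < MIN_LENGTH:
        return True
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation or c == " " for c in password),
    ]
    return sum(classes) < 3


def audit_vault(entries, today):
    """Return a report of reused, weak and stale passwords plus emails to check for exposure.
    Passwords are used only for grouping and never copied into the report."""
    sites_by_password = defaultdict(list)
    for entry in entries:
        sites_by_password[entry["password"]].append(entry["site"])

    # Groups of sites sharing one password (order follows first appearance in the vault).
    duplicates = [sites for sites in sites_by_password.values() if len(sites) > 1]
    weak = [e["site"] for e in entries if is_weak(e["password"])]
    stale = [e["site"] for e in entries if today - e["last_changed"] > STALE_AFTER]
    # Usernames that are email addresses: these are what you look up in a breach-notification service.
    emails_to_check = sorted({e["username"] for e in entries if "@" in e["username"]})

    return {
        "duplicates": duplicates,
        "weak": weak,
        "stale": stale,
        "emails_to_check": emails_to_check,
    }


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT, DEFAULT_TODAY)
    for group in report["duplicates"]:
        print("password reused across:", ", ".join(group))
    print("weak passwords at:", ", ".join(report["weak"]))
    print("not changed in over a year:", ", ".join(report["stale"]))
    print("check these addresses for breach exposure:", ", ".join(report["emails_to_check"]))
```

Run it against your own export by replacing `SAMPLE_VAULT` with the parsed file, and delete the export when done: an unencrypted vault export on disk is exactly the artifact a password manager exists to avoid.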
Closely Review Account Settings
Take the time to review the settings available to you in LastPass. You can control access from mobile devices, enable multi-factor authentication as well as other security preferences that serve as a defensive perimeter in protecting your login credentials.
We are the first to embrace password managers and continue to advocate for their use. We are also selective about those we recommend, as storing dozens or hundreds of critical passwords in the cloud takes commitment and carries risk. However, the consequences of NOT using a password manager are a much higher risk. Being able to have unique, difficult passwords in conjunction with using multi-factor authentication is a central component of the security recipe. This is unmanageable without password managers.
LastPass is one of three password managers we currently follow and recommend. The other two are RoboForm and 1Password (the latter from a company called AgileBits). All three provide solutions for Mac and PC as well as mobile devices.