June 16, 2015 Blane Warrene

What Do I Need to Know About the LastPass Hack?

[June 16, 2015 Update from LastPass on their research of this security incident: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/]

LastPass’ CEO announced in a blog post and an email to their users that they have detected a network intrusion into their platform. You can review that post as well as coverage from a respected publication that tracks security issues at Ars Technica. We would suggest the comments on these posts are as compelling as the news within the posts.

What do we know?

  • That someone unauthorized accessed their network
  • LastPass is confirming all logins with an email confirmation if coming from a new device or IP address you have not used before
  • LastPass is recommending a reset of your Master Password that unlocks LastPass in your browsers and on devices
  • LastPass does not believe this attack has compromised users’ encrypted vaults
  • The most likely loss has been user email addresses (which are how we log in to LastPass)

Some things to consider. LastPass has done a lot of things correctly here – as we have assessed in our due diligence of them and as outlined in the articles linked above.

They were quick to notify their users and the public about this incident once they confirmed it was unauthorized. They are doing some things right in general – such as the strong encryption methods they leverage to secure user authentication and data. Additionally – they separate where the actual data is stored (user vaults) from where the authentication process happens. In essence, they have different “places” where you login and then are connected to your password vault.

What should I do?

Master Password

Change your master password. This password should NEVER be used anywhere else for any purpose. This is the one unique password you need to remember.

Multi-Factor Authentication

Using two-factor or multi-factor authentication has been our mantra. If you were using it with LastPass, you have very little to worry about. With that second factor (a PIN code or text message to complete your login), someone who gets your password alone cannot compromise your account. If the security incidents of the past few years are not enough, this should be incentive for you to activate it.

Run the Security Challenge in LastPass

A key component of securing your passwords is using a unique password for each site. That would be impossible without a password manager. This tool in LastPass will enable you to identify:

  • Email addresses that have been exposed to data breaches
  • Where you use duplicate passwords
  • Weak passwords
  • Passwords that have not been changed in a long period of time
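As an added illustration of the kind of checks such a vault audit performs (example code written for this page, not LastPass's Security Challenge; the vault entries, breached-address list, date and thresholds are constructed):

```python
# Added example, not LastPass code: audit a password vault for the four
# problems listed above. All entries, addresses and thresholds are constructed.
from collections import defaultdict
from datetime import date
import math

TODAY = date(2015, 6, 16)  # constructed audit date (the date of this post)

# Constructed vault entries: site, login email, password, date last changed.
VAULT = [
    {"site": "bank.example", "user": "me@example.com", "password": "Tr0ub4dor&3!xQ9", "changed": date(2015, 5, 1)},
    {"site": "shop.example", "user": "me@example.com", "password": "summer2013", "changed": date(2013, 6, 1)},
    {"site": "forum.example", "user": "me@example.com", "password": "summer2013", "changed": date(2014, 1, 15)},
    {"site": "mail.example", "user": "other@example.com", "password": "p@ssw0rd", "changed": date(2012, 3, 3)},
]

# Addresses known from public breach disclosures; a constructed placeholder list here.
BREACHED_EMAILS = {"me@example.com"}

def entropy_bits(pw):
    """Rough strength estimate: length * log2(size of the character classes used)."""
    charset = 0
    if any(c.islower() for c in pw): charset += 26
    if any(c.isupper() for c in pw): charset += 26
    if any(c.isdigit() for c in pw): charset += 10
    if any(not c.isalnum() for c in pw): charset += 33
    return len(pw) * math.log2(charset) if charset else 0.0

def audit_vault(vault, breached_emails, today, max_age_days=365, min_bits=60):
    """Return the sites affected by each finding; passwords themselves are never reported."""
    sites_by_password = defaultdict(list)
    findings = {"breached_emails": set(), "weak": [], "stale": []}
    for e in vault:
        sites_by_password[e["password"]].append(e["site"])
        if e["user"] in breached_emails:
            findings["breached_emails"].add(e["user"])
        if entropy_bits(e["password"]) < min_bits:
            findings["weak"].append(e["site"])
        if (today - e["changed"]).days > max_age_days:
            findings["stale"].append(e["site"])
    # Groups of sites sharing one password (the password is deliberately dropped).
    findings["duplicates"] = sorted(sorted(s) for s in sites_by_password.values() if len(s) > 1)
    return findings

def run_audit():
    return audit_vault(VAULT, BREACHED_EMAILS, TODAY)

if __name__ == "__main__":
    for kind, sites in run_audit().items():
        print(f"{kind}: {sorted(sites)}")
```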

Closely Review Account Settings

Take the time to review the settings available to you in LastPass. You can control access from mobile devices, enable multi-factor authentication, and set other security preferences that serve as a defensive perimeter protecting your login credentials.

Final Thoughts

We are the first to embrace password managers and continue to advocate for their use. We are also selective about those we recommend, as it takes a commitment and carries risk to store dozens or hundreds of critical passwords in the cloud. However, the consequences of NOT using a password manager are a much higher risk. Being able to have unique, difficult passwords in conjunction with multi-factor authentication is a central component of the security recipe. This is unmanageable without password managers.

LastPass is one of three password managers we currently follow and recommend. The other two are RoboForm and 1Password (the latter from a company called AgileBits). All three provide solutions for Mac and PC as well as mobile devices.

Blane Warrene

Recognized as an industry leader in financial services business development and technology, Blane has worked in progressive roles in operations, technology and compliance in the industry. He co-founded Arkovi Social Media Archiving in 2009 with Carl Cline and Tyson Lowery - successfully raising capital and delivering a modern software as a service solution for business use of social media. Blane also co-founded QuonWarrene with Neal Quon in 2009. In October 2012 Arkovi was acquired by RegEd. Blane continues to advise companies via QuonWarrene. In addition, Blane is a sought-after speaker and panelist at industry and corporate conferences where he brings a fresh and innovative approach to business issues. An avid blogger and well known on Twitter, @blano, he is actively engaged in social media providing thought leadership in compliant communications. Blane serves as a board member for the Dennison Railroad Depot Museum, an Ohio national historic landmark.

