We recommend the use of a password manager to improve the security of your access to online resources and generally recommend LastPass for this use. Some of you may have received a notice of a recent security incident from LastPass, or have seen or heard about it in the news.
Summary: if your LastPass master password is both strong and unique, you do not need to take any specific action in response to this incident.
What Happened: In a small nutshell, in November, a threat actor through persistent effort was able to obtain a copy of the encrypted vaults of many or all LastPass users. The vaults contain username and password information for online sites and resources, as well as secure notes, credit card information, and other personal information that needs to be kept private. These vaults are protected using strong encryption, and a master password that is known only to the vault’s owner.
The Key: A critical key to the security of any password manager is a strong and unique master password. “Strong” means at least 12 characters long (preferably 20 or longer), using a variety of lower & upper case letters, numbers, and other characters. “Unique” simply means you do not use this same password in any other context (and especially not as a password for any other login access).
What should you do? As noted in the summary, if your current LastPass master password is strong and unique, the risk to your information is minimal, and you don’t need to do anything (though you may choose to anyway). If not, we do recommend you take the following steps to reduce the potential risk to your information:
- Change your master password, make it both strong and unique (ask me about “passphrases” if you want help!)
- In the short term: change the passwords to your accounts that control assets, such as banking, credit card, and financial sites;
- Change the passwords to your critical online accounts that could cause harm if you are exposed, such as secure work resources.
- Also: change the password to your primary email accounts (eg, your work and your personal email accounts; email access is often used by attackers to reset “forgotten” passwords to other resources).
- Over time: change the passwords to the other sites and resources that were in your password manager.
- Activate “2-factor authentication” for any of your sites that have it enabled as an option for secure authentication.
What are the risks to you from this incident (why take the recommended steps)? Again, in a nutshell, since the threat actor has access to a copy of your vault, they can try to break into it using techniques such as “brute force” or “password reuse” attacks. If your master password is not both strong and unique, the probability that any bad actors will successfully decrypt your vault over time changes from “practically impossible” to “improbable” (or worse, if your password was very weak!).
Should you quit using LastPass?:
Some security experts suggest current users should stop using LastPass altogether. I don’t think that’s necessary, but you may choose to do so. Commonly recommended alternatives include 1Password, Bitwarden, and Dashlane. Password managers built into your computer’s operating system, such as Microsoft’s Authenticator and Apple’s Keychain are reasonable options as well. However, please do not use the “remember me” function built into most browsers, as these are at higher risk of exposure from vulnerabilities in the web browsers themselves.
An additional word of advice: if you use a password manager, I recommend that you do write your master password down and store it in a very safe place (such as a fireproof lock box with your other critical documents). So, in the event of death or other personal catastrophe, your designated heirs or proxies will be able to access your critical online resources.
Harvard has a very good notice to their community about this:
LastPass posted an update notice about the incident here:
Ben Marsden, Information Security Specialist, ProsperiTea Planning