LastPass is the password management solution billed as "The Last Password You'll Ever Need." Well, this is a hard promise to keep when your response to being breached is to ask all of your customers to change their passwords. That's right, folks, LastPass is the latest cloud offering to be hacked. They just announced this last night.
While they say all of the information that was accessed was encrypted and there's no way for the perpetrators to access the stored passwords, you still have to wonder. Here are a few lines from their most recent blog post:
"The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
"We are confident that our encryption measures are sufficient to protect the vast majority of users."
I don't know about you, but this doesn't give me a complete sense of security or comfort - "vast majority of users"? Sure seems like some legalese instead of just saying "all users". There must be a reason for this.
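To make the quoted notice concrete: what "server per user salts" and "authentication hashes" are, why a stolen salt plus hash is not the same as a stolen password, and why the protection still depends on the strength of the master password and on the work factor of the derivation. The following is an added example, not LastPass's code or a description of their actual scheme; the PBKDF2-HMAC-SHA256 construction, the 100,000-round work factor and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Work factor: number of PBKDF2-HMAC-SHA256 rounds. Constructed value for this
# example; a service would tune it so one derivation costs tens of milliseconds.
ITERATIONS = 100_000


def derive_auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Server-side authentication hash: a slow, salted derivation of the master password.

    The per-user salt means two users with the same master password get different
    hashes, and a table precomputed for one salt is useless for another. The
    iteration count is what makes each individual guess expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def new_user_record(master_password: str) -> dict:
    """What the server stores: salt, work factor and hash, never the password."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        "auth_hash": derive_auth_hash(master_password, salt),
    }


def verify_master_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    got = derive_auth_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(record["auth_hash"], got)


def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Measure what one derivation costs at a given work factor.

    If salt and hash leak, this is the floor on the cost of testing a single
    candidate master password for a single user. The other lever, the number of
    candidates a master password survives, is entirely in the user's hands; that
    is why "vast majority" rather than "all" is the honest claim.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_auth_hash("timing-sample", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    record = new_user_record("correct horse battery staple")  # constructed sample password
    print("login ok:", verify_master_password(record, "correct horse battery staple"))
    print("wrong password rejected:", not verify_master_password(record, "password1"))
    print(f"one derivation at {ITERATIONS} rounds: {seconds_per_derivation(ITERATIONS):.3f}s")
```

Two things worth noticing when you run it: the same password hashed under two different salts gives two unrelated hashes, and raising the iteration count raises the per-guess cost linearly, which is the only defense the server controls once the record has left its hands.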
If you're using LastPass, here's a link to their Security Notice detailing their recommendations. Their short answer is change your master password.
In theory, password management systems like LastPass have always seemed like a good idea, and they've always intrigued me. But I've never been able to get past the "what if" of when they're breached. So now that one has, now what?
Here are a couple of suggestions for password management:
- First, never put your most sensitive passwords into any password manager. That means passwords to your banks, online trading accounts, and any other websites that aren’t worth exposing to any increased risk.
- Wherever possible, enable two-factor authentication. This is where you enter a username and password into a website, and then a unique code is sent to your mobile phone to complete the login process.
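The server side of the second step just described, as an added example (not from the original post and not any particular vendor's implementation): after the password check passes, the site issues a short-lived random code, hands it to an SMS sender, and later verifies the submitted code with an expiry, a small attempt limit and single use. The five-minute lifetime, three-attempt limit, six-digit format and the `send_sms` callback are assumptions for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # constructed choice: a code is good for five minutes
MAX_ATTEMPTS = 3         # constructed choice: lock the code after three wrong guesses

# In-memory store of pending challenges, keyed by username. A real service would
# keep this in a database or cache tied to the login session.
_pending = {}


def issue_code(username, send_sms, now=None):
    """Generate a fresh six-digit code and deliver it out of band.

    Called only after the username/password step succeeded. `send_sms` is an
    assumed callback (username, code) that represents the SMS gateway.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"      # cryptographically random, zero-padded
    _pending[username] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    send_sms(username, code)


def verify_code(username, submitted, now=None):
    """Check a submitted code. Returns True exactly once per issued code."""
    now = time.time() if now is None else now
    challenge = _pending.get(username)
    if challenge is None:
        return False                                   # nothing pending, or already consumed
    if now > challenge["expires"] or challenge["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]                         # expired or locked: force a fresh code
        return False
    challenge["attempts"] += 1
    ok = hmac.compare_digest(challenge["code"], str(submitted))  # constant-time compare
    if ok:
        del _pending[username]                         # single use: a replayed code fails
    return ok


if __name__ == "__main__":
    outbox = []                                        # stands in for the SMS gateway
    issue_code("alice", lambda user, code: outbox.append((user, code)))
    user, code = outbox[-1]
    print("wrong code accepted:", verify_code("alice", "000000" if code != "000000" else "111111"))
    print("right code accepted:", verify_code("alice", code))
    print("replayed code accepted:", verify_code("alice", code))
```

The expiry and attempt limit are what keep a six-digit code meaningful: without them the code space is small enough to guess through, and without single use a code seen once stays valid.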
Call me old school, but personally, I'm hesitant to store anything as important as passwords someplace I can't touch.