CyberHoot has separately drafted a new LastPass article, Last Straw for LastPass, with criteria for choosing a replacement password manager.
Naked Security has this article detailing their take on the LastPass breach and admission that encrypted vaults were stolen. They have some helpful comments and insights. This got CyberHoot thinking some more…
We stored our credit card information in LastPass for form-filling ease of use. Will we cancel and re-issue our credit cards? Speaking personally now, I will not. My Master Password was so long and complex that the cracking effort required, according to this website’s Password Strength Meter, was 7 quadrillion years. Whew! That’s a relief.
LastPass released new information on their latest breach announcement from Nov. 30th, in which their monitoring identified a new breach (tied to their Aug. breach). In this update from 12/22/2022 they admit that they believe 256-bit AES-encrypted client password vaults were stolen from the 3rd party. This is the first time they’ve acknowledged that client data was at risk. Here’s their take on the situation:
“If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.
However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”
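To make the quoted statement concrete, here is an added back-of-the-envelope estimator (not LastPass’s or CyberHoot’s code) comparing a uniformly random 12-character master password, a 14-character one, and a same-length password built from a dictionary word plus digits. The offline guess rate and the word-list size are constructed assumptions for illustration, not measurements of any real cracking rig or of LastPass’s actual key-derivation settings.

```python
"""Estimate offline guessing effort against a stolen, encrypted vault.

An attacker holding the vault ciphertext can test candidate master
passwords offline; the rate is bounded only by the vault's key-derivation
cost on the attacker's hardware.  GUESSES_PER_SECOND below is a constructed
assumption, not a measured figure.
"""
import math

GUESSES_PER_SECOND = 1_000_000          # constructed assumption
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95                    # letters, digits, symbols, space


def keyspace(length: int, alphabet_size: int) -> int:
    """Candidates for a uniformly random password of this length."""
    return alphabet_size ** length


def bits(candidates: int) -> float:
    """Entropy in bits of a uniform choice among `candidates` passwords."""
    return math.log2(candidates)


def expected_years(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password: on average half the space is tried."""
    return candidates / 2 / rate / SECONDS_PER_YEAR


def compare() -> dict:
    """Three master-password populations that all satisfy a 12+ length rule."""
    random12 = keyspace(12, PRINTABLE_ASCII)   # random, at the quoted default length
    random14 = keyspace(14, PRINTABLE_ASCII)   # random, two characters longer
    # Constructed "weak" model: one of ~20,000 dictionary words, optional capital,
    # followed by four digits (e.g. a 12-character "Sunflower2022").  It passes the
    # length rule, but attackers try such patterns first, so the space is tiny.
    weak = 20_000 * 2 * 10 ** 4
    return {
        "random12_bits": bits(random12), "random12_years": expected_years(random12),
        "random14_bits": bits(random14), "random14_years": expected_years(random14),
        "weak_bits": bits(weak),         "weak_years": expected_years(weak),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>15}: {value:,.3g}")
```

Each extra random character multiplies the attacker’s work by the alphabet size (95 here), which is why two more characters buy four orders of magnitude; a word-plus-digits password of the same length falls in seconds under the same assumed rate.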
So, what does this mean for all you LastPass users out there, or for Companies that have deployed LastPass to their Users? A lot of work actually.
CyberHoot’s Impact Assessment:
Our staff knows the following to be true: in many of the LastPass environments we have supervised over the last decade, despite our training videos and our password policies requiring a minimum of 14-character passwords (2 longer than LastPass defaults), we have seen many Master Passwords that were WEAK. Therefore, given the general lack of strong password hygiene, this new breach information from LastPass requires CyberHoot to make the following recommendations to anyone using LastPass personally or in their business:
CyberHoot LastPass Viability: Q: Does CyberHoot think LastPass is a viable solution given this breach and previous breaches they have faced?
Answer: We cannot answer that question for you. For CyberHoot, we will continue to use LastPass, as we’re fully invested in them at this point. Our Master Passwords are FAR LONGER than 12 characters, making our vault theft unlikely to yield anything to the hackers in question here. In addition, as painful as this episode has been for LastPass, it shows their commitment to transparency and security. It would have been potentially far easier for them to hide this incident by sweeping it under the rug. They did not. We want a company that is transparent, admits mistakes when they happen, has advanced monitoring in place to catch security events (as they did in this case), and reports on them honestly and openly. We’ll end with a statement long attributed to the FBI, because it applies to ALL companies and ALL password manager software vendors.
“There are two types of companies in this world. Those that know they’ve been hacked, and those that don’t know they’ve been hacked.”
We know when and how LastPass was hacked here. Do we know anything about any other password manager vendors being hacked?
Full transparency: CyberHoot has not made a single dime from LastPass in any capacity, referral program or otherwise. We have probably left thousands of referral dollars on the table because of our desire to remain at arm’s length for our reporting.
Naked Security Dec. 23rd Article on LastPass Breach
LastPass Blog outlining the breach and their response