What LastPass’ Data Breach Says about Password Security
June 25, 2015
Password management is a concept generally preached, but not often applied. Security professionals may tell you to use a different password for every site, not to use personal identifiers, to mix character types, and never to use the same passphrase twice.
They say this. You agree. But how many of us actually follow best practices for password management? How many of us use the same password (or variations of it) for everything from Facebook and Twitter to online banking, student loans, car payments, and managing a 401K?
The recent security compromise reported at LastPass, a proven and popular cloud-hosted password manager, reinforces the skepticism voiced by critics.
The LastPass Data Breach
The CEO of LastPass responded to the breach by stating,
“Our security and processes worked as designed, and customer data was, and is, protected. Because we are requiring verification for any new IP address or device, your account is secure. You will be prompted to update your master password when you log in. Not all users will see the prompt immediately, but your account is safe and you can update when prompted. For added security going forward, we recommend enabling multifactor authentication. Also, be wary of phishing emails asking you to disclose your master password, payment information, or any other personal information. Never, ever disclose your master password or any confidential information, even to someone claiming to work for LastPass.”
LastPass’ transparency, quick turnaround from discovery to notice, and continual updates are admirable. The IT staff noticed an issue on Friday and notified users via a blog post on Monday. They updated users with new information on Tuesday.
Although they made all the right moves after the incident, should you still trust your passwords with a password manager?
Advice from an expert
If you cannot trust a password manager to store and secure login credentials, then what’s the next best move?
According to Jonathan Jenkins, cyber security expert and trainer:
“In regards to all password storage, whether it’s an application or cloud-based, they are all susceptible to hacking. Applications are code that can be reverse-engineered. Within that code lies the means to break into the storage. Cloud-based solutions still have code involved that can be changed and reviewed often, with however many individuals are involved in maintaining a cloud. More people usually means more human error. The best thing a person can do is to truly remember their passwords.
There is no perfect solution. One good method is creating 20 or more unique passwords that you can rotate through for a 3-year period. Personally, I use a 50 unique password rotation for a 7-year rotation.”
Why there are no guarantees in password security
Not everyone has the memory to retain complicated passwords. There are too many things to keep track of, too many websites you log into on a daily basis, and you don’t necessarily have the time for, or interest in, password security.
When it comes to password management, and cyber security in general, nothing is 100 percent secure. If you are starting to become more concerned, read the privacy policies and terms and conditions of the websites and online businesses you use. See what they say about data breaches. Read the fine print.
If you do not approve of their policies pertaining to security issues, then do not use their services.
For more information on password management, check out: