A Breach at LastPass Has Password Lessons for Us All

While many of us were unplugging from the internet to spend time with loved ones over the holidays, LastPass, the maker of a popular security program for managing digital passwords, delivered the most unwanted gift. It published details about a recent security breach in which cybercriminals had obtained copies of customers’ password vaults, potentially exposing millions of people’s online information.

From a hacker’s perspective, this is the equivalent of hitting the jackpot.

When you use a password manager like LastPass or 1Password, it stores a list containing all of the user names and passwords for the sites and apps you use, including banking, health care, email and social networking accounts. It keeps track of that list, called the vault, in its online cloud so you have easy access to your passwords from any device. LastPass said hackers had stolen copies of the list of user names and passwords of every customer from the company’s servers.

This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But other than the obvious next step — to change all of your passwords if you used LastPass — there are important lessons that we can learn from this debacle, including that security products are not foolproof, especially when they store our sensitive data in the cloud.

First, it’s important to understand what happened: The company said intruders had gained access to its cloud database and obtained a copy of the data vaults of tens of millions of customers by using credentials and keys stolen from a LastPass employee.

LastPass, which published details about the breach in a blog post on Dec. 22, tried to reassure its users that their information was probably safe. It said that some parts of people’s vaults — like the website addresses for the sites they logged in to — were unencrypted, but that sensitive data, including user names and passwords, were encrypted. This would suggest that hackers could know the banking website someone used but not have the user name and password required to log into that person’s account.

Most important, the master passwords that users set up for unlocking their LastPass vaults were also encrypted. That means hackers would then have to crack the encrypted master passwords to get the rest of the passwords in each vault, which would be difficult to do so long as people used a unique, complex master password.
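As an added illustration that is not part of the article or LastPass's own code, the script below models the claim above: protected vault fields sit behind a key derived from the master password through a slow key-derivation function, so every guess against a stolen vault copy costs real compute, and the size of the master-password space decides whether guessing is feasible. The iteration count, character-set sizes and attacker parallelism are assumptions, not LastPass's settings.

```python
# Added illustration, not LastPass's code: a vault key is derived from the
# master password with a slow key-derivation function, so an attacker holding a
# stolen vault copy must pay that cost for every master-password guess.
import hashlib
import time

ITERATIONS = 600_000  # illustrative PBKDF2 work factor (assumed, not LastPass's)

def vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the 256-bit key protecting the encrypted vault fields."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)

def seconds_per_guess(iterations: int = ITERATIONS, trials: int = 3) -> float:
    """Measure the cost of one master-password guess on this machine."""
    salt = b"constructed-salt"  # constructed sample value
    start = time.perf_counter()
    for i in range(trials):
        vault_key(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / trials

def search_space(charset_size: int, length: int) -> int:
    """Guesses needed to exhaust every password of this charset and length."""
    return charset_size ** length

def years_to_exhaust(space: int, cost_per_guess: float, guessers: int = 1) -> float:
    """Wall-clock years for `guessers` parallel workers to try the whole space."""
    return space * cost_per_guess / guessers / (365 * 24 * 3600)

if __name__ == "__main__":
    cost = seconds_per_guess()
    print(f"one guess at {ITERATIONS} iterations: {cost * 1000:.1f} ms")
    # 8 lowercase letters versus 16 characters from the 95 printable ASCII set,
    # against 10,000 parallel guessers (an assumed attacker budget).
    for label, space in (("8 lowercase letters", search_space(26, 8)),
                         ("16 printable ASCII characters", search_space(95, 16))):
        print(f"{label}: {years_to_exhaust(space, cost, 10_000):.3g} years")
```

The weak class falls in days on the assumed budget while the strong one exceeds the age of the universe, which is the concrete content of "difficult to do so long as people used a unique, complex master password".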

Karim Toubba, the chief executive of LastPass, declined to be interviewed but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive vault data encrypted and secured. He also said it was users’ responsibility to “practice good password hygiene.”

Many security experts disagreed with Mr. Toubba’s optimistic spin and said every LastPass user should change all of his or her passwords.

“It is very serious,” said Sinan Eren, an executive at Barracuda, a security firm. “I would consider all those managed passwords compromised.”

Casey Ellis, the chief technology officer of the security firm Bugcrowd, said it was significant that intruders had access to the lists of website addresses that people used.

“Let’s say I’m coming after you,” Mr. Ellis said. “I can look at all the websites you have saved information for and use that to plan an attack. Every LastPass user has that data now in the hands of an adversary.”

Here are the lessons we can all learn from this breach to stay safer online.

The LastPass breach is a reminder that it is easier to set up safeguards for our most sensitive accounts before a breach occurs than to try to protect ourselves afterward. Here are some best practices we should all follow for our passwords; any LastPass user who had taken these steps ahead of time would have been relatively safe during this recent breach.

Let’s clarify one big thing: Whenever any company’s servers are breached and customer data is stolen, it’s the company’s fault for failing to protect you.

LastPass’s public response to the incident thrusts responsibility on the user, but we don’t have to accept that. Although it’s true that practicing “good password hygiene” would have helped to keep an account more secure in a breach, that doesn’t absolve the company of responsibility.

Though the breach of LastPass may feel damning, password managers in general are a useful tool because they make it more convenient to generate and store complex and unique passwords for our many internet accounts.

Internet security often involves weighing convenience versus risk. Mr. Ellis of Bugcrowd said the challenge with password security was that whenever the best practices were too complicated, people would default to whatever was easier — for example, using easily guessable passwords and repeating them across sites.

So don’t write off password managers. But remember that the LastPass breach demonstrates that you are always taking a risk when entrusting a company with storing your sensitive data in its cloud, as convenient as it is to have your password vault accessible on any of your devices.
