Considering an app to manage your passwords?

Right before Christmas, LastPass left out an unwelcome present for users of its password-manager service: a Dec. 22 update to a “Notice of Recent Security Incident” post reporting that the unknown attackers behind a breach the company first revealed in August had managed to “copy a backup of customer vault data.”

The data now at risk includes web addresses, usernames and passwords for saved logins. Because the last two remain encrypted, the post advised LastPass users not to panic: the attackers would need either extraordinarily good luck or an extraordinarily long time to unlock any one vault by trying random passwords, one after another.

“Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices,” CEO Karim Toubba wrote in the post.

Are password managers easily hacked?

But customers often ignore best-practice instructions to choose unique and complex passwords for every account and instead fall back on familiar and simple passwords. Research repeatedly finds people admitting password reuse; in one small survey conducted in 2021, 24% of respondents reported that they reused an older password to secure their password-manager account.

Password manager services emphasize the importance of picking new and complicated master passwords, but they’re not equally strict about it. Toubba’s post, for example, mentions that LastPass did not require master passwords be at least 12 characters long until 2018, and outside researchers have found that LastPass used simpler techniques before then to generate encryption keys from these master passwords.
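As an added illustration (not code from the article, from LastPass or from the researchers it mentions) of why key-derivation settings and master-password length both matter, the Python below stretches a master password into a vault key with PBKDF2-HMAC-SHA256 at two constructed iteration counts and estimates how long exhaustive guessing would take at the measured per-guess cost. The iteration counts, salt, and password sizes are assumptions made for this example, not LastPass's actual settings, which the article does not state.

```python
import hashlib
import os
import time

# Illustrative iteration counts, constructed for this example; they are not
# LastPass's actual settings (the article gives none).
LOW_ITERATIONS = 5_000
HIGH_ITERATIONS = 600_000
KEY_LEN = 32  # 256-bit vault key
SECONDS_PER_YEAR = 31_557_600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a vault encryption key with PBKDF2-HMAC-SHA256.

    The same password and salt always yield the same key, which is what lets the
    client decrypt the vault; the iteration count sets how much work each
    derivation, and therefore each attacker guess, costs.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def seconds_per_guess(salt: bytes, iterations: int, sample_password: str = "sample") -> float:
    """Measure how long one derivation takes on this machine at a given iteration count."""
    start = time.perf_counter()
    derive_vault_key(sample_password, salt, iterations)
    return time.perf_counter() - start


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of a given length over an alphabet."""
    return alphabet_size ** length


def expected_bruteforce_seconds(space: int, cost_per_guess: float) -> float:
    """Expected time for a single-threaded guesser to find the password:
    on average it must try half the search space."""
    return (space / 2) * cost_per_guess


if __name__ == "__main__":
    salt = os.urandom(16)  # per-user salt, constructed here
    for iters in (LOW_ITERATIONS, HIGH_ITERATIONS):
        cost = seconds_per_guess(salt, iters)
        # Constructed comparison: an 8-character lowercase password versus a
        # 12-character password drawn from 62 letters and digits.
        for alphabet, length in ((26, 8), (62, 12)):
            secs = expected_bruteforce_seconds(search_space(alphabet, length), cost)
            print(f"{iters:>7} iterations, {alphabet}^{length} space: "
                  f"{cost * 1000:.2f} ms/guess, ~{secs / SECONDS_PER_YEAR:.3g} years")
```

The estimate assumes one guess at a time on ordinary hardware, so it is a lower bound on attacker effort only in the sense that real attackers run many guesses in parallel; the point it demonstrates is that a higher iteration count multiplies every guess's cost, while a longer password over a larger alphabet multiplies the number of guesses needed, and a password already leaked elsewhere gets neither benefit.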

LastPass did not return two emails requesting comment.

If you recycled an older password for your LastPass account, you face the highest risk, because that old password may already have been exposed in a data breach, making it easy for attackers to try it against a copy of your data vault, an attack technique called “credential stuffing.”

“Just changing your LastPass password will not help here, as the old password will still be what’s protecting the stolen password files,” Sean Gallagher, principal threat researcher at Sophos, wrote in an email. He advised LastPass users to change passwords they’d saved in the service, as tedious as that may get.

Observing that “password cracking may not be necessary if the attackers can get the master key passwords by other means,” Gallagher warned LastPass users to be wary of phishing emails purporting to be password-change requests from LastPass. 

Is it worth paying for a password manager?

The case for password managers in general remains strong. Apple and Google provide limited services for free, while third-party apps from Bitwarden (free and paid options available) and 1Password (paid only) consistently do well in independent reviews, offer better cross-platform compatibility, and don’t require you to put so many digital eggs into one giant tech company’s basket.

“Despite the LastPass breach, I still strongly recommend that people use password managers,” emailed Lorrie Faith Cranor, director of Carnegie Mellon University’s CyLab Security and Privacy Institute and a former chief technologist at the Federal Trade Commission. 

As she told USA TODAY in 2021: “If you adopt a password manager, you don’t have to think about coming up with unique and strong passwords anymore and you don’t have to figure out how you are going to remember them.”

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, email Rob at rob@robpegoraro.com. Follow him on Twitter at twitter.com/robpegoraro.
