
LastPass Breach, and Password Management

posted Jun 16, 2015, 7:27 AM by Craig Cox   [ updated Jun 17, 2015, 6:17 AM ]
The urgent piece of this post is that LastPass has had a compromise.  If you are a LastPass user, you probably already received the email asking you to change your master password.  If you have a strong master password, and you change it for a completely different strong password within a day or two of the breach, you should be OK.  Brian Krebs has more details (as usual).

(Edit:  The hackers did get the email address that customers use to log in, and the password reminder hints.  These two things could easily be used as bait in phishing emails.  If you're a LastPass user, be watching for the phish.)

If you have taken my Passwords workshop, or read over the password tips page on this site, you know that I recommend LastPass (and use it personally).  Why on earth would a so-called security expert recommend a cloud password service when they can get compromised?  Here's the thinking:

1.  Most of us have too many password-protected web services to remember strong, unique passwords for each one.
2.  They need to be unique, so that a hacker who compromises (for example) Facebook doesn't get your bank password at the same time.
3.  They need to be strong, so that if a hacker gets (for example) your bank's hashed password list, it will take him days or longer to break your password instead of minutes.  This gives you time to change it, so the password he eventually learns is useless.
4.  A password manager kept on your own thumb drive is wonderful -- IF AND ONLY IF YOU KEEP IT BACKED UP RELIGIOUSLY.  I also keep a KeePass database on a thumb drive.  Every weekend, without fail, I copy the one I use on the thumb drive to two other devices in different locations.  If anything happens to any one of those three devices, I still have my passwords on the other two.  Backups are important -- and I provide tips about those as well -- but if you just haven't made the time to do backups regularly, then you shouldn't bet all your access on a single device.
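The weekly copy-to-two-devices routine in item 4, as an added example that is not part of the original post: the script below copies a database file to each destination as a dated copy and checks each copy's SHA-256 against the original, because a copy you never verified is not a backup. The file name, the two "device" directories and the database contents are constructed for the demo; point `backup_database` at your real .kdbx and your real mount points.

```python
import hashlib
import shutil
import tempfile
from datetime import date
from pathlib import Path


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_database(src, destinations, stamp=None):
    """Copy the database at src into each destination directory as a dated
    copy (name-YYYY-MM-DD.ext) and verify it byte-for-byte via SHA-256.
    Returns the list of verified copies; raises if any copy does not match."""
    src = Path(src)
    stamp = stamp or date.today().isoformat()
    expected = sha256_of(src)
    copies = []
    for dest in destinations:
        dest = Path(dest)
        dest.mkdir(parents=True, exist_ok=True)
        target = dest / f"{src.stem}-{stamp}{src.suffix}"
        shutil.copy2(src, target)  # copy2 preserves the modification time
        if sha256_of(target) != expected:
            raise RuntimeError(f"backup at {target} does not match {src}")
        copies.append(target)
    return copies


def verify_backups(src, copies):
    """Re-check earlier copies against the live database.
    Returns {copy_path: True/False}; False means restore from another copy."""
    expected = sha256_of(src)
    return {str(c): (Path(c).exists() and sha256_of(c) == expected) for c in copies}


def demo():
    """Self-contained run on constructed data: a fake database file and two
    'devices' (temporary directories). Afterwards one copy is deliberately
    corrupted to show that verification catches a failing device."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        db = tmp / "passwords.kdbx"
        db.write_bytes(b"constructed fake KeePass database contents " * 100)
        devices = [tmp / "usb_drive", tmp / "home_nas"]  # assumed mount points
        copies = backup_database(db, devices, stamp="2015-06-14")
        before = verify_backups(db, copies)
        copies[0].write_bytes(b"corrupted")  # simulate a failing device
        after = verify_backups(db, copies)
        return {
            "names": [c.name for c in copies],
            "verified_before": list(before.values()),
            "verified_after": list(after.values()),
        }


if __name__ == "__main__":
    print(demo())
```

Run `verify_backups` on the previous weekend's copies before overwriting anything, so a silently failing drive shows up while the other two copies are still good.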

So risks that need to be balanced are (a) the possibility you might need to quickly change your LastPass master password, versus (b) the risk of a thumb drive failing with all your passwords on it.  In my mind, cloud-based password storage represents the lowest risk.

(Update 6/17:  I see that security expert Graham Cluley has also written in support of password managers, in spite of this breach.)

And that very strong master password for LastPass?  Recent research shows that you can remember more complex passwords than you think you can.  At the end of the article, one of the researchers mentions that he keeps his new passwords written on a scrap of paper, kept in his wallet, until he memorizes it.  While I personally prefer 15-20 characters built according to the advice linked above, there is a point to the wallet storage:  You will protect your password as well as you protect your cash and credit cards.  If you have ever lost your wallet, this advice may not be suitable for you.

That article also mentions the use of dice to generate pass phrases.  This refers to Diceware: you roll five dice per word and look up the resulting five-digit number in a list of 7,776 words, so the words are chosen by the dice rather than by you.
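A worked version of the Diceware idea, and of the "strong enough to buy you time" argument in item 3 above, as an added example that is not part of the original post. The word list below is a constructed 36-word stand-in indexed by two dice (the real Diceware list has 7,776 words indexed by five dice; the code handles any list whose length is a power of six). The entropy and crack-time figures are straightforward arithmetic; the guesses-per-second rate in the demo is an assumed number, not a measurement.

```python
import math
import secrets

# Constructed toy word list: 36 words, one per two-dice roll (1-1 .. 6-6).
# Stand-in for the real 7,776-word Diceware list so the example runs offline.
TOY_WORDLIST = [
    "acid", "bark", "cave", "dusk", "echo", "fern",
    "gust", "hive", "iron", "jade", "kelp", "lava",
    "moss", "nail", "opal", "palm", "quay", "reed",
    "silk", "tide", "urge", "vale", "wasp", "yarn",
    "zinc", "amber", "bison", "cedar", "delta", "ember",
    "flint", "grove", "heron", "ivory", "jewel", "knoll",
]


def roll_dice(n_dice):
    """Roll n_dice fair dice using the OS CSPRNG (not the random module)."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n_dice))


def dice_to_index(rolls):
    """Map a roll such as (1,1) or (6,6,6,6,6) to 0 .. 6**n - 1 by reading
    the dice as a base-6 number, which is how a Diceware lookup works."""
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def generate_passphrase(wordlist, n_words):
    """Pick n_words uniformly at random from wordlist by rolling dice."""
    n_dice = round(math.log(len(wordlist), 6))
    if 6 ** n_dice != len(wordlist):
        raise ValueError("wordlist length must be a power of 6")
    return " ".join(
        wordlist[dice_to_index(roll_dice(n_dice))] for _ in range(n_words)
    )


def entropy_bits(choices, length):
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an attacker guessing at the given rate; on average
    half the keyspace must be searched."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    print("toy passphrase:", generate_passphrase(TOY_WORDLIST, 6))
    rate = 1e10  # assumed guesses/second for a fast hash; real rates vary widely
    for label, bits in [
        ("6 real Diceware words", entropy_bits(7776, 6)),
        ("15 random printable chars", entropy_bits(95, 15)),
        ("8 lowercase letters", entropy_bits(26, 8)),
    ]:
        days = expected_crack_seconds(bits, rate) / 86400
        print(f"{label}: {bits:.1f} bits, ~{days:.3g} days at {rate:.0e}/s")
```

The last case is the cautionary one: eight lowercase letters fall in well under a second at that rate, which is why the post insists on length. The crack-time estimate only holds if the site hashes passwords with a slow, salted function; a fast unsalted hash shrinks the attacker's cost by orders of magnitude, and a password reused on another site needs no cracking at all.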