
Cyber Hygiene: What does the LastPass attack mean for password managers?

Published 30/12/2022, 11:26 am

LastPass, one of the most popular password managers, has revealed that the customer data for its 25.6 million users has been significantly compromised. The news comes as the fallout grows from a previously disclosed breach that occurred in August.

In a blog post, the company’s CEO Karim Toubba said that unknown threat actors had accessed and copied a cloud-based backup of customer vault data, including encrypted passwords, usernames and form-filled data.

Although LastPass customers’ master passwords are “heavily” encrypted and should still be protected, the company is urging customers with weak master passwords to “consider minimising risk by changing passwords of websites you have stored”, which doesn’t inspire huge confidence.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our zero-knowledge architecture,” Toubba added.

The breach of the password vault means that the hackers get unlimited offline attempts at guessing the master passwords that protect it; however, a strong master password may take ‘millions of years’ to crack through brute-force techniques.
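As an added illustration of the point above (not part of the article): the vault key is derived from the master password with a slow key derivation function, so an attacker holding a stolen vault copy can only test guesses at the rate that function allows, and the cost grows with both master-password entropy and the KDF’s iteration count. PBKDF2-HMAC-SHA256, the iteration count and the guessing rate below are constructed assumptions for the example, not LastPass’s actual parameters.

```python
import hashlib
import math

# Constructed assumptions for illustration only: neither LastPass's real
# settings nor a measurement of any real attacker's hardware.
PBKDF2_ITERATIONS = 100_100
GUESSES_PER_SECOND_AT_ONE_ITERATION = 1e10  # assumed offline guessing rate


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the 256-bit vault key from the master password on the client.

    Only this derived key can decrypt the vault's AES-256 fields; the server
    never sees the master password, which is the 'zero-knowledge' property.
    Each guess an attacker makes must pay for the full iteration count."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def password_entropy_bits(password: str) -> float:
    """Upper-bound entropy: treat the password as a uniformly random draw
    from the union of the character classes it actually uses."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def years_to_exhaust(password: str, iterations: int = PBKDF2_ITERATIONS,
                     rate: float = GUESSES_PER_SECOND_AT_ONE_ITERATION) -> float:
    """Worst-case years to try every password of the same shape offline.

    The KDF divides the attacker's raw rate by its iteration count, so a
    higher count and a longer, more varied master password both add cost."""
    guesses = 2 ** password_entropy_bits(password)
    seconds = guesses / (rate / iterations)
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3"):
        print(f"{pw!r}: {password_entropy_bits(pw):.1f} bits, "
              f"~{years_to_exhaust(pw):.2e} years to exhaust")
```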

Furthermore, the breach of customer data for the password manager’s millions of users is fodder for a string of phishing attacks to come.

Let’s face it, the attack doesn’t mean that we have to ditch password managers altogether; however, we can look at better options, so here are some of them.

Don’t go back to browsers

As many of you might already know, most of the popular internet browsers have inbuilt, rudimentary password managers. It's the easiest choice, but not the best.

Over the years, Google (NASDAQ:GOOGL) has significantly improved the password manager built into Chrome; however, it neither offers the security of, nor is as widely supported as, a dedicated password manager.

Firstly, browser password managers do not enforce a strong master password, or strong passwords at all, and this is a recipe for disaster.

In addition, the browser’s autofill feature can reveal a stored password within seconds to an attacker who has remote access to the device.

Furthermore, interoperability between competing devices and operating systems has been a challenge for browser-based password managers.

1Password - Paid

If you are willing to shell out, 1Password comes highly recommended.

Integrated with the Have I Been Pwned database, it alerts you whenever one of your stored accounts or passwords appears in a known data breach.

Like other password managers, 1Password has apps and browser extensions that work just about everywhere, including MacOS, iOS, Android, Windows, Linux, and Chrome OS.

The highlight is the ‘Travel Mode’ which lets you delete any sensitive data from your devices before you travel and then restore it with a click after you've crossed a border.

This prevents anyone, even law enforcement at international borders, from accessing your complete password vault.

In addition to being a password manager, 1Password can act as an authentication app like Google Authenticator, and for added security it combines a locally generated Secret Key with your account password to derive the encryption key it uses, meaning no one can decrypt your passwords without that key.

1Password also has a workaround for the autofill vulnerability that plagues many password managers.

Bitwarden - Free

If you are looking for a secure, open source and free password manager, Bitwarden is the way to go.

Its open-source nature makes it available for anyone to inspect its code, hunt for bugs and vulnerabilities and offer solutions to fix them.

The password manager offers apps for Android, iOS, Windows, MacOS and Linux, as well as extensions for all major web browsers.

Bitwarden also has support for Windows Hello and Touch ID on its desktop apps for Windows and MacOS, giving you the added security of those biometric authentication systems.

The premium version gives you access to a plethora of additional features; however, there is no limit on the number of passwords you can store on the free version.

Password managers are still the way to go

After the LastPass attack, using a password manager at all may not sound encouraging.

However, would you stop using browsers if Mozilla was compromised?

Perhaps password managers are not for you if you can remember unique, 12-character complex passwords for each of your accounts.

If you can’t do that, then password managers are still the only path forward.

If entrusting all your passwords to the cloud makes you uncomfortable, consider using a local password storage program on your computers, such as RoboForm, Password Safe or KeePass.

Again, take care to pick a strong master password, but one that you can remember. If you forget the master password, you are pretty much out of luck.

Read more on Proactive Investors AU
