LastPass and What To Do Next

Breaking the News

For those of you who don’t follow this type of stuff... LastPass was breached.
First, why does that matter to anyone? It’s a good question if you don’t follow any security news, or maybe don’t know what LastPass is exactly. The short version is it’s the largest company that allows you to store passwords for all your things online. If you’re like me you already see the problem here, but to make it clearer I’ll just say that 30 Million people use this service to keep their passwords safe and secure. That kind of treasure trove is like the internet version of Smaug the Dragon’s hoard of gold in The Hobbit. You’re just inviting attacks, and that’s exactly what happened.

Wait But Why?

Why would you store your passwords online? Well, there are other alternatives for how to store your passwords.

  • Offline Password Vault
  • Paper Notebook that you cling onto for dear life.

There are other options beyond these but they’re so insecure that I feel irresponsible even listing them with that caveat. Suffice it to say, LastPass is one of the online tools that has offered relatively decent security (all my accounts have separate truly random passwords) alongside decent functionality for myself and my wife (we can share passwords seamlessly). It fits in that nice middle ground of all points on the technology triangle. See that HERE.

For me, I’ve used it for a decade now and still recommend them. I have seen them go through this in the past and they learned and changed enough that it rebuilt trust with me. I recommend everyone use some kind of password manager. Either an online one (LastPass or 1Password) or an offline Password Vault (RoboForm or KeePass XC). At the end of the day, even an offline vault is not 100% secure and can also be breached.

The question: will I stick with LastPass moving forward? Yes.

Everyone gets breached

Here’s the thing. It’s not a question of if you’ll get breached, it’s when. Speaking from industry expertise. There needs to be an awareness in any online security conversation that the weakest link in the chain is the human factor. In the LastPass situation this was also true. 31% of breaches are confirmed to occur because of users. When you realize that’s only the confirmed number, I would put money on the number actually being higher than that. When you consider the impact of that, user awareness is going to be THE BIGGEST differentiator in an organization being protected regardless of any other layers. The same is true for individuals. You need to talk to your kids about protecting themselves online. Same is true for you. As an individual contributor you can find free resources from KnowBe4 and ThreatAdvice. For your kids, you can get resources from the Center for Internet Security.

Quick chat about your place of work: If you have concerns about your company having a good cybersecurity posture, then I’ll say that simply buying a phish training/testing tool is a step but you have to know how to manage that and respond. It’s really that piece alongside the overall security posture of the organization that is where I love to help in a holistic way. Do you think having Antivirus with no phish training will protect you from a bad day? If you have concerns here from an org perspective, message me and let’s chat.
Ok, back to regularly scheduled programming of you as an individual with your own life outside of your company.

So moving to another online password tool makes less sense in that light. Why do that rather than see if LastPass takes this bad opportunity and uses it as tuition? So we’re staying. Now what?

Immediate danger

First, you have to decide if you’re in immediate danger. How secure was your master password? At this point that hasn’t been reported as compromised, but it’s only a matter of time until it is, and how much time depends on how simple or complex you made your master password. If you want a good read, Roger Grimes has a LinkedIn post that gives a great breakdown on the implications of this in context of the LastPass breach.
For a TLDR version of the concepts Roger presents I refer to one of my favorite xkcd posts often. Basically, the longer the better. My last one was over 24 characters, so I hopefully have some time. Even with that, notice I’m still basing that on hopes.

Password Strength is easier than we think.

So, how secure yours was will determine the speed at which you need to change all your passwords.

Moving forward you should make your new master password with the following considerations:

  • 24 or more characters
  • Numbers, Upper and LowerCase Letters, Weird Character
  • Capital Letter NOT at the beginning
  • Weird Character NOT at the end

Urgent vs important

Once you’ve changed your Master, you’ll still need to change all your passwords stored in LastPass. I know that’s a bear. I have over 500 passwords that now need to be changed. I didn’t mistype. I’m sure that’s a lot to some users and light to others. So what do you do? Burn days on end and just power through? It’s an option and if you had a weak (12 character) password, then you might want to do that. Most of us have families and jobs. So how do you deal with that?

Think in terms of impact. This is truly an Important thing, but if your password was secure, it reduces the urgency a tiny bit.
A note about MFA: If you MFA most things, it helps but you still need to address your passwords. It's a layer and it's not foolproof. It simply delays the impact longer to give you more time to change your passwords.
So, in terms of impact I took a shot at the list. This probably isn’t perfect, but remember “Security is a bear race” and if you work down in this order over the next few weeks then you’ll be doing better than some others.

  1. First Layer
    • Local Computer
    • Email
    • Phone Accounts
    • Government Accounts (SSN, CAD, etc), Bank Accounts
    • These are the front doors where people get access to all the other parts of your life. (e.g. email and phone for MFA, gov accounts for identity, bank for $’s)
  2. Second Layer
    • Core Business Tools
    • Secondary Finance Services (Paypal, Venmo)
    • Donation Sites (non-profit accounts)
    • Investment Accounts
    • Domain Registrations (DNS is a powerful security tool)
    • Health Records
    • Security Services
    • Local Network Infrastructure (your home router, etc)
  3. Third Layer
    • Productivity Tools
    • Music
    • Entertainment
    • Shopping
  4. Fourth Layer
    • Travel Sites
    • Social Media
    • Exercise

This isn’t a holistic list, but you could take it and glean the concepts about order of importance in changing whatever passwords you have. It breaks the big elephant down into smaller chunks.
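
One way to turn the layers above into a work queue, as an added example that is not part of the original post: the sketch below sorts a password-manager CSV export by layer. The column names (name, url, grouping), the keyword matching and the sample rows are assumptions made for illustration; the password column is never copied into the output.

```python
import csv
import io

# Keywords per layer, taken from the list above; the matching rule is an assumption.
LAYERS = {
    1: ("computer", "email", "phone", "government", "bank"),
    2: ("business", "paypal", "venmo", "donation", "investment", "domain",
        "health", "security", "router", "network"),
    3: ("productivity", "music", "entertainment", "shopping"),
    4: ("travel", "social", "exercise"),
}
UNCLASSIFIED = 0  # sorts first so a human decides instead of it sinking to the bottom


def layer_for(entry):
    """Return the most urgent layer whose keyword appears in the folder or name."""
    text = f"{entry.get('grouping', '')} {entry.get('name', '')}".lower()
    for layer in sorted(LAYERS):
        if any(word in text for word in LAYERS[layer]):
            return layer
    return UNCLASSIFIED


def rotation_queue(csv_text):
    """Build (layer, name, url) rows sorted by urgency; secrets are never copied."""
    rows = []
    for entry in csv.DictReader(io.StringIO(csv_text)):
        rows.append((layer_for(entry), entry.get("name", ""), entry.get("url", "")))
    return sorted(rows)


# Constructed sample export; no real accounts or passwords.
SAMPLE = """url,username,password,name,grouping
https://music.example,me,REDACTED,Streaming,Music
https://mail.example,me,REDACTED,Personal mail,Email
https://pay.example,me,REDACTED,PayPal,Finance
https://bank.example,me,REDACTED,Checking,Bank Accounts
https://forum.example,me,REDACTED,Old forum,
https://fly.example,me,REDACTED,Airline miles,Travel
"""

if __name__ == "__main__":
    for layer, name, url in rotation_queue(SAMPLE):
        label = "REVIEW" if layer == UNCLASSIFIED else f"Layer {layer}"
        print(f"{label:8} {name:15} {url}")
```

Entries that match no keyword come out first as REVIEW so they get placed in a layer by hand; delete the export file once the queue is built, since it holds every password in plain text.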

Digital Spring Cleaning

The other thing to think about that makes me less upset about this is that it’s good to do a digital “spring cleaning” every so often. I generally do it once per year on making sure everything is up to date and any passwords that don’t automatically change get changed. In this case, I’m changing all of them. Also, 500+ is a lot and I’ve already found some where the accounts simply don’t exist any longer. So I’m removing some as I go. My wife and I also created a shared folder for accounts to be deleted where we can file away accounts that still exist and shouldn’t. So we can reduce our footprint on the internet. This will get more of our data out of places that can be compromised and reduce our own risk.

Like anything else in life, things must be maintained. So feel free to take the steps above and begin scheduling your digital yearly cleaning.

Moving Forward

Now the final thing is that, regardless of who likes this, there’s more data about you that’s now out there. Changing your master password and all your individual passwords was A step. There are still some things to do now that things have changed.
First – Enable MFA on your password manager... and generally any other thing that you’re allowed to. It’s just helpful.
Second – Be aware that a lot of new people will now suddenly know your email (refer to my earlier paragraph about user training). Don’t fall for Phishing attempts. Also they’re getting smarter, so be on the lookout.
Third – This is a pro tip: Links in email can be dangerous. When you get an email from a company whose services you subscribe to about signing onto your account to do something, sometimes that email provides a link to be helpful and it may, or may not, be legit. It’s easy enough to not click the link and to simply go to your account directly.
Fourth – There is NO GOOD reason for anyone to ask you for your password. LastPass will never do it. Microsoft will never do it. Google will never do it. No one who’s legitimate will do this. Don’t fall for it.

Be a Realist…and Maintain Hope

The internet is a place that has enabled so many wonderful things. However, in times like these the internet can be frustrating, at best, and dangerous, at worst. So it’s not a great situation, but given the imperfections in the world we should look at the good side of it along with the bad.

In light of that, something I’ve read seems to encompass this situation well.

“Here is the world. Beautiful and terrible things will happen. Don’t be afraid.”

Frederick Buechner