The expert response to LastPass’s latest breach

Being secure online often requires putting some amount of trust into companies that claim to have our best interests at heart. While these security companies may indeed have their users’ best interests at heart, that’s not enough to prevent security breaches. When a breach then occurs, it can shake people’s trust in what was once considered a foolproof element of security.

That’s precisely what has been happening with LastPass over the last few weeks. A company once held up as a beacon in password security revealed that hackers managed to gain access to user password vaults. Basically, their key promise to customers was broken.

In this article, we’ll go through the ins and outs of the LastPass breach, how the company handled it, and whether or not you should use a password manager going forward. Let’s get into it. 

The latest breach

LastPass had a few security scares in 2022, but reassured customers that everything was fine. Unfortunately, in December, the company posted an update to its advice regarding their August breach, revealing this was not actually the case. As it turned out, malicious actors had managed to copy customers’ data and encrypted password vaults.

According to the company, hackers stole some source code and technical information, using it to target an employee and steal credentials and keys for accessing and decrypting several storage volumes within the company’s cloud-based storage service. The threat actor managed to access basic customer account information, end-user names, billing addresses, email addresses, telephone numbers, and customer IP addresses. 

Despite the password vaults being stolen, LastPass assured customers that it wouldn’t be possible to access their actual passwords since they’re protected by “256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password”. They said that master passwords should be impossible to crack, and that theoretically it would take a million years even using the latest available technology. 

However, security experts have not responded well to LastPass’s update, accusing the company of playing down the seriousness of the situation and even holding back information.

The expert response

According to The Verge, Wladimir Palant, who helped develop AdBlock Pro, is one security researcher who’s unhappy with how LastPass has handled the situation. He believes the company is trying to portray the August breach and the latest incident as two separate incidents when in reality, it simply failed to contain the initial breach.

He has also cast doubt on the company’s claim that a user’s master password would take a million years to crack, considering the company doesn’t enforce password best practices. This is despite the company claiming that 12-character passwords have been the default since 2018. Palant said, “I can log in with my eight-character password without any warnings or prompts to change it.” Jeffrey Goldberg, 1Password’s principal security architect, also weighed in on the claim, stating that it presumes users create their passwords through a completely random process, such as a password generator. Goldberg believes that all human-created passwords are crackable and could potentially be cracked quickly, for the price of $100.
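The dispute above comes down to arithmetic: the attacker's cost is set by the entropy of the master password and the cost of the key derivation, not by the 256-bit AES key. The following added example (not from the article, LastPass or any of the researchers quoted) derives a vault key with PBKDF2-HMAC-SHA256 and compares the expected cracking time for a generator-produced 12-character password against a human-chosen one; the iteration count, attacker hash rate, salt and the 2^30 candidate-list size for human passwords are all assumptions, not LastPass's real parameters.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit AES key with PBKDF2-HMAC-SHA256.

    Generic construction only; the salt and iteration count are assumptions,
    not LastPass's actual parameters."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def random_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random, e.g. by a generator."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(entropy_bits: float, kdf_iterations: int,
                     hashes_per_second: float) -> float:
    """Expected years for an offline attacker holding the vault to hit the password.

    Every candidate costs kdf_iterations hash computations, so the guess rate is
    hashes_per_second / kdf_iterations; on average half the space is searched."""
    guesses_per_second = hashes_per_second / kdf_iterations
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed figures: 1e9 SHA-256/s attacker throughput, 100,000 PBKDF2 iterations.
    HASH_RATE = 1e9
    ITERS = 100_000
    key = derive_vault_key("correct horse battery staple", b"per-user-salt", ITERS)
    print(f"derived 256-bit key: {key.hex()}")
    # The vendor's assumption: 12 characters drawn at random from 95 printable ASCII.
    strong = random_password_entropy_bits(12, 95)   # about 78.8 bits
    # Goldberg's objection: a human-chosen password inside an assumed 2^30 candidate list.
    human = 30.0
    for label, bits in (("random 12-char", strong), ("human-chosen", human)):
        years = years_to_exhaust(bits, ITERS, HASH_RATE)
        print(f"{label:15s} {bits:5.1f} bits -> {years:.3g} years")
```

With these assumed figures the random password holds for hundreds of billions of years while the human-chosen one falls in under a day, which is why the "million years" claim only holds if the password really was generated at random.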

It’s also not insignificant that these hackers have access to all the URLs users have saved passwords for. Palant has expressed concern that hackers could paint a complete profile of users from that information. It could also be dangerous for users whose vaults show they access websites with information that’s illegal in their country.

What you should do about it

As some experts say, if you use LastPass, now is probably the time to move to a different password manager, especially considering it’s the company’s seventh security incident in just over ten years. Don’t let it turn you off password managers entirely, though. Experts say they are still a better option than the alternative, even with this recent controversy. Your best bet is going for a manager that encrypts everything, not just your passwords. And you should always use the strongest password possible for your master password. Don’t leave it to chance.
