Password managers are programs that let you store an ever-growing list of online credentials in a safe location. These programs remove the need to record this information insecurely, such as by emailing it to yourself or writing it on Post-it Notes.
Many security experts advise clients to use these programs as part of best security practices because they also let you create strong and unique passwords for each online account you have. Additionally, some programs alert you if you duplicate a password across different accounts and can notify you if your password has appeared in a known data breach.
However, if your program’s secure vault is compromised, it potentially puts every one of your online accounts at risk of compromise. This issue drew my attention following last year’s extensive LastPass breach incident.
In 2022, there were multiple breaches at LastPass. In addition to putting the response and actions of LastPass under the spotlight, the incidents have raised questions over the safety of storing multiple login credentials on password managers altogether.
LastPass announced in late August 2022 that “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account.” This enabled the attacker to take portions of source code and some proprietary LastPass technical information.
After conducting an investigation and forensic review, LastPass said it found no further evidence of activity from the threat actor. The unauthorized access was limited to its development system, which is “physically separated” from its production environment.
At the end of November, they made another announcement that an unauthorized party had gained access to a third-party cloud storage device. This new breach was enabled by the information gained by the attacker during the original August incident.
And a few days before Christmas, the firm informed users that attackers had accessed encrypted customer data (username, password, and notes) and unencrypted data (the website addresses of customers’ online accounts).
Do I believe you should keep your LastPass account following this last episode? No, but the damage has already been done. There is a high likelihood that your account may have been compromised. If you still want to continue using LastPass, there are three things you must do.
- First, you must strengthen your master password and ensure it is unique, long, and complex.
- Second, as an extra security precaution, you should change the passwords for the websites you have stored in the service.
- Third, you should be on the lookout for targeted phishing attempts in the coming months, since the attackers now have your unencrypted contact information and the addresses of the websites you use.
I have reviewed these services over the years and have not found one I have felt entirely comfortable using, and I have not only my own accounts to manage but many of my clients' accounts. I hate to say it, but the safest and most secure way of managing your passwords is to use a notebook and write them down.
If you use a document or spreadsheet and your computer is ever compromised, you will lose that information, and bad actors will use it against you.
What is the best way to implement this Luddite approach? Have one page per account, and write the name and website address at the top. Have a one-line entry per password, preferably with the date you first used it. If you must change a password, cross out that line and write a new one, along with the date you created it.
The more complex we have made our lives by thinking that computers would make things easier for us, the more I think we need to use simple methods to maintain our security.