LastPass Security Breach Are your passwords secure?

In light of the recent breach of LastPass password manager, we want to ensure that you have the knowledge and tools you need to be able to mitigate any risks to which you may have been exposed.

If you use or have used LastPass to store any passwords or sensitive notes, please be aware that you are at risk. Updating your master password now will NOT secure your information. The hackers have the encrypted data that was encrypted using your old master password and changing it now will not change that fact. Be very careful not to expose yourself further by falling prey to a phishing campaign.

Take Action

  1. Change all of your passwords immediately and ensure that the passwords you choose are strong and secure.
    • Manually change all of your passwords as soon as possible. Ensure that you are logging into the correct service when changing your password and do NOT follow any suspicious email links that are asking you to change your password.
    • In order to change your password for VSTracking, login to your account, click on the gear wheel in the upper right corner of the screen and select My Profile. From your profile you can change your password using the Change Password button located in the center of your screen.
    • VSTracking will enforce a minimum strength password. See this chart for an idea of how the strength of your password can protect you from a brute force attack.
  2. Enable Multi Factor Authentication wherever possible.
    • VSTracking now has Multi Factor Authentication available. Users can enable MFA by adding a device under their My Profile page and Administrators can enforce it as mandatory through the Additional Settings – Security Options section of the Admin area.
    • MFA is currently only available via SMS using a TOTP (Time-based One-Time Password), but we are rolling out some additional security options in the form of device-based TOTP authentication targeting the 4th quarter of 2023.
  3. Consider changing your passwords regularly.
    • VSTracking now allows you to enforce a 90 day password expiration policy. Administrators can access this through the Additional Settings – Security Options section of the Admin area.
    • If you choose to enforce regular password changes, we recommend that you use a random password generator with a minimum of 12 characters and to store them in an encrypted vault.
  4. Consider generating a unique password every time.
    • VSTracking now allows you to enforce passwords to be unique from the previous 10 passwords that a user has used.

Brute Force Attacks

Now that this breach has happened, even though your vault is encrypted, the hackers will have multiple tools to decrypt your vault. The most obvious way they will use is to attempt to unlock the vault using brute force attacks. In simplistic terms this means they can run a program to try every unique string until one successfully opens the vault. Depending on the strength of your password, this could take anywhere from instantaneously, to days, years or even centuries. Take a look at this chart for an idea of how long it may take to crack your password.

Phishing Campaigns

A second less obvious way that you may be at risk is through phishing campaigns. LastPass encrypts every one of your usernames and passwords, but unfortunately, they did not encrypt your URLs. This means that the hackers will have a list of all of the sites for which you have a user. This makes it easy for them to send targeting phishing emails, texts, or notifications. Some of these campaigns can be very convincing and will likely attempt to use the actual breach as a pretext for the campaign. For example, they may send an email, presumably from Amazon or Facebook or some other website which warns you that your password has been compromised and to change it immediately. Rather than taking you to the real site to change it, however, they will direct you to a phishing site from which they will collect your password as soon as you submit it. The site will often look very similar to the real site and will have a very similar url (ie. amazone.com or faceebook.com).

Additional Discussion

Password management and security is a hotly debated topic and there are many differing opinions on the best way to do things. The fact of the matter is that there are pros and cons to most solutions and what works for one person or organization may not work for another. Consider your options carefully and make a decision that is right for you. Below are some additional resources to help you take control of your own security practices.

Password Managers

Password managers have become an important resource in helping users to keep track of their passwords in a secure and easy-to-use manner, but as we have seen with the recent breach, they are not without flaws. Choosing the right password manager can be a challenge.

Should you choose a local password manager or a cloud-based manager?

Which product offers the best security?

If you store your passwords on your computer or device, then you risk losing access to your passwords if your device is lost or stolen. However, if you choose a cloud-based solution then you put your passwords in the custody of a third party who may get hacked or go out of business or otherwise lose or mismanage your passwords. Here are some of the best solutions, both local and cloud-based:

  • KeePassXC – KeePassXC is an open source free software, cross-platform, locally-based password manager. It can be a little harder to setup than some of its competitors, but the added security may be worth it. Plus it is free.
  • BitWarden – BitWarden is easy to install and use and passwords can be easily imported from other platforms. The standard solution is cloud-based, but they offer the option to self-host your vault for advanced users. They offer both free and paid services and flexible vault storage and the software is open source.
  • 1Password – 1Password is a trusted cloud-based password manager. It encrypts your data in an online vault that is secured using a secret key that is only ever stored on your device. They have plans starting at $2.99/mo for personal use and $7.99/mo for businesses.
  • Built-In Browser Password Manager – most browsers have a built-in password manager. While they may be convenient, they vary greatly in their security and it is not always easy to discover their vulnerabilities. In many cases, however, the security and features of your browser’s built-in password manager will be sufficient if you are working on a private computer. Do not use on a public computer.

 

Posted in