We had loved LastPass so much that we had actually called it The Best Password Manager. So, when the story of the hack broke a while ago, we were all in a state of shock. But does that mean everyone ought to ditch LastPass and use something else? Are your passwords safe in the cloud? Can we trust the company again? That’s what we’re trying to find out.
Needless to say, this is the first thing that needs to be done. Panicking, or worse, spreading false information via any medium, is just not the right way to respond to any crisis. While it’s natural to feel scared when you read news like this, you have to realize that unnecessary panic just does not serve any purpose. In their blog post, LastPass has made it clear, and we quote,
In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.
Yes, it does go on to say that
The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
But what does this mean, you ask? Simply stated, it means that while your passwords (the encrypted vault) were not taken, the other account information listed above may have been. For that, again, the blog post has already given a few helpful tips.
Yes, password manager data is stored in the cloud, but it is encrypted on your own computer before it is ever uploaded. And even though a cloud architecture does involve a slight risk, you can still rest easy knowing that nothing is stored there unencrypted. That includes all your passwords.
This old adage could never be more relevant than in these times of internet snooping and loss of privacy. Here are some steps that you should follow when it comes to your LastPass account, to ensure you don’t lose your sleep over such incidents.
Change the Master Password
To change the Master Password in LastPass, click Preferences, where you will find the Account settings section on the left. Clicking that gives you the option Click here to launch account settings, as shown below.
This opens a new tab, where all you need to do is hit the Change Master Password button and pick a new (and stronger) one.
That’s it. The single most important step to take after this incident is done!
2-Factor Authentication and Other Security Options
We feel it is a good idea to use 2-Factor Authentication wherever possible, and especially in places where sensitive data is stored. LastPass is absolutely correct in suggesting the use of this feature, and we feel that you should enable it right away, after changing your Master Password. In fact, while you’re at it, do consider adding 2-Step Authentication to every service you use that holds sensitive data.
In LastPass, you will find Multifactor Options in Account Settings (see above). This is where you will find options to further secure your LastPass account. You will also see the Grid Authentication option that we have written about before.
Another layer of security that LastPass encourages its users to explore is the country-based restriction policy. Once enabled, only devices originating from the country of your residence can access your LastPass data; a device from any other country is shown an error message instead. We’ve covered this in much detail and you should definitely read it, if you haven’t already.
Don’t be. There’s nothing more to be done here. LastPass has already updated its security and is already prompting users to verify via email if they log in from a new device or a new IP address. To check this, we tried just that and are happy to report that this step works just as advertised.
Existing users are also being prompted to change their Master Password, but even if you don’t get that prompt, we urge you to do it anyway. Lastly, we’d like to quote Jeremi Gosney (a password security expert at Stricture Group) who spoke to Ars Technica about the hack –
On an NVIDIA GTX Titan X, which is currently the fastest GPU for password cracking, an attacker would only be able to make fewer than 10,000 guesses per second for a single password hash. That is proper slow! Even weak passwords are fairly secure with that level of protection (unless you’re using an absurdly weak password.) And this doesn’t even account for the number of client-side iterations, which is user-configurable. The default is 5,000 iterations, so at a minimum we’re looking at 105,000 iterations. I actually have mine set to 65,000 iterations, so that’s a total of 165,000 iterations protecting my Diceware passphrase. So no, I’m definitely not sweating this breach. I don’t even feel compelled to change my master password.
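The arithmetic in Gosney’s quote (5,000 client-side rounds plus the server’s own rounds giving 105,000, or 165,000 with the client count raised to 65,000) is easy to see in code. The following is an added example, not code from the article or from LastPass: it models two stages of PBKDF2-SHA256 stretching, client-side and then server-side with a per-user salt, and works out how that iteration count caps an attacker’s guess rate against a leaked authentication hash. The 100,000 server-side rounds are inferred from 105,000 minus 5,000; using the e-mail address as the client-side salt, the 16-byte per-user salt, the account details and the attacker throughput figure of 1e9 PBKDF2 rounds per second (chosen so that 100,000 rounds alone give the quoted "fewer than 10,000 guesses per second") are all assumptions made for this illustration.

```python
# Added example (not the article's or LastPass's own code): two-stage PBKDF2
# key stretching and what it does to the cost of each offline guess.
import hashlib
import hmac
import math
import os

SERVER_ROUNDS = 100_000        # inferred: 5,000 client + 100,000 server = 105,000
DEFAULT_CLIENT_ROUNDS = 5_000  # client-side default quoted in the article
DICEWARE_WORDS = 6 ** 5        # 7,776 words in a Diceware list (five dice per word)


def client_auth_hash(master_password: str, email: str, client_rounds: int) -> bytes:
    """Client-side stretching done before anything is sent: only this derived
    value reaches the server, never the master password itself.
    (Assumption: the lower-cased e-mail serves as the client-side salt.)"""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), client_rounds)


def server_store(auth_hash: bytes, per_user_salt: bytes) -> bytes:
    """What the server keeps for login checks: the client value stretched again
    with a per-user salt.  This (hash, salt) pair is the kind of data the
    article says was compromised; the encrypted vault is a separate object."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, SERVER_ROUNDS)


def enroll(master_password: str, email: str, client_rounds: int = DEFAULT_CLIENT_ROUNDS):
    """Account creation: returns (per_user_salt, stored_hash)."""
    salt = os.urandom(16)  # constructed per-user salt
    return salt, server_store(client_auth_hash(master_password, email, client_rounds), salt)


def verify(stored: bytes, per_user_salt: bytes, master_password: str, email: str,
           client_rounds: int = DEFAULT_CLIENT_ROUNDS) -> bool:
    """Login check; constant-time comparison so timing does not leak the hash."""
    candidate = server_store(client_auth_hash(master_password, email, client_rounds), per_user_salt)
    return hmac.compare_digest(candidate, stored)


def total_rounds(client_rounds: int) -> int:
    """Work an attacker must repeat for every guess once hash and salts have leaked."""
    return client_rounds + SERVER_ROUNDS


def guesses_per_second(client_rounds: int, pbkdf2_rounds_per_second: float = 1e9) -> float:
    """Attacker throughput.  1e9 rounds/s is an assumed figure chosen so that the
    server's 100,000 rounds alone give the quoted 'fewer than 10,000 guesses per second'."""
    return pbkdf2_rounds_per_second / total_rounds(client_rounds)


def diceware_entropy_bits(words: int) -> float:
    """Entropy of a randomly chosen Diceware passphrase of the given length."""
    return words * math.log2(DICEWARE_WORDS)


def years_to_exhaust(entropy_bits: float, gps: float) -> float:
    """Time to try every passphrase of that entropy at gps guesses per second."""
    return 2 ** entropy_bits / gps / (365 * 24 * 3600)


def cost_of_wordlist_guessing(stored, salt, email, client_rounds, candidates):
    """Defender's view of a leaked hash: how many full stretchings a short list of
    common guesses costs, and whether a weak master password falls to it.
    Returns (matched_password_or_None, stretchings_performed)."""
    for tried, guess in enumerate(candidates, start=1):
        if verify(stored, salt, guess, email, client_rounds):
            return guess, tried
    return None, len(candidates)


if __name__ == "__main__":
    email = "user@example.com"  # constructed account
    for rounds in (DEFAULT_CLIENT_ROUNDS, 65_000):
        gps = guesses_per_second(rounds)
        print(f"client rounds {rounds:>6}: {total_rounds(rounds):,} total, "
              f"~{gps:,.0f} guesses/s, 5-word Diceware exhausted in "
              f"{years_to_exhaust(diceware_entropy_bits(5), gps):.2e} years")
    salt, stored = enroll("password", email)  # deliberately weak, for the contrast
    print(cost_of_wordlist_guessing(stored, salt, email, DEFAULT_CLIENT_ROUNDS,
                                    ["123456", "password", "letmein"]))
```

The point the quote makes falls out of the numbers: raising the client-side count from 5,000 to 65,000 cuts the attacker’s rate from roughly 9,500 to roughly 6,000 guesses per second, and at that rate a five-word Diceware passphrase (about 64.6 bits) is out of reach, while a password that sits in a short common list is found after a handful of stretchings regardless of the iteration count.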
In fact, quite a few members of our own team use the tool and we have done exactly the same things that we have stated above. And now we wish to spread the knowledge to as many people as possible.
Want To Try Alternatives?
Okay, if you feel that you have lost faith in LastPass because of all this, then of course there are always alternatives. If you’re willing to invest a little money (and some of that lost faith), there’s always 1Password. It has the same architecture and security measures at play, but AgileBits, the company behind 1Password, does have a better track record than LastPass. By that, we mean that it’s never been hacked. Hasn’t been reported, to be more precise. Yet.
Even though it is not as convenient as 1Password, if you’re willing to play around, a few plugins can be added to match the functionality of its paid peer. It does take some patience, though, so be prepared.
Our 2 Cents
It’s very easy to blame a company and say it wasn’t careful with your data. But that’s as good as blaming banks when there is a robbery. People haven’t stopped putting their money there, and neither should you stop trusting password managers just because one was hacked.
We’re not even saying that security was lax on LastPass’ part, but they definitely need to pull up their socks. It wasn’t the first time a threat was detected in their systems, but both times nothing major was stolen or lost. They acted quickly, promptly notified users, and have already dealt with the security issue which led to this. With a little more precaution on your own part, you can ensure a much happier state of mind. If you can spend all that time thinking about your bank balance, we’re certain you can spare a few thoughts for the passwords that keep it safe, too.