The Lessons of the LastPass Hack
March 10, 2023
As a fan and long-time user of LastPass, I was alarmed by the latest LastPass hack. But what exactly happened, and what does it mean for users like you or me?
In a nutshell, LastPass suffered a security breach that exposed some user data, including billing and email addresses, end-user names, telephone numbers, and IP address information. LastPass has 30 million users. It claims that only 3% of them have been seriously impacted, and that it has been working with those users to maintain security.
Three percent might not seem like a lot, but this is bad news.
Should You Be Concerned?
Yes, of course you should be. LastPass has written a couple of blog posts reassuring its customers, but I think some healthy skepticism is in order.
While LastPass uses high-level encryption and a “zero knowledge” system, the reality is that the hackers may now have encrypted master passwords and potentially access to your whole
Zero knowledge is a term used to describe a system where the service provider doesn’t have access to the plain text version of your usernames and passwords. Instead, encryption and decryption are handled solely on the user’s device, making it extremely difficult for anyone, including LastPass employees themselves, to access the passwords. Said another way, LastPass does not have access to the actual passwords stored in its system; only the user does.
This doesn’t mean stolen encrypted data is safe. The villain here could still use brute force on the stolen copy to guess your master password offline. This will take anywhere from half an hour and $100 to millions of years (no exaggeration, this is the range of times provided by various sources), depending largely on how strong your master password is.
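To make the two paragraphs above concrete, here is an added example (my own illustration, not LastPass’s code; the PBKDF2 iteration count, GPU hash rate and demo account are assumed values) showing how a zero-knowledge vault derives its keys on the user’s device, what the server actually stores, and how the strength of the master password turns a stolen copy of that hash into either weeks or billions of years of offline guessing.

```python
import hashlib
import hmac
import math

# Constructed parameters for this example (assumptions, not LastPass's actual values).
ITERATIONS = 100_000              # PBKDF2-SHA256 rounds run on the user's device
HASHES_PER_SEC_PER_GPU = 2e9      # rough SHA-256 throughput of one modern GPU


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Runs on the user's device only. This key decrypts the vault and never leaves
    the device, which is what makes the design 'zero knowledge'."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), ITERATIONS)


def derive_login_hash(master_password: str, email: str) -> bytes:
    """Also on the device: one extra PBKDF2 round over the vault key produces the
    value the server stores to authenticate logins. The server sees neither the
    password nor the vault key, only this hash."""
    vault_key = derive_vault_key(master_password, email)
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1)


def check_login(stored_login_hash: bytes, submitted_login_hash: bytes) -> bool:
    """Server side: constant-time comparison of the stored and submitted hashes."""
    return hmac.compare_digest(stored_login_hash, submitted_login_hash)


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password over the given alphabet."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, iterations: int = ITERATIONS, gpus: int = 1) -> float:
    """Expected years for someone holding a stolen copy of the login hash (or the
    encrypted vault) to find the master password offline: every guess costs
    `iterations` hashes, and on average half the password space must be searched."""
    hashes_needed = (2 ** bits) * iterations / 2
    seconds = hashes_needed / (HASHES_PER_SEC_PER_GPU * gpus)
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed demo account: the phrase below is a sample, not a real credential.
    stored = derive_login_hash("correct horse battery staple!42", "user@example.com")
    resubmitted = derive_login_hash("correct horse battery staple!42", "user@example.com")
    print("login ok:", check_login(stored, resubmitted))
    for length, alphabet in ((8, 26), (12, 62), (16, 95)):
        years = years_to_crack(password_bits(length, alphabet))
        print(f"{length} chars over {alphabet} symbols: {years:.3g} years")
```

The 8-character lowercase case lands in the “months” range while 16 mixed characters lands beyond the age of the universe, which is exactly the spread the sources quoted above describe and why the 16-character advice below matters.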
What is the Likely Impact of the LastPass Hack?
The impact of the LastPass hack will vary from person to person. It’s not worth the gamble that it’ll take a million years to hack your account(s), so it’s wise to make adjustments now.
Your best defense? A good offense.
What Do You Do Now?
Given that we don’t know what the impact will be, it is important to take steps to protect yourself after a hack.
Take these actions:
1. Change your master password. It should be 16 characters long or longer. Do not use any identifying information in it (name, address, SSN, etc.). Opt for a phrase, like a favorite movie line. Use odd variations on words.
2. Use two-factor authentication. You should have turned this on a long time ago. Before you get into your vault you should have to use your phone or a code to verify it’s you. I know this is a pain. Get used to it. It’s the way of password security going forward. If you’re using biometric identification (thumbprint, facial recognition), this will go faster.
3. Use a password on your phone.
4. Change your passwords on highly sensitive accounts – banking, credit cards, insurance, health care, social media, tax information, document vaults, etc. Use LastPass to create passwords for you so that you create unique, strong ones.
5. Monitor your accounts for suspicious activity.
6. Consider changing password vaults.
Do I Still Recommend LastPass?
Sadly, no, because that would just make me look stupid.
However, I believe that hacks like this are humbling not only for the victim company but for all the password managers out there. Password managers will likely be stronger than ever.
I remain a fiercely strong advocate of having a password manager for many reasons but they all come down to this: They protect us from ourselves. We use better passwords, we use two factor authentication, we don’t repeat passwords, we don’t share passwords in an unsafe way, and we can use them to transfer information in the event of incapacity or death.
The truth is that I will probably stay with LastPass for now, try out a new password manager, and if I like the new one, I will probably migrate everything. I have over 300 entries in my LastPass, many of which are old or useless. It’ll take me a while to migrate, but I’m all about purging no longer needed items.
Understand, however, that I actually do use “good password hygiene.” My master password is 18 characters long, is written down nowhere, and shared with no one. I change all my work-related passwords every 90-180 days. I change my banking passwords about once a year. I use two-factor authentication on every account in which it is offered to me. I look at every single banking transaction – personal and business – at least once a month. I use a credit report service to monitor my credit.
Yes, it’s a pain and takes up time. Yes, it’s totally worth it.
If you are not doing all these things, then you need to take action sooner and build some new habits.
How To Protect Against a Future Hack?
Do all those things I mentioned above:
1. Use a password manager.
2. Use strong, unique passwords.
3. Use two-factor authentication.
4. Use a password on your phone.
5. Change your passwords when needed.
6. Monitor your accounts for suspicious activity.
By doing these things, you can ensure that your online accounts are secure and protected against unauthorized access. I’ve been talking to people about their money for over 25 years. I have only had to start talking about identity theft and fraud in the last five or so. It’s a serious financial self-care topic now.
Please don’t ignore it.
If you need encouragement around password vaults, don’t hesitate to reach out.
Lanning Financial Inc. is a registered investment adviser. Information presented is for educational purposes only and does not intend to make an offer or solicitation for the sale or purchase of any specific securities, investments, or investment strategies. Investments involve risk and unless otherwise stated, are not guaranteed. Be sure to first consult with a qualified financial adviser and/or tax professional before implementing any strategy discussed herein. Past performance is not indicative of future performance.