LastPass Attacker Did Reach Password Vaults

What does your common sense tell you?

Use a third-party password manager like LastPass, often thought to be more robust and secure than the password managers built into operating systems?

Or rely on the built-in, primary providers of password management like Google, Apple, and Microsoft?

LastPass disclosed a security breach in August, and until this week users still believed that their most sensitive information was protected. That belief made some consumers even more trusting of password managers: they assumed that even in the case of a breach, their personal data was safe with LastPass.

In the latest update revealed by LastPass this week, the company disclosed that the attack uncovered in August did actually reach the password vaults. 

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

In plain English, this means that the attackers obtained personal data such as the websites you had saved passwords for, along with other identifying consumer information, like IP addresses. The most sensitive data, namely usernames and passwords, was fully encrypted and therefore not directly usable by the attackers.

That’s pretty bad, but it could have been worse.

Decrypting the encrypted passwords requires an encryption key derived from the user’s master password. LastPass does not store that master password, so for now your passwords should be safe as long as only you know the master password.

But.

If your master password is weak, attackers can try to brute-force it, guessing candidate master passwords against the stolen vault data until one decrypts it. That shouldn’t be too hard for a seasoned hacker.
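To make the model described above concrete, here is an added toy example, not LastPass’s code or its actual vault format: a vault whose website URLs are stored in the clear while usernames and passwords are encrypted under a key derived from the master password with PBKDF2. The iteration count, salt handling and the HMAC-based encryption are assumptions chosen for a self-contained stdlib-only demonstration. It shows what a copy of the vault exposes on its own (the URLs), that the service never needs to hold the master password, and that every guess at the master password costs a full key derivation, which is exactly why master-password strength and the derivation settings matter.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed, illustrative work factor for the key derivation (not LastPass's setting).
# Every guess at the master password has to pay this cost, so higher is better.
PBKDF2_ITERATIONS = 600_000


def derive_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the vault encryption key from the master password; the server never sees the password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream built from HMAC-SHA256 (assumption: stands in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> dict:
    """Encrypt one sensitive field and bind it with an authentication tag."""
    nonce = secrets.token_bytes(16)
    data = plaintext.encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_field(key: bytes, blob: dict) -> Optional[str]:
    """Return the plaintext, or None if the key is wrong (or the data was tampered with)."""
    nonce, ciphertext, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode("utf-8")


def build_vault(master_password: str, entries: list, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build a vault: URLs in the clear, usernames and passwords encrypted, as in the quoted LastPass statement."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt, iterations)
    records = [
        {
            "url": e["url"],  # unencrypted metadata: visible to anyone holding a copy of the vault
            "username": encrypt_field(key, e["username"]),
            "password": encrypt_field(key, e["password"]),
        }
        for e in entries
    ]
    # Only salt, iteration count and ciphertexts are stored; the master password and key are not.
    return {"salt": salt.hex(), "iterations": iterations, "records": records}


def exposed_in_clear(vault: dict) -> list:
    """What a copied vault reveals without any key: the list of sites the user has accounts on."""
    return [r["url"] for r in vault["records"]]


def open_vault(vault: dict, master_password: str) -> Optional[list]:
    """Re-derive the key from a master password and decrypt; None means the password was wrong."""
    key = derive_key(master_password, bytes.fromhex(vault["salt"]), vault["iterations"])
    entries = []
    for r in vault["records"]:
        username = decrypt_field(key, r["username"])
        password = decrypt_field(key, r["password"])
        if username is None or password is None:
            return None
        entries.append({"url": r["url"], "username": username, "password": password})
    return entries


# Constructed sample data for the demonstration; these are not real accounts.
SAMPLE_ENTRIES = [
    {"url": "https://mail.example.com", "username": "alice@example.com", "password": "correct horse battery staple"},
    {"url": "https://bank.example.net", "username": "alice", "password": "x7!Qm#2pLw@9"},
]

if __name__ == "__main__":
    vault = build_vault("long-and-unique-master-passphrase", SAMPLE_ENTRIES)
    print("visible without the master password:", exposed_in_clear(vault))
    print("with the wrong master password:", open_vault(vault, "password123"))
    print("with the right master password:", open_vault(vault, "long-and-unique-master-passphrase"))
```

The `iterations` value in the vault is the knob that makes each wrong guess expensive: a copied vault lets an attacker try guesses offline at their own pace, so a long, unique master password combined with a high iteration count is what keeps the encrypted fields out of reach.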

LastPass users should definitely change their master password and every password stored in their vault. It is also highly recommended to use security settings that exceed the LastPass defaults.

In addition, it might be a good idea to check “Have I Been Pwned?” to learn of any breaches affecting your email or domains.

Third-party password managers have some really great features, but using one still means storing your personal secrets on someone else’s computer. Using a primary provider like Google, Apple, or Microsoft means putting more confidence in the operating systems we already use and trust, at the cost of a single point of failure if something goes wrong there.
