LastPass users received an unwelcome Christmas present: a Dec. 22 update to a “Notice of Recent Security Incident” post reporting that the unknown attackers behind a breach first revealed in August had managed to “copy a backup of customer vault data.”
Web addresses, usernames, and passwords for saved logins are among the data now at risk. However, because the vault data remains encrypted, the post advised LastPass users not to panic: the attackers would need either exceptionally good luck or an extraordinarily long time to unlock any one vault by trying candidate passwords one after the other.
“Because of the hashing and encryption methods we use to protect our customers, attempting to brute force guess master passwords for those customers who follow our password best practices would be extremely difficult,” CEO Karim Toubba wrote in the post.
Are password managers vulnerable to hacking?
Customers, however, frequently disregard best-practice instructions to choose unique and complex passwords for each account and instead rely on familiar and simple passwords. According to research, people admit to reusing passwords; in one small survey conducted in 2021, 24% of respondents said they used an older password to secure their password-manager account.
Password manager services emphasise the importance of using unique and complex master passwords, but they are not equally strict. Toubba’s post, for example, mentions that until 2018, LastPass did not require master passwords to be at least 12 characters long, and that prior to that, LastPass used simpler techniques to generate encryption keys from these master passwords.
LastPass did not respond to two emails seeking comment.
If you reused an older password for your LastPass account, you are most vulnerable because that old password may have been leaked in a data breach, making it simple for attackers to try it on a copy of your data vault—a technique known as “credential stuffing.”
“Changing your LastPass password will not help here,” Sean Gallagher, principal threat researcher at Sophos, wrote in an email. He advised LastPass users to change any passwords they’d saved in the service, no matter how tedious it may be.
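To make the arithmetic behind those statements concrete (the brute-force resistance Toubba describes, the key-derivation change noted above, and Gallagher's point that changing the password now does nothing for a copy already stolen), here is an added Python example; it is not code from LastPass or from this article. It derives a vault key with PBKDF2-HMAC-SHA256, times one guess on the local machine, and estimates how long an exhaustive search would take for random passwords of different lengths versus a password reused from a breach list. The iteration counts, alphabet size, list size and parallelism are assumed illustration values, not LastPass's actual parameters.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Every guess at the master password must pay for `iterations` rounds, and a
    stolen vault copy keeps the count it was encrypted with: the defender cannot
    raise it, or change the password, for data already in the attacker's hands.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one derivation on this machine, a stand-in for one guess on one core."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-only", salt, iterations)
    return (time.perf_counter() - start) / samples


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters over the alphabet."""
    return alphabet_size ** length


def expected_years(candidates: int, guess_seconds: float, parallel_guesses: int = 1) -> float:
    """Expected search time when the password is one of `candidates` equally likely values.

    On average half the candidates are tried; `parallel_guesses` models cracking
    hardware running that many derivations side by side.
    """
    return (candidates / 2) * guess_seconds / parallel_guesses / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed scenario values (assumptions for illustration, not LastPass's parameters).
    PARALLEL = 10_000            # assumed derivations in flight at once on attacker hardware
    BREACH_LIST = 1_000_000_000  # assumed size of a previously leaked password list
    for iterations in (5_000, 100_000, 600_000):
        cost = seconds_per_guess(iterations)
        for length in (8, 12):
            years = expected_years(keyspace(95, length), cost, PARALLEL)
            print(f"{iterations:>7} iterations, random {length}-char password: ~{years:.3g} years")
        reused = expected_years(BREACH_LIST, cost, PARALLEL)
        print(f"{iterations:>7} iterations, password reused from a breach list: ~{reused:.3g} years")
```

The last line of each group is the credential-stuffing case: a password that already sits in a breach list is found after at most list-sized work, whatever the iteration count, which is why rotating the stored logins rather than the master password is the advice above.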
Gallagher cautioned LastPass users to be wary of phishing emails posing as password-change requests from LastPass.
Is it worthwhile to pay for a password manager?
The case for password managers in general is still compelling. Apple and Google, for example, offer limited free services, whereas third-party apps like Bitwarden (free and paid options available) and 1Password (paid only) consistently perform well in independent reviews, offer better cross-platform compatibility, and don’t require you to put so many digital eggs in one giant tech company’s basket.
“Despite the LastPass breach, I still strongly recommend that people use password managers,” said Lorrie Faith Cranor, director of Carnegie Mellon University’s CyLab Security and Privacy Institute and former FTC chief technologist.
“If you use a password manager, you don’t have to think about coming up with unique and strong passwords anymore, and you don’t have to figure out how you’re going to remember them,” she told USA TODAY in 2021.