LastPass played down the attack, noting that passwords, usernames and form-fill data were encrypted. The online intruders had that data, but they couldn’t read it.
But some LastPass users will still be vulnerable to having their data stolen, says Jordan Heersping, an incident response manager for the Government’s Computer Emergency Response Team (Cert NZ).
Heersping notes the hackers did get a lot of unencrypted LastPass data, including people’s LastPass username, their email address (which is used as a username by many sites), billing address, telephone numbers and, crucially, a list of website addresses from each person’s vault and whether someone used weak or vulnerable passwords.
That means the hackers could take the list of websites a person visited, use their email address as the username, then try common weak passwords, or run the person’s details through dark web databases compiled after other hacks to see if they could match them up with previously stolen passwords.
Response lacking
Heersping says LastPass could have been more on the front foot with some of its communication about its data breach. The firm’s chief executive, Karim Toubba, told the New York Times it was users’ responsibility to “practice good password hygiene”. He stopped short of telling people to change all their passwords.
“Many security experts disagreed with Mr Toubba’s optimistic spin and said every LastPass user should change all of his or her passwords,” the Times said.
The paper quoted Sinan Eren, an executive with security firm Barracuda, who said: “I would consider all those managed passwords compromised.”
Heersping agrees. “It’s better to spend a few hours changing all your passwords than putting your bank account and other data at risk,” he said.
Two tips for strong passwords
Yes, you can still trust password managers, Heersping says. He uses one himself. But the proviso is that it should be coupled with good password hygiene.
That means two things:
- Always use passwords that are long (at least 15 characters), strong (at least one number, and one special character) and unique.
- If it’s an option, use two-factor authentication (2FA), which typically involves a confirmation code being sent to your smartphone each time you log on or, more practically, each time there’s a log-in from a new device.
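The breach described above gave attackers a list of sites per vault plus a flag for weak passwords, and the two tips boil down to rules a person can check for themselves. The script below is an added example, not a Cert NZ or LastPass tool: it audits a password-manager CSV export against the article’s rule (at least 15 characters, at least one number and one special character, and no password reused across sites). It assumes the export has `url`, `username` and `password` columns, which is a common layout but is an assumption here; the sample export is constructed. The report names only the site and the problem, never the password itself, so it can be shared safely.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export (assumed column layout: url,username,password).
# All values are made up for this example.
SAMPLE_EXPORT = """url,username,password
https://bank.example,alice@example.com,Summer2023!
https://shop.example,alice@example.com,Summer2023!
https://mail.example,alice@example.com,correct horse battery staple 42!
https://forum.example,alice@example.com,password
"""

MIN_LENGTH = 15                      # the article's "at least 15 characters"
SPECIAL = re.compile(r"[^A-Za-z0-9]")  # anything that is not a letter or digit counts as special (spaces included)


def check_password(pw):
    """Return the list of rule violations for one password (empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("short")
    if not any(c.isdigit() for c in pw):
        problems.append("no-digit")
    if not SPECIAL.search(pw):
        problems.append("no-special")
    return problems


def audit_vault(csv_text):
    """Audit a CSV export; return {url: [problems]} for every entry that fails a rule.

    Reuse is detected by grouping entries on the password value, so the same
    password on two sites flags both entries as "reused".
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    sites_by_password = defaultdict(list)
    for row in rows:
        sites_by_password[row["password"]].append(row["url"])

    report = {}
    for row in rows:
        problems = check_password(row["password"])
        if len(sites_by_password[row["password"]]) > 1:
            problems.append("reused")
        if problems:
            report[row["url"]] = problems   # deliberately omit the password from the output
    return report


if __name__ == "__main__":
    for url, problems in audit_vault(SAMPLE_EXPORT).items():
        print(f"{url}: {', '.join(problems)}")
```

Running it on the constructed sample flags the bank and shop entries as short and reused, the forum entry as short with no digit or special character, and leaves the 32-character passphrase alone. Pointing it at a real export is simply a matter of reading the file into `audit_vault`; delete the export afterwards, since a plaintext copy of a vault is exactly what the article warns against leaving around.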
Sing us a song, you’re the piano man
A couple of years back, security expert Colin James - then with Vodafone - told the Herald that a “pass phrase” was a good alternative to a password.
If a site supports it, then the longer the password or pass phrase the better.
James’ top tip was to use different lines from a favourite song as your password - or pass phrase - for different websites. Many sites support spaces, so natural language works, though remember to throw in some numbers too, such as “3” for “E”.
This lyrical approach is a great way to remember long, complex passwords for different websites without shelling out for a password manager.
Cert NZ’s Heersping gives this tip his stamp of approval, saying it’s a great way to generate passwords of 30 characters or more.
What’s the best password manager?
Cert NZ does have an online guide to choosing a password manager, which tells you the features to look for, but it doesn’t recommend any specific brand.
You’re probably already using a password manager, because Google, Microsoft and Apple’s browsers all have them built in, as does security software from the likes of Norton.
If you’re after a dedicated password manager - which can have advantages in terms of exporting a list of passwords, attaching secure notes or sharing passwords with family or a set of work colleagues - a Wall Street Journal round-up said the best free password manager is the open-source Bitwarden, which it called full-featured in its basic form. There’s also a US$1 ($1.54) per month version, which offers frills including a security report identifying weak passwords and emergency access - that is, an approved second person who can access your passwords if you’re incapacitated.
The easiest to use is 1Password, the Journal said, which is priced from US$2.99 ($4.60) per month, with no free tier. 1Password was also the WSJ’s overall pick.
Honourable mention went to Dashlane, which is priced from US$2 ($3.08) per month.
The New York Times-owned Wirecutter also named 1Password as “the best password manager”, saying it bettered 40 other apps. So did Wired and the Times itself. Wirecutter said 1Password was the easiest to use and had the best family-sharing options.
Wirecutter also gave Bitwarden the nod as the best free password manager: “It does everything you’ll need and doesn’t cost anything”.