LastPass CEO Karim Toubba has revealed that the password manager was breached for a second time. The company said personal information was disclosed, but customer passwords remained safe. The incident is a reminder, some experts say, that you should take extra precautions with your password. “Perhaps the biggest vulnerability for users is that a weak master password can compromise all other passwords: so it is important that users select a very strong master password and commit that master password to memory,” Brian Robert Callahan, the graduate program director of information technology and web services at Rensselaer Polytechnic Institute, told Lifewire in an email interview. “That way, brute force attempts on the master password become infeasible or impossible.”
LastPass Hacked?
LastPass might not live up to its name after the recent security incident. The company said it detected unusual activity within a third-party cloud storage service shared by LastPass and its affiliate, GoTo. LastPass warned of a similar incident in September.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” Toubba wrote on the company website. “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”

Callahan said that despite the LastPass incident, password managers are usually secure. The software is a much better option than reusing weak passwords or writing passwords down on paper.

“The offerings from all the major players will include security features such as encrypting your stored passwords so that if an attacker manages to steal your password database, they still would not know what your passwords are,” Callahan added. “While no software is perfect, users should be encouraged to use password managers and feel safe using them.”

Callahan said that password managers had been hacked in the past. One problem is inadequate “secrets scrubbing,” such as when a password manager displays one of its stored passwords, then the password stays in system memory and is vulnerable to hackers. “If the password manager did not properly clean up system memory once the user was done looking at the password, an attacker would have a window of opportunity to also view the password,” Callahan said.

The biggest security issue with cloud-based password managers is how the vendors secure their environment and where encryption keys are stored for the user’s password vault, Paul Kincaid, a cybersecurity expert at SecureAuth, a company that handles access management and authentication, pointed out in an email.
“Some vendors say they have ‘zero knowledge’ of the decryption key, and thus, if the vendor’s environment is compromised, the attackers would need to brute force attack a user’s master password,” Kincaid said. “Additionally, the master key/password is the only thing that keeps the attackers out of a password manager, so a strong password and multi-factor authentication are key.”
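To make Kincaid's point concrete: in a zero-knowledge design the vendor holds only the salt and the encrypted vault, so an attacker who steals that data must guess the master password and run the key derivation for every guess. The added example below (not code from LastPass or from the article) derives a vault key with PBKDF2-HMAC-SHA256 as a generic stand-in for a vendor's KDF, and estimates how long an offline guessing attack would take for a weak versus a strong master password; the iteration count and the attacker's hash rate are assumed, round figures.

```python
import hashlib
import math
import string

# Assumed, round figures (not from the article): a PBKDF2-HMAC-SHA256 work
# factor in line with current OWASP guidance, and an attacker's raw SHA-256
# throughput of roughly 1e10 hashes per second on commodity GPU hardware.
ASSUMED_ITERATIONS = 600_000
ASSUMED_HASHES_PER_SECOND = 10_000_000_000


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Derive the 256-bit vault key from the master password.

    Only the salt and the ciphertext ever leave the client; the key itself
    is never stored by the vendor, which is what "zero knowledge" means here.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def estimate_entropy_bits(password: str) -> float:
    """Rough entropy estimate: length times log2 of the character pool used."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        pool += 33  # printable symbols and space
    return len(password) * math.log2(pool) if pool else 0.0


def expected_crack_years(entropy_bits: float,
                         iterations: int = ASSUMED_ITERATIONS,
                         hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Expected time to find the master password by offline guessing.

    Every guess costs `iterations` HMAC evaluations, so the KDF divides the
    attacker's guess rate; on average half the keyspace must be searched.
    """
    guesses_per_second = hashes_per_second / iterations
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)
```

Running `expected_crack_years(estimate_entropy_bits("password"))` gives well under a year, while a long passphrase such as "correct horse battery staple!" comes out to astronomically many years under the same assumed attacker; raising the KDF iteration count scales the cost of every guess accordingly.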
Playing Safe
Not all password managers are created equal, Craig Lurey, the co-founder of cybersecurity company Keeper Security, told Lifewire via email. He said that using a web browser to store passwords or a password manager with weak security may put your data at risk.

“When exploring options, seek out a password manager with zero-knowledge and zero-trust security architecture,” he added. “Zero-knowledge means that no one but the user can access their encrypted files, which is critical in the event of a breach.”

Keeping your password manager software up to date is also crucial, Matthew T. Carr, the co-founder of Atumcell, a cyber security company, said via email. “Like any software, password managers can have vulnerabilities that are discovered over time,” he added. “Keep the password manager up to date to ensure it is the most secure version.”

If you do everything correctly, you can still run into problems using a password manager. The high security provided by password managers means you are in trouble if you forget your password, pointed out Tyler Farrar, a cybersecurity expert at Exabeam, in an email. “If a password manager is maintaining industry standards, they should not have the ability to view or recover your master password,” he added.

Correction 12/8/2022: Corrected the source’s title in paragraph three.