Norton LifeLock breach — what now?

Norton’s Password Manager was breached

Norton’s breach of their LifeLock password vault is just a reminder to me that nobody should use a locked-in password vault solution. I am a fan of using a password vault from a provider for whom providing a password manager is their core business.

Antivirus vendors like to bundle products, such as a proprietary password manager, in with their service. That provides ‘extra value’ to their customers. Similarly, the vault in question (Norton Password Manager) is bundled in with Norton’s antivirus and LifeLock subscriptions. And because of that, this data breach feels even more inexcusable. Norton’s stock-in-trade is ‘cyber security’, and facilitating a security breach is the opposite of that.

It is time to move to another provider

Export your Norton LifeLock password vault as a CSV file, and then import the resulting data into Bitwarden. This DIY procedure involves manually conditioning your generic CSV file so that Bitwarden can interpret your data. Email me if you want to hire me to help you transition from LifeLock to Bitwarden.

Norton’s LifeLock password manager was never as popular as Dashlane or 1Password, for example. Bitwarden has dedicated importers for the popular vaults, which is why someone moving away from Dashlane or 1Password has a simpler path to Bitwarden than someone moving away from LifeLock, who ends up on the generic CSV route. This is not what you want to hear, but this may be your reality… Any serious password manager vendor makes it easy for users to pick up their data and leave. Here are Bitwarden’s own instructions for importing your password vault data into their password manager.
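The conditioning step in practice, as an added example for this post (not Norton’s or Bitwarden’s own code): a small Python script that reads a generic vault export and writes a file in the column layout Bitwarden’s “Bitwarden (csv)” importer expects. The output header is Bitwarden’s documented one; the source column names in SOURCE_COLUMNS are an assumption about what your export contains, so open your exported file in a text editor, read its first line, and edit them to match. The sample export at the bottom is constructed (made-up credentials) so the script runs offline.

```python
"""Condition a generic password-vault CSV export for Bitwarden's CSV importer.

Added example for this post; it is not Norton's or Bitwarden's own code. The
output header is Bitwarden's documented "Bitwarden (csv)" layout. The source
column names in SOURCE_COLUMNS are an assumption about your export: open the
exported file in a text editor, read its first line, and edit them to match.
"""
import csv
import io
import os

# Bitwarden's documented header for its "Bitwarden (csv)" import format.
BITWARDEN_HEADER = [
    "folder", "favorite", "type", "name", "notes", "fields", "reprompt",
    "login_uri", "login_username", "login_password", "login_totp",
]

# ASSUMPTION: Bitwarden field -> column name in your export. Adjust to match
# the first line of the file you exported.
SOURCE_COLUMNS = {
    "name": "title",
    "login_uri": "url",
    "login_username": "username",
    "login_password": "password",
    "notes": "note",
}


def convert_rows(rows, folder=""):
    """Map source rows (dicts keyed by export column) to Bitwarden-format dicts.

    Rows with neither a username nor a password are dropped; an entry with no
    title is named after its URL so it is still findable in the vault."""
    out = []
    for row in rows:
        item = {col: "" for col in BITWARDEN_HEADER}
        item["folder"] = folder
        item["type"] = "login"
        item["reprompt"] = "0"
        for bw_field, src_field in SOURCE_COLUMNS.items():
            item[bw_field] = (row.get(src_field) or "").strip()
        if not item["login_username"] and not item["login_password"]:
            continue
        if not item["name"]:
            item["name"] = item["login_uri"] or "(untitled)"
        out.append(item)
    return out


def convert_csv_text(text, folder=""):
    """Take the export as text, return Bitwarden-format CSV text."""
    rows = list(csv.DictReader(io.StringIO(text)))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=BITWARDEN_HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(convert_rows(rows, folder))
    return buf.getvalue()


def convert_file(src_path, dst_path, folder=""):
    """File-to-file wrapper. The output holds plaintext passwords, so it is
    created readable by the current user only; delete both files after import."""
    # utf-8-sig strips the byte-order mark that Windows tools often prepend.
    with open(src_path, newline="", encoding="utf-8-sig") as f:
        text = f.read()
    fd = os.open(dst_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", newline="", encoding="utf-8") as f:
        f.write(convert_csv_text(text, folder))


# Constructed sample export (made-up credentials) so the script runs offline.
SAMPLE_EXPORT = """title,url,username,password,note
Example Bank,https://bank.example.com,alice,correct horse battery,Security question answer is the dog's name
,https://forum.example.org,alice42,hunter2,
Broken entry,https://nothing.example.net,,,
"""

if __name__ == "__main__":
    print(convert_csv_text(SAMPLE_EXPORT, folder="Imported from Norton"), end="")
```

Run it against your real export with `convert_file("export.csv", "bitwarden.csv", folder="Imported from Norton")`, import `bitwarden.csv` using the “Bitwarden (csv)” format, and then delete both files; both contain every password in plaintext.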

But, what about antivirus protection?

Yes, you would be ‘naked’ if you walk away from Norton entirely. You probably bought their product originally for its antivirus protection anyway. You could just stop using Norton’s password manager and keep their antivirus.

Alternatively, you cannot go wrong with ESET if you need to ‘remain on an island’, meaning your devices are not monitored/managed by a Managed Service Provider such as myself.

As an MSP, I install only ‘managed’ protection for my clients, so that I am informed of possible attacks on their devices.

Mr. IT is not affiliated with Bitwarden

I am into Bitwarden, but I am not affiliated with them. Firstly, you can use their product/service for free, and their paid plans are probably the most affordable ones in the password manager category. My ESET link is not an affiliate link either.

I recommend their ESSENTIAL SECURITY product, called ESET NOD32 Antivirus — which costs $39.99 CAD (per device). Or, if you want some extra annoying features, consider their ADVANCED SECURITY product, called ESET Internet Security — which costs $49.99 CAD (per device).

I do not recommend their PREMIUM SECURITY product because it includes a password manager. This product is called ESET Smart Security Premium, and it costs $59.99 CAD (per device). But, as I said right at the top, I don’t believe that anybody should use a locked-in password vault solution.

Migrate your vault data to Bitwarden

If I were hired to do this for a client, this would be my approach. If there were a relatively small number of password entries to move over, I would not export/import the vault’s contents at all. Instead, I would add the Bitwarden Password Manager browser extension to Chrome.

The extension is designed to capture your login credentials as you log into your various accounts (still using your LifeLock password vault to fill them in). This is also a great opportunity to change your passwords one by one: if you change each password before the extension saves it, the breached value never lands in your new vault. Yes, it would be a lot of work, but it is safe to assume that all your passwords have been breached.

Remember, you will only be doing this because you are concerned about the Norton breach I mentioned. Ignoring the very real threat of having your passwords known to criminals will lead to far more drama in your life, and the damage to your reputation is hard to undo. This is not a time to procrastinate if you were a victim of the Norton breach!

How did Norton inform customers?

It is never easy for a company to tell the world that a breach happened on their platform. LastPass found it much harder to admit their breach outright, while Norton’s announcement came closer to ‘ripping off the bandaid’. LastPass’s announcement was as shady as they could possibly make it. Their focus was on minimizing further damage to their brand, which ended up being worse for everyone involved.

Gen Digital (the parent company of Norton LifeLock) warned some customers that their accounts ‘may have been compromised’. To those users they admit outright that “an unauthorized third party knows and has utilized your username and password for your account”. They had detected a credential-stuffing campaign earlier, in December of 2022: attackers replaying username/password pairs leaked from other sites against Norton logins, which only succeeds where the customer reused a password. Their explicit warning is that “in accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address.”

While that is awful news, they put LastPass to shame by being honest and upfront about how bad the breach is. Unlike the LastPass incident, this breach was limited to about 6,500 Norton LifeLock customers. In the case of LastPass, they reluctantly admitted in the end that their breach affected all their customers.

In my post on the LastPass breach, I also urged affected users to move away! I recommended that they not reuse their old master passwords either, and I explained how to design a string of characters to use as your new master password. Check it out. My ‘formula’ guides you to compose a complex password which you can actually remember. You only need to remember one really good password to access your password vault, so why not use an impressive master password?

Moving to another Password Manager

In my post on the LastPass breach, I explain why I prefer Bitwarden. Dashlane and 1Password are excellent alternatives, but Bitwarden is based on open source technology. This means that their source code is open for anyone to inspect, modify, and enhance. That is absolutely not how proprietary software like Norton’s products will ever work. This thought might scare you if you are not familiar with the open source philosophy. However, transparency is a good thing, and the people making brilliant contributions to software include philanthropic ones. Yes, some brilliant developers care about the greater good, not about making money.

For me, Bitwarden also provides the easiest way to access passwords and sensitive information, across my different platforms. I use Mac and Windows operating systems interchangeably.

I have converted clients’ computers from Windows to Linux when they would otherwise have had to throw their old devices away… Everyone I have helped onto Bitwarden loves how it works (once they have migrated their data). I want to remind you that Bitwarden provides a tool to import password vaults from other providers.

And, since your exported password file still contains every one of your credentials in plaintext, delete that file when you are done, and check that no copy survives in your Downloads folder, a cloud-synced directory, or the Recycle Bin/Trash.

When is a password good enough?

If you create a password you can remember, it may be too simple to be safe. Your master password must be good enough to protect your new password vault from being breached. Why not test your proposed new password at Security.org’s How secure is my password? I would not settle for a password that a computer could crack in less than 1 million years, and you don’t have to settle either. (Test a password with the same length and mix of character types as your real one, rather than typing the actual master password into a website.)

Add a few strategically placed symbols to improve the quality of your master password.
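For readers who would rather not type even a look-alike password into a website, here is a local version of the same estimate, added as an example for this post (it is neither Security.org’s tool nor the author’s formula). It infers the alphabet size from the character classes present, raises it to the password length, and converts the resulting search space into a time-to-crack at a few guess rates; the guess rates are assumptions for illustration. The estimate is an upper bound: a dictionary word or keyboard pattern scores far higher here than it would survive in practice, so use a low score to reject a candidate, never a high score to accept one blindly.

```python
"""Local master-password strength estimate.

Added example for this post (not Security.org's tool and not the author's
formula). Scores a candidate without sending it anywhere. The guess rates are
assumptions for illustration; the score is an upper bound that knows nothing
about dictionary words or patterns."""
import math
import string

# (characters, size of the class they belong to)
CLASS_SIZES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
    (" ", 1),
]

# ASSUMED guess rates in guesses per second, for illustration only.
GUESS_RATES = {
    "online, rate-limited login": 1e2,
    "offline, fast hash on GPUs": 1e11,
    "offline, slow vault KDF": 1e5,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password):
    """Size of the alphabet an attacker must cover, inferred from the classes used."""
    size = sum(n for chars, n in CLASS_SIZES if any(c in chars for c in password))
    if any(c not in string.printable for c in password):
        size += 100  # non-ASCII characters: a nominal extra class
    return size


def entropy_bits(password):
    """log2 of the brute-force search space implied by length and alphabet."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_crack(password, rate):
    """Expected years to hit the password after searching half the space."""
    return (2 ** entropy_bits(password) / 2) / rate / SECONDS_PER_YEAR


def good_enough(password, min_years=1e6, rate=GUESS_RATES["offline, fast hash on GPUs"]):
    """The post's bar: at least a million years against the fastest assumed attacker."""
    return years_to_crack(password, rate) >= min_years


def report(password):
    """Human-readable summary for one candidate (nothing leaves this machine)."""
    lines = [f"length {len(password)}, alphabet {charset_size(password)}, "
             f"{entropy_bits(password):.1f} bits"]
    for label, rate in GUESS_RATES.items():
        lines.append(f"  {label:28s} {years_to_crack(password, rate):.3g} years")
    lines.append("  verdict: " + ("good enough" if good_enough(password) else "too weak"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed candidates: a classic short "complex" password, a passphrase,
    # and a 16-character mix of all four classes.
    for candidate in ["Tr0ub4dor&3", "correct horse battery staple", "aB1!xY9#qW3$zK7%"]:
        print(candidate)
        print(report(candidate))
```

The million-year bar against 10^11 guesses per second works out to roughly 82 bits, which a random 16-character password drawn from all four classes clears comfortably, while an 11-character one, however many symbols it contains, does not. A long passphrase scores very high by this measure, which is exactly the over-estimate the lead-in warns about: the script cannot tell that its words come from a dictionary.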

Other security breaches to ponder

LastPass breach — should you move on?

— Norman Atterbury