LastPass breach — should you move on?

I used LastPass as my password vault

I used to urge my clients and family to use LastPass as their password vault. If you were one of those people, you probably know that this did not end well… and you can email me if you would rather hire my services to handle this for you.

LastPass has not been handling their latest security breach in a manner that makes me confident that they are protecting everyone’s password vault! On December 22nd, 2022, their update said that “the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

It is safe to assume the attackers obtained the metadata associated with every user’s account! This makes future attempts to brute-force the decryption of users’ vaults an undeniable possibility.

MOVE ON to another Password Manager

I prefer Bitwarden for my own use, although Dashlane and 1Password are excellent alternatives. I have used most of the password managers available, and any trustworthy one is better than thinking up ‘your own’ passwords and writing them down. As a human, you cannot create passwords with enough entropy, i.e. they will never be complicated enough, so use a password manager!

Bitwarden is built on open-source technology, which means it is scrutinized every step of the way, unlike the proprietary (secret) technologies that almost every one of its competitors clings to.

For me, Bitwarden is the easiest way to secure all of your passwords and sensitive information, and they provide a tool to import password vaults from other providers.

Do not reuse your old master password

Create a new master password, and then change all the passwords inside your newly established password vault. Since your old password vault was most likely among those that were downloaded, the attackers will keep it on a hard drive until one of their minions manages to crack it, one day…

You want to be sure that when that happens, every password in your old password vault will have been replaced with a new randomly created one.

Create an impressive master password

I recommend taking a line from one of your favourite books, and modifying it…

Remembering a sentence (one you could even highlight in an actual book for reference) is relatively simple. Just be sure you join the words with a symbol, such as a hyphen or an ‘!’, capitalize the first letter of some of the words, and add a few numbers and symbols.

THE LONGER IT IS THE SAFER YOU ARE

For instance, if you used this sentence (out of some book): The Bluebells represent the Party and Winston and Julia’s love affair.

And then converted it into: The-Bluebells-Represent-The-Party&Winston&Julia’s-love-affair-44 — to become the string of characters you use as your new password.

In the example above…
  1. the blank spaces became hyphens
  2. the word ‘and’ became the symbol ‘&’
  3. the number ‘44’ represents some year that is special for you — do not use your birth year
THIS WOULD BE A SAFE PASSWORD

Once you think you have come up with a password you can remember, why not test it with Security.org’s “How secure is my password?” tool. Make sure it is, in fact, good enough to protect your new password vault.

Do not settle for any password for which the results suggest that a computer might take less than 1 million years to crack it.
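As an added example (not code from this post, from Security.org, or from any password manager), the Python script below applies the three rules from the list above to the book line and then gives two rough strength estimates: the character-class figure that online strength meters typically report, and a more conservative word-aware figure that treats each word as one pick from a word list. The 20,000-word vocabulary and the 10 billion guesses-per-second rate are assumptions chosen for illustration; the one-million-year bar is the post’s own threshold.

```python
import math
import re

SEPARATOR = "-"   # rule 1: blank spaces become hyphens
AND_SYMBOL = "&"  # rule 2: the word 'and' becomes '&'


def build_passphrase(sentence: str, capitalize_first_n: int = 7, suffix: str = "44") -> str:
    """Apply the post's three rules to a sentence taken from a book.

    capitalize_first_n: how many words (not counting 'and') get a capital
    first letter; the post capitalizes "some of the words", so this is a knob.
    suffix: the memorable number appended at the end (rule 3).
    """
    words = sentence.strip().rstrip(".!?").split()
    out = ""
    seen = 0
    for word in words:
        if word.lower() == "and":
            out += AND_SYMBOL  # '&' replaces the word and the spaces around it
            continue
        if seen < capitalize_first_n:
            word = word[0].upper() + word[1:]
        seen += 1
        if out and not out.endswith(AND_SYMBOL):
            out += SEPARATOR
        out += word
    if suffix:
        out += SEPARATOR + suffix
    return out


def brute_force_bits(password: str) -> float:
    """Character-class estimate: length * log2(alphabet size).

    Assumes the password were random characters, which a phrase is not, so
    this is an upper bound (roughly what online strength meters report).
    """
    if not password:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII symbols
    return len(password) * math.log2(alphabet)


VOCABULARY = 20_000  # assumed size of a guesser's word list (illustrative)


def dictionary_bits(password: str) -> float:
    """Word-aware estimate: each word is one pick from a word list, each digit
    run is one pick per digit from 0-9. A lower, more honest bound for a
    passphrase built from real words."""
    tokens = [t for t in re.split(r"[^0-9A-Za-z’']+", password) if t]
    bits = 0.0
    for token in tokens:
        if token.isdigit():
            bits += len(token) * math.log2(10)
        else:
            bits += math.log2(VOCABULARY)
    return bits


GUESSES_PER_SECOND = 1e10  # assumed offline guessing rate (illustrative)
SECONDS_PER_YEAR = 365 * 24 * 3600


def years_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to search the whole keyspace of the given size at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def meets_bar(password: str, min_years: float = 1_000_000) -> bool:
    """The post's bar: reject anything crackable in under a million years.
    Judged on the conservative (dictionary) estimate, not the flattering one."""
    return years_to_crack(dictionary_bits(password)) >= min_years


if __name__ == "__main__":
    book_line = "The Bluebells represent the Party and Winston and Julia’s love affair."
    pw = build_passphrase(book_line)
    print(pw)
    print(f"brute-force estimate: {brute_force_bits(pw):.0f} bits, "
          f"{years_to_crack(brute_force_bits(pw)):.2e} years")
    print(f"dictionary estimate:  {dictionary_bits(pw):.0f} bits, "
          f"{years_to_crack(dictionary_bits(pw)):.2e} years")
    print("meets the one-million-year bar:", meets_bar(pw))
    print("short password meets the bar:", meets_bar("Summer2023!"))
```

The gap between the two estimates is the point: a character-class meter credits every character as if it were random, while a guesser who knows the phrase is made of words only has to try word combinations. The word-aware figure is still comfortably above the post’s one-million-year bar for the example, whereas a short conventional password fails it, which is why a long, modified phrase is the better choice.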

— Norman Atterbury
