Password Hygiene: LastPass Edition!
Category
News, Awareness
Risk Level
On December 27, 2021 multiple cybersecurity media outlets began reporting on LastPass users who believed their master passwords had been stolen. By December 28th, LastPass released a statement reassuring its users that it had not been breached, and instead users were being targeted in “credential stuffing” attacks, where attackers leverage publicly available credentials resulting from previous hacks, compromises, and automated attack tools to try to compromise LastPass account master passwords.
While LastPass may not have suffered a breach, it should be a wake up call to many who still use single-factor password-based authentication to their LastPass accounts and password vaults to do a little housekeeping.
“What is LastPass?”
LastPass is a “password manager” with both a web-based interface and mobile app that can help you generate, store, and access all of the ways you secure your favorite services. You can store secret information including usernames and passwords for all you accounts spread across any number of platforms in a centralized, secure repository called a “vault.” This way, you don’t have to remember, write down, or insecurely store passwords on their own. LastPass fully manages the security of all of this information stored within the vault, including encryption, so you can imagine how a breach of their security protocols might be a really bad thing. If you’d like to learn more about password managers, check out our ACT post on them here.
“Ok but what’s credential stuffing?”
Credential stuffing is a tactic hackers commonly use to compromise internet accounts. Hackers will generally incorporate credentials previously compromised as part of other attacks, available on public pastebins, hacker-frequented forums (i.e. 4chan), or sites on the dark web, into automated attack tools to perform a targeted guessing attack to see if the account is using those previously compromised credentials. Check out our writeup on how hackers use your passwords in practice in our ACT post here.
“Got it. So how do I protect myself?”
There are a few steps you can take to protect yourself from credential stuffing attacks specifically, and other steps you can take to ensure your LastPass account, or other password management tool of choice, remains secure in the face of these types of attacks:
Step #1: Don’t reuse passwords
Avoid reusing the same credentials, especially those for very important accounts like your password management tool master password, email accounts, banking or other financial accounts, healthcare accounts, social media accounts, etc. This will prevent a cascading failure of your account security if one of those accounts is compromised in the future, since, hopefully, you haven’t reused the same password for other accounts.
Since it isn’t easy to track many unique passwords, that’s where a tool like LastPass pays particular dividends. It allows you to store all those passwords in one place and recall them for use at any time via the web interface, browser extension, or mobile application.
Step #2: Monitor if your passwords have been stolen
To prevent credential stuffing type attacks from compromising your accounts, you can periodically monitor or check public sites to see if any of your accounts’ credentials have been compromised and released publicly. One of these sites is https://haveibeenpwned.com. Have I Been Pwned is a great tool to check whether your individual passwords or accounts have been compromised in some of the largest breaches identified. You can use Have I Been Pwned in a multitude of ways, however the most helpful for individuals trying to verify whether their passwords or accounts have been compromised are the “Password” check tool, the “Email/Phone Number” check tool, and the continuous monitoring tool that will allow you to set up alerts for email addresses in the event they show up in a pastebin or compromised set of credentials in the future.
Check if your email address or phone number have been stolen using ‘have i been pwned’
If your email address, phone number, or an individual password you check shows as compromised, it’s a good idea to quickly change that password anywhere you are possibly using it. Additionally, tools like LastPass, also monitor usernames and passwords you store in them against these sources and will often warn you that a password you are using has been previously compromised and recommend you use a new one - just another benefit of using the service!
Step #3: Enable MFA
Utilize multi-factor authentication (MFA) where it is available, especially for high risk sites or accounts such as your LastPass or other password management solution, financial accounts, email accounts, social media accounts, healthcare accounts, etc. MFA provides an added layer of security when you are using a password, and combines something you know (password) with a second input credential of a different type (i.e. something you are, something you have) to gain access to the account or application.
In some cases that second factor in addition to your password (something you know) may be an expiring pin or one time passcode sent via text message to your phone (something you have), a rolling code from an authenticator app (i.e. Google Authenticator, Microsoft Authenticator, LastPass Authenticator, Entrust Identity, etc.), or for direct access to operating systems, applications, and mobile apps a biometric credential such as a fingerprint, retina scan, or facial recognition (i.e. FaceID). In any case, two is better than one, and this will protect you in the event of a hacker having your password. Since the second factor is enabled, they won’t be able to gain access with just the password alone, giving you some comfort that the account will remain secure and only accessible by you.
Enabling MFA via an authenticator app adds additional security to your accounts.
“All set up! What else should I know?”
If you are using a master password to secure things like your LastPass vault, it is a good practice to periodically change that password, just in case it is stolen and has yet to be made public and known. We recommend changing those passwords, and the passwords associated with any of your high risk accounts as previously mentioned, at least annually. You can do this more frequently if doing so does not impact your ability to remember the new password and it does not require you to write it down or store it in plain text to recall. If you’re using LastPass, it will remember all of your passwords for you so you won’t have to worry about forgetting your new one!
Additionally, we recommend for master passwords or passwords to other important accounts you use more complex passwords than you would for your low risk accounts. You should avoid using common dictionary phrases, proper names or nouns, and easily guessable strings such as birthdates, street addresses, or phone numbers for any passwords you use, but especially on high risk accounts. Incorporating a mix of character types including letters, numbers, and symbols (where supported) is good, but length is key. For a breakdown of the benefit of character types used and length, check out our famous Password Table which shows you the time it could take a hacker to compromise your password based on its complexity and length.
Still have questions about securing your passwords and the use of password managers like LastPass securely? Hive can help! Feel free to reach out via the Contact Us page, and we’ll help guide you to a more secure digital life!
Follow us - stay ahead.
Read more of the ACT
