
Password Managers

Simple title; not necessarily a simple question.

The current spotlight is on LastPass and its parent company GoTo.

As we know, LastPass was compromised over the summer, but it appears, from what has been disclosed so far, that even though the hackers stole some of the password vaults, you are still secure, assuming your master password was strong. They also mentioned that long-time users should increase the number of PBKDF2 iterations their account is set to, but that really has minimal impact on strength. Good to do, but not critical.

Today, however, LastPass’ parent, GoTo, announced that their data was compromised over the fall as well. It only affected some of GoTo’s products, including Central, Pro, join.me, Hamachi and RemotelyAnywhere.

In this case, which we **THINK** is separate from the LastPass case, they say that the hacker not only stole the encrypted backups but also acquired the encryption key.

IT TOOK GOTO TWO MONTHS TO LET US KNOW ABOUT THAT.

In LastPass’ December 22 update they said:

The information included encrypted passwords, usernames and form-filled data. “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our zero knowledge architecture,” Toubba said in the updated blog post.

“The master password is never known to LastPass and is not stored or maintained by LastPass,” Toubba said.

https://www.cybersecuritydive.com/news/lastpass-breach-timeline/639725/
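Here is an added example (my own code, not LastPass's or GoTo's) that makes the quoted zero-knowledge design and the PBKDF2 advice concrete: the vault key is derived on the client from the master password, and the offline cost of guessing against a stolen vault scales linearly with the iteration count but exponentially with master password length. The salt choice, the demo credentials and the guess-rate figure are assumptions.

```python
import hashlib
# Constructed demo values, not taken from the article or from LastPass.
DEMO_USERNAME = "alice@example.com"
DEMO_MASTER_PASSWORD = "correct horse battery staple 42"
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

def derive_vault_key(master_password: str, username: str, iterations: int) -> bytes:
    """Derive the 256-bit vault key client-side with PBKDF2-HMAC-SHA256.

    Salting with the lower-cased user name is an assumption for this example;
    it keeps two users with the same master password from sharing a key. The
    provider only ever holds AES-256 ciphertext, never this key or the master
    password: that is the "zero knowledge" property quoted above.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )

def guess_space(alphabet_size: int, length: int) -> int:
    """Worst-case number of master-password candidates of a given shape."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size: int, length: int, iterations: int,
                       rounds_per_second: float) -> float:
    """Offline time to try every candidate against a stolen vault blob.

    Whoever holds the vault and salt pays one full PBKDF2 run per guess, so the
    cost grows linearly with `iterations` but exponentially with password
    length. `rounds_per_second` is an assumed hardware rate, not a measurement.
    """
    return guess_space(alphabet_size, length) * iterations / rounds_per_second

def years_to_exhaust(alphabet_size: int, length: int, iterations: int,
                     rounds_per_second: float) -> float:
    return seconds_to_exhaust(alphabet_size, length, iterations,
                              rounds_per_second) / SECONDS_PER_YEAR

if __name__ == "__main__":
    key = derive_vault_key(DEMO_MASTER_PASSWORD, DEMO_USERNAME, 100_000)
    print("vault key (hex):", key.hex())
    rate = 1e10  # assumed aggregate PBKDF2-SHA256 rounds/s; constructed figure
    for iters in (5_000, 100_000):
        for length in (8, 12, 16):
            years = years_to_exhaust(26, length, iters, rate)
            print(f"{iters:>7} iterations, {length}-char lowercase: {years:.3g} years")
```

Raising the iteration count multiplies the attacker's per-guess cost by a constant, while each extra character of master password multiplies the total work by the alphabet size, which is why the master password itself is what ultimately protects a stolen vault.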

The reason I think these two breaches are separate is that GoTo says the hackers stole (“acquired” is their more polite term) usernames and passwords. If those passwords are for the website, that makes sense, but if the usernames are for the vault, that makes no sense, since they should not even have those, encrypted or otherwise.

GoTo is resetting account passwords; LastPass is not – another reason to think that the attacks are separate.

Here is what I am most upset with them about.

It is not about the breach, it is about the communications afterward.

Look, we all know that the lawyers run the company and in this case, there is probably a lot of concern about class actions, so you have to listen to the lawyers to a degree.

But in my opinion, what we tell customers who ask is this: from what we know so far, we think your passwords are safe, but because of the horrible way LastPass has dealt with the aftermath, it is hard to reward them, and you should consider other password managers. Again, as best we know, this is not because we think there is a risk of an imminent password breach – the truth is that they are being so opaque that we can’t be sure – but because they are likely letting the lawyers run the company, we simply don’t know.

We hear other lawyers talk about this all the time. You have to balance fear of litigation with destroying brand reputation and, in my opinion, GoTo/LastPass is doing a great job of destroying the brand.

If someone does not already have a password manager and is looking for a recommendation, LastPass isn’t on the list to be considered.

Am I punishing them for their lack of transparency? In a word, yes. I don’t know any other way to get the message across.

The other thing I am punishing them for is that only certain fields, like the password, were encrypted. That means that if you use the password manager to store all manner of data, like they would like you to do, some of that might not have been encrypted. Passwords are safe, other data, maybe not.

I don’t know if there was a good reason for that or if they were just being stupid. If there was a good reason, they have not explained that to us yet.

One other thought. You need to balance security and convenience. Are you using MFA on your password manager? You should.

This is the ultimate “vendor risk”. This is a high risk company and you need to treat it accordingly. If you have not already, start now.

If it means that you need to change password managers, well, then, so be it.

If it means that you need to do a mass password change – well, that is ugly for sure, but you might have to do it.

Another thought. If you are using MFA, that is an extra layer of security: even having the userid and password does not, by itself, get a hacker in.

I have heard that some password managers can do both password and MFA.

I STRONGLY RECOMMEND NOT DOING THAT. I understand it is convenient, but it also means that your password manager – any password manager – is a single point of failure, and that is a problem.

If you are confused at this point, I completely understand. If you want to discuss the situation, please give us a shout. It is not simple and the software vendors are not making it any easier.

Credit:

The Verge

The Verge, again

Cybersecurity Dive and

Bleeping Computer

