There have recently been a couple of well-publicised breaches of LastPass. Most people will be familiar with LastPass but in case you are not, it’s a well-known and popular password vault/manager.
Does this mean you shouldn’t use a password vault?
Absolutely not. YOU SHOULD USE A PASSWORD VAULT.
You should have a unique and complex password for every site you use, as well as MFA (Multifactor Authentication). All those phishing attacks we warn you about, and the various 'games' on social media that try to get you to share something personal (your favourite teacher, the name of your first pet and so on), are aimed at either harvesting the answers to your password-reset questions or obtaining a password that the attacker can then try on every other site you use. Reused passwords are what make that second trick work.
Making good use of a quality password manager lets you use a different complex password everywhere without having to remember any of them, and lets you share credentials securely within your organisation. The free password managers built into browsers such as Chrome and Edge typically lack the administrative features and security controls that, for example, cyber insurers now require.
Kinetics' advice mirrors that of the security experts. You should be using a quality password manager.
Our experience is clear: strong passwords are a key security control, and responsible organisations supply their employees with strong tools. Without a company-supplied password manager, employees are left to devise their own systems, and that invariably means weak and/or reused passwords.
Is my KARE Password Vault affected?
No.
Kinetics clients that use our KARE Password Vault product are not affected. KARE Password Vault is built on a different vendor's product; the breach applies only to LastPass.
Were your passwords lost in the LastPass breach?
If you are a LastPass user and your data was included in the breach, then you should have been notified by them of the breach by now.
In that email LastPass will say that the stolen data is encrypted; they also say: “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”
“If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.”
“it would take millions of years to guess your master password using generally-available password-cracking technology”
What LastPass is saying is that your vault is encrypted with a key that is unique to you, because it is derived from your master password, which only you know. Before that key is used, the master password is stretched with a Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that repeats a hash many thousands of times so that every guess an attacker makes costs correspondingly more computing time. The caveat a practitioner would add is that PBKDF2 slows guessing down; it does not prevent it. How long "millions of years" really is depends on two things that are under your control rather than LastPass's: how strong your master password is (the size of the space an attacker has to search) and the iteration count set on your account (how much each guess costs).
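To make that trade-off concrete, here is a small added example (not LastPass's code or data format) of what the attacker's position looks like once an encrypted backup has been stolen. The salt and iteration count are stored in the clear next to the encrypted vault, so the attacker can run PBKDF2 offline against a wordlist and check each guess. The example stands in for the encrypted vault with an HMAC "check value" over a fixed header so that it runs with the Python standard library alone; a real product stores AES-256 ciphertext instead. The iteration counts, wordlist and master passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

VAULT_HEADER = b"vault-header"  # constructed stand-in for the encrypted vault contents


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256 into a 256-bit key.

    The cost of this call is what the attacker pays once per guess; it scales
    linearly with the iteration count.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_vault_record(master_password: str, iterations: int, salt: bytes = None) -> dict:
    """Build the record an attacker would obtain from a stolen backup.

    'check' is an HMAC under the derived key over a fixed header. It plays the
    role of the ciphertext: a guess is confirmed when the derived key reproduces
    it (assumption made to keep the example standard-library only). The master
    password itself is never stored.
    """
    if salt is None:
        salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    check = hmac.new(key, VAULT_HEADER, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def key_opens_vault(key: bytes, record: dict) -> bool:
    """Constant-time comparison of the check value derived from a candidate key."""
    candidate = hmac.new(key, VAULT_HEADER, "sha256").digest()
    return hmac.compare_digest(candidate, record["check"])


def crack_offline(record: dict, candidates):
    """Attacker's loop: try every candidate, paying the full PBKDF2 cost per guess.

    Returns (recovered_password, guesses_tried); recovered_password is None
    when the wordlist is exhausted.
    """
    tried = 0
    for guess in candidates:
        tried += 1
        key = derive_vault_key(guess, record["salt"], record["iterations"])
        if key_opens_vault(key, record):
            return guess, tried
    return None, tried


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure the per-guess cost on this machine for a given iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"timing-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(keyspace: int, iterations: int) -> float:
    """Worst-case single-core time to try every password in a keyspace of that size."""
    return keyspace * seconds_per_guess(iterations) / (3600 * 24 * 365)


# Constructed wordlist: the kind of guesses an attacker tries first.
WORDLIST = ["password", "letmein", "Summer2022!", "correct horse", "P@ssw0rd", "kinetics123"]


if __name__ == "__main__":
    weak = make_vault_record("Summer2022!", iterations=5000)
    strong = make_vault_record("4 random words plus symbols 9#", iterations=100100)
    print("weak master password:", crack_offline(weak, WORDLIST))
    print("strong master password:", crack_offline(strong, WORDLIST))
    for n in (1, 5000, 100100):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.2f} ms per guess")
    # Eight lowercase letters is a 26**8 keyspace; compare the two iteration counts.
    for n in (5000, 100100):
        print(f"{n:>7} iterations: ~{years_to_exhaust(26 ** 8, n):.1f} years for 8 lowercase letters")
```

Two things to take from running it: a master password that appears in a wordlist falls regardless of the iteration count, and raising the iteration count multiplies the cost of every guess but does nothing to the number of guesses needed. Both knobs matter, and the first one is entirely the user's.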
What happened and could it happen to other products?
LastPass prudently backs up its data, with each client's vault encrypted using a unique key. Some of those backups were stored in a third party's cloud storage. Hackers gained access to that storage and downloaded the encrypted backups. We do not currently know how that access was gained.
This raises the question: can this happen to another password manager product?
To answer that, we need a dose of reality. The reality is that anyone can be hacked by an attacker with the right skills, enough time and a measure of luck. It becomes harder as the target becomes more sophisticated. The more resources and time a target demands (pushing up the cost to the attacker), the less likely attackers are to invest in it, and the more they need chance or luck to help them.
In an interconnected world, we need to assume a level of prudent trust in our partners. We need to trust that they are taking reasonable measures around the safety of our data. As that data becomes more valuable, the higher the ‘reasonable’ standard becomes.
At this point, there is not enough information available to assess if there was any negligence.
What we can say is that this failure does not dilute the importance of using a good password manager. More organisations are hacked because they don’t have strong password practices than have been put at risk by this breach.
If you do use LastPass, what should you do (other than switch to the Kinetics password vault)?
If you have been notified that your data was exposed, our advice is that it is prudent to set about changing your passwords.
It is true that LastPass say it would take millions of years to crack the encrypted data. However, we cannot ignore that the data was stolen and is now beyond the control of both LastPass and yourself: the attacker can run guesses against it offline, at their own pace, for as long as they like, with no lockout and no notification to anyone.
Changing every password stored in the vault, even over an extended period, makes the stolen copy worthless whether or not the master password is ever cracked. Start with the accounts that matter most: email, banking, administrator accounts, and anything not protected by MFA.
Even with a password manager, some passwords will have leaked over time. For example, ex-staff will know some of them, and realistically, human nature being what it is, some people will have saved some of your passwords elsewhere. Likewise, there may be passwords that were imported long ago and never updated from older, weaker complexity rules. You may well also find accounts you simply no longer need, which should be closed rather than refreshed.