Almost immediately, I realized that I had waited too long.
My driver’s license was due to expire near the end of last month, and by the time I got around to making an appointment to get it taken care of, the time slots at the nearby RMV offices were gone. As a matter of fact, they were taken at ALL of the RMV offices.
Finally, after widening my search range to 50 miles (!) and using an AAA office, I was able to book a time at an office about an hour away. And so I drove over there and got it done.
I had no choice. Making your way in modern society requires a government-issued ID, without which you can’t board a plane, open a bank account, drive a car legally, or otherwise prove that you are in fact who you say you are.
This type of foundational documentation is what is known as a “root of trust” — the base credential upon which all other credentials are built. Without it, you can’t get much done.
The same concept applies in the digital world. Except here, instead of a driver’s license, your passwords serve as a component of your root of trust. They are what grant you access to the hundreds of services you rely upon. Which is why it’s really important that your passwords stay well protected.
It’s also why the recent breach of cloud password storage company LastPass is so worrisome.
Not only did LastPass give up customer information, but its communication to customers regarding the breach was incompetent, if not deliberately misleading. The incident occurred in November of last year, but LastPass didn’t come clean about it until the Thursday afternoon before Christmas, announcing it (sort of) at a time when most people were not paying close attention. Coincidence?
What the LastPass Breach Means to You
If you were a LastPass user at the time of the attack, here is what the attacker now has:
- Your email address.
- A list of every web site you’ve ever logged into with LastPass (LastPass did NOT use your Master Password to safeguard the identity of these websites).
- Metadata about you: IP address, billing address, telephone number, etc.
- An encrypted copy of your vault data.
What can the attacker do with this information?
- Use your email address to perform a password spraying attack on all of the websites you’ve logged into.
- “Brute force” your vault data. The vault within which your passwords are stored was taken. True, the bad guys don’t have the key (your LastPass Master Password), but they can try millions of combinations, taking as much time as they like, until it finally opens.
- Phish, keylog, or otherwise get your Master Password from you in a subsequent attack and then use it to unlock all of your passwords.
- Phish / smish (text-based phishing) you using the knowledge they have of all the web sites you’ve visited, leading you to believe the requests are legitimate:
“This is AmEx. We see that your normal spending pattern for Netflix, Starbucks, and Joe’s Fly Fishing shop changed this month. Log in here to check your charges.”
“This is Bank of America. Your autopay for Verizon and Minnie’s Miniature Muffins failed. Please send us the six-digit code we just sent you to confirm that you received this message.”
What should you do as a LastPass customer?
- Change ALL of your important passwords in LastPass. There may be hundreds, so it will take time to get to everything. Start with your financial institutions, email providers, key corporate accounts, and any other important vendors.
- Change your LastPass Master Password. Why is this necessary if the attacker doesn’t have it? Because they could acquire it in a future attack and use that to unlock the vault they already have.
- Cancel your LastPass account. See below for more.
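An added example, not from the original post, that models the two pieces of advice above with a toy vault: the stolen copy still opens with the old Master Password forever, so the passwords inside it must be changed, while a new Master Password only protects the live vault. Key stretching uses PBKDF2 (the iteration count is a demo value, not LastPass's), and the cipher is a deliberately simple HMAC-based keystream with encrypt-then-MAC standing in for a real AEAD.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # demo work factor, not the vendor's real setting

def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256; a real vault would use AES-GCM."""
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal_vault(master_password: str, entries: dict) -> dict:
    """Encrypt-then-MAC the entries under keys derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def open_vault(master_password: str, blob: dict):
    """Return the entries if the master password is right, otherwise None."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong password: the tag does not verify, nothing is decrypted
    return json.loads(bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct)))))

def rotate_master_password(old_pw: str, new_pw: str, blob: dict) -> dict:
    """Re-seal the live vault under a new master password; any stolen copy is untouched."""
    entries = open_vault(old_pw, blob)
    if entries is None:
        raise ValueError("wrong master password")
    return seal_vault(new_pw, entries)

if __name__ == "__main__":
    # Constructed sample vault: site names and passwords are made up.
    entries = {"bank.example": "hunter2-old", "mail.example": "p@ss-old"}
    stolen_copy = seal_vault("old master", entries)  # what the attacker exfiltrated
    live_vault = rotate_master_password("old master", "new master", stolen_copy)
    assert open_vault("old master", stolen_copy) == entries  # stolen copy still opens with the old password
    assert open_vault("new master", stolen_copy) is None     # rotation does nothing for the stolen copy
    assert open_vault("new master", live_vault) == entries   # so the entries inside must be changed too
```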
What to do as a human with lots of passwords
You only need one driver’s license, but you need hundreds of passwords and their associated usernames. You could…
… memorize them. Hard to do.
… keep them on paper. Not necessarily bad, but the paper could get lost, stolen, or damaged, and you won’t have access to your passwords if the paper is not with you. Plus, you’d have to go back to typing in your username and password every time you log into a site, which means you are likely to default to simpler passwords and reuse them across sites.
… host it yourself using a vendor like KeePass, Enpass, or Bitwarden. This requires a high degree of technical sophistication and is not recommended for most people.
… use a hosted password manager (just not LastPass!). For most people, this is still going to be the best option.
Which password manager should I use?
One of the things we look for in a vendor is its degree of security transparency. Both 1Password and Bitwarden have published security whitepapers that show off how they do what they do (a good sign).
Of course, the moment you permit a third party to store your passwords in the cloud, you are introducing a degree of risk. Any cloud vendor could come under attack and they will continue to be an attractive target because they maintain so much vital data.
But as we have written about before, effective cybersecurity always involves tradeoffs between convenience, cost, and safety. So while LastPass is a nonstarter based on past behavior, for most people, these other vendors strike the right balance.
Don’t Wait
The bad guys may be working hard, right now, to break into your vault. But just because the attackers never rest, it doesn’t mean you need to be an attractive target.
Change your passwords, switch to a reliable vendor, and stay vigilant! Let me know if you need a ride to the RMV. It will give me a break from changing my passwords.