LastPass breach reveals core troubles with password management solutions
There was a time when managing the deluge of complex logins was a simple matter: we relied on password manager programs and browser extensions while continuing the fight for better security. Complex passwords remain a handy, free way to immediately improve cyber defense, and these days they are mandatory. But remembering a list of complicated passphrases is a taxing responsibility, and even the best of us lose track. With the need for different logins across websites, apps, and software, it gets overwhelming.
Password managers remedied this by syncing all complex logins behind a single access point, and many also generate strong passwords automatically. They are handy for increasing security and seamlessly managing multiple logins, and for a time they were considered safe from breach or compromise. The reason was that passwords were stored in encrypted databases that not even the vendor’s development teams could read, the logic being that if the vendor couldn’t get to the passwords, neither could malicious actors.
Enter LastPass, throwing cold water on that idea. In August 2022, the password manager organization informed its users of a data breach that, as they claimed, did not impact stored logins, phrases, or personal info. As it turns out, the breach was worse than initially discussed.
Breaking through encrypted backups
The breach is part of a systemic compromise that started with the theft of proprietary information and code. Using stolen employee credentials, the attackers then moved laterally to reach further data, handing malicious third parties troves of information. The data in question comprised company metadata, customer details, email addresses, billing addresses, and password vaults containing encrypted logins.
The information taken was used to target a cloud-based backup server, something LastPass emphasized was not in its production environment. While no immediately dangerous information such as credit card data was taken, the stolen vaults do open a doorway for attackers to guess passwords by brute force.
The stolen vault data is protected by 256-bit AES encryption, which is only unlocked with a user’s master password. However, with the details siphoned in the August breach, attackers now have a direct line to brute-force master passwords against their own copy of the vaults. Given the dominant issue of weak or guessable passwords, this puts users at risk exactly where they once relied on a manager to keep their passphrases safe.
How can I guard my login data?
If threat actors can eventually discover methods to circumvent password protections, even with managers, then we’re returning to square one of personal cybersecurity hygiene. The root of the LastPass breach comes down to the selected master password. If a user maintains an easily guessable passcode, then their chances of falling victim to phishing campaigns or identity theft greatly increase.
Malicious actors can take advantage of user behavior, too. If your login phrase was compromised in an unrelated data breach, chances are that information will wind up in dark net markets that trade stolen logins in bulk. From that data, attackers can assemble patterns of password reuse and potentially guess or brute-force their way into the password manager, in this case LastPass. That brings us back to a question of good password hygiene and creating defensible logins, which is a circular problem.
We choose password managers because we rely on the complexity they offer. Since it’s challenging to recall numerous complex logins, the manager is meant to be a safe reservoir we can easily access. But the key to this repository is one login, the potentially unsafe one. If a threat actor obtains that, they smash through the safeguards of the password manager. So, we’re now back to square one, which is managing a safe password (or passwords).
This is precisely the issue managers like LastPass were meant to solve, yet threat actors find ways to circumvent even these encrypted defenses. Moreover, the problem extends to businesses, since SMBs and organizations take advantage of
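The three paragraphs above make one point: the AES-256 key is only as strong as the master password that produces it, and a password already leaked in another breach is effectively a one-guess password. The script below, an added illustration that is not code from the article, from LastPass or from Bytagig, shows why. It assumes a PBKDF2-HMAC-SHA256 key derivation, a fixed iteration count and an attacker hash rate; the article describes none of these, so all three are hypothetical placeholders, and the breached-password set is constructed for the example.

```python
import hashlib
import math
import string

# Assumed, not from the article: a PBKDF2-HMAC-SHA256 key derivation with a
# fixed iteration count, and an offline attacker's hash rate. The article only
# says the vault is AES-256 encrypted and unlocked by the master password.
KDF_ITERATIONS = 600_000
ASSUMED_HASHES_PER_SECOND = 10_000_000_000  # hypothetical GPU cluster, SHA-256/s

# Constructed sample of passwords seen in unrelated breaches (not real data).
CONSTRUCTED_BREACHED_PASSWORDS = {"password", "Summer2022!", "letmein", "qwerty123"}


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte (256-bit) AES key.

    The output is always 256 bits, but an attacker holding the encrypted vault
    does not search the key space; they search the master-password space, so
    the key is only as unpredictable as the password that produced it.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, judged by the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        size += len(string.digits)
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def password_entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming every character was chosen
    uniformly at random from the classes used. Human-chosen passwords are far
    weaker than this bound, which is why the breach check below matters."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def expected_crack_seconds(entropy_bits: float, iterations: int = KDF_ITERATIONS,
                           hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Expected time for an offline attacker to find the password.

    Each guess costs `iterations` hash evaluations, and on average half the
    space is searched before the right guess is found.
    """
    guesses = 2.0 ** (entropy_bits - 1)
    return guesses * iterations / hashes_per_second


def assess_master_password(password: str, breached=CONSTRUCTED_BREACHED_PASSWORDS) -> dict:
    """Summarise how much protection the vault really gets from this master password."""
    if password in breached:
        # A password already in circulation costs the attacker one guess.
        return {"entropy_bits": 0.0, "crack_seconds": expected_crack_seconds(1.0), "breached": True}
    bits = password_entropy_bits(password)
    return {"entropy_bits": bits, "crack_seconds": expected_crack_seconds(bits), "breached": False}


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # in practice random and stored with the vault
    for candidate in ["Summer2022!", "Tr0ub4dor&3", "correct-horse-battery-staple-42"]:
        key = derive_vault_key(candidate, salt)
        report = assess_master_password(candidate)
        print(f"{candidate!r}: key={key.hex()[:16]}... "
              f"entropy={report['entropy_bits']:.1f} bits, "
              f"expected crack time={report['crack_seconds']:.3g} s, breached={report['breached']}")
```

Run as a script it prints, for each candidate, the derived key prefix, the entropy upper bound and the expected cracking time under the assumed parameters. The point to take from the numbers is the gap between the 256 bits of the key and the few dozen bits a typical master password actually provides, and that a reused password scores zero regardless of how complex it looks.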
Improving cybersecurity hygiene
Until there is truly a foolproof way to guard passwords against threat actors, even password managers won’t fully protect us. However, it’s worth pointing out that this isn’t an inherently bad thing. Too much of IT and cybersecurity philosophy at the ground level relies on automated solutions and a “hands-off” approach. We end up relying on background resources without emphasizing the disciplines of good security principles. Thus, when something like LastPass is compromised, the blow can fracture networks and individual security.
So, it’s a matter of relying on the “fundamentals.” What are the fundamentals? It depends, but in the realm of cybersecurity and IT, there are spoken (and unspoken) rules about maintaining a strong security posture. Much of it surrounds passwords – though as we’ve discussed before, the password problem is not improving. Because of this, it’s better to adopt a mindset of proactivity and expectancy. The reality is that you will likely be subject to some form of password-related breach. Treat that as an assumption, and therefore a situation you have to prepare for.
But first, let’s review the basics:
- Your logins and passwords should be complex with variations in numbers, letters, and symbols
- It’s a good idea to use different passcodes for different websites, at least the important ones (a different login for a bank account, social media, business, etc.)
- Set up MFA where available, whether as an organization or with personal devices
- Have extensive data backups and versatile architecture (like the cloud) in case of a breach event
- Set up email alerts for unusual sign-in activity or sign-in attempts
- Pay attention to data breach news regarding compromised passwords/logins (internet browsers
Beyond these foundational procedures for improving password-related defenses, comprehensive monitoring is also essential for detecting unusual sign-in activity.
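The alerting and monitoring items above are easy to state and less easy to picture. The script below is an added example, not code from the article, from LastPass or from Bytagig, of the two checks a sign-in monitor would raise mail about: a burst of failed attempts against one account inside a short window (someone guessing), and a successful sign-in from a country never before seen for that account. The log format, the account names, the IP addresses (RFC 5737 documentation ranges) and the threshold and window values are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from the article or any real system).
# Fields: timestamp, account, source IP, source country, outcome.
CONSTRUCTED_SIGNIN_LOG = """\
2022-12-01T08:00:01Z alice 203.0.113.7 US success
2022-12-01T08:05:00Z bob 198.51.100.4 US success
2022-12-01T09:00:00Z alice 192.0.2.10 NL failure
2022-12-01T09:00:05Z alice 192.0.2.10 NL failure
2022-12-01T09:00:09Z alice 192.0.2.10 NL failure
2022-12-01T09:00:14Z alice 192.0.2.10 NL failure
2022-12-01T09:00:20Z alice 192.0.2.10 NL failure
2022-12-01T09:01:00Z alice 192.0.2.10 NL success
2022-12-01T10:00:00Z bob 198.51.100.4 US success
"""


def parse_signin(line: str) -> dict:
    """Parse one whitespace-separated log line into a record."""
    ts, account, ip, country, outcome = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "raw_time": ts,
        "account": account,
        "ip": ip,
        "country": country,
        "outcome": outcome,
    }


def detect_signin_anomalies(lines, fail_threshold: int = 5,
                            window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts for two patterns worth an email notification:

    * failed_burst: `fail_threshold` or more failures for one account inside
      `window` (a guessing attempt against the account), raised once per burst;
    * new_country: a successful sign-in from a country never before seen for
      that account, once a baseline exists from an earlier success.
    """
    recent_failures = defaultdict(deque)   # account -> timestamps of recent failures
    known_countries = defaultdict(set)     # account -> countries seen on successful sign-ins
    alerts = []

    for line in lines:
        if not line.strip():
            continue
        rec = parse_signin(line)
        account, now = rec["account"], rec["time"]

        if rec["outcome"] == "failure":
            failures = recent_failures[account]
            failures.append(now)
            # Drop failures that fell outside the sliding window.
            while failures and now - failures[0] > window:
                failures.popleft()
            if len(failures) >= fail_threshold:
                alerts.append({"time": rec["raw_time"], "account": account, "kind": "failed_burst",
                               "detail": f"{len(failures)} failures within {window} from {rec['ip']}"})
                failures.clear()  # one alert per burst
        else:
            seen = known_countries[account]
            if seen and rec["country"] not in seen:
                alerts.append({"time": rec["raw_time"], "account": account, "kind": "new_country",
                               "detail": f"success from {rec['country']} ({rec['ip']}); known: {sorted(seen)}"})
            seen.add(rec["country"])

    return alerts


if __name__ == "__main__":
    for alert in detect_signin_anomalies(CONSTRUCTED_SIGNIN_LOG.splitlines()):
        print(f"{alert['time']} {alert['account']:<6} {alert['kind']:<13} {alert['detail']}")
```

On the sample log this raises two alerts for alice, the burst at the fifth failure and the later success from a new country, and none for bob. The new-country rule deliberately stays silent on an account's very first success, since there is no baseline to compare against yet; in a real deployment that baseline would be seeded from history rather than learned from the first line seen.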
If nothing else, the breach at LastPass – which could prove significantly worse as the investigation continues – is a reminder to never wholly rely on any single solution. Truly, good security hygiene relies on consistency, habits, and discipline. We take for granted the tools at our disposal, and even the nature of unique sign-ons. Perhaps, then, we need to practice vigilance to better protect ourselves.
Never forget, you can always reach out to experts for help.
Bytagig is an experienced third-party provider with backup resources in case of breach events. For more information, you can contact us today.
Bytagig is dedicated to providing reliable, full-scale cyber security and IT support for businesses, entrepreneurs, and startups in a variety of industries. Bytagig works both remotely and with on-site support in Portland, San Diego, and Boston. Acting as internal IT staff, Bytagig handles employee desktop setup and support, comprehensive IT systems analysis, IT project management, website design, and more. Bytagig is setting the standard for MSPs by being placed on the Channel Future’s NexGen 101 list.