A friend of mine, Igor Odnovorov, always said, “Convenience is the enemy of security.” This recently hit home for me and many others.
I have used the LastPass password manager for years. I made sure to investigate how the company protects user data, and it was clear that they did not maintain any keys or the ability to decrypt your data, except using your “master password.” The proverbial one key that rules them all. This makes it very convenient to store and retrieve all your passwords, especially if you use the random password generator.
Recently LastPass announced a security breach, which I have been following closely both as a product user and as a security practitioner. Last week, they sent this announcement. If you read closely, it indicates that “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container.” This means that someone now has my password vault, although not my master password.
They continue to explain that “the threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.” So now the big questions: “How secure is my master password?” and “Can any information that might be available on the Dark web from other breaches be used to hack my master password?” Recalling my master password, I know it’s unique, but how hard would it be to crack?
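To put a rough number on “how hard would it be to crack,” here is a small estimator I added for this post; it is not LastPass code and makes no claim about any vendor’s settings. It estimates a password’s entropy from the character pool it draws on, then multiplies the expected number of guesses by the cost of one guess, where that cost is set by the vault’s key-derivation iteration count divided by an assumed attacker throughput (the 1e10 PBKDF2-SHA256 iterations per second and the 5,000 / 100,000 iteration counts are constructed illustrative figures, not measured or vendor values). The entropy figure is an upper bound that assumes the password was chosen uniformly at random; a human-chosen password such as “Passw0rd!” sits in every wordlist and falls far faster than the estimate suggests, which is exactly why breach data from other sites matters.

```python
"""Estimate offline brute-force effort against a vault master password.

Added example for this post. Assumptions (constructed, not vendor figures):
  * attacker throughput ASSUMED_ATTACKER_ITERATIONS_PER_SEC
  * illustrative KDF iteration counts 5_000 and 100_000
"""
import hashlib
import math
import string
import time

# Hypothetical attacker: total PBKDF2-SHA256 *iterations* per second across a
# GPU rig. Constructed round number for illustration only.
ASSUMED_ATTACKER_ITERATIONS_PER_SEC = 1e10

SECONDS_PER_YEAR = 365.25 * 86_400


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool covering every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on entropy: assumes each character was picked uniformly from the pool."""
    return len(password) * math.log2(charset_size(password))


def expected_guesses(bits: float) -> float:
    """On average the attacker hits the password halfway through the key space."""
    return 2 ** bits / 2


def seconds_per_guess(kdf_iterations: int,
                      iterations_per_sec: float = ASSUMED_ATTACKER_ITERATIONS_PER_SEC) -> float:
    """Each guess costs one full KDF run; more iterations means slower guessing."""
    return kdf_iterations / iterations_per_sec


def expected_crack_years(password: str, kdf_iterations: int,
                         iterations_per_sec: float = ASSUMED_ATTACKER_ITERATIONS_PER_SEC) -> float:
    """Expected wall-clock years for an uninformed brute force of `password`."""
    total_seconds = expected_guesses(entropy_bits(password)) * seconds_per_guess(
        kdf_iterations, iterations_per_sec)
    return total_seconds / SECONDS_PER_YEAR


def measure_local_iterations_per_sec(kdf_iterations: int = 100_000) -> float:
    """Sanity check: time one real PBKDF2-HMAC-SHA256 derivation on this CPU.

    The constructed salt and password are sample values only.
    """
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"sample master password",
                        b"constructed-salt", kdf_iterations, 32)
    return kdf_iterations / (time.perf_counter() - start)


if __name__ == "__main__":
    # Sample passwords are constructed for the demo; none is a real credential.
    samples = ["password", "Passw0rd!", "correcthorsebatterystaple", "T4k3-m3-To-y0ur-L3ad3r!"]
    print(f"this CPU: ~{measure_local_iterations_per_sec():,.0f} PBKDF2 iterations/s "
          f"(assumed attacker: {ASSUMED_ATTACKER_ITERATIONS_PER_SEC:,.0f})")
    print(f"{'password':28} {'bits':>6} {'years @5k iters':>16} {'years @100k iters':>18}")
    for pw in samples:
        print(f"{pw:28} {entropy_bits(pw):6.1f} "
              f"{expected_crack_years(pw, 5_000):16.3g} "
              f"{expected_crack_years(pw, 100_000):18.3g}")
```

Two things stand out when you run it: raising the iteration count from 5,000 to 100,000 buys exactly a 20x slowdown for the attacker, but every extra character of a random password multiplies the work by the pool size, so length and randomness dominate the KDF setting. The local timing line is there so you can see how far a single CPU is from the assumed attacker rate.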
So now I start thinking about what's in my LastPass vault if they were to get in. All of my email, financial accounts and any other important accounts are protected with traditional MFA or 2FA, whatever the specific organization allows. Good, I'm protected, right? Wrong. Other recent attacks irrefutably prove that traditional MFA and 2FA are phishable.
I am also using the LastPass MFA application, which backs up your MFA keys to the cloud. Great. If they get into my LastPass account, they also have my MFA keys; no need to even phish and socially engineer me into sending them an MFA code.
Then it hits me that my recovery key for my “Metamask Wallet” is stored in my LastPass vault. So not only can they get to my financial accounts, but also to my crypto wallet (not much stored there, but still).
Fixing all this will take multiple steps:
When considering how to secure your logins, keep in mind: