A few hours ago, password management service provider LastPass disclosed, through a blog post from the CEO and founder Joe Siegrist, that suspicious activity had been discovered on the company’s network. Further investigation found “LastPass account email addresses, password reminders, server per user salts and authentication hashes were compromised”.
The advice for LastPass customers is simple – go to your account and change your Master password right now. A per-user salt together with the authentication hash is exactly what an attacker needs to guess master passwords offline, at their own pace and with no lockouts, so a short or guessable Master password should be treated as exposed. And, if you use that Master password as the password on any other service, you ought to change it there as well.
And, if you’re not already using multi-factor authentication with LastPass, it’s time to get with the program.
LastPass is saying that no encrypted vault data was taken, so there's no need to change the passwords for the sites and services you store in LastPass. Bear in mind, though, that password reminders were among the data taken: if your reminder gives away your Master password, or a password you reuse elsewhere, treat that password as exposed too.
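To make concrete why a leaked salt plus authentication hash matters even when nothing else is taken, here is an added example that is not part of the original post and does not reproduce LastPass's actual scheme. It assumes a generic PBKDF2-HMAC-SHA256 authentication hash with a per-user salt (the iteration count and the two constructed user records are illustrative assumptions) and shows that an attacker holding the leaked record can test master-password guesses entirely offline, that a weak password falls to a small wordlist while a long random one does not, and that the per-user salt only stops one precomputed table from covering every user, not guessing against one user.

```python
import hashlib
import hmac

# Assumed KDF settings for illustration only; not LastPass's real parameters.
ITERATIONS = 5000
DKLEN = 32


def auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Server-side authentication hash: PBKDF2-HMAC-SHA256 over the master password and per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, DKLEN)


def make_leaked_record(email: str, master_password: str, salt: bytes) -> dict:
    """Build the kind of record an attacker would hold after the breach: email, salt, hash (no plaintext)."""
    return {"email": email, "salt": salt, "auth_hash": auth_hash(master_password, salt)}


def offline_guess(record: dict, candidates) -> tuple:
    """Offline guessing: recompute the hash for each candidate and compare.

    No server is contacted, so rate limits and lockouts never apply; the only
    cost is the KDF work per guess. Returns (recovered_password_or_None, guesses_tried).
    """
    tried = 0
    for guess in candidates:
        tried += 1
        if hmac.compare_digest(auth_hash(guess, record["salt"]), record["auth_hash"]):
            return guess, tried
    return None, tried


def salt_defeats_shared_table(password: str, salt_a: bytes, salt_b: bytes) -> bool:
    """True when the same password hashes differently under two users' salts,
    i.e. one precomputed table cannot cover both users."""
    return auth_hash(password, salt_a) != auth_hash(password, salt_b)


# Constructed sample data (fixed salts so the run is reproducible; real salts are random).
SALT_A = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")
WEAK_USER = make_leaked_record("alice@example.test", "letmein2015", SALT_A)
STRONG_USER = make_leaked_record("bob@example.test", "crater-violin-quartz-umbrella-47", SALT_B)

# A tiny constructed wordlist standing in for the multi-million-entry lists attackers really use.
WORDLIST = ["password", "123456", "qwerty", "lastpass", "letmein", "letmein2015", "welcome1"]


if __name__ == "__main__":
    for rec in (WEAK_USER, STRONG_USER):
        found, n = offline_guess(rec, WORDLIST)
        print(f"{rec['email']}: {'CRACKED ' + found if found else 'not found'} after {n} guesses")
    print("per-user salt blocks a shared table:", salt_defeats_shared_table("letmein2015", SALT_A, SALT_B))
```

The point the run makes is the one behind the advice above: the per-user salt forces the attacker to do the guessing work once per account, but for any single account the leaked hash lets them try as many guesses as their hardware allows. Changing the Master password invalidates the leaked hash; picking a long one makes the wordlist pass fail in the first place.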
We live in a very complex world. Many of us access hundreds of sites, and with many of them the relationship is a transaction: we hand over some personal information in return for a service or a convenience.
The sheer number of passwords we end up creating means we need some way to make remembering all those passwords and other account details easy.
For a long time, we’ve been taught that writing passwords down was a recipe for disaster and a poor security practice. But the trouble isn’t writing down your password – it’s where you store that written copy.
Many large, highly security-conscious enterprises keep written copies of high-importance account information. But those copies are secured in sealed envelopes (often more than one envelope is used) and then stored in a safe or other secure location.
Access to the password vault is limited to a select number of people and usually requires at least two members of senior management for access.
In other words, the important data is in a secure location, in a tamper-evident container, with limited access.
LastPass is not an enterprise service, but we can learn from enterprises here.
Maybe it’s time to keep a secure list, on paper, rather than relying on service providers to manage our personal security.
Personally, I’m a very low-trust person when it comes to my personal data. I work on the assumption companies will be hacked and lose my data.
I’ve never heard of someone hacking a hand-written list stored in a drawer at home.
We live in the era of the mega-breach. Maybe it’s time to go back to the old ways, sacrifice some convenience and make our personal data our personal responsibility.