LastPass password manager site breached

Anthony Caruana
16 June, 2015

A few hours ago, password management service provider LastPass disclosed, through a blog post from CEO and founder Joe Siegrist, that suspicious activity had been discovered on the company’s network. Further investigation found that “LastPass account email addresses, password reminders, server per user salts and authentication hashes were compromised”.

The advice for LastPass customers is simple: go to your account and change your master password now. If you reused that master password on any other service, change it there as well. Bear in mind that password reminders are stored as plain text hints; if yours all but spells out your master password, treat that password as exposed everywhere you used it.

And, if you’re not already using multi-factor authentication with LastPass, it’s time to get with the program.

LastPass says that no encrypted vault data was taken, so there is no need to change the passwords for the sites and services you store in LastPass.
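To make concrete why leaked “server per user salts and authentication hashes” turn into advice to change the master password, here is an added illustration. It is not LastPass’s code, and the page does not describe the scheme LastPass actually uses; the PBKDF2-HMAC-SHA256 construction, the iteration count, the record layout and the wordlist are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the illustration; not a figure taken from the article.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_verifier(master_password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Build the server-side record for one user: a random per-user salt plus
    a slow hash of the master password. A login check compares against this,
    and it is roughly the kind of record the post says was taken."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    salt, iterations)
    return {"salt": salt, "iterations": iterations, "auth_hash": auth_hash}


def verify(record: dict, candidate: str) -> bool:
    """Server-side login check. The constant-time comparison avoids leaking
    how many leading bytes of the hash matched."""
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                            record["salt"], record["iterations"])
    return hmac.compare_digest(h, record["auth_hash"])


def offline_guess(record: dict, wordlist) -> Optional[str]:
    """What an attacker holding a leaked salt and hash can do: run the same
    function over guesses with no rate limit and no lockout. The per-user salt
    stops one precomputed table being reused across users, but it does not
    slow guessing against a single user; only the iteration count and the
    strength of the password itself do that."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


# Constructed wordlist standing in for a cracker's dictionary.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2015",
            "Password1", "lastpass", "iloveyou"]


def demo() -> dict:
    """Weak master password versus a long passphrase, both attacked offline
    from their leaked records."""
    weak = make_verifier("Summer2015")
    strong = make_verifier("corridor-tundra-4-velvet-spoon")
    return {
        "weak_cracked": offline_guess(weak, WORDLIST),
        "strong_cracked": offline_guess(strong, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows a dictionary-word master password being recovered from its leaked record while the passphrase survives the same wordlist. The salt forces the attacker to repeat the work for every user rather than once for everyone, which is exactly why a strong, unique master password and multi-factor authentication matter once the records are out of the company’s hands.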

Opinion

We live in a very complex world. Many of us access hundreds of sites, and many of those sites conduct a transaction when we share our data: we provide some personal information in return for a service or a convenience.

Given the sheer number of passwords we end up creating, we need a way to make remembering all those passwords and other account details manageable.

For a long time, we were taught that writing passwords down was a recipe for disaster and poor security practice. But the trouble isn’t writing down your password; it’s where you store that written copy.

Many large, highly security-conscious enterprises keep written copies of high-importance account information. But those copies are sealed in envelopes (often one inside another) and then stored in a safe or another secure location.

Access to the password vault is limited to a select number of people and usually requires at least two members of senior management for access.

In other words, the important data is in a secure location, in a tamper-evident container, with limited access.

LastPass is not an enterprise service, but we can learn from enterprises here.

Maybe it’s time to keep a secure list, on paper, rather than relying on service providers to manage our personal security.

Personally, I’m a very low-trust person when it comes to my personal data. I work on the assumption companies will be hacked and lose my data.

I’ve never heard of someone hacking a hand-written list stored in a drawer at home.

We live in the era of the mega-breach. Maybe it’s time to go back to the old ways, sacrifice some convenience and make our personal data our personal responsibility.

One Comment

One person was compelled to have their say. We encourage you to do the same.

  1. Paul Mah says:

    I still don’t think that writing down passwords on a piece of paper is a solution, but I will certainly be exploring offline methods of storing my passwords. Between this and Kaspersky being hacked recently, I think it is clear that nobody is immune to security breaches, and businesses will do more to explore additional defenses to detect intrusions the moment they take place (rather than assume attackers will never breach the network). – Paul Mah, commenting on behalf of IDG and FireEye.
