LastPass security has been compromised. So what? Davey Winder won't be changing his master password
The news that LastPass network security has been compromised is, of course, a serious issue. That the company being breached was one that provides a password-management service ratchets up the seriousness by a notch – or ten. So why am I, someone who has built a career on writing about IT security, not pulling my hair out about it? Well, beyond the fact that I have none to tug at, the LastPass “breach” isn't as big a deal for some of us as it is for others.
"We have found no evidence that encrypted user vault data was taken nor that LastPass user accounts were accessed," a LastPass spokesperson tells us. So what's all the fuss about, you may ask – where's the risk? Well, it's twofold as I see it. First, since email addresses and associated password reminders have been compromised, I'd expect to see targeted phishing attempts in the form of fake master-password-reset messages. I'd like to think I wouldn't fall for those.
As for the second risk, weak master passwords will currently be subject to brute-force cracking attempts, courtesy of the server-side per-user salts and authentication hashes being accessed. As far as such cracking attempts go, the fact that LastPass strengthens those authentication hashes with a random salt and throws in an additional 100,000 rounds of server-side PBKDF2-SHA256 for good measure makes it harder to break them. However, if the master password is poor then it will still be open to brute-force attacks; it will just take a bit more time to crack it.
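To put numbers on that "a bit more time", here is an added Python model (not LastPass's own code) of a salted authentication hash at the 100,000 PBKDF2-SHA256 rounds mentioned above: it times one guess on the local machine and works out the expected offline search time for passwords of different strength. It assumes that single salted, iterated stage is the whole hash, which is a simplification; the password profiles are constructed for illustration.

```python
import hashlib
import math
import os
import time

ROUNDS = 100_000  # server-side PBKDF2-SHA256 round count cited in the article


def authentication_hash(master_password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted, iterated authentication hash: PBKDF2-HMAC-SHA256 -> 32 bytes.

    Assumption: only the per-user salt plus server-side rounds are modelled;
    any further processing the real service applies is not represented here.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, rounds, dklen=32)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def expected_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected offline search time: on average half the keyspace must be tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def measure_guesses_per_second(rounds: int = ROUNDS, samples: int = 5) -> float:
    """Time a few derivations on this machine to get a single-core guess rate."""
    salt = os.urandom(16)  # constructed throwaway salt
    start = time.perf_counter()
    for i in range(samples):
        authentication_hash(f"candidate-{i}", salt, rounds)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # The per-user salt defeats precomputed tables: one password, two salts, two hashes.
    assert authentication_hash("hunter2", b"user-a-salt", 1000) != authentication_hash("hunter2", b"user-b-salt", 1000)

    rate = measure_guesses_per_second()
    print(f"~{rate:,.1f} guesses/s per core at {ROUNDS:,} rounds on this machine")
    # Constructed password profiles: a 6-digit PIN, an 8-letter lower-case word,
    # and a 25-character random string over printable ASCII (the author's style).
    profiles = (("6-digit PIN", 10, 6), ("8 lower-case letters", 26, 8),
                ("25 random printable chars", 94, 25))
    for label, alphabet, length in profiles:
        bits = entropy_bits(alphabet, length)
        years = expected_seconds_to_crack(bits, rate) / (365 * 24 * 3600)
        print(f"{label:28s} {bits:6.1f} bits  ~{years:.3g} years on one core")
```

The gap between the first two profiles and the third is the whole argument: the rounds multiply every guess's cost by the same factor, so only the size of the keyspace decides whether "a bit more time" means minutes or longer than the age of the universe.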
So LastPass is forcing a master password change on most users, and asking for email verification from those who log in from a new device or IP address. I won't, however, be changing my master password, nor have I (let's have a look) for 442 days now because it's random, it's complex, it's more than 25 characters long, it isn't used anywhere else, and I can remember it off by heart. In addition, it's backed up by the following two magic words: multifactor authentication.
Boom! As far as I'm concerned, all that effort to get into the periphery of the LastPass network is for nothing because I use a strong master password backed up by multifactor authentication. Even if my master password was somehow compromised, the attacker would then have to access my YubiKey (a physical token) in order to decrypt my password vault. These “advanced settings” are free to use and have been available to users for some time – plus, you don't have to purchase a YubiKey; you can use a free-to-download app such as Google Authenticator if you like. Why wouldn't you use two-factor authentication (2FA) at any site or service where it's offered? No, seriously?
Talking of advanced settings, there's another one that I use that provides me with yet another layer of confidence in my data being reasonably safe with LastPass, and that's a geographical-access lockdown. You can set “country restrictions” that enable you to decide the countries from where your password vault can be accessed. I keep this locked down to the UK unless I'm traveling abroad, in which case I enable that specific location before I depart. Oh, and I don't allow logins from Tor networks either. Paranoid, moi? No, just sensible about restricting access to those keys to the kingdom. As you should be too.
What worries me most about the LastPass compromise is not, oddly enough, the compromise itself but the response to it; and especially that of the media – both professional and social. There seems to be an underlying feeling of delight being taken in kicking LastPass, and plenty of “told you so”-type reporting. But what exactly did you tell us? What exactly has happened here? No encrypted password data has been compromised as far as we can see, and LastPass has been pretty transparent in disclosing the event and putting steps in place to further secure user confidence.
What would the media naysayers have us do? Revert to pen and paper, or a more technical “encrypt it yourself” solution maybe? I've seen both suggested, and neither reduces the risk for the average Joe; just the opposite, in fact. Maybe move to a different password-management provider? Again, how does that help when you don't know how they'd respond when – not if – they suffer a breach? At least you know that LastPass is on the ball when it comes to breach response.
For me, a password manager remains the most secure option for most people, and if you follow my lead and combine a strong master password with multifactor authentication and some login lockdown options, you reduce the risk of compromise as much as is humanly possible.
And that, dear reader, is why I don't need to change my master password; or my password manager for that matter.