To our valued clients,
Many may have heard about the recent data breach at LastPass, a popular password vault and management solution. This was a combination of two incidents and has sparked a lot of debate in the IT community and raised questions about LastPass and their ability to secure some of your most important information.
You can read their public releases regarding the incident here:
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
The Tech Group still recommends using password managers. The benefits substantially outweigh the risks. There are many options and different approaches to password management that should be taken into consideration when choosing a solution. Some options to consider (not a comprehensive list) are cloud vs. local, individual vs. shared, browser plugin functionality, automatic rotation and dark web reporting.
The recent LastPass incident leaked hashed (encrypted) passwords. While the hashes use a high level of encryption, it is possible to decrypt them if a short master password was used. LastPass has required a 12-character master password since 2018. If your master password is shorter than 12 characters, you should assume those passwords have been compromised and change them immediately. If your master password is 12 characters or longer, you should assume that at some point in the future technology will become advanced enough to decrypt your password, so all of your stored passwords should still be changed in the near future. In all cases your master password should be changed immediately.
Credential Protection Recommendations from Tech Group
- Enable MFA/2FA (multifactor or two-factor) authentication everywhere possible
- Use a 25-character master password/passphrase
- Length is better than complexity
- Number-for-letter substitutions are not effective
- Never use personal information as part of your password
- Use human-readable passphrases with numbers and symbols (sometimes you do need to type them)
- Passwords should be a minimum of 12 characters
- Change your master password on an annual basis
- Use a dark web monitoring service to see when any of your credentials are publicly available
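To make the length-versus-complexity advice above concrete, here is an added example (not from the advisory, from LastPass, or from the Tech Group) that estimates how long an offline attacker would need to exhaust the search space of each password style discussed. The guess rate, the cracking-dictionary size and the candidate list are constructed assumptions for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95      # letters, digits and symbols on a US keyboard
LOWERCASE = 26
DICEWARE_WORDS = 7776     # size of a typical diceware wordlist
COMMON_WORDS = 100_000    # constructed: size of an attacker's word dictionary


def random_password_bits(length: int, charset_size: int) -> float:
    """Search space (bits) for a password drawn uniformly from a charset."""
    return length * math.log2(charset_size)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Search space (bits) for N words drawn uniformly from a wordlist."""
    return words * math.log2(wordlist_size)


def leet_word_bits(wordlist_size: int, swappable_letters: int) -> float:
    """A dictionary word with number-for-letter swaps (a->@, o->0, ...).
    The attacker simply tries each swappable letter both ways, so every
    such position adds at most one bit on top of the dictionary lookup."""
    return math.log2(wordlist_size) + swappable_letters


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time for an offline attacker to try every candidate once."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float) -> list:
    """Rank the password styles from the advisory by search space."""
    candidates = {
        "8 chars, full keyboard": random_password_bits(8, PRINTABLE_ASCII),
        "'P@ssw0rd'-style word, 3 swaps": leet_word_bits(COMMON_WORDS, 3),
        "12 chars, full keyboard": random_password_bits(12, PRINTABLE_ASCII),
        "25 lowercase letters": random_password_bits(25, LOWERCASE),
        "6-word diceware passphrase": passphrase_bits(6, DICEWARE_WORDS),
    }
    rows = [(name, bits, years_to_exhaust(bits, guesses_per_second))
            for name, bits in candidates.items()]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    # Constructed rate: 1e9 guesses/s (a fast hash on a GPU rig); a slow
    # vault key-derivation function would cut this by orders of magnitude.
    for name, bits, years in compare_policies(1e9):
        print(f"{name:32s} {bits:6.1f} bits  {years:12.3g} years")
```

The ranking shows why 25 plain lowercase letters beat 8 characters of full-keyboard complexity, and why a substituted dictionary word sits at the bottom regardless of how many digits replace letters.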