The LastPass Scandal Shows It's Time to Leave Passwords Behind


If you’ve been following the LastPass data-leak scandal, you know something is terribly wrong with internet security. Passwords have never been an ideal way to access your accounts, but they’re the best we’ve come up with since the 1960s. We’re well into the 21st century. It’s time to move on.

What Happened with LastPass?

To sum up the LastPass data breach: hackers stole everything. The password management company suffered a data breach back in August, and at the time, LastPass claimed that customer data, accounts, encrypted vault data, and master passwords were safe.

However, as 2022 draws to a close, we’ve learned that almost none of that is true. In subsequent blog posts, the company admitted that the hackers were “able to gain access to certain elements of our customer’s information,” and later that they had obtained a “backup of customer vault data.”

According to the blog post, the backup data contained “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” We’ve reached out to LastPass for more information regarding the contents of the stolen backup.

Throughout the saga, LastPass has insisted that the stolen information remains encrypted and that the hackers can only get customer information if they have the user’s master password, and that if customers followed LastPass’s best practices, it would take “millions of years” to decrypt the info. That claim was taken apart a few days later by LastPass competitor 1Password.

Where does that leave LastPass customers? Not in a good place. At the very least, they should manually change every single password for the accounts they use. But that won’t help against the information hackers have already stolen, which is a nightmare scenario. There’s really not much to do except hope the hackers don’t break the master password.

How Are You Crafting Your Passwords?


But it’s not just LastPass customers that should be concerned. Whether you use a password manager or not, password security comes down to a central point of failure: how you craft your passwords and master passwords.

Making a strong password isn’t as straightforward as people think. Only truly randomized passwords are secure from brute-force attacks, in which hackers try thousands or millions of possible passwords. Typically, these attacks are thwarted by limits on the number of login attempts. But when hackers have unlimited tries (as with the stolen LastPass data), it’s only a matter of time before they can break any password.

So, how are you crafting your master password, or if you don’t use a password manager, all your passwords? Generally, people use mnemonic devices to help them remember their passwords. For example, if you use the title of your favorite movie to remember your password, Star Trek II: The Wrath of Khan could become “$t4rTr3K2:7h#wR@tH0FkH@n.”

That seems like a pretty strong password, right? Unfortunately, no. As Jeffrey Goldberg points out in his takedown of LastPass’s “millions of years” security claim, it’s precisely those types of mnemonic passwords that hackers will try to guess first.

Sometimes, users who don’t use password managers will have a somewhat strong password scheme for multiple accounts. They create a more-or-less randomized password, but change a character or two depending on the service. So “j$0&,81)*b?-” becomes “j$0&,81)*b?-Fb” for Facebook, “j$0&,81)*b?-tW” for Twitter, and so on. This might seem like a good scheme, but if just one of your passwords is exposed, it’s not a long stretch for smart hackers to deduce all the others.
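A back-of-the-envelope version of this argument, added here as an example that is not part of the original article: it estimates how many guesses each of the three password styles described above leaves an attacker who has unlimited tries. The per-letter substitution counts and the one-million-title list size are assumptions, not measurements.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Constructed table: how many spellings a guesser must try per letter when the
// letter, its capital and the common look-alike symbols are all candidates
// (a,A,@,4 for 'a'; e,E,3,# for 'e'; i,I,1,! for 'i'; o,O,0; s,S,$,5; t,T,7).
var lookAlikes = map[rune]int{'a': 4, 'e': 4, 'i': 4, 'o': 3, 's': 4, 't': 3}

// MnemonicBits estimates the effective search space, in bits, of a password
// built by mutating a phrase that itself comes from a list of phraseListSize
// well-known candidates (film titles, song lyrics, quotations).
func MnemonicBits(phrase string, phraseListSize float64) float64 {
	bits := math.Log2(phraseListSize) // guessing which phrase was used
	for _, r := range strings.ToLower(phrase) {
		switch {
		case lookAlikes[r] > 0:
			bits += math.Log2(float64(lookAlikes[r]))
		case r >= 'a' && r <= 'z':
			bits += 1 // upper- or lower-case
		case r == ' ':
			bits += 1 // space kept or dropped
		}
		// digits and punctuation are copied from the phrase: one candidate, 0 bits
	}
	return bits
}

// RandomBits is the search space of n characters chosen uniformly at random
// from an alphabet of the given size (95 = printable ASCII).
func RandomBits(n, alphabet int) float64 {
	return float64(n) * math.Log2(float64(alphabet))
}

// SchemeTagBits: once one password of a "random base + per-service tag" scheme
// has leaked, only the tag is unknown, so that is all the attacker must guess.
func SchemeTagBits(tagLen, alphabet int) float64 { return RandomBits(tagLen, alphabet) }

func main() {
	// 1e6 is an assumed size for a list of well-known titles, not a measured figure.
	fmt.Printf("mnemonic built from a film title:  %5.1f bits\n", MnemonicBits("Star Trek II: The Wrath of Khan", 1e6))
	fmt.Printf("random, same 24 characters:        %5.1f bits\n", RandomBits(24, 95))
	fmt.Printf("service-tag scheme after one leak: %5.1f bits\n", SchemeTagBits(2, 95))
	fmt.Printf("random 12-character password:      %5.1f bits\n", RandomBits(12, 95))
}
```

The 24-character mnemonic comes out near 61 bits against roughly 158 for a random string of the same length, and the "change two characters per service" scheme leaves only about 13 bits once a single password has leaked.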

Password Managers Are a Great Solution for Some

Password managers are an excellent solution to this problem. And for the most part, services like 1Password provide exceptional security and have multiple layers of protection and redundancies to keep your randomly generated passwords safe. It’s worth pointing out that 1Password has never suffered a data breach, much less a catastrophic one like the one LastPass just experienced.

But that doesn’t mean it never will. And while we hold 1Password in high esteem at Review Geek, in the world of high-tech crime, nothing is ever totally secure. Bad actors are working as hard to defeat these protections as security professionals are to build them. There’s just too much money and power to be had in stealing people’s personal information.

And there’s the problem of trust. Many people don’t like password managers because they don’t like having all their data residing with a third party, no matter how good the security is. And the LastPass data breach will only fuel this distrust further.

Is Two-Factor Authentication Enough?


All this may seem academic for those who use two-factor authentication (2FA) for their internet accounts. 2FA adds an additional layer of protection, such as sending you a text message or requiring you to use an app like Authenticator (iOS, Android) to receive a unique code every time you log in. This helps if bad actors guess your password: they’ll be stopped when they reach the 2FA login step. It can also serve as an early warning that someone is trying to access your accounts.

Services like financial institutions, social media, employers, and many more highly recommend (and in some cases require) users to enable this layer of protection. And it’s proved to be an effective way to keep your accounts safe.

But 2FA is not foolproof. It’s only as good as the user who employs it. For example, 2FA codes are subject to phishing attacks. Clever hackers can trick users into giving up their information. Sometimes, bad actors will have access to your phone and can access the 2FA code that way. In rare cases, hackers could even spoof your phone number to intercept your 2FA code. And there are sure to be more ways to subvert the protection of 2FA codes as hackers become even more skilled at stealing information.

Enter Passkeys


Technology professionals have known about these weaknesses in passwords for a very long time. And last year, tech giants including Apple, Google, and Microsoft all committed to introducing a new security measure known as “Passkeys” to help secure their customers’ data. Their efforts were coordinated through an industry-wide consortium known as the FIDO Alliance.

A Passkey is an authentication method that’s stored locally on your device, such as a smartphone or a laptop. When you create your Passkey, your device becomes your authentication method and uses biometric data like face scanners, fingerprint readers, iris scanners, and voice recognition to verify your identity. This means that you’ll never have to create or remember a password again. And, at least for now, Passkeys aren’t vulnerable to traditional hacking methods like brute-force attacks and phishing scams.
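Added here as an example, not code from the article or from the FIDO Alliance, this Go sketch models the challenge-response at the heart of a passkey: the device keeps a private key per site, signs a fresh challenge together with the site's identity, and the site checks the signature with the public key it stored at registration. Site names are illustrative, the challenge is a constructed constant, and the biometric user-verification step, attestation and signature counters of real WebAuthn are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device: one key pair per site (its domain, the relying-party ID); private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a passkey for rpID; the site stores only the public key, so its database holds no login secret.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a login challenge. The browser, not the page, supplies origin, so a look-alike domain finds no key.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", origin)
	}
	digest := sha256.Sum256(append([]byte(origin), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the site's check: the signature must cover its own rpID and its fresh challenge, so relays and replays fail.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	digest := sha256.Sum256(append([]byte(rpID), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	dev := NewAuthenticator()
	pub, _ := dev.Register("example.com") // illustrative site name
	challenge := []byte("constructed challenge; real sites use crypto/rand")
	sig, _ := dev.Sign("example.com", challenge)
	fmt.Println("genuine login verifies:", Verify(pub, "example.com", challenge, sig))
	_, err := dev.Sign("examp1e.com", challenge) // look-alike site relaying the real challenge
	fmt.Println("look-alike site:", err)
}
```

Because the signed data includes the origin the browser is actually on, a page that lures the user to a look-alike domain gets no usable signature, which is the property behind the phishing-resistance claim above.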

But what if you lose your authentication device? The great thing about passkeys is that the companies developing them will keep a secure backup of your passkey in case you ever need to recover it. For example, Apple will back up your passkey to your iCloud keychain, and you can transfer it between devices, even new ones, as needed.

Apple and Google both introduced Passkeys this year, and Microsoft introduced its own passwordless solution in 2021. Technology services across the world are moving quickly to implement the technology to keep their customers safe. Even password managers like 1Password, Dashlane, and LastPass itself are adopting it.

So, now that 2022 is coming to a close, it’s time that we leave the archaic model of passwords behind and embrace a new, more secure online world.
