CYBER SUNDAY: Password vaults
By Brandon Blankenship, SecMidwest
Mar. 5, 2023 5:00 am
Last fall, one of the more high-profile password vaults, LastPass, experienced a massive breach, and all of us need to understand how we will interpret this.
Despite that breach, password vaults are still a great idea.
Password problems
One of the greatest dangers of such a breach is that it harms the efforts of IT directors to encourage password vault adoption by their employees.
Before we delve into that breach, we need to fully comprehend the problem that vaults are trying to solve.
The three main problems with passwords are that people reuse their passwords, people use short passwords, and people tend not to use multifactor authentication.
There is no way for a human to remember 300-plus passwords without reusing them, so if you’re not using some kind of a password vault, then you are reusing passwords.
What happened
LastPass didn’t do a great job of disclosing its breach. If you use that vault, it might be time to consider switching.
To its credit, LastPass revealed a source code incident in August and updated its users that “no customer data was accessed.”
However, that wasn’t the end of the story.
Three days before Christmas, the company issued a news release that stated, “The threat actor was also able to copy a backup of customer vault data from the encrypted storage container.”
Whoa. What?
LastPass swore up and down that its vault was encrypted and that any data exfiltrated would be extremely difficult to “brute-force.”
We all understand, though, that brute force isn’t the only weapon in the bad guys’ arsenal. Bad actors also use rainbow tables, pattern matching and dictionary words.
Yes, multifactor authentication matters. Yes, they claim not to know the master password. But the fact remains sensitive data is in the bad guys’ hands.
After that disclosure, I spent a good chunk of a day resetting passwords across the board. The kids were playing with presents while I was resetting passwords. Great.
The central issue to me is that the company had some kind of major incident in August, and in its initial disclosure implied that very little was wrong.
Then over the next three and a half months, it had a series of events and revelations, culminating in revealing the bad news just as everyone was traveling, wrapping presents and eating beef Wellington.
Is announcing this, three days before Christmas, really the right move? The optics don’t look good, yet it technically counts as a public disclosure.
It reminds me of when politicians reveal bad news on Friday, hoping nobody will notice.
I’m fed up with LastPass.
Revisit passwords
The good news is that other password vaults are available. I won’t be listing them, as doing so would imply an endorsement.
This is a fantastic time to revisit your own password use. When you log in to your 401(k), do you use a long, unique password that is protected by multifactor authentication? Have you audited all the passwords you care about?
Many organizations have begun offering multifactor authentication in recent years but don’t force their customers to use it.
Now might be a great time to do a full review of your logins to everything that you consider critical, because it would be a shame to learn too late that a bank offered you multifactor authentication but you declined to use it.
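The review the column calls for can be scripted. The Python below is an added example, not code from the column or from any vault vendor: it runs over a constructed vault export and flags the three problems named earlier (reused passwords, short passwords and logins without multifactor authentication), then orders the resets with critical accounts first. The sample accounts and the 14-character minimum are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample export: (account, password, mfa_enabled, critical).
# Every value here is made up for illustration.
SAMPLE_ACCOUNTS = [
    ("bank.example", "Tr0ub4dor&3-river-lamp", True, True),
    ("retirement.example", "Summer2022!", False, True),
    ("email.example", "Summer2022!", True, True),
    ("forum.example", "hunter2", False, False),
    ("shop.example", "Summer2022!", False, False),
]

MIN_LENGTH = 14  # assumed floor; pick what your own policy requires


def fingerprint(password: str) -> str:
    # Compare hashes rather than plaintext so the report never carries a password.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit(accounts):
    """Return the three findings the column names: reuse, short passwords, missing MFA."""
    by_hash = defaultdict(list)
    short, no_mfa = [], []
    for account, password, mfa, _critical in accounts:
        by_hash[fingerprint(password)].append(account)
        if len(password) < MIN_LENGTH:
            short.append(account)
        if not mfa:
            no_mfa.append(account)
    # A fingerprint shared by two or more accounts is a reused password.
    reused = {h: sorted(a) for h, a in by_hash.items() if len(a) > 1}
    return {"reused": reused, "short": sorted(short), "no_mfa": sorted(no_mfa)}


def reset_priority(accounts):
    """Accounts to reset first after a vault-provider breach: critical logins with any finding."""
    findings = audit(accounts)
    flagged = set(findings["short"]) | set(findings["no_mfa"])
    for group in findings["reused"].values():
        flagged.update(group)
    critical = {account for account, _, _, is_critical in accounts if is_critical}
    return sorted(flagged & critical) + sorted(flagged - critical)


if __name__ == "__main__":
    for name, hit in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {hit}")
    print("reset in this order:", reset_priority(SAMPLE_ACCOUNTS))
```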
At the end of the day, don’t become complacent about protecting your passwords.
Brandon Blankenship is a cybersecurity consultant at ProCircular and a board member of SecMidwest, a Cedar Rapids-based nonprofit focused on cybersecurity education; SecMidwest.org. Comments: bblankenship@procircular.com