LastPass Security Breach
01-11-23: LastPass Security Breach:
LastPass Users have been hacked & they MUST take immediate action to protect themselves:
Dealing with passwords requires constant attention to security, and given how easily our digital lives generate extensive lists of passwords, several VCC presentations have provided password management strategies. These presentations have focused on two approaches: one non-cloud-based, relying on an encrypted spreadsheet, and the other relying on cloud-based commercial services like LastPass.
Previously, LastPass has been a featured cloud-based service, in part because a world-class security expert, Steve Gibson, endorsed and used LastPass based on his extensive analysis of LastPass security.
However, Gibson has recently stopped using LastPass and switched to Bitwarden because he feels LastPass has failed to update its security in keeping with advances in hardware and software, and that it now contains deficiencies that have contributed to the recent LastPass security breach. Gibson also references Dashlane and 1Password as services he has examined, but he currently prefers Bitwarden. AS A RESULT OF GIBSON’S ACTION, TWO VCC BOARD MEMBERS WHO HAVE BEEN LONG-TIME LastPass USERS ARE ACTIVELY LOOKING AT ALTERNATIVES SUCH AS BITWARDEN.
We strongly recommend that any current users of LastPass reassess their continued use of this app in light of Gibson’s move. At a minimum, users must change their master password and use a much stronger master password of at least 15 random characters (more is better). If a short master password (8 characters) has been used previously, then any password information stored on LastPass may be vulnerable, because hardware advances have made it possible for hackers to “guess” short passwords. We strongly recommend monitoring any accounts whose login information was stored in LastPass accounts secured with short master passwords, and we also strongly recommend changing the login information for those accounts.
Lastly, an encrypted spreadsheet is an excellent alternative approach that avoids cloud-based services. See the VCC website for presentations on password management systems; they all include information about encrypted spreadsheets. The most current presentation is “Password Management”, given on 4/1/2022 by Campbell & Cronas. Here is the link:
https://drive.google.com/file/d/1SKTUvBUdOoV9gkpZ7rdEknkxEtSa0Bmi/view