LastPass hack aftermath: can we trust password managers?


Hackers stole copies of LastPass customers' vaults and might attempt to decrypt them. The incident has undoubtedly shaken an online community that has repeatedly been asked to trust password managers.


"The recent news that LastPass suffered a data breach is likely to spook users and prospective customers alike. It will almost certainly damage trust in LastPass – more so than the average company suffering a similar incident, simply because of the nature of LastPass's product and its claims to keep your data safe," tech expert and Senior Writer at Tech.co, Aaron Drapkin, told Cybernews.

The attackers copied a backup of customer vault data and "may attempt to use brute force to guess your master password and decrypt the copies of vault data they took."

Looking for an alternative?

Experts and users are understandably frustrated, leaving LastPass struggling to maintain its reputation in its field. A survey of over 1,000 Americans by Security.org, a website that tests cybersecurity products, found that LastPass slipped from being the most popular password manager in 2021 to fourth place in 2022.

Note that the survey was conducted in November – about a month before LastPass shared details about what was stolen in the breach. Security.org experts estimate that nearly 45 million Americans use password managers.


LastPass doesn't know its users' master passwords. The company gave reassurances that customers with strong master passwords shouldn't worry – "it would be extremely difficult to brute-force guess master passwords for those customers who follow our password best practices."

"Even with the LastPass breach, users are probably in a more secure position than people who don't use a password manager," Nabil Alsharif, a software engineer and information security consultant, told Cybernews.

He presumes that some users are already migrating to other password managers, and there are several trustworthy alternatives to choose from.

"LastPass's failure to update its users' security settings and the fact that it hasn't been more upfront with the impact of the hack in its disclosures have only made the situation worse and further eroded user trust. As a result, I expect LastPass to never be able to completely recover from this breach, especially as users migrate to other password managers like Bitwarden," Alsharif added.


Beware of phishing

Paul Matvey, Cybersecurity Manager at Echelon, called the recent LastPass breach its worst breach ever because it lost the one thing it absolutely couldn't afford to lose – customer password vaults.

"This is a humbling event for both operators and users of this service. LastPass users will now need to begin finding means to mitigate the results of this compromise, including changing their master key and passwords, starting with critical accounts," he said.

The good news is that LastPass, as mentioned, doesn't know its users' master passwords and protects them with slow password-hashing algorithms, so brute-forcing a strong master password would take attackers a very long time, assuming it is feasible at all.
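To make that argument concrete, the following added example (not code from the article or from LastPass) shows why the slowness of the password-hashing step and the strength of the master password together determine how long a brute-force attempt on a stolen vault would take. It assumes PBKDF2-HMAC-SHA256 as the stretching function, an illustrative iteration count, a constructed salt and a constructed attacker throughput; none of those parameters come from the article.

```python
import hashlib
import math
import os
import time

# Assumed parameters, not taken from the article: a PBKDF2-HMAC-SHA256 key
# derivation with a six-figure iteration count stands in for the "strong
# hashing" the article mentions. Iteration count and salt are illustrative.
ITERATIONS = 100_000
SALT = os.urandom(16)  # constructed per run; a real vault uses a per-user salt


def derive_vault_key(master_password: str, salt: bytes = SALT,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2.

    The provider keeps only the stretched result, which is why it cannot
    recover the master password; an attacker holding a stolen vault has to
    repeat this work for every single guess.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits: float) -> float:
    """On average an attacker must try half the keyspace before succeeding."""
    return 2.0 ** (entropy_bits - 1)


def seconds_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock time for an exhaustive search at the given rate."""
    return expected_guesses(entropy_bits) / guesses_per_second


def iteration_cost_multiplier(old_iterations: int, new_iterations: int) -> float:
    """How much more expensive every guess becomes when iterations are raised."""
    return new_iterations / old_iterations


def measure_derivation_seconds(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Time one PBKDF2 derivation on this machine (single core, no GPU)."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("timing-probe", iterations=iterations)
        best = min(best, time.perf_counter() - start)
    return best


def crack_time_table(guesses_per_second: float) -> dict:
    """Expected crack time in seconds for a few master-password shapes."""
    shapes = {
        "8 chars, lowercase only": password_entropy_bits(8, 26),
        "8 chars, full printable ASCII": password_entropy_bits(8, 95),
        "12 chars, full printable ASCII": password_entropy_bits(12, 95),
        "5 random words from a 7776-word list": password_entropy_bits(5, 7776),
    }
    return {name: seconds_to_crack(bits, guesses_per_second)
            for name, bits in shapes.items()}


if __name__ == "__main__":
    one = measure_derivation_seconds()
    # Constructed assumption: an attacker with 100,000x the throughput of this
    # single core (a GPU farm). It is an illustration, not a measurement.
    attacker_rate = 100_000 / one
    print(f"one derivation: {one * 1000:.1f} ms; "
          f"assumed attacker rate {attacker_rate:,.0f} guesses/s")
    for name, secs in crack_time_table(attacker_rate).items():
        print(f"{name:40s} {secs / 86400 / 365:,.2e} years")
    # Constructed iteration counts, chosen only to show the linear effect.
    print("raising 5,000 -> 100,000 iterations multiplies attacker cost by",
          iteration_cost_multiplier(5_000, 100_000))
```

Two things the table makes visible that the prose does not: the iteration count scales attacker cost only linearly, whereas each extra character of a random master password scales it exponentially, so a user's choice of master password matters far more than the provider's default work factor; and a short lowercase password stays crackable regardless of how high the iteration count is set.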

"One of the concerning things about the LastPass breach is that some of the metadata fields were not encrypted, such as the URLs of sites visited by the users. Therefore, threat actors have an inventory of many services you use and secrets you possess, which gives them greater intelligence to use in targeted attacks," Matvey said.


For this reason, LastPass users should remain vigilant and look out for phishing attempts.

"The trouble with the LastPass breach is the scale of duplicate passwords and the metadata that reveals usernames, emails, company data, and even IP addresses. Paired together, cybercriminals get the effect of a successful phishing campaign without sending a single email or SMS – all the credentials, with none of the hassle to phish for each one individually," Lior Yaari, CEO of the Israel-based cybersecurity startup Grip Security, told Cybernews.

"When selecting a password manager, choose one that works across all of your platforms and devices and encrypts all of the data in your vault. And be sure that you choose a strong and unique main password for your password manager itself to keep your credentials secure," Gary Orenstein, chief customer officer at the password management provider Bitwarden, told Cybernews.