diff --git a/brainsteam/content/posts/2022/12/27/post-lastpass-password-management/index.md b/brainsteam/content/posts/2022/12/27/post-lastpass-password-management/index.md index fae14b2..d08d1ee 100644 --- a/brainsteam/content/posts/2022/12/27/post-lastpass-password-management/index.md +++ b/brainsteam/content/posts/2022/12/27/post-lastpass-password-management/index.md @@ -20,13 +20,14 @@ tags: {{
}} -Earlier this month [LastPass revealed that they had been breached](https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/) and then a few days later that [that their customer's encrypted password data was stolen](https://www.tomsguide.com/news/lastpass-hack-was-even-worse-than-originally-reported-should-you-delete-your-account). Following a couple of years of controversy including [earlier breaches](https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/) and [price rises](https://alternativeto.net/news/2022/1/lastpass-seemingly-deliberately-holding-users-password-data-hostage-alongside-new-pricing-plans/), this latest breach hasn't been a particularly good look for them. +Earlier this month [LastPass revealed that they had been breached](https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/) and then a few days later that [that their customer's encrypted password data was stolen](https://www.tomsguide.com/news/lastpass-hack-was-even-worse-than-originally-reported-should-you-delete-your-account). Following a couple of years of controversy including [earlier breaches](https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/) and [price rises](https://alternativeto.net/news/2022/1/lastpass-seemingly-deliberately-holding-users-password-data-hostage-alongside-new-pricing-plans/), this latest breach hasn't been a particularly good look for them. I've been an LP user for a few years, but this latest breach has me concerned - particularly because their customer data vaults have been exposed. + + +_**Quick disclaimer:** I'm not specifically a security expert but I've been the CTO at a small tech firm for the last 6 years and data breaches are one of the topics that keep me up at night and make me sweat at work on a regular basis. 
I probably spend an unhealthy amount of time thinking and worrying about this stuff_ ## Making Good Use of Time Bought with LastPass' Strong Encryption -Let me be up front about the fact that I am a Machine Learning specialist, not a security expert. That said, I've been the CTO at a tech firm for the last 6 years and data breaches are one of the topics that keep me up at night and make me sweat at work on a regular basis. - -So then, on the subject of the LastPass breach: the good news is that LastPass uses pretty strong encryption to store customer password vaults so, in the worst case, it might take hackers years or centuries to break in to your account depending on the strength of the password you chose. [Wladimir Palant](https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/) gives a bit more detail about the tactics that an attacker might use and how long this might take. +Well, the good news is that LastPass uses pretty strong encryption to store customer password vaults so, in the best case for users, it might take hackers years or centuries to break in to your account depending on the strength of the password you chose. [Wladimir Palant](https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/) gives a bit more detail about the tactics that an attacker might use and how long this might take. You can also use [this tool](https://lowe.github.io/tryzxcvbn/) to estimate out how secure your password is and how long it might take a very dedicated hacker to crack your vault. *NB: do **not** use your actual master password in the test tool but an analogy of it. For example if your real password was TopSecretPassword123 you might try a different combination of a 3,6 and 8 letter word followed by some numbers: BarDemonsAbstract567. This works because the tool uses the length of your password and the type of each char (number, letter, symbol) to estimate its difficulty* 
@@ -34,26 +35,26 @@ You can also use [this tool](https://lowe.github.io/tryzxcvbn/) to estimate out You might also want to see if your password is on a [list of leaked passwords](https://haveibeenpwned.com/Passwords) that have previously been cracked because an attacker is bound to try these first rather than guessing randomly. -In summary, unless you are famous (to the public or to security services), your password appears on a list of leaked passwords, you might not be in immediate danger. However, my advice would be to assume the worst and start changing all your passwords yesterday. +In summary, unless you are famous (to the public or to security services) or your password appears on a list of leaked passwords, you might not be in immediate danger. However, my personal stance is to assume the worst and start changing all my passwords (I'm balancing a few minutes of inconvenience now for peace of mind versus the potential for hours of stress if someone breaks into an important account). ## Should I keep using LastPass? What About this other Cloud-based Password Manager? Since the breach, people been recommending a plethora of other cloud solutions. BitWarden seems to have a very good reputation and others include 1Password and Dashlane. Now, don't get me wrong, all of these providers certainly have a better reputation than LastPass at this point in time (as far as I can tell from a quick bit of searching, none of them have suffered serious breaches). However, I take the somewhat pessimistic view that security breaches are pretty much inevitable at successful companies that grow beyond a certain point because: - - a) Employing more people to do more 'stuff' increases the odds of both human error and malignant intent. 
- - b) Big companies with more data make juicier targets for would-be hackers - - c) As companies move from focussing on growth in new markets to focussing on profitability and reducing costs, leadership teams sometimes raise the axe to expensive processes and teams like cyber-security, reducing the quality of their protections against breaches. + 1. Employing more people to do more 'stuff' increases the odds of both human error and malignant intent. + 2. Big companies with more data make juicier targets for would-be hackers + 3. As companies move from focussing on growth in new markets to focussing on profitability and reducing costs, leadership teams sometimes raise the axe to expensive processes and teams like cyber-security, reducing the quality of their protections against breaches. -These three issues can often combine explosively, shattering the reputation of a once-loved company overnight. +These three issues have the potential to combine explosively, sometimes shattering the reputation of a once-loved company overnight. -I'm not making any specific allegations about the providers I've listed here. However, I would not be surprised if, in the next few months or years time, we see a current `darling' of the password manager market appearing in the news under similar circumstances to LastPass. +I'm not making any specific allegations about the providers I've listed here. However, I would not be surprised if, in the next few months or years time, we see a current 'darling' of the password manager market appearing in the news under similar circumstances to LastPass. -If you subscribe to this viewpoint then there are a couple of ways to look at things. Either you continue to use cloud-based password managers and accept that you're likely to need to change all of your passwords every few years after a breach, maybe jumping from incumbent provider to scrappy password startup because they haven't been hacked yet and, they've got a great reputation. 
Or, you take the view that keeping your passwords in the cloud (read: on someone else's computer) is not a good idea and that you should look for local solutions. +If you subscribe to this "hacks are inevitable" viewpoint then there are a couple of ways to look at things. Either you continue to use cloud-based password managers and accept that you're likely to need to change all of your passwords every few years after a breach, maybe jumping from incumbent provider to scrappy password startup because they haven't been hacked yet and, they've got a great reputation. Or, you might take the view that keeping your passwords ~~in the cloud~~ on someone else's computer is not a good idea and that you should look for local solutions. -I'm not willing to stick my neck out on the line and make a recommendation either way here: I'll leave that as an exercise for the reader. +I'm not willing to stick my neck out on the line and make a recommendation either way here: I'll leave that as an exercise for the reader. -## Some Local/Non-Cloud Solutions +## Some Local/Non-Cloud Solutions for Personal Protection ### KeePass + SyncThing @@ -74,7 +75,7 @@ Of course with LessPass there's no need to worry about backups as long as you ha To me, there's something about LessPass that feels a little too much like magic - I'm kind of waiting for a cryptographer to come along and tell me why I shouldn't use it and what the major flaw with it is. However, until that day, it seems like a really great approach and I'm definitely up for trying it out. -### Funding +### Open Source Funding KeePassXC, SyncThing and LessPass are all open source projects which are free at the point of use but obviously cost money to develop. My ask of readers thinking of switching to one of these solutions would be to consider donating the money you would have spent on SaaS licenses for one of the cloud password managers to whichever solution you end up going for: 
@@ -85,10 +86,23 @@ For solution 1, consider splitting your SaaS fee across these projects evenly For solution 2, please donate to the LessPass team via the [LessPass OpenCollective Page](https://opencollective.com/lesspass) +## Some Strategies for Business/Commercial Password Protection + +If you are in an IT leadership role in a business you're probably thinking "sending keepass files over slack doesn't sound like a scaleable solution" and you'd be right. The above solutions are suggestions for personal password hygiene. Likewise LessPass probably isn't an option in a commercial setting as you'd be reliant on either shared credentials or copying and pasting generated passwords - both of which completely defeat the point. + +For internal applications you can use SAML/SSO solutions in combination with multi-factor authentication solutions (ideally physical hardware keys) so that each employee can authenticate against multiple services using only their primary email/intranet account. + +I'd absolutely assume that you do also need some kind of password management solution because if you don't supply one your employees will absolutely start sending each other passwords unencrypted over slack. A hypothetical (and lets face it, pretty horrifying) conversation might look like this: + +> **Account Manager** "can you change something for me on the customer's system?" +> **Business Consultant** "I'm busy with another client right now, but you can log in with your client's email address and `hunter2` and do it yourself..."). + +Firstly, make sure that you have explicit policies and processes for password sharing in your employee handbook and make sure that your team know about it. At my current company we run mandatory cyber-security training annually and as part of onboarding for new staff. Secondly, give your team tools that empower them to share credentials as securely possible. 
If that's via some kind of cloud-based password management platform then you can at least keep an eye on what is happening and, if and when that system is breached, you know which of your employees' credentials may have been compromised (versus in a shadow-IT scenario where you have no idea that employees are using a system that has recently been compromised). + ## Conclusion -In conclusion, password security, like many of the topics that I think about and write about, is complex and multifaceted. If you are a LastPass user, I'd strongly recommend changing your master vault password and all the passwords that you care about over the next few days if you can (and if you are a high profile activist or celebrity, do this yesterday). As for what to do next? Well, that's up to you. If you believe that there won't be another LastPass breach for a little while you might change your passwords and stick with them. You might trust another upstart cloud-based password manager company for a few months or years until they inevitably get breached. You could try one of the local-only approaches I've suggested but, I'd suggest that you never assume it's 100% foolproof, be ready for the unlikely scenario in which a SyncThing vulnerability is announced or someone does indeed tell me why LessPass' magic isn't secure. +In conclusion, password security, like many of the topics that I think about and write about, is complex and multifaceted. If you are a LastPass user, I'd strongly recommend changing your master vault password and all the passwords that you care about over the next few days if you can (and if you are a high profile activist or celebrity, do this yesterday). As for what to do next? Well, that's up to you. If you believe that there won't be another LastPass breach for a little while you might change your passwords and stick with them. You might trust another upstart cloud-based password manager company for a few months or years until they inevitably get breached. 
You could try one of the local-only approaches I've suggested but, I'd suggest that you never assume it's 100% foolproof, be ready for the unlikely scenario in which a SyncThing vulnerability is announced or someone does indeed work out that LessPass' magic isn't secure. -We live in a modern, interconnected world where we interact with ~~the cloud~~ someone else's computer every single day. So, when it comes to security and passwords, don't put all of your eggs in one basket. +We live in a modern, interconnected world where we interact with ~~the cloud~~ someone else's computer every single day. So, when it comes to security and passwords, don't put all of your eggs in one basket. A good security model is a lot like ~~ogres~~ an onion in that it has layers - in fact this layered approach is exactly what LastPass have done right and why I'm not sounding the big red klaxon shouting "CHANGE ALL YOUR PASSWORDS RIGHT NOW". Do your homework and don't give companies the benefit of the doubt when it comes to your personal and private information. -One last thing: **Should I use a password manager? GOD YES! LastPass is Not representative of all password managers.** \ No newline at end of file +One last thing: **Should I use a password manager? GOD YES! Don't let this breach put you off password managers. They're better than sticky notes on your monitor.** \ No newline at end of file
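Review bot: the rewritten opening line in the first hunk (@@ -20,13) carries over two typos from the line it replaces: the doubled "that" in "and then a few days later that [that their customer's encrypted password data was stolen]" and the singular possessive "customer's" where "customers'" is meant; since the whole line is re-added anyway, fix both here. In the same hunk, the added "_**Quick disclaimer:** I'm not specifically a security expert ..." paragraph is a near-verbatim copy of the removed "Let me be up front about the fact that I am a Machine Learning specialist ..." line, so the "Machine Learning specialist" detail is silently dropped (fine if intended, but make it a conscious choice), and "estimate out how secure your password is" reads better as "estimate how secure your password is". On the password-checker advice, "the tool uses the length of your password and the type of each char" understates what zxcvbn (named in the tryzxcvbn URL) does: it also matches against dictionaries of common words, names and previously leaked passwords and against sequences, dates and keyboard patterns, so the stand-in password should use words of roughly the same commonness as the real one, not merely the same lengths, or the estimate will be misleading.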
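Review bot: in the second hunk (@@ -34,26) the pair "-I'm not willing to stick my neck out on the line ..." / "+I'm not willing to stick my neck out on the line ..." differ only in trailing whitespace, which adds noise to the diff; either drop that change or make it deliberate (an editor setting that trims trailing whitespace on save stops it recurring). The rewritten summary sentence, "unless you are famous (to the public or to security services) or your password appears on a list of leaked passwords", now reads correctly and fixes the missing "or" of the original. Two smaller points while this section is open: the unchanged context line "Since the breach, people been recommending a plethora of other cloud solutions" is missing "have", and in the renumbered list "2. Big companies with more data make juicier targets for would-be hackers" is the only item without a full stop.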
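Review bot: the heading rename to "### Open Source Funding" in the third hunk (@@ -74,7) is fine, but the body under it names "KeePassXC, SyncThing and LessPass" while the section heading visible in the previous hunk reads "### KeePass + SyncThing"; pick one name (KeePassXC if that is the client being recommended) and use it consistently so readers looking for the donation target find the right project. The unchanged context line "I'm kind of waiting for a cryptographer to come along and tell me why I shouldn't use it" also invites a caveat the post could state now rather than wait for: with a deterministic generator there is no vault to leak, but a compromised master password reproduces every site password at once, and rotating a single password after a site breach means changing some per-site input (such as a counter) and remembering that you did; that is the trade-off to weigh, not a hidden flaw.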
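Review bot: in the new business section of the fourth hunk (@@ -85,10), "For internal applications you can use SAML/SSO solutions in combination with multi-factor authentication solutions (ideally physical hardware keys)" should make the MFA part a requirement rather than an "ideally": once every service trusts the one "primary email/intranet account", that account becomes the single point of compromise, and the hardware key is what stops a phished password from unlocking everything. Formatting in the same hunk: the two lines "> **Account Manager** ..." and "> **Business Consultant** ..." will render as one run-on paragraph in Markdown unless separated by a bare ">" line or ended with two trailing spaces, and the second ends with a stray ")" after the closing quote. Spelling to fix while here: "scaleable" (scalable), "lets face it" (let's face it), "as securely possible" (as securely as possible), and "slack" (Slack). Finally, both sides of the last line still carry "\ No newline at end of file"; add the trailing newline so the next edit does not show a spurious change on that line.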