One more LastPass update

Over the past few weeks our team has been researching and discussing how to move forward after the recent LastPass hack.  If you're not familiar with the history, please see this blog post released in December 2022. 

 

WHAT HAVE WE LEARNED THE PAST FEW WEEKS? 

The only thing we have learned since our last post is that LastPass engaged Mandiant to assist with breach recovery.  Mandiant has a good reputation for breach recovery and the fact that they were engaged by LastPass is a good sign. 

WHAT IS HOMEFRONT DOING? 

HomeFront plans to continue using LastPass because: 

  • We have taken steps to ensure that if someone accesses the HomeFront vault as a result of the LastPass breach, they will be unable to access our accounts. 

  • We have not received unexpected multi-factor authentication attempts.  This indicates that if the HomeFront vault was obtained as part of the LastPass breach, no one has tried to log in to any of our accounts. 

  • Companies that are breached often get an increased cybersecurity budget to address issues that caused the breach.  It's likely that the best cybersecurity LastPass has ever had is RIGHT NOW. 

WHAT SHOULD YOU DO? 

We strive to provide our clients with data to enable informed decision making.  Here is some information that may be helpful in deciding what to do next. 

  • Every password manager company is targeted and vulnerable to attack.  Even if a password manager is perfectly secure, it could be breached if an employee is socially engineered or bribed to give up sensitive information.  An illustration of this (that all password managers are targeted) is the Norton (Lifelock) password manager breach that occurred in December 2022. 

  • Although HomeFront plans to continue using LastPass for the reasons noted above, there are other password managers, like 1Password and Bitwarden, that have NOT recently experienced a breach.  If you are uncomfortable going forward with LastPass, these are reputable options. 

  • If you are a HomeFront client using LastPass you should have a strong master password AND multi-factor authentication enabled.  Therefore, if a bad actor tries to access your vault, you would be notified through a multi-factor authentication prompt you didn't initiate.  IF YOU HAVE EXPERIENCED THIS SCENARIO, PLEASE CONTACT US IMMEDIATELY FOR ASSISTANCE. 

ALSO CONSIDER... FREEDOM AND SECURITY ARE AT ODDS 

One hundred percent security is not possible.  A home with boarded windows, vaulted doors, cameras, motion sensors, a guard dog, a security dog, a moat, and a dragon is still not 100% secure.  Maintaining this level of security would be overly restrictive and cost-prohibitive for most people... but it may be reasonable for someone who is highly visible with lots of money.  To learn more about this concept, check out this document by world-renowned cybersecurity practitioner Bruce Schneier. 

Technology has amazing benefits and improves our lives, but also comes with cybersecurity risk.  We should consider the measures we're willing to take to address the risk.  Since passwords are the keys that open the door to all technology, password managers are one of the best ways to manage cybersecurity risk.  Although password managers take time to configure and maintain and are at risk of being hacked, we still think they are worth the effort.  Why?  Because a properly configured password manager allows a family to practice great password hygiene while securely sharing passwords among family members. 

 

Please contact us if you have questions about secure password management or would like to learn more about a home cybersecurity evaluation. 
