If you’ve followed the LastPass data breach, you know something is wrong with internet security. Passwords have never been an ideal way to protect accounts, but they are the best we’ve had since the 1960s. We are well into the 21st century. It’s time to move on.
What happened to LastPass?
To summarize the LastPass data breach: the attackers stole essentially everything. The password manager disclosed a breach back in August, and at the time LastPass said that customer data, accounts, encrypted vault data and master passwords were all safe.
However, as 2022 draws to a close, we’ve learned that almost none of this is true. In later blog posts the company admitted that the attackers “were able to gain access to certain elements of our customer information,” and later still that they had obtained a “backup of customer vault data.”
According to the blog post, the backup data contained “basic customer account information and associated metadata, including company names, end user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed the LastPass service.” We contacted LastPass for more information about the contents of the stolen backup.
Throughout the saga, LastPass has insisted that the stolen vault data remains encrypted, that the attackers can only read it if they know a user’s master password, and that cracking it would take “millions of years” if customers followed LastPass best practices. That claim was dismantled by LastPass competitor 1Password a few days later.
Where does this leave LastPass customers? Not in a good place. At the very least, they should change every password stored in their vault. But that doesn’t undo what the attackers already hold: the account metadata listed above is already in the clear, and the encrypted vault can be attacked offline for as long as they like. Beyond rotating passwords, there really isn’t much to do other than hope the master password is strong enough to hold.
How do you create your passwords?

But it’s not just LastPass customers who should be concerned. Whether you use a password manager or not, password security depends on one key point of failure: how you create your passwords and master passwords.
Creating a strong password is harder than people think. Only a genuinely random password is safe from guessing attacks, in which attackers try thousands, millions or billions of candidate passwords. Online, such attacks are usually thwarted by lockouts and rate limiting. But when attackers hold the encrypted data themselves, as they do with the LastPass vaults, nothing limits the number of attempts; the only thing slowing each guess is the cost of the key derivation, and cracking a guessable password is just a matter of time.
So how do you create your master password, or, if you don’t use a password manager, all of your passwords? Generally, people use mnemonic devices to remember them. For example, if you build a password from the title of your favorite movie, Star Trek II: The Wrath of Khan might become something like “$t4rTr3K2:7h#…”, with letters swapped for look-alike digits and symbols.
That seems like a pretty strong password, doesn’t it? Unfortunately, it isn’t. As Jeffrey Goldberg points out in his rebuttal of LastPass’s “millions of years” claim, exactly these mnemonic patterns, a known phrase plus predictable substitutions, are what cracking tools try first.
Some people who don’t use a password manager have a semi-systematic scheme for multiple accounts: create one more or less random password, then change a character or two per service. So “j$0&,81)*b?-” becomes “j$0&,81)*b?-Fb” for Facebook, “j$0&,81)*b?-tW” for Twitter, and so on. This might seem like a good scheme, but if just one of those passwords leaks, it doesn’t take much for an attacker to derive all of the others from the pattern.
Password managers are a great solution for some
Password managers are an excellent solution to this problem. For the most part, services like 1Password offer exceptional security, with multiple layers of protection and redundancy to keep your randomly generated passwords safe. It’s worth pointing out that 1Password has never reported a data breach, let alone a catastrophic one like LastPass just experienced.
But that doesn’t mean it will never happen. And although we really appreciate 1Password, in the world of high-tech crime nothing is ever absolutely certain. Criminals work just as hard to bypass these protections as security professionals work to build them. There is simply too much money to be made from stolen personal information.
And there is the trust issue. A lot of people don’t like password managers because they don’t like having all their data with a third party, no matter how good the security is. And the LastPass data breach will only fuel that suspicion.
Is two-factor authentication enough?

All of this may seem academic to those who use two-factor authentication (2FA) on their accounts. 2FA adds a second layer of protection, such as a code sent by text message or generated by an authenticator app, every time you log in. If someone guesses or steals your password, they are stopped at the 2FA step. It can also act as an early warning that someone is trying to get into your accounts.
Services such as financial institutions, social media, employers, and many more strongly recommend (and in some cases require) users to enable this layer of protection. And it has proven to be an effective way to protect your accounts.
But 2FA is not foolproof; it is only as strong as the way it is used. Codes sent by SMS or read off an app can be phished: a convincing fake login page collects the password and the current code and relays them to the real site before the code expires. Someone with access to your phone can read the code directly. Attackers have also taken over victims’ phone numbers (a SIM swap) so that SMS codes are delivered to them instead. And there will certainly be more ways to undermine code-based 2FA as attackers become more adept at stealing information.
Enter passkey

These weaknesses of passwords have long been known to security professionals. Earlier this year, Apple, Google and Microsoft all pledged to roll out a new sign-in method called “passkeys” to protect their customers’ accounts. Their efforts are coordinated through an industry-wide consortium, the FIDO Alliance.
A passkey is a credential stored on your device, such as a smartphone or a laptop. Under the hood it is a public/private key pair: the private key never leaves the device (or its encrypted keychain), and the website keeps only the public key. When you sign in, the site sends a fresh challenge, you approve with the device’s biometrics (face, fingerprint, iris) or its PIN, and the device signs the challenge for that site’s domain only. That means you never create or remember a password again, and because there is no shared secret to steal and the signature is bound to the genuine site, passkeys are not vulnerable to brute-force guessing or phishing the way passwords and one-time codes are.
But what if you lose the device? Passkeys can be backed up and synced by the platform that holds them, so you can restore them when needed. Apple, for example, stores your passkeys in iCloud Keychain, end-to-end encrypted, and syncs them to your other devices, including new ones.
Both Apple and Google added passkey support this year, and Microsoft introduced its own passwordless sign-in in 2021. Services around the world are rapidly rolling out the technology to keep their customers safe, and even password managers like 1Password, Dashlane and, yes, LastPass are adopting it.
Now that 2022 is drawing to a close, it’s time to leave behind the archaic model of passwords and embrace a new, more secure online world.
This article was previously published on Source link