Vault hacked open

Explaining how a breach at LastPass has password lessons for us all

Brian X. Chen   |   Published 16.01.23, 04:32 AM

While we were unplugging from the Internet to spend time with loved ones over the holidays, LastPass, a security program for managing digital passwords, delivered the most unwanted gift. It published details about a security breach in which cybercriminals had obtained copies of customers’ password vaults, potentially exposing millions of people’s online information.

When you use a password manager like LastPass or 1Password, it stores a list of the user names and passwords for the sites and apps you use, including banking, healthcare, email and social networking accounts. It keeps track of that list, called the vault, in its online cloud. Hackers had stolen copies of the list of user names and passwords of every customer from the company’s servers.


There are lessons to learn from this debacle, including that security products are not foolproof. The company said intruders had gained access to its cloud database and obtained a copy of the data vaults of tens of millions of customers by using credentials and keys stolen from a LastPass employee.

LastPass tried to reassure its users that their information was probably safe. It said some parts of people’s vaults — like the website addresses for the sites they used — were unencrypted but that sensitive data, including user names and passwords, were encrypted. This would suggest hackers could know the banking website someone used but not have the username and password.

Most importantly, the master passwords that users set up for unlocking their LastPass vaults were also encrypted. That means hackers would then have to crack the encrypted master passwords to get the rest of the passwords in each vault, which would be difficult to do, so long as people used a unique, complex master password.
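To make the split described above concrete, here is an added toy vault model in Python (not LastPass's code, format or cipher): site addresses stay in plaintext, credentials are encrypted under a key derived from the master password, and the master password itself is never written into the stored vault. The PBKDF2 cost and the HMAC-based encrypt-then-MAC construction are assumptions chosen to keep the example standard-library only.

```python
import hashlib
import hmac
import os

# Toy vault model (added example, not LastPass's real format or cipher): the site
# URL stays in plaintext, credentials are encrypted with a key derived from the
# master password, and the master password itself is never written to the vault.
ITERATIONS = 200_000  # assumed PBKDF2 cost; a real product tunes this itself

def derive_key(master_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used here as a stand-in stream cipher
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def open_sealed(key: bytes, blob: dict) -> bytes:
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def encrypt_vault(master_password: str, entries: list, salt: bytes = None) -> dict:
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(master_password, salt)
    stored = [{"url": e["url"],  # plaintext: a stolen copy reveals which sites you use
               "username": seal(key, e["username"].encode()),
               "password": seal(key, e["password"].encode())} for e in entries]
    return {"salt": salt.hex(), "entries": stored}

def decrypt_vault(master_password: str, vault: dict) -> list:
    key = derive_key(master_password, bytes.fromhex(vault["salt"]))
    return [{"url": e["url"], "username": open_sealed(key, e["username"]).decode(),
             "password": open_sealed(key, e["password"]).decode()} for e in vault["entries"]]

def visible_without_master_password(vault: dict) -> list:
    """What a thief sees without the master password: the sites, not the credentials."""
    return [e["url"] for e in vault["entries"]]
```

A wrong master password fails the integrity check rather than yielding garbage, which is why the only route left to a thief holding the vault is guessing the master password, and why its strength matters.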

Karim Toubba, CEO of LastPass, wrote that the incident demonstrated the strength of the company’s system architecture. He also said it was users’ responsibility to “practice good password hygiene”.

“It is very serious,” said Sinan Eren, an executive at Barracuda, a security firm. “I would consider all those managed passwords compromised.”

The LastPass breach is a reminder that it is easier to set up safeguards for our most sensitive accounts before a breach occurs than to try to protect ourselves afterwards. Here are some best practices we should all follow for our passwords.

Create a complex, unique password for every account. A strong password should be long and difficult for someone to guess. For example, take these sentences: “My name is Inigo Montoya. You killed my father. Prepare to die.” And convert them into this, using initials for each word and an exclamation point for the I’s: “Mn!!m.Ykmf.Ptd.”

For those using a password manager, this rule of thumb is of paramount importance for the master password to unlock your vault. Never reuse this password for any other app or site.

For your most sensitive accounts, add an extra layer of security with two-factor authentication. This setting involves generating a temporary code that must be entered in addition to your username and password.

Most banking sites let you set up your cellphone number or email address to receive a message containing a temporary code to log in. Some apps, like Twitter and Instagram, let you use so-called authenticator apps like Google Authenticator and Authy to generate temporary codes.

Although the breach of LastPass may feel damning, password managers in general are a useful tool because they make it more convenient to generate and store complex and unique passwords.

Internet security often involves weighing convenience versus risk. Casey Ellis, the chief technology officer of the security firm Bugcrowd, said the challenge with password security was that whenever the best practices were too complicated, people would default to whatever was easier.

Eren of Barracuda recommends not using password managers that store the database on their cloud and instead choosing one that stores your password vault on your own devices, like KeePass.

Always have a plan for pulling out your data — in this case, your password vault — in the event that something happens that makes you want to leave.

For LastPass, the company lists steps on its website to export a copy of your vault into a spreadsheet. Then you can import that list of passwords into a different password manager. Or you can keep the spreadsheet file for yourself, stored somewhere safe and convenient for you to use.


Copyright © 2020 The Telegraph. All rights reserved.