As a fan and long-time user of LastPass, I was alarmed by the latest LastPass hack. But what exactly happened, and what does it mean for users like you or me?
What Happened
In a nutshell, LastPass suffered a security breach that exposed some user data, including billing and email addresses, end-user names, telephone numbers, and IP address information. LastPass has 30 million users. It claims that only 3% of them have been seriously impacted and that it has been working with those users to maintain security.
Three percent might not seem like a lot, but this is terrible news.
Should You Be Concerned?
Yes, of course, you should be. LastPass has written several blog posts reassuring its customers, but healthy skepticism is in order.
While LastPass uses high-level encryption and a “zero knowledge” system, the reality is that the hackers now may have encrypted master passwords and potentially access to your whole vault.
Zero-knowledge is a term used to describe a system where the service provider doesn’t have access to the plain text version of your usernames and passwords.
Instead, it uses encryption and decryption processes managed solely by the user’s device, making it extremely difficult for anyone, including LastPass employees, to access the passwords. Said another way, LastPass does not have access to the actual passwords stored in its system; only the user does.
This doesn’t mean stolen encrypted data is safe. The villain here could use “brute force” to guess your master password. Estimates of how long that would take range anywhere from half an hour and $100 to millions of years (no exaggeration; that is the range of times provided by various sources).
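The zero-knowledge and brute-force points above, as an added Python example that is not from the original post or from LastPass: the vault key is derived on the user’s device, the server stores only a further hash of it, and the expected guessing time grows with password length and the key-derivation iteration count. The iteration count, attacker hash rate and the two-step derivation are assumptions for illustration, not LastPass’s actual parameters.

```python
import hashlib

# Constructed parameters for illustration; the post gives no KDF or hardware figures.
KDF_ITERATIONS = 100_000            # assumed client-side PBKDF2 iteration count
RAW_HASHES_PER_SECOND = 1e9         # assumed SHA-256 throughput of one attacker GPU
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int = KDF_ITERATIONS) -> bytes:
    """Zero-knowledge step 1: the key that encrypts the vault is derived on the user's
    device from the master password (salted with the account email) and never leaves it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Zero-knowledge step 2: the server receives a further hash of the vault key, so it can
    check a login without ever holding the master password or the vault key itself."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def guesses_per_second(iterations: int = KDF_ITERATIONS, raw_rate: float = RAW_HASHES_PER_SECOND) -> float:
    """Every guess at the master password costs the full iteration count; that is what slows brute force."""
    return raw_rate / iterations


def expected_crack_years(length: int, charset_size: int, iterations: int = KDF_ITERATIONS) -> float:
    """Average time to brute-force a random password: half the keyspace at the guess rate."""
    keyspace = charset_size ** length
    return keyspace / 2 / guesses_per_second(iterations) / SECONDS_PER_YEAR


def meets_master_password_advice(password: str, identifying_terms: list) -> bool:
    """The post's advice: 16+ characters and nothing identifying (name, address, SSN...) inside."""
    lowered = password.lower()
    return len(password) >= 16 and not any(t.lower() in lowered for t in identifying_terms if t)


if __name__ == "__main__":
    pw, email = "correct horse battery staple", "user@example.com"   # constructed sample values
    key = derive_vault_key(pw, email)
    print("login hash stored server-side:", login_hash(key, pw).hex()[:16], "...")
    for length, charset, label in [(8, 26, "8 lowercase"), (12, 62, "12 alphanumeric"),
                                   (16, 95, "16 printable"), (18, 95, "18 printable")]:
        print(f"{label:16s}: ~{expected_crack_years(length, charset):.3g} years to brute-force")
    print(meets_master_password_advice("Jessica2023!!!!!", ["Jessica"]))  # False: contains a name
```

Doubling the iteration count doubles the expected guessing time, but adding characters multiplies it, which is why the advice below leads with length.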
What is the Likely Impact of the LastPass Hack?
The impact of the LastPass hack will vary from person to person. It’s not worth the gamble that it’ll take a million years to hack your account(s), so it’s wise to make adjustments now.
Your best defense? A good offense.
What Do You Do Now?
Given that we don’t know the impact, taking steps to protect yourself after a hack is essential.
Take these actions:
- Change your master password. It should be 16 characters long or longer. Please do not use any identifying information (name, address, SSN, etc.). Opt for a phrase, like a favorite movie line. Use odd variations on words.
- Use two-factor authentication. It would have been best if you had turned this on a long time ago. Before entering your vault, you should use your phone or a code to verify it’s you. I know this is a pain. Get used to it. It’s the way of password security in the future. If you’re using biometric identification (thumbprint, facial recognition), this will go faster.
- Use a password on your phone.
- Change your passwords on susceptible accounts – banking, credit cards, insurance, health care, social media, tax information, document vaults, etc. Use LastPass to create passwords for you so that you create unique, strong ones.
- Monitor your accounts for suspicious data.
- Consider changing password vaults.
Do I Still Recommend LastPass?
Sadly, no, because that would make me look stupid.
However, I believe that hacks like this are humbling for the victim company and all the password managers out there. Password managers will likely be more vital than ever.
I remain a fiercely strong advocate of having a password manager for many reasons, but they all come down to this: They protect us from ourselves. We use better passwords, we use two-factor authentication, we don’t repeat passwords, we don’t share passwords in an unsafe way, and we can use them to transfer information in the event of incapacity or death.
The truth is that I will stay with LastPass for now, try out a new password manager, and if I like the new one, I will probably migrate everything. I have over 300 entries in my LastPass, many old or useless. It’ll take me a while to migrate, but I’m all about purging no-longer-needed items.
However, I understand that I use “good password hygiene.” My master password is 18 characters long, written down nowhere, and shared with no one. I change all my work-related passwords every 90-180 days. I change my banking passwords about once a year. I use two-factor authentication on every account in which it is offered to me. I look at every single banking transaction – personal and business – at least once a month. I use a credit report service to monitor my credit.
Yes, it’s a pain and takes up time. Yes, it’s worth it.
If you are doing only some of these things, you must act sooner and build new habits.
How To Protect Against a Future Hack?
Do all those things I mentioned above:
- Use a password manager.
- Use strong, unique passwords.
- Use two-factor authentication.
- Use a password on your phone.
- Change your passwords when needed.
- Monitor your accounts for suspicious activity.
Doing these things ensures your online accounts are secure and protected against unauthorized access.
I’ve been talking to people about their money for over 25 years. I have only had to start talking about identity theft and fraud in the last five or so. It’s a severe financial self-care topic now. Please don’t ignore it.
Don’t hesitate to reach out if you need encouragement around password vaults.
Lanning Financial Inc. is a registered investment adviser. The information presented is for educational purposes only and does not intend to make an offer or solicitation for the sale or purchase of any specific securities, investments, or investment strategies. Investments involve risk and, unless otherwise stated, are not guaranteed. Be sure to first consult with a qualified financial adviser and/or tax professional before implementing any strategy discussed herein. Past performance is not indicative of future performance.
About the Author:
Jessica Lanning JD, CFP® brings focus and perspective to your individual financial needs to identify your opportunities for investment and wealth. Regardless of what you’ve done before or what “mistakes” you think you’ve made, Jessica can help get you back on track quickly and safely. As a former practicing lawyer, she brings a comprehensive approach to legal, tax, and financial challenges so that her clients can enjoy peace of mind. A huge proponent of conscious decision-making, Jessica makes sure her clients are educated and informed so that they make sound decisions with clarity and confidence.