If you’ve known me for any length of time, you probably know that I highly encourage everyone to use a password vault of some kind. There are several good ones available; some of them are free, others cost money. Over the years I’ve tried several, and the ones I’ve used the most are KeePass and, more recently, LastPass.
Yesterday, the internet was on fire over the possible intrusion into LastPass’s servers (please read this, as I feel it’s the proper way to handle such a situation). But I want to point out two things, which are mentioned in the article:
- LastPass is very clear in that they are not 100% sure something was breached
- They did notice a traffic anomaly that they couldn’t explain
These are very important points that need to be considered when it comes to using LastPass. But I want to give my thoughts since I actually use the service.
Your Passwords Are Probably Safe
One of the main arguments people give against LastPass is that it puts all your passwords in the cloud on their servers. While true, that’s not the full story. You can read their website where they explain how it all works, but I’ll give you the gist. Basically, when you sign up for LastPass, the vault for your passwords is created locally, encrypted, and then uploaded to their servers. They don’t have a way to unlock it on their end. You have to have your master password to be able to unlock anything in your LastPass vault.
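To make the “created locally, encrypted, then uploaded” model concrete, here is an added example of how a client-side (zero-knowledge) vault can work. This is illustrative code written for this post, not LastPass’s code or its actual scheme: the round count, the use of the email address as salt, the separate login hash, and the stand-in stream cipher (an HMAC-SHA256 keystream plus an HMAC tag, used only because the Python standard library has no AES) are all assumptions. The point it demonstrates is that everything the server ever receives (login hash and encrypted blob) is useless without the master password, and that a master password change is just a local re-encryption.

```python
"""Illustrative zero-knowledge password vault (added example, not LastPass code)."""
import hashlib
import hmac
import json
import secrets

PBKDF2_ROUNDS = 100_000  # assumption; a real product chooses its own work factor


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Runs only on the client. The email acts as a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), PBKDF2_ROUNDS, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra PBKDF2 round over the vault key gives the server something to
    compare at login without ever learning the key that decrypts the vault."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _subkeys(vault_key: bytes):
    # Separate keys for encryption and integrity, derived from the vault key.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for a real cipher: counter-mode keystream built from HMAC-SHA256.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, entries: dict) -> dict:
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict) -> dict:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # A wrong master password yields a wrong MAC key, so the tag check fails
    # instead of returning garbage; tampering with the blob fails the same way.
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong master password or vault blob modified")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def signup(email: str, master_password: str, entries: dict) -> dict:
    """Everything the client does at sign-up. The returned record is ALL the
    server ever stores: it contains no key and no plaintext password."""
    key = derive_vault_key(master_password, email)
    return {"email": email,
            "login_hash": derive_login_hash(key, master_password).hex(),
            "vault": encrypt_vault(key, entries)}


def unlock(email: str, master_password: str, server_record: dict) -> dict:
    """Client side: re-derive the key from the master password and decrypt."""
    return decrypt_vault(derive_vault_key(master_password, email), server_record["vault"])


def is_correct_master_password(email: str, master_password: str, server_record: dict) -> bool:
    try:
        unlock(email, master_password, server_record)
        return True
    except ValueError:
        return False


def change_master_password(email: str, old_pw: str, new_pw: str, server_record: dict) -> dict:
    """Decrypt locally under the old key, re-encrypt under the new one, and hand
    the server a fresh record. The server only ever swaps one opaque blob for another."""
    return signup(email, new_pw, unlock(email, old_pw, server_record))


if __name__ == "__main__":
    # Constructed sample data for the demo.
    record = signup("alice@example.com", "correct horse battery staple", {"bank": "hunter2"})
    print("stored on server:", record)
    print("unlocked locally:", unlock("alice@example.com", "correct horse battery staple", record))
```

Note what the record on the server looks like: a login hash and hex-encoded ciphertext. A strong master password matters precisely because that record is what an attacker would have to work from; the PBKDF2 rounds slow each guess down, but they cannot rescue a master password of “password”.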
On top of that, LastPass is giving everyone a set of options. A user can do any of the following:
- Change their master password
- Not change their master password now, and be reminded to do so later
- Take the risk and not change their master password
By having people change their master passwords, they’re attempting to negate any issue a possible intrusion might cause. If you have a really strong master password, then you’re probably okay (if your master password is “password”, you’re doing it wrong).
Also, I think that LastPass handled this situation really well. They informed their users, and are requiring them to take action, even though all they found was a traffic anomaly and not an actual breach. They are erring on the side of caution, and since they’re a password vault, that’s exactly what you should want them to do.
What I’m Going to Do (and What You Should Do Too)
I’m going to move to using two factor authentication with my LastPass account. What this means is that not only will I need my LastPass credentials (email address and password), but also some other way of authenticating myself to access my LastPass password vault. LastPass offers multiple options for this, and they should be researched to find one that works best for you.
However, other password vaults offer similar functionality. I know that KeePass offers this, but I’m not sure about 1Password.
If you’re using a password vault, I would recommend moving to two factor authentication. I would also recommend doing so for any site that offers two factor authentication (Gmail and several banks offer this). Doing so helps lower the risk of your accounts being compromised.
Below is a list of password vaults. Please consider using one of these and start using secure passwords (and different passwords on different sites). Please note that outside of LastPass and KeePass I don’t know too much about the others.