Time to strengthen your password hygiene!


It’s 2023, happy new year!

If you were still a LastPass user in December, I hope that the terrible news didn’t ruin your Christmas and New Year’s Eve parties. Whether or not you are affected by the breach, the beginning of the year is always a good opportunity to make good resolutions, so why not choose to strengthen your password hygiene?

What happened?

LastPass got hacked again, “an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data”. Ouch!

On December 23, 2022, I received this email sent to every LastPass user:

Dear LastPass Customer,

We recently notified you that an unauthorized party was able to gain access to a third-party cloud-based storage service which is used by LastPass to store backups. Earlier today, we posted an update to our blog with important information about our ongoing investigation. This update includes details regarding our findings to date, recommended actions for our customers, as well as the actions we are currently taking.

We thank you for your patience and continued support of LastPass.

The Team at LastPass

I was busy preparing for Christmas and didn’t have time to look into the details, so I didn’t do anything that day. But a few days later, everything changed when I saw the headlines… If you are still a LastPass user, I strongly recommend that you read the official incident notice from LastPass, this article from Wired, this article from 1password and these toots (toot #1, toot #2) from Jeremi M Gosney, or any other source.

There are still a lot of unanswered questions, and LastPass is not providing many details or numbers about the breach. The situation is already pretty bad, and it will only get worse in the coming weeks or months. Attackers have plenty of time to prepare for the next step, once they manage to crack the vaults or even sooner with the unencrypted metadata they already have.

LastPass has been my password manager for years, but even with a strong password, I didn’t feel safe and didn’t trust the service anymore. This is why I decided to make a move, and I think you should too!

What to do?

Many people recommended picking another service, and while it’s not mandatory yet, it’s probably the best thing to do right now. Changing all your passwords is a real burden, but if you are or were a LastPass user, I think you should!

I have been using 1password at work, and I’m both familiar and satisfied with the service so far. Before making the switch, I wanted to try Bitwarden on the recommendation of a friend, and I have to say that it’s a pretty solid option, especially if you’re looking for a free or cheap one. After comparing the two services side by side, I prefer the user experience of 1password, and I also believe it will be the best option for the other members of my family. That’s why I finally decided to choose it over Bitwarden.

If you’re considering a switch, I recommend trying them both before making a choice.

Call to action

If you are a LastPass user:

  • read the articles mentioned earlier
  • rotate all your passwords to the maximum strength available
  • use Two-Factor Authentication (2FA) everywhere it’s available (try to avoid SMS/text-based codes when possible)
  • consider a Nitrokey or a YubiKey
  • regularly check https://haveibeenpwned.com

In all cases, you can still:

  • use a password manager if it’s not already the case
  • check the strength of all your passwords and take action accordingly
  • rotate your important passwords from time to time, always to the maximum strength
  • use Two-Factor Authentication (2FA) everywhere it’s available (try to avoid SMS/text-based codes when possible)
  • consider a Nitrokey or a YubiKey
  • regularly check https://haveibeenpwned.com

Final words

Best wishes for 2023, I hope that, like me, you will start the year with better password hygiene!
