A Breach at LastPass Has Password Lessons for Us All

Independent Media | Family and Finance, Financial and Business Planning | January 12, 2023 (January 13, 2023)
This article was written by an independent media source and selected by LNWM for our blog readers. LNWM provides this third-party information for informational purposes only and has not verified the accuracy or completeness of such. In addition, LNWM is endorsing neither the content nor the author of the commentary.

From The New York Times: While many of us were unplugging from the internet to spend time with loved ones over the holidays, LastPass, the maker of a popular security program for managing digital passwords, delivered the most unwanted gift. It published details about a recent security breach in which cybercriminals had obtained copies of customers’ password vaults, potentially exposing millions of people’s online information.

From a hacker’s perspective, this is the equivalent of hitting the jackpot.

When you use a password manager like LastPass or 1Password, it stores a list containing all of the user names and passwords for the sites and apps you use, including banking, health care, email and social networking accounts. It keeps track of that list, called the vault, in its online cloud so you have easy access to your passwords from any device. LastPass said hackers had stolen copies of the list of user names and passwords of every customer from the company’s servers.

This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But other than the obvious next step — to change all of your passwords if you used LastPass — there are important lessons that we can learn from this debacle, including that security products are not foolproof, especially when they store our sensitive data in the cloud.

First, it’s important to understand what happened: The company said intruders had gained access to its cloud database and obtained a copy of the data vaults of tens of millions of customers by using credentials and keys stolen from a LastPass employee.

LastPass, which published details about the breach in a blog post on Dec. 22, tried to reassure its users that their information was probably safe. It said that some parts of people’s vaults — like the website addresses for the sites they logged in to — were unencrypted, but that sensitive data, including user names and passwords, were encrypted. This would suggest that hackers could know the banking website someone used but not have the user name and password required to log into that person’s account.

Most important, LastPass does not store the master password at all. The key that decrypts a vault is derived from the master password on the user's own device by repeated hashing (PBKDF2; LastPass's stated default was 100,100 iterations, but the count is a per-account setting and accounts that never updated it can sit far lower). So the hackers cannot simply decrypt what they took: they have to guess master passwords offline, derive a key from each guess and try it against the stolen vault, which stays impractical as long as the master password is long, unique and not something a guessing list would contain.

Karim Toubba, the chief executive of LastPass, declined to be interviewed but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive vault data encrypted and secured. He also said it was users’ responsibility to “practice good password hygiene.”

Many security experts disagreed with Mr. Toubba’s optimistic spin and said every LastPass user should change all of his or her passwords.

“It is very serious,” said Sinan Eren, an executive at Barracuda, a security firm. “I would consider all those managed passwords compromised.”

Casey Ellis, the chief technology officer of the security firm Bugcrowd, said it was significant that intruders had access to the lists of website addresses that people used.

“Let’s say I’m coming after you,” Mr. Ellis said. “I can look at all the websites you have saved information for and use that to plan an attack. Every LastPass user has that data now in the hands of an adversary.”
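The two points above, that the credentials only fall if the master password can be guessed and that the unencrypted URLs are useful to an attacker even without a key, are easiest to see on a small model of a stolen vault. What follows is an added example, not LastPass's code or vault format: key derivation follows what LastPass disclosed (PBKDF2 from the master password, salted with the account email), while the record cipher is a deliberately simple HMAC-based stand-in for AES so the example runs on the Python standard library alone. The users, entries, master passwords and guess list are constructed for the example.

```python
"""Toy model of a cloud-synced password vault and the offline attack a stolen
copy invites.  Added example, not LastPass code or LastPass's vault format.
Key derivation follows what LastPass disclosed (PBKDF2 from the master
password, salted with the account email); the record cipher is a simple
HMAC-based stand-in for AES so the example needs only the standard library."""
import hashlib
import hmac
import os


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(master password, salt = account email).
    The server never sees the master password, only data encrypted under this key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher; real vaults use AES)."""
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]


def encrypt_field(key: bytes, plaintext: str) -> dict:
    """Encrypt one vault field; the tag lets a decryptor detect a wrong key."""
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt_field(key: bytes, field: dict):
    """Return the plaintext, or None if the key is wrong (tag mismatch)."""
    expected = hmac.new(key, field["nonce"] + field["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, field["tag"]):
        return None
    ks = _keystream(key, field["nonce"], len(field["ct"]))
    return bytes(a ^ b for a, b in zip(field["ct"], ks)).decode()


def build_vault(master_password: str, email: str, iterations: int, entries) -> dict:
    """What the cloud stores: URL in the clear, username and password encrypted."""
    key = derive_key(master_password, email, iterations)
    records = [{"url": url,
                "username": encrypt_field(key, user),
                "password": encrypt_field(key, pw)} for url, user, pw in entries]
    return {"email": email, "iterations": iterations, "records": records}


def list_targets(vault: dict) -> list:
    """Recon with no key at all: the unencrypted URLs say where the victim banks."""
    return [r["url"] for r in vault["records"]]


def crack_vault(vault: dict, wordlist) -> tuple:
    """Offline attack on a stolen copy: derive a key from each guess and test it
    against one encrypted field.  Returns (recovered master or None, PBKDF2
    iterations spent), so the cost imposed by the iteration count is visible."""
    probe = vault["records"][0]["password"]
    work = 0
    for guess in wordlist:
        key = derive_key(guess, vault["email"], vault["iterations"])
        work += vault["iterations"]
        if decrypt_field(key, probe) is not None:
            return guess, work
    return None, work


# Constructed sample data: two users with the same entries, different master passwords.
ENTRIES = [("https://bank.example.com", "alice", "p9$Lr!Q2vX"),
           ("https://mail.example.com", "alice@example.com", "7Kd#wp3Zm")]
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2022!", "Welcome1"]
WEAK_VAULT = build_vault("Summer2022!", "alice@example.com", 5000, ENTRIES)
STRONG_VAULT = build_vault("My dog ate the 1997 tax return, twice",
                           "bob@example.com", 100100, ENTRIES)

if __name__ == "__main__":
    print("targets visible without any key:", list_targets(WEAK_VAULT))
    for name, vault in (("weak", WEAK_VAULT), ("strong", STRONG_VAULT)):
        master, work = crack_vault(vault, WORDLIST)
        print(f"{name}: recovered={master!r} after {work} PBKDF2 iterations")
```

Two things are worth noticing when running it. The weak vault falls on the fifth guess regardless of how good the individual site passwords inside it are, because the master password is the only thing standing between the attacker and all of them. And the iteration count only multiplies the attacker's cost per guess; a master password that is on the guess list at all is lost at any setting, which is why the advice is to make it long and unique rather than to rely on the setting.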

Here are the lessons we can all learn from this breach to stay safer online.

Prevention is better than treatment.

The LastPass breach is a reminder that it is easier to set up safeguards for our most sensitive accounts before a breach occurs than to try to protect ourselves afterward. Here are some best practices we should all follow for our passwords; any LastPass user who had taken these steps ahead of time would have been relatively safe during this recent breach.

  • Create a complex, unique password for every account. A strong password should be long and difficult for someone to guess. For example, take these sentences: “My name is Inigo Montoya. You killed my father. Prepare to die.” And convert them into this, using initials for each word and an exclamation point for the I’s: “Mn!!m.Ykmf.Ptd.” One caveat: a line from a famous film is exactly what password-cracking word lists contain, so build the sentence from something only you would know, and the longer it is, the better.
    For those using a password manager, this rule of thumb is of paramount importance for the master password that unlocks your vault. Never reuse this password for any other app or site; a reused master password is only as safe as the weakest site that has ever stored it.
  • For your most sensitive accounts, add an extra layer of security with two-factor authentication. This setting involves generating a temporary code that must be entered in addition to your user name and password before you can log into your accounts.
    Most banking sites let you set up your cellphone number or email address to receive a message containing a temporary code to log in. Some apps, like Twitter and Instagram, let you use so-called authenticator apps like Google Authenticator and Authy to generate temporary codes.

But remember, it’s not your fault.

Let’s clarify one big thing: Whenever any company’s servers are breached and customer data is stolen, it’s the company’s fault for failing to protect you.

LastPass’s public response to the incident thrusts responsibility on the user, but we don’t have to accept that. Although it’s true that practicing “good password hygiene” would have helped to keep an account more secure in a breach, that doesn’t absolve the company of responsibility.

There are risks to the cloud.

Though the breach of LastPass may feel damning, password managers in general are a useful tool because they make it more convenient to generate and store complex and unique passwords for our many internet accounts.

Internet security often involves weighing convenience versus risk. Mr. Ellis of Bugcrowd said the challenge with password security was that whenever the best practices were too complicated, people would default to whatever was easier — for example, using easily guessable passwords and repeating them across sites.

So don’t write off password managers. But remember that the LastPass breach demonstrates that you are always taking a risk when entrusting a company with storing your sensitive data in its cloud, as convenient as it is to have your password vault accessible on any of your devices.

Mr. Eren of Barracuda recommends not using password managers that store the database on their cloud and instead choosing one that stores your password vault on your own devices, like KeePass.

Have an exit strategy.

That brings us to my final piece of advice, which can be applied to any online service: Always have a plan for pulling out your data — in this case, your password vault — in the event that something happens that makes you want to leave.

For LastPass, the company lists steps on its website to export a copy of your vault into a spreadsheet. Then you can import that list of passwords into a different password manager. Or you can keep the spreadsheet file for yourself, stored somewhere safe and convenient for you to use. Bear in mind that the export is a plain, unencrypted file holding every password: import it promptly and delete it afterward, or keep it only inside something that is itself encrypted. And because the stolen copy is already in someone else's hands, moving the passwords is not enough; changing them is what actually closes the exposure.

I take a hybrid approach. I use a password manager that does not store my data in its cloud. Instead, I keep my own copy of my vault on my computer and in a cloud drive that I control myself. You could do this by using a cloud service such as iCloud or Dropbox. Those methods aren’t foolproof, either, but they are less likely than a company’s database to be targeted by hackers.

Excerpted from The New York Times.
