LastPass, the maker of a password manager (a combination of software and a cloud service that lets you generate, store and protect your personal library of usernames and passwords), disclosed on 15 June 2015 that it had discovered and blocked suspicious activity on its network. Its investigation confirmed that some customer data had been compromised. Several tech news sites, including KrebsOnSecurity and NetworkWorld, also reported on and provided details of the event.
The MU IT Security team recommends using a password manager as a strategy to both manage and protect your network logon credentials; without one, the tendency is to reuse the same credentials across multiple sites.
It’s important to understand what information was compromised and what is believed to still be secure. LastPass reported that the compromised data included lists of user e-mail addresses, password reminders, and additional data-encryption elements called ‘salts’ and ‘hashes’. What is believed to still be protected are the users’ password vaults, which contain their lists of websites and credentials. These vaults are kept encrypted with an extremely strong process which LastPass reports “includes running 100,000 rounds of PBKDF2-SHA256 server-side” and which makes it “difficult to attack the stolen hashes with any significant speed.”
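To make the ‘salt’, ‘hash’ and ‘100,000 rounds of PBKDF2-SHA256’ terms concrete, here is an added illustration written for this advisory; it is not LastPass’s code and does not claim to reproduce their exact scheme. It assumes a simplified server record (e-mail, random salt, hash, round count) and uses Python’s standard-library `hashlib.pbkdf2_hmac`. It shows why a stolen record does not contain the password, why two users with the same master password still get different hashes, and why the round count sets the price of every guess.

```python
import hashlib
import hmac
import os
import time

# Round count quoted in the LastPass disclosure; the record layout below is an assumption.
ROUNDS = 100_000


def derive_hash(master_password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password with a per-user salt, 32-byte output."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, rounds, dklen=32
    )


def create_record(email: str, master_password: str) -> dict:
    """What a server stores: never the password, only a random salt and the derived hash.
    This is the kind of data described as 'salts' and 'hashes' in the disclosure."""
    salt = os.urandom(16)
    return {
        "email": email,
        "salt": salt,
        "hash": derive_hash(master_password, salt),
        "rounds": ROUNDS,
    }


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and round count; constant-time compare."""
    expected = derive_hash(candidate, record["salt"], record["rounds"])
    return hmac.compare_digest(expected, record["hash"])


def cost_seconds(rounds: int, salt: bytes = b"constructed-timing-salt") -> float:
    """Wall-clock cost of one derivation: every guess against a stolen hash pays this."""
    start = time.perf_counter()
    derive_hash("timing-probe", salt, rounds)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed demo values, not real accounts or passwords.
    alice = create_record("alice@example.edu", "correct horse battery staple 42")
    bob = create_record("bob@example.edu", "correct horse battery staple 42")

    print("stored for alice:", alice["email"], alice["salt"].hex(), alice["hash"].hex())
    print("same password, different salt, different hash:", alice["hash"] != bob["hash"])
    print("right password verifies:", verify(alice, "correct horse battery staple 42"))
    print("wrong password verifies:", verify(alice, "correct horse battery staple 43"))
    print("seconds per guess at 1,000 rounds:   %.4f" % cost_seconds(1_000))
    print("seconds per guess at 100,000 rounds: %.4f" % cost_seconds(100_000))
```

The salt defeats precomputed tables (one table would be needed per user), and the round count is the multiplier on the time each guess costs; neither helps if the master password itself is short or reused, which is why the change-your-master-password advice below still applies.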
That being said, if you use LastPass and either have a weak ‘master password’ or have reused your master password on other websites, you may be at risk. You should therefore follow LastPass’s recommendation to visit their website http://www.lastpass.com and change your master password immediately.
Here are a few additional tips to ensure your password vault does not become a single point of failure for your security:
- DO create a very strong master password (UPPER and lower case, numbers and special characters) that is at least 15 characters long; since this is your first line of defense, don’t skimp on characters and don’t use anything obvious.
- DO NOT ever use your master password credentials at another website.
- DO enable multi-factor authentication with LastPass. When you turn on multi-factor, you will need more than simply an e-mail address and master password to open/view your password vault. Often you can use a smartphone app like Google Authenticator or Duo Security (both supported with the free version) to enter an additional PIN or to approve a notification sent to your mobile phone. If you upgrade to the paid (premium) version, you also get a mobile version of LastPass which supports fingerprint sensors and card readers.
- DO NOT respond to any e-mails or click on any web URLs included in e-mail messages. Remember the cybercriminals now have a list that includes your e-mail address and we can almost guarantee you will see any number of e-mail messages urging you to ‘click here to change your password’. Do not become a victim of a phishing attack.
- DO contact the Marshall IT Service Desk, your department IT Service Provider or the IT Information Security team to report suspicious activity or if you have reason to believe that access to your Marshall Network account has been compromised.