Published in The Business News on March 8th, 2023
In August of 2022, LastPass notified customers of a security incident in which “threat actors” gained access to their systems. When LastPass initially reported the breach, it sounded minor. As the months rolled on, LastPass released new information every few weeks, and with each update the incident got worse. By late December, the message was basically smoke ’em if you got ’em, we’re all going down… A little dramatic, and the IT community responded in kind.
LastPass & Password Managers
LastPass is the largest and most popular password manager on the market. There are a bunch of password managers out there and they all work roughly the same way. Instead of keeping your passwords on a sticky note under your keyboard, you store them in an encrypted vault that syncs through the provider’s servers and is unlocked with a single master password. LastPass is the most feature-rich and easiest to use, but they do seem to get hacked annually. Competitors include Dashlane, Bitwarden, 1Password and Keeper.
Following the breach, competitors and IT journalists started publishing all sorts of opinions: do this, do that, get off LastPass now and go to this other product; this one is hack-proof, that one has never been hacked. Businesses started leaving LastPass like rats off the Titanic, and perhaps rightfully so, but no one was talking about best practice, just best products.
Everyone Gets Hacked
The dust hasn’t settled on this yet and I won’t tell you which product to use. I can tell you that the sticky note is a bad idea. I can also tell you my personal opinion on this, which is that everyone gets hacked. If you are big enough and have something of value, you are a target and you will eventually get hacked.
Getting hacked is like a musician having their song parodied by Weird Al Yankovic. It shows that you’ve made it (or that you’re worth targeting). Weird Al isn’t going to parody a struggling artist, and hackers aren’t going to make headlines by targeting an SMB in middle Wisconsin. The big boys, however, will get hacked because they have something worth hacking.
Verizon was recently hacked. You didn’t throw out your iPhone in favor of writing letters, did you? Target was hacked. My wife didn’t give up her retail therapy and I have the new curtains to prove it. Uber, Twitter, Microsoft, American Airlines, U-Haul, TikTok, Apple, Cisco, Marriott and Capital One were all hacked in the past year, and that’s just skimming the surface. How many companies fail to report getting hacked? How many don’t even know?
My point is that everyone gets hacked. Most of the businesses you work with have been hacked, will be hacked, or are being hacked right now by threat actors, evildoers, hackers or whatever name you want to assign. It’s inevitable and it happens more than you think. It is your responsibility to keep your data safe, and it isn’t that much work.
Best Practice
There are three simple things that can drastically reduce your risk.
- Freeze your credit: Equifax, Experian and TransUnion each allow you to create an account and freeze your credit. It’s quick and easy to do, or to undo when you actually need a loan. Once frozen at all three bureaus, bad guys won’t be able to open a new line of credit in your name, even if they got your Social Security number off the Dark Web.
- Use multifactor authentication (MFA) wherever it is offered. Where it isn’t, use a unique password of at least 12 characters for each account and change it promptly if a breach may have exposed it; routine monthly rotation is no longer recommended (current NIST password guidance advises against forced periodic changes, because people respond with predictable variations of the old password). For the password, use a combination of words that make no sense together, like carpetcoffeespiderman, and pick the words randomly rather than from memory. Mix in upper/lower case, numbers and symbols if a site requires them. A password manager getting hacked matters far less if you follow this practice: a stolen vault is encrypted with a key derived from your master password, so a long random master password leaves the attacker with an expensive offline guessing job, and MFA on the accounts inside the vault limits the damage if any one password is ever guessed.
- Understand the scams: You should know what a phishing email looks like. You should understand that the police won’t text you and demand iTunes gift cards as payment for past-due taxes. If it smells bad, it’s bad. Ask for help and/or educate yourself. The guy in the trench coat isn’t going to sell you a real Rolex for $50.
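As an added example (not from the column or from any password manager vendor), the Python script below turns the passphrase advice and the vault point above into something you can run: it generates a random multi-word passphrase the way a human should not (by choosing words from memory), estimates entropy for passphrases versus short complex passwords, checks the 12-character floor, and shows roughly how much a password manager’s key derivation function slows an attacker who has stolen the encrypted vault. The word list is a constructed stand-in for a real diceware list, and the guess rate is an assumed figure.

```python
import math
import secrets

# Constructed word list for illustration only. A real generator should draw
# from a large published list such as the 7,776-word EFF diceware list; these
# sixteen words exist so the example runs offline.
WORDLIST = [
    "carpet", "coffee", "spiderman", "lantern", "granite", "yellow",
    "tractor", "pickle", "orbit", "walrus", "saddle", "monsoon",
    "velvet", "ticket", "glacier", "pepper",
]

MIN_LENGTH = 12          # the column's minimum password length
PRINTABLE_ALPHABET = 94  # upper, lower, digits and symbols on a US keyboard


def generate_passphrase(num_words=4, wordlist=WORDLIST, separator=""):
    """Join randomly chosen words, e.g. 'carpetcoffeespiderman'.

    secrets.choice is a cryptographically secure RNG. Words picked from memory
    cluster around pop culture and household objects and are far easier to
    guess than the entropy figures below assume.
    """
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def passphrase_entropy_bits(num_words, wordlist_size):
    """A random k-word phrase drawn from N words has k * log2(N) bits."""
    return num_words * math.log2(wordlist_size)


def char_entropy_bits(length, alphabet_size=PRINTABLE_ALPHABET):
    """A random string of `length` characters has length * log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def meets_policy(password, min_length=MIN_LENGTH):
    """Length is the only rule enforced here; composition rules add little."""
    return len(password) >= min_length


def years_to_crack(entropy_bits, hashes_per_second, kdf_iterations=1):
    """Expected years to search half the keyspace at a given hash rate.

    A vault's key derivation function (PBKDF2 in LastPass's case) costs about
    `kdf_iterations` hash computations per guess, so an attacker holding a
    stolen vault tries that many times fewer candidates per second. Treat the
    result as an order-of-magnitude estimate, not a precise figure.
    """
    guesses = 2 ** (entropy_bits - 1)
    effective_rate = hashes_per_second / kdf_iterations
    return guesses / effective_rate / (365 * 24 * 3600)


if __name__ == "__main__":
    assumed_gpu_rate = 1e10  # assumed SHA-256 guesses per second on a GPU rig
    print("generated:", generate_passphrase(4, separator="-"))
    cases = [
        ("3 diceware words (carpetcoffeespiderman-style)", passphrase_entropy_bits(3, 7776)),
        ("4 diceware words", passphrase_entropy_bits(4, 7776)),
        ("6 diceware words", passphrase_entropy_bits(6, 7776)),
        ("8 random printable characters", char_entropy_bits(8)),
    ]
    for label, bits in cases:
        raw = years_to_crack(bits, assumed_gpu_rate)
        kdf = years_to_crack(bits, assumed_gpu_rate, kdf_iterations=100_000)
        print(f"{label}: {bits:.1f} bits, {raw:.2e} years raw, "
              f"{kdf:.2e} years behind a 100,000-iteration KDF")
```

Two things to take from the output: three genuinely random words are worth about 39 bits, which a fast offline attack chews through in seconds unless a slow KDF stands in the way, while six words clear 77 bits and stay out of reach either way. And the estimate only holds for random selection; a phrase a person assembled from favorite things is weaker than its length suggests, which is why the generator uses `secrets` rather than asking you to think of words.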
Of the ten or so password managers that I looked into, all but Dashlane have been compromised, and they are standing on the top of the mountain, daring the bad guys to knock them off. In my opinion, it’s only a matter of time. I don’t use it personally and I make no recommendation for or against any one product specifically. I do recommend good practice in all areas of cybersecurity. Learn it yourself or get help from people like me. It’s only painful or scary if you ignore it.