First, it’s important to understand what happened: The company said intruders had gained access to its cloud database and obtained a copy of the data vaults of tens of millions of customers by using credentials and keys stolen from a LastPass employee.

LastPass, which published details about the breach in a blog post Dec. 22, tried to reassure its users that their information was probably safe. It said that some parts of people’s vaults – like the website addresses for the sites they logged in to – were unencrypted but that sensitive data, including user names and passwords, were encrypted.

This would suggest that hackers could know the banking website someone used but not have the user name and password required to log in to that person’s account.

Most importantly, the master password that a user sets up to unlock a LastPass vault is never stored by the company; the key that encrypts the vault is derived from it on the user’s device. That means hackers holding a copy of a vault would have to guess the master password, trying candidates offline against the encrypted data until one of them opens it, which would be difficult to do so long as people used a unique, complex master password. A short or commonly used master password, by contrast, can be found quickly, and nothing on the attacker’s side limits how many guesses can be tried.

Karim Toubba, CEO of LastPass, declined to be interviewed but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive vault data encrypted and secured. He also said it was users’ responsibility to “practice good password hygiene.”

Many security experts disagreed with Toubba’s optimistic spin and said every LastPass user should change all of his or her passwords.

“It is very serious,” said Sinan Eren, an executive at Barracuda, a security firm. “I would consider all those managed passwords compromised.”

Casey Ellis, the chief technology officer of the security firm Bugcrowd, said it was significant that intruders had access to the lists of website addresses that people used.

“Let’s say I’m coming after you,” Ellis said. “I can look at all the websites you have saved information for and use that to plan an attack. Every LastPass user has that data now in the hands of an adversary.”

Here are the lessons we can all learn from this breach to stay safer online.

The LastPass breach is a reminder that it is easier to set up safeguards for our most sensitive accounts before a breach occurs than to try to protect ourselves afterward. Here are some best practices we should all follow for our passwords; any LastPass user who had taken these steps ahead of time would have been relatively safe during this recent breach.

– Create a complex, unique password for every account. A strong password should be long and difficult for someone to guess. For example, take these sentences: “My name is Inigo Montoya. You killed my father. Prepare to die.” And convert them into this, using initials for each word and an exclamation point for the I’s: “Mn!!m.Ykmf.Ptd.”

For those using a password manager, this rule of thumb is of paramount importance for the master password to unlock your vault. Never reuse this password for any other app or site.

– For your most sensitive accounts, add an extra layer of security with two-factor authentication. This setting involves generating a temporary code that must be entered in addition to your user name and password before you can log into your accounts. Most banking sites let you set up your cellphone number or email address to receive a message containing a temporary code to log in. Some apps, like Twitter and Instagram, let you use so-called authenticator apps like Google Authenticator and Authy to generate temporary codes. A code sent by text message or email is better than nothing, but it can be intercepted or phished more easily than one generated on your own device, so prefer an authenticator app where a site offers one.

Let’s clarify one big thing: Whenever any company’s servers are breached and customer data is stolen, it’s the company’s fault for failing to protect you. LastPass’s public response to the incident thrusts responsibility on the user, but we don’t have to accept that. Although it’s true that practicing “good password hygiene” would have helped to keep an account more secure in a breach, that doesn’t absolve the company of responsibility. Although the breach of LastPass may feel damning, password managers in general are a useful tool because they make it more convenient to generate and store complex and unique passwords for our many internet accounts.

Internet security often involves weighing convenience versus risk. Ellis of Bugcrowd said the challenge with password security was that whenever the best practices were too complicated, people would default to whatever was easier – for example, using easily guessable passwords and repeating them across sites.
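The offline attack the article describes, in which a thief holding copies of the encrypted vaults guesses master passwords until one decrypts them, as an added example. This is constructed demo code, not LastPass’s implementation: the per-user salt (USER_SALT), the PBKDF2 work factor (ITERATIONS), the sample credentials and the five-entry wordlist are all made up here, and AES is stood in for by an HMAC-SHA256 keystream so the script runs with only the Python standard library. The shape matches what the article reports: the site URL sits in the clear next to the encrypted blob, and the key that opens the blob is derived from the master password, which itself is never stored.

```python
"""Offline attack on a stolen, encrypted vault: the master password decides the outcome.

Constructed demo, not LastPass code. Toy cipher (HMAC counter-mode keystream)
stands in for AES; the attacker's guessing loop is the same either way.
"""
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # constructed KDF work factor for this demo


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Vault key from the master password. Only the key, never the password, is used on the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream standing in for AES; not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_entry(secret: dict, master_password: str, salt: bytes) -> bytes:
    """Encrypt the sensitive fields of one vault entry; returns nonce || tag || body."""
    key = derive_key(master_password, salt)
    nonce = os.urandom(16)
    plaintext = json.dumps(secret).encode()
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # rejects a wrong key or tampering
    return nonce + tag + body


def decrypt_entry(blob: bytes, master_password: str, salt: bytes):
    """Return the decrypted dict, or None when this master password does not open the blob."""
    key = derive_key(master_password, salt)
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(plaintext)


def make_stolen_record(url: str, username: str, password: str, master_password: str, salt: bytes) -> dict:
    """One exfiltrated vault row: the URL is readable by the thief, the credentials are not."""
    return {"url": url, "blob": encrypt_entry({"user": username, "pass": password}, master_password, salt)}


def crack_offline(record: dict, salt: bytes, guesses: list):
    """Attacker's loop over a wordlist: (master_password, attempts) or (None, attempts).

    Nothing rate-limits this. The thief holds the data and can spread the
    work over as many machines as they like; only the KDF cost and the
    master password's unguessability slow them down.
    """
    for attempts, guess in enumerate(guesses, 1):
        if decrypt_entry(record["blob"], guess, salt) is not None:
            return guess, attempts
    return None, len(guesses)


# Constructed sample data for the demo.
USER_SALT = b"alice@example.com"
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


def demo() -> dict:
    """Same site, same credentials, two different master passwords."""
    weak = make_stolen_record("https://bank.example", "alice", "hunter2", "password123", USER_SALT)
    strong = make_stolen_record("https://bank.example", "alice", "hunter2", "Mn!!m.Ykmf.Ptd.", USER_SALT)
    return {
        "url_visible_to_thief": weak["url"],
        "weak_master": crack_offline(weak, USER_SALT, WORDLIST),
        "strong_master": crack_offline(strong, USER_SALT, WORDLIST),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points worth noticing. The thief learns the URL without any cracking at all, which is exactly Ellis’s concern about planning targeted attacks. And the only two levers on the defender’s side are the master password and the key-derivation work factor (ITERATIONS here): a weak master password falls on the fourth guess of a five-word list, while the passphrase-derived one survives it. Note, though, that a passphrase printed in a newspaper is now in every attacker’s wordlist; the point of the article’s example is the method, so build your own sentence rather than reusing that one.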