Are your Passwords strong enough?
If you’re still using the LastPass password manager after their system was hacked, you’re not alone. I am too. For now. And if you’ve recently switched, or have never used a password manager, THIS ARTICLE IS FOR YOU, TOO!
Don’t rely on a false sense of security! Regardless of how you manage your passwords you must pay attention to password strength.
LastPass users have all (belatedly) received email updates about their well-publicized security breach in August 2022. Although LastPass was admittedly negligent and did not communicate well with its subscribers, they have since taken responsibility, explained what happened, and discussed the implications — not all of which are as scary as they seemed at first — in their March 1st Security Incident Update and Recommended Actions blog post. (If you do have LastPass and haven’t already read it, please take the time now.)
Even if you’re not inclined to accept their apologies, or trust their plans for increased security in the future, you will hopefully take their advice to heart regarding password strength. Because that advice applies to ALL passwords and ALL password managers, not just to theirs. Don’t rely on a false sense of security!
What I did first
When I heard about the LastPass breach — and, c’mon, what service hasn’t ever been breached, to some level or another? — naturally, I thought, “Ugh!” OK, it was more like “Oh, $%*#”! However, knowing that there are multiple layers of security, and that not all of the layers were breached, I wasn’t too worried about my accounts. And I had seen no signs of my own accounts being breached.
Besides, most password managers do not store or have any access to your Master Password or the encrypted information in your password database. Much of the security of your password manager depends on the strength and safety of your one Master Password.
Sidebar: This one article contains “4 Reasons Password Managers Are Secure” and “8 Reasons Password Managers Aren’t as Secure as You Think”.
So, the first thing I did was to change my Master Password.
I was in the habit of changing it once a year anyway, according to a formula I had devised. This time, though, I chose a long, random password and stored it in a safe place. (The same place I previously stored my formulaic Master Passwords in case I forgot the formula. LOL? And I have a trusted person who knows where that is, in case of an emergency.)
What worried me was that I was not finished with my project of upgrading all of my account passwords to a currently-acceptable level of security. I had (and still have) over 300 passwords stored in LastPass. Does that sound like a lot? Well, I’m pretty active online. I have many business and organizing, photo and genealogy, writing and publishing, social media, banking, medical, and entertainment accounts. I am also constantly trying new tools for the sake of research and learning, and I do not hesitate to make purchases online. So, yeah, I do have a lot of accounts! But I don’t use them all every day. Many accounts (but not a lot, percentage-wise) were, by now, obsolete. They amounted to what can only be called password clutter.
Password security is a moving target
Remember the good old days when everyone had their favorite password and used it for everything? Then we learned that was not safe because they were too easily guessed/deduced/hacked. We were forced to start adding, bit by bit, things like a combo of upper and lower case letters plus a number and a special character. People joked that next passwords would require the addition of a tasteful haiku and your first born child. Then it was whole phrases. Or, acronyms based on whole phrases. Then it was no duplicates! (The problem being that if someone guesses your clever naming scheme they can use it to access all your accounts.) Then it was randomly-generated passwords.
LastPass had already been nagging me for months — years? certainly long before the breach — to eliminate duplicates and increase the strength/security of all my passwords. I had, early-on in the nagging process, upgraded the passwords for my most important accounts (think financial, medical, legal, anything associated with a credit card). And I had created the new habit of choosing randomly-generated passwords for new accounts, “important” or not. I did not hesitate to implement Multifactor Authentication as soon as it was offered (years ago).
So, the next thing I did was to doggedly continue converting my less-important, still-less-secure passwords (shorter, repeated, formulaic ones) to more secure passwords (longer, unique, randomly-generated ones). I cleared some password clutter by closing unused accounts (not just deleting them from my LastPass vault). And I did something recommended in the recent LastPass Security Bulletin that I’d never heard of (and don’t ask me to explain it): I increased my “iteration count” setting as per their instructions.
Sidebar: I’m seeing a lot of “never been breached” advertisements these days. This article is a few years old, but it explains why this is not necessarily something to brag about: Five Reasons Why “Never” Being Breached May Not Be A Good Sign.
Are YOUR passwords strong enough?
I don’t blame anyone who’s switched to another password manager! Members of the professional groups to which I belong have been discussing the situation, and many have already jumped ship. Others are reverting to manually-tracked passwords on spreadsheets. The most common replacement, among people I know personally, is 1Password. There are other alternatives as well. But are they impenetrable to hackers? No — nothing is!
Regardless of how you manage your passwords you must pay attention to password strength.
Here is a chart that shows how long it will take a hacker to “brute force” your password, from a 2022 Hive Systems blog post (they say a 2023 edition is forthcoming). I first saw a version of this chart a couple of years ago and it made an impression on me.
This information applies no matter what password manager you use. Most of my passwords for important accounts are in the orange/yellow range at this point. When I first heard about the LastPass breach I still had some passwords — for less important accounts — in the purple and red ranges. But, by now, they’ve all (mostly) been changed. (I don’t aspire to achieve the green range. Pretty sure I don’t care if they hack my by-then useless accounts billions of years from now!)
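The chart above gives brute-force times for fixed combinations of length and character set, and the “iteration count” setting mentioned earlier is what makes each guess against a password-manager vault slow. The following script is an added example, not code from this post, from LastPass, or from Hive Systems; it lets you plug in any length, alphabet and guess rate to see how the search space grows, and shows how raising a PBKDF2 iteration count multiplies the attacker’s cost per guess. The 10 billion guesses per second rate, the 5,000 and 600,000 iteration counts, and the sample master password are assumptions chosen for illustration, not figures from the chart or from any vendor.

```python
"""Rough password keyspace and brute-force time estimates.

Added example (not from the post, LastPass, or Hive Systems). The guess
rate and iteration counts below are assumptions chosen for illustration.
"""
import hashlib
import math
import os
import time

# Alphabet sizes for the character-class categories a brute-force chart uses.
CLASS_SIZES = {
    "numbers only": 10,
    "lowercase letters": 26,
    "upper and lowercase letters": 52,
    "letters and numbers": 62,
    "letters, numbers, symbols": 95,   # printable ASCII
}

# Assumed attacker speed against a fast, unsalted hash: 10 billion guesses/s.
ASSUMED_GUESSES_PER_SECOND = 1e10


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate at the given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits, e.g. '20.9 seconds'."""
    units = [("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "instantly"


def iteration_slowdown(old_iterations: int, new_iterations: int) -> float:
    """Factor by which raising a PBKDF2 iteration count multiplies the
    attacker's cost per guess (every guess must run every iteration)."""
    return new_iterations / old_iterations


def measure_pbkdf2_seconds(iterations: int) -> float:
    """Time one PBKDF2-HMAC-SHA256 derivation with a constructed password and
    a random salt; this is the per-guess cost a vault brute-forcer would pay."""
    password = b"constructed-master-password"   # constructed sample, not a real secret
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    print(f"Assumed rate: {ASSUMED_GUESSES_PER_SECOND:,.0f} guesses/second")
    for length in (8, 12, 16):
        for name, size in CLASS_SIZES.items():
            secs = seconds_to_exhaust(length, size)
            print(f"{length:2d} chars, {name:28s} {entropy_bits(length, size):6.1f} bits  "
                  f"{human_duration(secs)}")
    # Assumed iteration counts: an old low setting versus a raised one.
    old, new = 5_000, 600_000
    print(f"\nRaising PBKDF2 iterations {old:,} -> {new:,} makes each guess "
          f"{iteration_slowdown(old, new):.0f}x more expensive")
    print(f"One derivation at {new:,} iterations took "
          f"{measure_pbkdf2_seconds(new):.3f} s on this machine")
```

Run it as a script to print a small table. Two things the chart alone does not show: each extra character multiplies the search space by the alphabet size, so length matters more than any single symbol, and a higher iteration count divides the attacker’s effective guess rate by the same factor it multiplies your login delay by, which is why it is worth the fraction of a second.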
Don’t put all your eggs in one basket!
If you are distrustful of the internet, you aren’t alone, and you should have a healthy skepticism! At the same time, as in so many areas of life, knowledge is power. I recently agreed — wholeheartedly — with a man who attended a presentation of mine, that something could, indeed, happen to his photos if he stored them in cyberspace. Thus, he concluded, he shouldn’t store them there. No — I disagreed, just as wholeheartedly — he should! Something possibly happening is no reason to not store something in the cloud, or anywhere else. That’s why we back up our files and store multiple copies in multiple places! Three (3) copies, to be precise; using two (2) different data storage types; one (1) of which is stored offsite. This data industry best practice is known as the 3-2-1 Rule, as described in my blog post Are your files backed up? and my book What’s a Photo Without a Story? How to Create Your Family Legacy.
Same goes for the data stored in password managers. I have downloaded a copy of all my accounts and login info to my computer as a backup to LastPass. And my computer files are backed up both in the cloud and on an external hard drive (EHD). If someone does try to hack my accounts based on what they obtained in the October 2022 LastPass breach, they will be working with old passwords that have since been changed. And, if it’s an account for which I have implemented Multifactor Authentication, I will be notified. I will also keep abreast of developments in password security (as best I can) and act accordingly.
Why am I writing about this?
This topic is important to me because:
- I’ve recommended LastPass to others in the past.
- I’ve mentioned LastPass in blog posts such as: Are your files backed up? and Are You Prepared for Identity Theft?
- I mentioned LastPass in my book What’s a Photo Without a Story? How to Create Your Family Legacy.
- I don’t want people to have a false sense of security just because they are NOT using LastPass.
Part of me feels that there will be no SAFER service after this ordeal than LastPass! LOL? Who knows where the next breach will occur — 1Password? Some other popular password manager?
Or, I could be wrong. And I reserve the right to change my mind at any time!
Think of it this way: It’s kind of like living in earthquake country, or a flood zone, or hurricane alley and deciding to stay, knowing the risks, and being prepared, rather than moving. Some people will think you’re crazy. But you have your reasons for staying, including not wanting to trade one set of problems for another.
Meanwhile, I’ve also written — in Always Believe in Yourself and in What are you worried about? Don’t worry – Take action! — about trusting your own wings, rather than simply hoping the branch won’t break.
Know this: The internet security “branch” probably WILL break at some point.
Do you have a back-up plan? Are you prepared?
Please share with us in the comments below!
- Copyright 2023 by Hazel Thornton, Organized for Life and Beyond
- Hazel is an author, genealogist, and retired home and office organizer.
- What’s a Photo Without the Story? How to Create Your Family Legacy
- Go With the Flow! The Clutter Flow Chart Workbook
- Feel free to link directly to this post!