Yesterday, I wrote about the LastPass security breach. I got a few follow-up questions from your fellow subscribers that I think are worth sharing.
(And thanks to everyone who took the time to contact me).
Q: If my LastPass account is protected with MFA, doesn’t that mean the bad guys will need more than just my LastPass master password before they can see the information in my password vault?
A: Unfortunately, no.
This MFA security protection is only protecting LastPass’ front door (e.g. the LastPass website or one of the LastPass apps). Apparently, the bad guys didn’t get in via the front door. They went through a back door and gained access to a backup copy of the password vaults. Each vault in this backup is only protected by (i.e. encrypted with) your LastPass master password.
It’s like storing all of your important information in a safe in your home. The front door of your home is protected with a lock, and only you have the key.
Unfortunately, the bad guys got in via a back door and robbed the safe*. Now that the safe is in their possession, the question of ‘if’ or ‘when’ they will gain access to the contents of the safe is outside of your control.
* To be more accurate, they robbed an exact replica of the safe and its contents. And apparently, the people who were responsible for securing the back door didn’t tell you about this for more than 3 months.
Q: If all of my important accounts are protected with MFA, does it really matter if the bad guys gain access to my LastPass vault and see the passwords to these accounts?
A: Yes, MFA should prevent the bad guys from accessing one of your important accounts with just your password. But:
- I bet that not all of your important accounts are fully protected with MFA.
- I bet that you have stored an emergency access code for at least one of your important accounts in your LastPass vault. This emergency ‘One Time Code’ will enable the bad guys to circumvent the MFA security on these accounts.
- Your password is one of your multiple authentication factors (that’s why we call it ‘MFA’). If your password is now known to the bad guys, there may now only be a single layer of security keeping them from your important accounts.
- You are assuming that the bad guys will never find a way around the MFA protection that is set up on your important accounts.
- Most importantly, if you use the “LastPass Authenticator” app for MFA authentication and you have enabled “Cloud Backup” within the app, I think you should assume that this breach will also enable the bad guys to see your MFA codes. After all, the “Cloud Backup” facility in the LastPass Authenticator appears to back up the MFA codes... into your LastPass password vault. Suddenly, MFA has a serious single point of failure.
Q: I have more than 100 / 300 / 1000 passwords stored in my LastPass vault. It will take months to move to a new password manager and reset all of these passwords. Isn’t there an easier way?
A: Yes... but no!
Moving to a new password manager is relatively simple – you can export your LastPass data to a CSV file and import it into an alternative in a matter of minutes – e.g. Bitwarden; 1Password.
Unfortunately, I’m not aware of a fast way to reset the passwords on all of your accounts.
This is why you need to focus on your most valuable accounts first** – e.g. email accounts, bank accounts, anything to do with crypto wallets, social media accounts, and PayPal / Stripe / online payments accounts.
For each account:
- Make sure it is protected with MFA**.
- Make sure your LastPass vault is not storing any emergency access codes / One Time Passwords for this account – You may have stored them as a note within the vault. If so, you need to regenerate these codes and securely store them somewhere else (e.g. print them out and store them with your important files at home). Do not store them in your password manager.
- Reset the password on the account and store the new password in your new password manager.
** If you use the “LastPass Authenticator” app to generate the MFA security code for an account and you have previously enabled “Cloud Backup” within that app, you should move MFA for these accounts to an alternative app ASAP – e.g. Google Authenticator; Authy. This usually involves logging in to each account, disabling MFA, and setting it up again in your new authenticator app.
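The per-account checklist above turns on one question: which vault entries are holding something that would let an attacker sidestep MFA? Here is an added example (not from the original post, and not a LastPass or Bitwarden tool) of a small Python triage script that reads a LastPass CSV export and flags entries that contain a TOTP seed or look like stored emergency / one-time codes. It assumes the export uses the column header `url,username,password,totp,extra,name,grouping,fav`; the sample export embedded below is constructed, and the keyword and code-shape patterns are heuristics, so treat the output as a starting list to review, not a complete audit.

```python
import csv
import io
import re

# Constructed sample in the assumed LastPass CSV export layout. Every value
# here is invented for the demonstration; run the functions on your own
# export file instead.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice,Pa55word!,,,"Email (example)",Email,1
https://bank.example.com,alice,Tr0ub4dor&3,JBSWY3DPEHPK3PXP,,"Bank (example)",Finance,1
http://sn,,,,"Backup codes for mail: 1234-5678 2345-6789 3456-7890 4567-8901","Email recovery codes",Notes,0
https://shop.example.com,alice,hunter2,,,Shop,Shopping,0
"""

# Phrases people typically use when pasting emergency codes into a note.
KEYWORD_RE = re.compile(
    r"(recovery|backup|emergency|one[- ]?time|scratch)\s+codes?", re.I
)

# Four or more consecutive short alphanumeric tokens (optionally hyphenated),
# the usual shape of a printed block of one-time codes.
CODE_BLOCK_RE = re.compile(
    r"(?:\b[0-9A-Za-z]{4,10}(?:-[0-9A-Za-z]{4,10})?\b[\s,]*){4,}"
)


def triage_entry(row):
    """Return a list of reasons this vault entry needs attention (empty if none)."""
    reasons = []
    # A TOTP seed in the vault means the "second factor" lives next to the password.
    if row.get("totp", "").strip():
        reasons.append("totp seed stored in vault")
    text = " ".join(row.get(k, "") for k in ("name", "extra"))
    if KEYWORD_RE.search(text):
        reasons.append("mentions recovery/backup codes")
    if CODE_BLOCK_RE.search(row.get("extra", "")):
        reasons.append("note contains a block of code-like tokens")
    return reasons


def triage_export(csv_text):
    """Map entry name -> reasons, for every entry in the export that was flagged."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = {}
    for row in reader:
        reasons = triage_entry(row)
        if reasons:
            findings[row["name"]] = reasons
    return findings


if __name__ == "__main__":
    # Point this at your real export, e.g. open("lastpass_export.csv").read()
    for name, reasons in triage_export(SAMPLE_EXPORT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Each flagged entry is one where, after you regenerate the codes or move the authenticator, the old copy in the vault should be treated as already known to whoever holds the backup.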
Q: Is there a word missing from your last line yesterday: “Perception may not reality. But when it comes to security, perception matters.”
A: Absolutely. I meant to say “Perception may not be reality. But when it comes to security, perception matters.”
Less haste; more speed.
Q: Doesn’t this prove that password managers are not good for security?
A: That’s an interesting question. I will discuss this tomorrow.