The LastPass Breach

LastPass, one of the biggest online credential managers was breached.

Should this scare you away from online credential managers? No

Should this scare you away from LastPass? Yes

Please read this article to learn what to look for in a credential manager and why you should get one now.

LastPass claims that if you use their default settings “it would take millions of years to guess your master password using generally-available password-cracking technology.”  This is disingenuous at best, and outright wrong at worst.  I won’t go into the details here to explain why, but if you are interested I can point you to a great article.  (Full disclosure: the article is written by a competitor of LastPass, but facts are facts).

This article will explain a major difference between two specific credential managers: LastPass and 1Password.  There are many other credential managers available, but for the purposes of this article, we will focus only on these two.  If you are interested in a different credential manager, you should compare its security features with these.

What stands between a hacker and your data?

Basic security includes a master password, which should be long, complex, and memorized by you.  However, if the hacker has the means to continuously throw passwords at the vault, then they could eventually break in.  That’s why it’s so damaging that hackers were able to obtain the encrypted password vaults of LastPass customers.  They can now throw passwords repeatedly at the vaults until one opens it.  Once that happens with LastPass, then the hackers have access to all of the customer’s data.

With 1Password, you get another layer of security: a secret key.  The secret key is a 25-character, random string that is never stored in the cloud.

The most relevant facts about the Secret Key are:

1. It’s created on your device when you first sign up.
2. It’s never passed to or through 1Password servers.
3. It’s woven into your account password when deriving the keys needed to decrypt your data.
4. It’s very long and complex (128-bits).

The consequence of 1 and 2 is that 1Password (and therefore anyone who breaches their servers) have no access to your Secret Key whatsoever.

The consequence of 3 is that an attacker would need to have or guess your Secret Key to decrypt your data.

And the consequence of 4 is that it is not going to be guessed.

The bottom line is that you need to use a credential manager whose success is based on designing for failure.  The password manager you use will hopefully not be breached, but they must plan for being breached.

The 1Password Secret Key may not be the most user-friendly aspect of their human-centered design, but it means that they can say with full confidence that your secrets will remain safe in the event of a breach.

The number of passwords we all must manage these days can be overwhelming.  Especially if we follow the requirements to use unique passwords for each account.  Do yourself a favor, follow the security guidelines and get a credential manager… just make sure you confirm first that it is truly secure.

I am not affiliated with 1Password, but I stand behind their security model, not only with words but also by trusting it with my personal credentials.

If you have questions about this, please let us know and we will be happy to assist you.
Take care,