Downplaying security breaches is a disturbing trend, and this incident is genuinely alarming. Why are you exposed?
Can attackers guess your master password? What can you do to protect yourself now? This post covers what to do next if you are a LastPass subscriber.
The Breach Exposed Customer Data
LastPass’ November 2022 breach escalated from the security incident it reported in August 2022.
In August 2022, CEO Karim Toubba confirmed that the attackers had taken portions of source code and proprietary technical information.
The customer account and vault data stolen in November 2022 is a far graver concern, because some of it was never encrypted at all.
Basic account data such as names, email and billing addresses, and phone numbers fall into this category. The same attackers also hold a copy of customer vault data.
Within the vault, website URLs are stored unencrypted, while site usernames, passwords, secure notes and form-fill data are encrypted.
The company revealed that the intruder used information taken in the August breach. LastPass first blogged about the new intrusion on November 30, 2022.
Still, vague breach disclosures are irresponsible. Toubba wrote only that intruders could “gain access to certain elements” of “customers’ information.”
Also, LastPass does not encrypt the whole vault: website URLs sit in cleartext, and the stolen account data included IP addresses.
That matters because the URL list tells an attacker exactly which banks, mail providers and shops you hold accounts with, so they can run targeted phishing against you and steal those passwords without cracking anything.
Can Hackers Guess Your Password?
The company said customers’ password vaults are encrypted, and that the key is derived from the master password, which only the customer knows.
LastPass calls this its “Zero Knowledge” architecture: LastPass never stores, and does not know, your master password.
But LastPass warned that the hackers “may attempt to use brute force to guess your master password” and, if they succeed, decrypt the copies of vault data they took. Because that copy is offline, nothing LastPass does now (lockouts, 2FA, rate limiting) can stop those guesses.
The problem is that their reassurances need to be more accurate. They state, “if you use the default settings…, it will take millions of years to guess your master password.”
That claim assumes a randomly generated 12-character password and the default key-derivation settings. Both assumptions are generous: many people pick their own master password rather than use the LastPass password generator, and accounts created years ago may never have been moved to the current settings.
Hashcat Cracks Passwords
Consumer graphics cards have the raw processing power to test billions of guesses per second against fast hashes, and short or predictable passwords fall in hours even against slow ones. So stating that it takes “millions of years” is not accurate for a large share of real master passwords.
The new Nvidia GeForce RTX 4090 is currently the most potent single-card password cracker. Hashcat, an advanced password recovery tool, drives one or more GPUs to test candidate passwords at scale.
Password researcher Sam Croley posted the first Hashcat benchmarks for the RTX 4090.
Hashcat supports several attack modes for narrowing the search: pure brute force, mask attacks (brute force over a pattern such as “capital letter, six lowercase letters, two digits”), dictionary attacks, and rule-based attacks that mangle dictionary words (capitalize, append a year, swap letters for digits).
Those benchmarks show that a rack of eight GeForce RTX 4090 cards could exhaust every 8-character password in about 48 minutes. That headline figure is for NTLM, a fast unsalted Windows hash. A LastPass vault key is derived with PBKDF2-SHA256, which by default runs 100,100 iterations per guess and slows each attempt by orders of magnitude; older accounts that never had their iteration count raised may sit at 5,000 or fewer, so check the password iterations value in your account’s advanced settings.
Even so, a slow hash does not rescue a weak password. If a master password is a dictionary word with a capital letter and a year tacked on, or reuses a password already in a leaked list, the cracking time drops from years to minutes, because the attacker needs only a few thousand guesses rather than trillions.
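To make the cost argument concrete, here is an added example (not code from the original post, and not LastPass’s own code) of the offline attack described above: a small dictionary-plus-rules search against a PBKDF2-SHA256-derived vault key, together with a helper that turns a guess rate into the “years to exhaust the keyspace” figure. The KDF parameters follow LastPass’s published design (salt is the lowercase account email, 100,100 iterations by default); the key-check value, the sample email and password, the word list and the guess rates are assumptions constructed for the example.

```python
import hashlib
import hmac
import itertools

# Constructed sample account with a weak, dictionary-derived master password.
# The KDF follows LastPass's published design: PBKDF2-HMAC-SHA256, salt = the
# lowercase e-mail, 100,100 iterations by default (older accounts may still be
# at 5,000 or fewer). The key-check value below is an ASSUMPTION made for this
# example: it stands in for the real test an attacker would run, which is
# decrypting one AES-CBC vault field and checking that it parses.
EMAIL = "victim@example.com"
MASTER_PASSWORD = "Sunshine2022"
DEFAULT_ITERATIONS = 100_100
LEGACY_ITERATIONS = 5_000

WORDLIST = ["password", "sunshine", "qwerty", "letmein"]   # constructed


def derive_key(password: str, email: str, iterations: int) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(password, lower(email), iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), email.lower().encode(), iterations, 32
    )


def key_check(key: bytes) -> bytes:
    """Assumed verifier: lets the attacker tell a right key from a wrong one."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def mangle(word: str):
    """A tiny hashcat-style rule set: identity, capitalize, capitalize + year, append '!'."""
    yield word
    yield word.capitalize()
    yield word.capitalize() + "2022"
    yield word + "!"


def crack(verifier: bytes, email: str, iterations: int, wordlist):
    """Offline dictionary + rules attack: derive a key per candidate, compare the check value.

    Every guess costs a full PBKDF2 run, which is why the iteration count matters.
    """
    for candidate in itertools.chain.from_iterable(mangle(w) for w in wordlist):
        if hmac.compare_digest(key_check(derive_key(candidate, email, iterations)), verifier):
            return candidate
    return None


def years_to_exhaust(guesses_per_second: float, alphabet_size: int, length: int) -> float:
    """Time for a full keyspace search at a given guess rate (the 'millions of years' figure)."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    stolen = key_check(derive_key(MASTER_PASSWORD, EMAIL, DEFAULT_ITERATIONS))
    print("recovered master password:", crack(stolen, EMAIL, DEFAULT_ITERATIONS, WORDLIST))
    # Illustrative guess rates (assumptions, not benchmarks): a slow KDF versus a fast hash.
    for rate in (1e4, 1e9):
        print(f"{rate:.0e} guesses/s: 8 random printable chars "
              f"{years_to_exhaust(rate, 95, 8):.2g} years, 12 chars "
              f"{years_to_exhaust(rate, 95, 12):.2g} years")
```

The point the numbers make is that the KDF only multiplies the cost per guess; it cannot multiply the number of guesses an attacker needs. A 12-character random password stays out of reach at any realistic rate, while “Sunshine2022” falls to a handful of rule-mangled dictionary words no matter how many iterations protect it.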
Do you want to take that risk? Probably not. No one will blame you if you quit LastPass.
What Can You Do to Protect Yourself?
Changing your master password is the first step, but understand what it does and does not do. It protects your vault going forward; it does nothing to the copy the attackers already hold, which stays encrypted under the old password forever. The only way to make that stolen copy worthless is to change the passwords stored inside it.
So work through them in order of priority. With that said, here is what you can do to protect yourself now:
- Change your master password. Use a long, unique passphrase, at least 12 characters; we recommend 20 characters or more.
- Turn on 2FA (two-factor authentication) on every online account that offers it. You will be alerted to, and must approve, each login attempt, typically on your phone. Note that 2FA on your LastPass account itself does not help against the stolen vault copy: offline cracking never touches the login.
- Change the passwords of your most essential accounts first. This includes email (because it can reset everything else), online banking, financial records and medical information.
- Then change the rest. Start with your social media profiles and work down by order of priority through the remaining logins, replacing any password that was reused anywhere.
- Find a new password manager. I recommend Bitwarden, but research the others as well.
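As an added example (not part of the original post and not a LastPass tool), the script below applies that priority order to a vault export: it parses a LastPass-style CSV, flags passwords that are reused across sites or fall below the 12-character floor above, bumps entries whose site or folder looks high-value, and returns the list ranked by what to rotate first. The sample rows, the keyword list and the scoring weights are constructed assumptions; the column layout is assumed to match LastPass’s CSV export, so check it against the header line of your own file.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlparse

# Constructed sample export. The column layout (url,username,password,totp,
# extra,name,grouping,fav) is ASSUMED to match LastPass's CSV export; verify
# against your own file's first line.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://online.mybank.example,alice,Sunshine2022,,,Bank,Finance,1
https://mail.example.com,alice@example.com,Sunshine2022,,,Webmail,,0
https://social.example.net,alice,Tr0ub4dor&3,,,Social,,0
https://forum.example.org,alice,correct-horse-battery-staple-9f2,,,Forum,Misc,0
https://shop.example.com,alice,Sunshine2022,,,Shop,,0
"""

MIN_LENGTH = 12                                       # the floor recommended above
HIGH_VALUE_WORDS = ("bank", "mail", "pay", "finance", "health", "tax")   # assumption


def score(entry: dict, reuse_count: int):
    """Return (priority score, reasons) for one vault entry. Weights are assumptions."""
    points, reasons = 0, []
    if reuse_count > 1:                 # one crack or phish unlocks every site sharing it
        points += 3
        reasons.append(f"reused x{reuse_count}")
    if len(entry["password"]) < MIN_LENGTH:
        points += 2
        reasons.append("short")
    host = urlparse(entry["url"]).hostname or ""
    label = " ".join((host, entry.get("name", ""), entry.get("grouping", ""))).lower()
    if any(word in label for word in HIGH_VALUE_WORDS):
        points += 2
        reasons.append("high-value")
    return points, reasons


def triage(export_text: str):
    """Rank vault entries by rotation priority: highest score first, URL as tie-break."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    reuse = Counter(row["password"] for row in rows)
    ranked = []
    for row in rows:
        points, reasons = score(row, reuse[row["password"]])
        ranked.append((points, row["url"], reasons))
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return ranked


if __name__ == "__main__":
    for points, url, reasons in triage(SAMPLE_EXPORT):
        print(f"{points:2d}  {url:32s}  {', '.join(reasons) or 'ok'}")
```

Run it on the CSV you export before migrating, and remember that the export itself is plaintext: keep it on an encrypted disk and delete it as soon as the rotation is done.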
A Few LastPass Alternatives
Here are a few alternatives to LastPass. Also, a quick Google search can show you many more.
Bitwarden: Its free tier allows you to use it across unlimited devices. It works with Windows, macOS, Linux, Android, iPhone, and iPad. Also, it works with most browsers, such as Chrome, Firefox, Safari, Edge, Brave, etc.
1Password: It doesn’t offer a free tier, but it does offer a 14-day free trial. This password manager is also cross-platform.
Dashlane: It offers a limited free version for storing 50 passwords on one device. Also, it works with many Operating Systems and most browsers too.
The Bottom Line
Securing your personal data after this breach takes a number of tedious steps. The attackers hold a copy of your encrypted vault as it stood at the time of the breach.
And they have unlimited time to run brute-force and dictionary attacks against its master password, offline, beyond anyone’s ability to lock them out.
You are exposed, and the risk grows the longer you wait.
Rotate your most important logins first, then protect those accounts further by enabling 2FA wherever it is offered.