For the beleaguered password management company LastPass, the hits just keep on coming.
On Monday, the tech publication Security Week reported that last year’s security breach at LastPass was even scarier than it seemed. According to a statement issued by the company, hackers broke into the home computer of a LastPass software engineer, where they planted a “keylogger” program that copied the engineer’s every keystroke. The bad guys used this data to figure out the engineer’s password and gain access to sensitive files, including keys to LastPass file backups. The stolen files were encrypted at least, but they’re now in the hands of determined criminals who will surely try to figure a way in.
This new information shows that the bad guys’ efforts to infiltrate the company were sophisticated and relentless. But what really bothers me is that we’re just hearing about this, months after LastPass reported the original hack. The company, a spinoff of Boston-based software firm GoTo, deserves credit for honesty. But for urgency, not so much. Besides, this isn’t the first security lapse at LastPass. I’ve been a subscriber for over a decade, and in that time, the service has been plagued by multiple hacks and software bugs.
The last straw for me was a notice that my premium subscription was up for renewal. The price isn’t bad — $36 a year — but an insecure security service isn’t worth a dime.
On the other hand, I won’t give up on password managers. They’re vital security tools, because they make it easy to attach very strong passwords to all my online accounts. I can access those passwords from my phone, and from any Internet-connected computer. Password managers also make it easy to generate new passwords and instantly file them for future use.
These programs all still have one critical weakness — the user’s master password. Lose it, and you lose access to all your passwords. Worse yet, if somebody steals or guesses the master password, they’ve got the keys to your entire kingdom. Still, I’d rather memorize just one very hard password than assign easy-to-remember, easy-to-guess passwords to my bank account, credit cards, medical records, and countless other critical files.
Lisa Plaggemier, executive director at the National Cybersecurity Alliance in Washington D.C., put it rather well. “I absolutely am still a fan” of password managers, she said, “because all the alternatives are worse.”
Plaggemier suggested that LastPass users should protect themselves by changing their master passwords, as well as all the most sensitive passwords stored in their online vaults, such as financial, medical, and social media sites.
She also recommends setting up multifactor authentication, which requires an additional form of identification when logging in. For instance, Google offers a free authenticator app that displays a different random number every minute. To log in, the user must enter the master password, then launch the app and type in the random number. It’s a nuisance, but it’s very secure.
Still, for me, it’s time to seek out a different password manager. There are plenty of alternatives, and none is terribly expensive. For now I’ve opted for Bitwarden, a free service that seems to include pretty much everything I’ll need from a password manager. And for what it’s worth, Bitwarden claims it has never been successfully hacked.
Bitwarden is available as an extension app that runs inside all the major web browsers. That way you can easily use it to log into your favorite sites. It also comes as a smartphone app for Apple or Android devices.
Switching to a new password manager is unexpectedly painless. Give LastPass credit; it offers an easy way to decrypt and export all your stored data. In turn, Bitwarden will quickly import this file. Once this is done, delete the decrypted password file, and you’re all set.
Of course, with any password manager, the user takes a leap of faith. Do these guys know what they’re doing? And will they level with me if things go wrong?
With Bitwarden, time will tell. But as for LastPass, its time is up.
Hiawatha Bray can be reached at firstname.lastname@example.org. Follow him on Twitter @GlobeTechLab.