While many of us were unplugging
from the internet to spend time with loved ones over the holidays, LastPass,
the maker of a popular security program for managing digital passwords,
delivered the most unwanted gift. It published details about a recent security
breach in which cybercriminals had obtained copies of customers’ password
vaults, potentially exposing millions of people’s online information.
From a hacker’s perspective, this is the
equivalent of hitting the jackpot.
When you use a password manager like
LastPass or 1Password, it stores a list containing all of the usernames and
passwords for the sites and apps you use, including banking, health care,
email, and social networking accounts. It keeps track of that list, called the
vault, in its online cloud so you have easy access to your passwords from any
device. LastPass said hackers had stolen copies of the list of usernames and
passwords of every customer from the company’s servers.
This breach was one of the worst things
that could happen to a security product designed to take care of your
passwords. But other than the obvious next step — to change all of your
passwords if you used LastPass — there are important lessons that we can learn
from this debacle, including that security products are not foolproof,
especially when they store our sensitive data in the cloud.
What did the hack entail?
First, it is important to understand what
happened: The company said intruders had gained access to its cloud database
and obtained a copy of the data vaults of tens of millions of customers by
using credentials and keys stolen from a LastPass employee.
LastPass, which published details about the
breach in a blog post December 22, tried to reassure its users that their
information was probably safe. It said that some parts of people’s vaults —
like the website addresses for the sites they logged in to — were unencrypted
but that sensitive data, including usernames and passwords, were encrypted. This
would suggest that hackers could know the banking website someone used but not
have the user name and password required to log in to that person’s account.
Most importantly, the master passwords that
users set up for unlocking their LastPass vaults were also encrypted. That
means hackers would then have to crack the encrypted master passwords to get
the rest of the passwords in each vault, which would be difficult to do, so
long as people used a unique, complex master password.
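As an added illustration (not LastPass's code or architecture), the following Python models the vault layout the article describes: a key stretched from the master password with PBKDF2, site URLs left in the clear, credentials encrypted, and an estimate of how the master password's strength and the key-derivation cost govern how long a stolen vault resists offline guessing. The iteration count, the guessing rate and the HMAC-based toy cipher are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption: illustrative count, not LastPass's real setting
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_vault_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256, a stand-in for AES so the example
    # runs on the standard library alone. It carries no integrity tag; a real vault
    # would use an authenticated mode such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def seal_field(key: bytes, plaintext: str) -> bytes:
    """Encrypt one vault field; the random 12-byte nonce is prepended to the ciphertext."""
    data, nonce = plaintext.encode(), secrets.token_bytes(12)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def open_field(key: bytes, blob: bytes) -> str:
    """Decrypt a sealed field; a wrong key yields garbage rather than an error."""
    nonce, body = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode(errors="replace")

def seal_vault(entries: list, key: bytes) -> list:
    """URLs stay in the clear, as the article says LastPass's did; credentials are sealed."""
    return [{"url": e["url"], "username": seal_field(key, e["username"]),
             "password": seal_field(key, e["password"])} for e in entries]

def years_to_exhaust(entropy_bits: float, iterations: int, kdf_ops_per_second: float) -> float:
    """Years an offline guesser needs to try every master password of the given entropy.
    Each guess costs `iterations` HMAC operations; the guessing rate is an assumption."""
    return 2 ** entropy_bits * iterations / kdf_ops_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    vault = [{"url": "https://bank.example", "username": "alice", "password": "hunter2"}]  # constructed
    key = derive_vault_key("Mn!!m.Ykmf.Ptd.", b"constructed-salt")
    sealed = seal_vault(vault, key)
    print(sealed[0]["url"], open_field(key, sealed[0]["password"]))
    for bits in (40, 80):  # roughly: a short guessable password vs. a long unique one
        print(bits, "bits:", years_to_exhaust(bits, PBKDF2_ITERATIONS, 1e10), "years")
```

The two entropy figures show the point the article makes: with the same stolen ciphertext and the same key-derivation cost, only the master password's strength separates months of exposure from an effectively unreachable vault.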
Karim Toubba, CEO of LastPass, declined to
be interviewed but wrote in an emailed statement that the incident demonstrated
the strength of the company’s system architecture, which he said kept sensitive
vault data encrypted and secured. He also said it was users’ responsibility to
“practice good password hygiene”.
Many security experts disagreed with
Toubba’s optimistic spin and said every LastPass user should change all of his
or her passwords.
“It is very serious,” said Sinan Eren, an
executive at Barracuda, a security firm. “I would consider all those managed
passwords compromised.”
Casey Ellis, the chief technology officer
of the security firm Bugcrowd, said it was significant that intruders had
access to the lists of website addresses that people used.
“Let’s say I’m coming after you,” Ellis
said. “I can look at all the websites you have saved information for and use
that to plan an attack. Every LastPass user has that data now in the hands of
an adversary.”
Here are the lessons we can all learn from
this breach to stay safer online.
Prevention is better than treatment.
The LastPass breach is a reminder that it
is easier to set up safeguards for our most sensitive accounts before a breach
occurs than to try to protect ourselves afterward. Here are some best practices
we should all follow for our passwords; any LastPass user who had taken these
steps ahead of time would have been relatively safe during this recent breach.
—Create a complex, unique password for
every account. A strong password should be long and difficult for someone to
guess. For example, take these sentences: “My name is Inigo Montoya. You killed
my father. Prepare to die.” And convert them into this, using initials for each
word and an exclamation point for the I’s: “Mn!!m.Ykmf.Ptd.”
For those using a password manager, this
rule of thumb is of paramount importance for the master password to unlock your
vault. Never reuse this password for any other app or site.
—For your most sensitive accounts, add an
extra layer of security with two-factor authentication. This setting involves
generating a temporary code that must be entered in addition to your user name
and password before you can log into your accounts.
Most banking sites let you set up your
cellphone number or email address to receive a message containing a temporary
code to log in. Some apps, like Twitter and Instagram, let you use so-called
authenticator apps like Google Authenticator and Authy to generate temporary
codes.
But remember, it is not your fault.
Let me clarify one big thing: Whenever any
company’s servers are breached and customer data is stolen, it is the company’s
fault for failing to protect you.
LastPass’s public response to the incident
thrusts responsibility on the user, but we do not have to accept that. Although
it is true that practicing “good password hygiene” would have helped to keep an
account more secure in a breach, that does not absolve the company of
responsibility.
There are risks to the cloud.
Although the breach of LastPass may feel
damning, password managers in general are a useful tool because they make it
more convenient to generate and store complex and unique passwords for our many
internet accounts.
Internet security often involves weighing
convenience versus risk. Ellis of Bugcrowd said the challenge with password
security was that whenever the best practices were too complicated, people
would default to whatever was easier — for example, using easily guessable
passwords and repeating them across sites.
So do not write off password managers. But
remember that the LastPass breach demonstrates that you are always taking a
risk when entrusting a company with storing your sensitive data in its cloud,
as convenient as it is to have your password vault accessible on any of your
devices.
Eren of Barracuda recommends not using
password managers that store the database on their cloud and instead choosing
one that stores your password vault on your own devices, like KeePass.
Have an exit strategy.
That brings us to my final piece of advice,
which can be applied to any online service: Always have a plan for pulling out
your data — in this case, your password vault — in the event that something
happens that makes you want to leave.
For LastPass, the company lists steps on
its website to export a copy of your vault into a spreadsheet. Then you can
import that list of passwords into a different password manager. Or you can
keep the spreadsheet file for yourself, stored somewhere safe and convenient
for you to use.
Jordan News