Are your Passwords strong enough?


If you’re still using the LastPass password manager after their system was hacked, you’re not alone. I am too. For now. And if you’ve recently switched, or have never used a password manager, THIS ARTICLE IS FOR YOU, TOO!


LastPass users have all (belatedly) received email updates about their well-publicized security breach in August 2022. Although LastPass was admittedly negligent and did not communicate well with its subscribers, they have since taken responsibility, explained what happened, and discussed the implications — not all of which are as scary as they seemed at first — in their March 1st Security Incident Update and Recommended Actions blog post. (If you do have LastPass and haven’t already read it, please take the time now.)

Even if you’re not inclined to accept their apologies, or trust their plans for increased security in the future, you will hopefully take their advice to heart regarding password strength. Because that advice applies to ALL passwords and ALL password managers, not just to theirs. Don’t rely on a false sense of security!

What I did first

When I heard about the LastPass breach — and, c’mon, what service hasn’t ever been breached, to some level or another? — naturally, I thought, “Ugh!” OK, it was more like “Oh, $%*#”! However, knowing that there are multiple layers of security, and that not all of the layers were breached, I wasn’t too worried about my accounts. And I had seen no signs of my own accounts being breached.

Besides, most password managers do not store or have any access to your Master Password or the encrypted information in your password database. Much of the security of your password manager depends on the strength and safety of your one Master Password.

Sidebar: This one article contains “4 Reasons Password Managers Are Secure” and “8 Reasons Password Managers Aren’t as Secure as You Think”.

So, the first thing I did was to change my Master Password.

I was in the habit of changing it once a year anyway, according to a formula I had devised. This time, though, I chose a long, random password and stored it in a safe place. (The same place I previously stored my formulaic Master Passwords in case I forgot the formula. LOL? And I have a trusted person who knows where that is, in case of an emergency.)

What worried me was that I was not finished with my project of upgrading all of my account passwords to a currently-acceptable level of security. I had (and still have) over 300 passwords stored in LastPass. Does that sound like a lot? Well, I’m pretty active online. I have many business and organizing, photo and genealogy, writing and publishing, social media, banking, medical, and entertainment accounts. I am also constantly trying new tools for the sake of research and learning, and I do not hesitate to make purchases online. So, yeah, I do have a lot of accounts! But I don’t use them all every day. Many accounts (but not a lot, percentage-wise) were, by now, obsolete. They amounted to what can only be called password clutter.

Password security is a moving target

It is beyond the scope of this post to explain why I’m not at 100%. But I was previously down around 50%! So yay, me!

Remember the good old days when everyone had their favorite password and used it for everything? Then we learned that was not safe because they were too easily guessed/deduced/hacked. We were forced to start adding, bit by bit, things like a combo of upper and lower case letters plus a number and a special character. People joked that next passwords would require the addition of a tasteful haiku and your first born child. Then it was whole phrases. Or, acronyms based on whole phrases. Then it was no duplicates! (The problem being that if someone guesses your clever naming scheme they can use it to access all your accounts.) Then it was randomly-generated passwords.

LastPass had already been nagging me for months — years? certainly long before the breach — to eliminate duplicates and increase the strength/security of all my passwords. I had, early-on in the nagging process, upgraded the passwords for my most important accounts (think financial, medical, legal, anything associated with a credit card). And I had created the new habit of choosing randomly-generated passwords for new accounts, “important” or not. I did not hesitate to implement Multifactor Authentication as soon as it was offered (years ago).

So, the next thing I did was to doggedly continue converting my less-important, still-less-secure passwords (shorter, repeated, formulaic ones) to more secure passwords (longer, unique, randomly-generated ones). I cleared some password clutter by closing unused accounts (not just deleting them from my LastPass vault). And I did something recommended in the recent LastPass Security Bulletin that I’d never heard of (and don’t ask me to explain it): I increased my “iteration count” setting as per their instructions.

Sidebar: I’m seeing a lot of “never been breached” advertisements these days. This article is a few years old, but it explains why this is not necessarily something to brag about: Five Reasons Why “Never” Being Breached May Not Be A Good Sign.

Are YOUR passwords strong enough?

I don’t blame anyone who’s switched to another password manager! Members of the professional groups to which I belong have been discussing the situation, and many have already jumped ship. Others are reverting to manually-tracked passwords on spreadsheets. The most common replacement, among people I know personally, is 1Password. There are other alternatives as well. But are they impenetrable to hackers? No — nothing is!

Regardless of how you manage your passwords you must pay attention to password strength.


Here is a chart that shows how long it will take a hacker to “brute force” your password, from a 2022 Hive Systems blog post (they say a 2023 edition is forthcoming). I first saw a version of this chart a couple of years ago and it made an impression on me. Please click to enlarge it so you can clearly see all the headings.

This information applies no matter what password manager you use. Most of my passwords for important accounts are in the orange/yellow range at this point. When I first heard about the LastPass breach I still had some passwords — for less important accounts — in the purple and red ranges. But, by now, they’ve all (mostly) been changed. (I don’t aspire to achieve the green range. Pretty sure I don’t care if they hack my by-then useless accounts billions of years from now!)
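To make the chart’s idea concrete, here is an added example written for this page (not code from the post’s author, Hive Systems, or LastPass) that estimates the brute-force search space from the character classes a password uses and converts it to a worst-case crack time; it also shows how the “iteration count” setting mentioned earlier multiplies the attacker’s cost. The 10 billion guesses per second, the iteration counts, and the sample passwords are constructed assumptions, not figures from the chart.

```python
import string

# Character classes an exhaustive search must cover once a password is known
# to use them; sizes are printable ASCII counts (string.punctuation has 32).
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes the password actually uses."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates a brute-force search must try for a password of this length
    drawn uniformly from its character classes (the chart's worst case).
    A password built from a name, a word, or a reused formula is not uniform
    and falls to a dictionary guess far sooner than this estimate suggests."""
    size = alphabet_size(password)
    if size == 0:
        raise ValueError("no recognised character classes")
    return size ** len(password)


def seconds_to_crack(password: str, guesses_per_second: float,
                     kdf_iterations: int = 1) -> float:
    """Time to exhaust the keyspace. Each iteration of a PBKDF2-style key
    derivation costs one extra hash per guess, so raising the iteration count
    divides the attacker's effective guess rate by the same factor."""
    return keyspace(password) / (guesses_per_second / kdf_iterations)


def human_time(seconds: float) -> str:
    """Round a duration into the coarse buckets the chart uses."""
    for name, length in (("years", 365 * 86400), ("days", 86400),
                         ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:,.0f} {name}"
    return "under a minute"


if __name__ == "__main__":
    RATE = 1e10  # assumed attacker guess rate, not a figure from the chart
    for pw in ("sunshine", "Sunsh1ne!", "q7#Lp2$vXm9!Rb4&"):  # constructed samples
        for iters in (1, 100_000):  # assumed iteration counts
            t = seconds_to_crack(pw, RATE, iters)
            print(f"{pw:18} {len(pw):2} chars {iters:>7} iterations  {human_time(t)}")
```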

Don’t put all your eggs in one basket!

If you are distrustful of the internet, you aren’t alone, and you should have a healthy skepticism! At the same time, as in so many areas of life, knowledge is power. I recently agreed — wholeheartedly — with a man who attended a presentation of mine, that something could, indeed, happen to his photos if he stored them in cyberspace. Thus, he concluded, he shouldn’t store them there. No — I disagreed, just as wholeheartedly — he should! Something possibly happening is no reason to not store something in the cloud, or anywhere else. That’s why we back up our files and store multiple copies in multiple places! Three (3) copies, to be precise; using two (2) different data storage types; one (1) of which is stored offsite. This data industry best practice is known as the 3-2-1 Rule, as described in my blog post Are your files backed up? and my book What’s a Photo Without a Story? How to Create Your Family Legacy.

Same goes for the data stored in password managers. I have downloaded a copy of all my accounts and login info to my computer as a backup to LastPass. And my computer files are backed up both in the cloud and on an external hard drive (EHD). If someone does try to hack my accounts based on what they obtained in the October 2022 LastPass breach, they will be working with old passwords that have since been changed. And, if it’s an account for which I have implemented Multifactor Authentication, I will be notified. I will also keep abreast of developments in password security (as best I can) and act accordingly.

Why am I writing about this?

This topic is important to me because:

  1.  I’ve recommended LastPass to others in the past.
  2.  I’ve mentioned LastPass in blog posts such as: Are your files backed up? And Are You Prepared for Identity Theft?
  3.  I mentioned LastPass in my book What’s a Photo Without a Story? How to Create Your Family Legacy.
  4.  I don’t want people to have a false sense of security just because they are NOT using LastPass.

Part of me feels that there will be no SAFER service after this ordeal than LastPass! LOL? Who knows where the next breach will occur — 1Password? Some other popular password manager?

Or, I could be wrong. And I reserve the right to change my mind at any time!

Think of it this way: It’s kind of like living in earthquake country, or a flood zone, or hurricane alley and deciding to stay, knowing the risks, and being prepared, rather than moving. Some people will think you’re crazy. But you have your reasons for staying, including not wanting to trade one set of problems for another.

Meanwhile, I’ve also written — in Always Believe in Yourself and in What are you worried about? Don’t worry – Take action! — about trusting your own wings, rather than simply hoping the branch won’t break.

Know this: The internet security “branch” probably WILL break at some point.

Do you have a back-up plan? Are you prepared?

Please share with us in the comments below!


9 Comments

  1. Kathy on April 1, 2023 at 12:45 pm

    Thanks for this post. We are long-time users of LastPass with hundreds of passwords stored. You are spot-on in your reaction/response to this breach. Like you, we also did not over-react and chose instead to focus on changing outdated passwords to at LEAST 12 mixed characters (quite a task) and iteration count. Like you say: “Part of me feels that there will be no SAFER service after this ordeal than LastPass!”

    • Hazel Thornton on April 1, 2023 at 12:58 pm

      Thanks for your comment, Kathy! I’ve definitely been feeling in the minority on this one!

  2. Seana Turner on April 3, 2023 at 8:51 am

    Well, I think all of us can always do better. I do feel it is a bit of a moving target. I find that two-factor authentication gives me peace of mind.

    I laughed about your question, “Remember when we all had one password for everything?” YES, I certainly do! I also remember, believe it or not, when I had zero passwords. I mean, it’s hard to believe that was even the same “me.”

    This isn’t going to change, so it is worthwhile to be mindful, stay current, and have a plan.

    • Hazel Thornton on April 3, 2023 at 9:01 am

      Yeah…it seems that more and more things in our lives are moving targets….sigh. Health care…how much one needs to earn for a comfortable retirement…the lifespan of an electronic gadget…what platform has which TV shows….just a few examples that come to mind.

  3. Sabrina Quairoli on April 3, 2023 at 9:43 am

    Important topic! I agree that we all need to strengthen our passwords and minimize duplications. I am at 93% in my high safety. =) I did the same thing. I found that some of the accounts didn’t even exist any longer.

    Small business owners usually have lots of passwords, you are not alone. =)

  4. Janet Barclay on April 3, 2023 at 9:54 am

    This is very valuable information! I wrote a post on this topic several years ago, but yours is much more in-depth and (of course) up to date. Thanks!!

    • Hazel Thornton on April 3, 2023 at 10:16 am

      It’s a moving target!

  5. Linda Samuels on April 3, 2023 at 12:47 pm

    A scary yet valuable story. You’re right about having a false sense of security. Nothing is 100% safe, but implementing the ideas you suggested, whether you use a password manager or not, seems wise. Thank you for all the excellent info and for making me rethink my system.

  6. Julie Bestry on April 4, 2023 at 1:35 am

    Amazing job, Hazel! Everyone should read this!

    Add me to the list — I’m still using LastPass, because I felt satisfied after reading all of the updates, but I also upped my “iterations” to 60,000, as recommended. (And I have a secondary, backup password manager, because having two feels better than one!)

    I use two-factor authentication on anything that’s “important” (financial, legal, medical), but I have hundreds of accounts that were created over 16 years just so that I could explain the process of using those accounts on my blog. They’re unique passwords that, if hacked, would have no impact on my “real” life. But yes, you’ve made me realize how wise it would be to go through and get rid of the password clutter. Add that to the task list!

    And I love the point you made about the man who feared a potential problem so he wouldn’t use the cloud at all for photos. Do such people not recognize that their houses could (heaven forbid) burn down or float dissolve in a flood? Multiple types of coverage, and a complex enough password to keep us in the orange zone should suffice. After 12,000 years, the bad guys are welcome to my passwords. 🙂
