Monday, June 15, 2015

LastPass was just Hacked, Here's Why I'm Still Using Them

A coworker emailed me that my favorite password manager service, LastPass, was just hacked. I read through the alert and followed the instructions to change my master password. At first blush, this is bad news. A company whose primary job is to protect access to every account I have was hacked. Even if they _say_ nothing was stolen: Oh crap.

But, after a little reflection, I realized this is still better than no password manager or even rolling my own. First, I do take them at their word that no credentials are ever stored on their servers unencrypted, and that the encryption used is secure. The only way that somebody can steal my passwords would be to download my encrypted passwords and know my master password. If you want my bank login so badly that you'd hack LastPass and then torture me to give up the master password, you must be looking at different bank statements than me.

More importantly, though, LastPass is monitoring proactively and doing the right thing when they detect anomalies. That to me is way more than any paper or home-rolled service can provide. If you are not using a password manager, you are likely either writing them down on paper or using the same ones everywhere. The latter is instant hacksville. The former is as secure as what you are writing them on. Do you have staff monitoring the post-it notes you write your passwords on? Do they notify you when something remotely suspicious happens related to your passwords?

No, I still enjoy the bliss of generating random passwords that even I don't know, and letting LastPass ensure they are relatively safe.

That said, there are some things LastPass could do better: notification for me came through reading a blog post three days after the hack. I would have liked earlier notification and to have had it in the LastPass app as well as email.

So, if you are not using LastPass (or _some_ password manager), don't be scared off by recent events. If you are, change your passwords and move on.

3 comments:

Leigh said...

I came by to return the blog visit and thank you for leaving a comment on mine. I see you haven't blogged in a while! Is the hacking the reason? Your post reminded me of the hack a while back on UbuntuForums.org. You'd think a site run by a bunch of computer geeks would be safe! The person who hacked said they did it just to show they could. The passwords were all salted but we were advised to change them anyway. Nothing is truly safe and secure on the internet, is it?

Daniel Root said...

Hi Leigh, thanks for visiting. No, my only excuse is just that I haven't made time. Chickens, garden, family and work have taken precedence over my blog for the time being. I'm sure you can sympathize. I need to get back to it though, and have a few ideas up my sleeve. ;)

Leigh said...

I can indeed sympathize! I'd say family always comes first, the other things in the middle, and blogging last. Sounds like you've had your priorities right. :) Still, blogging is a great way to keep track of projects and sharing ideas. It's a great journal in that way.