Should I Still Use a Password Manager?

Learn about the LastPass data breach and get answers to key questions surrounding the continued use of password managers.

Written by: Peter Marsh

Read time: 5 minutes

Category: Cybersecurity

Date: Jun 6, 2023

“Use a complex password, change it frequently, and don’t repeat it from site to site. Oh, and use a password manager.”

You’ve heard these recommendations from articles, security professionals, and probably your own IT team. 

However, in the wake of the recent string of data breaches that hit Okta, Norton Lifelock, LastPass, and others in late 2022, many users—from casual users to technology pros—are questioning where they should go from here.

This article will cover what you need to know about the LastPass data breach and answer some of the most common questions about password security going forward.

What You Need to Know About the LastPass Breach

In late December 2022, LastPass released a worrying update to an ongoing security investigation it was conducting, sparked by an incident two weeks earlier. More than 25 million users had their data exposed, including the password manager’s most sensitive assets—its encrypted password vaults.

In short, a hacker was able to access a sensitive cloud storage environment using information gleaned from a previous breach of LastPass in summer 2022, which included “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” 

Although this metadata is “in the clear”—meaning not encrypted or obfuscated—the passwords are still protected by a strong level of encryption, 256-bit AES (Advanced Encryption Standard), under a key derived from the user’s master password.

So what does all that mean? In short, if you use LastPass for personal or professional accounts, some of your information could be part of this data breach. However, your passwords are still secure unless 1) they are cracked (which can take years) or 2) your master password is compromised.

Key Questions About Using a Password Manager

Understandably, this explanation can lead to even more questions than answers. 

Should I keep using LastPass or another password manager?

The short answer is yes.

The long answer is also yes, but ensure that you have strong password hygiene, including some of the recommendations below. Leveraged effectively, password managers offer a simple, secure, and effective way to generate, store, and use complex passwords. With a password manager, you only need to remember one password instead of dozens.

What should I do now?

First, even if you believe your master password is secure and complex, it doesn’t hurt to change it now (if you haven’t already since December 2022).

Second, change the third-party passwords you kept stored in LastPass. This is especially important for bank accounts, health records, or internal business applications and services. 

What steps can I take to strengthen my password security?

You’ve probably heard of having “good password hygiene,” but what does that mean? Here are a few key elements of having and maintaining strong passwords:

  • Your password should contain uppercase letters, lowercase letters, numbers, and special characters.
  • Try not to use a word that appears in a dictionary. Instead, use an acronym or substitute numbers and special characters for some of the letters.
  • Leverage a password manager’s random password generator to create strings that are hard to crack.
  • Pair your password with multifactor authentication, such as a token or key, one-time password, or push notification app.
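As an added example (not code from the article or from LastPass), here is a small Python script that checks a password against the checklist items above, generates a random password with the standard library's `secrets` module, and estimates the entropy that makes offline cracking take years. The wordlist is a constructed stand-in for a real cracking dictionary.

```python
import math
import secrets
import string

# The four character classes the checklist asks for.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL  # 85 symbols

# Constructed sample wordlist (assumption); a real check would use a full cracking dictionary.
SAMPLE_DICTIONARY = {"password", "welcome", "lastpass", "summer", "letmein"}


def policy_violations(password: str, wordlist=SAMPLE_DICTIONARY) -> list:
    """Return the checklist items the password fails; an empty list means it passes."""
    problems = []
    if not any(c in UPPER for c in password):
        problems.append("no uppercase letter")
    if not any(c in LOWER for c in password):
        problems.append("no lowercase letter")
    if not any(c in DIGITS for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    lowered = password.lower()
    if any(word in lowered for word in wordlist):
        problems.append("contains a dictionary word")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw characters from a CSPRNG (secrets, never random) until the checklist is met."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on entropy: length * log2(alphabet size) for a uniformly drawn string.

    Rejection sampling in generate_password trims this slightly; for 20 symbols over
    85 characters it is about 128 bits, far beyond what offline brute force can cover."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, policy_violations(pw), f"{entropy_bits(len(pw)):.1f} bits")
    print(policy_violations("Summer2022!"))  # looks complex but contains a dictionary word
```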

What else should I watch out for?

Unfortunately, even if you take the above steps, there is still the possibility that the LastPass data breach can affect you in the months to come. 

Most prominently, cybercriminals will likely attempt to use phishing or other forms of social engineering—such as faking emails sent from LastPass or your internal IT team—trying to get you to reveal your master password.

Bringing It All Together

Even if you don’t have LastPass (or any password manager), use this data breach as a reminder of the importance of maintaining strong passwords.

In addition to the guidance above, follow the recommendations from your security or IT team and conduct additional research as needed.

Password management is one of many ways to help protect your company's data. However, a strong security posture involves multiple lines of defense.

You'll want added protection for specific transactions, especially large value ones like wire payments. CertifID provides transaction level protection against wire fraud. Let us know if you'd like to learn more about the solution.

Peter Marsh

Head of Security, Compliance & IT

Peter heads the Security, Compliance, and IT operations for CertifID. His 25 years of experience in Security and IT, working for a diverse group of companies, has allowed him to create strategic plans that fit the specific needs of CertifID and build trust with our customers.
