LastPass Security Breach
Password management is certainly not a new topic, but in the light of recent cyber attacks, especially to LastPass (blog post), it is worth reviewing. LastPass uses a zero knowledge model with regards to the master password. The zero knowledge architecture means that you are the only one that knows your master password, and it will never be stored in their infrastructure. If you should forget your master password, your only option is to create a new one. Gaining an understanding of how LastPass implements the zero knowledge model may have been the motivation for the recent cyber attack.
Best Practices and the LastPass Password Manager
If you have many passwords, safely maintaining them can become a headache. There are many applications that can help you with your passwords, and this article will show you how to use the LastPass password manager. Share our blog post on 5 tips for strong password security with your end-users to educate your team on the importance of password security.
LastPass provides a browser plug-in to assist in managing your passwords. You can sign up for it here, and you can create a new account by specifying your email address and a master password. LastPass provides tips on creating a strong master password, and their interface displays the strength of your password as you create it.
Once you have created your LastPass account and you need to update a password, or create a new one, you can do so by following these steps.
Select Advanced Options in the bottom of the left side menu
In the new menu, under Improve Your Security, select Generate secure password
You should then see this form
This form will allow you to specify the password length, which characters will be included in the password, and whether the password is simple to say or read. As you are editing these parameters, the strength of the password you are creating will be displayed.
How to Setup LastPass Multi-Factor Authentication
Multi-Factor Authentication (MFA) is an authentication process where more than one credential is used to verify a user’s identity. MFA can be as simple as providing a text code to the user via text message or an authentication application, or can be as sophisticated to include biometric or location information.
LastPass supports multiple MFA options and these can be configured as follows.
Select Account Settings in the bottom of the left side menu
Within the Account Settings form, select Multifactor Options
You will then see the MFA options available to you, and clicking on the pencil icon will allow you to configure, or edit, one of these choices
Create a Password Policy
It is a password best practice to change your passwords on a regular basis. There is some debate as to how often a password should be changed. Originally it was believed that passwords should be changed every three or four months, but if you have created a strong password, you may not need to change it that frequently. Clearly, if you learn that your password may have been compromised, you should change it immediately. The LastPass account settings show when your master password was created, and lets you change it. To reach this form, follow the steps to configure MFA and select the General tab instead.
It is also a good practice to not use the same password for multiple accounts. LastPass provides a status page based on the passwords that you have saved and provides an overall security rating.
To navigate to this page, select the Security Dashboard item in the middle of the left hand side menu.
Managing Your Team’s Passwords
If you are an administrator for your LastPass team, you can view the status of each of your team member’s passwords with these steps.
Click on the Admin Console item in the bottom portion of the left side menu
This will open the teams page, and selecting the Users menu item will display the users page.
This will display each team member and display the strength of their password and indicate if they are using an MFA application. By double clicking on a user, it is possible to view more details, and by clicking on the “...” in the upper right corner, you can modify this user.
This view can be used to require a user to change their password which is useful if their password is flagged as weak.
Create a Policy for Sharing Passwords and Sensitive Information
The best practice related to sharing passwords, or other sensitive data, is to never do so. If you find that you must share such data, LastPass provides a secure sharing center. You can share a password as follows.
Select the Sharing Center option from the left side menu
Select the Shared with Others link in the top middle of the Sharing Center page
Click on the plus sign in the bottom right of the page
As the user shares their passwords/secure credentials, or has these shared with them, they will be added to the user’s LastPass Sharing Center. The password sharing form includes an option which makes it possible to share a password without the recipients viewing it. In this case, they can use LastPass to populate the password field on a web page without displaying it in plain text.
Password management is an ongoing process that is necessary to keep your data secure. Passwords need to be unique, cryptic, and changed frequently, and this can be a headache most users do not want. The good news is that there are many password management utilities, like LastPass that make this task much more user friendly.
About the Author
Eric Hamer is a cyber security enthusiast and is the CTO, managing software engineering at HacWare. Eric lives in Missoula, Montana with his family and two dogs. By practicing safe password management, neither dog’s name is ever used in any of his usernames or passwords.