{"id":9995,"date":"2023-01-09T11:20:28","date_gmt":"2023-01-08T22:20:28","guid":{"rendered":"https:\/\/kinetics.co.nz\/?p=9995"},"modified":"2023-01-09T11:20:28","modified_gmt":"2023-01-08T22:20:28","slug":"what-does-the-lastpass-breach-mean-for-you","status":"publish","type":"post","link":"https:\/\/new.kinetics.co.nz\/?p=9995","title":{"rendered":"What does the LastPass breach mean for you?"},"content":{"rendered":"\n[et_pb_section fb_built=&#8221;1&#8243; _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;][et_pb_row _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;][et_pb_text _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;]<p>There have recently been a couple of well-publicised breaches of LastPass.\u202f Most people will be familiar with LastPass but in case you are not, it\u2019s a well-known and popular password vault\/manager.<\/p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=&#8221;1_2,1_2&#8243; _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;][et_pb_column type=&#8221;1_2&#8243; _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;][et_pb_text _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;]<h2>Does this mean 
you shouldn\u2019t use a password vault?<\/h2>\n<p>Absolutely not.\u202f <strong>YOU SHOULD USE A PASSWORD VAULT.\u202f <\/strong><\/p>\n<p>You should have a unique and complex password for every site you use, as well as MFA (multifactor authentication). All those phishing attacks that we warn you about, and the various \u2018games\u2019 on social media aimed at getting you to share something personal (your favourite teacher, the name of your first pet and so on), are aimed either at guessing your password reset question or at getting a password that the attacker can try on other sites you use. A password manager defeats the second of those: a password captured from one site is of no use anywhere else.<\/p>[\/et_pb_text][\/et_pb_column][et_pb_column type=&#8221;1_2&#8243; _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;][et_pb_image src=&#8221;http:\/\/kinetics.co.nz\/wp-content\/uploads\/2023\/01\/BankVault.jpg&#8221; title_text=&#8221;BankVault&#8221; _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;][et_pb_text _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;]<p>Making good use of a quality password manager allows you to easily use complex passwords as well as securely share information within your organisation. 
Free password managers such as those built into Chrome and Edge lack the administrative features and the level of assurance that, for example, cyber insurance requirements can demand.<\/p>\n<p>Kinetics&#8217; advice mirrors that of the security experts: you should be using a quality password manager.<\/p>\n<p>Our experience is clear: strong, unique passwords are a key security tool, and responsible organisations supply their employees with strong tools. Without a company-supplied password manager, employees are left to devise their own systems, and invariably that means weak and\/or reused passwords.<\/p>[\/et_pb_text][et_pb_text _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;]<h2>Is my KARE Password Vault affected?<\/h2>\n<p><strong>No<\/strong>.<\/p>\n<p>Kinetics clients that use our KARE Password Vault product are not affected. KARE Password Vault is based on a different product. The breach applies only to the vendor LastPass.<\/p>[\/et_pb_text][et_pb_text _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;]<h2>Were your passwords lost in the LastPass breach?<\/h2>\n<p>If you are a LastPass user and your data was included in the breach, then you should have been notified of the breach by them by now.\u00a0<\/p>\n<p>In that email LastPass says that the stolen data is encrypted, and goes on to say: <em>\u201cThese encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user\u2019s master password using our Zero Knowledge architecture. 
As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.\u201d<\/em><\/p>\n<p><em>\u201cIf you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass\u2019 Zero Knowledge architecture. There are no recommended actions that you need to take at this time.\u201d<\/em><\/p>\n<p><em>\u201cit would take millions of years to guess your master password using generally-available password-cracking technology\u201d<\/em><\/p>\n<p>What LastPass is saying is that your vault is encrypted with a key that is unique to you and that LastPass itself never holds: the key is derived on your own device from your master password using PBKDF2 (Password-Based Key Derivation Function 2), an algorithm designed to make every guess at the master password deliberately expensive. Note what the \u201cmillions of years\u201d estimate rests on: the quote itself says \u201cif you use the default settings\u201d, so it assumes a long, unique master password and the default PBKDF2 iteration count. A short or reused master password, or an account still on weaker-than-default settings, shrinks that figure dramatically, and because the attackers hold a copy of the vault they can make their guesses offline, with no rate limiting or account lockout to slow them down.<\/p>\n<h2>What happened and could it happen to other products?<\/h2>\n<p>LastPass prudently backs up data, with each client\u2019s data encrypted using a unique key. Some of that data was stored on a third party\u2019s infrastructure. Attackers gained access to that infrastructure and downloaded the stored encrypted backups. We do not currently know how that access was gained.<\/p>\n<p><strong>This raises the question: <em>can this happen to another password manager product?<\/em><\/strong><\/p>\n<p>To understand the answer to that question, we need a dose of reality. 
The reality is that anyone can be hacked by an attacker with the right resources (skills), enough time and a measure of luck.\u00a0 That becomes harder as the target becomes more sophisticated.\u00a0 The more resources and time a target requires (pushing up the cost to the attackers), the less likely they are to invest in it, and the more they need chance or luck to help them.<\/p>\n<p>In an interconnected world, we need to assume a level of prudent trust in our partners. We need to trust that they are taking reasonable measures around the safety of our data.\u00a0 As that data becomes more valuable, the higher the &#8216;reasonable&#8217; standard becomes.\u00a0<\/p>\n<p>At this point, there is not enough information available to assess whether there was any negligence.\u00a0<\/p>\n<p><strong>What we can say is that this failure does not dilute the importance of using a good password manager.\u00a0 More organisations are hacked because they don\u2019t have strong password practices than have been put at risk by this breach.<\/strong><\/p>[\/et_pb_text][et_pb_text _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;]<h2>If you do use LastPass, what should you do (other than switch to the Kinetics password vault)?<\/h2>\n<p>If you have been notified that your data was exposed, our advice is that it is prudent to set about changing your passwords.<\/p>\n<p>It is true that LastPass say it would take millions of years to crack the encrypted data.\u00a0 However, we cannot ignore that the data was stolen and is now beyond the control of LastPass and yourself. Changing your LastPass master password now does nothing for the copy that has already been taken; only changing the passwords stored inside the vault does.<\/p>\n<p>Refreshing all passwords, even if done over an extended period, removes that risk. Start with the accounts that matter most: your email (which can be used to reset everything else), banking and finance, and any account that does not have MFA.<\/p>\n<p>Even with a password manager, you will have had some leakage of passwords over time.\u00a0 For example, ex-staff will know some of the passwords and, realistically, human nature is that some people will have somehow saved some of your passwords elsewhere.\u00a0 Likewise, there may be some passwords that were imported long ago and never updated from older, less secure complexity rules.\u00a0 You may well also find accounts which you simply no longer need.<\/p>[\/et_pb_text][et_pb_text _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;]<p>Refer to our <a href=\"http:\/\/kinetics.co.nz\/are-you-making-the-most-of-your-password-manager\/\">article last month about making the most of your password manager<\/a><\/p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]\n","protected":false},"excerpt":{"rendered":"<p>There have recently been a couple of well-publicised breaches of LastPass.\u202f Most people will be familiar with LastPass but in case you are not, it\u2019s a well-known and popular password vault\/manager.Does this mean you shouldn\u2019t use a password vault? Absolutely not.\u202f YOU SHOULD USE A PASSWORD VAULT.\u202f You should have unique and complex passwords for 
[&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":9999,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4,5],"tags":[],"class_list":["post-9995","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-security"],"_links":{"self":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts\/9995","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9995"}],"version-history":[{"count":0,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts\/9995\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/"}],"wp:attachment":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
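Two passages in the post above are easiest to see in running code: the explanation that the vault key is derived from the master password with PBKDF2, and the later point that a stolen, encrypted copy is beyond anyone's control and so the passwords inside it should be rotated. The example below is added for this article and is not LastPass's code or any real vault format. Everything in it is an assumption constructed for the demonstration: the vault layout (salt, iteration count and ciphertext stored together), the toy HMAC-SHA256 counter cipher standing in for AES so the script needs no third-party library, the two iteration counts, the candidate wordlist and the master passwords. It mounts an offline dictionary attack on a constructed backup and reports the per-guess cost, which is what the "default settings" caveat in the LastPass notice is really about.

```python
# Added example for this article (not LastPass code): an offline dictionary attack
# on a constructed, encrypted vault backup, showing why the master password and the
# PBKDF2 iteration count decide whether a stolen copy can be opened.
from __future__ import annotations

import hashlib
import hmac
import json
import os
import time


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    The cost of every guess an attacker makes scales linearly with `iterations`,
    which is the whole point of putting a key-derivation function here."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream.

    Stands in for the AES-256 a real product uses so the example has no
    third-party dependency. Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, (offset // 32).to_bytes(8, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def make_vault(master_password: str, iterations: int, entries: dict) -> dict:
    """Constructed stand-in for a backed-up vault. Salt and iteration count are
    stored beside the ciphertext, exactly as whoever steals the backup receives them."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    plaintext = json.dumps({"vault": entries}).encode("utf-8")
    return {"salt": salt, "iterations": iterations, "ciphertext": keystream_xor(key, plaintext)}


def crack(vault: dict, candidates: list[str]) -> tuple[str | None, int, float]:
    """Offline attack on the stolen blob: derive a key per candidate master password
    and test whether the decryption has the expected structure. Nothing here talks
    to a server, so there is no rate limit, lockout or MFA in the way.
    Returns (recovered master password or None, guesses made, seconds spent)."""
    start = time.perf_counter()
    for guesses, candidate in enumerate(candidates, start=1):
        key = derive_key(candidate, vault["salt"], vault["iterations"])
        if keystream_xor(key, vault["ciphertext"]).startswith(b'{"vault":'):
            return candidate, guesses, time.perf_counter() - start
    return None, len(candidates), time.perf_counter() - start


def projected_years(seconds_per_guess: float, alphabet_size: int, length: int) -> float:
    """Worst-case years to exhaust every password of `length` symbols drawn from an
    alphabet of `alphabet_size`, at the measured single-core cost per guess."""
    return (alphabet_size ** length) * seconds_per_guess / (60 * 60 * 24 * 365)


# Constructed sample data: a small wordlist with the weak master password at the end.
CANDIDATES = [f"password{n}" for n in range(100)] + ["Summer2022!"]
ENTRIES = {"bank.example": "constructed-bank-secret", "mail.example": "constructed-mail-secret"}

if __name__ == "__main__":
    # Illustrative low and high iteration counts (assumptions, not any vendor's settings).
    for iterations in (1_000, 50_000):
        weak = make_vault("Summer2022!", iterations, ENTRIES)
        found, guesses, secs = crack(weak, CANDIDATES)
        per_guess = secs / guesses
        print(f"{iterations:>6} iterations: weak master password recovered as {found!r} "
              f"after {guesses} guesses in {secs:.2f}s ({per_guess * 1000:.1f} ms per guess)")
        print(f"        exhaustive search, 8 lowercase letters: {projected_years(per_guess, 26, 8):.2g} years")
        print(f"        exhaustive search, 14 printable ASCII:  {projected_years(per_guess, 95, 14):.2g} years")
    strong = make_vault("a long unique passphrase nobody reuses", 50_000, ENTRIES)
    print("strong master password, same wordlist:", crack(strong, CANDIDATES)[0])
```

Running it shows the weak vault falling to a 101-word list at either iteration count (the higher count only makes each guess slower), while the strong one survives the same list; the projected figures make the dependence on both master-password length and iteration count explicit. Nothing in the attack needs the service to be online, which is why rotating the passwords inside a stolen vault matters more than changing the master password after the fact.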