Recently, the password manager application known as LastPass suffered a security breach that jeopardized the data of most, if not all, of its users. While the university does not use LastPass, there may be campus members who use it personally. In this blog post we provide helpful information and suggestions for those who do use LastPass and are unsure how to secure their information.

LastPass provides a list of questions to ask yourself to determine if you need to take action. However, if you use this service, we still recommend that you proceed with preventative measures regardless.

  • Is your master password unique? (i.e. not used on any other website)
  • Is your master password at least 12 characters?
  • Is your master password hash iteration value set to at least 600,000? (instructions on how to check)

Did you answer no to any of these questions? If so, keep reading and please take the recommended actions.

Change passwords you have stored in LastPass.

Since the threat actor has an encrypted copy of the passwords you store in LastPass along with other customer vault data, it is possible for them to use brute force to guess your master password and decrypt your information. If they succeed, they may be able to gain access to your online accounts, especially accounts that do not have multi-factor authentication enabled. However, if you follow the best practices for your master password, it is unlikely that the threat actor will be able to decrypt your data.

Update your master password.

Suggestions from LastPass: “It’s important to create a strong and unique master password that’s at least 12 characters long, but ideally 16-20. As you may know, LastPass uses the master password and username to create a unique encryption key that keeps sensitive data from being exposed. The longer and more complex the master password, the stronger the encryption key. And without the encryption key, no one, including LastPass or bad actors, has access to unencrypted data in a user’s vault.”

  • Use a minimum of 12 characters, but longer is better
  • Use at least one each of upper-case letters, lower-case letters, numbers, and symbols or special characters
  • Make sure it’s unique (don’t use it anywhere else)
  • Don’t use personal information
  • To maximize your security, use a randomly generated master password
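As an added illustration (example code written for this post, not code from the original article or from LastPass), the following Python models the scheme described above: the master password and username are fed through a slow key-derivation function to produce the vault encryption key, and the hash iteration value from the checklist sets how expensive every single guess is. It assumes PBKDF2-HMAC-SHA256 with the lowercased username as the salt, which is an assumption about the design rather than LastPass's actual implementation; the username, password and attacker guess rate are constructed demo values.

```python
import hashlib
import math
import time

# Constructed demo values; not a real account or a real master password.
DEMO_USERNAME = "user@example.edu"
DEMO_MASTER_PASSWORD = "correct horse battery staple"
LOW_ITERATIONS = 5_000       # an old, weak setting
RECOMMENDED_ITERATIONS = 600_000  # the value the checklist asks for
PRINTABLE_ALPHABET = 94      # upper, lower, digits and symbols on a US keyboard


def derive_vault_key(username: str, master_password: str, iterations: int) -> bytes:
    """Model of 'master password + username -> encryption key'.

    Assumes PBKDF2-HMAC-SHA256 with the lowercased username as salt and a
    32-byte output (an assumption for this example, not LastPass's code).
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def time_one_derivation(username: str, master_password: str, iterations: int) -> float:
    """Wall-clock seconds for one derivation; this is the cost of one guess."""
    start = time.perf_counter()
    derive_vault_key(username, master_password, iterations)
    return time.perf_counter() - start


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, iterations: int, hashes_per_second: float) -> float:
    """Expected time to guess the key: half the keyspace on average, each
    guess costing `iterations` hash rounds at an assumed attacker rate of
    `hashes_per_second` single SHA-256 rounds."""
    return 2 ** (bits - 1) * iterations / hashes_per_second


def main() -> None:
    # Same inputs -> same key; a different iteration count -> a different key,
    # so the stored iteration value is part of what protects the vault.
    low = derive_vault_key(DEMO_USERNAME, DEMO_MASTER_PASSWORD, LOW_ITERATIONS)
    high = derive_vault_key(DEMO_USERNAME, DEMO_MASTER_PASSWORD, RECOMMENDED_ITERATIONS)
    print("key @ 5,000 iterations:  ", low.hex())
    print("key @ 600,000 iterations:", high.hex())

    # Measured cost per guess on this machine at each setting.
    for iters in (LOW_ITERATIONS, RECOMMENDED_ITERATIONS):
        secs = time_one_derivation(DEMO_USERNAME, DEMO_MASTER_PASSWORD, iters)
        print(f"{iters:>8,} iterations: {secs * 1000:8.1f} ms per guess")

    # Why length matters: random passwords over the printable alphabet.
    assumed_rate = 1e10  # constructed attacker rate in SHA-256 rounds/second
    for length in (8, 12, 16, 20):
        bits = entropy_bits(length, PRINTABLE_ALPHABET)
        years = expected_crack_seconds(bits, RECOMMENDED_ITERATIONS, assumed_rate) / 31_557_600
        print(f"{length:2d} random chars = {bits:6.1f} bits -> ~{years:.3g} years at 600k iterations")


if __name__ == "__main__":
    main()
```

The printed years are only as good as the assumed attacker rate, but the two ratios the script exposes are the point of the checklist: raising the iteration count from 5,000 to 600,000 makes every guess 120 times more expensive, and each extra random character multiplies the number of guesses by the alphabet size.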

Turn on dark web monitoring.

This feature notifies you if any of your email addresses are found in databases of credentials exposed in other security breaches. According to LastPass, dark web monitoring will be made available to free users in the coming weeks.

Additional preventative steps: https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers

Additional information regarding the incident: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/