
The LastPass Hack Proves We Need to Go Password-Less

For years, password manager apps like LastPass and 1Password have marketed their services through statements like “Don’t Let A Password Cost You Millions” and “Passwordless is Possible.” With over 45 million people using password managers (or vaults), they are meant to be a stepping stone on the way to a passwordless Internet – getting people away from reusing passwords and storing them with pen and paper.

However, the recent hack of LastPass undermines confidence in password managers and shows how all current password-based systems are vulnerable.

Password manager giant LastPass has confirmed that cybercriminals stole its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, in a data breach earlier this year.

In an updated blog post on its disclosure, LastPass CEO Karim Toubba said the intruders took a copy of a backup of customer vault data by using cloud storage keys stolen from a LastPass employee. – TechCrunch

It’s still unclear how many people are impacted by this hack. Although each user’s password vault is secured by their master password (known only by the user and not LastPass), this puts hackers right on the doorstep of a goldmine. Whether through brute-force attacks or phishing attacks, the hacker could crack into these password vaults and have access to millions of people’s passwords, billing info, and other sensitive data.

The best thing you can do as a LastPass customer is to change your current LastPass master password to a new and unique password (or passphrase) that is written down and kept in a safe place. This means that your current LastPass vault is secured.

The good news is that any account protected with two-factor authentication will make it far more difficult for an attacker to access your accounts without that second factor, such as a phone pop-up or a texted or emailed code. – TechCrunch

What makes this hack particularly worrisome, though, is that over the last couple of years, LastPass has marketed the ability to manage people’s crypto wallet login credentials. Notable crypto (and NFT) enthusiasts like Path.eth share how this hack affected their crypto wallets:

Throughout that thread, Path shares how he did everything right when it comes to keeping passwords and wallet keys safe and secure. And yet, he was still targeted and compromised.

I think this situation further proves why the move toward a password-less Internet is necessary and how innovations on the horizon, such as Passkeys, biometric authentication, and even quantum encryption are poised to change this whole password paradigm.

Thanks to the folks at the FIDO Alliance, hundreds of the largest companies are working together on the password-less Internet. Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard.

The new alternative is known as passkeys. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks because they remove passwords altogether.

In short, passkeys work by generating a pair of keys for account login. One public key and one private key. The public key is stored in the cloud and shared between your devices. The private key is stored locally on your device and requires biometric authentication to operate (Face ID, Windows Hello, or other biometric readers offered by device makers). – Everydays 54: The Password-less Internet

Overall, the LastPass hack is very discouraging, considering they’re supposed to be this bastion of digital protection for us. While I’m eager for the password-less Internet, I’m reminded of the long road ahead and how we’re going to endure many more massive hacks before then. As a longtime LastPass user, I’m very worried that all of my passwords – from banking to travel to email – are sitting (encrypted) in a hacker's possession right now. Now I have to spend some of my holiday break cleaning up my digital defenses and resetting passwords.