Freely subscribe to our NEWSLETTER

“The conversation around “passwordless” authentication is gaining in popularity, especially with the big players like Microsoft and Google making it relatively painless to adopt. If you’re an existing LastPass customer, continue to monitor their website and official communications for new guidance. Currently, LastPass as not identified anything that would necessitate specific actions by end-users. They are engaging in mitigation efforts and incident response and investigation internally.

Currently, there is no known breach of sensitive customer data and passwords. However, this breach does offer an opportunity to evaluate your security posture if the scope of the breach expands, or other breaches happen in the future — this is true regardless of if you use LastPass specifically or not. This may mean proactively rotating passwords, temporarily switching to another password manager or password management service. Use multi-factor authentication for not just your bank accounts and social media, but especially for your LastPass or other password management solution. Many providers, including LastPass, are offering and migrating to "passwordless" logins which use more advanced security technologies such as FIDO2 security keys. This reduces friction for end-users and increases the overall account security. I, personally, use YubiKeys.

Many services, including Microsoft (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless) and Google’s Advanced Protection Program (https://landing.google.com/advancedprotection/), have already been offering this capability for several years to allow you quicker and more secure access to your accounts — both personal and work. Much like any future breach or zero-day, you cannot necessarily predict it, but you can take the action today to add those additional security controls and audit your account’s access to minimize the level of impact if/when that happens. Password managers would be a challenging but attractive target for a threat actor, as they unlock - quite literally - a treasure trove of access to hundreds of thousands of accounts and sensitive customer data in an instant if they are breached.

I think another important takeaway is that the benefits of using a secure password management solution often far outweigh the risks of a potential breach/what that breach may make accessible. When layered with the other security recommendations, it’s still one of the best solutions to prevent credential theft and associated attacks.”