A note on the recent LastPass security breach, and why you should be concerned.

Do you remember RCI’s recommended password policy rules? Quick recap:

  1. Strong passwords: minimum 12 characters with a mix of numbers, upper and lower case, and special characters.  (Hint: Password, P@ssword!, and P@$$w0rd1234 are NOT strong passwords)
  2. Don’t reuse passwords. Every account should have a unique password.
  3. Use password management software to manage all of these passwords, not an Excel file on your computer desktop.
  4. Your master password for the password manager itself has to be the strongest of all. We recommend 20 characters at the very least.

LastPass is one of the best known password management solutions out there and was a good product for many years.  Unfortunately, since its acquisition by LogMeIn, LastPass has experienced more security incidents than we would expect.  In August, LastPass found evidence of a breach of its development environment, but no customer data was exposed. Information taken in that breach was then used to carry out a second breach, disclosed in November, of a third-party cloud storage service that LastPass uses, and this time the attackers gained access to customer data and downloaded copies of customer vault files.  LastPass says the vault data is encrypted, which is only partly true: usernames, passwords and secure notes are encrypted with a key derived from your master password, but other fields, such as the website URLs, were stored in the clear.  The thieves therefore hold a list of every site you have an account on, which is ideal for targeted phishing, and they can attack the encrypted fields offline, on their own hardware, for as long as they like… not good news.


Now the big question you’ve been waiting for: What does this mean and how can you protect yourself?  

Step one is migrating to a different password management vendor.  The worst news is that with the vault files stolen, nothing LastPass does now can protect them: the encrypted entries are protected only by the master password each user chose, and the thieves can run guesses against their copy offline, with no lockouts, rate limits or alerts to stop them.  The only real hope is that users had very strong master passwords in place (12 characters at an absolute minimum; RCI’s guideline is 20).  A user with a weak or guessable master password can be brute forced, and once the master password falls, every password stored in that vault is exposed.
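To make the brute-force risk concrete, here is an added Python example written for this post; it is not LastPass code. The one real detail it borrows is that LastPass derives the vault key from the master password with PBKDF2-SHA256, salted with the account email, at 100,100 iterations by default (older accounts had fewer). The stolen-vault record, the verifier used by `crack()`, the wordlist and the assumed cracking-rig speed are all constructed assumptions for illustration.

```python
"""Why a stolen vault turns the master password into the whole game.

Added example for this post, not LastPass's code. The one real detail it
borrows: LastPass derives the vault key from the master password with
PBKDF2-SHA256, salted with the account email, 100,100 iterations by default
(older accounts had fewer). The vault record, the verifier format, the
wordlist and the attacker's hardware speed are constructed assumptions.
"""
import hashlib
import string
from typing import Iterable, Optional

ITERATIONS = 100_100              # LastPass default PBKDF2 round count at the time of the breach
ASSUMED_SHA256_PER_SECOND = 1e10  # assumption: a GPU cracking rig; adjust to taste

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def derive_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Vault encryption key = PBKDF2-SHA256(master password, salt = account email)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def make_stolen_vault(master_password: str, email: str, iterations: int = ITERATIONS) -> dict:
    """Constructed stand-in for what the thieves hold: the salt (email), the
    iteration count, and something that lets them recognise the right key.
    Here that is SHA-256 of the derived key; in a real vault it is the
    encrypted entries themselves, which only the right key decrypts cleanly."""
    key = derive_key(master_password, email, iterations)
    return {"email": email, "iterations": iterations,
            "verifier": hashlib.sha256(key).hexdigest()}


def crack(vault: dict, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against the stolen copy: no server, no lockout, no
    rate limit. The only brake on the attacker is the PBKDF2 cost per guess."""
    for guess in candidates:
        key = derive_key(guess, vault["email"], vault["iterations"])
        if hashlib.sha256(key).hexdigest() == vault["verifier"]:
            return guess
    return None


def meets_policy(password: str, minimum_length: int = 12) -> bool:
    """Rule 1 above: minimum length plus all four character classes
    (rule 4 raises the length to 20 for the master password)."""
    return (len(password) >= minimum_length
            and all(any(ch in cls for ch in password) for cls in CLASSES))


def search_space(password: str) -> int:
    """Guesses needed to exhaust every string of this length drawn from the
    character classes the password actually uses. This is a random-password
    model; a dictionary-derived password falls far sooner, as crack() shows."""
    alphabet = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return alphabet ** len(password)


def years_to_exhaust(password: str, iterations: int = ITERATIONS,
                     sha256_per_second: float = ASSUMED_SHA256_PER_SECOND) -> float:
    """Worst-case time to try the whole search space. Each guess costs about
    `iterations` SHA-256 evaluations (PBKDF2-HMAC does two per round; that
    factor of two is ignored here)."""
    guesses_per_second = sha256_per_second / iterations
    return search_space(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed wordlist: the "not strong" hints from the policy above plus a common filler.
    wordlist = ["password", "Password", "P@ssword!", "letmein", "P@$$w0rd1234"]

    weak = make_stolen_vault("P@$$w0rd1234", "user@example.com")
    print("P@$$w0rd1234 passes the complexity rule:", meets_policy("P@$$w0rd1234"))
    print("...and is recovered from the stolen vault anyway:", crack(weak, wordlist))

    strong = make_stolen_vault("correct horse battery staple 2022!", "user@example.com")
    print("Strong passphrase recovered from wordlist:", crack(strong, wordlist))

    for pw in ["letmein", "P@$$w0rd1234", "Tr0ub4dor&3-Hortonsen-Q"]:
        print(f"{pw!r}: {len(pw)} chars, worst case {years_to_exhaust(pw):.3g} years to exhaust")
```

Two things stand out when you run it: P@$$w0rd1234 satisfies every complexity rule above yet is recovered in a handful of guesses because it is on every wordlist, and going from 12 to 20 random characters multiplies the worst-case search by 94^8, roughly six quadrillion. Accounts left on a lower iteration count shrink those times proportionally, which is why the master password, not the vendor's encryption, decides what the thieves get.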

If you have been following RCI password guidelines, you are probably safe, but we still strongly recommend you update all sensitive passwords (e.g. financial accounts, email, and social media).  If you have not been following our guidelines, you need to update *all* of your passwords stored in LastPass, starting with the sensitive accounts.  Note that changing your LastPass master password now does nothing for the copy that was already stolen; only changing the passwords stored inside the vault, at each site, makes the stolen data worthless.  Because the URLs were not encrypted, also treat any unexpected email that names a site from your vault as a likely phishing attempt.

If you need help migrating to a new password management solution, or are concerned your LastPass data is vulnerable, please call us at 858-880-0355 x2 and we’ll be happy to help and advise!