Password managers are great tools for using unique passwords for each web site, securing confidential information, and securely sharing information. Credential theft is used extensively by criminals for ransomware attacks and committing fraud – so using unique passwords is a critical security control. However, it also represents a single point of failure, if it is compromised every password protected in it is also compromised. Many tools exist with different features, capabilities, and costs. We encourage every organization to review the available tools and select a standard tool that fits.

What do you do when your password manager company is compromised? The recent announcement by LastPass  that a backup of the encrypted customer vault was copied from their systems is a reminder we all need to stay vigilant. The announcement indicates the sensitive data (e.g., username, password, and secure notes) are encrypted with 256-bit AES and can only be decrypted by a specific user’s master password. The risk is that a brute-force (guessing every possible combination) attack could give the criminal access to usernames and passwords. Overall, the risk is pretty low as long as the master passphrase is longer than 12 characters and (ideally) has some complexity. But, there is still a risk, so we recommend a few key actions to protect yourself and the organization.

So what needs to be done now? Any time a Password Manager is compromised (others have been breached and more will be breached over time) we recommend the following actions:

• Change the master passphrase – make it at least 15 characters long, easy to remember, and significantly different from the previous passphrase. Some additional guidance on passphrases: nothing personal (relatives, school, work, pets, etc.), do not use historically significant, pop culture, song lyrics, or sports related. Hackers load their software with all this information and use it in the brute force attacks. Mix in some complexity if you can, but make sure it is easy for you to remember.
• Change sensitive accounts passwords – change the passwords for all accounts with sensitive data such as banking, investments, healthcare, credit tracking, cell phone, or related accounts. The good news is that using a password manager makes this part a bit easier.
• Multi-factor authentication – as you change passwords for sensitive data accounts, it is also an excellent time to enable multi-factor authentication wherever possible (including the Password Manager).

Switching Password Manager software is always an option, but the three steps above are still recommended as you set up your new software. Do not reuse any passwords or passphrases from the old solution, only new, unique, and 15+ characters long passwords. Remaining vigilant, using layers of security, and maintaining security awareness are critical to staying safe in our increasingly digital world.

As always, if you need information or assistance with cyber security, please feel free to contact our RubinBrown Cyber Security team at any time.

Published: 1/19/2023

_{^{Readers should not act upon information presented without individual professional consultation.}}

_{^{Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.}}