#167: Password Hygiene

In this episode, I discusses the LastPass breach that occurred last year and how it has prompted me to improve my password hygiene.

I talk about why the breach has led me to move away from LastPass - and how it has provided an opportunity to clean up my password data and reset passwords for critical accounts.

I also re-emphasizes the importance of good password hygiene and using multi-factor authentication for added security.

Or listen at:

Published: Wed, 07 Jun 2023 15:08:41 GMT



Hello and welcome back to the Better ROI from Software Development Podcast.

Following the breach of the LastPass Password manager late last year, I, like many technology professionals have been looking at my password usage. In this episode, I want to talk about that LastPass breach, how I have responded, and the hygiene steps I've taken to my own passwords.

Before I talk about the breach, I introduce the idea of password managers back in episode 105. With much of our lives now being online, passwords are commonplace, and as such, there is a danger of us reusing passwords across multiple websites and services as a convenience. Doing so however is risky. If one website loses that password, then an attacker can reuse the same password for your other websites and services. If it's convenient for you, it is also convenient for an attacker.

In episode 105, I went on to recommend:

"You should really be looking at things like password managers that will generate unique passwords for every single site that you use. So that should your password be breached on LinkedIn, for example, it won't be any use on any other system because it's only ever used on LinkedIn. Think about this as a bulkhead, as used in ships, you cut off that bulkhead so that you only have minimised impact."

Now my password manager of choice for many years has been LastPass. I've always found that it provides a convenient and effective service.

Let's move on to the LastPass breach. Back in December, LastPass, disclosed that they had had a security incident - I'll link in the show notes to the actual article.

In disclosure, they said what was accessed:

"Cloud-based backup storage - contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data."

LastPass went on to say:

"All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user's master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass - therefore, they were not included in the exfiltrated data."

So boiling this down, what they're saying is that an attacker has got backups of customer vault data, but shouldn't be able to access that data because the attacker does not have the end user's master password.

Now, earlier this year, it was difficult to avoid analysis and advice in technical podcasts and periodicals about the whole subject. There was, and indeed continues to be, many thoughts regarding the specific breach and the trustability of LastPass. During that period, it became clear to me that many security experts had lost faith in his past.

Partly, I think this was because of how the handling of the breach occurred - as you see from the last past disclosure, at least two incidents occurred and the way that it was communicated felt a bit like "what next" at the time. Now, I suspect part of that was LastPass communicating as they investigated - which, while should be applauded, does make it feel like it was getting worse day by day.

And the other part of why I believe security experts were losing faith was because of the ownership of LastPass by GoTo (formally LogMeIn). They've owned them since 2015, which prompts many to question how focused the company is on security rather than turning a profit.

For me, I initially took the news of the breach as interesting, but not a problem.

However, I have to admit, as more was disclosed, the more concerned I became.

My personal worry here is that while an attacker may not have that master password, it is something that given the right time and technologies, those customer vaults are likely to be opened. Now, this could be years or even decades away, but the threat for me was a real risk.

So this prompted me to move away from LastPass to another provider.

Moving to another provider prompted me to migrate my existing passwords. And during this migration, I wanted to use this as an excuse to clean my passwords up.

Like everyone, my use of online services has grown exponentially over the years and, unsurprising, there's a lot of password data that I no longer need, be it that one time online purchase accounts for trial services, websites that I don't use anymore, websites that don't even exist anymore, credential for previous employers and clients.

And while all of those are good candidates for cleaning up that password hygiene, the last one was the one I should really have been managing better.

As a consultant, especially when working with legacy systems, it's not uncommon for me to acquire passwords as part of my day-to-day activities. Rather concerningly at one client, I appeared to be the only one keeping track of any of them - so much so I'd often be the sole repository of critical system passwords.

In an ideal world, I should never have access to critical system passwords. Access to anything critical should be linked back to my specific identity, which as needs arise, should then receive escalated privileges and then be revoked when the need has passed.

But as a consultant, you soon see that we are not living in an ideal world - thus, practicality takes over.

Thus, it's my responsibility to remove any record of those passwords when I no longer have a relationship with a given employer or client. Thus, all of those were deleted during the migration.

Alongside the migration, I also took a look at my critical accounts and made sure that I reset all of those passwords. Given how many passwords I have, trying to reset the passwords for all of them would be impractical - thus, why focused on the critical ones.

Now, I don't generally recommend changing passwords too often, as I believe it promotes dysfunctional behavior such as just incrementing the number at the end. And of course, I also recommend using multifactor authentication for any critical account. So in my case, even if the password was exposed, it still wouldn't allow the attacker access because they didn't have that multifactor authentication.

But in this case, due to the danger of one day, maybe in decades time, that vault being opened, it felt appropriate that I reset those critical account passwords.

So what are the lessons that I've taken away from this LastPass breach?

Firstly, while I think LastPass has lost a level of trust, this could happen to the provider I've moved to. It could happen to any number of providers - it's unfortunately a factor of life - and this is why it's important to make sure that I keep the hygiene of my passwords good, certainly remove any no longer used accounts, - keep it lean, all that data is a liability. In this case, less is more.

And of course, to make sure that I have multifactor authentication in place for as many of my accounts as I can - but certainly those most critical ones.

I certainly believe that we can reach that nirvana of having a world without passwords. However, I don't see that we are going to reach that anytime soon. So until then, we need to make sure that we're employing a good level of hygiene to the passwords we use.

Thank you for taking the time to listen to this episode. I look forward to speaking to you again next week.