Password Management Service LastPass Gets Hacked
Despite the fact that LastPass was breached, password managers such as LastPass in general do more good than harm, according to Matt Devost, CEO at cyber-security consultancy FusionX LLC. "It is essential that users have strong and unique passwords for all of their online services, and it just isn't reasonable to assume they will remember the passwords; thus these password managers fill a critical need," Devost said. "To ensure that services like this are afforded the best protection possible, users should enable two-factor authentication."

Also in favor of using two-factor authentication with password managers is Ben Tomhave, principal at Falcon's View Consulting. While Tomhave is not surprised that a breach occurred at LastPass, he's hopeful that the company will do a "lessons learned" exercise on this incident to fully understand not only the nature of the breach, but what LastPass can do to improve its defenses and optimize detection and response. "Even better would be if they publicly disclosed more details on the incident so the rest of us can learn lessons with them," Tomhave told eWEEK. "In this case, one breach potentially nets a huge amount of compromises and, much like commercial fishing, unsuspecting users are caught in the wide net," he said.

Any password manager requires certain compromises, according to Roger Stratton, general partner at Mach37. The user is placing a great degree of trust both in the encrypted storage method used by the password manager and in the fact that the mobile app, desktop app or browser plug-in isn't introducing additional security exposures, he said. "It is an example of putting all of your eggs in one basket," Stratton told eWEEK. "As with any other important life decision, there is a cost/risk/benefit judgment that the consumer has to make. The important thing is to protect that basket." Fundamentally though, there are always risks with passwords as soon as they are shared.
Mike Murray, director of Cyber Security Assessment and Consulting at GE Healthcare, said he always abides by the old rule that "a secret is something only one person knows." "As soon as you write your password down, whether on a Post-it note or in a digital form, it is possible for someone else to get it," Murray said. "This breach is only a reminder of that fact—if you want perfect security for your passwords, you need to keep them in your brain."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Egan suggests that, in light of the LastPass breach, users reconsider which services or software they use. In his view, password managers are unfortunately still a necessity, but keeping this sensitive information local, as opposed to in the cloud, would reduce the attacks.