Tips for Creating a Strong Password
Correct risky password behavior and reduce your chances of being hacked.
The standard recommendations for making passwords hard to break are: don't reuse the same password across different sites, change your passwords every so often, and don't save them in the browser.
You know, there are days when I have trouble remembering my cell phone number, let alone passwords to the 50 or so sites I visit that require them, especially for the places that I infrequently visit.
That's why some security experts recommend using a password vault service. It keeps all those pesky passwords in one secure location, and you only have to remember one. Usually, that's the safest way to store passwords online. However, as Guillaume Lovet, senior manager for the Threat Response Team at Fortinet, told me:
The flip-side of the coin being that if your master password gets broken for some reason, all your passwords are compromised at once.
And that's what may have happened to LastPass in its possible breach. As reported on its blog:
Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.
In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.
We don't think there's much of any chance of [compromised passwords] at this stage. If there was, it would be on the orders of tens of users out of millions that could be in that scenario, just because of the amount of data that we saw moved. But it's hard for us to be 100 percent definitive without knowing everything.
Siegrist believes that those who have a strong master password are fine. In fact, while LastPass is trying to resolve the situation, it told users who know they have a strong master password that they can opt out of having their password changed. Reading the comments on the LastPass blog, there are some angry customers, but it's clear that people are asking questions and getting answers, and some will come away happy with the company.
I see two morals to this story. The first is that, even though LastPass decided to operate as if in a worst-case scenario, it's a good idea to tell customers what's happening right away and to keep them updated. The second moral is that it's important to create strong passwords because they really are a good first wall of defense against a breach.