Seeing a major password manager breached, it’s hard not to throw up your hands and say, “it’s helpless.” Still, don’t give up on all password managers. Used properly, they are still better than a password spreadsheet or sticky notes of your credentials. Plus, it’s definitely smarter than reusing the same password to access more than one account.
According to LastPass, the December breach affected 30 million users and 85,000 businesses. Threat actors stole a large amount of data, including encrypted customer vaults. Industry experts are not enthusiastic about the breach handling or why it happened. So, leaving LastPass may make sense.
Yet abandoning password managers may not help you secure your sensitive data. Instead, prefer a cloud-based password manager that has no way of decrypting your data. This is a zero-knowledge password management architecture, which means that you are one with the secret key needed to access your encrypted data. That way, if the data is stolen or lost, the threat actors would still need to decode your key.
This means, of course, that you need to protect your secret key. Also, you need to make it complicated enough that the bad actors can’t hack it. So, using “password123” as your secret key would not be secure. Many security experts now recommend using a passphrase instead of complicated passwords.
Enforce Multi-Factor Authentication
Multi-factor authentication (MFA) helps stop bad actors by making access more difficult. They can’t get in with a username and password alone. You add another variable for confirmation before they can compromise your account.
You’re likely already familiar with two-factor authentication. It’s typically done through a text message or an email to another account, but these can both be compromised as well.
Biometric MFA is typically best (e.g. fingerprint or face identification). If that’s not available, prefer an authenticator app (e.g. Microsoft authenticator) or a Fido 2.0 key (e.g. YubiKey).
A Fido 2.0 key is a USB device that you keep in your physical possession to provide passwordless MFA logins. Instead of having an authentication code sent to you, you press a button on your key. It sends your code to confirm your identity. When your unique code is received, the system logs you in.
Worried you’d lose the physical key? That’s not ideal. That’s why it’s a good idea to get two. Meanwhile, the Fido 2.0 key doesn’t store identifiable usernames or any of your passwords. So, anyone finding that lost key would have no way of knowing what you use it to authenticate.
Ultimately, it’s best to prepare for any service to be breached. Cut your risk by keeping up with the latest technology for protecting your data. We can help. Contact us today at 414.456.9837 or contact us to help you put appropriate security measures in place.