What is a password manager and how does this LastPass hack impact nonprofits using this tool?
What is a password manager?
If you know that you shouldn’t use “1-2-3-4-5” or “password” as your password, you probably also know that each password to an account you use should be long, strong, and unique to that account. You shouldn’t make your password something easy to remember, because using any word makes it easier for a computer program to crack it. And you should never reuse your passwords. Hackers with access to passwords previously stolen and uploaded to the darkweb will try those known passwords on all the other accounts they can find for you, in the hopes that you reused your Yahoo password on something juicy like your bank login.
But how can you remember hundreds of passwords for all the secure accounts you need today for everything from online banking to a newspaper site or social media login?
One option in a modern office is to use a Single Sign On, but this is usually impractical for home use, because it must be set up by an administrator for an enterprise system.
For ordinary consumers, password managers have been a big help. Password managers let you store the unique and non-word strong passwords you create for each of your accounts in a vault; you need only memorize the master password to access that vault, then the password manager will help you log in to your many accounts. It’s very convenient and helps keep your accounts strong and resistant to hacking.
However, hacking into a password management tool is like finding a golden goose for cybercriminals. Not only can they use those vaults to hack into your accounts themselves, they can sell those files online for other hackers to try too.
Password managers such as 1Password, Keychain for Apple devices, LastPass and many others are rightfully very concerned with their own security and their own reputation.
Background:
It was reported December 22, 2022 that a hacker gained access to the personal password vaults at LastPass. This is on top of earlier incidents over the past year where LastPass experienced breaches. LastPass admitted a hacker was able to access customer vaults from a backup. The vaults themselves are encrypted with the Master key used by the customer. This was originally reported in TechCrunch, and confirmed by LastPass CEO Karim Toubba in a blog post.
Next Steps:
If you are a LastPass customer you should login and change your master password.
That will protect your vault moving forward, but it is important to recognize that won’t help the password vault that was stolen. You should go through your passwords stored in LastPass and update your passwords on all accounts there as well. Assume that in time every password in your private vault will become available to hackers, so you should take steps now to ensure the passwords within it will no longer be in use.
The other aspect to consider implementing, if you haven’t already, is multi-factor authentication protection applied to the accounts that you have saved in LastPass. It is important to include a second factor, such as an MFA app on your phone, or a Text based MFA system, to ensure that even if a hacker gets your password, they would also need your phone to complete logging in as you.
After taking these actions, you should still assume that eventually your LastPass vault will be breached, and you may want to change your password manager altogether. This article from CNET has some recommendations. There is some concern that as computing power increases, hackers with access to these private LastPass vaults will just spend as many months as it takes to eventually crack many of them, even strong and long passwords. Other password solutions, like 1Password, use a different security method. You can read a comparison of their security and transparency in this CNET article.
Broader Implications of the LastPass Hack and Nonprofits:
If your organization already uses a password manager or SSO:
The recent breaches at LastPass and at OKTA demonstrate that hackers are becoming increasingly more sophisticated in their methods for gaining access to systems and targeting credentials. Larger organizations should continue using or switch to SSO solutions like Microsoft’s Enterprise Applications to manage access from an admin perspective. This is preferable to creating and managing discrete credentials and storing them in a vaulting solution like LastPass.
Microsoft and OKTA also include the ability to store and insert credentials in their SSO solutions, providing methods for both SAML(Security Assertion Markup Language) and form based authentication. Having an SSO solution helps to improve the centralized auditing reporting and management of credentials by a network manager.
If your organization needs to begin using a password manager or SSO to improve your cybersecurity stance:
If your organization is thinking about implementing a password manager solution, please pause and incorporate these recent disclosures about LastPass into your evaluation. The security and integrity of the data stored in these systems is critical, but not the only evaluation criteria. Ease of use and management of the platform is also important.
This also highlights the importance of including Multi-Factor Authentication for all accounts because passwords themselves aren’t going to guarantee the security of an account.
How does this LastPass hack impact nonprofits? How does it impact you?
One way to assess your organization’s cybersecurity stance is to do an inventory of your policies, technology, and staff training, and involve your nonprofit leadership in ensuring that your nonprofit is as prepared as possible for security breaches to yourself or to your IT vendors. A good place to start is with our self-assessment Cybersecurity Quiz, which takes about 10 minutes and is free.
To learn about creating a layered approach to cybersecurity, please download our free Cybersecurity Readiness for Nonprofits Playbook, which walks through our philosophy and includes practical tips and considerations.
Finally, you can review our Cybersecurity Insurance webinar and learn more about the ways increasing your defenses against hacks and ransomware can improve your ability to find the correct level of insurance. You can also view our Cybersecurity Training for Grantees webinar to learn more about one funder who is focused on protecting the nonprofits they fund by paying for and requiring basic training.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We find that many nonprofit organizations deal with more cybersecurity risks than they should have to. As a result, cyber damages are all too common. Whether through a third party vendor or a phishing or ransomware attack on your own organization, you need to be prepared for cybersecurity risks and understand your work and personal security options. And your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your cybersecurity risks to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you to include cybersecurity foundations in your well-managed IT.
Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand.
We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap, if you don’t have an in-house IT Director. We want all nonprofit organizations to improve their cybersecurity and prevent impacts like this LastPass hack on nonprofits.
If you’re ready to gain peace of mind about your cybersecurity, let’s talk.