If you haven't seen the recent reports of Mat Honan's devastating hack, it's a powerful tale and one worth reading in its entirety. It's in part a cautionary tale about the current security practices of online services, but in light of it and other recent breaches, his situation raises bigger questions about what we can learn from it and how we can prepare ourselves going forward.
There are two overarching messages we want LastPass users, and the web community at large, to take away from the story:
- Being proactive and prepared is key to mitigating the risk of attacks, and
- Protect your email account like your online life depends on it, because these days it pretty much does.
1. Change the password for your email account(s), now. We have seen alarming statistics on the number of leaked passwords out there, including leaked email username and password combinations. A password generator like the one built into LastPass lets you create a unique, long, strong password for each of your online accounts. The LastPass Security Challenge can also help you identify any weak and duplicate passwords still lurking in your vault. If one account's password is compromised, so is every account that reuses that password, and every account whose password reset goes through the compromised one.
2. Protect your email account(s) with multifactor authentication if possible. Google has increased efforts to encourage all Gmail users to set up multifactor authentication. If your email service offers the option, enable it as soon as possible. That way, just knowing the password for your email account will not be enough to let someone in.
3. Replace answers to "security questions" with obscure, non-personal responses. Truthfully answering security questions puts you at risk of social engineering. Use a password generator or make up bogus answers, then store them in a note in LastPass. If you ever need to reference an answer, you'll have it, but your personal information can't be used against you.
4. Set up multifactor authentication for your LastPass account, now. Adding multifactor authentication to your LastPass account requires another piece of secure data to be entered after you submit your master password, but before you can access your stored data. So even if your master password is somehow captured, by a keylogger or even by someone you thought you could trust, they stay locked out because they won't have that second piece of login data.
5. Create a "security email address" for your LastPass account. Although protecting your primary email address(es) should be a high priority, you can set up an obscure email address to be used for account recovery, multifactor authentication resets, and other critical changes to your LastPass account.
6. Run the Security Challenge, and get proactive about your security fitness level. Located in the Tools menu of the LastPass addon, the Security Challenge lets you keep an eye on weak and duplicate passwords, and reminds you of ways to improve your overall online security (such as #4 above). Take full advantage of LastPass security options, like automatic logoff when the browser is idle and restricting logins to IP addresses in certain countries.
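To make the "one password compromised = many accounts compromised" point concrete, here is an added example (not LastPass code) that models the two checks the Security Challenge performs, duplicate and weak passwords, over a small constructed vault, shows the blast radius of a single leaked password, and generates a random replacement usable as a password or a bogus security-question answer. The vault entries, the 12-character minimum and the three-character-class rule are all assumptions made for the example.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault for the example: (site, password). Not real credentials.
SAMPLE_VAULT = [
    ("mail.example.com", "Summer2012!"),        # reused three times, and short
    ("bank.example.com", "Summer2012!"),
    ("shop.example.com", "Summer2012!"),
    ("forum.example.com", "password1"),         # short, only two character classes
    ("cloud.example.com", "gX7#qL2$vP9@wR4kTz"),  # unique, long, mixed
]

# Heuristic "weak" rule (assumption): shorter than min_len or fewer than three
# of {lowercase, uppercase, digits, punctuation}.
def weak_reasons(pw, min_len=12):
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = sum(any(test(c) for c in pw) for test in
                  (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons

def audit(vault, min_len=12):
    """Return reused passwords (with the sites sharing them) and weak passwords by site."""
    by_password = defaultdict(list)
    for site, pw in vault:
        by_password[pw].append(site)
    duplicates = {pw: sites for pw, sites in by_password.items() if len(sites) > 1}
    weak = {}
    for site, pw in vault:
        reasons = weak_reasons(pw, min_len)
        if reasons:
            weak[site] = reasons
    return {"duplicates": duplicates, "weak": weak}

def blast_radius(vault, compromised_site):
    """Every site that falls if the password stored for compromised_site leaks."""
    leaked = dict(vault)[compromised_site]
    return sorted(site for site, pw in vault if pw == leaked)

def generate_secret(length=20):
    """Random replacement value: a new password or a bogus security-question answer."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for pw, sites in report["duplicates"].items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
    for site, reasons in report["weak"].items():
        print(f"{site}: {'; '.join(reasons)}")
    print("if mail.example.com leaks, also exposed:", blast_radius(SAMPLE_VAULT, "mail.example.com"))
    print("replacement:", generate_secret())
```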