Try passkeys, but keep your password manager
I don’t know any writers who like angry emails, especially on a Monday morning after a vacation, but that’s what I encountered this week after the latest LastPass data breach. A reader was upset after hearing about the breach and asked me about PCMag’s recommendation for the software. And they were absolutely right to ask!
I understand. Data breaches are scary. If a hacker discovers your username and password and you don’t have multi-factor authentication on your accounts, all your data could end up in the hands of a stranger. That said, I have no reason to believe that your passwords wouldn’t be safe in a LastPass vault.
As PCMag’s lead security analyst Neil J. Rubenking noted last week, LastPass says the breach did not expose any passwords. Rubenking suspects that the hackers made off with customer information such as email addresses, physical addresses or credit card information. Yes, this is worrisome, but not nearly as worrisome as a breach exposing the contents of users’ password vaults.
LastPass, along with the other password managers we’ve recommended, uses a zero-knowledge architecture for credential storage: your vault is encrypted on your own device with a key derived from your master password, so only someone who knows that master password can unlock it. The company does not have your master password; only you do. That means LastPass can’t get your passwords, the government can’t get your passwords, and as long as a hacker doesn’t get (or guess) your master password, they can’t get your passwords either. With that in mind, choose a long, strong master password for your vault and add another layer of protection to your password-manager account with multi-factor authentication.
The whole situation makes me yearn for widespread passkey adoption on the web.
What are passkeys?
We may not have to mess around with clumsy credentials and extra software much longer. Earlier this year, representatives from Apple, Google and Microsoft announced that the companies are working with the FIDO Alliance to adopt a new way to log in without a password.
Passkeys are FIDO credentials used for authentication. Instead of a secret you type and the site stores, a passkey is a cryptographic key pair: the website keeps only the public key, and the private key stays on your device, where it is used to sign a one-time login challenge. Passkeys are synced between your devices via a cloud service (iCloud Keychain, for example), and the cloud service also keeps an encrypted copy of your credentials. According to the FIDO Alliance, a group devoted to eradicating password use online, passkeys provide an easier and more secure way to log into websites and apps.
Apple rolled out passkeys as part of iOS 16, allowing you to sign in to supported apps and websites with Face ID or Touch ID. Check out PCMag’s guide to setting up a passkey on an Apple device.
Google has been working on finding password alternatives for a long time. Back in 2013, the company worked with Yubico to try to create a USB-based login process, and in 2016, Google announced that it was beta testing a passwordless login system. Android users can’t partake in Google’s vision for a password-free future just yet, but back in May the company said the simplified sign-in process would be available “within the coming year.”
The big downside to passkeys is that they are new, so not all sites accept them. Eventually, many developers will support them in their apps and websites, so I recommend you look for the passkey logo on websites where you can sign in with a passkey instead of a password.
(Credit: FIDO Alliance)
Why should you continue to use a password manager?
Since most apps and websites haven’t adopted passkey authentication yet, you’ll still need a password manager to log in securely online. Password managers remain the best way for most people to keep their login information organized and secure.
A password manager generates a complex, unique password for every site and stores them all in a vault. You don’t need to remember those passwords because the password manager fills them in for you, and not having to remember them removes the main reason people reuse passwords around the web.
A password manager is a safer option than writing down your passwords on sticky notes on your desk or in a notebook that can easily be lost or stolen. You could keep your passwords in a spreadsheet on your computer or phone instead, but an unencrypted file is not very secure, and it is cumbersome to copy and paste your credentials every time you log in to one of the many sites you use throughout the day.
How to choose a new password manager
If you want to use a password manager but are still unsure about LastPass after the latest data breach, there are many other excellent and secure options. LastPass is a big target for hackers because the company is well known and has a massive customer base. A less popular password manager, such as the free, open source, Editors’ Choice award-winning Bitwarden, may be an option for people who want to avoid opening future emails with the scary subject line “Recent Security Incident.”
Check out PCMag’s article on switching password managers for a step-by-step guide. Whichever password manager you choose, remember to enable multi-factor authentication on all your accounts, including your password manager, to make it harder for would-be data thieves to get hold of your information.
Do you like what you read? Get an extra story delivered to your inbox weekly. Sign up for the SecurityWatch newsletter.
What else is happening in the security world this week?
Security flaws in Florida’s tax website exposed filers’ data. A security flaw on the website of the Florida Department of Revenue exposed hundreds of taxpayers’ Social Security numbers and bank account numbers.
Understanding teen hackers: DHS to investigate attacks by the LAPSUS$ gang. The Department of Homeland Security’s Cyber Safety Review Board will review the hacking techniques of LAPSUS$ to help organizations protect themselves from similar threats.
Scammers pose as Google to trick hundreds of businesses into paying fees. Google’s lawsuit alleges that the scammers used the names “G Verifiers” and “G Hyper Local” to trick businesses into paying fees to maintain their presence on Google Search and Maps.
GameStop claims that the data leak was only a test and not actual customer data. But it turns out that some of this data belongs to real people.
What to do if your antivirus program stops working. Antivirus companies strive for continuous protection, but the software is not perfect. Here’s what you can do if your antivirus stops working or fails to prevent a malicious attack.