LastPass Incident

1/12/23 – Recently, LastPass, a password manager, has been in the news due to a compromise they experienced in 2022. We have been closely watching the developing situation and are offering our guidance to the community based on currently available information.

The breached data included both encrypted information, such as passwords, and unencrypted information (e.g., the URL associated with each stored login). However, LastPass warns that a threat actor may use social engineering techniques and phishing attacks to trick users into disclosing sensitive information, like passwords. Additionally, a threat actor could use brute force to attempt to crack LastPass master passwords.

The compromise of systems at companies is a daily occurrence in the modern world. Despite the most recent security incident with LastPass, most security professionals still agree that the benefits of password managers outweigh the risks they pose. Password managers enhance security by allowing you to store your passwords and other sensitive information in a virtual safe that is accessed with one very strong password. Password managers like LastPass also help users keep track of all stored accounts, making it a lot easier to update passwords and reduce password reuse. Information Technology Services has been using LastPass for several years and fully expects that LastPass will continue to make improvements to their security.

The Information Security Office recommends LastPass users take the following steps to help secure accounts and reduce any risks associated with the recent security incident:

  1. For LastPass personal account users, review and/or update your LastPass master password or passphrase (a string of words). Make sure it is at least 12 characters long and is a passphrase that is memorable to you but seemingly random and hard to guess. The longer the better;
  2. For all LastPass users, including those using federated logins, update any account passwords stored in your LastPass vault where a compromise could likely result in harm, like your financial, health or professional accounts;
  3. For everyone and everything: never reuse your passwords;
  4. Be highly skeptical of communications that you did not initiate, such as email or text requests to confirm account information. Remember, neither UConn nor legitimate third parties will ever ask you to share or confirm your passwords.

ITS continues to support and recommend the use of LastPass. For more information about the UConn LastPass account, visit: https://kb.uconn.edu/space/IKB/26149945350/LastPass.