Moving my parents away from LastPass
Mom and Dad Had Questions
The LastPass debacle reached outside of my InfoSec bubble recently, and into my family this holiday. My parents learned about the data breach via the news and Facebook, and asked me for an explanation.
For people in their 70s, my parents are rather tech savvy. They’re at least to the point where they can function on the internet and do whatever they want. Both mom and dad know enough now to understand how serious the LastPass incident is. But honestly, my parents don’t care too much for the technical details. They just want to get to the point and understand the facts of the matter, which made my job explaining things easier.
Personal Tech Support
The thing is, like most of us in tech, I’m the go-to IT person for the family. A few years back, I moved my parents over to LastPass. Why? The interface was easy enough to understand, and they were able to navigate it. Of the password manager options I showed them, they selected LastPass. Fine. For their needs, LastPass was exactly the right option at the time. But now, they’re concerned.
Their master password was over 12 characters. By all rights, even if criminals did target their compromised data, they’re likely secure. I’m not giving anything away when I tell you it was a structurally complete sentence. I say was, because as the title of this blog post suggests, I’ve moved them off of LastPass anyway, regardless of the low risk. I wasn’t willing to risk their accounts, and neither was my dad.
An Unlikely Solution
However, the solution I suggested, and the method my dad felt was best, likely isn’t for everyone. My parents now use a password book. This book is kept secure, and contains strong passwords for the critical websites. They’ll use sentences for some of the non-critical websites they visit.
I won’t get into details, but their banking, retirement, and most financial accounts are using more than 20 characters, generated by the Bitwarden password generator, which were then copied down to the book (a typed printout, not handwritten). Other accounts are protected by passwords that form complete sentences, based on things only my parents know. They have written these sentences down, and stored them in the deposit box at the bank, for when I’ll need them after they’re gone.
I’ve left them instructions on how to use the password generator in the future (but my dad understood immediately, so I doubt he will need my help), and informed them of another critical matter. Phishing.
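As an added illustration of the two password styles described above (this is example code written for this post, not the Bitwarden generator or anything from the original), the script below generates a random 20+ character password from the CSPRNG in Python's standard library, estimates the entropy of a random password versus a random-word passphrase, and formats the result in four-character groups so a typed printout is easier to copy without transcription errors. The 7776-word dictionary size is the Diceware list size, used here only as a reference point; a natural-language sentence has less entropy than the same number of randomly chosen words, so the passphrase figure is an upper bound for sentences.

```python
import math
import secrets
import string

# Character set of a typical "all classes" generator setting (assumed here).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Reference dictionary size (Diceware list); an assumption for the estimate.
DICEWARE_WORDS = 7776


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password drawn with the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` independent uniform symbols."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of `word_count` words chosen uniformly from a dictionary.

    A grammatical sentence the user composes has strictly less entropy than
    this, because the words are not independent or uniform.
    """
    return entropy_bits(word_count, dictionary_size)


def chunked(password: str, group: int = 4) -> str:
    """Group characters for a printout, e.g. 'abcd efgh ij'."""
    return " ".join(password[i:i + group] for i in range(0, len(password), group))


def is_strong_enough(password: str, min_bits: float = 100.0, alphabet: str = ALPHABET) -> bool:
    """Check a generated password meets an entropy floor, assuming it was
    drawn uniformly from `alphabet` (only valid for generator output)."""
    if any(c not in alphabet for c in password):
        return False
    return entropy_bits(len(password), len(alphabet)) >= min_bits


if __name__ == "__main__":
    pw = generate_password(24)
    print("printout line:", chunked(pw))
    print(f"24 random chars: {entropy_bits(24, len(ALPHABET)):.1f} bits")
    print(f"20 random chars: {entropy_bits(20, len(ALPHABET)):.1f} bits")
    print(f"5 random words:  {passphrase_entropy_bits(5):.1f} bits (upper bound for a sentence)")
```

The comparison is the reason for the split the post describes: a 20-character generator output from a 94-symbol set is about 131 bits, while five random dictionary words is about 65 bits and a memorable sentence is lower still, which is acceptable for low-value sites but not the right choice for the accounts that matter.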
Post-breach Risk Factors
See, the LastPass incident isn’t just about a data breach. The data the criminals compromised can also lead to phishing attacks that leverage the LastPass incident as a lure. Clearly this can cause additional knock-on problems for the victims in this case.
So I’ve explained that issue, and told them to send me any email or text message that claims to originate from their critical accounts (a list we defined ourselves). This way, they can let me advise them, a process my parents were more than happy to accommodate.
The solution isn’t the most technical, but it is the one that works and makes sense to my parents. Therefore, it’s the best solution for them. Never let perfect get in the way of good.