Business administrators that entrusted LastPass with their organization’s login credentials have some work to do to regain a defensive posture.
A monthslong cyberattack compromised most of the highly sensitive customer account data held by the password manager, with the exception of users’ master passwords, which LastPass said it doesn’t store or maintain.
The exposure is broad and potentially ruinous for organizations that don’t take additional steps to protect against unauthorized enterprise account access.
Business administrators need to assess their organization’s risk across multiple components and heed the recommendations LastPass said it shared last week in a security bulletin with about 100,000 business customers.
Here’s the most high-level actions LastPass shared with its business customers in a top-down order to prioritize response (advice for individual customers can be viewed here):
Master Passwords
Usernames and master passwords, which create a unique encryption key, should be at least 12 characters long, according to LastPass. The longer the master password the better, particularly when all available character sets are used.
“Remember that length wins over complexity,” LastPass said.
Administrators should set policies that require:
- A minimum character length
- Minimum character sets
- A change when reuse is detected
- And prohibit the use of previously used passwords
Security reporting in the admin console will identify users relying on weak or reused passwords, and organizations should consider forcing those users to reset their master passwords, LastPass said.
Critical credentials saved in shared folders accessed by users relying on a low iteration account, the number of rounds performed during the client-side encryption process, must be rotated. Businesses should set the recommended minimum of 600,000 iterations for all users.
LastPass said it will soon require all personal accounts to meet this standard and will notify business administrators before the change occurs.
Super admins
Users with privileged access — super admin — should always maintain exceptionally strong master passwords and a high iteration count. Identify super admins using a weak password and rotate all critical credentials.
These accounts should only be set up for “break glass” situations that require special access and at least one super admin should maintain non-federated access.
Shared secrets
Businesses need to reset MFA secrets for all non-federated users who have enabled MFA access to their vaults and use authenticators from LastPass, Google, Microsoft or Grid.
This process will require users to login, verify location and go through the reenrollment process for MFA apps.
LastPass encourages users of Duo Security, Symantec VIP, RSA SecurID and SecureAuth to regenerate the shared secret for each MFA instance and enter the shared secret into the respective MFA app configuration in the admin console.
SIEM Splunk integration
Customers that use the SIEM Splunk integration must reset their instance token. LastPass said it will invalidate these tokens for all customers that don’t take this action on April 30.
Unencrypted data exposure
Businesses should run security reports in the admin console to see all URLs that might have been exposed, and communicate to employees the risk this poses for credential stuffing, phishing and social engineering attacks.
What else?
LastPass encourages businesses to run a weak security report to identify users with a weak security score and prompt those users to change those passwords in their vault. Administrators should also enable the control dark web monitoring policy.
Business customers should conduct an ongoing risk assessment and governance of shared folders, especially those containing sensitive access information for third-party services.
These folders should only be shared with users that have strong master passwords, high iteration counts and require specific access on the principle of least privilege.
