And, I can personally empathize with the friction you will undoubtedly receive if you make this suggestion. Again, either way, there is no certainty here.Īgreed, making this decision for yourself is much a different beast than making this decision for an organization. OP is going to have to make a subjective judgment call on whether he is better off making the move, taking the hit on adoption and the impedance of users learning a new system, or better off taking the risk of staying with the current architecture. Like you, I would prefer to have some hard numbers to make a decision, but you just can't do that with a risk profile. Is the overall risk, factoring in the absolute likelihood that these LastPass vaults, with their flawed encryption, WILL get stolen again, due to demonstrated LastPass incompetence?
#LASTPASS CHANGES MARCH PASSWORD#
If members in his organization stop using a password manager completely (either in the short term or long term), he has increased risk on that surface. A password manager does not ELIMINATE risk, but it helps moderate risks in ways that are hopefully easier to manage and control.īack to the original subject on this thread, I can't say for sure that OP would be best served by moving from LastPass. You should use a password manager because it has less risk than not using one (reused passwords, an unencrypted text file, etc.). The theft of the encrypted vaults was merely the second shoe dropping. The primary lapse was poor encoding (encryption) of the vaults. The failure of LastPass was only secondarily about the disclosure of the encrypted vaults. Should you desire to do so, you will need to re-link your accounts by following the instructions in Using LastPass Family Benefits.įor additional information on recommended steps for securing your personal LastPass account as a result of this security incident, please refer to the Security Bulletin provided by LastPass which can be found by visiting: …Ĭontinue to be vigilant as it relates to social engineering or phishing attacks to gain access to user information.No, they would not have had a different outcome. If you have a personal or family LastPass account that was previously linked with your OHIO account, it will no longer appear in LastPass after your account is reset. You will need to re-link any personal or family accounts. We understand that this will be a cumbersome process, but ask that you prioritize this activity and any password changes associated with high-value credentials such as your OHIO credentials, admin credentials, and any credentials associated with access to SSNs, credit card information, or any other highly sensitive data.ģ. Your passwords stored within your LastPass vault will need to be reset.ĭue to the high value associated with the credentials stored in OHIO’s LastPass vaults, once your account has been reset, you then need to change the passwords stored within your LastPass vault.
You will now be able to log into LastPass with your OHIO email and password like before.Ģ.
This action will complete the reset process. You will be prompted to enter the temporary password again and select Save Master Password. Upon entering the temporary password to log into LastPass, you will then be prompted to enter your Ohio University email/password and accept a multi-factor authentication request to access the service. Your temporary password will be relayed to you via Teams chat. Please note that you will receive a notification email from LastPass about this change, but no action is required regarding this email. Over the next few days, you will be contacted via Microsoft Teams chat by an OIT employee, at which time the OIT employee will change your LastPass password to a temporary password.
What does this mean for you as a user of LastPass? On March 1, 2023, LastPass posted an updated notification as it relates to the previously communicated cybersecurity incident.īased on the most current information provided by LastPass, we will be implementing their recommendation to reset our OHIO accounts in an effort to reduce the risk associated with this incident. Based on the information provided by the vendor at the time, no action was requested of you outside of awareness that you may see an increase in phishing attempts as a result of this incident. On December 23, 2022, we notified you of a cybersecurity incident involving the University’s third-party password management tool, LastPass.
0 kommentar(er)
