LastPass Security Incident Overview & Next Steps

LastPass is a password management tool used to store, share, and manage passwords used by some departments and individuals at Davidson. On December 22, 2022, LastPass informed customers about a recent security breach. This article provides more information about that security breach, and next steps for securing your information.


About the LastPass Cybersecurity Incident

In December 2022, LastPass notified their users about a security incident that put passwords stored in LastPass at risk. Since some departments and individuals at Davidson College use LastPass to protect their secure information, we wanted to make sure you were aware of this incident, how it may affect you, and next steps affected users should take. 

During this event, a bad actor was able to download a copy of a LastPass backup that included unencrypted customer account information (name, email, etc.), as well as encrypted data from customer vaults including website usernames and passwords, secure notes, and form data. 

While the most sensitive information in LastPass vaults (like passwords) was encrypted, the likelihood of an individual LastPass user's data being breached depends on the strength of that user's LastPass master password.

  • LastPass vaults that were protected by strong master passwords, particularly those of significant length and used nowhere else on the internet, are at lower short-term risk from this incident.

  • LastPass vaults where the master password can be easily guessed, is shorter in length, or has been used on another website that was itself breached face a significantly more time-sensitive risk.

Regardless of the strength of your master password, this security breach is serious enough that all LastPass users should take action to protect their information.


Next Steps for Davidson Users

Due to the magnitude of this data breach, all users of LastPass should:

  • Update your LastPass Master Password.

  • Update your Davidson credentials if they were stored in LastPass.

  • Consider changing all personal passwords stored in LastPass, especially critical ones like banking and healthcare sites. 

  • Consider migrating to another password manager. Davidson T&I has evaluated potential replacements and recommends Bitwarden and 1Password for personal use. These services provide information about how to migrate passwords from LastPass into their platforms.

    Note: Departments and individual users that have been using LastPass to store and share significant amounts of Davidson system passwords and other sensitive information are strongly encouraged to begin using a T&I-provided college password management system currently in development. More information about this is below.

Is It Still Safe to Use a Password Manager?

Despite the risks of using a password manager, it is far more secure to utilize one than to reuse passwords across multiple systems. Creating unique and strong passwords for each of your online accounts is difficult, so often we create one strong password and use it across multiple accounts, or create multiple simple passwords that are easy to remember. Both methods put online accounts at risk. 

Password managers help mitigate this risk by allowing users to create one very strong master password and use it to unlock the rest of their passwords. Much like seat belt use reduces traffic deaths even if seat belts can sometimes cause injury, a password manager is still the lowest-risk way to protect secrets like site passwords.

 

Next Steps for Individuals and Departments Using LastPass for Davidson Business

Davidson departments and employees that use LastPass to store Davidson credentials should plan to transition all Davidson account information and passwords off of LastPass. Davidson T&I is in the final stages of selecting a new password manager for official College use.

If you store a significant amount of Davidson-related information in your password manager, or had been using LastPass to share access information with others in your department, you may be eligible to access this new Davidson-provided password manager.

Request to be added to the new Davidson password management system.

 

How to Update Your LastPass Master Password

How to Update Your Davidson Password

 
