IMSS will not renew the LastPass contract in March 2023, so we recommend you no longer use this software. We are evaluating options and will provide updates as soon as possible.
Due to recently disclosed information regarding a security breach at LastPass, the Caltech IMSS Information Security team recommends that the Caltech community not store any further passwords in LastPass and begin taking action on the accounts whose passwords have been stored there.
The data taken in the LastPass breach included the password vault data of their customers. The account passwords in the vault were encrypted with the master password chosen by each user. Caltech's password requirements are stringent enough that a master password meeting them should withstand a brute-force attack for a period of time, but anyone who used a LastPass master password that is also used for other accounts should change the account passwords they stored in LastPass as soon as possible. Everyone else should also begin changing all account passwords that have been stored in LastPass; this can be done on a non-urgent basis but should not be forgotten.
Please be on the lookout for increased phishing attempts that appear to know what accounts you hold. The vault data that was stolen from LastPass included unencrypted URLs for the sites in the vault. Criminals may use this information about LastPass customers to attempt to trick them into providing a password.
- Change the LastPass master password: Those of you who used a LastPass master password that is also used for other accounts should change the account passwords stored in LastPass as soon as possible. Everyone else should also change the passwords stored in LastPass; this can be done on a non-urgent basis but should not be forgotten.
- Change passwords: We recommend that, at your earliest convenience, you change the passwords you have stored in LastPass, beginning with your most critical or sensitive accounts. If two-factor authentication is available, we highly recommend that you make use of it.
IMSS Information Security is currently evaluating potential replacements for the LastPass password management tool and will make an announcement very soon. While the incident with LastPass has been disappointing, using a password management utility, with a unique and random password for each account, is still the best way to keep your accounts secure.