I can’t believe nobody asked for my thoughts on the LastPass breach (sarcasm).
Firstly, any company that holds anything that even resembles sensitive data should be using data perimeter concepts to prevent its cloud storage from being accessed without a deeper foothold.
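As an added illustration of the point above (not part of the original post), the following Python builds an S3 bucket policy that applies two of the AWS data perimeter controls, an identity perimeter (only principals from the company's own AWS Organization) and a network perimeter (only requests arriving through the company's VPC endpoint), and then runs a simplified evaluator over constructed request contexts. The organization id, VPC endpoint id and bucket name are placeholders, and the evaluator is an assumption that only handles the `StringNotEquals` conditions used here; real IAM evaluation is far richer.

```python
import json

# Placeholders (constructed for this example, not real identifiers).
ORG_ID = "o-exampleorg123"
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"
BUCKET = "example-backups-bucket"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]


def build_perimeter_policy(org_id=ORG_ID, vpce_id=VPC_ENDPOINT_ID):
    """Bucket policy with two explicit-deny statements.

    Identity perimeter: deny unless the caller belongs to our Organization
    (aws:PrincipalOrgID).  Network perimeter: deny unless the request came in
    through our VPC endpoint (aws:SourceVpce).  An explicit Deny wins over any
    Allow, so a leaked access key used from an attacker's laptop gets nothing.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnforceIdentityPerimeter",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": BUCKET_ARNS,
                "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": org_id}},
            },
            {
                "Sid": "EnforceNetworkPerimeter",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": BUCKET_ARNS,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
        ],
    }


def evaluate(policy, request_ctx):
    """Simplified evaluator (assumption: only Deny + StringNotEquals).

    Mirrors the IAM behaviour that matters here: for a negated operator a
    missing context key counts as "not equal", so the Deny fires.  Returns
    ("DENY", sid) for the first matching deny, or ("ALLOW_IF_IAM_PERMITS", None)
    meaning the perimeter did not block it and normal IAM evaluation proceeds.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for key, expected in stmt["Condition"]["StringNotEquals"].items():
            if request_ctx.get(key) != expected:
                return ("DENY", stmt["Sid"])
    return ("ALLOW_IF_IAM_PERMITS", None)


# Constructed request contexts for three scenarios.
INSIDE_REQUEST = {             # employee workload inside our VPC
    "aws:PrincipalOrgID": ORG_ID,
    "aws:SourceVpce": VPC_ENDPOINT_ID,
}
STOLEN_KEY_REQUEST = {         # our credential, replayed from the internet
    "aws:PrincipalOrgID": ORG_ID,
    # no aws:SourceVpce: request did not traverse our endpoint
}
FOREIGN_ACCOUNT_REQUEST = {    # someone else's principal, even via our endpoint
    "aws:PrincipalOrgID": "o-someoneelse999",
    "aws:SourceVpce": VPC_ENDPOINT_ID,
}


def demo():
    policy = build_perimeter_policy()
    results = {
        "inside": evaluate(policy, INSIDE_REQUEST),
        "stolen_key": evaluate(policy, STOLEN_KEY_REQUEST),
        "foreign_account": evaluate(policy, FOREIGN_ACCOUNT_REQUEST),
    }
    return policy, results


if __name__ == "__main__":
    policy, results = demo()
    print(json.dumps(policy, indent=2))
    for name, (decision, sid) in results.items():
        print(f"{name:16s} -> {decision} {sid or ''}")
```

Two caveats a practitioner would apply before shipping this: because a missing key makes `StringNotEquals` deny, the plain form also blocks console users and AWS service principals that write to the bucket on your behalf, so production data perimeter policies use `StringNotEqualsIfExists` together with exception conditions such as `aws:PrincipalIsAWSService` and `aws:ViaAWSService`, and they are usually applied organization-wide through SCPs and resource control policies rather than one bucket policy at a time.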
Secondly, organizations that use LastPass have a lot of work ahead of them, but not nearly as much as companies that have not mandated a password manager and allow employees to decide. There are easily dozens to thousands of current and FORMER employees who had no mandate for strong “management passwords” or MFA. And the company has NO IDEA, no way to get the vaults, no way to explain this to regulators.
And finally, the intermixing of company and personal secrets in a password manager seems extremely dangerous in hindsight. I would highly recommend discouraging this type of commingling or, sadly, some draconian policy where companies declare that any password manager accessed from a company-owned or company-managed device or network is subject to inspection by the company (yuck).