For the past several years, I’ve been a vocal supporter of encouraging everyone to use a password manager.
However, the password manager that I have been recommending has been steadily going downhill for the past few years (being bought by an equity firm will do that). Recently, though, it has made the tech and security news by not only having multiple breaches of their private network(s), but they just recently announced that some amount (they won’t (or can’t) say how much) of customer data has been stolen and it turns out they weren’t always using the best security practices.
For me, that’s the last straw. I’m leaving LastPass. What follows is a brief summary of what happened (at least, what we know) and what you should do if you’re a LastPass user.
LastPass is no stranger to security incidents. By itself, this is not a bad thing, provided that:
- The company (and employees) learn from each incident.
- That the company implements its security in such a way that ensures maximum data protection even if user data is stolen. Mistakes happen, especially with big companies and complex networks, but encryption is mostly a solved problem, provided it is implemented correctly. This is why it’s this second point that I feel that LastPass has let me (and other users) down on.
Here is a quick summary of the most recent breach (you can read about others on the LastPass Wikipedia page):
- In August of 2022, LastPass posted on their blog that they had recently “detected some unusual activity” in the LastPass development environment. They elaborated that the compromise resulted in the theft of “portions of source code and some proprietary LastPass technical information.” They went on to say that no master passwords, password vaults, or user personal information had been compromised.
- An update on September 15, 2022, elaborated on the August hack. In this update, they stated that “the LastPass Development environment is physically separated from, and has no direct connectivity to, our Production environment” and that they “have deployed enhanced security controls including additional endpoint security controls and monitoring. We have also deployed additional threat intelligence capabilities as well as enhanced detection and prevention technologies in both our Development and Production environments.” All of this sounds good – while it’s obviously bad that someone penetrated their development network, LastPass seemed to have security precautions in place to keep that from spreading.
- The first hint that things were about to go south was from the November 30, 2022 update. This update mentioned a second security incident involved a shared cloud storage service (probably AWS) that is shared by LastPass and its affiliate GoTo. The fact that this is shared is one red flag. The update went on to say the hacker was “using information obtained in the August 2022 incident” and they were “able to gain access to certain elements of our customers’ information”. This is red flag number two. Especially considering that – according to their September update – they had improved their detection and prevention capabilities.
- The final shoe to drop (so far) was on December 22. This update gives a vague idea of what was taken from the second security incident. The answer is LastPass backups, which include the following information:
- Customer account information: end-user names, companies, billing, and email addresses, telephone numbers, and IP addresses.
- Encrypted customer vault data.
As you might imagine, this is a pretty major “oopsie” from a password manager. However, this wouldn’t be a reason to leave if it weren’t for the following additional mistakes (or omissions) LastPass has made recently.
- LastPass is framing this incident as two separate attacks when it actually appears to be a “lateral” move. Note that LastPass has not said when the second security incident occurred. It could be because it happened immediately after the one in August (when they stated that no customer information was taken), and LastPass doesn’t want to admit they spoke too soon in declaring customer data “safe”.
- While some of the data is encrypted (passwords, secure notes, etc.), not all of it is. Unencrypted data that was stolen includes site and user metadata. While this doesn’t seem like a big deal, it means that the hackers can see information like the specific bank that a person uses. Combine this with the user metadata stolen (names, email addresses, physical addresses), and this can allow for some *very* convincing phishing attacks. Additionally, since the metadata includes company names, the hackers can target people who work at specific companies that may be more likely to hold sensitive information.
- LastPass has a spotty record of following best practices on encryption. LastPass updated its password requirements in 2018 – but did not enforce this change for existing users. LastPass updated their software in 2018 to encrypt passwords more than 100,000 times – but existing accounts were not automatically updated, even when LastPass claimed they were (many accounts used a much less secure 5,000 times or even fewer).
- These older accounts (which probably had a great quantity of sensitive information) were simply less secure against password breaches, due to the fewer iterations and shorter master passwords. And since these vaults have been stolen in this less-secure state, there is improve the security of these vaults. They simply will be more vulnerable forever. LastPass put user data in real danger due to this oversight.
- Related to the above point – LastPass isn’t saying when the stolen backups were made. If these were backups from pre-2018, they are much less secure. Additionally, if the stolen backups were from users that have not manually updated their master password and encryption, they are much less secure than LastPass PR wants you to believe.
So, with all these issues, I’m finally “motivated” to leave LastPass.
If you’re also a LastPass customer looking to move or looking for a password manager, here are my current recommendations.
Where to Move
While there are a lot of options for password managers, the big three that seem to get the most recommendations are:
I have experience with both 1Password and Bitwarden, so I’m only going to speak on those two (although I have no reason to reject Dashlane, I just haven’t used it).
I like both 1Password and Bitwarden. 1Password seems to have slightly better applications and browser extensions, while Bitwarden is less expensive and open-source.
If you’re an individual, I highly recommend going with Bitwarden, since they have a “free forever” plan that costs $0 and covers just about everything the average person could want. If you’ve never had a password manager, or you’re a single person coming from LastPass, this should be your first stop. If you (for whatever reason) can’t stand the UI, give 1Password a try, but their individual plan is $36/year with a 2-week trial.
If you’re a family and need to share/synchronize passwords, you won’t find a free plan. 1Password’s family plan costs $60/year, while Bitwarden’s is $40/year. Both of these give access to several users, with the ability to synchronize selected passwords/secure information (while keeping some information private).
I don’t think you can go wrong with either of these password managers. If you want the least-expensive option, I don’t think you’re giving up much by going with Bitwarden. If polish and ease of use are high priorities (and you don’t mind paying a little more) then I think 1Password will get you even better security along with some UI improvements.
More About The LastPass Breach
If you’re wanting to read even more about the LastPass breach, including more technical descriptions of some of LastPass’ issues, here are some great resources:
- Security researcher Jeremi Gosney: https://infosec.exchange/@epixoip/109585049354200263
- Four blog entries from Wladimir Palant’s security blog:
- #1 LastPass Has Been Breached: What Now? https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/
- #2 What Data Does LastPass Encrypt? https://palant.info/2022/12/24/what-data-does-lastpass-encrypt/
- #3 The LastPass Breach PR Statement Explained. https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/
- #4 The Significance of Password Iterations. https://palant.info/2022/12/28/lastpass-breach-the-significance-of-these-password-iterations/
- Security Researcher Steve Gibson (PDF): https://www.grc.com/sn/SN-904-Notes.pdf