I will begin by saying that a password vault for personal and enterprise use is one of the best practices and solutions everyone should use. This post, along with the situation with one particular company, should not deter anyone from using a password vault or make you think you can be more secure with a home-grown password management solution. (Hint – You can’t).
If you are a long-time listener to my Security In Five podcast, you know my support and drive for password vaults and participate in my support for LastPass. However, when things change so can and should an individual’s opinion. My support and inclusion of LastPass as a viable, secure, and trusted password vault solution is over.
LastPass has suffered a few security breaches over the last few years mainly focusing on non-customer data or the password vaults themselves. I stood by thinking they would turn things around and increase their security practices exponentially by learning from a mistake. I don’t blame a company for a breach, mostly depending on how the breach occurred, but repeat breaches chip away at my support. Especially for a security company.
The latest breach of LastPass occurred in August of 2022. When LastPass initially announced it, they stated that some customer information was accessed. That information is what I tag as ‘phone book’ information: names, emails, phone numbers etc…
However, on Dec. 22, a few days before Christmas when most IT shops are in limited operating mode at the end of the year, LastPass released a statement that backups that included customer password vaults were downloaded. What is concerning is that LastPass claims the vaults were not downloaded in August itself, but accessed later, using data stolen in August to reach the backups through an employee.
The second part of the response to the vault breaches shifted the blame, passively, to the users if their vaults are cracked. Security professionals around the industry saw straight through their response and began to poke holes in not only their words but in the LastPass technology.
The claim is that it could take millions of years to crack the vaults. This is partially true on the surface. The problem with this statement is that it relies 100% on the user’s ability to create strong master passwords on the vaults. A dictionary attack can brute force open a vault with a weak master password in minutes, days, or weeks… far less than millions of years. The second part is that not everything is encrypted. LastPass leaves URLs unencrypted. You may think that’s a benign data point, but to a hacker, knowing where you have accounts provides piles of information for the next steps. In addition, LastPass grabs and stores URLs verbatim. As an example, those URLs might be a password reset page that isn’t properly expired. That means reliance on the website’s security may also contribute to further malicious actions.
More technical details can be read here – https://www.theverge.com/2022/12/28/23529547/lastpass-vault-breach-disclosure-encryption-cybersecurity-rebuttal
Lastly, LastPass’ claims of certain crypto practices have turned out to not be accurate for everyone. In fact, a few years ago LastPass changed the master password default minimum length to 12 characters, yet they didn’t force existing users to change. If you have an 8-character master password, like many others may still have, that reduces the effort needed to crack the vault. The final security flag is that, unlike other vaults, the LastPass master password is the key. If you can crack that, you can access the vault. Whereas in 1Password’s scheme the master password is tied to a secret key. If a hacker gets the vault and cracks the master password, they still need the secret key, which the user has, to access the vault. That makes the vault nearly unhackable from the outside.
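The two key-derivation designs compared above, as an added toy example (not the post’s own code and not the real LastPass or 1Password implementation): a vault key derived from the master password alone versus one mixed with a device-held secret key, and a check of what a constructed wordlist recovers from a copied vault in each case. The iteration count, salt, secret key and wordlist are all constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed PBKDF2 cost for the toy vault; not either vendor's real setting.
ITERATIONS = 20_000


def derive_key_password_only(master_password: str, salt: bytes) -> bytes:
    """Scheme A: the vault key depends only on the master password plus a salt
    stored beside the vault, so a copied vault can be guessed at offline."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, 32)


def derive_key_with_secret_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Scheme B, loosely modelled on the secret-key idea: the slow password hash
    is XORed with a hash of a 128-bit key that lives only on the user's devices,
    never in the cloud backup, so a cracked master password alone is not enough."""
    pw_part = derive_key_password_only(master_password, salt)
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check(vault_key: bytes) -> bytes:
    """Value stored in the vault so a client can tell whether a derived key is right."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def wordlist_unlocks(check: bytes, salt: bytes, wordlist, secret_key: Optional[bytes] = None):
    """Return the wordlist entry that reproduces the stored check value, or None.
    secret_key=None models someone holding only a copied vault, as in the breach."""
    for candidate in wordlist:
        if secret_key is None:
            key = derive_key_password_only(candidate, salt)
        else:
            key = derive_key_with_secret_key(candidate, secret_key, salt)
        if hmac.compare_digest(key_check(key), check):
            return candidate
    return None


def demo():
    salt, secret_key = os.urandom(16), os.urandom(16)
    weak_master = "Summer2022!"  # constructed weak master password, present in the list
    wordlist = ["password", "letmein", "Summer2022!", "Welcome1"]
    check_a = key_check(derive_key_password_only(weak_master, salt))
    check_b = key_check(derive_key_with_secret_key(weak_master, secret_key, salt))
    found_a = wordlist_unlocks(check_a, salt, wordlist)                   # vault copy only
    found_b = wordlist_unlocks(check_b, salt, wordlist)                   # vault copy only
    found_b_dev = wordlist_unlocks(check_b, salt, wordlist, secret_key)   # user's own device
    return found_a, found_b, found_b_dev
```

Scheme A gives up the weak master password to a short wordlist; scheme B only unlocks when the secret key is also present, which is the property the post credits to 1Password.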
Why I dumped Lastpass
As the details emerged from this breach I made the decision that my time with LastPass was over, immediately. I have no clue if my vault was part of the breach, but we all have to assume it was and act accordingly.
LastPass’ public response was very poor, filled with half-truths, tried to shift blame to the users if vaults are cracked and the timing of the announcement a few days before Christmas was less than ideal.
After reviewing a few other solutions, the LastPass application is not the best out there from a feature function perspective and right now far from the most secure.
How I moved
Here are the things I spent the last several days doing to protect my 400+ accounts.
Side note – Multi-factor authentication enabled on LastPass would only slow down a hacker from accessing your vault through the LastPass authentication services, i.e. the application. A copied vault is encrypted with your master password, and MFA has nothing to do with that.
- Immediately changed my LastPass master password.
- This is a preventative move for anyone accessing the vault from today forward but does nothing to prevent a copied vault from getting cracked from my old password.
- Reset every single account in my vault. Deleted accounts I no longer used.
- Enabled two-factor authentication on every single website that offered it.
- I decided to go to 1Password (Paid Service), so I created a vault over there.
- You can export your entire LastPass vault to a clear text CSV file and import it directly to 1Password. Very easy and worked flawlessly.
- Be very aware of this!!!! Treat that file like gold. Put it into a digital vault, print it and put it in your safe or digitally shred it when you are done.
- Once I checked out the functionality of my accounts in 1Password and all the apps on mobile, desktop and web were working as expected I purged my LastPass vault.
- Canceled my renewal.
- I also created a Bitwarden (Open Source, Free) vault and will be using two vaults going forward.
As a 20+ year security professional, I would highly recommend that if you are a LastPass user you seriously consider moving to something else. Breaches happen, but I operate and think with a security hat on: companies can emerge from a breach stronger and better than before. I still stick with companies and do business with those that have suffered major breaches… if they respond and improve at a level I expect. LastPass has not. Multiple breaches over the years through poor practices, less than stellar security choices in a product that is not as good as it should be for a vault solution, and a business response that was amateurish, with a tone the media and public would accept but that security professionals saw through.
There are better products out there and it’s OK to move. Just because I was a LastPass loyalist for years doesn’t mean I stick with any company forever no matter what. Like any relationship, that loyalty and trust can be broken and lost… for me, I moved on and am happier and feel more secure because of it.
Be aware, be safe.
This is not a sponsored post, all recommendations to products are the opinion of the author.