One of the most frustrating things about the LastPass leak is that they still haven't provided all the information needed to determine whether a customer is at risk.
For example, it's clear backups were stolen, but they won't say how old the backups were, or what their retention policy is. So even if you changed your password to a stronger one, with more rotations, it may be that the attacker got hold of very old backups with weaker security. I've asked their support team for information about time windows of backups stolen, if they have a retention policy and whether it was adhered to, but they won't share that information. Instead we are left with a blog post that is more than a month old, no recent updates, and questions remaining unanswered. I'm a paying 'enterprise' customer, and they are meant to be ISO 27001 compliant, so a retention policy should be a pretty simple thing to share.
At this point you should assume you're breached. If they aren't going to give you the details, you should assume the worst.
I have asked all of my team to change their passwords. We use LastPass via our parent company and will be switching off LastPass soon for our team. LastPass never would've been my choice, it was made before I joined.
But assume you're breached, change it all now, and ideally you're not going to stay with LastPass. Their communication sucks, which is just icing on the cake in this entire situation.
Export from LP and start migrating, starting with changing common social IdPs like Google, Facebook, Twitter, GitHub, Apple, Microsoft/Live/Xbox/Outlook. Update the password of remote access programs like Parsec, and your cell phone provider's password. Then go through your TOTP generator and start changing everything in your TOTP generator (especially since you might be using LP Authenticator - if you are, then move to a different authenticator at the same time). Next: banking, your work payroll, investment accounts, Tax/IRS, shopping. From here on out, start going through the list by the amount of money involved. If you doubt that, then go through them ordered by the amount of data involved.
If you get lost and stuff seems too hard, if your replacement product lets you sort by age then just sort by oldest and hit 5 today. Hit 5 more tomorrow. Keep chipping at it. At this point you might as well change one every single day.
I’ve always felt like there’s a startup in there that can reliably change all your passwords for you. Probably something like one time $299, which sounds expensive, until you realize the pain of doing this.
Depending on how it was implemented, that could just increase the attack surface. Assuming it's a cloud service, now we have another company that has all your passwords, that can be breached. A better way would be desktop software that runs on your local machine and logs in to each web site by itself and changes all your passwords, without using any remote compute or storage, outputting a local file with all your new passwords (don't make the same mistake again using a cloud password manager).
I love web scraping, maybe I can update this prior idea. With the high proliferation of botting, a lot of sites are now resistant to this type of scripting, but at this low volume of interaction, it may be doable with some effort like Undetected Chromedriver.
Vault rotation++. I was bitten by this switching authenticators when one didn't have an export at the time. It was such a massive pain to log in and remove, add, set up and annotate, store secrets and repeat.
This was also the final straw for our organization: we have initiated a company-wide reset of any credentials stored in their service (thanks, LastPass) and are definitely not going to be renewing. The frequency of recent breaches, and especially the opaque manner in which they have been handled, have destroyed any credibility they may have once had with regard to being trustworthy enough to store important secrets.
That reads like you're resetting credentials and then putting the new credentials back in LastPass, and then possibly maybe moving away from LastPass at some point in the future.
Given how little LastPass has disclosed, and the negligence we already know about, we should not only assume we're breached, but we should also assume LastPass is still storing critical data in cleartext, they don't have a "zero knowledge architecture", and their systems are still vulnerable to intrusion and exfiltration.
That's good advice. I already made that assumption when the leak was first publicised and changed all of my important passwords the same day. I'm just trying to decide whether it's worth changing the hundreds of other low value passwords that were once stored in LastPass. I migrated to another service a few years ago, but I'm concerned the attackers have got hold of older backups, containing sensitive data that I had deleted, but with LastPass's poor communication, there is no way of knowing.
Honestly, even before this latest update, it's safest to assume that your data will be decrypted at some point, and get started changing everything now.
Luckily I had already switched over to Bitwarden, but I still had around 250 accounts to go through, although about 40 entries ended up being duplicates, defunct sites/products, or so old that the accounts were already deleted due to inactivity.
If you haven't started rotating all of your credentials already, this news should definitely get you started on it!
I did the Lastpass->Bitwarden migration around Christmas, and it was probably 6 hours all told just changing passwords for the accounts I administer. The good thing is, you get pretty fast at changing them after a while.
She probably had an account that had a very low number of iterations. LastPass never updated those unless someone knew to do it manually, so if it was an old account she likely had 5,000 iterations out of the recommended minimum of 100,000.
If your master password has enough entropy, you're safe with 1 iteration. It's not a great idea, and what "enough" is can be ambiguous. But if your master password is provably 70 bits of entropy or so, you should be fine.
But it's probably easier to just change your passwords anyway. At this point I wouldn't be surprised if the story gets even worse somehow.
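An added illustration (not code from the thread or from LastPass) of the tradeoff the comments above describe: a master password's entropy and the PBKDF2 iteration count add up, in bits, to the work an offline attacker faces against a stolen vault. The 5,000 and 100,000 iteration figures come from the comment; the attacker hash rate is a constructed assumption used only to turn bits into a rough time estimate.

```python
"""Work-factor model for a PBKDF2-protected vault key.

Illustration written for this thread; not LastPass code. The guess
rate below is an assumption for the sake of the estimate, not a benchmark.
"""
import hashlib
import math

# Assumed offline throughput for PBKDF2-HMAC-SHA256 (placeholder, not measured).
ASSUMED_HASHES_PER_SECOND = 1_000_000_000

# Figures quoted in the thread: a legacy account vs. the recommended minimum.
LEGACY_ITERATIONS = 5_000
RECOMMENDED_ITERATIONS = 100_000


def work_factor_bits(entropy_bits: float, iterations: int) -> float:
    """Total attacker work in bits.

    Each of the 2^entropy candidate passwords costs `iterations` hash
    computations to test, so the iteration count adds log2(iterations)
    bits on top of the password's own entropy.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    return entropy_bits + math.log2(iterations)


def iterations_to_match(target_bits: float, entropy_bits: float) -> int:
    """Smallest iteration count that lifts a password of `entropy_bits`
    to an overall work factor of at least `target_bits`."""
    missing = target_bits - entropy_bits
    if missing <= 0:
        return 1  # the password alone already meets the target
    return math.ceil(2 ** missing)


def expected_crack_years(entropy_bits: float, iterations: int,
                         hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Expected time to find the password offline, assuming the attacker
    finds it after searching half the keyspace on average."""
    expected_guesses = 2 ** (entropy_bits - 1)
    seconds = expected_guesses * iterations / hashes_per_second
    return seconds / (365.25 * 24 * 3600)


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, the construction commonly used to stretch a master
    password into a vault encryption key. Same inputs always give the same key;
    a different iteration count gives a different key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


if __name__ == "__main__":
    # A 40-bit password is roughly a 3-word diceware-style passphrase.
    for label, entropy, iters in [
        ("weak pw, legacy iterations", 40, LEGACY_ITERATIONS),
        ("weak pw, recommended iterations", 40, RECOMMENDED_ITERATIONS),
        ("70-bit pw, single iteration", 70, 1),
    ]:
        bits = work_factor_bits(entropy, iters)
        years = expected_crack_years(entropy, iters)
        print(f"{label:32s} work={bits:5.1f} bits  ~{years:,.2f} years")
    print("iterations needed to lift 40 bits to 70:", iterations_to_match(70, 40))
```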
The title should be updated to reflect that this wasn't data from LastPass but from other products under the GoTo umbrella.
> Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.
I don't think it was intentional: this is one of those places where ripping the band-aid off is far better than slowly dragging it out. The drip-fed reveal increases the raw number of headlines about the breach and drills the idea "GoTo is bad at security" into people via spaced repetition. If they said "our entire company was pwned" on day one, they would have had their day in the media and by now only HN would still be grumbling about it.
I think what's actually happening is that they're just really bad at security. Either every few weeks they discover something new or they still haven't successfully locked the attacker out.
I do think they are being very intentional in how they release and frame things, and one of the things dripping it out can do also is produce some level of fatigue on reporting it. It definitely seems like they knew some things before it came out - some people have looked at changes to their site and there are new or updated marketing changes that in retrospect seem very correlated to what we're learning now. Not definitive proof, but very concerning.
I also think you are correct to a point, they are really bad at security so it is also possible that some of these things are just coming out also.
This assumes everyone sees all the headlines. This approach is very bad for people paying attention, but the type of people to pay attention to this kind of news would probably be unwilling to go near LP again if it was revealed all at once. Their play might be to assume the initial headlines get the most coverage so soften the message there, then wait for a general audience to tune out and reveal the worst parts.
When it comes to important stuff I think it’s important to trust no one.
I’m sure LastPass tried really hard to protect data. But everything fails eventually. If there’s things that are life threatening or financially devastating then I don’t think I can afford to audit people sufficiently to trust them with the info.
This is also why I can’t imagine ever using Plaid/Mint/etc that require my bank credentials just to do minor stuff like make payments or read transactions.
These password managers are in a tough spot market wise as they aren’t smart enough to secure super important stuff and for unimportant things, iOS/chrome password management is pretty good. I don’t mind if my audible account gets rooted, but it would be very bad if my bank or brokerage gets rooted.
Things are improving bit by bit. BofA and Chase both have OAuth and pretty granular permissions now. Citi and Wells Fargo have OAuth APIs too, though I haven't worked with them personally. That's the top 4 consumer banks, but many credit unions are stuck in the past. Credit unions in general need to wake up about how far behind they are in IT investment, and use a common IT vendor to modernize.
> I’m sure LastPass tried really hard to protect data. But everything fails eventually.
Sure, but password managers available over the internet are especially vulnerable. They're major centralized honeypots given the data they handle, and leaks are probably worth millions on the black market. To think that any company could handle this responsibility is naive at best.
Password managers are an entire section of software that shouldn't exist. They're too confusing and a chore to use for the general public, even if users are educated about their importance, and would like to secure their accounts. Many non-technical people don't bother or care at all.
The way forward is to get rid of passwords altogether and make passwordless authentication the norm. There have been some usability improvements in recent years in this area, to the point where it could reach mass adoption, but the change needs to start with developers.
I was a LastPass user for many years, many years ago, and trusted them, but have since moved all my passwords offline. And I would very much like not to worry about maintaining accounts, updating passwords, etc. Ugh, what a chore.
> [Password managers are] major centralized honeypots given the data they handle, and leaks are probably worth millions on the black market.
My knowledge in this area is admittedly limited but shouldn't password managers be fully encrypting your data with a key only you have (like 1Password). The way I understood it was that these leaks shouldn't be a problem because the data is worthless without the master key. Although I guess LastPass wasn't doing it that way.
I was specifically talking about _online_ password managers in that quote. Even in the best case scenario that they do follow all best modern security practices for storing the data at rest, there are countless exploit opportunities while the data is in transit, especially considering the clients are web browsers, with their own security issues. Not to mention the vulnerability from rogue employees, social engineering, etc.
Entrusting _any_ company with the secrets to your digital life is a bad idea in general. I know that 1Password is the darling in this space, but breaches are a matter of time. They only need to mess up once. Their entire business reputation relies on being 100% secure, which is impossible. I'm not surprised LastPass is reluctant to share more information; they want this to go away as soon as possible so that business can continue as usual. It also wouldn't surprise me if there were other breaches that were never made public, at LastPass, 1Password, or any of these companies.
> I was specifically talking about _online_ password managers [...] considering the clients are web browsers
Is that an actual thing?! I'm only familiar with password managers that use the Internet to synchronize, i.e. it's still 100% possible to apply the cryptography such that the service vendor or anyone else cannot read your passwords stored or in transit.
I can maaaybe imagine password managers with a web interface that however still decrypts locally, client-side.
TLS does a good job at this, and I'm not assuming it's compromised. But it's complex to set up correctly, and I'd rather avoid the need to transmit sensitive data every time I access my credentials, and entrust my most critical information with a 3rd party, all to support a service that shouldn't exist to begin with.
Password managers are currently a necessary evil, so if you must use them, use an offline one, and sync across devices via any other secure mechanism.
Not just that, this drip feed of information makes formulating a proper response very difficult.
If, for example, you deleted your account after the first report in August (a rational decision), you have no way of checking what iterations setting you had, now that people are talking about it.
It's also unclear whether you will receive any data breach notifications detailing the exact impact to your data, since your account is now deleted - do they keep a history for "post-fact" situations like this?
And of course, if you didn't keep a backup of your passwords before deleting your account, you'd have to reset everything to be sure.
Terrible, awful company with no respect for their users.
There's not really any benefit to deleting the account other than forgetting they're untrustworthy and accidentally using them in the future. I would think it's better to change all passwords (at each service, not at lastpass) and leave the account at lastpass active, precisely to be in the know for such things in the future. That's unless I'm misunderstanding something about their service that makes it better off to delete the account. I've never used them.
They still have a list of accounts, email, usernames, even if the passwords have been rotated, plus whatever happens to be in secure notes and the like. Deleting the account is really easy (has to be for EU customers) and they're obliged to delete all data they hold on the user (under EU law), so I don't see any reason to let that kind of data sit around on an untrustworthy party's servers. I certainly won't need a reminder that they're untrustworthy.
> Part of me wonders if this was an intentional strategy: Downplay during the initial media round then very quietly reveal this was a worst case scenario.
Seems like a poor strategy. This is like an infected wound that keeps on festering. A turd that will not flush. A house guest that won't take multiple hints it's time to leave. Better to just get it over with in one go; next week the news cycle will be something else and it will be over; now it's in several news cycles again and again.
This sort of thing will all encourage us to 'naturally' move towards a government backed, biometric solution. Which will of course be phone based, will hold your wallet, ID and medical information, and will be provided to us by kindly corps such as Twitter, Google, Apple, Microsoft, Meta, etc.
Surprisingly, the government based sites I use let me use email for 2FA, which is better than phone since I can add 2FA for my email as well. It's the banks that keep insisting I use a phone for 2FA. I have moved away from Ally because of this.
And each drip paints a bigger crosshair on the back of KeePass w.r.t. supply chain attacks (the only angle where KeePass isn't inherently better than others). I wish LastPass all the best in terms of improving their communication!
After using LastPass for years, this breach led me to do something I should have done long ago: remove my bank account & email account passwords from it (and change them, of course). My wife did the same thing. At some point I'll probably switch password managers, but the basic realization was that those passwords are qualitatively different than the rest and should never, ever be trusted to any password manager.
So now I remember ~3 passphrases, instead of 1, and sleep much better at night.
I disagree, mostly because the password manager is more than just a place to store passwords. The origin binding also prevents you from typing the password on the wrong domain. For many people they’re probably more likely to get phished for a memorized password than pwned for a managed password.
Yet another point of absurdity. Only if I live in California do I have the right to demand a company clear all my personal data. Meanwhile we have multiple large organizations that have hemorrhaged data to the world and caused irreparable harm to individuals, with little or no consequences. We're all held hostage by tech.
I wonder if there's an app/extension that streamlines remembering/autofilling usernames but not passwords. I doubt many people would be into it, but it would be the best of both worlds for the case you describe, I think.
Or simply a personal allow list of origins, with a happy green indicator prominently overlaid onto login forms on those origins you've saved -- doesn't even need username storage.
Maybe even a community-sourced allow list, but that would need some seriously trusted management (including purging upon domain registration expiry/transfer) but that would mostly duplicate the domain warnings that browsers already offer, anyhow.
You can create an item without a password for this purpose - it would show an indicator if you have an account at a given domain, and would even autofill the user name.
But you still get to save the critical password from the poor security of password managers
> the critical password from the poor security of password managers
Just because one restaurant has a bad health inspection score and is constantly making everyone who eats there sick does not mean all restaurants are bad. People who just lump "password managers" into one group are fundamentally assuming that one bad password manager means that all password managers are automatically bad, we just somehow don't know it yet. Don't bother eating at restaurants ever again if you feel that way, I guess. I know people who have gotten sick eating at restaurants, but that doesn't stop me from finding good restaurants.
Most password managers have a very good security track record. Users creating and remembering their own passwords does not have a good security track record at all.
Better to use a completely offline password manager (which risks you losing your backups or getting into a conflicting sync state) than no password manager at all, but a password manager that actually encrypts all your data end to end (which LastPass does not) and requires a strong key to unlock (such as the 2SKD method, which again... LastPass does not) is extremely safe, even if you don't trust "the cloud", because you don't need to trust the cloud.
A much more convenient mitigation: create an item without a password, so it would autofill the username (and not autofill if you're being phished, since the domains wouldn't match), so all you'd have to do is enter the password from memory.
Doesn't cease to amaze me with what confidence people recommend these "Switch to 1Password", "Just use BitWarden". I switched to KeePassXC because it seems all the cloud-based password managers have the same endgame: get hacked.
> It takes ~5 min to export and import.
Only 5 minutes, and you've just doubled your attack surface area. Congrats.
I was always a bit wary of these services. They sound great, and the convenience is amazing, but I have not much of an idea how everything works behind the curtain.
I went with unix pass installed inside of a FreeBSD jail. It's more complex than auto-filling with a browser plugin (though those exist), but as long as I can get an SSH terminal I can get to my passwords, and various other bits of data. You have to allow password login from sshd (which isn't ideal, but I was going for "access from anywhere I can get an SSH session"), so your passphrase had better be good. And you need to have terminal discipline to be sure you clear the screen if shoulder-surfing is an issue.
But it has the advantage of knowing exactly what's going on at all times. And, for added benefit, there are only a handful of things you need to have printed out and stored in a safe or whatever so that your family can access all of the encrypted important stuff if you get struck by lightning.
> I went with unix pass installed inside of a FreeBSD jail.
> And, for added benefit, there are only a handful of things you need to have printed out and stored in a safe or whatever so that your family can access all of the encrypted important stuff if you get struck by lightning.
Presumably this print out includes an instruction manual for using FreeBSD, opening a terminal on a FreeBSD machine, launching a shell inside a jail, and accessing this "user friendly" software? Exactly how technical is your family?
Forgive my disbelief that this is an actual solution for anyone but yourself.
> but I have not much of an idea how everything works behind the curtain
Any good password manager documents this stuff very well. LastPass has a very shallow white paper that constantly refers to encrypting "sensitive data", but they never define what that sensitive data is, which is suspicious, and it turns out that LastPass doesn't encrypt everything, which everyone who cares about this stuff has known for years. In the 1Password document, they talk about how every item in the vault is encrypted, and every item contains various fields such as Title, URL, etc. 1Password encrypts everything.
1Password also talks about the benefits of using a user password plus a generated 128-bit "Secret Key" (2SKD), which is a security feature I strongly appreciate.
>Presumably this print out includes an instruction manual for using FreeBSD, opening a terminal on a FreeBSD machine, launching a shell inside a jail, and accessing this "user friendly" software
I never said, nor meant to imply, that it was user friendly. But, yes, showing a moderately intelligent person how to access it is easily done with a set of instructions, maybe a single printed page. Not "user friendly," but certainly usable. If I am a smoldering corpse, they can rescue whatever is stored there relatively easily. Since the software is ridiculously stable, the instructions will be equally stable.
It's not a universal solution by any means. I tossed it out there as an alternative. I'm sure you really love 1Password, and if it works for you, fantastic. I'm distrustful of any service in general, but maybe 1Password is 100% rigorous in all of their security measures. I have no idea, as I don't work there, or know anybody who works there. I'm relatively confident in mine, as I built every step of it (which wasn't much), and it has very few moving parts.
GoTo has been bad for a while. I recently sent their team a support ticket for their GoToWebinar API (API response contained completely different/wrong data). They said it's not that much of a problem and said they weren't gonna fix anything. Hilariously bad.
If that wrong data contained emails, etc. Then that would be a data breach and legally they need to fix, inform affected users, and report the data breach. If they said they weren't going to fix it, report it.
I'm on hold with lastpass enterprise support as I type because upon reviewing our account we found a super-admin that is 'blank', no text appears but it has been granted policy access to all shared folders. This is nuts. We use SSO so iirc the keys were 128bit x2 which was supposed to be completely unaffected by the dump. Perhaps not. Screenshot here: https://freeimage.host/i/H0RICCu
I didn't realize that Lastpass was part of the same company who brought us GoToMeeting.
It makes me wonder if this is all a result of GoTo general culture permeating into LastPass. GoToMeeting and Webinar feel hilariously outdated, and I think that people use them mostly because of corporate inertia.
We are heavy users of GTM, and have been for over a decade.
Initially, it was FAR AND AWAY the best and most reliable option for meetings. It worked well across platforms, and the screensharing -- especially the ability to see a participant's screen, not the host's screen -- was stellar. This was key for us; we're a small software company, so GTM sessions to help client IT install, or help a customer with a problem, or even get the system configured initially, were all our bread and butter.
Sadly, GTM over time has fallen prey to the same thing that ails lots of older products: it just keeps getting worse, and it feels almost deliberate. We do not give two shits about video, but they're pushing it hard. Sharing controls change revision to revision, which makes it harder for us to coach customers on how to use the tool. Lag and delay has become a real issue.
Makes me pleased to be a loyal Zetetic Codebook (née STRIP) customer.
The thought of storing my passwords on a web/cloud-based service always struck me as the dumbest thing anyone could do as it would be only a matter of time until such a service was hacked.
I started using Zetetic after learning about them via a 2012 Black Hat conference presentation where they took a bunch of password managers and STRIP came out on top. I figured if it was good enough for them, it was good enough for me. The product has only got better and better since 2012 (note that the presentation PDF is out of date in terms of security; they have of course changed hash and substantially increased rounds! See their website for detail).
+1 for Codebook. I’ve been using it for ~5 years and haven’t had an issue, I feel secure in managing where my vault is stored and haven’t had issues with syncing. It’s a one-time fee per device type - I paid for iOS, macOS, and Windows without any hesitation.
Additionally their support is really good. They added a feature on iOS version (and Android I assume) which copies the TOTP when you use codebook to auto fill a login. However it cleared the clipboard when the TOTP code expired which was sometimes too soon - I suggested they add a buffer of ~15-30 sec which most TOTP validators allow, giving the user a bit more leeway in pasting it. They added it in the next version.
Some cons though: They do lack Linux support. Syncing is manual (I think they mentioned the next big update will make it more automatic), and there aren’t any family/team sharing capabilities. For these reasons I would really only recommend it for tech-savvy individual use. I’ve recommended it to a few colleagues and they have had great experiences and continue to use it for several years now.
I have recently moved away from lastpass onto 1password and find myself with some 1000+ credentials that I will now have to change.
Been working through the list and made a small dent of 50 accounts so far... There must be a quicker way to do this?
The functionality provided by such an API could be limited to disabling the account until the password is manually reset given that the client provides a valid email and password. The blast radius for that would be pretty small.
I don't use 90% of the entries in my password manager on a monthly basis so anything that allows me to delay the password change on hundreds of accounts until I need to use the account again would be valuable.
I don't think this matters that much. Most accounts are just for random websites that don't let you use basic functionality without a login. Being able to manage such accounts efficiently & without dark patterns in one program would be a massive time-saver, but whether a bad actor takes a few seconds or a few minutes to take over my important accounts I'm screwed either way.
I remembered that and before I learned more about the breach and was feeling "breaches happen" about things (I have strong master password) my thought was to use that to update passwords by age... but they actually removed the feature! That seemed so user hostile it made me mad enough that migrating somewhere where I can work with password age became my goal. Then as I've learned more about the breach, their design and their response it's just put wind in my sails.
Bitwarden isn't much better, but they do have a CLI that technical users can cobble something together with. (I ultimately decided to skip on Bitwarden also.)
I imagine you can triage that quite heavily; change the critical ones (bank/email/etc.), then change anything where passwords and usernames have been duplicated. Anything else is probably pretty low priority both in importance and criticality.
Because telling your boss you will be spending the next 3 working days going through all your passwords might not be the best use of time, and you might want to spread it out a bit. Especially when most of them are obscure websites that are not likely to be the first target in a password leak.
I just migrated over to 1Password and deleted my LastPass account. Better late than never, I suppose.
It was surprisingly easy: for all of LastPass's faults, at least they don't use shady vendor lock-in practices (like making data export needlessly difficult). And 1Password has a LastPass-specific import page, which made the migration dead easy.
Password reuse is the most common way people are breached. Until there’s pervasive WebAuthn passkey support, that means you need a way to store unique passwords for everything you use and that can’t be algorithmic because different sites have conflicting policies.
Other password managers don’t have Last Pass’ long history of security concerns. They also have hardening against this specific scenario. For example, 1Password assumes they could be breached and includes a strong random key which is unique per-user so in an event like this the attacker would have to do a lot more work to break vaults:
The point is to allow oneself to use a different password for each website, and strong ones at that. The time required to memorise a large number of strong passwords is significant, and a password manager alleviates that.
> By migrating from one to the other, aren't you exposing yourself to the exact same risk?
My main gripe with LastPass is that they did not encrypt everything. Vast amounts of important information (email addresses, billing addresses, telephone numbers, IP addresses, website URLs) were not encrypted on users' local machines with the master password, and subsequently have fallen into the hands of a malicious actor.
I would feel much better about LastPass if the security genuinely was safeguarded by a strong master password. But they've demonstrated that it's not.
Other password managers, as far as I can see, provide much greater protection in terms of encrypting everything. That's why I'd feel better about using them.
The alternative right now is to use the same password everywhere. That's even worse.
If one site is breached you have to go change your password everywhere. By using a password manager if one site is breached you just have to change that one password for that site. Using the same password everywhere is a real concern that should be avoided at all costs.
LastPass's breach is the exception to the rule. Generally speaking password managers have had a far better go of things than LastPass has.
By far, using a quality (LastPass is not one of them and frankly never has been) password manager is likely going to be the most secure thing that any average user uses every day.
This breach is much the same as the typical media stuff, hyperbole does no one any good. One bad thing happens and the sky is falling (hyperbole). No, the sky is falling for that app (LastPass) but not for every password manager. You have two really good options: Bitwarden and 1Password. I, personally, wouldn't touch any others that are cloud based. Local password managers are another matter, but they're simply a non-option for me and I'm not willing to give up the convenience, or the administration abilities that come with it in a business environment.
> The alternative right now is to use the same password everywhere. That's even worse.
Or to just use the browser's saving functionality and never push your passwords online in the first place. They're probably only using one primary device like me; I generally don't log in to stuff on my phone, or personal stuff on my work laptop/work stuff on my personal laptop.
If their habits are like mine then these cloud password services are pretty pointless.
You're unlike most people in that regard. I'm signed into services on at least two or three devices -- a desktop, a laptop, and my phone.
Also, with your setup, what happens if the computer with the browser containing all of the saved passwords is destroyed somehow?
I don't know if this has changed, but a few years ago the stored passwords in Chrome were stored unencrypted in a sqlite3 database. (on Linux, at least) I'd use an audited service such as Bitwarden or roll my own Keepass thing before using the browser's saved password feature. All it would take is one RCE exploit in a browser to expose your passwords.
I think that using multiple devices is probably by far the most common use case. Personally I have my own PC, a work laptop, and a phone that I regularly use, and a tablet that I use irregularly (but often enough that I want my account information available).
Years ago, I told them privately of a vulnerability in their implementation of 2FA. They dismissed it as a non-issue.
A couple of weeks later they sent out a statement "clarifying" how their 2FA had a caveat. It was basically marketing bullshit glossing over the fact that they don't enforce 2FA locally (sorry, details are very vague in my memory now, but I remember it being a serious mis-implementation).
...their CLI tool is de-facto deprecated (unsupported) and has several unreliability issues (ie: `lpass ls/userls ...` reports differing amounts of values depending on when a user was added to the folder or not). Basically `lpass ls ... | xargs -n1 ...` cannot be trusted, and you can only get an accurate list of passwords (or users) from the actual GUI.
It makes automation, auditing, reporting, near impossible.
What’s the best way to delete an account? Overwrite all password values? Wait a month, overwrite again, wait a month, delete? It’s hard to tell what’s sufficient to reduce the risk that someone who breaches them in the future will use my data.
I doubt LastPass deletes my data when I delete my account. I even wonder if to comply with GDPR, they just disassociate the data from me so it can never relink, but keep the data so it can be used, sold, or rented.
> What’s the best way to delete an account? Overwrite all password values? Wait a month, overwrite again, wait a month, delete?
The only sensible approach is to change every password on every site that you’ve ever stored credentials in LastPass for. Any attempt to change the passwords is just hoping that their backups are better secured than their prod database (they are almost certainly not), and also that the data wasn’t popped before you changed them (which they almost certainly were, probably multiple times).
Delete your account, but revoke/update all those passwords asap as well. Since the site/url and email addresses were not encrypted, I’d be changing the email address on at least critical accounts as well where I can.
Best is to rotate all your stored passwords and not store the new ones in lastpass, delete all the items, and change the lastpass master password. Check any notes for sensitive info before overwriting and then deleting the entry and assume someone else will read what you had there.
For important accounts you should probably update your passwords.
Assuming you aren't reusing passwords, you shouldn't need to track down every online store you once bought something from. But you should consider updating your passwords for bank accounts, Paypal, Amazon, Google and whatever else would be a major headache if it were compromised.
I honestly don't want to be locked out of my passwords, just because Apple decides to block my account for "abuse", because I use iTunes Music Fitness Plus from wrong country or whatever.
There are all these "lol we blocked you for abuse, good luck doing anything :^) I guess complain on twitter lol" horror stories that I don't want to be locked down to one provider that does _everything_, the way Google or Apple does.
Even the fact that I have all e-mail at Google that can randomly ban me for "abuse" makes me scared, but I don't want to figure out how to move all my mail history to ProtonMail or AOL or whatever. I will need to have that as a risk.
I think we seriously need legal regulation for that. A company should not be able to take your personal data hostage like that. If they really want to ban you, you should at least be able to legally request a copy of all your data.
I moved to Protonmail for precisely this anxiety, and can tell you that there's not much to "figure out". It's pretty painless, they have a guide for it, and despite what I think about Google, their "Takeout" service isn't too bad.
This is what I have been doing since migrating away from LastPass. It has been great so far (and free). I’d say that I wish I could share passwords like in LastPass/1Pass but honestly my wife always struggled with that, so it’s easier to just AirDrop a credential if we need to share. It’s also integrated so well with Apple products that my wife was using it without even realizing it. I suspect the same will happen with my daughters.
Yes, it's only convenient on Apple devices. But it's still doable if you don't access that much stuff on other devices, e.g. when I need to access something on my Windows computer (which basically exists to run Microsoft Flight Simulator), I just manually retype passwords from my iPad.
I use a mix of Keychain and MacPass (keepass compatible). I will add something to MacPass, then sign in with it and let Keychain remember it. Notes however:
1. I do not use the MFA capability of Keychain at all. Putting your MFA, username and password in the same store is fucking stupid. I have a hardware TOTP token. Backup codes for that are however kept in Keepass.
2. I keep an offline backup of everything. Never trust a cloud backup!
3. All vendors are ephemeral, regardless of their size. Everything I have I have a carefully planned exit plan for.
As other people have pointed out, your keychain is on disk, but if you lose the Mac and find out your MFA codes don't work or something (this does happen) then you're SOL. Keep a backup.
I'm not sure about Apple's cloud stuff, but the keychain is actually just a file on your system. It is password protected, but it is just your login/sudo password (depending on which file it is).
I just had my keychain corrupt last night while I was testing the SecItemAdd API. So keep that in mind, maybe make backups. I was pretty shocked that you can corrupt the keychain using just the API, the entire security process started to lock up too. I had to (manually!) delete the entire keystone and start from scratch. Luckily I don't rely on it much.
It is worth noting that after you back it up to a remote location, it may not be a very secure concept anymore.
Keychain is perfectly fine if you're all in on Apple stuff. I am, so I could start using it today. A downside is that it doesn't have much in the way of a dedicated UI, especially on iPad/iPhone. Compare the 1Password app to Settings > Passwords on a phone. Keychain also only handles passwords, and not TOTP, notes, software licenses, etc.
In the comments on Reddit someone linked to a podcast where they broke down what this really means in terms of how "secure" your leaked encrypted vault is.
The TL;DR is even with 100k+ iterations of PBKDF2 an attacker can crack a password with 40 bits of entropy in about 71 days if they had access to 200 modern GPUs. For comparison if there were only 1 iteration instead of 100k the same type of password could be cracked in 61 seconds.
50 bits of entropy changes things a bit. Now it takes 1 year instead of 71 days but if you're a high value target they can just ramp up the number of GPUs to reduce the time.
The difference between 40 and 50 bits of entropy for a password look like this:
40 bits: !climb33
50 bits: ClimbS1@
40 bits: any 9 lower case letters
50 bits: any 11 lower case letters
The takeaway I got is you're probably ok if you have a really good password (150+ bits) with 100k+ iterations but if I were using Lastpass personally (which I'm not) I would absolutely re-roll everything and never use the product again. I personally use a command line tool called `pass` which stores everything locally. This story interests me though because I am mildly involved with someone who is using Lastpass and I suggested they re-roll everything. I'm happy to see someone did the math, it's the exact information I wanted to know.
I think this misrepresents password entropy. For example forcing a capital letter mostly results in lusers capitalising the first letter (and losing about 1 bit versus having the choice of case for every character). Requiring "special characters" further decreases the entropy (certainly in theory, and I assume in practice).
I used https://www.omnicalculator.com/other/password-entropy to calculate it by the way. I threw out a few examples but you're right, it does come down to individuals knowing what to do or not. Those aren't meant to be good examples of passwords to use in practice.
For the record, it's pretty easy to do this by hand. The calculator assumes the attacker knows how many of each kind of character there is, which is a weird assumption so I'll not use that. Anyway you can take the base-2 log of the number of possibilities, or more easily add the entropies of each character (if they're not related). If you take e.g. the 64 symbols of Base64 as your allowed space you get: n*log_2(64)= 6n bits of entropy for an n-character password.
Given that most brute forcing is probably going to be done with wordlists and various permutations, I found this site to be interesting for estimating real password strength: https://lowe.github.io/tryzxcvbn/
Pass has clients on iOS and Android, but there was some blocker with my GPG key on YubiKey last time I tried.
Ended up on Bitwarden (Vaultwarden in my closet really) instead for web passwords. Admin passwords stayed in pass because I want to be sure I have them. Git is local to the device even if the server burns down.
You can rsync the whole directory of passwords elsewhere and then connect there from your phone using SSH. If you're handy with `pass` you probably have an SSH client on your phone anyway (I use Prompt on iOS). Some people might think you're weird for using SSH from your phone though, fair warning.
That's a good question to ask the podcast host (the source of those numbers).
On the reference page I linked it mentions:
> Having 40 bits of entropy is approximately 1,000 times weaker than 50 bits since bit strength scales exponentially. In other words, random bits are worth a lot because each additional truly random bit, on average, doubles the time required to crack.
71 days vs 365 days is about a 5x multiple. I'm not sure how all of that ties together.
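As an added example (not from the thread, the podcast, or the omnicalculator), here is the by-hand method described a few comments up (length times log2 of the alphabet) together with the bit-doubling rule quoted just above, so the 9-lowercase / 11-lowercase and Base64 figures can be checked. The guess rate in the demo is a constructed assumption, not a measurement of any GPU rig:

```python
"""Password entropy and brute-force cost estimates (added example).

Assumptions: characters are drawn uniformly from their alphabet, the 32
printable ASCII symbols count as one class, and the guess rate used in
the demo is made up for illustration.
"""
import math
import string

# Character classes used for the upper-bound charset estimate.
_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def entropy_for_alphabet(alphabet_size: int, length: int) -> float:
    """Bits for `length` characters chosen uniformly from `alphabet_size`
    symbols: length * log2(alphabet_size). Base64 (64 symbols) gives 6n."""
    return length * math.log2(alphabet_size)


def charset_entropy_bits(password: str) -> float:
    """Upper-bound estimate: treat every character as drawn uniformly from
    the union of the classes present. Human habits (capital first letter,
    trailing digits) mean the true entropy is usually lower."""
    alphabet = sum(size for members, size in _CLASSES
                   if any(c in members for c in password))
    if alphabet == 0:
        return 0.0
    return entropy_for_alphabet(alphabet, len(password))


def expected_crack_seconds(bits: float, iterations: int,
                           guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust 2**bits candidates when each candidate
    costs `iterations` hash computations (PBKDF2 rounds) and the attacker
    can compute `guesses_per_second` single hashes per second.
    Iterations scale the cost linearly; bits scale it exponentially."""
    return (2.0 ** bits) * iterations / guesses_per_second


def time_ratio(bits_a: float, bits_b: float) -> float:
    """How many times longer bits_b takes than bits_a on the same hardware
    and iteration count: each extra bit doubles the work (40 -> 50 = 1024x)."""
    return 2.0 ** (bits_b - bits_a)


if __name__ == "__main__":
    RATE = 1e10  # constructed: assumed single-hash guesses per second
    print("9 lowercase letters :", round(entropy_for_alphabet(26, 9), 1), "bits")
    print("11 lowercase letters:", round(entropy_for_alphabet(26, 11), 1), "bits")
    print("10 Base64 characters:", entropy_for_alphabet(64, 10), "bits")
    print("charset estimate for ClimbS1@:", round(charset_entropy_bits("ClimbS1@"), 1))
    for bits in (40, 50, 150):
        for it in (1, 100_000):
            secs = expected_crack_seconds(bits, it, RATE)
            print(f"{bits} bits, {it:>6} iterations: {secs / 86400:.3g} days")
    print("50 vs 40 bits ratio:", time_ratio(40, 50))
```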
Has this soured the concept of a password manager? Instead of many different accounts and passwords you also add one more account that gives you access to everything. Backdooring yourself.
People will say you have to use one because you might reuse a password. If a hacker gets a hold of it they will have access to other accounts. Hopefully many use different emails and/passwords but even if they don't an attacker doesn't have a list of websites this works on and will try to login to major sites which usually alert the user. If your lastpass account has been hacked they know all sites large/small and will have an easier time stealing info/money from smaller sites with lower protections and can blackmail you because you saved your pornhub account (with a privacy email address) in lastpass.
People are going back 5 years trying to get information from a company they have no relationship with. This company kept your passwords after you left. Once you give them to LastPass they are no longer secured even if you decide to leave... 10 years later coming in through that backdoor you left open.
Contrary to popular belief, maintaining a synchronized file is not difficult.
This "breach" is just as good as assuming Google or Apple or Bitwarden or any other cloud password manager is broken, because they all work in the same way: "we promise to keep it secure". This is different from storing a KeePass file on the same Google cloud, because an attacker has to break into your cloud login first, then hope to find your KeePass file, then try to break that file.
As opposed to breaking into your Google account and seeing the passwords, or breaking into Bitwarden or 1Password or something else.
If someone has a login to 1Password of 10 people, there is good reason to assume there will be passwords stored.
I don't know about you but I have been using KeePassDroid and another client from F-Droid for years now..... maybe this was because, as you said, "low quality and often poorly supported closed source clients"...
The occasional times I haven't been able to log into my bank because I was on a computer that didn't have my kdbx file, or the small worry I have of keeping it up to date in multiple places while transitioning my main system... are no bother compared to the constant worry that someone might have my logins because of some security breach. That said, I just give Apple everything when on that ecosystem. ¯\_ (ツ)_/¯
Keepass2Android is excellent if you have an Android phone. You can use that with Syncthing to synchronise files, and InputStick to emulate a keyboard over Bluetooth if you're using a non-personal computer.
Maybe overkill, but I use Cryptomator, which encrypts the files; the files are synchronized with Nextcloud at a remote location, but I suppose you can use whatever software you want. Inside that there is a https://keepassxc.org/ database.
It works on a phone too: Cryptomator opens the vault with a fingerprint, KeePassXC opens with a fingerprint. Well, not the quickest way, but it will do.
I still have some useless passwords in Chrome, but only for unimportant stuff.
I use KeepassXC too, and Dropbox for database sync. Probably not very secure, but I store root password only in my head, and secret key offline. Never used mobile client though, not sure if they can be trusted.
Because using a password manager as intended solves several well-known and very common password-related attacks like credential stuffing.
A password manager makes it possible for the average person to have high length, completely random passwords for each and every site, and to have them available on all of their devices.
That makes it a lot less likely that people will do bad things like re-using passwords, having short passwords, or writing them down.
My LastPass account would have been in the breach, but as my vault was protected with 151,000 iterations and a very long password, it'd take an attacker a long time to be able to get to my Hacker News password, which they'd find was 50 random characters long and looked something like jtES^cqhPj3@&rgPW5#frmDpf#^gGyf3eRoPH#fUZWJQGNFJvW
It's a recommended practice (I hate the term "best", everything depends).
Why? Quite easy actually - having random passwords is better than reusing the same everywhere. Random passwords are impossible to remember by a regular human, hence you need a password manager. Using a local file as a password manager poses a usability/availability risk (you have to sync it yourself, you have to back it up yourself, you have to make it available on all devices without putting it at risk, you have to secure it, etc.), hence cloud-based password managers are better for the average person, especially coupled with MFA for critical accounts (banks, email, etc.). If you're a highly technical or highly security conscious person, or under threat, the equation changes of course, but the recommendation for a cloud-based password manager isn't meant to apply to everyone, just most people.
You have to consider what the security landscape looked like when LastPass got going in 2008. The common practice for non-technical people was (or still is) to reuse the same password everywhere. A password that's really easy to remember like "p@$$word".
In this context, the common alternative to LastPass isn't best practice, it's worst practice.
You can publicly post an encrypted password file and dare hackers to break it, assuming your password is >80 bits of entropy. All this worry about cloud storage and web access is due to ignorance about encryption.
I use them too, but password managers feel like they’re building atop a poor foundation. I’d like if we could go further in the direction of site login using a big, well-known identity provider (sure, let there be some independent one if you don’t want to trust Google or Facebook). Failing that, this incident does show the virtue of the old-fashioned method of writing down the passwords and keeping them somewhere safe.
MFA means that you're not immediately exploitable. It doesn't mean that you can't be phished — and remember that someone with your LastPass vault can make some pretty convincing targeted phishing messages — if your 2FA is anything other than a FIDO2/WebAuthn key. This has become routine and there are toolkits for attackers to make it easier so it's definitely not an emergency but not something you want to slack on.
It also doesn't help if there's any way around the MFA process. For example, could the attacker convince a minimum-wage support person / chatbot that you need to reset your MFA? Many companies skimp mercilessly on support costs and that makes this easier than it should be. I've even seen sites where your MFA can be reset using an email challenge!
According to https://layoffs.fyi a company named “GoTo Group” based in Indonesia recently laid off 1200 employees, however they appear to have no obvious relation to “GoTo Company” which owns LastPass.
Under the circumstances, a staffing shakeup in the CISO office sometimes occurs in companies after this kind of accident.
Does anyone know what the situation is like inside LastPass headquarters?
After a previous LP incident I noticed a number of senior security officer positions advertised on the LastPass Careers site.
I use KeepassXC with password + yubikey challenge response. My mental model is that this encrypts my database using my password combined with the yubikey response. With this configuration, it appears that I should be able to put my database anywhere in the open.
Which leads me to my point: If the password manager is properly used then why do we care if the encrypted databases were leaked?
I’ve been sitting on what I think might be the last straw to break the proverbial camel’s back, but I didn’t think readers had any more bandwidth to hear more about this breach. I have my reasons to believe there’s a good chance LP knows of a means by which the master keys of some users may have been once compromised long before this incident.
Moved everything important off LastPass a while back; still using it for convenience on pwds/accounts that I don't care that much about, but using KeePass offline for anything of consequence. Not really ready to trust Bitwarden.
A question for those "starting to migrate away". Why bother changing passwords that you then put back into LastPass?
Change the passwords yes, all of them, but if you're going to put the new ones back in to be re-exported by your adversary you may as well save yourself the time and stay with the already breached ones.
What idiot keeps all their money in a bank instead of securing it themselves?
Sometimes it’s preferable to pay the professionals, especially if you’re not an expert. I’ve recommended LastPass to my grandparents for years because it’s better than using their grandkids’ names as passwords everywhere.
Sucks that LastPass has these significant problems. From purely a product perspective it's pretty good. I used it for years quite happily as it kept myself and wife in sync with all of our accounts/passwords across all of our devices and browsers. LastPass is one of only a handful of products that truly works on virtually all platforms and browsers. Windows and Mac, home and corporate devices, mobile, you name it.
1Password works everywhere too, and it works much better than LastPass from everything I've heard and seen.
1Password also actually encrypts your entire vault, and it uses a strong, generated secret key in addition to your password, so even if a user does not use a strong password, their vault would still be very hard to crack.
The new addon for Firefox doesn't just work but instead is unable to match the current URL to entries. You have to switch off the "Advanced autofill" which is automatically turned on nearly every day. The Android autofill doesn't "just work" but that may be Android's fault.