LastPass Compromise
Date: 2022-12-24 · Word Count: 383 · Reading Time: 2 minutes
If you use LastPass your present from them this year is that your passwords are compromised and you should change them. While you’re at it, consider changing to another platform. The recent compromise puts your passwords at risk and their security practices mean they are not a good platform to use.
Password managers are an excellent tool. They allow for using strong passwords everywhere and not having to re-use any (because there’s only so far human memory goes). If you’re not using one I strongly suggest you change that. https://bitwarden.com/ is pretty good and open source.
Having said that, they’re not without their flaws. One of the most important things is that such organisations are open about compromises and other ways in which customer data might have been compromised. LastPass is not that. They also have a history of other practices which are questionable from a security perspective.
And some which are not merely questionable, but downright objectionable; such as storing all user URLs unencrypted.
One of the issues here is, unfortunately, a pretty general one when it comes to password managers: having a strong master password. If your master password is simple, then it can be easily brute forced if the encrypted vault is compromised. So, make something really complex. For example, mine is over 50 characters long. It is worth having in an offline format too (for example, alongside your will or other documents which are stored securely) so that if you pass away your family can get into things.
There is a trade off here. Typing in the master password can be a pain in the neck. This is simplified if you have TouchID or other technologies which can act as a proxy (so you’re only typing it every now and again). You do want to do so regularly enough that you can remember it though.
Some other points:
- Turn on 2 Factor Authentication (2FA) for everything you can. If you need a manager for this, I suggest https://www.authy.com
- Be aware of phishing scams. Scammers know LastPass has been compromised so they can send you something that looks like a legit email asking you to change your password. If you get email asking you to to change a password, do not click the link. After all you’ve recently changed them…