> The forced logout + MFA resync events are taking place as we increase all customers' password iterations.<p>Typically you just need to wait for a user to log in, then validate the password against the old hash and create a new stronger replacement hash. Ending all sessions is a good way to log everyone out and force that. But I'm confused.<p>If weak password hashes were leaked, then the passwords need to be changed too. Increasing the rounds doesn't prevent attacks on the previously leaked weak hashes. Maybe they expect everyone already did that but some people did it before they increased the hash rounds?<p>The MFA reset shouldn't be related to the increase in hash rounds, those are unrelated. So they must suspect the MFA seeds were also stolen, but aren't saying it, right?
Genuine question: why are there still LastPass users?<p>I mean, if you have a password manager, it means that you somehow care about your passwords. If you have LastPass, it means that you chose something that was not the default Google Wallet or Apple whatever-it-is-called.<p>Are there so many LastPass users who haven't followed the news in the last 2 years?
I recently discovered Vaultwarden (<a href="https://github.com/dani-garcia/vaultwarden">https://github.com/dani-garcia/vaultwarden</a>) and love it. It's basically single Rust binary (self-compiled: <a href="https://github.com/dani-garcia/vaultwarden/wiki/Building-binary">https://github.com/dani-garcia/vaultwarden/wiki/Building-bin...</a>) with a SQLite3 database running on my own server, implementing the Bitwarden server API. I can use all the official Bitwarden apps on my phone and desktop, but have the backend and backups under my own control.
1Password is probably the best kept secret when it comes to password managers. I don't understand why more IT professionals don't advocate this software.
I don't like any of this. Your passwords need to be with you, not rely on a server.<p>I use KeePass, it stores all passwords in a file, encrypted. The file can be stored in OneDrive/Dropbox/etc.<p>But the point is, if all the servers in the world go down, I have all my passwords in a local copy. There is also an Android app.<p>You can even edit the database file independently on desktop and on mobile and it will be able to merge two conflicting files<p><a href="https://keepass.info/download.html" rel="nofollow noreferrer">https://keepass.info/download.html</a>
I genuinely don't know why people don't use offline databases like KeePass. The convenience of online password management is not worth the hassle they can cause. Albeit LastPass appears to be the worst!
Why would LastPass let you "unsubscribe" from critical security emails like "hey you're gonna be locked out"? Or have they tied critical emails to marketing garbage emails in their communication preferences?
I recently had to start using Lastpass for work and I am absolutely mind-boggled at what an all-around terrible piece of software it is. I have my complaints about 1Password but those are peanuts compared to the mile long list of show-stopping bugs and UX problems I experience every day with LP. Irredeemable garbage.
I don't use a password manager. You shouldn't, either, probably, unless you want to share passwords with a group or something.<p>I have a file of hints which are only meaningful to me. Even if a malefactor got hold of the file, it wouldn't help them. (no, I'm not going to give examples; if you can't think of some combinations of characters that only you can remember, then fine, use a password manager). I'm always thinking of new ones, too.<p>You don't need a unique one for every site, either. Having 15 or 20 that you choose at random means that an invalidated one doesn't affect <i>everything</i> you do.<p>Occasionally, the Hint file has an actual gibberish password with no hint, where I have to copy/paste it. I think this is fine once in a while.<p>All I really have to remember is the password for the place where that file is stored, and my email's. Often it happens that my stored hint doesn't work (maybe I forgot to update it), but every site has a Forgot Password link.
I jumped ship to Bitwarden at the beginning of the year, and haven't logged into LastPass in some time, although I forgot to delete my vault and account.<p>I suppose there's some assurance that if I'm indefinitely locked out of the account then at least hackers are, too?
Why anyone would continue to use their service after their amateur hour operation was revealed is beyond me. That's not to say their competitors are guaranteed to be better. Really, you shouldn't depend on any offsite service for password management. Use something like Pass (<a href="https://www.passwordstore.org/" rel="nofollow noreferrer">https://www.passwordstore.org/</a>), self-hosted Bitwarden or at worst, GPG encrypted text files (which is essentially what Pass does).
Hate to say it but these remaining users were and are fools for not having jumped ship like yesterday. This is not a serious + competent password manager product/company. Hopefully they had backups or they are in for a world of hurt dealing with the worst mess of being stuck in such an absurd loop.
It's scary when a company ships a security feature with a buggy "happy path," because it generally means the engineers who built it don't follow personal best security practices themselves.<p>An example is whether a website's login form works with browser autofill. If it doesn't, it probably means the person who built that page doesn't use browser autofill, which means they probably use the same password on all their personal accounts, which is terrifying. (Bad example for a product that's supposed to replace the browser's built-in password manager, but you get the idea.)
I still use my licensed 1Password version from like 10 years ago. I share passwords over Dropbox to my other computers and I cut and paste passwords. It’s not hard at all and I don’t have to pay a subscription.
No matter how many compromises, how many DoS events / lockouts, or how many other times internet-based password managers royally screw up, it never ceases to amaze me how people continue to trudge back to these sorry services.<p>"It's so convenient!"<p>"I don't like having to manually sync between devices with <100% local password manager>!"<p>Convenience addicts making excuses for their next hit of convenience... no matter how severely convenience harms them.
Ok. I'll take the advice here. I am a time-constrained LastPass user. I'm aware of the issues but not the seriousness. I will abandon the platform now, but I could use your help:<p>1 - is the industry gold standard 1Password or Bitwarden? Key requisite: Edge or FF browser extension. (I don't use mobile password management apps and will never do so)<p>2 - in light of the LP breaches, do I change all my pw accounts, the master LP account, or both??
The problem of needing a current login session in order to access support is a fairly common failure mode in some organisations.<p>Strangely enough, some places don't fix it when they learn about it. I'm not sure why though, as that makes no sense to me.
One reason I left LastPass was because it kept bypassing 2FA (or incorrectly presenting it when it for whatever reason wasn’t required) - I could just press cancel and then there all my passwords were. The macOS app was … wild
The blame-the-user responses reported in this story are just hopeless. Also, as far as I can tell, untrue: I cancelled my LastPass subscription after the last horrific breach and migrated to a new password manager while changing my critical passwords, but every once in a while I have to use LastPass to dig up an old unimportant password for something that didn't make the list for immediate changes... and I've never seen any kind of message about resetting MFA.
It's just issue after issue with LastPass. Is it just apathy that is keeping people using them? There are much better options out there that are cheaper and better.
To borrow a refrain from crypto; "Not your keys, not your passwords."<p>Hope people don't fall for the stupid thing that Google/Apple et al are trying to do, either.
I do not understand why people need to use these things, maybe they make it easier and more secure for cell phones? I never use my cell phone for anything finance or medical related.<p>But for me, I keep an encrypted text file and get the passwords by using emacs or vim. I generate passwords using:<p>tr -cd "[:alnum:]" < /dev/urandom | fold -w 16 | sed 10q<p>and with the result I may replace 1 character with what they call a "special character". To me that avoids a lot of worry.
The entire website is written in PHP. I have nothing against the language, but it's a major red flag when you would expect it to be using Java instead like most bank and government websites do.
I am completely over the idea of storing secrets inside of one of these 3rd party systems. I've currently got a team member writing an internal secret storage app for our organization.<p>Creating a SQL schema with a "Secrets" table and maybe some audit logging and organizational extras should take a seasoned developer ~30 minutes. Throwing a CRUD web app on top of this and making it accessible to your employees - maybe another day or 2.<p>I really don't know why you'd risk this sort of stuff with a 3rd party. It just boggles my mind. What are they doing that you can't do? Even a 3 person startup can probably find time around a weekend to knock this out once and for all.<p>Edit: clearly I missed an important point. We don't care about browser integration. I am not going for 1:1 feature replacement. If you seriously believe "a safe place to keep internal text" is an extremely hard problem that absolutely must be outsourced, I don't know why you would even be involved in technology.