LastPass breach gets worse

One of the most frustrating things about the LastPass leak is that they still haven&#x27;t provided all the information needed to determine whether a customer is at risk.<p>For example, it&#x27;s clear backups were stolen, but they won&#x27;t say how old the backups were, or what their retention policy is. So even if you changed your password to a stronger one, with more rotations, it may be that the attacker got hold of very old backups with weaker security. I&#x27;ve asked their support team for information about time windows of backups stolen, if they have a retention policy and whether it was adhered to, but they won&#x27;t share that information. Instead we are left with a blog post that is more than a month old, no recent updates, and questions remaining unanswered. I&#x27;m a paying &#x27;enterprise&#x27; customer, and they are meant to be ISO270001 compliant, so a retention policy should be a pretty simple thing to share.

The fact they&#x27;re drip-feeding how bad this breach actually was is terrible enough and yet their entire product is built on nothing but trust.<p>Part of me wonders if this was an intentional strategy: Downplay during the initial media round then very quietly reveal this was a worst case scenario.<p>Personally I&#x27;m never touching them again - anecdotally everyone I know who was an individual customer has migrated away and inside companies lots of engineers have stopped adding new passwords.

After using LastPass for years, this breach led me to do something I should have done long ago: remove my bank account &amp; email account passwords from it (and change them, of course). My wife did the same thing. At some point I&#x27;ll probably switch password managers, but the basic realization was that those passwords are qualitatively different than the rest and should never, ever be trusted to any password manager.<p>So now I remember ~3 passphrases, instead of 1, and sleep much better at night.

Whilst not good, this seems to be bad news for some GoTo products but not specifically Lastpass:<p>&gt; a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere<p>Lastpass is a GoTo product, so in general the multiple security breaches undermine confidence in all their products. Your password manager is not something you want low confidence in.

Makes me pleased to be a loyal Zetetic Codebook[1] (née STRIP) customer.<p>The thought of storing my passwords on a web&#x2F;cloud-based service always struck me as the dumbest thing anyone could do as it would be only a matter of time until such a service was hacked.<p>I started using Zetetic after learning about them via a 2012 Black Hat conference presentation[2] where they took a bunch of password managers and STRIP came out on top. I figured if it was good enough for them, it was good enough for me. The product has only got better and better since 2012 (note that the presentation PDF is out of date in terms of security, they have <i>of course</i> changed hash and substantially increased rounds ! see their website for detail).<p>Their support is first-class too.<p>[1] <a href="https:&#x2F;&#x2F;www.zetetic.net&#x2F;codebook&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.zetetic.net&#x2F;codebook&#x2F;</a> [2] <a href="https:&#x2F;&#x2F;media.blackhat.com&#x2F;bh-eu-12&#x2F;Belenko&#x2F;bh-eu-12-Belenko-Password_Encryption-Slides.pdf" rel="nofollow">https:&#x2F;&#x2F;media.blackhat.com&#x2F;bh-eu-12&#x2F;Belenko&#x2F;bh-eu-12-Belenko...</a>

How many more times can we shout it. KeePass with Syncthing.

I have recently moved away from lastpass onto 1password and find myself with some 1000+ credentials that I will now have to change. Been working though the list and made a small dent of 50 accounts so far... There must be a quicker way to do this?

Updated a blog post from November in January, classy move.<p>Not to mention <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;LastPass#Security_incidents" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;LastPass#Security_incidents</a>

I just migrated over to 1Password and deleted my LastPass account. Better late than never, I suppose.<p>It was surprisingly easy- for all of LastPass&#x27;s faults, at least they don&#x27;t use shady vendor lock-in practices (like making data export needlessly difficult). And 1Password has a LastPass-specific import page, which made the migration dead-easy.

I am so happy I left and destroyed my account before this breach and went with Bitwarden.<p>They showed red flags a long time ago!

Years ago, I told them privately of a vulnerability in their implementation of 2FA. They dismissed it as a non-issue.<p>A couple of weeks later they sent out a statement &quot;clarifying&quot; how their 2FA had a caveat. It was basically marketing bullshit glossing over the fact that they don&#x27;t enforce 2FA locally (sorry, details are very vague in my memory now, but I remember it being a serious mis-implementation).<p>Clowns.

I spent part of my holiday break cleaning up after this mess, resetting hundreds of credentials. On the plus side, it provided a much needed opportunity for some house cleaning.

The other difficulty is it appears there is little-to-no support for API&#x2F;automation:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;lastpass&#x2F;lastpass-cli&#x2F;issues&#x2F;602">https:&#x2F;&#x2F;github.com&#x2F;lastpass&#x2F;lastpass-cli&#x2F;issues&#x2F;602</a><p><a href="https:&#x2F;&#x2F;github.com&#x2F;lastpass&#x2F;lastpass-cli&#x2F;issues&#x2F;624">https:&#x2F;&#x2F;github.com&#x2F;lastpass&#x2F;lastpass-cli&#x2F;issues&#x2F;624</a><p><a href="https:&#x2F;&#x2F;github.com&#x2F;lastpass&#x2F;lastpass-cli&#x2F;issues&#x2F;604">https:&#x2F;&#x2F;github.com&#x2F;lastpass&#x2F;lastpass-cli&#x2F;issues&#x2F;604</a><p>...their CLI tool is de-facto deprecated (unsupported) and has several unreliability issues (ie: `lpass ls&#x2F;userls ...` reports differing amounts of values depending on when a user was added to the folder or not). Basically `lpass ls ... | xargs -n1 ...` cannot be trusted, and you can only get an accurate list of passwords (or users) from the actual GUI.<p>It makes automation, auditing, reporting, near impossible.

First rule of security breaches: it’s always worse than they let on.

From paying customer, to deleted account.

And my stance against &quot;cloud based password managers&quot; -- and really, paid password managers -- is vindicated. Never!<p>I have evolved a little on using software to track passwords though, and I&#x27;m using Unix Pass quite happily now. It&#x27;s just a short bash script that is very readable, and uses GPG as a backend.<p>Edit: What&#x27;s doubly nice is how elegantly it scales from a simple folder of gpg encrypted text files to a multi user synchronized git repository on everyone&#x27;s phone.<p>But all that&#x27;s optional, and only requires you to trust other tools that you already regularly depend on.

What does everyone think about just using Apple&#x27;s Keychain for everything? Seems that for Keychain the most serious threat is actually being rando-banned by Apple and losing access to my stuff.

What happens to the serial security recidivists? Where are the regulators? LastPass has had security incident after security incident, how are they still allowed to operate?

In the comments on Reddit someone linked to a podcast where they broke down what this really means in terms of how &quot;secure&quot; your leaked encrypted vault is.<p>The TL;DR is even with 100k+ iterations of PBKDF2 an attacker can crack a password with 40 bits of entropy in about 71 days if they had access to 200 modern GPUs. For comparison if there were only 1 iteration instead of 100k the same type of password could be cracked in 61 seconds.<p>50 bits of entropy changes things a bit. Now it takes 1 year instead of 71 days but if you&#x27;re a high value target they can just ramp up the number of GPUs to reduce the time.<p>The difference between 40 and 50 bits of entropy for a password look like this:<p><pre><code> 40 bits: !climb33 50 bits: ClimbS1@ 40 bits: any 9 lower case letters 50 bits: any 11 lower case letters </code></pre> The takeaway I got is you&#x27;re probably ok if you have a really good password (150+ bits) with 100k+ iterations but if I were using Lastpass personally (which I&#x27;m not) I would absolutely re-roll everything and never use the product again. I personally use a command line tool called `pass` which stores everything locally. This story interests me though because I am mildly involved with someone who is using Lastpass and I suggested they re-roll everything. I&#x27;m happy to see someone did the math, it&#x27;s the exact information I wanted to know.<p>The podcast show notes are on page 6 which has more numbers and practical examples: <a href="https:&#x2F;&#x2F;www.grc.com&#x2F;sn&#x2F;SN-905-Notes.pdf" rel="nofollow">https:&#x2F;&#x2F;www.grc.com&#x2F;sn&#x2F;SN-905-Notes.pdf</a>

Has this soured the concept of a password manager? Instead of many different accounts and passwords you also add one more account that gives you access to everything. Backdooring yourself.<p>People will say you have to use one because you might reuse a password. If a hacker gets a hold of it they will have access to other accounts. Hopefully many use different emails and&#x2F;passwords but even if they don&#x27;t an attacker doesn&#x27;t have a list of websites this works on and will try to login to major sites which usually alert the user. If your lastpass account has been hacked they know all sites large&#x2F;small and will have an easier time stealing info&#x2F;money from smaller sites with lower protections and can blackmail you because you saved your pornhub account (with a privacy email address) in lastpass.<p>People are going back 5 years trying to get information from a company they have no relationship with. This company kept your passwords after you left. Once you give them to lastpass they are no longer secured even if you decide to leave..10 years later coming in through that backdoor you left open.

GoTo considered harmful

We’re finished with LastPass. We are actively moving employees away from it and will never touch their products again.

A good advice I was given a long time ago and I have since followed:<p>When you need to admit a mistake or apologize, get it all out and be truthful about it. Effectively get it over and done with.<p>People do appreciate honesty, but will strike back with retaliation if they find out you only appeared honest. Telling a half truth is no better than lying.

as a keepass user, i cannot be more happy.<p>contrary to popular belief, maintaining a file synchronized is not difficult.<p>This &quot;breach&quot; is just as good as assuming google or apple or any other bitwarden or any other cloud password manager is broken because they all work in the same way &quot;we promise to keep it secure&quot;. this is different from storing a keepass file on the same google cloud because an attacker has to break into your cloud login first, then hope to find your keepass file. Then try to break that file.<p>as opposed to breaking into your google account and seeing the passwords or by breaking into bitwarden or 1password or something else.<p>if someone has a login to 1password of 10 people, there is good reason to assume there will be passwords stored.

Maybe an overkill, but i use cryptomator, which encrypts the files, the files are synchronized with nextcloud of remote location, but i suppose you can use whatever software you want. Inside that there is a <a href="https:&#x2F;&#x2F;keepassxc.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;keepassxc.org&#x2F;</a> It works on a phone too, cryptomator open vault with finger, open keepassxc with finger, well not the quickest way but it will do. I still have some useless passwors in chrome but for not important stuff.

Can someone explain it to me like I am 5 years old. Why would I take all my passwords, centralize them and place them onto a 3rd party site? Why is this security best practice?

there is only 1 rational course of action: (1) export and delete your lastpass account (2) import to new PW manager, in my case bitwarden (3) change all your passwords

I use them too, but password managers feel like they’re building atop a poor foundation. I’d like if we could go further in the direction of site login using a big, well-known identity provider (sure, let there be some independent one if you don’t want to trust Google or Facebook). Failing that, this incident does show the virtue of the old-fashioned method of writing down the passwords and keeping them somewhere safe.

What product supports Cross Platform (minimum of Windows, Mac, iOS) that is easy to setup for non-technical people?

From the top of the reddit post:<p>&gt;&quot;For those that may not have seen it, since instead of a new post they “updated” the one from November…Looks like it’s even worse than they first let on&quot;<p>Can anyone say if they notified their customers that they had updated the original post?

Wow! This should definitely not be downplayed, they have lost users&#x27; trust for good.

If I have 2FA set up, would I still need to change the passwords (despite the leak)?

My personal password policy is. Never store passwords in PW-managers to important things that can be accessed without MFA. Especially not work related things.<p>I have not figured out where to store those backup codes though.

Is there a reason why I shouldn&#x27;t just store my passwords in Firefox?

According to <a href="https:&#x2F;&#x2F;layoffs.fyi" rel="nofollow">https:&#x2F;&#x2F;layoffs.fyi</a> a company named “GoTo Group” based in Indonesia recently laid off 1200 employees, however they appear to have no obvious relation to “GoTo Company” which owns LastPass.<p>Under the circumstances, a staffing shakeup in the CISO office sometimes occurs in companies after this kind of accident.<p>Does anyone know what the situation is like inside LastPass headquarters?<p>After a previous LP incident I noticed a number of senior security officer positions advertised on the LastPass Careers site.

A reddit thread about another company. Can anyone link me to where the LastPass announcement changed?

I use KeepassXC with password + yubikey challenge response. My mental model is that this encrypts my database using my password combined with the yubikey response. With this configuration- it appears that I should be able to put my database anywhere in the open.<p>Which leads me to my point: If the password manager is properly used then why do we care if the encrypted databases were leaked?

if i closed my LastPass account a year ago (migrated to a different pass manager), am I in a problem?

I’ve been sitting on what I think <i>might</i> be the last straw to break the proverbial camel’s back but I didn’t think readers had any more bandwidth to hear more about this breach. I have my reasons to believe there’s a good chance LP knows of a means by which the master keys if some users may have been once compromised long before this incident.

[...sound of offline password managers&#x27; users munching on popcorn intensifies...]

moved everything important off LastPass a while back; still using it for convenience on pwds&#x2F;accounts that I don&#x27;t care that much about, but using KeePass offline for anything of consequence. Not really ready to trust Bitwarden.

A question for those &quot;starting to migrate away&quot;. Why bother changing passwords that you then put back into LastPass?<p>Change the passwords yes, all of them, but if you&#x27;re going to put the new ones back in to be re-exported by your adversary you may as well save yourself the time and stay with the already breached ones.

I asked the tech lead at a past job if he&#x27;d have been willing to resign over his decision to store our keys in the &quot;cloud&quot;, using LastPass. He never responded.

It sure sounds like they&#x27;re doomed.

So glad I switched to KeepassXC

What idiot transfers all their passwords to a small private company

Sucks that LastPass has these significant problems. From purely a product perspective it&#x27;s pretty good. I used it for years quite happily as it kept myself and wife in sync with all of our accounts&#x2F;passwords across all of our devices and browsers. LastPass is one of only a handful of products that truly works on virtually all platforms and browsers. Windows and Mac, home and corporate devices, mobile, you name it.