It might be the last straw for some.
LastPass recently updated their breach post — Notice of Recent Security Incident — to include some troubling information: encrypted information had been copied.
After years of being able to say this had never once happened, we can no longer say that.
I want to talk about why it’s not a reason to panic (unless your own security was lax), but why it might be time to re-evaluate my recommendation of, and your use of, LastPass.
What to do about the LastPass breach
Personal information and encrypted data were stolen from LastPass. If you have a weak LastPass master password, you are at some slight risk of your vault information being compromised, so you should begin changing passwords. Vaults protected by strong master passwords remain secure. You don’t need to leave LastPass, but it’s understandable that you might. Do not avoid password vaults completely, however; choose an appropriate replacement instead.
What to do
To cut to the chase:
- If your LastPass master password was appropriately strong, you don’t need to do anything. The contents of your password vault are not at significant risk.
- If your LastPass master password is not appropriately strong, consider changing the passwords of all “important” accounts stored in your vault as soon as possible, and all accounts eventually.
And if, like me, you’re beginning to lose faith in LastPass, it might be time to consider a switch.1
The most important thing to know is that you don’t have to do anything, or switch immediately, or switch in a panic. Unless your master password is weak, as described above, your information remains secure, and you can take your time to make a reasoned choice.
What happened
It’s a long saga. Here’s the key paragraph from the LastPass blog post:
Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
In English:
- In August, someone hacked into their network.
- Technical information was stolen, but no actual customer information was compromised at that time.
- That technical information was used to successfully phish a LastPass employee.
- The attacker obtained that employee’s credentials and keys, which gave access to the storage where LastPass kept its data.
- That allowed the attacker to steal some information.
While it’s unclear how many LastPass users are affected, they do go on to list the types of information stolen:
- Company names
- End-user names
- Billing addresses
- Email addresses
- Telephone numbers
- IP addresses from which customers were accessing LastPass
- URLs of websites for which passwords had been saved
- A backup of customer vault data
It’s the last one that has everyone concerned.
What did NOT happen
The attacker did not gain access to the unencrypted contents of any vaults. In other words, the attacker did NOT gain access to the information you and I store in our LastPass password vaults.
All they got was an encrypted blob that contains that information. Without the decryption key — your master password — they cannot access the contents of your vault. And LastPass does not know, nor do they store, your master password. Only you know it, and it’s only used on your device when you sign in to LastPass.
However.
The reason there’s such a strong focus on your master password is that if it’s weak, it’s conceivable a hacker could mount a successful brute-force attack on the encrypted blob and decrypt it.
It’s unlikely, but possible.
It’s unlikely because the other breached information is more likely to be used successfully with much less effort on the hacker’s part.
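The brute-force exposure described above, as an added example (not code from the article or from LastPass): it stretches a master password into a vault key with PBKDF2-HMAC-SHA256, as LastPass and similar managers do, then models how the size of the guess space and the KDF iteration count (the “password iterations” raised in the comments below) set the cost of offline guessing against a stolen vault backup. The iteration counts, sample passwords and attacker hash rate are constructed assumptions, not figures from the article.

```python
"""Why the master password decides the fate of a stolen vault backup.

Added example, not code from the Ask Leo! article or from LastPass. A vault
backup is only an encrypted blob; its key is stretched from the master
password with PBKDF2-HMAC-SHA256, and the iteration count travels with the
vault, so whoever holds the blob can test guesses offline at a cost of
`iterations` HMAC computations per guess. Iteration counts, sample passwords
and the attacker hash rate below are constructed assumptions.
"""
import hashlib
import math
import string

# Character classes used to bound the size of a random password's guess space.
CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
    {" "},
)


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key.

    The same derivation runs on the user's own device at sign-in, which is
    why the provider never needs to hold the master password itself.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def guess_space_bits(password: str) -> float:
    """Upper bound on entropy: log2(alphabet ** length).

    This is the strength of a *random* string over the character classes
    present; a phrase built from dictionary words is weaker than this bound.
    """
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(alphabet)


def expected_crack_seconds(bits: float, iterations: int, hmac_per_second: float) -> float:
    """Expected offline guessing time: half the guess space on average, each
    guess costing `iterations` HMAC-SHA256 computations at the attacker's rate."""
    guesses = 2.0 ** (bits - 1)
    return guesses * iterations / hmac_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


# Constructed scenario: an assumed attacker budget of 1e11 HMAC-SHA256 per
# second (illustrative GPU cluster) against a low and a high iteration setting.
ATTACKER_HMAC_PER_SECOND = 1e11
ITERATION_SETTINGS = {"low": 5_000, "high": 100_000}

# Constructed sample passwords: a short one using all four character classes,
# and a long letters-only phrase of the kind discussed in the comments.
SAMPLE_PASSWORDS = {
    "short-mixed": "Tr0ub4d0r&3x",
    "long-letters": "my dog eats the mail on tuesdays.",
}


def compare_scenarios() -> dict:
    """Years of expected cracking effort per sample password and iteration setting."""
    out = {}
    for name, pw in SAMPLE_PASSWORDS.items():
        bits = guess_space_bits(pw)
        for label, iters in ITERATION_SETTINGS.items():
            secs = expected_crack_seconds(bits, iters, ATTACKER_HMAC_PER_SECOND)
            out[(name, label)] = seconds_to_years(secs)
    return out


if __name__ == "__main__":
    salt = b"constructed-salt"  # real vaults use a per-user salt
    k1 = derive_vault_key("correct horse battery staple", salt, 100_000)
    k2 = derive_vault_key("correct horse battery stapel", salt, 100_000)
    print("keys differ on a one-letter typo:", k1 != k2)
    for (name, label), years in compare_scenarios().items():
        print(f"{name:13s} {label:5s} iterations: ~{years:.3g} years")
```

Raising the iteration count multiplies the attacker’s cost linearly, while each extra character multiplies it by the alphabet size, which is why length dominates and why a low iteration setting matters most for short or guessable master passwords.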
What’s more likely to happen
More phishing.
By that I mean the combination of information that was compromised, like your name, email address, and knowing what services you have accounts with, can be used to mount what is likely to be a very convincing phishing attack. Conceptually, you would get an email that looks very legitimate, addressing you by name and including other accurate personal information in an attempt to fool you.
Some percentage of those attacks will likely succeed, much as I assume the LastPass engineer was fooled.
Why I’m disappointed
It’s very possible — likely even — that this was just a series of unfortunate events at LastPass. It’s possible that they’ve been as appropriately transparent as they could be about what’s been happening along the way.
I’m reluctant to “punish” them for transparency. As someone pointed out to me, just because a company reports no security incidents doesn’t mean there are no security incidents. Responsible disclosure should be applauded.
However.
Some of the steps in the series of events seem as though they should have been avoidable. I could be wrong. Some of the information seems like it should have been made public sooner. I could be wrong about that as well.
And while I’m in no way a conspiracy guy, I have a hard time arguing with those who point out that the update by LastPass was suspiciously timed around the Christmas holiday, when so many people — most notably journalists who might make an even bigger deal of this — are less likely to act or publish.
Nothing requires our trust more than the software we use to store secure information.
Our trust in LastPass is being eroded.
Do this
Don’t panic, but do review your security.
If you’ve been using a weak master password, now’s the time to start changing passwords for the accounts in your vault. Take this as an opportunity to do it correctly: long, strong passwords, unique to each site. While you should change your LastPass master password to something secure as well, that won’t help the current situation; that horse has left the barn.
Now is also a good time to revisit adding two-factor authentication to your accounts that support it. Then, even if an account password is compromised, the hackers still can’t get in.
I don’t believe you need to leave LastPass, but I understand if you decide you do. As I said, trust is critical. I expect to evaluate and make a new recommendation in the coming weeks.
As always, be on the alert for phishing attempts. Be skeptical.
What you should not do is stop using password managers altogether. A password manager is still significantly safer than any of the alternatives.
Addenda
Update: Longtime tech journalist Ed Bott reminded me of something in his Substack post, which he apparently wrote at the same time I was drafting this article. From Is it time to replace your password manager?
LastPass got gobbled up by LogMeIn back in 2015. And then in 2021, LogMeIn announced it was planning to spin LastPass off as a separate company. Astute observers of the software industry know that this playbook rarely works out well. At the very best, your employees are distracted by the whole M&A song and dance. At worst … well, here we are.
Honestly, I’d not considered how the whole LastPass ownership game of hot potato might affect what’s happening within the company. It’s another reason, albeit without hard evidence, to at least be concerned.
Footnotes & References
1: I don’t yet have a specific recommendation, but I’m researching it. There are several good alternatives.
Thank you. Reading that LastPass update was on the list to do today and you’ve made it easily digestible. I guess one thing in your recommendations is not clear to me. Why start to change all my passwords? If they got an encrypted blob that they can’t do anything with unless they have the master password, then what does it matter if I keep the same password for all the sites?
Except for 1 or 2 which I might need when I’m not on my own laptop and can access my vault, all my passwords are generated by LastPass. If they’ve got the websites I visit and my email address, it will take them thousands of years to guess my bank’s password.
I would think the biggest risk would be phishing to get someone’s master password. And there’s absolutely no way that I would type that into anything other than logging into my vault. It certainly wouldn’t be after receiving an email from “LastPass” claiming to need to do some account maintenance so I should “click here and log in before I lose my vault.”
I do see the value of changing the master password so that if someone happens to fall prey to the phishing scheme they would give out their new master password which wouldn’t help decrypt the blob they stole, would it?
If your master password was weak, the encrypted blob is vulnerable to brute force attacks.
Your wiffle-waffling on the terminology baffles. Did they get a “blob,” or did they get a “blog?” Granted it doesn’t much matter, but still there is a difference between the two, and someone as knowledgeable as you should be more clear…
Or it could just be a typo. Fixed. A very Merry Christmas to you as well.
All passwords are not the same. While storing some passwords in a password manager makes sense for some (not all) people, storing all your passwords there has never made sense. A small number of passwords are simply too important to trust to software.
There are downsides to every method. Notebooks can be stolen etc. You can store the passwords in a strongly encrypted spreadsheet, but that’s software. KeePass doesn’t store your data in the cloud, so some are recommending that. It’s not as convenient as you have to have a copy of the vault on every computer you use. You can carry it around on a flash drive, so at least it’s portable that way. I haven’t used it yet but I’m considering it.
A little over a year ago, I switched from LastPass to Bitwarden. The reasons I switched were that LastPass had changed how the browser extensions worked in a way I didn’t care for, and a family plan with Bitwarden costs less than a LastPass subscription or other password managers.
I set the master passwords for the users in my group as pass phrases, including punctuation and a bit of obfuscation and enabled two factor authentication as well.
When I was using LastPass, I used the same policy, so even if my information was still being stored by LastPass in an archive after a year, it would still be protected. A quick inventory resulted in all Yubikeys being accounted for.
Bitwarden takes some time and a bit of effort to set up, but once everything is in place, it is easy to use and maintain.
Ah, I get it. I just re-read it. You are recommending changing all passwords if your master password was weak. I agree with that. You were not recommending changing all passwords if you have a strong master password (unless of course you want to). Got it now. Thankfully my master password is strong … part of the reason for using LastPass in the first place. Much easier to remember a couple different strong passwords and let LastPass remember all the other complicated ones, instead of having to remember many strong passwords (or worse, reusing passwords). It’s amazing how many there are when you start looking at all the entries in the vault.
I use KeePass, not LastPass. No automated backups with them; all my password database backups, both local and online (I use both) are manual and have nothing whatever to do with KeePass itself.
Also my Master Password is 16 (not just 12) characters long, and uses a random string of letters both upper- and lowercase, numbers, punctuation and symbols, all remembered via an easy-to-remember mnemonic I invented many years ago. (It is by far the most secure passphrase I have outside of KeePass itself.)
I highly recommend KeePass. It’s available for Android as well as Windows (both versions generate and use the same database, so they’re interchangeable!), and it can encrypt using Twofish rather than AES for those (like me) who fear AES is so ubiquitous as to make a universal target for cryptanalysis. (Twofish was a runner-up in the AES competition and is every bit as competent a cipher as the current AES, Rijndael — it’s just not as widely used!)
Get KeePass here:
https://keepass.com
I don’t see waiting 4 months to tell us of a breach is anything near transparent. That alone is reason to mistrust LastPass. They were transparent in the past, but it seems with the new owners, they have grown lax with their security. I’m with Ed Bott on that one. Time to switch.
And an employee of a security company getting phished? I’ve lost confidence in them.
I’m not worried about my passwords in this case. My master password is long and random, but LastPass have allowed my personal contact information to be compromised, which is a guarantee of targeted phishing and spam. The hackers may not have our passwords, but they have a list of every website we log into, which is a great tool to have for targeted phishing.
“waiting 4 months to tell us of a breach”
This is what I struggle with. If they were purposely waiting, then indeed, that’s incredibly bad.
HOWEVER, were they waiting for some kind of analysis, research, or investigation that literally took that long? I can also understand caution and not releasing half-baked information.
We may never know. ¯\_(ツ)_/¯
Would you agree that eventually everything in each vault or “blob” will be discovered? Best case is that this will take much time and passwords can be changed but unfortunately some “secure notes” contain info that is hard or impossible to change.
Depends on your definition of “eventually”. For all practical and pragmatic purposes the answer is no: not everything will eventually be discovered, for a variety of reasons. Literally: sure, if someone some hundreds or thousands of years from now takes an interest, they can probably throw the technology of the day at it. Will they? I’d be shocked.
My Master Password is long and strong, comprising 29 mixed characters which are not a phrase and easy for me to remember. Even my wife can’t remember it even though I did tell her lol. Thinking it would take a billion years to crack. I will be too old then to care lol. So I will remain loyal to LP for 20 years of safe keeping so far. If anyone should complain, perhaps they should start with themselves and their weak password. If all is true what I read here from Leo, I have no fear.
If I were using LastPass I would have switched to a better secure program.
If you are still comfortable to keep using this vulnerable program then be smart and activate the available 2-step authentication, this will make you much more secure.
Leo, et al., I am unfamiliar with LastPass, but have been following this breach issue. I agree that VERY strong passwords (long, random, mix of characters, etc.) are essential. For many years I have been using Roboform. Never had a problem – of which I am aware.
Leo, if you are going to look at other password managers, I recommend you include Roboform in your research.
Keep on keepin’ on. I look forward to your missives every week.
Sorry to hear about LastPass but I’m not surprised.
If your computer is not in your physical control it is not secure.
If your data is not in your physical control it is not secure.
If you are not physically backing up your data it is not backed up.
Are you sensing a pattern? The old saying is “if you want a job done right you have to do it yourself”. Surgery notwithstanding. If recent history has taught us anything it is that you just can’t rely on other people or corporations to do something that you are capable of doing yourself. Online storage is subject to the whims of the current owner. Companies get bought up and companies go bankrupt.
I back up my data regularly to two external devices (always two copies). Passwords are stored locally in an encrypted vault.
That is not to say that my data/computers are completely secure. In spite of my best efforts I am still likely vulnerable to hacking (hasn’t happened yet in almost four decades) and viruses/malware (ditto). A fire could destroy everything, which is why my son keeps a copy of our family photos, videos, and tax documents at his house.
But we’ve seen how internet companies care only about their bottom line and how best they can profit by harvesting and selling our personal information. Why would you ever trust them to store your data and passwords?
Reverend Jim, I posted my reply before reading yours. We think alike. Happy to know I’m not a solitary wacko.
Re: “I expect to evaluate and make a new recommendation in the coming weeks.”
Thank you! I don’t know if I’ll change from LastPass or not (inertia is, after all, the most powerful force in the universe), but I’d like your recommendation. One thing to bear in mind is not only the security but also how easy or difficult it is to migrate from another password manager.
Best practice in switching PW managers?
I used LastPass up to a year ago when I lost the master PW and can’t access LastPass. I switched to Google PW manager and now have two split PW managers.
As easy as this?
Am I right in deleting LastPass from my PC and using Google to go back and enter new passwords as needed? The last thing I want is problems with my passwords while on the go.
I’ve used Password Safe for Windows (7-10) for twenty years and keep my encrypted database on a thumb drive, so it’s never on my computer. I have the database backed up on a couple of external HDs. Use a 16-letter phrase to unlock it when needed. Over twenty years, I’ve created about 120 different passwords for this or that. It happens.
Is Password Safe a pretty good solution, if you usually use passwords only at home? Seems safe to me and very convenient and free. I’ve always been very leery of cloud solutions for my passwords.
Call me paranoid, but I don’t trust my financial records to anyone, no matter how much they assure me they’ll never do me harm.
So what to do?
My solution (?) is to:
1) create a Word file
2) holding all my usernames and passwords,
3) unique passwords created by random-generators
4) like 4s8s9DfG4xFF&0$H&ds^,
5) the Word file updated whenever a password is changed or created,
6) the Word file stored on three small thumb drives,
7) one hidden at arm’s length from my computer,
8) the other two, backups of course, hidden in our house where a burglar would never find them.
I recognize this may not work for everyone. For example, I don’t do computing outside the house nor ever on the phone. Our house is all-electric, so no chance of a gas fire. Anyway, I live across the street from a fire hydrant and the fire house is only a mile away.
Lot of problems with my plan, I know, but it’s worked for me so far. One day, though, I’m going to look into BitWarden.
Are the passwords on those flash drives encrypted? If not, they are vulnerable to having your accounts compromised. Simple 7Zip encryption is fine if you have a long, over 14 character password.
Mark, the flash drives used to be encrypted but not any more.
1) I’m hosed if I can’t remember the password, locked out from all the others.
2) My children won’t be able to manage our accounts should their parents both die unexpectedly. (Yes, they get along well.)
But I’m not really sure I’m doing the right thing. Will look into 7zip, thanks.
If you give your kids the passwords now, they can help you recover the files if you forget. Unless there are things you don’t want your children to have access to while you are alive, you can give them duplicates of those flash drives.
This is a very informative article, thanks Leo. In some ways it vindicates my decision not to use a password manager, although I did try to set one up when I read your recommendation to use Last Pass some year or so ago. What stopped me was that I simply couldn’t understand the instructions (and still can’t). Must be the way my seventy-two-year-old brain works. A simple example of someone using it would have clarified my confusion. Fortunately there wasn’t one, so I deleted the software and continued using 18 character passwords. I live in Australia, and we have had two major attacks in past months (Putin’s thugs, no doubt). The companies were Medibank Private (health insurance) and Optus (Singapore based ISP). Both hacks stole private information but no financial data (they say).
At the risk of stating the bleedn’ obvious, the world is now reaping the whirlwind of having ditched face-to-face business dealing for the convenience (and resultant unemployment) of online business dealing. I’m not advocating returning to the days of queuing up at the bank to chat with a bank teller who actually knows you, but being ‘forced’ to identify yourself by numbers rather than your face has put all our digital identifiers in the hands of strangers in countries and companies we’ll never know. And they aren’t our friends.
All technology has its downsides. This has been true since the Industrial Revolution. Technology has been replacing human workers for the past 200 years and probably earlier to a lesser degree. But apart from the downsides, technology has been making our lives more comfortable and safer. One example is online shopping vs shopping in a brick-and-mortar shop. I’ve done a lot of on-line purchasing. I’ve never had my credit card compromised on-line. I had my credit card compromised twice after handing my card to people for processing and two forged checks against my account. Now, all shops and more and more restaurants are implementing systems where the personnel never touch payment cards. So much for personal contact.
Everything has its pros and cons, but technology has been evolving since the invention of the spear, and will continue evolving.
I switched to Nordpass and NordVPN a couple of years back and I’m glad I did now.
Too many hacks and compromises at LastPass over the past eight or more years. The most recent “breach” is not their first. I gave up on them years ago as I lost trust in them. Members of our computer group have many times talked about LastPass and with the many problems over the years – probably nobody in our group uses their services. We’ll again be talking about LastPass, I’m sure, at our January 2023 meeting.
And very few in our group trust any password manager with their most important login information – like financials.
Thanks to Leo for the article and awareness to his readers.
Well Leo,
It is really quite simple: if one delegates (anything whatever) one is always at the mercy of the integrity, competence, good will or whatever of the trustee – period. Caveat emptor, simple to say, bloody difficult to live by. Sucker is born and sheep is shorn every minute – that has been with us for decades, yet how many of us can abide this wisdom? Password security? If you cannot look after it yourself – well, there is always this Last Pass and many other alternatives for you. Recommended by uncle Leo of course.
BTW I lived in BC when “the Willy wooden shoes” was the then current puppet running the show. It was a really nice place then, from what I read it is not so nice now.
Regards.
PS: No need to publish this drivel …
With all the info I saw and indeed what you presented, presents somewhat of a quagmire of determining just what company and/or companies will be or is, the best manager of passwords today.
People said the CLOUD would never be hacked…well, you can kiss that off…
Just how many levels of protection does the typical company have such as LastPass really have or should have?
Thanks Leo for the great info you and your staff present to us on a regular basis.
Where did you hear people say the cloud can’t be hacked? I don’t believe it was a reputable computer guru. The cloud is made up of computers, and computers can be hacked.
With a proper backup and encryption regime, your data can be protected, but computers will always be hackable.
I’ve been very happy with Dashlane (mostly the multi-platform syncing) and have learned how to handle its idiosyncrasies, but am fully aware that all wallets are subject, at some point, to potential breach. Threat actors have the advantage, like water on a stone, to keep probing and pushing and testing, and the publishers have little idea of what’s happening on the computers of the hacker. It’s sad to be resigned to the notion that at some point, your supposedly secure wallet could be partially or completely compromised. I simply appreciate the time that the wallet I use does its job, and I hope for the best. I use 2FA, and try to stay on top of the latest social engineering and phishing attack modes to recognize them when they are sent my way.
I use LastPass and have for many years, since I changed from my original PW Manager, Roboform when they raised their rates. As for the phishing possibility, what’s new? I’m not worried, and vigilance and common sense is gold. My master password is a line from an obscure poem my dad used to recite to us kids. When I later recalled the poem from memory I accidentally switched some words around, so that’s the version I use, punctuation, spaces and all. Easy for me but impossible for anyone else. Of course I also use 2FA.
Since I’m not the president or prime minister of a major country and have considerably less (VERY considerably less) money than Elon Musk, I’m not worried about anyone brute-forcing my master password (especially considering the 2FA). There’s a LOT more low-hanging fruit around than my pitiful few hundreds to warrant expending the effort.
That’s a VERY dangerous opinion to hold.
For example, identity theft doesn’t care at all what you have. What they care about are setting up accounts and taking out loans in your name, that a) gets them cash, and b) leaves you holding the bag. Compromising your existing accounts — again, regardless of how much wealth you do or do not have — is one way the process begins.
On one hand you and I are not interesting as individuals, and yet on the other hand we are all interesting as potentially useful tools and unwitting victims in a variety of scams.
I too passed on Lastpass when they had their first breach. One is enough to lose my trust. Ran through a few after that:
Roboform – Was ok but never at the caliber worth paying for. Customer service sucked. Clunky old school interface and privately owned (no transparency or open source code). Now it seems to only appeal to old-timers who don’t know the difference and don’t keep up with newer, better technology. The “Buick” of password managers.
Keepass – A great tool if you’re willing to give up a lot of convenience, having to manually update every machine you have it on every time you make a change. Sorry, it’s just too much work unless you have less than maybe 20 passwords. Then I’d consider it.
Dashlane – too expensive for what it offers and didn’t like the interface. It gets positive press but I don’t see the big deal here.
1Password – this would be my second choice. It’s a little too cutesy-graphic laden, like it’s aimed at Gen Z only. A bit pricey. Relentless upselling tactics.
Bitwarden – my first choice and very happy with it. Appears the most “serious” based on their professional (company) division, open source code, low cost and “mature” interface. They send out reports and updates on security. Customer service has been great when needed. I pay $10 annually for the premium plan.
Hi Leo,
I’ve tried a couple of password managers in the last couple of years. I tried Roboform many years ago and that was a wild ride. So many problems I finally moved on. In the last couple of years I’ve tried Dashlane and, for some stupid reason, Roboform. Both had a tendency to change 1 particular setting in the browser that I didn’t want changed. In the browser settings under Payment Methods it kept allowing “Allow sites to check if you have payment methods saved”. As far as I’m concerned my payment methods are my business and my business alone. Both kept changing the setting to allow. I’d reset it and they would change it back. I contacted Dashlane and they said it had to be allowed so I could make online payments. I disagreed and after discussing this with them I decided that Dashlane just wasn’t for me anymore. Then, due to what I can only claim as insanity on my part, I paid for Roboform. When I set it up Roboform did exactly what Dashlane did and allowed sites to check for payment methods. Again, I contacted them and they couldn’t give me a reason this was happening nor how to prevent it. 6 days after I paid them I asked for a refund. I might just as well have asked the PM of Canada to send me a check for a million dollars. Regardless of their 30 day money back guarantee, I never heard back from them and never got a response to any inquiries after asking for the refund. I removed Roboform from my system and reverted back to a method I used years ago. It’s never let me down and the info can’t be hacked. I keep it on a thumb drive and only use it on a computer that has no internet access. My passwords are extremely long and somewhat scary. I’m a very private person and don’t mind taking these extra steps to keep my info secure and only on my system. I only order items from Amazon and they don’t require me to make payment methods available. I for one won’t be using password managers again.
I don’t believe they’re worth my time if I can’t control what changes they make to my browser. They may be useful to some and that’s good. They just aren’t useful to me anymore. Just my side of the coin. Hope I’m not stepping on anyone’s toes. That’s not my intention. Just stating my side on the great password manager debate.
Take care Leo and be safe. Happy New Year
If they offered a 30 day money back guarantee, I’d contact my credit card company or PayPal or whichever service you paid them through and try to get the charge reversed. I don’t know what you mean by “check for payment methods”. I looked at the Roboform manual online, and there was no mention of payment methods.
I am (hopefully) OK with my Master Passcode, but I am still concerned that someone will gain entry to my vault.
Although I can (and have) now changed all my “important” account logins – with 2FA – my big issue is with Secure Notes. I had never thought of this until I read some of the comments above.
I use Secure Notes for many things – including identity information for my wife and I – with Social Security numbers and other data for the 3 relevant countries that we are citizens/permanent residents of.
These Secure Notes also contain all of our banking/financial information – except for access codes, of course.
I thought this is exactly what Secure Notes are for – but apparently I didn’t think this through properly. The lack of this feature is why I didn’t choose some of the LastPass alternatives.
And a Master Passcode re-prompt is worthless extra security if a hacker is already into your vault …
So this is now much more than a little scary – and I can’t do a thing about it …
Here is what contributed to the data breach at LastPass. It is called Private Equity or PE.
Private Equity Just Gave Your Bank Password to Hackers from Matt Stoller at Substack
{Copyrighted material removed}
Feel free to LINK to the material, but I can’t allow copy/paste of copyrighted material. -Leo
Here is the link to Matt Stoller’s article on the Private Equity takeover of LastPass and the data breach that followed. Sorry about that cut and paste. My point is a Private Equity takeover of businesses that you trust could disappoint you because Private Equity is not that interested in protecting your data.
https://bit.ly/3X6wBFs
So how does one know if the LP master password was “strong enough?” Mine is a 25+ character phrase but all letters, periods, and spaces.
That’s strong enough. Special characters are overrated in passwords. They offer more security than not having them, but more characters offer more protection even if it’s all letters.
See the sidebar in the article: “Appropriately strong master password:”
Leo, Do you still use Lastpass as your primary password manager? If so, have you changed all of you passwords contained in that vault as well as you master password?
I have an update coming up. The answer’s slightly more complicated than yes/no. :-)
Hi Leo, This article says the entire Lastpass vault is actually NOT encrypted DESPITE LASTPASS CLAIMS (when it is sent to Lastpass): https://hackernoon.com/psa-lastpass-does-not-encrypt-everything-in-your-vault (I’ve seen this said on other posts on the internet too…) I believe only the “user name” and “password” for all the data (several fields) stored for each site is ACTUALLY encrypted. For example each site URL is not encrypted, the class of site (ie mail, banking etc) is not encrypted either, and the notes field for each site is not encrypted either, etc etc. If this leakage of information (from a Lastpass vault) is available to hackers I think the situation is changed. Please note when I mention the notes field, Last Pass does have a facility to save encrypted notes; above I mean notes associated with each user name / password entry stored in Last Pass. This seems serious to me, but I do not really have enough knowledge to be sure or not. Can you comment? Thank You.
This isn’t new, and was present in their press release. That the URLs are unencrypted is definitely bad, allowing hackers to create more targeted phishing attacks, among other things. What matters most is that notes and username/password are securely encrypted.
That’s another strike against LastPass. It seems extremely negligent not to encrypt the entire vault. It’s probably even easier than encrypting just passwords and notes.
https://hackernoon.com/psa-lastpass-does-not-encrypt-everything-in-your-vault-8722d69b2032 Correct link
Leo, more info on another issue…. Google the words
Lastpass “password iterations” low value
turns up interesting links
In particular these:
https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/
https://palant.info/2022/12/28/lastpass-breach-the-significance-of-these-password-iterations/
This is why you’ll also see the common recommendation to change all you passwords immediately if your master password was weak. That’s where this comes into play.
What ever happened to the internet? That beautiful thing we all loved in the nineties. Like much of what mankind touches it has turned into a monster. This octogenarian is starting to minimize his use of the internet. Taking time to smell the flowers. There’s certainly a lot to be said for mattresses – that old fashioned way of protecting that which is important. Protect yourself – and yours. Don’t rely on someone or something else doing it for you.
Leo,
LastPass has finally commented on the breaches. I’m interested in whether your opinion of them has changed in light of this lengthy document they’ve released.
Nope. They’ve lost my trust. My position remains the same: there’s generally no urgency to move, and with proper security (outlined in one of their bulletins) you could even stay. But I’ll no longer recommend them.