It’s time to move on. The questions are, to what and how quickly?
“The time has come,” the Walrus said,
“To talk of many things…”
– Lewis Carroll
The last month or so of news and articles and general hysteria and misinformation (in both directions) around the LastPass breach have been challenging. Faced with all the conflicting information, it’s been difficult to sort out truth from fiction and make rational decisions.
Particularly since some of those decisions might involve a lot of inconvenience.
My recommendation is that it’s time to leave LastPass behind, but of course it’s not quite as simple as that. I’ll review what I think needs to happen and the path that I’ve embarked on myself (and why).
- If you’ve been considering LastPass… don’t.
- If your LastPass master password was weak, immediately change passwords for important accounts such as financial accounts and your primary email account(s).
- Choose a new password manager. 1Password or Bitwarden are my recommendations.
- Migrate your vault to the new tool.
- Change passwords over time.
- Keep using a password vault.
The elephant in the room
LastPass has handled this entire situation horrifically. After watching these last weeks, I’ve given up hope that they will ever do so to my satisfaction, and thus recommend choosing a different password manager.
There’s exactly zero data that the contents of anyone’s vault has been compromised.
However, enough information has surfaced to make it clear that LastPass is no longer to be trusted.
- The URLs of your vault entries were not encrypted; only usernames, passwords, and secure notes were.
- “Old” LastPass accounts used a slightly less secure encryption of the master password, and users were never told to update.
- LastPass’s communication has been disappointing, to put it politely.
LastPass has let us down, and it’s time to move on.
The “weak password” thing
There is a small chance that if you have a “weak” password (which implies it pre-dates the improved master password encryption I mentioned above), your encrypted data could be vulnerable to a brute-force attack. I don’t consider this likely, as hackers will probably have better results with the treasure trove of exposed information, like the URLs, to improve their phishing attacks for a lot less work.
However, it’s possible. If your LastPass master password is not appropriately strong, consider changing the passwords of all “important” accounts stored in your vault as soon as possible, and all accounts eventually. Consider adding two-factor authentication to those accounts that support it for even more security.
Changing all your passwords can be a major inconvenience, but this is a “better safe than sorry” situation.
In my case, even though my LastPass master password was long and strong, I changed the passwords at all my financial institutions.
A new password manager
Both 1Password and Bitwarden provide functionality roughly equivalent to LastPass, both are popular, and both come highly recommended from a variety of sources. The biggest practical difference is that 1Password does not have a free offering, whereas Bitwarden does. I’m comfortable recommending either.
I personally am now using 1Password because its Teams offering handles separate vaults for separate organizations. Since I support organizations that use password management tools, it’s important that I and others on the team can access both our own vaults and the organization vault as seamlessly as possible.
Both 1Password and Bitwarden are cloud-based, making your vault(s) available on multiple devices simply by signing in. If you’re now cloud-shy (as I am not), then I would point you at KeePass, an open-source tool that maintains its encrypted vault locally, leaving it up to you to store, copy, synchronize, and use it as you see fit.
Set up the new tool
Whichever tool you select, when you set up your account, make certain to:
- Choose a long, secure master password.
- Save that master password somewhere secure.
- Take advantage of any and all recovery or account security offerings.
For example, 1Password offers you the opportunity to create an “Emergency Kit”, a downloadable PDF containing all your account information with a place for you to write in your master password. Create it and save it in a secure location.[1]
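The article’s point about “weak” master passwords (above, under “The ‘weak password’ thing”) and the advice to choose a long master password come down to the same arithmetic: an attacker holding an encrypted vault must guess the master password, and each guess costs one run of the key-derivation work factor. The estimator below is an added example, not code from the article or from LastPass, 1Password, or Bitwarden. Its two iteration counts, the attacker throughput figure, and the tiny common-password list are all constructed for illustration; what it shows is how the expected crack time moves with password length, character pool, and work factor.

```python
import math
import string

# Illustrative parameters (constructed for this example, not figures from the
# article): a "legacy" and a "current" key-derivation work factor, and an
# assumed attacker throughput for the underlying hash.
LEGACY_ITERATIONS = 5_000
CURRENT_ITERATIONS = 100_000
RAW_HASHES_PER_SECOND = 1e10

# A tiny constructed stand-in for the wordlists that get tried first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "welcome", "monkey", "dragon", "iloveyou"}


def charset_size(password: str) -> int:
    """Size of the character pool the password visibly draws from."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if any(c.isspace() for c in password):
        pool += 1
    return pool


def entropy_bits(password: str) -> float:
    """Guessing entropy in bits.

    A password on the common list is effectively a lookup, so its entropy is
    the log of the list size. Otherwise assume every character was chosen
    independently from the pool; that is an upper bound, so the crack-time
    estimate is optimistic for anything with words or patterns in it.
    """
    if password.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def guesses_per_second(iterations: int, raw: float = RAW_HASHES_PER_SECOND) -> float:
    """Each guess costs `iterations` hash computations, so throughput divides."""
    return raw / iterations


def expected_crack_seconds(password: str, iterations: int,
                           raw: float = RAW_HASHES_PER_SECOND) -> float:
    """Expected time to hit the right guess: on average half the keyspace is searched."""
    keyspace = 2.0 ** entropy_bits(password)
    return (keyspace / 2) / guesses_per_second(iterations, raw)


def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, e.g. '8.2 days'."""
    for name, size in [("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)]:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def assess(password: str, iterations: int) -> dict:
    """Entropy and expected crack time for one password under one work factor."""
    seconds = expected_crack_seconds(password, iterations)
    return {"bits": round(entropy_bits(password), 1),
            "seconds": seconds,
            "human": human_duration(seconds)}


if __name__ == "__main__":
    samples = ["password", "fluffy99", "Tr0ub4dor&3", "correct horse battery staple"]
    for pw in samples:
        for label, iters in [("legacy", LEGACY_ITERATIONS), ("current", CURRENT_ITERATIONS)]:
            r = assess(pw, iters)
            print(f"{pw!r:34} {label:8} {r['bits']:6.1f} bits  {r['human']}")
```

Raising the work factor by 20× buys exactly 20× more time for every password, which helps an eight-character password only from days to months; adding length moves the estimate by orders of magnitude. A four-word passphrase of the kind the article recommends sits so far beyond either work factor that the iteration count stops mattering, which is the practical reading of “if your master password was strong, in theory you shouldn’t need to change anything.”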
Most tools include browser extensions to make password capture and entry easy. They may include programs you can run on your computer to manage your account and vault, secure web access, and apps that allow you to access your vault from mobile devices. Choose the combination of tools that works for you — usually the browser extension — once you’ve created your account.
Migrating the easy(ish) way
The most common way to migrate from one password manager to another is to:
- Export your data from the password manager you’re using. (Instructions for LastPass are here.)
- Import your data into your new password manager. Instructions vary depending on the tool you use.
- Save a copy of your export file somewhere secure, much like a backup.
- Delete the copy of the export file you used for import so as not to leave the information on your computer unencrypted.
- Eventually, stop using the old tool, uninstall its components, and (optionally) delete the account.
In concept, it’s fairly simple, and most tools do it well.
The basics transfer over nicely: the URLs, user IDs, and passwords of the accounts you have stored in your vault. However, any additional information, ranging from equivalent URLs to secure notes to stored credit card information, may or may not transfer depending on the capabilities of the tools involved. This is why I recommend saving the export file somewhere safe. That way, should some data not have transferred directly, you’ll always have access to the information later should you need it.
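Before deleting the plaintext export (step 4 above), it is worth checking what actually made it across. The script below is an added example, not code from the article or from any of the password managers it names: it reads the old export and the new tool’s own export, matches entries by host and username, and reports entries that went missing, entries whose password differs, and entries carrying fields (TOTP seeds, notes, folders) that importers commonly drop. The LastPass column names, the use of the placeholder URL “http://sn” for secure notes, and the new tool’s column names are assumptions; check them against the header rows of your own files. Both CSVs are constructed samples with made-up credentials.

```python
import csv
import io
from urllib.parse import urlsplit

# Column names assumed for a LastPass CSV export; check your own file's header
# row. Secure notes are assumed to carry the placeholder URL "http://sn".
BASIC_FIELDS = ("url", "username", "password")
EXTRA_FIELDS = ("totp", "extra", "grouping")   # fields an importer may silently drop

# Constructed sample of the old export (made-up credentials).
LASTPASS_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example.com/login,leo,correct-horse-battery,,,Example Bank,Finance,1
https://mail.example.org/,leo@example.org,hunter2-but-longer,JBSWY3DPEHPK3PXP,,Example Mail,,0
http://sn,,,,Safe combo: 12-34-56,Office safe,Notes,0
https://shop.example.net/account,leo,sh0pp1ng!,,,Example Shop,Shopping,0
"""

# Constructed sample of what the new tool exported after the import; its
# column names are hypothetical. The secure note did not come across.
NEW_TOOL_EXPORT = """url,username,password,notes,title
https://bank.example.com/login,leo,correct-horse-battery,,Example Bank
https://mail.example.org/,leo@example.org,hunter2-but-longer,,Example Mail
https://shop.example.net/account,leo,sh0pp1ng!,,Example Shop
"""


def parse_export(text: str) -> list[dict]:
    """Parse a CSV export into a list of row dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def entry_key(row: dict) -> tuple[str, str]:
    """Match entries across tools by (host, username); paths and schemes vary."""
    host = (urlsplit(row.get("url") or "").hostname or "").lower()
    return host, (row.get("username") or "").strip().lower()


def fields_at_risk(rows: list[dict]) -> dict[tuple[str, str], list[str]]:
    """Per entry, the non-basic fields that hold data and so need checking after import."""
    risk = {}
    for row in rows:
        present = [f for f in EXTRA_FIELDS if (row.get(f) or "").strip()]
        if present:
            risk[entry_key(row)] = present
    return risk


def compare_exports(old_rows: list[dict], new_rows: list[dict]) -> dict:
    """Report entries missing from the new tool and entries whose password differs."""
    new_index = {entry_key(r): r for r in new_rows}
    missing, mismatched = [], []
    for row in old_rows:
        key = entry_key(row)
        if key not in new_index:
            missing.append(key)
        elif (new_index[key].get("password") or "") != (row.get("password") or ""):
            mismatched.append(key)
    return {"missing": missing,
            "password_mismatch": mismatched,
            "matched": len(old_rows) - len(missing)}


if __name__ == "__main__":
    old = parse_export(LASTPASS_EXPORT)
    new = parse_export(NEW_TOOL_EXPORT)
    report = compare_exports(old, new)
    print("entries not found in new tool:", report["missing"])
    print("entries whose password differs:", report["password_mismatch"])
    for key, fields in fields_at_risk(old).items():
        print(f"{key}: verify these fields were imported: {', '.join(fields)}")
```

Run it against the real files only while both plaintext exports are on disk, then delete the import copies as the article advises and keep just the secured backup. Entries that share a host and username (two accounts at one site under one login name) will collide on the key, so treat a short “missing” list as a prompt to look, not as proof.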
For the record, while I recommend this as the approach most folks should take, it’s not what I’m doing.
Migrating the hard(ish) way
After exporting my LastPass database, I examined the .CSV file and discovered that it had over 1,000 entries. I’ve been using it for some time, and things accumulate.
So my approach to migrating has been to essentially start over. As I visit sites and need to sign in, I grab the credentials from my backup,[2] enter them, and instruct 1Password to save them. This way, my 1Password vault will contain only those entries I actually use.
The downside is that I’ll need to do this for months to come. Far in the future, I’ll need to sign in to a site for the first time since I switched, and it won’t yet have a 1Password entry.
Change passwords over time
The remaining question is what to do about the passwords in LastPass. Again, and to be clear, no actual passwords were compromised in the LastPass breach, only encrypted data. The risk is that the encrypted data could be brute-force attacked and decrypted. That risk ranges from extremely small to minuscule, depending on the strength of your vault’s master password.
But it’s not zero.
I’m not a fan of forced periodic password changes. They tend to cause more security issues than they prevent.
However, there’s nothing at all wrong with changing passwords to important accounts — or any accounts — because you want to.
Assuming you had a strong master password, in theory you shouldn’t need to change any passwords. I changed a few anyway because it made me feel better.
And when it comes to security, trusting in and feeling good about your situation is important.
Keep using a password vault
One of the first questions I got after recommending 1Password to someone was this:
How do we know they won’t get breached in the future, and we find ourselves right back in the same place?
Seriously. There’s no guarantee that any of the software or services you use anywhere for anything won’t suffer a catastrophic breach, and that includes whatever tool you choose to manage your passwords.
There’s no such thing as perfect security.
There is only more secure and less secure.
You can stack the deck in your favor and reduce the odds that you’ll ever be impacted by a breach in the future, but you cannot guarantee it’ll never happen, no matter what approach you use.
I remain firmly convinced that using a reputable password manager, including those with a cloud-based component, is safer than any alternative you might devise. Most importantly, it enables using long, unique, and truly random passwords for every site, which is perhaps the single most important thing you can do for password security. Every other alternative I’ve seen proposed compromises that or the fundamental security of how the passwords are saved and stored.
If you’re using LastPass and you have a weak master password, start changing passwords to your important accounts.
If you’re using LastPass at all, it’s time to move to another tool. It doesn’t have to be immediate, and you need not panic. LastPass has simply failed us too many times. While I’m not concerned about my data having been compromised (again, no actual credentials have yet been exposed), I no longer trust them to do the right thing moving forward.
Password management is nothing without trust.
Hopefully, you trust me to give you good advice about staying secure. Subscribe to Confident Computing, my weekly newsletter. Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Footnotes & References
[1]: You can create the emergency kit at any time, but I strongly recommend doing so when setting up the account.
[2]: Two approaches: I have the export stored securely and can reference it at will. The other approach is to have a separate browser — Brave, in my case — that still has LastPass installed. I can then access my vault directly therein to copy/paste whatever I need. A third approach, I suppose, would be to visit LastPass.com on the web and access the vault that way.