And why it's important to read beyond the headlines.
I received several comments in late August 2022 from a variety of sources after the announcement that LastPass had suffered a breach. The comments ranged from "I'll be interested to see what you have to say" to "Now that LastPass has been hacked again, what should we use instead?"
Here's the thing: it's important to read beyond the headlines. Taking alarmist headlines at face value without understanding the relevant details can lead you to make unnecessary decisions.
For my part? I'm continuing to use LastPass. I'll explain why, and what I think you should do.
The LastPass hack
The reported hack into LastPass does not involve any user data and does not warrant abandoning LastPass. LastPass was forthright in publicizing the breach. However, trust is critically important when using a password vault. So even if this unnecessarily causes you to lose trust in LastPass, there are many excellent alternatives.
It's all about trust
I want to start by saying that trust is important. You need to trust the password vault or password manager you choose to use.
The reason is fairly simple: if you don't trust the software, you're less likely to use it.
It's important that you use a password manager.
Therefore, it's important you trust your password manager.
If this or any other situation leads you to trust LastPass (or any software) less, then use something else that you do trust. In the case of LastPass, that means investigating a different password manager.
I totally understand why, reacting only to the headlines and without understanding the details, you might feel like you need to make a switch. I have an upcoming article on exactly which password managers you might want to consider. There are many decent and reliable alternatives.
But LastPass remains at the top of my list.
The breach
LastPass disclosed the breach publicly. In short, the account of a LastPass developer was compromised. Using that account, the attackers got into LastPass's development environment and took portions of source code, some of which contained what LastPass considered to be proprietary technical information.
That's it.
The important thing to realize about the breach is that no user information was compromised. In other words, as a LastPass user, my account credentials were not compromised, my LastPass vault was not compromised, my LastPass stored information was not compromised, and none of the entries in my LastPass database were compromised.
None.
LastPass's announcement goes into more detail, but the bottom line for the average user is that you are not affected.
LastPass's response
LastPass made this information public. They were forthcoming about the details of the breach, and they provided a detailed FAQ that consumers can refer to in order to understand exactly how worried they should be.
My take is that LastPass has done the right thing. This increases my confidence in LastPass to do the right thing in the future should anything ever happen again.
What's the risk?
That's not to say that there isn't risk here. The risk is not imminent, but it does exist.
Without knowing the details of exactly what the hackers stole in terms of source code, it's difficult to assess the risk. The implications could be completely benign. On the other hand, the proprietary information reportedly included in the breach could allow an attacker to better understand how LastPass works and how they might exploit any vulnerabilities they discover.
That's roughly the position open-source software is in every day: the code is public, and the security of the product has to rest on the soundness of its design and its encryption, not on keeping the source secret.
I trust LastPass to understand what's been taken, understand the risks of what's been exposed, and take remedial action should that be appropriate.
Why I'm not worried
One of the things that's important to realize about software development is that it rarely happens on live systems.
What that means is that while making changes to software for an online service such as LastPass, the changes are made in a separate, isolated development environment that does not have access to "real" live data. Even if a hacker successfully accessed a developer's account, it's highly unlikely that the developer had access to live data.
So the hacker did not have access to our password vaults.
But what if they did?
Even LastPass can't see your data
One of the features of most password vaults is that your master password is never sent to the service. Your vault is encrypted on your own device with a key derived from that master password, and it is decrypted on your device only when you sign in. The server stores just the encrypted blob and a separate login hash, neither of which can be turned back into the key. So a hacker, even if they were able to grab a copy of your encrypted vault, would be unable to view its contents.
I'll say that again: a hacker who gains access to your encrypted vault on LastPass's servers cannot view its contents without your master password. The one caveat worth knowing: a stolen vault can be attacked offline by guessing master passwords one at a time, so this protection is only as strong as your master password and the cost of the key derivation. A long, unique master password keeps that attack out of practical reach.
And I'll also say this again: that did not happen in this breach. No user data was exposed.
Do this
You do not need to abandon LastPass. I am not abandoning LastPass.
However, trust matters. If you no longer trust LastPass, I have an upcoming article that discusses several reliable and trustworthy alternatives, such as Bitwarden, 1Password, and KeePass.
What do you think about Roboform for an alternative?
It’s legit. I used it many years ago. I have an article upcoming on alternatives — stay tuned.
I had switched from LastPass to Bitwarden because I prefer the features available in Bitwarden. Any password manager worth using encrypts data on the user's machine before storing it on a server. Without the master password the data is useless. And master passwords don't get stored anywhere.
When setting up a password vault, most password managers warn that the master password needs to be something a user can remember because they do not have the capacity to recover it. Forget the password and the vault is unrecoverable.
When I saw the news about LastPass, I read the whole story and realized it was not a disaster for users. Competitors and critics will try to make the breach a bigger deal than what it was, but LastPass did a good job explaining what happened.
Even though I switched from LastPass, I still recommend it myself. Bitwarden’s family plan costs less than others, but Bitwarden takes some effort to set up for multiple users.
Hi Leo. You wrote: “the account of a LastPass developer was compromised…”
In your article, you never addressed the elephant in the room:
HOW did the developer’s account get compromised ???
That’s the REAL question here.
This was not disclosed. I don’t consider it “the elephant in the room” at all because there are so many possibilities, and it’s something both auditable, and correctable. My money’s on a successful phishing attack, since that’s so common these days.
Roboform is great, I’ve been using it for years. The reason I switched from Last Pass to Roboform is purely because Roboform is better at actually filling out forms – something that is essential for me as one of my hobbies is entering competitions. As passwords managers, both are absolutely fine.
I’ve been a LastPass user since 2009 or so. While it helps me a ton, the customer service has gone down over time as they got acquired (it happens, Leo has an article on it).
Recently on the Android, they just got rid of their browser just like that, which I didn’t like. I had liked using the LastPass browser because it was the one place where I know cookies and history will be deleted.
Also, I haven’t liked their constant price increases.
Started with Roboform maybe 12 years ago, but customer service is terrible and I became concerned that they are private and not open source. Antiquated website and clunky interface. Considered LastPass but they had just sustained their first breach and now a second one. No thanks. I finally settled on Bitwarden 2 years ago and no looking back. Open source, great support (even for free users, and I am premium at only $10 a year). I feel very comfortable with Bitwarden as a better alternative to LastPass (and even 1Password, which would probably be my second choice if BW were not available).
Leo, you did say something that gave me pause: “One of the features of most password vaults is that they do not store your password and have no way of decrypting your vault until you supply that password when you sign in.” Does this mean LastPass can “see” the contents of your vault while you are signed in? Can the contents be seen “in the clear”?
In order for the vault — any vault — to work, of course they have to be able to “see” the contents in order to be able to fill it in for you. With LastPass that happens ONLY on your machine, and never on LastPass’s servers.
No. The encrypted vault is stored on LastPass’ servers, but the encryption, decryption, and insertion into the webform happens exclusively on your computer or device.
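The scheme described in "Even LastPass can't see your data" and in the exchange just above, as an added example. This is illustrative code written for this page, not LastPass's implementation: the KDF iteration count, the HMAC-based stream cipher standing in for AES, the two users and the wordlist are all constructed. It derives the encryption key and a separate login hash on the client, shows that the server's copy contains neither the master password nor the key, and then runs the offline-guessing attack a thief could still mount against a stolen vault, which succeeds only against the weak master password.

```python
"""Toy zero-knowledge vault: what the client keeps, what the server sees.

Constructed for this page; not LastPass's code. The iteration count, the
HMAC-SHA256 counter-mode cipher (a stand-in for AES) and the sample data
are assumptions chosen to keep the example runnable offline.
"""
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 50_000  # assumed value; real services tune this much higher


def derive_keys(master_password: str, email: str, iterations: int = KDF_ITERATIONS):
    """Client side. enc_key decrypts the vault and never leaves the device;
    login_hash is derived *from* enc_key so the server can authenticate the
    user without learning either the key or the master password."""
    enc_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations
    )
    login_hash = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1)
    return enc_key, login_hash


def _subkey(key: bytes, label: bytes) -> bytes:
    """Domain-separated subkeys so encryption and MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative stand-in for AES)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC on the device; the returned record is what gets uploaded."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(enc_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(enc_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(enc_key: bytes, record: dict) -> bytes:
    """Client side again: verify the tag before touching the ciphertext."""
    nonce, ct = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    expected = hmac.new(_subkey(enc_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise ValueError("wrong key or tampered vault")
    ks = _keystream(_subkey(enc_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def offline_guess(record: dict, email: str, wordlist, iterations: int = KDF_ITERATIONS):
    """What someone holding a stolen ciphertext can still do: guess master
    passwords offline. Every guess costs a full KDF run, so the iteration
    count and the master password's strength are the only defence."""
    for guess in wordlist:
        key, _ = derive_keys(guess, email, iterations)
        try:
            return guess, decrypt_vault(key, record)
        except ValueError:
            continue
    return None, None


def demo():
    """Two constructed users; reports what the server holds and what an attacker gets."""
    vault = json.dumps({"example.com": {"user": "alice", "pass": "s3cr3t"}}).encode()
    wordlist = ["123456", "password", "password1", "qwerty", "letmein"]  # constructed
    results = {}
    for email, master in [("alice@example.com", "password1"),
                          ("bob@example.com", "correct horse battery staple")]:
        enc_key, login_hash = derive_keys(master, email)
        # Everything the server ever stores for this user:
        server_copy = {"login_hash": login_hash.hex(), **encrypt_vault(enc_key, vault)}
        cracked, _ = offline_guess(server_copy, email, wordlist)
        results[email] = {"server_sees_key": enc_key.hex() in json.dumps(server_copy),
                          "cracked_with": cracked}
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the server's record for both users is just a login hash and ciphertext; the short wordlist recovers Alice's vault because her master password is in it, and gets nowhere against Bob's passphrase. That is the whole point of the "zero-knowledge" design, and also why the master password, not the server, is the thing to get right.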
I have been using a password vault for many years but was informed (by them) that they are dropping support at the end of the year. I can export the contents of my vault to a .CSV file, but I need to know what password managers would support importing such a file. The company that is dropping support made a suggestion, but the product they suggested is not one that I’ve seen mentioned here on askleo nor anywhere else. Maybe my situation is very uncommon, but I have not seen information from the products that I’ve seen mentioned as to what abilities they have to import data from another password manager. When you publish your upcoming article, would it be possible to include information on “importability” ?
I know LastPass allows you to import. What I would do in your shoes is try the free version (of whatever tool you are considering) and performing an import to see how well it behaves.
I have a related comment/question on LastPass, though not necessarily related to this incident. What do you think of websites that don't let you paste a password when you create them? I am creating an account on Quest Diagnostics right now. It lets me paste a username, but won't let me paste in the password field. So then I can't easily use a 23-character LastPass-generated password. I ended up creating an 8-letter password. The website still allows autofill when logging in, but no pasting when creating the password.
Annoys the heck out of me. If it’s a situation where I can, I walk away. They’re FORCING poor security.
A long password, something like: correct horse battery staple is a great password. I’ve added the capital letter, the numbers and the question mark because many websites require those.
How do I make a secure password if I can’t use special characters?
You don't need to use special characters unless the site requires it, and then you can use:
C0rrect h0rse battery staple!
On PCs the best way to create a super strong master password is to switch to a foreign language like Japanese, Farsi, or Swahili for instance BUT type your master password in English language with easy to remember words with some numerals.