LastPass and the Difficulty of Being Safe

In case you haven't heard, popular password manager LastPass released an updated statement on December 22nd with some terrifying details for anyone who uses their product. Basically, customers' password vaults are now in the hands of hackers.

Now that some security experts have had the chance to read the statement and assess the damage, LastPass is getting absolutely roasted.

LastPass’ December 22nd statement was “full of omissions, half-truths and outright lies,” reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it’s being; he accuses the company of trying to portray the August incident where LastPass says “some source code and technical information were stolen” as a separate breach when he says that in reality the company “failed to contain” the breach.

Even one of their competitors, 1Password, has decided to weigh in.

But what concerns me about all of this is the impact on users, and the ongoing challenge of remaining safe and secure online. I mean, think about the type of person who uses LastPass. These are people who are trying to be safe online. Instead of relying on a single password for everything (I know people who still do this), or maintaining a document or note with all of their passwords (yep, I know people who do this, too), they went so far as to start using dedicated software for this. But now they're being punished because they basically chose the wrong product.

While a lot of LastPass's mistakes pertain to their system architecture decisions about which pieces of data to encrypt or not, one piece that I find interesting is the set of decisions about whether to require users to adopt more secure master passwords for their vaults. Not only were users with eight-character passwords not required to change them to twelve-character ones, as pointed out by Wladimir Palant of Almost Secure:

That’s because LastPass didn’t ask existing customers to change their master password. I had my test account since 2018, and even today I can log in with my eight-character password without any warnings or prompts to change it.

So LastPass required twelve characters for the past four years, but a large portion of their customer base likely still uses passwords not complying with this requirement. And LastPass will blame them should their data be decrypted as a result.

Woof. Not only that, but users weren't encouraged to generate particularly strong passwords. From Jeffrey Goldberg of 1Password:

The LastPass account password “best practices” advice linked to in their announcement says nothing about using a password generator, so it would be incorrect to assume that users are generating their LastPass passwords using a strong password generator.
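
The two criticisms above (a length minimum that was never applied to existing accounts, and no advice to use a generator) both come down to what a password manager's client does at unlock time and at password creation time. The following is an added example, not code from LastPass, 1Password, or anyone quoted here: it re-checks the master password policy on every unlock rather than only at registration, generates random passwords and passphrases with Python's `secrets` module, and compares the guess space of an eight-character and a twelve-character password. The twelve-character minimum matches the figure in the post; the wordlist, the tiny denylist, and the 94-character printable alphabet are constructed for illustration.

```python
import math
import secrets
import string

# Twelve characters is the minimum the post says LastPass required at
# registration; the policy here is applied to every unlock, so legacy
# eight-character passwords are flagged instead of silently accepted.
MIN_MASTER_PASSWORD_LENGTH = 12

# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed mini wordlist; a real passphrase generator would draw from a
# large curated list (thousands of words), which is what gives passphrases
# their entropy.
WORDLIST = ["copper", "glacier", "velvet", "orbit", "lantern", "meadow",
            "quartz", "thistle", "harbor", "ember", "saffron", "tundra"]

# Constructed denylist standing in for a real breached-password check.
COMMON_PASSWORDS = {"password", "password1", "letmein"}


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy, in bits, of a password chosen uniformly from
    alphabet_size ** length possibilities (an upper bound for human-chosen ones)."""
    return length * math.log2(alphabet_size)


def policy_findings(password: str) -> list[str]:
    """Return the reasons a candidate master password fails the policy.
    An empty list means it passes."""
    findings = []
    if len(password) < MIN_MASTER_PASSWORD_LENGTH:
        findings.append(f"shorter than {MIN_MASTER_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("on the common-password denylist")
    return findings


def login_decision(password: str) -> str:
    """Client-side gate evaluated on every unlock, not only at registration.
    The client already holds the master password at this point, so the check
    costs nothing and reaches accounts created under an older, weaker rule."""
    return "must_change" if policy_findings(password) else "ok"


def generate_password(length: int = 20) -> str:
    """Uniformly random password over the printable alphabet (CSPRNG-backed)."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def generate_passphrase(words: int = 6, sep: str = "-") -> str:
    """Random passphrase: easier to type than generate_password() output and,
    with a real wordlist, comparable in strength."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    # Legacy eight-character password versus the current minimum.
    for n in (8, MIN_MASTER_PASSWORD_LENGTH):
        print(f"{n} random printable chars: {guess_space_bits(n, len(PRINTABLE)):.1f} bits")
    print("legacy 'abcd1234' at unlock:", login_decision("abcd1234"))
    print("generated password:", generate_password())
    print("generated passphrase:", generate_passphrase())
```

The entropy figures are the ceiling for random passwords; a human-chosen eight-character password is far weaker than its 52-bit ceiling, which is why the advice to use a generator matters as much as the length rule.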

So where does this leave us? First of all, if you're reading this:

  1. Please, please use a password manager that helps you generate unique passwords for every account you have on the web, like 1Password, Bitwarden, or even iCloud Keychain (if you're an Apple and Safari user).
  2. Please, please use multi-factor authentication (MFA) where available, ideally not through SMS (hopefully your password manager can offer this, too).
  3. If you were using LastPass – stop. Move to 1Password (I've been a happy customer for years), or Bitwarden, or iCloud Keychain.
  4. If you did have passwords saved in LastPass, (after moving to another password manager) start generating new passwords ASAP, beginning with the services and accounts that you use most frequently or contain the most sensitive information.
  5. Be very careful of any suspicious emails or texts claiming to be from one of these services and attempting to "phish" for your password. These LastPass hackers can see URLs in the data they got, because the URLs weren't encrypted, so they can target users based on the services they actually used.

But beyond that, this breach shows us just how far we have to go to keep users safe. Will something like Passkeys be a viable solution? Even if it is, how long will it take for it to be widely adopted?

In the meantime, stay diligent, and help your friends and family to do the same.