Earlier in the year, I was talking about using a password manager to secure your passwords. I have been using LastPass for the past 8 years. As I discussed previously, LastPass had a security breach last summer. That breach involved the exposure and loss of their customer database. This handed the black hats all of the encrypted data of their customers. It was simply a matter of time before the bad guys used password cracking tools to decrypt customer password files.

So I did the sensible thing and changed all of my passwords, beginning with the most sensitive ones: email passwords, passwords to financial websites, and on down the list to the least important. It took several weeks to change hundreds of unique passwords. I also changed the master password. The next step was to add MFA using a Yubikey. All of my data is now secure, and anything they have is no longer relevant.

I don’t blame LastPass for the fact that they had a breach. Everyone is a target, and a company like LastPass is a bigger target than most. No, what made me upset was that the breach happened in August, but they didn’t disclose it until November. At first they denied that the bad guys had gotten the encrypted password wallets, then in December they finally admitted that the password wallets had been lost. So the bad guys had our vaults for months before LastPass bothered to tell anyone. Months to brute force passwords, months to steal, and time is all they need.

They are still releasing information in dribs and drabs. It has come out that the database was stolen because one of their engineers was permitted to access the servers from his home computer. That computer was compromised, which allowed the hackers to access corporate information. Now, password vaults are all encrypted and no one but the user has access, but still. Who does this? Home access to sensitive information? There is also the fact that they hid this information for over 9 months. That’s just too shady for me.

I didn’t want to change from LastPass, but this is the last straw. They just are not trustworthy. This isn’t the time to be cute and try to spin this from a PR perspective. This is a much bigger deal than just bad publicity. People’s information that YOU are supposed to safeguard is at stake. I no longer recommend LastPass as a viable password vault application.

LastPass is no longer for me, and it shouldn’t be for you, either. I want cloud storage of my passwords, because it allows portability between laptop, cell phone, etc. So I switched my password wallet over to 1password. The cost is $60 a year for the family plan, which allows up to 5 people to use the account. 1password is also compatible with Yubikey.

14 Comments

It's just Boris · April 20, 2023 at 5:55 am

I’ve been using 1password for a long time now, and find it works well.

One caveat … I bought a copy when you could still buy, not rent, the software, and have flat out refused to “upgrade” to a subscription that requires me to use their cloud storage, rather than one of my choice. (I am increasingly irritated at “life-by-subscription”)

Fortunately you can still download the old version of the browser plugin and desktop app (although it’s been made harder to find over the years), and the mobile app will work with the older version’s libraries.

At some point I’ll likely need to switch to an open source manager. But for now, 1password has served me well.

Anon · April 20, 2023 at 8:57 am

Be sure and use a very strong password in order to access the manager. Nothing worse than someone hacking your “Cow1234” password and feeding Betsy some unauthorized straw.

    Fido · April 20, 2023 at 4:43 pm

    Also be sure that the “one” very strong password is never used anywhere on the net. It should never leave your computer, and should never be stored on your computer other than as a hash. If you ever accidentally type it on a website (say, logging in), immediately change it everywhere you have used it.

oldvet50 · April 20, 2023 at 8:58 am

I still do not understand the ‘cloud’. Isn’t it someone else’s computer and why would I want to put any of my data there? For fiscal security, I have a credit card with a $500 limit that I use for online transactions. If it gets hacked, I am not financially ruined. I think an EMP will make all this moot anyway.

    D · April 20, 2023 at 11:07 am

    It sounds like you understand “the cloud” just fine.

    I use GoPass. Linux command-line for the win: https://github.com/gopasspw/gopass

    "pwgen -sy 32" is great for generating passwords:

    3dtN:-fWYuwA`0/.'KQ,6]RW[)vz6PDn S2sTK^7CNW0#,ga-D0#[9J7k*uu6l46y
    SU1e|vz,>(3\b(b_@h&6!fG>e5c6*s>" NC=sC[EnWi2-[1R:wYb+ElS[tuhbkL8^
    P.@g)%*Tibx>,BD|x-S*=hfysJV8c|W8 iP&3RsrCAC?84Ei{3*r$MIq3h#dPFPh1
    Y$zLDz5U?s^g|bbq=1{[)'PI@V/v:X]\ K"b8CtL[S$^@noMkjUyb,i=%3+!9g0uf
    XA@`5"3rJgI3X?YqNrK\q8X%qrBUCFuj a~&SU8tgZpxnCUUL*)WO!Zny#]O?WlFS
    (l5I)v6^JM.*[UYS}QBZ7i{(.JmH)A;8 g)ynL-eoSK:@P\.&{pahNZ"{-f'di6Y?
    QY(L/'Up\}B?&QNwDPZ\=I8$t(G|7|-) t-Ye+&@=4Cu1LL^%MZ=d8l@0i+y[[1}E
    d@F;k]PMHad>dSozv~zMAD(In<\84uGqo\Zc);w"wN
    xI^@o`pg.V_pN9YS1JiqD2+]8hF6zFXy Qp):Kkg`6S85QW~SZf)&R,$nrVACQuZe
    Bh)ZT|wW+;Iz-/\;wm0ybrP?/<w*^.D3 ubb{i'WYzA&EXRd_U|!.D6^cjd_J<U4D
    C$6B^bLP3 ($)x[#|NVgbIpE4p`v8.E1m{Z04otmo_
    ^cQ*=rKL&\UBVRjRJ;B@4aZ(b@ubRtrKD.PBX41<&[bm(I
    ^bR7z$/p('hm&XHD*S!i@]!6P^SIvD4! %J2^uR.XwpDs[rZBxo(*i<}jFW{j}CX|
    6J=<4ksr\?_-mlgO(F~M]B]jWm{7gW[+ $hiv8rHX3z`n9?pm#DHO30.{-BDKb<VL
    #"D@cs!57kW0nNe{v^&kGSs?QZ!MPAI+ 1snNId^BvR]7E*2|]G"7\\7add<ZJ,w/
    Vp@q"O@/;#=PJI-T+k2c2Zr2(X![gqQi (?pV@6$WK\EOq-wOx9Roloc:M rRnk:;4!}b8{HY4,s2=ZJ;/STGH,(~!p
    Is7xao*1#m"XzE0H*%!g#ySY|dsLoonQ kw(jZMb$9G+|ao/w$PFZMRJL"Fa3d&\R
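    The comment above shows pwgen output but not why a 32-character symbol password is as strong as it is. The following is an added example, not the commenter's code and not part of pwgen, that generates passwords the same way (uniformly from the printable ASCII set, which is assumed here to approximate pwgen's -sy alphabet) with Python's CSPRNG and computes the resulting entropy so you can compare generator settings before trusting one as a vault master password.

```python
import math
import secrets
import string

# Assumed alphabet: letters, digits and punctuation (94 printable ASCII
# characters, no space). This approximates "pwgen -sy"; it is not pwgen's code.
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=32, alphabet=SYMBOL_ALPHABET):
    """Return a password of `length` characters drawn uniformly at random from
    `alphabet`, using the operating system's CSPRNG via the `secrets` module.
    Never use `random` for this: it is seeded predictably and not designed
    for secrets."""
    if length <= 0:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    A 32-character password over 94 symbols is about 209.7 bits."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an offline attacker to reach the password by exhausting
    half the keyspace at the given guess rate. The rate is an input, not a
    measurement: use a value from your own threat model."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def compare_policies(guesses_per_second=1e10):
    """Return (label, bits, years) tuples for a few common generator settings,
    so the difference between short human-chosen passwords and long generated
    ones is visible in numbers. The guess rate is a constructed illustration."""
    seconds_per_year = 365 * 24 * 3600
    policies = [
        ("8 lowercase letters", 8, 26),
        ("12 alphanumerics", 12, 62),
        ("32 printable ASCII (pwgen -sy 32)", 32, len(SYMBOL_ALPHABET)),
    ]
    rows = []
    for label, length, size in policies:
        bits = entropy_bits(length, size)
        years = expected_crack_seconds(bits, guesses_per_second) / seconds_per_year
        rows.append((label, round(bits, 1), years))
    return rows


if __name__ == "__main__":
    for _ in range(3):
        print(generate_password(32))
    for label, bits, years in compare_policies():
        print(f"{label:36s} {bits:7.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

    Run it and the 32-character line comes out around 209.7 bits, while eight lowercase letters are about 37.6 bits, which is why the guess-rate column moves from seconds to an astronomically large number of years. The point of the entropy figure is that it depends only on length and alphabet size when the generator is uniform; a password that looks random but was typed by a person does not get this guarantee.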

    Winterborn71 · April 20, 2023 at 12:20 pm

    You’re exactly right, there is no cloud, it’s on someone else’s computer, that is getting paid to host the site/data management etc etc. They do backups and all that stuff so while an EMP would get some, it’s hugely unlikely to get all, as the offsite is shielded etc. I doubt even a Carrington event would get it all anymore. And that literally lit the telegraph lines on fire it was so bad.

Curmudgeon · April 20, 2023 at 10:47 am

I use KeePassXC, which is the password manager included in TAILS. TAILS is what Edward Snowden used to get his information out securely. If it is good enough for TAILS it is good enough for me. There is no charge or subscription for KeePassXC, and it is cross-platform. I also email my encrypted password database weekly to a couple of my trusted email accounts (riseup.net and protonmail). This gives me offsite storage for the database, in addition to the multiple USB sticks that I have at home and in my vehicle.

JB · April 20, 2023 at 1:37 pm

You might look at KeePassXC. You can put the database file on a cloud service like Dropbox to make it portable between devices, but there is no central repository to be hacked containing the grand prize of data on thousands of users like there is for LastPass and other services that store passwords for multiple people. Somebody would have to target you specifically to get your database file before then brute-forcing it.

Jen · April 20, 2023 at 2:10 pm

Manager not Manger. Please.

    Divemedic · April 20, 2023 at 8:33 pm

    Oops
    Typo

liberty · April 20, 2023 at 3:30 pm

I’ve been using Enpass (enpass.io) for several years and have been pleased with it. Local data, share using Dropbox, OneDrive, etc. If you want the “cloud” computer to be one you control, Enpass also supports NextCloud and WebDAV. Like everyone else, they are moving toward a subscription model, but it is still possible to purchase outright.

steve · April 20, 2023 at 4:35 pm

I’ve been using Password Safe from Sourceforge for decades.

Old phat pharrt · April 21, 2023 at 5:18 am

Just use a decent old fashioned notebook, and write them down. Use a dedicated Chromebook exclusively for anything finance related.

Password managers are just a massive juicy target.

grumpy51 · April 23, 2023 at 11:04 am

Any thoughts/experiences with the PW generator on Apple (iPhone, Macs)??
