Earlier in the year, I was talking about using a password manager to secure your passwords. I have been using LastPass for the past 8 years. As I discussed previously, LastPass had a security breach last summer. That breach involved the exposure and loss of their customer database. This handed the black hats all of the encrypted data of their customers. It was simply a matter of time before the bad guys used password cracking tools to decrypt customer password files.
So I did the sensible thing and changed all of my passwords, beginning with the most sensitive ones: email passwords, passwords to financial websites, and on down the list to the least important. It took several weeks to change hundreds of unique passwords. I also changed the master password. The next step that I took was to add MFA by using Yubikey. All of my data is now secure, and anything they have is no longer relevant.
I don’t blame LastPass for the fact that they had a breach. Everyone is a target, and a company like LastPass is a bigger target than most. No, what made me upset was that the breach happened in August, but they didn’t disclose it until November. They denied that the bad guys had gotten encrypted password wallets at first, then finally admitted in December that the password wallets had been lost. So the bad guys had our vaults for months before LastPass bothered to tell anyone. Months to brute force passwords, time to steal, and time is all they need.
They still are slowly releasing information in dribs and drabs. It comes out that the database was stolen because one of their engineers was permitted to have access to the servers from his home computer. That computer was compromised, which allowed the hackers to access corporate information. Now, password vaults are all encrypted and no one but the user has access, but still. Who does this? Home access to sensitive information? There is also the fact that they hid this information for over 9 months. That’s just too shady for me.
I didn’t want to change from LastPass, but this is the last straw. They just are not trustworthy. This isn’t the time to be cute and try to spin this from a PR perspective. This is a much bigger deal than just bad publicity. People’s information that YOU are supposed to safeguard is at stake. I no longer recommend LastPass as a viable password vault application.
LastPass is no longer for me, and it shouldn’t be for you, either. I want cloud storage of my passwords, because it allows portability between laptop, cell phone, etc. So I switched my password wallet over to 1password. The cost is $60 a year for the family plan, which allows up to 5 people to use the account. 1password is also compatible with Yubikey.