I've been using LastPass since 2014 and have recommended the password manager to others for just as long. Even in light of the hacks in years past, I've defended LastPass because passwords and vaults weren't stolen, and their "Zero Knowledge" design proved effective.
I don't think I've ever ended a speech or presentation before answering "LastPass" to the inevitable and most oft-asked question from audiences "What password manager do you recommend?" As they say on Wall Street, I'm very long LastPass.
But the hack reported on December 22nd is different.
This Time It's Different
The fact is anybody can be hacked at any time - the risk cannot be entirely avoided. So, we take a measured response when a vendor is hacked and consider our next steps. And let's face it, changing a software tool we've become comfortable with and accustomed to is the last thing we want to do, including yours truly.
Well, we're taking the plunge in the case of LastPass.
While anyone can be hacked, a vendor's state of readiness and the effectiveness of its incident response must still be evaluated. In times past, LastPass made the grade; this time, it has not.
This article is about "what to do" versus the "why?" of the matter. For more of the gory details behind the hack and the "why" of my decision, I'm linking two very credible sources. First, this one from Wired magazine:
Yes, It's Time to Ditch LastPass - Wired
And this from one of the world's top cybersecurity gurus, Bruce Schneier, where he says the hack is "... not an epic disaster, but bad enough."
LastPass Breach - Bruce Schneier
Should I Stay or Should I Go?
What to do? You have two options, and we suggest considering them both, making your decision, and then acting promptly according to your choice.
- Stay with LastPass?
We know some people and organizations from our professional network that plan to stay with LastPass. The stolen password vaults are encrypted and can only be opened with the vault's master password. If you practice good password hygiene (a long master password of more than 16 characters that is also unpredictable), it is improbable that the master password can be recovered by "brute force" password-cracking software.
If you decide to stay with LastPass as your password manager, then here are your steps to staying safe:
- We recommend changing your LastPass master password and, for sure, making it long and random. I use 22 or more characters for master passwords; yours should not be shorter than 16 characters.
- If your master password was less than ideal before the breach announced 12/22/2022, change the master password and also the passwords for your important accounts, such as banks, investment accounts, credit agencies, etc.
- Of course, enable MFA (multi-factor authentication) on every account where it is available.
- Move to another password manager?
Spoiler alert - personally and professionally, I'm moving to 1Password. For the last five years, while I've answered "LastPass" to the question about my preferred password manager, I parenthetically would add that if I were starting anew, I'd use 1Password. To me, their user interface is better and the tool feels more personal and less "institutional." Plus, it was clearly gaining favor with those in the know.
To be sure, moving from LastPass to 1Password is a chore and inconvenience I'd rather avoid. But I take password security very seriously and felt it was time to bite the bullet and move on. And, it hasn't been all that bad.
The export and import functions between the two apps went without a hitch. All my passwords and notes moved with little adjustment needed. The rest of the switch was about familiarity with the user interface and adjusting some long-time habits. Like anything new, spending a little time with their FAQs and videos makes the process faster and more solid for long-term use.
LastPass suffered two breaches over four months in 2022. The second one revealed that while LastPass encrypts its password vaults, it does not encrypt all data, such as URLs, email addresses, phone numbers, and associated IP addresses. That's a miscalculation and disappointing to many users who expected better from the recognized leader in password management software and services.
- 1Password does encrypt all data associated with user accounts.
- 1Password is highly transparent about its security design documentation. LastPass does not publish this detail.
1Password is an industry leader in password vault services and has never had a breach. If you do your research via a Google search or other methods, you will see 1Password is considered today's "best-in-class" password manager for a range of meaningful differentiators.
Here are some tools to help you fast-track the move from LastPass to 1Password as your password manager.
- 1Password is encouraging LastPass subscribers to move with an offer to credit your LastPass subscription here: https://1password.com/switch
The best article on how to create great passwords, by one of science's foremost cryptographers, Dr. Bruce Schneier:
Here's a video demonstrating the export/import functions for moving your data from LastPass to 1Password:
- Personal Computer Coach -
There is nothing as effective as having an expert take you step by step and coaching you toward self-sufficiency using a password manager.
Click the image above or the link below to arrange for a computer coach from Total Digital Security:
Whatever you do, you must beware of this
LastPass PHISHING! Everyone should expect to see an increase in phishing emails that spoof LastPass and are designed to hack you.
As always, be on your toes with your inbox and SMS text messages, and never click on anything in a message; instead, go to the website directly yourself.
Click to read more about how to protect yourself from phishing.