January Letter

Last days for LastPass?

Hi there, 

I've been using LastPass since 2014 and have recommended the password manager to others for just as long. Even in light of the hacks in years past, I've defended LastPass because passwords and vaults weren't stolen, and their "Zero Knowledge" design proved effective.

I don't think I've ever ended a speech or presentation before answering "LastPass" to the inevitable and most oft-asked question from audiences "What password manager do you recommend?" As they say on Wall Street, I'm very long LastPass.

But the hack reported on December 22nd is different.

This Time It's Different

The fact is anybody can be hacked at any time - the risk cannot be entirely avoided. So, we take a measured response when a vendor is hacked and consider our next steps. And let's face it, changing a software tool we've become comfortable with and accustomed to is the last thing we want to do, including yours truly.

Well, we're taking the plunge in the case of LastPass.

While anyone can be hacked, the state of readiness and effectiveness of incident response must be evaluated. While in times past, LastPass has made the grade, in this case, they have not.

This article is about "what to do" versus the "why?" of the matter. I'm linking two credible sources for more of the gory details behind the hack and the "why?" of my decision. First, this one from Wired magazine.

Yes, It's Time to Ditch LastPass - Wired

https://www.wired.com/story/lastpass-breach-vaults-password-managers/

And this is from one of the world's top cybersecurity gurus, Bruce Schneier, who says the hack is "... not an epic disaster, but bad enough."

LastPass Breach - Bruce Schneier

https://www.schneier.com/blog/archives/2022/12/lastpass-breach.html

LastPass - Should I Stay or Should I Go?

What to do? You have two options, and we suggest considering them both, making your decision, and then acting promptly according to your choice.

- Stay with LastPass?

We know some people and organizations from our professional network that plan to stay with LastPass. The stolen password vaults are encrypted and can only be accessed using the vault's master password. If you use good password hygiene (long passwords – more than 16 characters, and unpredictable), it is improbable the master password can be hacked using "brute force" password hacking software.

If you decide to stay with LastPass as your password manager, then here are your steps to staying safe:

1. We recommend changing your LastPass master password and, for sure, making it long and random. I use 22+ characters for master passwords, which should not be less than 16 characters.
2. If your password was less than ideal before the breach announced on 12/22/2022, change the master password and passwords to your important stuff like banks, investment accounts, credit agencies, etc. 
3. Of course, enable MFA or multi-factor authentication on every account it is made available.

- Move to another password manager?

Spoiler alert - personally and professionally, I'm moving to 1Password. For the last five years, while I've answered "LastPass" to the question about my preferred password manager, I parenthetically would add that if I were starting anew, I'd use 1Password.  To me, their user interface is better, and the tool feels more personal and less "institutional." Plus, it was clearly gaining favor with those in the know.

To be sure, moving from LastPass to 1Password is a chore and inconvenience I'd rather avoid. But I take password security very seriously and felt it was time to bite the bullet and move on. And it hasn't been all that bad.

The export and import functions between the two apps went without a hitch. All my passwords and notes were moved with little adjustment needed. The rest of the switch was about familiarity with the user interface and adjusting some long-time habits. Like anything new, spending a little time with their FAQs and videos makes the process faster and more solid for long-term use.

Why 1Password?

LastPass suffered two breaches over four months in 2022. The second one revealed that while LastPass encrypts its password vaults, it does not encrypt all data, such as URLs, email addresses, phone numbers, and associated IP addresses. That's a miscalculation and disappointing to many users that expected better from the recognized leader in password management software and services.

• 1Password does encrypt all data associated with user accounts.
• 1Password is highly transparent about its security design documentation. LastPass does not publish this detail.

1Password is an industry leader in password vault services and has never had a breach. If you do your research via google-search or other methods, you will see 1Password is considered today's "best-in-class" password manager for many meaningful differentiators.

Need help?

Here are some tools to help you fast-track the move from LastPass to 1Password as your password manager.

•  1Password is inducing LastPass subscribers to move with an offer to credit your LastPass subscription here:  https://1password.com/switch

The best article on how to create great passwords, by one of science's foremost cryptographers, Dr. Bruce Schneier:

• https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

Here's a video instructing the export/import functions for moving your data from LastPass to 1Password:

• https://www.msn.com/en-us/news/technology/how-to-export-lastpass-passwords-to-1password/ar-AA16cJ8i

- Personal Computer Coach -  

There is nothing as effective as having an expert take you step by step and coach you toward self-sufficiency using a password manager. 

Click the image above or the link below to arrange for a computer coach from Total Digital Security:

https://www.totaldigitalsecurity.com/computer-coaching-services

Whatever you do, you must beware of this

LastPass PHISHING! Everyone should expect to see an increase in phishing emails that spoof LastPass and are designed to hack you.

It is predictable that the most sophisticated and ambitious hackers and cybercrime syndicates will deploy their best phishing weapons in the months to come.

As always, be on your toes with your inbox and SMS text, and never click on anything without going to the website directly yourself.

Click to read more about how to protect from phishing.

Thanks for reading,

Brad Deflin

Click for browser view

Take the ShieldTest

Looking for a cybersecurity webinar or speaker for your group? Reply to this email or click below:

Computer Coaching and Tutoring

Our approach is about learning new life skills for increased satisfaction, privacy, and security with personal technology.

• Clean and optimize your computer or set up a new one.
• Learn to use a password manager and backup files.
• Set up your browsers for convenience and privacy.
• And much more.

Contact us for more.

Staying Safe Online

A concise guide.

• Checklists and best practices.
• Think you've been hacked?
• Smarter passwords.
• Use a VPN every day.

For previous CyberAdvisor Letters:

To view Blog posts: