I don't think I've ever ended a speech or presentation before answering "LastPass" to the inevitable and most oft-asked question from audiences "What password manager do you recommend?" As they say on Wall Street, I'm very long LastPass.
But the hack reported on December 22nd is different.
This Time It's Different
The fact is anybody can be hacked at any time - the risk cannot be entirely avoided. So, we take a measured response when a vendor is hacked and consider our next steps. And let's face it, changing a software tool we've become comfortable with and accustomed to is the last thing we want to do, including yours truly.
Well, we're taking the plunge in the case of LastPass.
While anyone can be hacked, the state of readiness and effectiveness of incident response must be evaluated. While in times past, LastPass has made the grade, in this case, they have not.
This article is about "what to do" versus the "why?" of the matter. I'm linking two credible sources for more of the gory details behind the hack and the "why?" of my decision. First, this one from Wired magazine.
Yes, It's Time to Ditch LastPass - Wired
https://www.wired.com/story/lastpass-breach-vaults-password-managers/
And this is from one of the world's top cybersecurity gurus, Bruce Schneier, who says the hack is "... not an epic disaster, but bad enough."
LastPass Breach - Bruce Schneier
https://www.schneier.com/blog/archives/2022/12/lastpass-breach.html
LastPass - Should I Stay or Should I Go?
What to do? You have two options, and we suggest considering them both, making your decision, and then acting promptly according to your choice.
- Stay with LastPass?
We know some people and organizations from our professional network that plan to stay with LastPass. The stolen password vaults are encrypted and can only be accessed using the vault's master password. If you use good password hygiene (long passwords – more than 16 characters, and unpredictable), it is improbable the master password can be hacked using "brute force" password hacking software.
If you decide to stay with LastPass as your password manager, then here are your steps to staying safe:
- We recommend changing your LastPass master password and, for sure, making it long and random. I use 22 or more characters for master passwords; a master password should never be shorter than 16 characters.
- If your master password was less than ideal before the breach announced on 12/22/2022, change it and also change the passwords to your important accounts such as banks, investment accounts, credit agencies, etc.
- Of course, enable MFA (multi-factor authentication) on every account where it is available.
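As an added illustration of why the length advice above matters (this is example code written for this article, not code from LastPass, 1Password or the page itself), the Python below generates a random master password with the standard library's CSPRNG and estimates how long an offline brute-force search of a stolen encrypted vault would take for a given length. The guess rate of one billion guesses per second used in the usage call is a constructed assumption for illustration; the real rate depends on the attacker's hardware and on the vault's key-derivation cost.

```python
import math
import secrets
import string

# Constructed example: 94-symbol alphabet of letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_master_password(length: int = 22) -> str:
    """Return a uniformly random password drawn with the CSPRNG in `secrets`.

    Enforces the article's floor of 16 characters; 22+ is the author's own habit.
    """
    if length < 16:
        raise ValueError("master passwords should not be shorter than 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password chosen uniformly from alphabet_size**length candidates."""
    return length * math.log2(alphabet_size)


def expected_crack_years(length: int, guesses_per_second: float,
                         alphabet_size: int = len(ALPHABET)) -> float:
    """Expected years to recover a uniformly random password by brute force.

    On average the attacker must search half of the space before hitting the
    right candidate; guesses_per_second is an assumed attacker rate, not a
    measured figure.
    """
    search_space = alphabet_size ** length
    seconds = (search_space / 2) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    ASSUMED_RATE = 1e9  # constructed assumption: one billion guesses per second
    for n in (8, 12, 16, 22):
        print(f"{n:2d} chars: {entropy_bits(n):6.1f} bits, "
              f"~{expected_crack_years(n, ASSUMED_RATE):.3g} years at {ASSUMED_RATE:.0e}/s")
    print("sample 22-char master password:", generate_master_password(22))
```

The jump between 8 and 16 characters is the point: each extra random character multiplies the attacker's work by the alphabet size (about 94 here, 6.5 bits), so a 16-character random password is already out of reach of an offline search at any realistic guess rate, while an 8-character one is not.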
- Move to another password manager?
Spoiler alert - personally and professionally, I'm moving to 1Password. For the last five years, while I've answered "LastPass" to the question about my preferred password manager, I parenthetically would add that if I were starting anew, I'd use 1Password. To me, their user interface is better, and the tool feels more personal and less "institutional." Plus, it was clearly gaining favor with those in the know.
To be sure, moving from LastPass to 1Password is a chore and inconvenience I'd rather avoid. But I take password security very seriously and felt it was time to bite the bullet and move on. And it hasn't been all that bad.
The export and import functions between the two apps went without a hitch. All my passwords and notes were moved with little adjustment needed. The rest of the switch was about familiarity with the user interface and adjusting some long-time habits. Like anything new, spending a little time with their FAQs and videos makes the process faster and more solid for long-term use.
Why 1Password?
LastPass suffered two breaches over four months in 2022. The second one revealed that while LastPass encrypts its password vaults, it does not encrypt all data, such as URLs, email addresses, phone numbers, and associated IP addresses. That's a miscalculation and disappointing to many users who expected better from the recognized leader in password management software and services.
- 1Password does encrypt all data associated with user accounts.
- 1Password is highly transparent about its security design documentation. LastPass does not publish this detail.