LastPass security breach - how to proceed?

fwafwow

WKR
Joined
Apr 8, 2018
Messages
5,576
LastPass had a security breach and the details keep getting worse. For those who use a password manager, what are you doing?

Here are my current thoughts/plans:
  1. Change my Master PW - but this is of limited value
  2. Change the PWs on all of my financial accounts (done)
  3. Changing all of my other PWs - but that is a bit of a pain in the arse (even using LP) - and for non-financial accounts, I'm not quite as worried
Going forward, I'm debating whether to
  1. switch to an alternative for LastPass (Bitwarden and 1Password are mentioned a lot)
  2. switch to one of the above, but use it only for my most sensitive (financial) accounts and keep it off the cloud
  3. switch to multiple PW managers and divide at least the financial access between/among them
  4. go back to paper - and keep a duplicate somewhere - at least for the most important accounts (which is safe, or safer, from hacking but a complete pain)
 
Last edited:
Joined
Aug 23, 2019
Messages
472
I try to keep MFA on as much as possible, especially for banking credentials. It’s not perfect yet, but close enough to keep me content.

I also make sure to use a completely different password for higher security accounts, and anything that contains sensitive information.
 
OP
fwafwow

fwafwow

WKR
Joined
Apr 8, 2018
Messages
5,576
I try to keep MFA on as much as possible, especially for banking credentials. It’s not perfect yet, but close enough to keep me content.

I also make sure to use a completely different password for higher security accounts, and anything that contains sensitive information.
My question wasn't phrased correctly, so I will edit. I was looking for feedback among those who made the decision (for better or worse) to use a PW manager. I'm doing all of the above but due to the shear number of PWs, I had decided to go with a PW manager. There are pros and cons to using a PW manager, so I'm trying to decide whether to completely change (next to impossible due to volume), just switch apps/platforms, or do something in between.
 

mflo

Lil-Rokslider
Classified Approved
Joined
Dec 24, 2020
Messages
267
Location
NM
FWIW, I've used 1password for the past few years and have been very pleased with the way it works, across multiple devices.
 
Joined
Oct 17, 2019
Messages
345
Location
Wisconsin
I'd planned to stick with LastPass but now you have me second guessing. I'd expected LastPass would now have stronger security measures in place going forward.
 

Marbles

WKR
Classified Approved
Joined
May 16, 2020
Messages
4,499
Location
AK
I use Keeper and have been happy with it. I would certainly continue using a password manager.

If I'm not mistaken (don't use LP, so not payed close attention) the following holds:

You passwords should be encrypted, so the file with them must be bruit forced. If your master password is good, it is unlikely the file will be compromised any time soon. If your master password is week, all bets are off.

If you had a strong master password I would change financial, email, and any sensitive passwords as well as enable two factor authentication on those accounts. Then I would not worry about it.

If your master password was weak:
- generate a strong master password, using the password managers tool and write it down while you get it memorized.
- change financial, email, and sensitive passwords (to include Rokslide so no one uses your account for fraud).
- enable two factor authentication on you password vault and all sensitive accounts.
- cancel credit cards you use to shop with online (if you save your card information)
- continue to use a password manager as no one wants to type in complex 20 character passwords from paper, or generate them for that matter.
- if you are really concerned, you could delete all your infrequently used logins and reset the passwords as you use the accouts (would work well if switching to another password manager) or reset whenever you first log back into the account.
- as I don't save financial information on most sites, I don't worry about most random websites.

Using two password managers would just expose you to twice the risk of one being compromised. I cannot think of a way to compartmentalize effectively, the only reason I would do so is if I thought a well resourced entity was specifically targeting me, and how I would compartmentalize would be directed at protecting from that threat. As with the maximum of strategy, trying to be strong everywhere results in being weak everywhere.

If you have very sensitive information, an encrypted file on an air gapped and encrypted devices would be my choice. It is more trouble than it is worth for everything I do. I don't even have good enough reason to keep an air gapped device. As much as I want them, I don't have Assa Abloy Protec 2 locks either as I'm too cheap (I do have high security locks though, so yes, I'm a little paranoid for most people).
 
OP
fwafwow

fwafwow

WKR
Joined
Apr 8, 2018
Messages
5,576
I use Keeper and have been happy with it. I would certainly continue using a password manager.

If I'm not mistaken (don't use LP, so not payed close attention) the following holds:

You passwords should be encrypted, so the file with them must be bruit forced. If your master password is good, it is unlikely the file will be compromised any time soon. If your master password is week, all bets are off.

If you had a strong master password I would change financial, email, and any sensitive passwords as well as enable two factor authentication on those accounts. Then I would not worry about it.

If your master password was weak:
- generate a strong master password, using the password managers tool and write it down while you get it memorized.
- change financial, email, and sensitive passwords (to include Rokslide so no one uses your account for fraud).
- enable two factor authentication on you password vault and all sensitive accounts.
- cancel credit cards you use to shop with online (if you save your card information)
- continue to use a password manager as no one wants to type in complex 20 character passwords from paper, or generate them for that matter.
- if you are really concerned, you could delete all your infrequently used logins and reset the passwords as you use the accouts (would work well if switching to another password manager) or reset whenever you first log back into the account.
- as I don't save financial information on most sites, I don't worry about most random websites.

Using two password managers would just expose you to twice the risk of one being compromised. I cannot think of a way to compartmentalize effectively, the only reason I would do so is if I thought a well resourced entity was specifically targeting me, and how I would compartmentalize would be directed at protecting from that threat. As with the maximum of strategy, trying to be strong everywhere results in being weak everywhere.

If you have very sensitive information, an encrypted file on an air gapped and encrypted devices would be my choice. It is more trouble than it is worth for everything I do. I don't even have good enough reason to keep an air gapped device. As much as I want them, I don't have Assa Abloy Protec 2 locks either as I'm too cheap (I do have high security locks though, so yes, I'm a little paranoid for most people).
Thank you very much for the detailed reply. You are right about LP and the risk is limited to brute force - at least based on what has been communicated so far, combined with commentary from other sources. The way the company handled the breach has caused me to lose faith in them, so I’m definitely switching.

I’m beginning to think that I’m overreacting (shocker). My master PW is probably good enough (25+ characters), based on computing power today and the fact that there is no reason to target me specifically (I don’t have sensitive info or a job that merits scrutiny). All but one of my financial accounts have MFA, and I think that last one will come soon - and I’m hoping for improvements to MFA.

The two PW managers was a thought of not putting all eggs in a single basket, but it would probably be more of a hassle than it’s worth.

Now I’m going to look into those locks…
 

wesfromky

WKR
Joined
Nov 23, 2016
Messages
1,106
Location
KY
As was mentioned by Marbles - as long as your master password is solid (and it sounds like it is), the risk of exposed passwords is pretty small, esp with accounts that have MFA. One thing that may have been exposed, unencrypted, was all of the urls. Which may be an issue if those have tokens in them, or they may be used to more effectively try to phish you, since the attackers would know more about you and be able to craft more specific phishing emails.

For what it is worth, I have been using 1Password for a long time. No idea if they are more secure then lastpass, but they have been very transparent with any security issues that have arisen and have blog posts that detail their crypto and security architecture. I use a local install of keeppass for work, and we also have an enterprise solution as well.
 
OP
fwafwow

fwafwow

WKR
Joined
Apr 8, 2018
Messages
5,576
...so yes, I'm a little paranoid for most people).
So about my paranoia.... I'm not sure of the accuracy of the "password strength calculators" I found, but my now changed master password would take between 1k years and some ridiculously longer time (a period I'm not even familiar with the number).

I should focus more on important stuff. Like convincing myself to buy a new rifle. Or to track my incoming holster and scope covers so Mrs. Fwafwow won't intercept them. Or memes.
 

thegrouse

Lil-Rokslider
Joined
Feb 11, 2021
Messages
249
Location
Texas
So about my paranoia.... I'm not sure of the accuracy of the "password strength calculators" I found, but my now changed master password would take between 1k years and some ridiculously longer time (a period I'm not even familiar with the number).

I should focus more on important stuff. Like convincing myself to buy a new rifle. Or to track my incoming holster and scope covers so Mrs. Fwafwow won't intercept them. Or memes.
It depends on the speed of the computers used for the brute force. 25 characters sounds pretty solid though
 

tony

WKR
Joined
Nov 13, 2015
Messages
1,022
Location
WV
Nobody will ever figure out I use abc123 for everything!
If your into podcasts give this one a listen
This guy knows security
Privacy Security & OSINT by Michael Bazzell
 

jimh406

WKR
Joined
Feb 6, 2022
Messages
1,198
Location
Western MT
Most browsers will save your password. Frankly, I'd rather trust most browsers than a password manager.

Turn on two-factor authentication if you haven't.
 
OP
fwafwow

fwafwow

WKR
Joined
Apr 8, 2018
Messages
5,576
Nobody will ever figure out I use abc123 for everything!
If your into podcasts give this one a listen
This guy knows security
Privacy Security & OSINT by Michael Bazzell
The podcast was a good and bad recommendation. Good in that the guy knows what he's talking about and there is a recent podcast that seems pretty on point (not about LastPass specifically, but on 2FA and password managers generally). It's bad in that it has caused me to open another rabbit hole - whether to use a hardware token or some other separate way to protect my email PW.... Is there a name for being addicted to rabbit holes?

@jimh406 - thanks. I know that most browsers will save a password, and sometimes I let that happen and even use the browser to also suggest the PW. But I'm not sure to what extent the browser remembered passwords are kept safe - at least when I am synching across various devices. My sense is that those PWs are not encrypted, so I never let my browsers either generate the PW, or save the PW, for sensitive accounts. YMMV.
 

Marbles

WKR
Classified Approved
Joined
May 16, 2020
Messages
4,499
Location
AK
Password strength calculators are mediocre. A password of 0plm(OKN8ijb&UHV will show as strong on many, but is really incredibly bad. However, if your password was randomly generated, they are probably decent.

Major browsers are not a secure way to store passwords. There may be a browser that is, but it is not any of the common ones.

For rabbit holes, you should look into the weakness of USB. Basically, if a USB device has been plugged into any machine that is not secure, it has the potential to compromise everything on your device. USB charging station can be rigged to exploit devices plugged into them as well. Stuxnet exploited the weakness of USB and was able to destroy an Iranian nuclear enrichment facility, which was more secure than most of us could be if we tried. The weakest link in a secure system is the human.

Also, pick up the book Sandworm if you have time.
 
Top