LastPass security breach - how to proceed?

fwafwow (WKR, joined Apr 8, 2018, 4,959 messages)
LastPass had a security breach and the details keep getting worse. For those who use a password manager, what are you doing?

Here are my current thoughts/plans:
  1. Change my Master PW - but this is of limited value
  2. Change the PWs on all of my financial accounts (done)
  3. Change all of my other PWs - but that is a bit of a pain in the arse (even using LP) - and for non-financial accounts, I'm not quite as worried
Going forward, I'm debating whether to
  1. switch to an alternative for LastPass (Bitwarden and 1Password are mentioned a lot)
  2. switch to one of the above, but use it only for my most sensitive (financial) accounts and keep it off the cloud
  3. switch to multiple PW managers and divide at least the financial access between/among them
  4. go back to paper - and keep a duplicate somewhere - at least for the most important accounts (which is safe, or safer, from hacking but a complete pain)
 
Joined Aug 23, 2019, 419 messages
I try to keep MFA on as much as possible, especially for banking credentials. It’s not perfect yet, but close enough to keep me content.

I also make sure to use a completely different password for higher security accounts, and anything that contains sensitive information.
 
fwafwow (OP, WKR, joined Apr 8, 2018, 4,959 messages)

> I try to keep MFA on as much as possible, especially for banking credentials. It’s not perfect yet, but close enough to keep me content.
>
> I also make sure to use a completely different password for higher security accounts, and anything that contains sensitive information.
My question wasn't phrased correctly, so I will edit. I was looking for feedback among those who made the decision (for better or worse) to use a PW manager. I'm doing all of the above, but due to the sheer number of PWs, I had decided to go with a PW manager. There are pros and cons to using a PW manager, so I'm trying to decide whether to completely change (next to impossible due to volume), just switch apps/platforms, or do something in between.
 

mflo (Lil-Rokslider, Classified Approved, joined Dec 24, 2020, 217 messages, NM)
FWIW, I've used 1Password for the past few years and have been very pleased with the way it works across multiple devices.
 
Joined Oct 17, 2019, 330 messages, Wisconsin
I'd planned to stick with LastPass but now you have me second guessing. I'd expected LastPass would now have stronger security measures in place going forward.
 

Marbles (WKR, Classified Approved, joined May 16, 2020, 3,707 messages, AK)
I use Keeper and have been happy with it. I would certainly continue using a password manager.

If I'm not mistaken (I don't use LP, so I haven't paid close attention) the following holds:

Your passwords should be encrypted, so the file with them must be brute forced. If your master password is good, it is unlikely the file will be compromised any time soon. If your master password is weak, all bets are off.

If you had a strong master password, I would change financial, email, and any sensitive passwords as well as enable two factor authentication on those accounts. Then I would not worry about it.

If your master password was weak:
- generate a strong master password, using the password manager's tool, and write it down while you get it memorized.
- change financial, email, and sensitive passwords (to include Rokslide so no one uses your account for fraud).
- enable two factor authentication on your password vault and all sensitive accounts.
- cancel credit cards you use to shop with online (if you save your card information).
- continue to use a password manager, as no one wants to type in complex 20 character passwords from paper, or generate them for that matter.
- if you are really concerned, you could delete all your infrequently used logins and reset the passwords as you use the accounts (would work well if switching to another password manager) or reset whenever you first log back into the account.
- as I don't save financial information on most sites, I don't worry about most random websites.

Using two password managers would just expose you to twice the risk of one being compromised. I cannot think of a way to compartmentalize effectively; the only reason I would do so is if I thought a well resourced entity was specifically targeting me, and how I would compartmentalize would be directed at protecting from that threat. As with the maxim of strategy, trying to be strong everywhere results in being weak everywhere.

If you have very sensitive information, an encrypted file on an air gapped and encrypted device would be my choice. It is more trouble than it is worth for everything I do. I don't even have good enough reason to keep an air gapped device. As much as I want them, I don't have Assa Abloy Protec 2 locks either as I'm too cheap (I do have high security locks though, so yes, I'm a little paranoid for most people).
 
fwafwow (OP, WKR, joined Apr 8, 2018, 4,959 messages)

> I use Keeper and have been happy with it. I would certainly continue using a password manager.
>
> If I'm not mistaken (I don't use LP, so I haven't paid close attention) the following holds:
>
> Your passwords should be encrypted, so the file with them must be brute forced. If your master password is good, it is unlikely the file will be compromised any time soon. If your master password is weak, all bets are off.
>
> If you had a strong master password, I would change financial, email, and any sensitive passwords as well as enable two factor authentication on those accounts. Then I would not worry about it.
>
> If your master password was weak:
> - generate a strong master password, using the password manager's tool, and write it down while you get it memorized.
> - change financial, email, and sensitive passwords (to include Rokslide so no one uses your account for fraud).
> - enable two factor authentication on your password vault and all sensitive accounts.
> - cancel credit cards you use to shop with online (if you save your card information).
> - continue to use a password manager, as no one wants to type in complex 20 character passwords from paper, or generate them for that matter.
> - if you are really concerned, you could delete all your infrequently used logins and reset the passwords as you use the accounts (would work well if switching to another password manager) or reset whenever you first log back into the account.
> - as I don't save financial information on most sites, I don't worry about most random websites.
>
> Using two password managers would just expose you to twice the risk of one being compromised. I cannot think of a way to compartmentalize effectively; the only reason I would do so is if I thought a well resourced entity was specifically targeting me, and how I would compartmentalize would be directed at protecting from that threat. As with the maxim of strategy, trying to be strong everywhere results in being weak everywhere.
>
> If you have very sensitive information, an encrypted file on an air gapped and encrypted device would be my choice. It is more trouble than it is worth for everything I do. I don't even have good enough reason to keep an air gapped device. As much as I want them, I don't have Assa Abloy Protec 2 locks either as I'm too cheap (I do have high security locks though, so yes, I'm a little paranoid for most people).
Thank you very much for the detailed reply. You are right about LP and the risk is limited to brute force - at least based on what has been communicated so far, combined with commentary from other sources. The way the company handled the breach has caused me to lose faith in them, so I’m definitely switching.

I’m beginning to think that I’m overreacting (shocker). My master PW is probably good enough (25+ characters), based on computing power today and the fact that there is no reason to target me specifically (I don’t have sensitive info or a job that merits scrutiny). All but one of my financial accounts have MFA, and I think that last one will come soon - and I’m hoping for improvements to MFA.

The two PW managers was a thought of not putting all eggs in a single basket, but it would probably be more of a hassle than it’s worth.

Now I’m going to look into those locks…
 

wesfromky (WKR, joined Nov 23, 2016, 880 messages, KY)
As was mentioned by Marbles - as long as your master password is solid (and it sounds like it is), the risk of exposed passwords is pretty small, esp with accounts that have MFA. One thing that may have been exposed, unencrypted, was all of the urls. Which may be an issue if those have tokens in them, or they may be used to more effectively try to phish you, since the attackers would know more about you and be able to craft more specific phishing emails.

For what it is worth, I have been using 1Password for a long time. No idea if they are more secure than LastPass, but they have been very transparent with any security issues that have arisen and have blog posts that detail their crypto and security architecture. I use a local install of KeePass for work, and we have an enterprise solution as well.
 
fwafwow (OP, WKR, joined Apr 8, 2018, 4,959 messages)

> ...so yes, I'm a little paranoid for most people).
So about my paranoia.... I'm not sure of the accuracy of the "password strength calculators" I found, but my now changed master password would take between 1k years and some ridiculously longer time (a period I'm not even familiar with the number).

I should focus more on important stuff. Like convincing myself to buy a new rifle. Or to track my incoming holster and scope covers so Mrs. Fwafwow won't intercept them. Or memes.
 

thegrouse (Lil-Rokslider, joined Feb 11, 2021, 229 messages, Texas)

> So about my paranoia.... I'm not sure of the accuracy of the "password strength calculators" I found, but my now changed master password would take between 1k years and some ridiculously longer time (a period I'm not even familiar with the number).
>
> I should focus more on important stuff. Like convincing myself to buy a new rifle. Or to track my incoming holster and scope covers so Mrs. Fwafwow won't intercept them. Or memes.
It depends on the speed of the computers used for the brute force. 25 characters sounds pretty solid though.
 

tony (WKR, joined Nov 13, 2015, 826 messages, WV)
Nobody will ever figure out I use abc123 for everything!
If you're into podcasts, give this one a listen. This guy knows security:
Privacy Security & OSINT by Michael Bazzell
 

jimh406 (WKR, joined Feb 6, 2022, 979 messages, Western MT)
Most browsers will save your password. Frankly, I'd rather trust most browsers than a password manager.

Turn on two-factor authentication if you haven't.
 
fwafwow (OP, WKR, joined Apr 8, 2018, 4,959 messages)

> Nobody will ever figure out I use abc123 for everything!
> If you're into podcasts, give this one a listen. This guy knows security:
> Privacy Security & OSINT by Michael Bazzell
The podcast was a good and bad recommendation. Good in that the guy knows what he's talking about and there is a recent podcast that seems pretty on point (not about LastPass specifically, but on 2FA and password managers generally). It's bad in that it has caused me to open another rabbit hole - whether to use a hardware token or some other separate way to protect my email PW.... Is there a name for being addicted to rabbit holes?

@jimh406 - thanks. I know that most browsers will save a password, and sometimes I let that happen and even use the browser to suggest the PW. But I'm not sure to what extent browser-remembered passwords are kept safe - at least when I am syncing across various devices. My sense is that those PWs are not encrypted, so I never let my browsers either generate the PW, or save the PW, for sensitive accounts. YMMV.
 

Marbles (WKR, Classified Approved, joined May 16, 2020, 3,707 messages, AK)
Password strength calculators are mediocre. A password of 0plm(OKN8ijb&UHV will show as strong on many, but is really incredibly bad. However, if your password was randomly generated, they are probably decent.

Major browsers are not a secure way to store passwords. There may be a browser that is, but it is not any of the common ones.

For rabbit holes, you should look into the weakness of USB. Basically, if a USB device has been plugged into any machine that is not secure, it has the potential to compromise everything on your device. USB charging stations can be rigged to exploit devices plugged into them as well. Stuxnet exploited the weakness of USB and was able to destroy an Iranian nuclear enrichment facility, which was more secure than most of us could be if we tried. The weakest link in a secure system is the human.

Also, pick up the book Sandworm if you have time.
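To put numbers on two points made in this thread, that brute-force time depends on the attacker's guess rate and that strength calculators overrate keyboard patterns like 0plm(OKN8ijb&UHV, here is an added example (written for this page, not code from the thread or from any password manager). It puts the naive "alphabet ^ length" figure a calculator reports next to a pattern-aware estimate that charges near-vertical QWERTY walks cheaply, then converts both into exhaustive-search time. The keyboard-walk cost model, the guess rates and the second sample password are constructed assumptions.

```python
import math
import string

# US QWERTY rows (unshifted, shifted), top to bottom; column indexes line up so
# that keys like '0', 'p', 'l', 'm' form a near-vertical walk down the keyboard.
_ROWS = [("1234567890", "!@#$%^&*()"), ("qwertyuiop", "QWERTYUIOP"),
         ("asdfghjkl", "ASDFGHJKL"), ("zxcvbnm", "ZXCVBNM")]
_KEY_POS = {ch: (r, c) for r, pair in enumerate(_ROWS) for keys in pair for c, ch in enumerate(keys)}

def charset_size(pw):
    """Alphabet size a naive calculator infers from the character classes present."""
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32))
    return sum(n for cls, n in classes if any(c in cls for c in pw))

def naive_bits(pw):
    """What most strength calculators report: length * log2(alphabet size)."""
    return len(pw) * math.log2(charset_size(pw))

def keyboard_walks(pw, min_len=3):
    """(start, end) spans where each key is one row below the previous and <= 2 columns sideways."""
    spans, i = [], 0
    while i < len(pw):
        j = i
        while (j + 1 < len(pw) and pw[j] in _KEY_POS and pw[j + 1] in _KEY_POS
               and _KEY_POS[pw[j + 1]][0] == _KEY_POS[pw[j]][0] + 1
               and abs(_KEY_POS[pw[j + 1]][1] - _KEY_POS[pw[j]][1]) <= 2):
            j += 1
        if j - i + 1 >= min_len:
            spans.append((i, j + 1))
        i = j + 1
    return spans

def pattern_bits(pw):
    """Hypothetical attacker model: a walk costs 10 starts * 2 shift states * 5 sideways choices/step."""
    per_char = math.log2(charset_size(pw))
    bits = covered = 0
    for start, end in keyboard_walks(pw):
        bits += math.log2(10 * 2 * 5 ** (end - start - 1))
        covered += end - start
    return bits + (len(pw) - covered) * per_char   # non-walk characters cost the naive rate

def years_to_exhaust(bits, guesses_per_second):
    # Years to try the whole space at a given rate; expected time is about half of this.
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Constructed samples and assumed guess rates (real rates depend on hardware and the vault's KDF cost).
    for pw in ("0plm(OKN8ijb&UHV", "Tq7#xV9!pL2mZs&Qw4rB3n"):
        for label, b in (("naive", naive_bits(pw)), ("pattern-aware", pattern_bits(pw))):
            print(f"{pw:24}{label:14}{b:6.1f} bits",
                  *(f"{r:.0e}/s: {years_to_exhaust(b, r):.1e} y" for r in (1e9, 1e12)))
```

The pattern password scores about 105 bits naively but only about 45 bits once its four keyboard walks are priced as patterns, which is the gap the calculators miss; the random sample scores the same under both models.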
 