Lastpass Recent Incident
Lastpass in the recent has been an excellent password manager and I was one of the many supporters. The problem with it now is that it is going down hill. They seem to not want everyone to know just how severe this incident is and have not really done the job that we should of expected. In December they sent out a small notice to people and reference their blog post. Who is going to go look at a blog post around Christmas. I sure as heck was to busy with other stuff to worry about a small email telling people to check out the blog post. LastPass you should of done better and put out the warning bells for everyone to know just how much you screwed up.
In there blog post:
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
Vault and Robbers
You see this isn’t very nice how much information they didn’t send out on the email. This should of been “Danger, Will Robinson, Danger!” type of warning. Yet, Lastpass didn’t sound the alarm. Shame on you for not doing the right thing. As you can see they got your vault data and mine, althought they can’t really use it without the master password but it is only going to take time and then they will have all our passwords for sites across the internet. There’s the problem they don’t seem to care that it got out. The threat actors will use GPU’s and other hardware to finally figure out one user at a time their passwords and it could be years before they get to yours or it could be next month depending on how good you Master Password was. Was it long or was it Short? What about enterations? Did you bump it up to keep it from getting hacked and making it harder for them to figure out your Master Password?
The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.
As you can see even Lastpass has stated they will eventually do that to each and every vault password they can, but did you their suggestions? Probably not and I wouldn’t blame you because we don’t always have time to keep track of what they recommend.
They claim it could take thousand of years for threat actors to crack the Master Password:
f you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology.
However that isn’t alwasy true if they have enough computers put enough effort into cracking a vault it could be sooner and not later. The way technology is growing and the speeds of comptuer now would mean threat actors could start usurping people processing powers and have thousands of computers world wide to crack the Master Password keys. That is how Bitcoin came into being but we wouldn’t know it until it could be too late.
Is it time to switch to another Password Manager?
I’m inclined to switch to Bitwarden just because it is open sourced and I really feel like at least I won’t have to worry about my passwords being leaked. I will also probably go through every site that I visit and change my password and also use 2FA (2nd Factor Authentication) to prevent threat actors from taking control of my accounts. I’m going to explore my options but I am more and more thinking about going somewhere else where my data can be safer than with Lastpass. What’s your throughts on this? are you staying with LastPass or are you Planning to go somewhere else?