Perhaps best to call it the “Last warning you’ll ever need to flee LastPass” breach.

Best summary and take I’ve seen is from Wladimir Palant:

Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren’t amused; this holiday season became a very busy time for them. LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.

Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.

And over on infosec.exchange, Jeremi M Gosney writes:

But things change, and in recent years I found myself unable to defend LastPass. I can’t recall if there was a particular straw that broke the camel’s back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass…

The entire list is worth a read, if you’re curious to relive all of LastPass’ sins. You can also find support in his thread for the things 1Password and BitWarden are doing right.

All in all, choosing a password manager is hard because managing a bunch of passwords is hard. For the moment, 1Password and BitWarden are top choices and are doing things that can seem user-hostile (wtf is this Random Key, 1Password?) but actually improve overall security. You don’t know you need it until a breach like LastPass’ happens, and then…

If there is any light at the end of this tunnel, it is Passkeys. A Passkey is a new (to you) way to authenticate to a website or service, although it relies on tried and tested technologies which have been around for quite some time[1].

A simple example: you have a cell phone, (presumably) only you can authenticate to that device using FaceID or a fingerprint or a password, and that device can contain a secret that is accessible only once it is unlocked. Using the magic of cryptography[2], that device’s secret can prove to a website or service that you are who you say you are, and log you in without ever typing in a password.

Expect this soon.

Previously:


  1. Public key cryptography, that is.

  2. Again, the public key stuff.