LastPass Data Breach: It’s Time to Ditch This Password Manager
This means that LastPass users should go through their vaults and take extra steps to protect themselves—including changing all of their passwords.
Start by enabling two-factor authentication for as many of your accounts as possible, especially high-value accounts like email, financial services, and heavily used social media accounts. This way, even if attackers compromise the passwords of those accounts, they can’t actually log in without the one-time code or hardware authentication key that you added as a “second factor.” Next, change the passwords for all those high-value and sensitive accounts. Then change all remaining passwords stored in your LastPass vault.
Since you’re doing all of this anyway (or at least as much of it as you can), it’s time to switch to a new password manager. You can add accounts to the new service as you change them. WIRED recommends 1Password and the free Bitwarden service, along with some alternatives. We haven’t recommended LastPass since the company scaled back its free services a few years ago, and LastPass had a string of security problems before this latest, most serious breach.
“One hundred percent true, people should switch to other password managers,” said one senior security engineer, who requested anonymity because of his professional ties to people on the LastPass security team. “They failed to do the only thing they had to offer—cloud-based secure credential storage.”
Security experts all stress that the situation with LastPass shouldn’t deter people from using password managers in general. And if you’re a loyal LastPass user, you should still change your vault password, enable two-factor authentication for every account that offers it, and change all the passwords in your vault, even if you’re not moving elsewhere in the process.
“As someone with experience in handling and communicating EU data breach notices, I would say the communication strategy has worked,” said Lukasz Olejnik, an independent privacy researcher and consultant. “LastPass choices can undermine user trust.” “The big problem is also time. Why do it right before the end of the year holidays when the initial investigation started months ago?”
As Jeremi Gosney, a longtime password cracker and senior principal engineer on the Yahoo security team, wrote this week in a series of articles on the situation: “I used to support LastPass. I recommended it for years and defended it publicly in the media… But things have changed.”