After LastPass breach
This is a public service announcement to fill in the blanks for those affected by the LastPass security breach regarding its severity, and some potential next steps for your consideration.
Official LastPass Press Release (Thursday, December 22, 2022):
- LastPass: Notice of Recent Security Incident - “We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.”
Security community reactions
- What’s in a PR statement: LastPass breach explained - “Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. […] Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.”
- LastPass breach from a Password Cracker’s Perspective - “Apart from all of the other commentary out there, here’s what you need to know from a password cracker’s perspective!”
- LastPass Default Key Derivation Functions (KDFs) - The default KDF iteration counts used by LastPass from 2008 to now.
- Why 1Password or Bitwarden as alternatives - “ … a good number of people questioned why I recommend ditching LastPass and expressed concern with me recommending people jump ship simply because they suffered a breach. Even more are questioning why I recommend Bitwarden and 1Password, what advantages they hold over LastPass …”
- The LastPass disclosure of leaked password vaults is being torn apart by security experts - “The company announced last week that users’ password vaults had been stolen. Things have gone downhill from there.”
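The KDF and password-cracker links above both come down to one tunable number: the PBKDF2 iteration count applied to the master password before the vault key is produced. The following added example (not code from this page or from LastPass) derives a vault key with PBKDF2-HMAC-SHA256 and shows why the iteration count matters for a stolen vault: the cost of each offline guess grows linearly with it. The e-mail, password and iteration counts are constructed sample values, not real LastPass parameters; the guess rate is likewise a constructed figure, so the estimate illustrates scaling rather than any actual hardware.

```python
import hashlib
import hmac
import time

# Constructed sample inputs; none of these are real LastPass parameters.
SAMPLE_SALT = "user@example.com"            # constructed: salt for the derivation
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"
LOW_ITERATIONS = 5_000                      # constructed "legacy default"
HIGH_ITERATIONS = 600_000                   # constructed "modern default"


def derive_vault_key(master_password: str, salt: str, iterations: int,
                     length: int = 32, hash_name: str = "sha256") -> bytes:
    """PBKDF2-HMAC key derivation; the iteration count is the work factor."""
    return hashlib.pbkdf2_hmac(hash_name, master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen=length)


def verify_master_password(candidate: str, salt: str, iterations: int,
                           expected_key: bytes) -> bool:
    """Constant-time comparison of a derived key against the stored one."""
    derived = derive_vault_key(candidate, salt, iterations, len(expected_key))
    return hmac.compare_digest(derived, expected_key)


def measure_guess_rate(iterations: int, trials: int = 5) -> float:
    """Rough single-threaded guesses/second on this machine at a given count."""
    start = time.perf_counter()
    for i in range(trials):
        derive_vault_key(f"guess-{i}", SAMPLE_SALT, iterations)
    return trials / (time.perf_counter() - start)


def guesses_per_second(measured_rate: float, measured_iterations: int,
                       target_iterations: int) -> float:
    """PBKDF2 cost is linear in iterations, so a measured rate scales inversely."""
    return measured_rate * measured_iterations / target_iterations


def expected_crack_seconds(search_space: int, rate: float) -> float:
    """Average time to hit the right password when it is uniform over search_space."""
    return (search_space / 2) / rate


if __name__ == "__main__":
    key = derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, HIGH_ITERATIONS)
    assert verify_master_password(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, HIGH_ITERATIONS, key)

    # Constructed baseline: pretend an attacker manages 1e6 guesses/s at LOW_ITERATIONS.
    baseline_rate = 1_000_000.0
    search_space = 2 ** 40          # roughly a 40-bit-entropy master password
    for iters in (LOW_ITERATIONS, HIGH_ITERATIONS):
        rate = guesses_per_second(baseline_rate, LOW_ITERATIONS, iters)
        days = expected_crack_seconds(search_space, rate) / 86_400
        print(f"{iters:>8} iterations: ~{rate:,.0f} guesses/s, ~{days:,.1f} days on average")
    print(f"local single-thread rate at {LOW_ITERATIONS} iterations: "
          f"{measure_guess_rate(LOW_ITERATIONS):,.1f} guesses/s")
```

The scaling function is the part worth internalising: raising the iteration count from 5,000 to 600,000 makes every offline guess 120 times more expensive, which is exactly why a vault derived under an old low default deserves a master-password change even though the vault format itself did not change.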
My personal response
My family and I have been steadfast customers of LastPass for more than 10 years, and spending a significant portion of my holiday time migrating away from LastPass was not what I had in my holiday plans!
At the same time, I am also kicking myself for not doing this earlier, when Consumer Reports, in its independent assessment of password managers, DID NOT have LastPass as one of their recommendations! I let inertia and complacency get in the way of making a change at that time, and that is a lesson learned for me on taking prompt action, and the consequences of not doing so!
After looking into its security model and reading its security design whitepaper (PDF), we have chosen to migrate to 1Password, and combine it with Authy for Time-based One-Time Passwords (TOTP).
If you choose to go down this path, there are some decisions you will need to make regarding how to configure the combination.
While it is a straightforward decision that the 2FA TOTP code for 1Password itself should be kept separate and stored in Authy, the next decision you have to make is whether the TOTP codes for the accounts you store within 1Password should also be stored separately in Authy, or whether you should use the option within 1Password itself to store those TOTP codes.
Read “Why is it a good idea to store 2FA tokens in 1Password?” for a perspective from the Principal Security Architect at 1Password.
Separately there are two configuration choices to be made in Authy:
cyberLinks: random and relevant
- A Well-Known URL for Changing Passwords - “Currently, if the user of a password manager would like to change their password on example.com, basically all the password manager can do is load example.com in a browser tab and hope the user can figure out how to update their password themselves. The goal of this specification is to do the simplest possible thing to improve this situation, by defining the /.well-known/change-password well-known resource.”
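To make the change-password specification concrete from both sides, here is an added example (my own code, not from the specification or from any password manager). The server half is a minimal WSGI app for a hypothetical site whose real password page lives at /account/security (a constructed path); it answers the well-known path with a redirect, as the spec recommends. The client half is the logic a password manager would run: it first requests the spec's not-found probe resource (/.well-known/resource-that-should-not-exist-whose-status-code-should-be-404) to rule out hosts that answer 200 to everything, then follows the well-known redirect. The fetch callable is injected so the example runs in-process with no network; a real client would plug in an HTTP GET that does not auto-follow redirects.

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin

CHANGE_PASSWORD_PATH = "/.well-known/change-password"
# Defined by the spec as a reliability check: a well-behaved host must return 404 here.
NOT_FOUND_PROBE = "/.well-known/resource-that-should-not-exist-whose-status-code-should-be-404"
ACCOUNT_SECURITY_PATH = "/account/security"   # constructed: where this site keeps the real page

Fetch = Callable[[str, str], Tuple[int, Dict[str, str]]]


def app(environ, start_response):
    """Server side: a minimal WSGI app for a hypothetical site."""
    path = environ.get("PATH_INFO", "/")
    if path == CHANGE_PASSWORD_PATH:
        # The spec recommends a redirect so the well-known URL never needs to host the page itself.
        start_response("302 Found", [("Location", ACCOUNT_SECURITY_PATH), ("Content-Length", "0")])
        return [b""]
    if path == ACCOUNT_SECURITY_PATH:
        body = b"<h1>Change your password</h1>"
        start_response("200 OK", [("Content-Type", "text/html"), ("Content-Length", str(len(body)))])
        return [body]
    body = b"not found"
    start_response("404 Not Found", [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
    return [body]


def fetch_via_wsgi(origin: str, path: str) -> Tuple[int, Dict[str, str]]:
    """Drive the WSGI app in-process; stands in for an HTTP client that does not follow redirects."""
    captured: Dict[str, object] = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])
        captured["headers"] = {k.lower(): v for k, v in headers}

    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"]  # type: ignore[return-value]


def resolve_change_password_url(origin: str, fetch: Fetch) -> Optional[str]:
    """Client side: find where to send the user, or None if the site gives no trustworthy answer."""
    status, _ = fetch(origin, NOT_FOUND_PROBE)
    if status != 404:
        # Host answers non-404 for made-up paths, so a 200 on the well-known path means nothing.
        return None
    status, headers = fetch(origin, CHANGE_PASSWORD_PATH)
    if 300 <= status < 400 and "location" in headers:
        return urljoin(origin + CHANGE_PASSWORD_PATH, headers["location"])
    if status == 200:
        return origin + CHANGE_PASSWORD_PATH   # page served directly at the well-known URL
    return None


if __name__ == "__main__":
    print(resolve_change_password_url("https://example.com", fetch_via_wsgi))
```

The not-found probe is the easily forgotten step: without it, a site that serves its home page for every unknown URL would look like it supports the feature, and the manager would happily send the user to the wrong place.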