Is it safe to use the LastPass password manager?

Lately, LastPass has been in the news a lot. Whether you’re already a LastPass user or considering a subscription, you’re probably wondering if it’s safe to use after the recent hacks.
The short answer is no, but that’s only partly because of the 2022 hacks.
As a password manager that stores all of your logins – possibly including usernames and passwords for online banking and other important services – it needs to be completely trustworthy.
We are wary of any online or cloud service that claims to be 100% secure and hack-proof, but the opposite is no better: a company that handles millions of users’ passwords and suffers repeated breaches has a trust problem.
We have repeatedly given LastPass the benefit of the doubt in the past. It was hacked in 2015 when users’ email addresses and password reminders were accessed.
Then, in 2017, a vulnerability was discovered in its browser extension that a malicious website could have used to steal your passwords. That was fixed, but a similar extension flaw turned up in 2019, this time exposing the credential the extension had most recently filled in.
Then, in August 2022, LastPass posted on its blog that a developer’s machine had been compromised and that portions of source code and technical information had been taken, but that there was no evidence of access to customer data or password vaults.
LastPass said no action was required, as master passwords and encrypted vaults (which hold logins and passwords) remained secure.
Unfortunately, this turned out to be too optimistic: just a few months later the attackers used the information taken in August to breach LastPass again, this time obtaining customer account data including email addresses, phone numbers and IP addresses, along with copies of customer password vaults.
They did this by targeting a LastPass employee and obtaining the credentials and keys needed to access the cloud storage where LastPass keeps customer data and backups of password vaults.
Passwords, usernames and notes in these vaults are encrypted, but not every field is: LastPass has confirmed that the website URLs are stored unencrypted. That matters, because the URLs tell an attacker exactly which vaults contain banking or other high-value logins worth cracking first, and which users to target with convincing phishing lures.
To decrypt a vault, the attackers have to guess the master password that protects it. Because the vault is in their hands, there is no login page to rate-limit or lock them out, and they can run password-cracking software against their copy for as long as they like. It is therefore only a matter of time before some vaults are cracked, especially those protected by weak master passwords. LastPass only began requiring master passwords of at least 12 characters in 2018, and existing users were not forced to change theirs, so an account created before then may still have a shorter one. Vaults set up before 2018 may also still use a far lower PBKDF2 iteration count (the default was 5,000 before it was raised to 100,100), which makes every guess cheaper for the attacker.
I am a LastPass user. What should I do?
If you are using a strong master password you should be fine, says LastPass, because it would take “millions of years” to guess it using generally available password-cracking technology:
“Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute-force guess master passwords for those customers who follow our password best practices. We regularly test the latest password-cracking technologies against our algorithms to keep pace with and improve our cryptographic controls.
The threat actor may also target customers with phishing attacks, credential stuffing, or other brute-force attacks against online accounts associated with your LastPass vault. To protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you asking you to click a link to verify your personal information. Other than when logging into your vault from a LastPass client, LastPass will never ask you for your master password.”
The problem is that if the attackers already hold a copy of your vault encrypted under your old master password, changing your LastPass master password now makes no difference to that copy: it re-encrypts only the version LastPass keeps, not the one the attackers have.
That means your only real option is to change the passwords stored inside your vault, so that if the attackers ever decrypt their copy, the credentials they find no longer work. Where an account offers two-factor authentication, turn it on as well, so that a recovered password is not enough on its own.
Changing dozens, let alone hundreds, of passwords is a lot of hassle and time, but it is clearly worth doing for any bank or other account tied to your finances. That includes online shopping accounts that store your payment details, such as Amazon, and don’t forget PayPal and similar services.
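To make the cracking-cost and “stolen copy” points above concrete, here is an added Python example; it is not LastPass’s code and is not from the original article. It models the vault key derivation the way LastPass documents it (PBKDF2-HMAC-SHA256 over the master password, salted with the account email), then shows how iteration count and password length change the attacker’s expected effort, and why rotating the master password does nothing for a copy already stolen. The attacker’s hash rate, the email address, the master passwords, the wordlist and the HMAC “vault tag” check are all constructed assumptions; the tag stands in for decrypting a real AES vault blob and checking whether the plaintext parses.

```python
import hashlib
import hmac
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# LastPass's documented default PBKDF2 iteration counts: 5,000 before 2018,
# 100,100 afterwards. Older accounts were not migrated automatically.
OLD_ITERATIONS = 5_000
NEW_ITERATIONS = 100_100

# Assumed attacker capability (illustrative, not a measurement): raw
# PBKDF2-HMAC-SHA256 rounds per second across a GPU cracking rig.
ASSUMED_ROUNDS_PER_SECOND = 1e9


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault key as LastPass documents it: PBKDF2-HMAC-SHA256 over the master
    password, salted with the lower-cased account email, 32-byte output."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def expected_crack_years(keyspace: int, iterations: int,
                         rounds_per_second: float = ASSUMED_ROUNDS_PER_SECOND) -> float:
    """Expected offline cracking time: on average half the keyspace is tried,
    and every guess costs `iterations` PBKDF2 rounds. No server is in the loop,
    so nothing rate-limits the attacker except their own hardware."""
    guesses_per_second = rounds_per_second / iterations
    return (keyspace / 2) / guesses_per_second / SECONDS_PER_YEAR


def vault_check_tag(vault_key: bytes, vault_blob: bytes) -> bytes:
    """Constructed stand-in for 'decrypt the stolen AES blob and see whether the
    plaintext parses': an HMAC over the blob under the candidate key. A real
    attacker does the AES decryption instead; the per-guess cost model is the same."""
    return hmac.new(vault_key, vault_blob, hashlib.sha256).digest()


def offline_dictionary_attack(email: str, iterations: int, vault_blob: bytes,
                              stolen_tag: bytes, wordlist) -> Optional[str]:
    """Try each candidate master password against the stolen copy."""
    for guess in wordlist:
        key = derive_vault_key(guess, email, iterations)
        if hmac.compare_digest(vault_check_tag(key, vault_blob), stolen_tag):
            return guess
    return None


# Constructed sample data for the walk-through (not real accounts or leaks).
EMAIL = "user@example.com"
OLD_MASTER = "sunshine2016"        # weak, pre-2018 style master password
NEW_MASTER = "Rq7!vL2#pZ9$wN4@"    # strong replacement chosen after the breach
VAULT_BLOB = b"constructed-encrypted-vault-bytes"
WORDLIST = ["123456", "password", "letmein", "sunshine2016", "qwerty"]


def stolen_copy_still_cracks() -> dict:
    """Scenario: the attacker copies the vault while it is protected by
    OLD_MASTER; the user then rotates to NEW_MASTER, which re-protects only the
    copy LastPass holds. Returns what an offline wordlist attack recovers from each."""
    stolen_tag = vault_check_tag(
        derive_vault_key(OLD_MASTER, EMAIL, OLD_ITERATIONS), VAULT_BLOB)
    # Password rotation: LastPass's live copy is now keyed by NEW_MASTER...
    live_tag = vault_check_tag(
        derive_vault_key(NEW_MASTER, EMAIL, NEW_ITERATIONS), VAULT_BLOB)
    # ...but the attacker's copy is unchanged and still falls to the wordlist.
    recovered = offline_dictionary_attack(EMAIL, OLD_ITERATIONS, VAULT_BLOB,
                                          stolen_tag, WORDLIST)
    live_recovered = offline_dictionary_attack(EMAIL, NEW_ITERATIONS, VAULT_BLOB,
                                               live_tag, WORDLIST)
    return {"recovered_from_stolen_copy": recovered,
            "recovered_from_rotated_live_copy": live_recovered}


if __name__ == "__main__":
    for label, space in [("8 lowercase letters", 26 ** 8),
                         ("12 mixed-case alphanumerics", 62 ** 12)]:
        for iters in (OLD_ITERATIONS, NEW_ITERATIONS):
            print(f"{label:>28} @ {iters:>7} iterations: "
                  f"{expected_crack_years(space, iters):.3g} years")
    print(stolen_copy_still_cracks())
```

Under the assumed hash rate, an 8-character lowercase master password at 5,000 iterations falls in days; raising the iteration count to 100,100 only multiplies that by about 20, whereas moving to 12 mixed-case alphanumeric characters pushes the expected time into billions of years. The scenario function shows the other point: the rotated live copy resists the wordlist, but the attacker never had that copy.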
Should I still use LastPass?
No. It is simply impossible to recommend continuing to use it. The history of hacks and vulnerabilities was bad enough, but the fact that the attackers got their hands on customers’ encrypted password vaults was the final straw.
There is also the fact that LastPass’s code is closed source: unlike open-source software, no one outside the company can review the code for vulnerabilities. Open-source password managers exist, including Bitwarden and KeePass.
We have already said that you should change the passwords for important financial accounts; you should also pick another password manager and move your passwords to it.
Most password managers work like LastPass and store your encrypted vault in the cloud so that logins stay in sync across all your devices. Some offer a self-hosted or local-only option in which the vault is kept on your own device or server. That keeps your vault out of a vendor’s cloud, so a breach like LastPass’s cannot expose it, but it usually makes keeping new logins and password changes in sync across devices harder.
Security and convenience rarely go hand in hand, so the choice comes down to how far you trust a cloud-based password manager with the encrypted copy of your vault.