Leaving LastPass...

Why the LastPass security breach might be worse than you currently think.

Sure, it's become obvious in the last few weeks why people should be seriously reconsidering their choice of password manager. However, for most people it's not blindingly obvious, beyond the breach itself, why, from a technical perspective, they should be avoiding LastPass completely.

I'll go into some technical details later, but I want to bring up something I haven't heard discussed properly... Two-Factor Authentication, and how it has been affected.

I listened to a two-hour "Security Now" podcast with Steve Gibson and Leo Laporte. They covered the technical details of the breach very well, but one comment near the end of the show had me worried. Steve mentioned that you should (roughly 1:52:30) "take the time to scan through your vault [...] changing the login passwords of any of your important accounts which are not also protected by some form of strong second factor authentication".

Really, unless protected by two-factor authentication? But my two-factor secrets were stolen as well!

I abandoned LastPass after it was bought out by LogMeIn. I've generally paid for password managers, but not only did they double the basic subscription cost, they removed features from the lower plans, and restricted the free tier from syncing multiple types of devices (mobile / web browser plugin / etc.). This directly affected my family and friends who weren't able to pay for a subscription at all. So, I left - partly in solidarity, but mostly because of my waning approval of the new owners.

I've been using BitWarden ever since. The free tier is as good as, if not better than, the paid LastPass tier. There is, however, one feature that's missing unless you pay BitWarden: built-in two-factor authentication support. So, I use Authy, and Microsoft Authenticator (for work), and I've tried others in the past... including LastPass Authenticator!

(I don't use Google Authenticator because it doesn't have any way of backing up your codes. If you lose your device, you need to start from scratch with every platform you have two-factor enabled on.)

Anyway, as I usually do, I've tried multiple products over the years. Authy is great, but I prefer the user interface of LastPass Authenticator. This is a totally separate product to LastPass Password Manager, and it's always free, so I didn't think much of it.

Until the breach.

Because, in order to back up your authentication secrets, Authenticator uses your LastPass account. Now, I deleted my LastPass account completely years earlier, so I have no password vault, but it still relies on the application itself being installed and logged in to back up. So I did that.

Now, all of my authentication tokens are in the wild. Available to who knows.

So, even though I have no LastPass vault to be stolen (I hope... depending on the dates of the backups stolen... which they have not confirmed in any way), all of my two-factor codes have to be reset now as well, just in case.

If you are one of the unlucky users who lost both your password vault and your two-factor authentication backups, you have way more to worry about than you think. And it literally is time sensitive.
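Why a copied authenticator backup means the second factor has to be reset, as an added example that is not part of the original post: assuming the accounts use standard TOTP (RFC 6238), a code is computed from the enrolled secret and the clock alone, so any copy of the secret produces codes the site accepts until the account is re-enrolled with a new secret. The secret below is the constructed RFC 6238 test key, and `server_accepts` and `new_enrollment` are hypothetical helpers.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32: str, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the shared secret and the time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // step)            # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(enrolled_b32: str, code: str, at: int) -> bool:
    """Hypothetical verifier: accepts the current or the previous 30-second step."""
    candidates = (totp(enrolled_b32, at - drift) for drift in (0, 30))
    return any(hmac.compare_digest(code, c) for c in candidates)


def new_enrollment() -> str:
    """Re-enrolling 2FA makes the site issue a fresh random 160-bit secret."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


# Constructed sample secret: the RFC 6238 test key "12345678901234567890".
ENROLLED = base64.b32encode(b"12345678901234567890").decode()
BACKUP_COPY = ENROLLED  # a backup of the authenticator holds this same value

if __name__ == "__main__":
    now = 1111111109  # fixed timestamp taken from the RFC 6238 test vectors
    code_from_backup = totp(BACKUP_COPY, now)
    print("code on the phone      :", totp(ENROLLED, now))
    print("code from the backup   :", code_from_backup)
    print("accepted before reset  :", server_accepts(ENROLLED, code_from_backup, now))
    rotated = new_enrollment()
    print("accepted after reset   :", server_accepts(rotated, code_from_backup, now))
```

Changing the account password does not change the enrolled secret; only disabling and re-enabling two-factor on each site replaces it.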

More to come...