LastPass has been in the news a lot recently. Whether you’re a LastPass user already or are thinking about subscribing, you’re probably wondering whether it’s safe to use following the recent hacks.
The short answer is no, but this is only partly because of the 2022 hacks.
As a password manager which holds all your logins – maybe including usernames and passwords for online banking and other critical services – it should be completely trustworthy.
Although we’d be wary of any online or cloud-based service claiming to be 100% safe and hack-proof, it really isn’t a good look if you handle millions of users’ passwords and suffer repeated breaches.
In the past, we’ve given LastPass the benefit of the doubt on numerous occasions. It was hacked in 2015 when users’ email addresses and password reminders were accessed.
Then, in 2017, a vulnerability was found in its browser extension which could have been used to steal your passwords. This was patched, but a similar thing happened in 2019 where the last-used password was vulnerable.
Then, in August 2022 LastPass posted on its blog that a machine used for development had been compromised but that there was no evidence that customer data or passwords had been accessed.
LastPass said no action was required because the master password and encrypted vaults (containing the logins and passwords) remained safe.
Unfortunately, this turned out to be overly optimistic: just a few months later, hackers used information they’d obtained in August to hack into LastPass again, this time accessing user email addresses, phone numbers and IP addresses.
They did this by scamming a LastPass employee and managing to get the necessary information to access some cloud storage that LastPass uses to keep customer data and the password vaults.
The passwords, usernames and any notes in those vaults are, of course, encrypted, but not all the data is: LastPass confirmed that they also contain unencrypted URLs of websites.
Hackers would need to guess your master password in order to decrypt the information in those vaults, but since they can use software to speed up that process, it’s only a matter of time before they manage to crack some, especially if you used a weaker password with fewer than 12 characters – something that’s possible if you haven’t changed it since before 2018.
I’m a LastPass user. What should I do?
If you use a strong password, you should be OK – says LastPass – because generally available software would take “millions of years” to crack it.
“Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices. We routinely test the latest password cracking technologies against our algorithms to keep pace with and improve upon our cryptographic controls.
The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”
The problem is that if the hackers already have a copy of your vault, which is encrypted with your old password, then changing your LastPass master password now won’t make any difference because it will only change the encryption of the version that LastPass stores, not the copy the bad guys have.
This means your only option is to change the passwords for accounts within the vault so that if the hackers do ever manage to decrypt your vault, the passwords they get won’t work any more.
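To make the reasoning in the two paragraphs above concrete, here is a small model of a cloud password vault. It is an added illustration written for this article, not LastPass's code: it uses PBKDF2-HMAC-SHA256 from Python's standard library for key stretching and a deliberately simple HMAC-based stream cipher with an authentication tag in place of the AES-GCM-style encryption a real product would use. The iteration count, the vault entries and the passwords are all constructed sample values. It shows that a stolen copy still opens with the old master password after the user changes it on the server, and that only rotating the passwords stored inside the vault makes the stolen contents useless.

```python
import hashlib
import hmac
import json
import os

# Toy vault model (added example). Key derivation is real PBKDF2-HMAC-SHA256;
# the cipher is a simple HMAC keystream with an HMAC tag standing in for
# AES-GCM. ITERATIONS and all sample data are assumptions for the example.
ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key. The salt is stored next
    to the vault, so a stolen copy can still be guessed at offline; the
    iteration count only makes each guess slower."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (toy stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, entries: dict) -> dict:
    """Encrypt the entries under a key derived from the master password.
    A fresh salt and nonce are used each time, so re-encrypting the same
    entries under a new master password yields an unrelated blob."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def open_vault(master_password: str, blob: dict):
    """Return the entries if the master password is right, otherwise None.
    The tag lets anyone holding the blob tell a right guess from a wrong one
    without contacting the provider, which is what makes offline guessing work."""
    key = derive_key(master_password, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    plaintext = bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))
    return json.loads(plaintext)


def breach_scenario() -> dict:
    """Walk through the article's argument with constructed sample data."""
    entries = {"bank.example": {"user": "alice", "password": "hunter2-old"}}

    stolen_copy = seal_vault("old-master-password", entries)  # copy the attacker took

    # User changes only the master password: the provider stores a new blob,
    # but the attacker's copy is untouched and still keyed to the old password.
    server_copy = seal_vault("new-master-password", entries)

    # User also rotates the site password inside the vault; the stolen copy
    # still decrypts, but what it reveals no longer works.
    rotated_entries = {"bank.example": {"user": "alice", "password": "hunter2-new"}}
    seal_vault("new-master-password", rotated_entries)  # what the server now holds

    recovered = open_vault("old-master-password", stolen_copy)
    return {
        "stolen_opens_with_old": recovered == entries,
        "stolen_opens_with_new": open_vault("new-master-password", stolen_copy) is not None,
        "server_opens_with_old": open_vault("old-master-password", server_copy) is not None,
        "stolen_site_password_still_valid":
            recovered["bank.example"]["password"] == rotated_entries["bank.example"]["password"],
    }


if __name__ == "__main__":
    for name, value in breach_scenario().items():
        print(f"{name}: {value}")
```

Run as a script, it prints that the stolen copy opens with the old master password, that neither the new master password nor the server's fresh copy helps the attacker, and that the site password recovered from the stolen copy no longer matches the rotated one. Real products add further details (a separate authentication hash, per-device keys, much higher iteration counts), but none of those change the basic fact that an offline copy keeps the key material it was encrypted with.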
It’s a lot of hassle and takes a lot of time to change hundreds (even dozens) of passwords, but it is obviously worth doing this for any bank or other accounts to do with your finances in order to mitigate the risk. That includes accounts for any online shopping sites which store your payment details, such as Amazon, and don’t forget about PayPal and others.
Should I still use LastPass?
No. It’s simply impossible to recommend that you continue to use it. The history of breaches and vulnerabilities was bad enough, but the fact that the bad guys have now managed to get hold of encrypted password vaults is the straw that broke the camel’s back.
There’s also the fact that LastPass’s code is ‘closed source’. Unlike open source software, this means that no-one outside of LastPass can inspect the code it uses to check for any vulnerabilities. There are open source password managers, including Bitwarden and KeePass.
We’ve already said you should change any passwords for important financial accounts, but you should find another password manager and migrate your passwords to that.
Most password managers work like LastPass and store your password vault in the cloud. They do this to make it easy to sync those logins between all your devices, but some do offer a ‘self-hosted’ option where you can store your vault locally on your device. That’s better from a security point of view but it does tend to mean it’s not as easy to sync new logins and password changes across all the devices you use.
But security and convenience rarely go hand in hand, so it really depends upon how much you want to keep your passwords safe as to whether or not you trust a cloud-based password manager.