All the people using LastPass who might have not followed the company blog or Twitter should be aware that there has been a security incident at their data centers. Apparently they detected some suspicious activity within their network. They have written a blog post about what parts of their data has been compromised and what is secure. To summarize it the account email addresses, password reminders, server (per user) salts and authentication hashes were stolen. At least to me it is not very clear what “authentication hash” means exactly but further down their post they explain that users without two factor authentication are prompted to change their master password. In addition to that, they encourage users to change passwords on other websites if they reused their master password – who would do that anyway right?
Personally I use 1Password because waaaay back I got a free license. However recently I thought very hard about switching over to LastPass because they are a lot more active than AgileBits and because my iPhone sync does not work anymore. Additionally in contrast to their name AgileBits is quite slow in adopting new security relevant features. Sure they managed to adopt TOTP(time-based one time passwords – those fancy changing numbers) recently but they officially stated that support for external authentication devices like the Yubikey are probably not going to be supported. If you think about the fact that a TOTP token saved next to your password is pretty useless. Sure it does minimize the chance of your account being bruteforced, but if you use a password manager and your passwords are still easy to bruteforce then I suppose you are doing it wrong.
the past or the cloud
LastPass in contrast does support hardware tokens like the Yubikey and seems in general a lot more active in enhancing their products beyond eye candy. There have been two factors that kept me from switching to LastPass in the past. First you need to pay annually for their premium service, which you need in order to use hardware tokens, and in addition to that your data is stored online. A company whose central service is to provide a security mechanism does probably a better job at protecting your stuff than you do on your own computer. However at least to me the fact that I hand over my data to a third party that I need to trust has always been a turn off. Another thing to consider is the fact, that central storage services that store sensitive data are a far more attractive target for sophisticated and motivated attackers since there is a lot more to get.
My concerns have been proven right, even the most noble and motivated companies can get breached. I have not found an alternative to 1Password or LastPass that is offering the functionality that I expect from a password manager in 2015 and that does offer a certain degree of aesthetics. If you do know of a tool that does all the data keeping locally, offers two factor authentication and is pretty please let me know. Until then, all you LastPass users should change their master password. And while you are at it you should probably think about removing all your old short crappy passwords, that I am sure you still have, as well.
Thank you, your comment successfully submitted
your comment has been submited, it might take a while to be moderated.