LastPass - Should I stay or should I go
Reacting to the latest news surrounding the breaches at the Password Manager vendor
With the recent details emerging of the breach at LastPass, like many existing customers of the service, I too have wrestled with the thought of leaving to an alternative provider. Based on what we know so far, I’ve chosen to stay. It’s worth noting that this is just a decision point in time (which could change should further information emerge), is based on my own personal risk “barometer” and may not necessarily be the same thought process if I were selecting a password manager as a first-time customer. It’s also worth noting that I have no commercial relationship with LastPass, either personally or through my employer.
First off, let’s get this out of the way – I still believe password managers are an absolute must, and that will remain my position for as long as passwords remain the de facto means of authentication on the internet. I could wax lyrical about the reasons why, but I’d rather leave it to one of the absolute authorities on such subjects (although I’m obviously biased) - the UK’s National Cyber Security Centre: https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers
Security is about risk management: trading usability and convenience against security, and finding a happy middle ground that satisfies your own appetite for risk without being a constant annoyance. I use multiple devices and want the convenience of being able to access my passwords across them all. An offline manager (one that only ever stores passwords to a local file), whilst arguably more secure, didn’t offer that same level of convenience. At the point at which I became a LastPass customer, they had some of the better device portability amongst their competitors, although I imagine that’s likely less true today. As a product, I am now familiar with it, and it’s integrated across a number of my devices – I’ve even got my 11yr old son using it (and preaching to his friends about the benefits of password managers). One aspect of convenience is the inconvenience of having to migrate over to a new product – this inertia to change is not unique to the issues at LastPass, but any move will need to be for more than just a protest vote.
Every company is at risk of getting breached, every software vendor will at some point supply buggy code, and of course, Internet Rule 34. With the exception of that last suggestion, how “secure” a company is comes down to how they respond to those events: the preventative steps they take to reduce the impact, how they repair and rebuild after the incident, and how they work to try and prevent it from happening again. My point here is that even if I did jump to an alternative password manager, there is no rule that says they won’t suffer a similar security breach in the future. Whilst you can get a sense of how well a company may be able to withstand a breach, you can never guarantee it. I saw one pithy comment (now lost to the eons of time) that said (and I paraphrase as best as my memory allows):
“If you jump ship every time something goes wrong, you’ll eventually run out of ships”
In general, my experience suggests that companies often choose to heavily invest in security in response to a major breach. Part of it is about recognising the need to take things a bit more seriously than they had previously, part of it is having become only too aware of where their gaps were, but it’s also partly about trying to rebuild trust with customers/partners. Again, never a guarantee, but I’ll be paying close attention to what (if anything) LastPass do next.
If we believe the latest information from LastPass, the lost archives had passwords that were encrypted. There are a few different views on just how well encrypted, but it's probably fair to say that they were a little better encrypted than many services that I've come across. Is it still defeatable? Of course it is - the question is just how much time, money and effort an attacker is willing to expend to break it. Especially when each vault will have its own separate master password to try and break, and I am just one user out of the millions of customers that LastPass have.
A single factor (pun intended) should never be the only thing keeping your accounts secure. Passwords are known to be weak, and as a general rule, people pick rubbish passwords – another great resource from the National Cyber Security Centre is a good example of that: https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security. Any decent website or service knows this, and so implements additional layers of security. That may mean enforcing (or at least allowing) multi-factor authentication, such as number matching via an SMS, or even better, some form of TOTP. It may mean a Zero-Trust type approach, where every aspect of the transaction is inspected, from whether you’re using a known and trusted device, to the location (IP address) you’re trying to access the service from. Whilst some of this will be done behind the scenes, over the last few years I’ve taken steps to configure my accounts as “paranoid” as I can – without compromising too much on convenience. I know that if the password for one of my core accounts were ever compromised, a) an attacker wouldn’t really be able to do anything with it; and b) I’d get alerted to it.
So, what will I be doing?
If nothing else, this has been a good prompt for a little spring cleaning:
Rationalising the passwords I have stored across LastPass as well as other password stores, such as those stored to my iCloud.
Clearing out and closing down accounts on services that I may have used once upon a time but have long since abandoned.
Going over the accounts I do still use, checking for additional security features such as multi-factor authentication or login notifications, and enabling them.
Resetting the passwords for a few of those core accounts, such as my email, where password reminders/resets for all the other accounts are likely to be sent.
Finally, it’s worth restating a few points I made at the top:
This is based on my own personal risk barometer. Others will likely be aghast at how blasé I seem to be!
This is based on the information currently known at time of writing. Incidents evolve, more knowledge is revealed, more assumptions and myths are broken. This is not a position set in stone.