Is it time to replace your password manager?

I still don't trust LastPass. And neither should you.

There are very few software products that have as much brand equity as LastPass. It was an early leader in the password manager category, and for its first few years it had the kind of word-of-mouth publicity that software marketing exec dream about.

And then, in 2011, the company’s admins reported an “anomaly” in their network traffic, after which they forced every user to change their master password. The result was, to put it bluntly, a total shitshow. The company has long since memory-holed the blog post containing the security bulletin and the many updates to frustrated users who were stuck without access to their password databases, but the Internet Archive never forgets.

Software marketing execs have nightmares about having to write things like “Record traffic, plus a rush of people to make password changes is more than we can currently handle.”

And then there was another incident. And another, and another and another and another … I had almost lost track until I read today’s blog post from LastPass, blandly titled "Notice of Recent Security Incident." It starts out, “We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.”

That software marketing exec is now gobbling Tums like they were candy.

It gets worse.

To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. 

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Which is kind of the definition of nightmare scenario for someone who runs an online service that promises to keep your secrets safe from outside attackers.

I deleted my LastPass account with extreme prejudice years ago, and I have no regrets. I also have no schadenfreude about the company’s current troubles, although I can say with some confidence that this outcome was thoroughly predictable.

LastPass got gobbled up by LogMeIn back in 2015. And then in 2021, LogMeIn announced it was planning to spin LastPass off as a separate company. Astute observers of the software industry know that this playbook rarely works out well. At the very best, your employees are distracted by the whole M&A song and dance. At worst … well, here we are.

If you currently have a LastPass account, I think this is a wonderful time to explore alternatives. And by “explore alternatives,” I mean export your data, delete your LastPass account, and start fresh with a company that has a better handle on the challenges of securing extremely sensitive customer data.

A few years back, I wrote a review of password managers for ZDNet. It’s still up to date and worth reading: “The 6 best password managers: Easily maintain all your logins.”

If you’d prefer the short version, it goes something like this:

If you can afford a few bucks per month, I recommend 1Password. If you would rather not pay or you just prefer open-source options, get Bitwarden.

But don’t keep using LastPass.

If you don’t currently have a password manager, well, you should. I’ll have more to say about that in the new year.