Security Banner with Transparent Bottom

What am I doing about the LastPass breach?

Background

Remembering all your passwords is difficult.  We've been recommending since 2013 that folks use a password manager to securely create and store your passwords so that you don't have to remember them.  The natural fear has always been that the passwords stored in the cloud would be stolen, which is why password managers use strong encryption to keep them safe.

LastPass [1], the password manager of choice here at the IAS for years, recently announced that their data store of user password safes had been breached and those encrypted safes had been stolen [2].

Don't panic

If you chose a secure password to secure your password vault within LastPass, you should be ok.  It will take many decades for someone to be able to successfully brute force your main password.  The encryption being used to store your passwords is AES-256, which has been proven to be quantum resistant [3].  This means that when quantum computers are big enough to be a threat to encryption standards being used today, our LastPass vaults are still resistant to being cracked.

Plan your next move, but take your time

This is definitely still disappointing news to come from LastPass.  There is an undeniable level of trust lost due to this breach, and I wouldn't blame anyone for looking at another solution.  There are a number of password vaults out there to choose from, you just have to weigh the options of which one works best for you.

Here at the IAS, we are taking a look at a number of possible alternatives.  This has been a project on our list for a number of years due to other reasons, cost and application performance being the major two.  This most recent issue is yet another reason why we are going to look for another alternative.

There are several articles that list possible alternatives.  Just do your research and make sure to pick one from a trusted, mainstream company that has all the features you want [4][5][6][7].

Whatever you decide, continue using a password safe.  This is the type of breach they are designed to withstand, and the security benefits from using one far outweigh the potential risks of having the database stolen.

Make sure to use a secure vault passphrase

Whatever you decide to do, make sure going forward to use a secure vault passphrase, and don't re-use that passphrase anywhere else [8].

What else am I doing?

At this point, nothing.  I'm continuing to use LastPass until I've found a viable alternative that does everything I want.  I'll be sure to update the blog when we decide which solution to use.  I'm watching my accounts for fraudulent activity (like I always do anyway).  I'm paying attention to the news to see if anything changes, and I'm continuing forward.

Safe computing!
Brian

References

  1. https://www.lastpass.com/
  2. https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
  3. https://www.qusecure.com/aes-256-is-quantum-resistant-capable-of-withst…
  4. https://www.cnet.com/tech/services-and-software/best-password-manager/
  5. https://www.pcmag.com/picks/the-best-password-managers
  6. https://www.tomsguide.com/us/best-password-managers,review-3785.html
  7. https://www.passwordmanager.com/best-password-managers/
  8. https://www.ias.edu/security/policies/password