Unless you’re not interested in tech news or have been under a rock for the past two weeks, you’ve probably heard about the latest LastPass breach debacle. Two days before Christmas, every LastPass customer like myself received an e-mail informing us that, in a nutshell, back in August 2022 an unauthorized third party had acquired LastPass vault backups from a cloud service. But don’t worry, they said! As long as you’ve got a strong master password, you should be fine. But not everything in your LastPass vault is encrypted, specifically URLs, and now that this unknown threat actor has a list of LastPass customers, their vaults, and the URLs in those vaults, let the phishing attempts begin! Not to mention they have time to brute force the encryption on those vaults with poor master passwords. Even worse, since the initial announcement, there have been zero further details provided by LastPass, even on their own support forums (which are now full of message threads with other angry customers also leaving), and no mention of the breach at all on their homepage!

So yeah, after 12 years as a LastPass Premium/Families customer, I’ve switched. There’s lots of good analysis available on the breach, its impact on LastPass customers, and how to protect yourself. I spent a lot of time last week changing all my critical passwords and 2FA codes, but do your own homework (I recommend listening to Steve Gibson’s Security Now! podcast, episodes #904 and #905). I’m just going to focus on my own migration here.

There are lots of password managers out there, but having been a LastPass customer since the early days (July 2010), I didn’t really pay much attention to them since I wasn’t interested in switching and was happy with my current setup (and inertia is hard to overcome). That all changed right after Christmas when I received that e-mail and started reading about the resulting fallout on the internet. After doing a bunch of research I narrowed my list down to 1Password and Bitwarden. Then, taking it a step further, I started investigating the possibility of self-hosting and ended up choosing Bitwarden/Vaultwarden.

Bitwarden

Bitwarden is a password manager with basically the same offerings as LastPass: a web vault/cloud service, mobile app, and browser extension with free, premium, and families subscription options.