[Image: a padlock hanging on a chain. Photo by Roth Melinda on Unsplash]

Earlier this month LastPass revealed that they had been breached and then, a few days later, that their customers’ encrypted password data had been stolen. Following a couple of years of controversy including earlier breaches and price rises, this latest breach hasn’t been a particularly good look for them. I’ve been an LP user for a few years, but this latest breach has me concerned - particularly because their customer data vaults have been exposed.

Quick disclaimer: I’m not specifically a security expert, but I’ve been the CTO at a small tech firm for the last 6 years and data breaches are one of the topics that keep me up at night and make me sweat at work on a regular basis. I probably spend an unhealthy amount of time thinking and worrying about this stuff.

Making Good Use of Time Bought with LastPass’ Strong Encryption

Well, the good news is that LastPass uses pretty strong encryption to store customer password vaults so, in the best case for users, it might take hackers years or centuries to break into your account, depending on the strength of the password you chose. Wladimir Palant gives a bit more detail about the tactics that an attacker might use and how long this might take.

You can also use this tool to estimate how secure your password is and how long it might take a very dedicated hacker to crack your vault. NB: do not use your actual master password in the test tool but an analogue of it. For example, if your real password was TopSecretPassword123 you might try a different combination of 3-, 6- and 8-letter words followed by some numbers: BarDemonsAbstract567. This works because the tool uses the length of your password and the type of each character (number, letter, symbol) to estimate its difficulty.

[Screenshot: the zxcvbn tool on GitHub estimating the strength of the provided example, BarDemonsAbstract567]

You might also want to see if your password is on a list of leaked passwords that have previously been cracked because an attacker is bound to try these first rather than guessing randomly.
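One way such a check can be done without handing the password itself to anyone is the k-anonymity scheme used by the Pwned Passwords range API (api.pwnedpasswords.com): only the first five hex characters of the password’s SHA-1 hash are sent, and the matching is done locally against the returned list of suffixes. This is an added example, not code from the original post; the sample “leaked” passwords and their counts are constructed so the logic runs offline, and the live fetcher is included only for reference.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> times seen in leaks.
# Counts are made up; the real service returns hundreds of suffixes per prefix.
LEAKED_SAMPLE = {"hunter2": 17043, "password": 3861493, "TopSecretPassword123": 2}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """5-char prefix (the only thing sent over the wire) and 35-char suffix (kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fake_range_response(prefix: str) -> str:
    """Offline stand-in for GET /range/{prefix}: one 'SUFFIX:COUNT' line per matching hash."""
    lines = []
    for pw, count in LEAKED_SAMPLE.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def fetch_range_live(prefix: str) -> str:
    """Real range query (needs network). Only the 5-char prefix leaves the machine."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode("utf-8")


def count_in_response(suffix: str, body: str) -> int:
    """Match our suffix against the returned list; 0 means not in the corpus."""
    for line in body.splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range=fake_range_response) -> int:
    prefix, suffix = split_hash(password)
    return count_in_response(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for pw in ("hunter2", "BarDemonsAbstract567"):
        print(pw, "seen", check_password(pw), "times in the sample corpus")
```

Pass `fetch_range=fetch_range_live` to query the real service; a non-zero count means the password should be treated as already cracked.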

In summary, unless you are famous (to the public or to security services) or your password appears on a list of leaked passwords, you might not be in immediate danger. However, my personal stance is to assume the worst and start changing all my passwords (I’m balancing a few minutes of inconvenience now for peace of mind versus the potential for hours of stress if someone breaks into an important account).

Should I keep using LastPass? What About this other Cloud-based Password Manager?

Since the breach, people have been recommending a plethora of other cloud solutions. BitWarden seems to have a very good reputation and others include 1Password and Dashlane. Now, don’t get me wrong, all of these providers certainly have a better reputation than LastPass at this point in time (as far as I can tell from a quick bit of searching, none of them have suffered serious breaches). However, I take the somewhat pessimistic view that security breaches are pretty much inevitable at successful companies that grow beyond a certain point because:

  1. Employing more people to do more ‘stuff’ increases the odds of both human error and malignant intent.
  2. Big companies with more data make juicier targets for would-be hackers.
  3. As companies move from focussing on growth in new markets to focussing on profitability and reducing costs, leadership teams sometimes raise the axe to expensive processes and teams like cyber-security, reducing the quality of their protections against breaches.

These three issues have the potential to combine explosively, sometimes shattering the reputation of a once-loved company overnight.

I’m not making any specific allegations about the providers I’ve listed here. However, I would not be surprised if, in the next few months or years time, we see a current ‘darling’ of the password manager market appearing in the news under similar circumstances to LastPass.

If you subscribe to this “hacks are inevitable” viewpoint then there are a couple of ways to look at things. Either you continue to use cloud-based password managers and accept that you’re likely to need to change all of your passwords every few years after a breach, maybe jumping from incumbent provider to scrappy password startup because they haven’t been hacked yet and they’ve got a great reputation. Or, you might take the view that keeping your passwords in the cloud on someone else’s computer is not a good idea and that you should look for local solutions.

I’m not willing to stick my neck out and make a recommendation either way here: I’ll leave that as an exercise for the reader.

Some Local/Non-Cloud Solutions for Personal Protection

KeePass + SyncThing

Firstly, I’ve received a couple of recommendations to use KeePassXC, a local-only password manager that stores your vault on your computer using strong encryption. The KeePass vault is compatible with the KeepassDX app for Android and you can use SyncThing to provide real-time peer-to-peer sync between the devices (the implication of peer-to-peer being that the data is never stored in an intermediary cloud service - it is only ever transferred directly between devices you control).

Of course you could sync your vault using something like Dropbox or Google Drive if you are comfortable with trusting those services. Another concern would be backups - if you lost both your phone and laptop at the same time (e.g. in a house fire) you’ve lost your password vault. With SyncThing you could also send a copy of your vault to multiple devices - your partner’s phone, a network drive you have in your garage, etc. I personally use Restic to make encrypted backups to a cloud storage provider, adding another layer to the security onion in terms of encryption and obfuscation and, of course, hoping that my cloud storage provider won’t get hacked for a little while and that when they do, there are enough layers of protection to buy me time to reset the passwords I care about.

LessPass

I learned about LessPass from Doug Belshaw who ditched LastPass for it “before it was cool” to do so in 2017. This is a really clever solution for password management. LessPass doesn’t actually store any of your passwords. Instead, it uses your master password (like the one you use for a LastPass vault), combined with the URL of the website you want to log into and your username, to generate a password on-the-fly. In effect that means that you no longer have to worry about syncing your password vault as there is nothing to sync - just use the LessPass app to generate your password on your phone or your computer and, as long as you enter the same username, website address and master password, it will come out the same.
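To make the “nothing to sync” idea concrete, here is an added example (not LessPass’s own code, and a simplified illustration of the approach rather than its exact algorithm) of a deterministic generator: the public inputs (site, login, counter) form a PBKDF2 salt, the master password is the key, and the derived bytes are rendered into a password that contains at least one character from each class. The function and parameter names are assumptions chosen for this example.

```python
import hashlib

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
RULES = (LOWER, UPPER, DIGITS, SYMBOLS)


def derive_password(master: str, site: str, login: str, counter: int = 1,
                    length: int = 16, iterations: int = 100_000,
                    rules: tuple[str, ...] = RULES) -> str:
    """Deterministically derive a site password; same inputs always give the same output."""
    # Everything in the salt is non-secret: a server could store it without
    # learning the master password, which is the only secret in the scheme.
    salt = f"{site}{login}{counter:x}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)
    entropy = int.from_bytes(key, "big")  # 256-bit number consumed by repeated divmod

    alphabet = "".join(rules)
    chars = []
    for _ in range(length - len(rules)):
        entropy, idx = divmod(entropy, len(alphabet))
        chars.append(alphabet[idx])

    # Guarantee one character from each rule set, then insert each at an
    # entropy-chosen position so the required characters are not predictable.
    for rule in rules:
        entropy, idx = divmod(entropy, len(rule))
        entropy, pos = divmod(entropy, len(chars) + 1)
        chars.insert(pos, rule[idx])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed demo inputs; a new counter value "rotates" a site password
    # without changing the master password.
    for counter in (1, 2):
        print(counter, derive_password("correct horse battery", "example.com", "alice", counter))
```

Because every input except the master password is public, all of the security rests on the master password’s strength, which is the same trade-off discussed above for a LastPass vault.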

LessPass offer desktop browser extensions and a mobile app which can optionally store your master password behind your biometric login (e.g. fingerprint) to speed up logging in from your mobile device (quicker if your master password is long but slightly less secure, reader’s choice on whether to use it.)

If you are worried about remembering which usernames and websites you need to log in to (or which of LessPass’s settings you used to generate the password), LessPass also offer a free service which can remember which usernames and websites you have logged into. They don’t store your master password anywhere, which means that if a hacker got a copy of their database they wouldn’t even be able to verify that they’d got your password right without trying to use some of the values that the app generated to log in (and you’d expect those services to have rate limits and to eventually block accounts that try lots of incorrect passwords). If you want to take advantage of this service but are feeling particularly paranoid about hosting your usernames via their service, you can also self-host it.

Of course with LessPass there’s no need to worry about backups as long as you have access to their software, and you know the websites and usernames you care about and your master password.

To me, there’s something about LessPass that feels a little too much like magic - I’m kind of waiting for a cryptographer to come along and tell me why I shouldn’t use it and what the major flaw with it is. However, until that day, it seems like a really great approach and I’m definitely up for trying it out.

Open Source Funding

KeePassXC, SyncThing and LessPass are all open source projects which are free at the point of use but obviously cost money to develop. My ask of readers thinking of switching to one of these solutions would be to consider donating the money you would have spent on SaaS licenses for one of the cloud password managers to whichever solution you end up going for:

For solution 1, consider splitting your SaaS fee across these projects evenly

For solution 2, please donate to the LessPass team via the LessPass OpenCollective Page

Some Strategies for Business/Commercial Password Protection

If you are in an IT leadership role in a business you’re probably thinking “sending KeePass files over Slack doesn’t sound like a scalable solution” and you’d be right. The above solutions are suggestions for personal password hygiene. Likewise, LessPass probably isn’t an option in a commercial setting as you’d be reliant on either shared credentials or copying and pasting generated passwords - both of which completely defeat the point.

For internal applications you can use SAML/SSO solutions in combination with multi-factor authentication solutions (ideally physical hardware keys) so that each employee can authenticate against multiple services using only their primary email/intranet account.

I’d absolutely assume that you do also need some kind of password management solution because if you don’t supply one your employees will absolutely start sending each other passwords unencrypted over Slack. A hypothetical (and, let’s face it, pretty horrifying) conversation might look like this:

Account Manager: “Can you change something for me on the customer’s system?”

Business Consultant: “I’m busy with another client right now, but you can log in with your client’s email address and hunter2 and do it yourself…”

Firstly, make sure that you have explicit policies and processes for password sharing in your employee handbook and make sure that your team know about them. At my current company we run mandatory cyber-security training annually and as part of onboarding for new staff. Secondly, give your team tools that empower them to share credentials as securely as possible. If that’s via some kind of cloud-based password management platform then you can at least keep an eye on what is happening and, if and when that system is breached, you know which of your employees’ credentials may have been compromised (versus a shadow-IT scenario where you have no idea that employees are using a system that has recently been compromised).

Conclusion

In conclusion, password security, like many of the topics that I think about and write about, is complex and multifaceted. If you are a LastPass user, I’d strongly recommend changing your master vault password and all the passwords that you care about over the next few days if you can (and if you are a high profile activist or celebrity, do this yesterday). As for what to do next? Well, that’s up to you. If you believe that there won’t be another LastPass breach for a little while you might change your passwords and stick with them. You might trust another upstart cloud-based password manager company for a few months or years until they inevitably get breached. You could try one of the local-only approaches I’ve suggested, but I’d suggest that you never assume it’s 100% foolproof: be ready for the unlikely scenario in which a SyncThing vulnerability is announced or someone does indeed work out that LessPass’ magic isn’t secure.

We live in a modern, interconnected world where we interact with the cloud (someone else’s computer) every single day. So, when it comes to security and passwords, don’t put all of your eggs in one basket. A good security model is a lot like an ogre (or an onion) in that it has layers - in fact this layered approach is exactly what LastPass have done right and why I’m not sounding the big red klaxon shouting “CHANGE ALL YOUR PASSWORDS RIGHT NOW”. Do your homework and don’t give companies the benefit of the doubt when it comes to your personal and private information.

One last thing: Should I use a password manager? GOD YES! Don’t let this breach put you off password managers. They’re better than sticky notes on your monitor.