
LastPass has shat the bed

Started by mjwilson, December 24, 2022, 05:12:57 PM


mjwilson

If you're using LastPass as a password manager, they had a pretty serious breach and attackers have got hold of encrypted vaults. If they can crack your master password then they can get everything, so you should probably be:

1) changing your master password
2) changing all passwords which you have in LastPass
3) probably moving to a new password manager.

I'm looking around for a replacement, and 1Pass and BitWarden seem to be pretty popular. Or KeePass if you don't want to have passwords in the cloud any more.

Sebastian Cobb

I moved to Bitwarden when LastPass hobbled their free tier and restricted either mobile or desktop devices.

Export/import was easy. It does one job well.

Although it's bad that they've been got, the way it's designed (decrypted at the client side with master password) is the entire selling point, versus not doing that.

touchingcloth

BitWarden is pretty much identical to LastPass. I use the latter for work but that's a paid corporate account, and the free BitWarden does everything that paid LastPass does except for sharing vaults with other people.

I'm not too worried about the LastPass breach as I don't use my vault password for anything else...

olliebean

LastPass seem to have had a few of these security breaches, although this seems to be the worst to date. I switched to BitWarden a while back, and have deleted my LastPass account.

Jerzy Bondov

Yeah I switched over to Bitwarden a while ago but stupidly left my LastPass going - with the same master password as well! Deleted it now and changed the password just to be safe.

mjwilson

Quote from: touchingcloth on December 24, 2022, 07:17:47 PM
I'm not too worried about the LastPass breach as I don't use my vault password for anything else...

I think I am probably pretty safe for the next 100,000 years but, as others have said, LastPass have had so many issues now, and this last one seems to be getting more serious every time they make a new announcement, that they don't really deserve to have users any more.

touchingcloth

Quote from: mjwilson on December 29, 2022, 07:14:08 PM
I think I am probably pretty safe for the next 100,000 years but, as others have said, LastPass have had so many issues now, and this last one seems to be getting more serious every time they make a new announcement, that they don't really deserve to have users any more.

Yeah, I'm glad I don't save any personal passwords in there and just use it for work accounts, and I don't think I'd be tempted to use it personally after I leave my current company.

I wonder to what extent they are a target due to their number of users rather than due to specific vulnerabilities, though. Kind of like how Macs are no longer as impervious to viruses as they were once held to be due to everyone writing them for the much greater number of Windows machines. There's always a part of me that worries about having my banking details stored in BitWarden, and I always wonder whether it's worth shifting to Apple's password manager instead.

This is one of the many reasons I'd never go in for crypto, I think.

Sebastian Cobb

Surely the best option there is not laying your trust in a particular vendor or their marketing abilities and having appropriate multi-factor to mitigate.

mjwilson

Quote from: Sebastian Cobb on December 31, 2022, 01:17:34 PM
Surely the best option there is not laying your trust in a particular vendor or their marketing abilities and having appropriate multi-factor to mitigate.

Yeah I guess, but if one vendor has consistently been shit, and others haven't, as far as we know, that feels like it should make a difference.