Yesterday LastPass, the password manager I’ve had a relationship with for longer than I’ve been married, finally sent an update to the “security incident” from last fall. And I’m so disappointed, disheartened and discouraged that I’m switching providers and encouraging you to do the same.
LastPass Mucked This Up
Here’s what LastPass should have done after the breach:
- Own up to its mistakes.
- Quickly and clearly explain what happened.
- Clearly explain what we need to do.
- Clearly walk us through those steps.
Here’s what LastPass did after the breach:
- Got their lawyers to write their responses.
- Dragged out the communication over multiple months.
- Wrote long, confusing descriptions using jargon, convoluted paragraphs and evasive language.
- Made it hard to understand what to do to protect ourselves.
Why I Am Dumping LastPass
As I mention in the video below, I’m canceling LastPass and taking my team and family off it, too. I’m not really concerned about their ongoing security… I’m leaving because the way they handled the situation is not fair to their users. The communication is so dense and technical that most users will probably just shake their heads and ignore it. I don’t think my husband will sit down and try to decipher the jargon to figure out what to do, and I know he won’t follow their convoluted instructions on what to change.
We deserve better than this, LastPass.
What You Should Do If You Are Sticking with LastPass
- Change your master password
Make sure it’s long (12+ characters), complicated (lowercase/uppercase/numbers/etc.) and, most of all, 100% unique.
- Change all your passwords
We know that backups of your password vaults are in the hands of the bad guys. I don’t know what the risk level is for someone breaking into your vault because I can’t figure out exactly what they’re telling us. But I strongly recommend you change all your passwords (or at least financial/important ones).
- Change your iteration counts
Yeah, I didn’t know what that was either. And their help article didn’t help much. But it has something to do with… something. I don’t know. Here’s what they say to do.
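To make the three steps above concrete, here is a small added example (my own illustration, not code from LastPass or from this post). The "iteration count" is the number of PBKDF2-HMAC-SHA256 rounds LastPass runs over your master password before using the result as the vault key; every extra round makes each guess at your master password correspondingly slower for whoever holds a copy of your vault. The script checks a candidate master password against the 12+ character / mixed character class rule from step 1, then times a vault-key derivation at a few iteration counts so you can see what raising the count actually buys. The iteration counts and sample passwords in the block are constructed for illustration, not values taken from any real account.

```python
import hashlib
import os
import string
import time

# Added example, not LastPass code. The key-derivation function (PBKDF2-HMAC-SHA256)
# matches what LastPass uses; the salt, passwords and iteration counts below are
# constructed sample values.

MIN_LENGTH = 12


def check_master_password(password: str) -> list[str]:
    """Return the ways a candidate master password falls short of the post's rule
    (12+ characters, lowercase/uppercase/digits/symbols). Empty list = passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # "100% unique" cannot be checked by code: only you know whether this
    # password is also used somewhere else.
    return problems


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, 32-byte output."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_derivation(iterations: int, trials: int = 3) -> float:
    """Average wall-clock time of one key derivation at this iteration count.
    This is the same work a password-guessing program has to repeat per guess."""
    salt = os.urandom(16)  # constructed salt; real vaults use a per-user salt
    start = time.perf_counter()
    for _ in range(trials):
        derive_vault_key("constructed-sample-Password-1", salt, iterations)
    return (time.perf_counter() - start) / trials


def relative_guess_cost(old_iterations: int, new_iterations: int) -> float:
    """How many times more work each guess costs after raising the count.
    PBKDF2 cost grows linearly with the iteration count, so this is the ratio."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    for candidate in ["summer2022", "Correct-Horse-Battery-9"]:  # constructed samples
        verdict = check_master_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")

    # Illustrative counts: a low legacy setting versus a much higher one.
    low, high = 5_000, 600_000
    t_low, t_high = seconds_per_derivation(low), seconds_per_derivation(high)
    print(f"{low:>7} iterations: {t_low * 1000:8.1f} ms per derivation")
    print(f"{high:>7} iterations: {t_high * 1000:8.1f} ms per derivation")
    print(f"each guess costs {relative_guess_cost(low, high):.0f}x more work")
```

Two things the numbers make obvious. First, the per-guess time is the only thing the iteration count controls, so a longer, unique master password (step 1) still does far more than any iteration setting. Second, raising the count today only changes how future copies of your vault are protected; a backup that was taken while your account used the old, low count stays exactly as cheap to attack as it was, which is why step 2 (changing the passwords stored inside the vault) is the one that actually limits the damage from the stolen backups.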
What Should You Switch to If You Leave LastPass
Great question! I am in the process of vetting options for our team. LastPass was soooo easy, and I will miss it. But I don’t trust it anymore, so we’ll find other solutions.
In the meantime, both 1Password and Dashlane are offering credits for your remaining subscription on LastPass (or any other manager you’re switching from). They’re both quality tools, and neither has been hacked (yet).
Reminder: What Happened to LastPass Can Happen to Any Password Manager
No password manager is going to be 100% safe, and they’re all rich targets for bad guys. I still trust password managers over my own memory or other tools like a spreadsheet or my address book. The reason I’m leaving LastPass is because of the way they handled this mess. They lost my trust, and I’m out.