March 2

The Last Straw with LastPass

Yesterday LastPass, the password manager I’ve had a relationship with for longer than I’ve been married, finally sent an update to the “security incident” from last fall. And I’m so disappointed, disheartened and discouraged that I’m switching providers and encouraging you to do the same.

LastPass Mucked This Up

Here’s what LastPass should have done after the breach:

  1. Own up to its mistakes.
  2. Quickly and clearly explain what happened.
  3. Clearly explain what we need to do.
  4. Clearly walk us through those steps.

Here’s what LastPass did after the breach:

  1. Got their lawyers to write their responses.
  2. Dragged out the communication over multiple months.
  3. Wrote long, confusing descriptions using jargon, convoluted paragraphs and evasive language.
  4. Made it hard to understand what to do to protect ourselves.

Why I Am Dumping LastPass

As I mention in the video below, I’m canceling LastPass and taking my team and family off it, too. I’m not really concerned about their ongoing security… I’m leaving because the way they handled the situation is not fair to their users. The communication is so dense and technical that most users will probably just shake their heads and ignore it. I don’t think my husband will sit down and try to decipher the jargon to figure out what to do, and I know he won’t follow their convoluted instructions on what to change.

We deserve better than this, LastPass.

What You Should Do If You Are Sticking with LastPass

  1. Change your master password
     Make sure it’s long (12+ characters), complicated (lowercase/uppercase/numbers/etc.) and, most of all, 100% unique.
  2. Change all your passwords
     We know that backups of your password vaults are in the hands of the bad guys. I don’t know what the risk level is for someone breaking into your vault because I can’t figure out exactly what they’re telling us. But I strongly recommend you change all your passwords (or at least financial/important ones).
  3. Change your iteration counts
     Yeah, I didn’t know what that was either. And their help article didn’t help much. But it has something to do with… something. I don’t know. Here’s what they say to do.

What Should You Switch to If You Leave LastPass?

Great question! I am in the process of vetting options for our team. LastPass was soooo easy, and I will miss it. But I don’t trust it anymore, so we’ll find other solutions.

In the meantime, both 1Password and Dashlane are offering credits for your remaining subscription on LastPass (or any other manager you’re switching from). They’re both quality tools, and neither has been hacked (yet).

Reminder: What Happened to LastPass Can Happen to Any Password Manager

No password manager is going to be 100% safe, and they’re all rich targets for bad guys. I still trust password managers over my own memory or other tools like a spreadsheet or my address book. The reason I’m leaving LastPass is because of the way they handled this mess. They lost my trust, and I’m out.
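What an iteration count actually does, as an added example (not code from the post or from LastPass): a password manager derives the key that encrypts your vault from your master password with a password-based key derivation function, assumed here to be PBKDF2-HMAC-SHA256, and the iteration count sets how many rounds of work every single guess against a stolen vault copy must repeat. The counts, salt and master password below are constructed values for illustration.

```python
import hashlib
import time

# Illustrative work factors, constructed for this example (not values from the post).
LOW_ITERATIONS = 5_000
HIGH_ITERATIONS = 600_000

# Constructed sample inputs; a real salt is random and stored alongside the vault.
SAMPLE_SALT = b"example-salt-not-real"
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256 (the KDF assumed here).

    The iteration count is a work factor: each guess against a stolen vault
    backup has to repeat this many HMAC rounds before it can even be checked.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_guess(master_password: str, salt: bytes, iterations: int) -> float:
    """Wall-clock cost of one derivation on this machine, i.e. one offline guess."""
    start = time.perf_counter()
    derive_vault_key(master_password, salt, iterations)
    return time.perf_counter() - start


def cracking_slowdown(low_iterations: int, high_iterations: int) -> float:
    """PBKDF2 cost is linear in the count, so the slowdown is simply the ratio."""
    return high_iterations / low_iterations


if __name__ == "__main__":
    for count in (LOW_ITERATIONS, HIGH_ITERATIONS):
        key = derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, count)
        cost = seconds_per_guess(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, count)
        print(f"{count:>7} iterations: key={key.hex()[:16]}... {cost * 1000:.1f} ms per guess")
    factor = cracking_slowdown(LOW_ITERATIONS, HIGH_ITERATIONS)
    print(f"Raising the count makes every offline guess about {factor:.0f}x slower.")
    # Caveat: a backup stolen before the change was encrypted under the old
    # count, so raising it protects future copies only; the passwords inside
    # the stolen copy still have to be rotated, which is step 2 above.
```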


Thank you. I’m looking forward to your suggestions for another password manager. Totally agree about the code jargon. Don’t make me read about business subscribers when I have a family subscription.

We’ve been trying out 1Password at work. I have to say, so far I am not a fan. It asks me for my master password a LOT, as in more than once a day, which I find super irritating. I’m going to vet Dashlane on my own as I have a geeky friend who uses it and likes it.

1Password is a much superior tool… I’ve used it for years and it’s been engineered from the ground up to be hacker-proof. I sleep well entrusting my information there.

Doing the same – switching to 1Password I think. It’s only been a couple of days but I like what I see so far.

