Episode 141: How LastPass Made Itself Obsolete

Everyone needs a password manager these days and many people were using LastPass. Unfortunately, LastPass made some pretty horrible mistakes that mean that these people should look for an alternative now. Here’s why.


This is a companion discussion topic for the original entry at https://privatecitizen.press/episode/141/
1 Like

Thanks for calling me an insane geek! :slight_smile: (I use KeepassXC, and I sync its database between my devices using Syncthing.)

But seriously, thanks for the episode! I was aware of the whole kerfuffle, but I didn’t realize it was a backup of unknown age that was exfiltrated. I stopped using LastPass in 2019 and deleted the vault, so I thought I was not affected. You’ve just prompted me to give my passwords a good revision, especially the old ones.

Thanks for the episode.

I am/was a LastPass user as well, although it seems that I was not burnt as much as you did, my iterations count was 100100.

When I first heard of the issue, the scope of the breach was not known, and I didn’t feel the motivation to change it, as the expectation was that even in the case of a breach, adhering to good practices should keep a user safe.

I still believe that I would not be affected, as I have a randomly generated master password.

But on further reveals, I also started to lose trust: on one hand, regarding keeping URL data un-encrypted, and the un-justifiable mess with keeping low iteration numbers.

For me, I believe that when LastPass started, it provided state-of-the-art protection, and maybe was one of the pioneers to bring password managers to the masses. But obviously, the landscape has changed, and it seems that it didn’t keep up.

So now I’m also making the switch to Bitwarden, which for now seems to be keeping up with the times.

I haven’t been able to listen to this episode yet, but I might have some info to communicate.

I also use KeePass, but I host the database file on my Nextcloud instance. Since this Nextcloud instance is on a personal server, it is much less known than a major service provider such as Lastpass when it comes to a hacking target.

KeePass on my laptop and cellphone are both set up to connect to this Nextcloud database file, so it syncs well between devices.

Both my laptop and cellphone allow me to use my Yubikey in conjunction with a password to access KeePass, so my password database is protected by 2FA.

And finally, since current standards are 256 bit encryption, I use a 43+ character password for everything to maximize entropy, along with using lowercase, uppercase, numbers, and symbols. I use the password generator function in KeePass for pretty much all my passwords. Granted, I sometimes have to lower the password level for some instances that do not support that, but it seems most places are getting with the times now.

Yeah, I switched to pretty much the same setup from LastPass, except I hosted my KeePass file on Dropbox – since if the crypto is good and you use a solid password with enough entropy, where you host the file really doesn’t matter.

The only reason I switched to OnePassword (and now Bitwarden) is for added comfort.