How at-risk am I because of LastPass?

I’ve paid for LastPass since 2013. All of my passwords are randomly generated, including my master. LastPass says I’m okay (obviously), but Verge, Ars Technica, and other “privacy”-related commenters say otherwise.

So am I okay, or do I need to change ALL of my passwords? Just master? Should I leave LastPass? (I don’t really care for Bitwarden’s UI, but I assume I’d get used to it if I switched.)

(Edit: removed password character length)

You will have to change ALL passwords. LastPass has been storing them in a way that can be brute-forced with relatively low effort.
Yes, you should leave LastPass as soon as possible, they’re not trustworthy (and haven’t been for quite some time).

6 Likes

This post explains the password issue with LastPass more precisely: LastPass breach: The significance of these password iterations | Almost Secure

Unfortunately LastPass’s quality is not something that was particularly unknown.

3 Likes

I have flagged your post. It is very unwise to tell the internet what your password length is, as this decreases the options massively.

1 Like
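An added example, not written by anyone in this thread, to put numbers behind two points raised above: the linked post's "password iterations" (each PBKDF2 iteration multiplies the attacker's cost per guess of the master password) and the flagged post's point that disclosing the password length shrinks the search space. The attacker HMAC rate and the two iteration counts are assumed illustrative values, not LastPass's or any vendor's actual figures; the salt-by-email construction is a common vault design, assumed here rather than taken from the thread.

```python
import hashlib
import time
from typing import Optional

def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 salted with the account email, a common design for
    # browser-based vaults (assumed here). Once a vault is stolen the salt is
    # known, so only the master password's entropy and the iteration count
    # cost the attacker anything.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations, dklen=32)

def keyspace(charset_size: int, max_len: int, known_len: Optional[int] = None) -> int:
    # Candidate master passwords the attacker must consider. Disclosing the
    # exact length collapses the sum over lengths to a single term.
    if known_len is not None:
        return charset_size ** known_len
    return sum(charset_size ** n for n in range(1, max_len + 1))

def expected_crack_seconds(candidates: int, iterations: int,
                           hmac_per_second: float) -> float:
    # One full guess costs `iterations` HMAC evaluations; on average the right
    # password turns up after half the candidates have been tried.
    return (candidates / 2) * iterations / hmac_per_second

def seconds_per_unlock(iterations: int, samples: int = 3) -> float:
    # The legitimate user's cost of one vault unlock on this machine, for
    # comparison with the attacker's cost above.
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("correct horse battery staple", "user@example.com", iterations)
    return (time.perf_counter() - start) / samples

if __name__ == "__main__":
    ATTACKER_HMAC_RATE = 1e10  # assumption: a GPU rig doing ~10^10 SHA-256 HMACs/s
    for iterations in (5_000, 600_000):  # illustrative counts, not any vendor's figures
        print(f"\n{iterations:>7} iterations: one unlock ~{seconds_per_unlock(iterations):.3f}s")
        for length in (8, 12, 20):
            for known in (None, length):
                space = keyspace(95, length, known)
                years = expected_crack_seconds(space, iterations, ATTACKER_HMAC_RATE) / 3.154e7
                tag = "length known" if known else "length unknown"
                print(f"  {length:>2}-char random printable, {tag:<14}: ~{years:.2e} years")
```

The output shows the iteration count scaling the attacker's years linearly, while the master password's length scales them exponentially, which is why a long randomly generated master matters far more than any single iteration setting.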

What do you base this off?
From my understanding it wasn't that likely if the master password was decent.

I think generally this is good advice when switching to a different password manager now, but I don't think the user is directly at risk because of the leak.

Also, LastPass is not the best password manager. I would suggest picking one of the currently recommended solutions and keeping your 2FA separate from it. In that way you keep a very decent level of security.

Also, the number of characters that you disclosed is relatively low. I would suggest using as long as possible; for things you have to remember, always use randomly generated passphrases.

1 Like

I’m aware this is the blog of a competitor but it still shows some of the bad practices.

1 Like

Another password manager was cracked (Critical Security Flaw Reported in Passwordstate Enterprise Password Manager). Would that mean that password managers might become at risk and you should consider fleeing from them?

No, it just means you should use ones that are developed by people who know what they're doing, and are properly audited.

1 Like

Interesting perspective on the discussion. I agree it’s more important to see what they will do with the situation.

It does not change that LastPass is not recommended, as they are definitely not privacy friendly and others offer a better solution.

1 Like

I appreciate this person’s perspective. That said, it took me about an hour to switch from LastPass (eight-year member) to Bitwarden across all my devices. The “hardest” part has been teaching myself my new master. Nothing else has changed, save for the colors of the logo.

1 Like

Here’s another one

https://www.securityweek.com/lastpass-says-devops-engineer-home-computer-hacked/

1 Like