Rival Password Manager 1Password And A Security Researcher Call Out LastPass…. As They Should

LastPass's habit of getting pwned and having customer data end up in the wild is a big deal, because the data in question is the passwords to its customers' online lives. But LastPass has played this down by saying this:

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time. 

Well, this didn't go over well with Wladimir Palant, who picked apart what LastPass said and wrote this:

Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.

I encourage you to read the full post, as Palant rips into LastPass in a systematic way that makes it crystal clear why he feels the way he does. But he's not the only one. 1Password has piled on with their own statement. And it's damning:

That “millions of years” claim appears to rely on the assumption that the LastPass user’s 12-character password was generated through a completely random process. Passwords created by humans come nowhere near meeting that requirement. As I have been saying for more than a decade, humans just can’t create high-entropy passwords. Seemingly clever schemes to create passwords with a mix of letters, digits, and symbols do more harm than good.

Unless your password was created by a good password generator, it is crackable.

Translation: according to 1Password, LastPass users may be in deep trouble.
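To put numbers on the point 1Password is making, here is an added illustration in Python; it is not code from the original post, nor from LastPass, 1Password or Palant. It compares the search space of a 12-character password drawn from a cryptographically secure generator with that of a typical human scheme (dictionary word, optional capital, a few digits, one symbol), and converts each into an expected cracking time. The attacker's guess rate, the dictionary size and the symbol count are assumptions chosen for illustration: the real rate depends on the attacker's hardware and on the vault's key-derivation settings, so treat the absolute years as placeholders and the ratio between the two cases as the lesson.

```python
import math
import secrets
import string

# Hypothetical attacker throughput, used only to illustrate the two estimates.
# The real rate depends on the attacker's hardware and on the vault's key-derivation
# settings; this number is an assumption, not a figure from the statements above.
ASSUMED_GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Letters, digits and punctuation: the 94-symbol alphabet a generator typically draws from.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 12, alphabet: str = FULL_ALPHABET) -> str:
    """Build a password from a CSPRNG, so every character is an independent uniform pick."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits_random(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def entropy_bits_human(word_choices: int, digit_count: int,
                       symbol_choices: int, capitalised: bool = True) -> float:
    """Entropy of a typical human scheme such as 'Summer2022!': a dictionary word,
    an optional leading capital, a run of digits and one symbol. An attacker who
    knows the pattern only has to enumerate each slot, so the bits add up per slot.
    """
    bits = math.log2(word_choices) + digit_count * math.log2(10) + math.log2(symbol_choices)
    if capitalised:
        bits += 1.0  # capitalised or not: one extra bit at most
    return bits


def expected_years_to_crack(bits: float,
                            guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    expected_guesses = 2.0 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    generated = random_password()
    gen_bits = entropy_bits_random(len(generated), len(FULL_ALPHABET))
    # Constructed human example: ~50,000-word vocabulary, 4 digits, 1 of 32 symbols (assumed).
    human_bits = entropy_bits_human(word_choices=50_000, digit_count=4, symbol_choices=32)
    for label, bits in (("generated, 12 chars", gen_bits), ("human word+digits+symbol", human_bits)):
        print(f"{label:26s} {bits:6.1f} bits  ~{expected_years_to_crack(bits):.3g} years")
```

The generated password lands near 79 bits, which at the assumed rate is billions of years; the human pattern lands near 35 bits, which at the same rate is a matter of hours. Only the first case supports a "millions of years" claim, and note that a lower key-derivation iteration count on an older vault raises the guess rate and shrinks both figures.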

The fact is LastPass really dropped themselves in it. As a result, I am now of the belief that LastPass users should do the following, in this order:

  • Turn on two-factor authentication for as many of your accounts as possible, particularly high-value accounts like your email, financial services, and heavily used social media accounts.
  • Change every password stored in LastPass to something totally different for each online service, starting with high-value accounts like your email, financial services, and heavily used social media accounts.
  • Stop using LastPass and delete all LastPass data (once your credentials are safely in your new password manager, so nothing is lost).
  • Switch to a password manager that is either local and encrypted, or in the cloud under your control and encrypted. I use eWallet, which supports both use cases, but 1Password and Bitwarden are other options.

LastPass users are in immediate danger, as 1Password and Wladimir Palant have highlighted, and they need to act now to protect themselves, because clearly LastPass can't keep them safe.
