LastPass is secure, comes with more additional features than most competitors, and is pretty cheap. For example, top password managers like 1Password and Dashlane are excellent alternatives to LastPass and have never suffered a data breach or other serious security incident. While we still recommend LastPass as one of the best password managers in 2023, there are many other options for customers looking to switch providers given these revelations. If you’re currently using LastPass, you should make sure you’re using a strong and unique master password that you haven’t shared with anyone. Though a threat actor did gain access to encrypted information, this does not mean they were able to decrypt the vast majority of it. Since all user data is secured by LastPass’s 256-bit AES encryption, the only way a hacker can access it is through a customer’s master password. As of September 2023, independent researchers have linked the theft of tens of millions of dollars worth of cryptocurrency to LastPass data breaches. If you’re looking to pick up a password manager, you should check out PCWorld’s roundup of the best ones available today. Update September 2023: LastPass customers’ password vault information, including website usernames, passwords, secure notes, and form-filled data, was exposed during a major data breach in 2022. I mean, I was going to have to do that anyway as a final precaution given the LastPass security breaches, right? Hours into the tedious process of salvaging my import, I seriously considered abandoning the process in favor of password resets for every service, and letting the new password manager capture them. Either way, you can’t trust you’re actually getting all your passwords out intact.
Meanwhile, when I tried exporting on a test account, the data fields for each entry came out perfect (even if some were still missing in the web export). As best as I can tell, either the age of the account influences how the data is stored and parsed on the servers, or the use of certain special characters in non-password text fields triggers some kind of bug in the export script. Turns out the web interface does not export all entries (Firefox) or straight up returns a blank CSV file (Chrome), but both Firefox’s web interface export and the Chrome browser extension had the same issues with data integrity. Trying different browsers and methods of export (i.e., initiated through the web interface vs the browser extension) didn’t clear up the confusion. LastPass only exports to CSV for this purpose, and the defining characteristic of the comma-separated values format is that (as you’d expect from the name) commas are used to indicate separate data fields. They’re basic file formats that can be easily read across different programs (in theory, anyway). Generally, when you switch password managers, you’ll export your vault data to a CSV or XML file. And lucky me, I got caught up in whatever development hole that allows for sloppy password exports. LastPass tries for this, but it doesn’t do it consistently. You’d think that perhaps, if you were leaving a service, the business would be incentivized to make the process as easy as possible, thereby increasing the chances you might return someday. Roll up your sleeves, because we’re getting into the dirty details with this one. This section was filled with far saltier language until I remembered you all (and my editor) would be reading it. Strangely, exporting through the web interface requires going through a verification process, but the browser extension will cough up the CSV immediately.
But that brings us to the second way LastPass skewered my trust in them, which is…

Bad communication

Hearing after a breach that vault data was unencrypted was a bit blindsiding. And perhaps there’s good reason from an engineering perspective for why some details (like URLs, how often you use an entry, when you last updated an entry, etc.) would not be encrypted. Customers of online password managers generally trust that their service is safeguarded enough that their data, even if encrypted, can’t be accessed by unauthorized parties. Not only that, but elements in those vaults (including URLs) had not been encrypted. As mentioned above, LastPass was no stranger to security incidents before this breach, but none were as shocking as this one. Nearly a month after that, the company revealed that customer information and password vaults had been stolen. Then three months later came an update that customer data was affected. First came the initial announcement in August, which claimed that no customer data was affected, just a developer environment. LastPass’s disclosures about its 2022 security breaches were like watching a train wreck in slow motion.