LastPass master passwords may have been compromised

“LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted ‘credential stuffing’ activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services,” LastPass spokesperson Meghan Larson told us. “It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”

Wow… 2 things come to mind:

  1. multiple attempts, which would mean it is a directed and concerted effort to hack LastPass accounts
  2. master passwords; I would imagine master passwords are unique and not like anything used elsewhere, as reuse would defeat the purpose of having LastPass or any password manager at all.

That said, it is hard to believe credential stuffing would succeed against master passwords, as LastPass would have us believe.

Another reason to always switch on 2FA and preferably also have a YubiKey or something attached to your password manager.

This is why I stuck with 1Password: they support 2FA and YubiKey, and they also have a Secret Key, which renders the master password alone useless.

3 Likes
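The LastPass statement above hinges on telling credential stuffing (leaked email:password pairs tried roughly once each across many accounts) apart from a targeted attack on particular accounts. The following is an added example, not code from the thread or from LastPass: it runs that distinction over a handful of constructed login-failure log lines, in a log format made up for the example, and also reports any *successful* login from a stuffing source, which is exactly what "no indication that accounts were successfully accessed" would have to be checked against.

```python
"""Added example (not from the forum thread or any LastPass tooling):
separate credential stuffing from per-account brute force in login logs.

Credential stuffing: one source tries a leaked email:password pair about
once per account across many accounts.  Brute force: many guesses against
one account.  The log format and addresses below are constructed."""
from collections import defaultdict
import re

# Constructed sample log, one event per line: "timestamp src_ip email result"
SAMPLE_LOG = """\
2021-12-27T10:00:01Z 203.0.113.5 alice@example.com FAIL
2021-12-27T10:00:02Z 203.0.113.5 bob@example.com FAIL
2021-12-27T10:00:03Z 203.0.113.5 carol@example.com FAIL
2021-12-27T10:00:04Z 203.0.113.5 dave@example.com OK
2021-12-27T10:00:05Z 203.0.113.5 erin@example.com FAIL
2021-12-27T10:00:06Z 203.0.113.5 frank@example.com FAIL
2021-12-27T10:01:00Z 198.51.100.7 victim@example.com FAIL
2021-12-27T10:01:01Z 198.51.100.7 victim@example.com FAIL
2021-12-27T10:01:02Z 198.51.100.7 victim@example.com FAIL
2021-12-27T10:01:03Z 198.51.100.7 victim@example.com FAIL
2021-12-27T10:01:04Z 198.51.100.7 victim@example.com FAIL
2021-12-27T10:01:05Z 198.51.100.7 victim@example.com FAIL
2021-12-27T10:02:00Z 192.0.2.9 alice@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+@\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "ip": m.group(2),
                           "email": m.group(3), "ok": m.group(4) == "OK"})
    return events


def classify(events, min_accounts=5, min_attempts=5):
    """Return stuffing sources (IPs hitting many accounts, ~1 try each, with
    any successful logins listed) and accounts under per-account brute force."""
    per_ip_accounts = defaultdict(set)
    per_ip_attempts = defaultdict(int)
    per_ip_successes = defaultdict(set)
    per_account_attempts = defaultdict(int)
    for e in events:
        per_ip_accounts[e["ip"]].add(e["email"])
        per_ip_attempts[e["ip"]] += 1
        per_account_attempts[e["email"]] += 1
        if e["ok"]:
            per_ip_successes[e["ip"]].add(e["email"])

    stuffing = {}
    for ip, accounts in per_ip_accounts.items():
        n = len(accounts)
        # Many distinct accounts, but no more than ~2 tries per account:
        # the attacker is replaying leaked pairs, not guessing.
        if n >= min_accounts and per_ip_attempts[ip] <= 2 * n:
            stuffing[ip] = {"accounts": n, "hits": sorted(per_ip_successes[ip])}

    brute = {acct: n for acct, n in per_account_attempts.items() if n >= min_attempts}
    return {"stuffing_sources": stuffing, "brute_forced_accounts": brute}


if __name__ == "__main__":
    print(classify(parse_log(SAMPLE_LOG)))
```

On the constructed data, 203.0.113.5 is flagged as a stuffing source with one hit (dave@example.com, whose password was evidently reused), 198.51.100.7 is a plain brute force against victim@example.com, and alice's successful login from a third address is left alone. The "hits" list is the actionable output: those are the accounts to force a reset on, and if it is empty the "no accounts accessed" claim holds for the window examined.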

As above:

It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed

Yup saw that and hope it’s right.

Fingers crossed no one gets caught out using a multi-use master password. If so, why have a password manager?

1 Like

But at least it’s not an electron app :roll_eyes:

8 Likes

I don’t know why people would reuse a master password. Well, I hope it’s “credential stuffing” and not something with LastPass.

1 Like

To me that’s irrelevant, because it’s not even a question of whether it’s possible - it’s known that it is. It’s just a question of whether it happened in this case.

If it can happen, it almost certainly will - it’s just a matter of when.

I bet master password reuse is high. People cannot help themselves. One reason I like the additional secret key method is it assumes people will be lazy with their password and gives them a second one that they can’t set themselves.

1 Like

I understand the value of a YubiKey, but I’ve had 2FA devices fail and am hesitant to rely on them again. Also, it would complicate end-of-life planning.

The secret key did not come into use until 1Password.com went subscription and started storing your passwords on their server. Then they killed local vaults. So now everyone needs two passwords to access their stuff. They should change their name to 2Password.com

5 Likes

I always register 2 hardware keys and only if there are also account recovery codes available. Instructions for EOL and access to keys have all been accounted for.

1 Like

Sounds like you got things covered.

This is a timely article.

1 Like

Spurred on by the end-of-year subscription review, I’ve made the move from 1Password to Strongbox. The Christmas offer of 49.99 (GBP) one-time purchase for Mac and iOS was a great deal.

1Password was great, but KeePass via Strongbox is just as good for my needs. Browser auto-fill works great, and the app itself is good, plus the extra options like the use of a key file are nice.

2 Likes

I’m trialing Bitwarden now.
1Password has been reliable, but I like that Bitwarden is open source, has been externally audited, and is free/cheap. It also is more polished and usable than others I’ve tried.
1Password’s $5/mo for family passwords is a bit much.

Isn’t Bitwarden $40 a year for family? So not that big a difference.

There’s only two in this family, so $10/yr.

We use Bitwarden at work and I’ve got no complaints. I personally prefer 1Password, having used both for several years now. Overall I feel 1Password is just more polished, and the addition of a Secret Key, which is not two-factor authentication, was also a big factor for me. 1Password has a blog article on what the Secret Key is: Secret Key - What Is It And How Does It Protect Users? | 1Password

For those concerned about emergencies or end-of-life situations, they also have that covered: Implement a recovery plan for your family | 1Password. I’ve worked this into my family’s emergency binder/plan so they know how to get to them and access everything when the time comes.

1 Like
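Several posts above (the "renders the master password alone useless" point, the "second one that they can't set themselves" point, and the note that the Secret Key is not two-factor authentication) come down to one idea: the vault key is derived from *both* the user-chosen password and a high-entropy secret the user never chose, so a password harvested from another site's breach is not enough to unlock anything. The following is an added, deliberately simplified illustration of that construction; it is not 1Password's code or its published key-derivation spec, and the round count, the `hkdf_sha256` helper, the `demo` function and the "vault verifier" are all constructed for the example.

```python
"""Added example, not 1Password's own code or spec: a simplified
two-secret vault key derivation in the spirit of the Secret Key discussed
above.  The vault key depends on the master password AND a random secret
key held on the user's devices, so a reused password on its own (the
credential-stuffing case) derives the wrong key.  Names and parameters
here are constructed for the example."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # illustrative; real products tune this higher


def hkdf_sha256(salt, ikm, info, length=32):
    """Minimal HKDF (RFC 5869) for length <= 32: extract, then one expand block."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def new_secret_key():
    """128 random bits the user did not choose and therefore cannot reuse elsewhere."""
    return secrets.token_bytes(16)


def derive_vault_key(master_password, secret_key, salt):
    """Stretch the password, derive a key from the secret key, and XOR them.
    The XOR means the result is uniformly random to anyone missing either input:
    the password alone (from a breach) or the secret key alone (from a device)
    gives no information about the vault key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS, 32)
    sk_key = hkdf_sha256(salt, secret_key, b"example-secret-key")
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def make_verifier(vault_key):
    """Constructed stand-in for 'can this key open the vault': an HMAC tag."""
    return hmac.new(vault_key, b"vault-unlock-check", hashlib.sha256).digest()


def unlock(master_password, secret_key, salt, verifier):
    """True only if password and secret key together reproduce the vault key."""
    candidate = make_verifier(derive_vault_key(master_password, secret_key, salt))
    return hmac.compare_digest(candidate, verifier)


def demo():
    """Owner unlocks; an attacker holding only the (reused) password does not."""
    salt = os.urandom(16)
    secret_key = new_secret_key()
    password = "correct horse battery staple"  # imagine this leaked from another site
    verifier = make_verifier(derive_vault_key(password, secret_key, salt))
    return {
        "owner": unlock(password, secret_key, salt, verifier),
        "stuffing_password_only": unlock(password, b"\x00" * 16, salt, verifier),
        "stuffing_guessed_key": unlock(password, new_secret_key(), salt, verifier),
        "wrong_password": unlock("hunter2", secret_key, salt, verifier),
    }


if __name__ == "__main__":
    print(demo())
```

This also shows why the Secret Key is a different thing from 2FA: a second factor only gates the login to the service, whereas the secret key is baked into the encryption key, so it still protects the vault if the stored ciphertext is taken from the server and attacked offline. The flip side, raised earlier in the thread, is that losing the secret key is as fatal as losing the password, which is why recovery planning matters.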