I'm Switching From LastPass to Bitwarden - And You Should, Too
TLDR
- Steve Gibson and the folks responsible for TWiT's Security Now podcast recently released an excellent episode detailing the LastPass hack. Check it out!
- LastPass released a series of statements between August 25, 2022, and December 22, 2022, outlining a persistent attack that started with a breach of their development environment and ended with an unauthorized party obtaining a copy of encrypted customer vault data.
- LastPass made two significant mistakes in handling its users' data: it raised master-password requirements and PBKDF2 iteration counts for new accounts but never retroactively enforced them for existing ones, ultimately penalizing its most loyal customers as the computing landscape changed.
- I'm switching to Bitwarden because it's affordable, open-source, and easy to use.
In this post, I'll be taking a deep dive into the LastPass hack and why I'm switching from LastPass to Bitwarden, an alternative password manager. I'm not an online security expert, but my job requires me to stay up-to-date on the latest cybersecurity news and trends, so I take protecting myself and my clients seriously. Since breaches happen regularly these days, we all need to know how to stay safe online and protect our data from malicious actors.
I'm breaking down what was discussed on the Twit Security Now podcast from January 3—"Leaving LastPass - How LastPass Failed, Steve's Next Password Manager, How to Protect Yourself," to help provide helpful information to those interested in online security but who may not have the ability or interest to follow complicated discussions about it. Not only will I detail the breach specifics and discuss Bitwarden as a worthy replacement—I'll also provide helpful tips on how you can bolster your cybersecurity practices.
So sit back and get ready for some helpful insight! Watch the full podcast linked below for an in-depth discussion of online security. Read on for a summary of essential elements concerning the breach, along with advice for staying secure online.
LastPass Breach Overview
Here's a timeline of events:
August 25, 2022 - LastPass releases a statement that they'd "detected some unusual activity within portions of the LastPass development environment two weeks prior." They admit that an unauthorized party gained access through a single compromised developer account and took portions of source code and proprietary LastPass technical information.
September 15, 2022 - LastPass releases a more in-depth statement on the breach and the forensic investigation they performed with Mandiant. They share that the attacker was active for four days inside the development environment, which is segregated from production and from customer vault data. They assure customers that they have found no evidence the attacker accessed customer data or encrypted password vaults.
Quick Tip: In the development space, a development environment is used to build and test a website or app. It is separate from the production environment, the actual product people can visit online.
November 30, 2022 - LastPass updates its statement, divulging that information obtained in the August breach was used to gain access to "certain elements" of customer data held at a third-party cloud storage service. They admit they do not yet understand the full scope of what was taken and lay out plans to continue the investigation until they do.
December 22, 2022 - LastPass informs customers that the threat actor was not only able to obtain unencrypted customer account information (email addresses, billing addresses, phone numbers) and unencrypted vault fields such as website URLs, but was also able to "copy a backup of customer vault data from [an] encrypted storage container."
Whew! The last one is the real doozy!
I Gave Some Bad Advice
I admit it. I goofed. So, excuse me while I pull my foot out of my mouth. In a previous post, "Useful Software Subscriptions for the Techy in Your Life," I placed password managers on the list of software subscriptions worth spending your hard-earned dollars on. I still think that's true. But at the time, I recommended LastPass. Womp.
Once the most recent details on the breach were released, I quickly updated my post, removing LastPass as a password manager recommendation. I provided some advice on how current LastPass users should respond. I should've stopped at the recommendation removal because the rest of my advice was wrong. Yes, I'm leaving the update intact - I believe in transparency. And hopefully, I'll continue to earn your trust in doing so.
In my previous post, I told you to change your master password to harden the protection of your password vault - especially if you didn't have a strong master password. But, do you know what's missing from this advice? That only protects you in case of future breaches. Yikes! While changing your master password is still a good idea, it does nothing for the vault copy already in the attacker's possession: that copy was encrypted with a key derived from whatever master password you had at the time, and the attacker can try to crack it offline, at their own pace, with no rate limiting or lockouts. So any password that was stored in your vault when the backup was taken should be treated as exposed if your master password at that time was weak. This is why it's essential to use your password manager correctly. Check out this insightful post, "5 Ways You Are Using Your Password Manager Wrong" from our friends at PasswordManager, to ensure you're getting the most out of your password management tool.
Quick Tip: Use a passphrase for your master password. A passphrase is a password built from several randomly chosen words (for example, four to six words drawn with dice or a generator) instead of a short jumble of characters. It is much longer than a typical password, which makes it far more expensive to guess or brute-force, and it is much easier to remember and type. Pair it with two-factor authentication on the password manager account itself for an extra layer of protection at login - but remember that two-factor authentication protects the login, not a vault copy an attacker already holds.
So what else can you do?
If you plan on sticking with the LastPass password manager, change the password associated with every account currently in your vault that's important to you. Keep reading to learn how I'm doing this on my account.
Second, you should increase the PBKDF2 iteration count applied to your master password. To do this, navigate to Account Settings > General > Advanced Account Settings. Under the security heading, you should see an option for Password Iterations. Ensure this is set to at least 100,100 (LastPass's default for newer accounts); higher is better, and current guidance for PBKDF2-HMAC-SHA256 is several times that. LastPass will re-encrypt your vault and log you out of other sessions when you change it. I'll explain why this is important in the next section - but, as with the master password change, this only hardens vault copies taken from now on, not the one already stolen.
How Did LastPass Fail to Protect Users’ Data?
As cyber criminals found increasingly advanced methods to breach security, LastPass saw the need for improved protection. In 2018 they implemented updated master password criteria, including raising the minimum length to 12 characters and requiring numbers together with both uppercase and lowercase letters - measures that have since become industry standards.
However, they didn't enforce these new master password requirements for existing customers. Any loyal LastPass customer with an account from 2018 or earlier may now be at the mercy of an attacker with GPU cracking rigs that try many more guesses per second than the hardware of a few years ago - and because the stolen vault is an offline copy, nothing slows those guesses down.
Like most other password managers, LastPass never knows your master password. The master password is not stored or encrypted anywhere; instead it is run through a key derivation function to produce the encryption key for your vault.
What's a key derivation function? LastPass uses PBKDF2 (Password-Based Key Derivation Function 2) with HMAC-SHA256: a one-way cryptographic hash is applied to your master password over and over, thousands of times, and the final output becomes the key that encrypts your vault. The output is deterministic, not random, but it cannot be reversed to recover the password. The repeated rounds are deliberate: each guess an attacker makes costs the same number of rounds, so a high iteration count multiplies the time needed to brute-force a master password. A salt mixed into the derivation - LastPass uses your account email - ensures that two users with the same master password still get different keys, so precomputed tables are useless.
When LastPass increased the master password complexity requirements in 2018, they also recognised that the default of 5,000 PBKDF2 iterations was no longer enough and raised it to 100,100.
But they again failed to apply this change to existing customers. That means there are encrypted password vaults in the hands of bad actors being "protected" by a weak master password and 5,000 PBKDF2 iterations - older accounts have been reported with even lower counts - which is why you may have had to update your account settings above. This is akin to mobile companies providing the best deals only to their new customers, leaving existing, loyal customers twisting in the wind.
LastPass has become an unfortunate example of how not to safeguard customer data, and a case study for other businesses in the space. To demonstrate committed security and trustworthiness, any such business should apply enhanced protection methods retroactively across its whole customer base - prompting users to upgrade weak master passwords and migrating everyone to the current iteration count - so that every account is held to the same standard with little additional effort on the customer's part.
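To make the iteration-count point concrete, here is a small model of what an attacker holding a stolen vault copy actually does, written for this post rather than taken from LastPass's or Bitwarden's code. It uses the scheme LastPass documents (PBKDF2-HMAC-SHA256 with the account email as salt); the email, the candidate word list, and the HMAC-based "did the key work?" check are constructed for the demo, standing in for the real step of AES-decrypting a vault item and seeing whether plausible data comes out. It also carries the passphrase tip through: the expected cracking time is the keyspace times the per-guess cost, and the iteration count is the only part of that cost the vendor controls.

```python
import hashlib
import hmac
import math
import time

# Demo of master-password key derivation and offline cracking (added example,
# not LastPass or Bitwarden code). Scheme: PBKDF2-HMAC-SHA256, salt = email,
# 256-bit key. Email, word list and key-check are constructed for the demo.

EMAIL = "alice@example.com"      # constructed; the salt in LastPass's scheme


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 256-bit vault key. Same password + different email = different key."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def key_check_value(vault_key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault?' (assumption for the demo).
    A real attacker would AES-decrypt an item and look for a sensible URL/name."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def offline_crack(check_value: bytes, email: str, iterations: int, candidates):
    """What an attacker with a stolen vault copy does: no server, no rate limit,
    no lockout - derive a key per guess until the check value matches.
    Returns (password, guesses_used) or (None, guesses_used)."""
    for n, guess in enumerate(candidates, start=1):
        key = derive_vault_key(guess, email, iterations)
        if hmac.compare_digest(key_check_value(key), check_value):
            return guess, n
    return None, len(candidates)


def seconds_per_guess(email: str, iterations: int, samples: int = 10) -> float:
    """Measure the cost of one guess on this machine at a given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"probe-{i}", email, iterations)
    return (time.perf_counter() - start) / samples


def expected_crack_seconds(entropy_bits: float, secs_per_guess: float) -> float:
    """Expected time to find the password: half the keyspace at the per-guess cost."""
    return (2 ** entropy_bits) / 2 * secs_per_guess


if __name__ == "__main__":
    # Constructed word list; the weak master password sits a few entries in.
    wordlist = ["password", "letmein", "Summer2017!", "welcome1", "qwerty123"]
    weak = "Summer2017!"
    for iters in (5_000, 100_100):
        target = key_check_value(derive_vault_key(weak, EMAIL, iters))
        found, guesses = offline_crack(target, EMAIL, iters, wordlist)
        cost = seconds_per_guess(EMAIL, iters)
        print(f"{iters:>7} iterations: cracked={found!r} after {guesses} guesses, "
              f"{cost * 1000:.1f} ms per guess on this CPU")
    # Keyspace comparison: 8 printable chars (~95^8) vs a 6-word diceware phrase (7776^6).
    bits_8char = 8 * math.log2(95)
    bits_6word = 6 * math.log2(7776)
    cost = seconds_per_guess(EMAIL, 100_100)
    print(f"8-char password: {bits_8char:.1f} bits, ~{expected_crack_seconds(bits_8char, cost) / 86400 / 365:.0f} years at this rate")
    print(f"6-word passphrase: {bits_6word:.1f} bits, ~{expected_crack_seconds(bits_6word, cost) / 86400 / 365:.0f} years at this rate")
```

Two things stand out when you run it. The per-guess cost at 100,100 iterations is about 20 times the cost at 5,000, and that multiplier is exactly what the attacker pays for every guess against the stolen backup. The per-guess figure on a laptop CPU also overstates the attacker's cost by orders of magnitude, since GPU rigs run PBKDF2 far faster; the only defence that scales with the attacker's hardware is the size of the keyspace, which is the passphrase's job.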
Why I'm Choosing Bitwarden
First off, Bitwarden is an open-source password manager. Open-source software makes the codebase of its product freely available to the public. Don't mistake that openness for a weakness: publishing the code does not publish your data. Your vault is still encrypted on your own device with a key derived from your master password, and the server only ever sees ciphertext.
But why might this be an important factor in choosing one password manager over another? Open-source software provides transparency and accountability, which helps ensure that users get the most secure product. Anyone can verify that the client really does encrypt everything before it leaves the device, rather than taking the vendor's word for it. Additionally, open-source development allows users to report bugs, contribute fixes and improve existing features if they wish, which isn't typically possible with closed-source programs.
With the entire codebase available, outside security researchers can look for vulnerabilities directly instead of guessing from the outside, and Bitwarden also commissions and publishes regular third-party security audits. This ability, combined with its level of customization, has led many reputable sources in the field of cyber security to give Bitwarden high marks for its strong security profile.
Second, it has an incredible free tier option. You can store unlimited passwords and sync them across unlimited devices. Very few password managers offer that without a paid plan; frankly, it's remarkable that Bitwarden does. I hope their forever-free promise stands.
However, if you're like me and have proselytized the importance of password managers to friends and family - and now they're all signed up - you can opt for the family plan. At a measly $40 A YEAR, you can have up to 6 users on your account.
Third, it offers nearly all of the usability conveniences that convinced my friends and family to use LastPass. It has an intuitive desktop application, great mobile applications for all the major OSs, and extensions available for most major browsers. It also provides access to some great integrations for those of us who like to tinker.
Two Ways to Transition From LastPass to Bitwarden
You can do this the easy way or the hard way.
The simplest way to transition from LastPass to Bitwarden is to export your vault as a CSV from LastPass and import it into your new Bitwarden account (Bitwarden's importer understands the LastPass CSV layout directly). Because this CSV file will be a list of all your passwords, unencrypted, for the love of pizza - do not save it in the cloud! Save it locally on your machine, import it, confirm in Bitwarden that the item count matches what you had in LastPass, and then delete the file right away - including from your Downloads folder, the Trash or Recycle Bin, and any cloud-synced folder your browser might download into by default. Bitwarden has an excellent tutorial on transitioning from LastPass - check it out!
The second way to do this - and how I've chosen to do it myself - is to update your most sensitive account passwords using Bitwarden immediately. That includes passwords for healthcare services and banking institutions. Then, slowly transition your LastPass passwords as you log in to accounts you regularly use. I would only recommend this method if you have hundreds of passwords stored in LastPass, would like to audit and cull down your account, and had a solid master password at the time of the hack.
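Whichever route you take, the CSV export is also the easiest place to audit and cull your vault before (or instead of) importing it. The script below is an added example written for this post, not a Bitwarden or LastPass tool. It assumes the column layout of a LastPass CSV export (url, username, password, totp, extra, name, grouping, fav - check the header line of your own file), runs entirely offline on a constructed sample vault, flags reused passwords, plain-HTTP sites and short passwords, lists the sensitive groups to rotate first, and then overwrites and deletes the export file.

```python
import csv
import io
import os
from collections import defaultdict

# Offline audit of a LastPass CSV export (added example, not vendor code).
# Assumed column layout: url,username,password,totp,extra,name,grouping,fav
# The sample below is constructed for the demo; none of these are real accounts.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example.com,alice,Tr0ub4dor&3,,,"Example Bank",Finance,1
https://clinic.example.org,alice@example.com,Tr0ub4dor&3,,,"Clinic Portal",Health,0
http://forum.example.net,alice99,hunter2,,,"Old Forum",,0
https://mail.example.com,alice@example.com,correct-horse-battery-staple-ok,,,Mail,,1
https://shop.example.com,alice@example.com,Tr0ub4dor&3,,,Shop,Shopping,0
"""

SENSITIVE_GROUPS = ("Finance", "Health")   # assumption: the folders to rotate first


def parse_lastpass_csv(text: str) -> list:
    """Parse export text into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_export(rows: list, min_length: int = 12) -> dict:
    """Flag the three things worth fixing before a vault moves anywhere:
    one password used for several sites, sites still on plain HTTP,
    and passwords shorter than min_length characters."""
    by_password = defaultdict(list)
    for r in rows:
        by_password[r["password"]].append(r["name"])
    return {
        "reused": {pw: names for pw, names in by_password.items() if len(names) > 1},
        "plain_http": [r["name"] for r in rows if r["url"].lower().startswith("http://")],
        "short": [r["name"] for r in rows if len(r["password"]) < min_length],
    }


def rotation_order(rows: list, sensitive=SENSITIVE_GROUPS) -> list:
    """Entries in sensitive folders first, then everything else, in export order."""
    first = [r["name"] for r in rows if r["grouping"] in sensitive]
    rest = [r["name"] for r in rows if r["grouping"] not in sensitive]
    return first + rest


def shred(path: str, passes: int = 1) -> None:
    """Overwrite the export with random bytes, flush to disk, then unlink it.
    Caveat: on SSDs and journaling or copy-on-write filesystems the old blocks
    can survive, so this is best effort, not a guarantee - do not keep the
    file around in the first place."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)


if __name__ == "__main__":
    rows = parse_lastpass_csv(SAMPLE_EXPORT)
    report = audit_export(rows)
    for pw, names in report["reused"].items():
        print(f"password reused across {len(names)} sites: {', '.join(names)}")
    print("plain HTTP sites:", report["plain_http"])
    print("short passwords:", report["short"])
    print("rotate in this order:", rotation_order(rows))
    # Real use: rows = parse_lastpass_csv(open(path, encoding='utf-8').read()); ...; shred(path)
```

Run it against your own export by reading the file into `parse_lastpass_csv` and finishing with `shred(path)`; never paste the export into a web tool or notebook service. The reuse report is the list that matters most: every site sharing a password with one that may now be exposed has to be rotated, not just the "important" one.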
I have been a LastPass user for years. After the latest revelation, I turned off the auto-renewal on my subscription and never looked back. I've been using Bitwarden for the past two weeks and have been happy with it. It's quick and easy to use, and with its open-source codebase and strong security profile, users can rest assured that their sensitive information remains encrypted and secure.
The free tier option allows unlimited passwords on unlimited devices, while the family plan offers a great value at just $40 per year for up to 6 users. If you're looking for an easy way to keep track of multiple logins without compromising privacy, I highly recommend giving Bitwarden a try today!