ICYMI: LastPass sent out a security bulletin on Monday 2/27 to LastPass Business Administrators with a punch list of things to do. There's quite a bit of stuff in here:

#LastPass #LastPassBreach #LastPassBreachRecovery

https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators

Security Bulletin: Recommended Actions for LastPass Business Administrators - LastPass Support

Your organization’s security is vital to our mutual success, so we’ve created this guide to help you respond to the recent LastPass security incident in a way that meets your security posture and environment’s needs.

OK, #1Password is great so far.

* Imported things from LastPass easily.

* Super easy to set up.

* UX seems very polished on mobile/web/desktop

* I like the idea of vaults -- much cleaner for sharing in a family setup.

* It tells me which of my sites have 2FA available that I'm not using. I love that.

Cancelled my LastPass auto renew. Going all in on this I think.

#LastPassBreachRecovery

Alright, I did some more reading and came to the conclusion that the issues with LastPass don't appear to be because they were hosted in the cloud, or because they're a big target -- it's the cumulative result of many mistakes. Given that, I'm not going to go the self-hosted route, and am just going to move to 1Password.

I may still do the Terraform for self-hosted Bitwarden as a community / learning exercise, but right now I'm prioritizing migration speed.

#LastPassBreachRecovery

My favorite way to spend my holiday break is changing all my passwords because LastPass lied about what they encrypt and about their breach. #LastPassBreachRecovery

Yesterday moved over to 1Password. I changed a lot of passwords. I also realized I have recovery keys in my old LP secure notes. Rotate those, too, I guess (that was dumb). Moving forward, I need to find somewhere secure to store those… separate from passwords.

Although I had a reasonably secure master password, I’ve learned enough about their shoddy practices to leave me with no confidence that my encryption key hasn’t been compromised other ways. #LastPassBreachRecovery

I'm torn between moving to #1Password which people love and seems to have much better practices, or to #BitWarden because I can self-host for some additional security through obscurity (plus I've got a bit of love for the fact it was written in #dotnet ).

I'll likely end up trying both out since it's a significant investment to move things. But whether I'll move things is no longer a question. My trust is broken.

#LastPassBreachRecovery

Picking up here: this article is a great summary of the bad vibes I got from the LastPass PR statement: https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

It also helped me see that 100,100 iterations isn't the current recommended amount. First order of business tonight is to set it to the recommended standard of 300k+ as mentioned in the article.

This also makes it clear to me: I've got to migrate away from LastPass, no matter how painful. So, what's the next move?

#LastPassBreachRecovery

What’s in a PR statement: LastPass breach explained

The LastPass statement on their latest breach is full of omissions, half-truths and outright lies. I’m providing the necessary context for some of their claims.

Almost Secure
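Added example (my own code, not from the thread, the linked article or LastPass) showing why the iteration count matters: it derives a vault key with PBKDF2-HMAC-SHA256 at the three counts that come up in the thread (5,000; 100,100; 310,000), times each, and reports how much more expensive every attacker guess becomes. The salt-is-email derivation mirrors LastPass's documented scheme as I understand it and is an assumption here; the email and password are constructed.

```python
import hashlib
import hmac
import time

# Constructed sample credentials for the demo; not real accounts.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"

# Counts mentioned in the thread: 5,000 on an old untouched account,
# the 100,100 LastPass later defaulted to, and the 300k+ range the
# article recommends (OWASP's current PBKDF2-SHA256 figure is 310,000).
ITERATION_COUNTS = (5_000, 100_100, 310_000)


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, 32-byte output, lower-cased email as the salt.
    Assumption: this mirrors LastPass's documented key derivation."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def pbkdf2_matches_hmac_for_one_round(master_password: str, email: str) -> bool:
    """Sanity check on the primitive: by definition, PBKDF2 with c=1 and a
    one-block output is HMAC-SHA256(password, salt || INT_32BE(1))."""
    block_index = (1).to_bytes(4, "big")
    expected = hmac.new(
        master_password.encode("utf-8"),
        email.lower().encode("utf-8") + block_index,
        hashlib.sha256,
    ).digest()
    return hmac.compare_digest(derive_vault_key(master_password, email, 1), expected)


def relative_cost(iterations: int, baseline_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so this is the factor by
    which each of an attacker's guesses gets more expensive versus the baseline."""
    return iterations / baseline_iterations


def time_derivation(master_password: str, email: str, iterations: int, rounds: int = 3) -> float:
    """Best-of-N wall-clock seconds for one derivation on this machine."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_vault_key(master_password, email, iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    assert pbkdf2_matches_hmac_for_one_round(SAMPLE_PASSWORD, SAMPLE_EMAIL)
    baseline = ITERATION_COUNTS[0]
    for count in ITERATION_COUNTS:
        seconds = time_derivation(SAMPLE_PASSWORD, SAMPLE_EMAIL, count)
        print(f"{count:>8,} iterations: {seconds * 1000:7.1f} ms per derivation, "
              f"{relative_cost(count, baseline):5.1f}x the cost of {baseline:,}")
```

Note that a defender's 0.1 s per login is the same linear factor an attacker pays per guess: going from 5,000 to 310,000 rounds makes every guess 62 times more expensive, but it does nothing for anyone whose vault copy was taken while it was still at 5,000, which is why the thread treats that vault as compromised rather than just bumping the setting.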
@jonty yep, I checked this based on their post. My account was set to 5,000 rounds. I updated it and re-encrypted everything. After I received two different 2FA prompts from different services in a small span, I'm treating my vault as compromised. I'm doing a thread under #LastPassBreachRecovery where I'm sharing my mistakes, insights, and recovery process.

Oooh one last tip: as part of this, I'm adding "#BreachPriority" to the notes field for any item I think I need to take action on immediately. I can search for this in the (likely) future event something happens to take faster action and get better signal/noise across all my stored accounts.

#LastPassBreachRecovery
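Added example (mine, not the thread author's) for the two triage tips above: searching a vault export for the "#BreachPriority" note tag, and finding secure notes that look like they hold recovery keys, which the thread says should live somewhere separate from passwords. It parses the LastPass CSV export header (url,username,password,totp,extra,name,grouping,fav); the "http://sn" URL for secure notes and the "recovery" keyword heuristic are assumptions, and the rows are constructed.

```python
import csv
import io

BREACH_TAG = "#BreachPriority"
SECURE_NOTE_URL = "http://sn"  # assumption: how the LastPass export marks secure notes

# Constructed sample export in the LastPass CSV layout; no real credentials.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example,alice,pw-bank,,#BreachPriority rotate first; has wire access,Bank,Finance,1
https://mail.example,alice@example.com,pw-mail,otpauth://totp/mail?secret=ABC,#BreachPriority primary email is the recovery hub,Mail,Core,1
https://forum.example,alice,pw-forum,,old forum account,Forum,Misc,0
http://sn,,,,Recovery codes: 1234-5678 9012-3456,AWS recovery codes,Notes,0
http://sn,,,,Wifi password for the cabin,Cabin wifi,Notes,0
"""


def parse_export(text: str) -> list[dict]:
    """Read a LastPass-style CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def breach_priority_items(rows: list[dict], tag: str = BREACH_TAG) -> list[str]:
    """Names of items whose notes field ("extra") carries the triage tag, sorted."""
    return sorted(r["name"] for r in rows if tag.lower() in r["extra"].lower())


def recovery_material_notes(rows: list[dict]) -> list[str]:
    """Secure notes whose name or body mentions recovery keys/codes.
    Heuristic (assumption): keyword match on 'recovery'."""
    return sorted(
        r["name"]
        for r in rows
        if r["url"] == SECURE_NOTE_URL
        and "recovery" in (r["name"] + " " + r["extra"]).lower()
    )


def triage_report(text: str) -> dict:
    rows = parse_export(text)
    return {
        "total_items": len(rows),
        "breach_priority": breach_priority_items(rows),
        "recovery_notes": recovery_material_notes(rows),
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_EXPORT)
    print(f"{report['total_items']} items in export")
    print("Rotate first:", ", ".join(report["breach_priority"]))
    print("Recovery material stored in the vault:", ", ".join(report["recovery_notes"]))
```

Run it against the real export only on a machine you trust, and delete the CSV afterwards; an unencrypted export is exactly the artifact the breach handed to the attackers.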