While you should stop using LastPass in favor of a better password manager soon, I think it's important to keep a few things in perspective:

1. This isn't your fault. LastPass fucked up. It was reasonable to trust them, and they betrayed your trust. (Infosec folks: Do not shame people for not knowing this. If we knew and they didn't, that's on us. We should have communicated this better.)

2. You are still in a way better position, having used a password manager, than you would have been if you just reused passwords or used some predictable scheme for them. This is NOT some kind of proof that password managers (even cloud password managers) are inherently a bad idea. The alternatives are worse.

3. Your passwords are now almost certainly crackable, particularly if you've had an account for a long time. It looks like LastPass has never upgraded the difficulty factor on their KDF, which is very bad. But "crackable" is not the same as "cracked". It is eminently possible to crack a password in a couple of days, but *each* password is going to take at least a few hours on some very high-end hardware; attackers will need to be motivated.

4. Don't panic. Find your highest-priority passwords, reset a few (the top 10, let's say) with your new password manager. But then, set a recurring task for yourself to reset 1 password every few days. Maybe for the short term make it 1 every day. But don't freak out and ruin your holiday resetting hundreds of passwords. It takes a distressing amount of time, and unless you're a really high-value target you're not going to be first on the list to get hacked.

5. Panic a *little* bit. Right now, today, you're at relatively low risk of having all your accounts compromised. In 6 months, you're going to be at very high risk. The data's out there, and attackers will be sifting through it. Take that recurring task seriously. Stick to it, and keep rotating credentials. Once you're through the backlog of this pile of LastPass stuff, keep doing it as basic infosec hygiene. Passwords should not last forever.
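An added example, not part of glyph's thread and not LastPass's code, to make the "difficulty factor" point in item 3 concrete. It derives a vault key with PBKDF2-HMAC-SHA256 (the KDF family the thread refers to), measures how much one derivation costs at a stale versus a modern iteration count, and turns that into an expected cracking time for a password of a given entropy. The iteration counts, the entropy levels and the attacker speed-up factor are all assumed, illustrative values, not LastPass's actual settings or any measured attacker capability.

```python
import hashlib
import os
import time

# Assumed, illustrative iteration counts for PBKDF2-HMAC-SHA256 (not LastPass's
# real settings): a stale work factor that was never raised versus a modern one.
STALE_ITERATIONS = 5_000
MODERN_ITERATIONS = 600_000
KEY_LEN = 32  # bytes of vault key derived from the master password


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault encryption key from the master password.

    The iteration count is the "difficulty factor": the defender is expected to
    raise it over time, and it must be stored next to the salt so the same key
    can be re-derived later.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def relative_work(old_iterations: int, new_iterations: int) -> float:
    """How many times more work one guess costs at the new count than at the old."""
    return new_iterations / old_iterations


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one derivation at this iteration count on this machine.

    Takes the fastest of a few runs so background noise does not inflate it.
    """
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("constructed-sample-password", salt, iterations)  # constructed input
        best = min(best, time.perf_counter() - start)
    return best


def expected_days_to_crack(entropy_bits: float, secs_per_guess: float,
                           attacker_speedup: float) -> float:
    """Expected days to find a password of the given entropy by exhaustive search.

    On average the correct guess is found halfway through the keyspace.
    `attacker_speedup` is the assumed ratio of the attacker's guess rate to this
    machine's single-threaded rate; it is what "motivated attacker with very
    high-end hardware" means in numbers.
    """
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * secs_per_guess / attacker_speedup / 86400.0


if __name__ == "__main__":
    stale_cost = seconds_per_guess(STALE_ITERATIONS)
    modern_cost = seconds_per_guess(MODERN_ITERATIONS)
    print(f"per-guess cost: stale={stale_cost:.4f}s modern={modern_cost:.4f}s "
          f"(ratio {relative_work(STALE_ITERATIONS, MODERN_ITERATIONS):.0f}x)")
    # Constructed entropy levels (weak, modest, strong) and an assumed speed-up.
    for bits in (28, 40, 60):
        for label, cost in (("stale", stale_cost), ("modern", modern_cost)):
            days = expected_days_to_crack(bits, cost, attacker_speedup=10_000)
            print(f"{bits:>2}-bit password, {label:>6} KDF: ~{days:,.1f} days")
```

The takeaway matches the thread: the iteration count multiplies the attacker's cost per guess linearly, so a work factor that is never raised lets hardware gains erode the margin year after year, while the entropy of the master password is the only thing that scales the cost exponentially. Rotating the individual site passwords, as items 4 and 5 advise, removes the value of whatever the attacker eventually recovers.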
@glyph That's why you should trust only open source software for these kinds of things.
@astroboy @glyph you mean open source never has vulnerabilities?
Yeah, right.
Try this means do your own research and find what fits your risk level.
@siliconshecky @astroboy @glyph I don’t think that most users can do their own research. And I told many not to use LastPass but too many newspaper columnists were recommending it.
@xchatty @siliconshecky @astroboy unironically whenever anyone says “do your own research” it’s an indication that the social institution whose job it is to manage that issue and educate the public about it is failing. In this case, infosec writ large.
@xchatty @siliconshecky @astroboy users are not qualified to do their own research *or* assess their own risk. If they *do* do their own research they’ll most likely just develop extremely misguided ideas about password entropy. Hell, *I’m* barely qualified to do that and I’ve got years of relevant technical experience.
@glyph @astroboy @xchatty calling them Users instead of people is the start of the problem, cause reality is you and I are “users” also.
Second, the majority of us talk down to them so why should they listen to us anyway?
You and I are not qualified to assess an individual's risk off the bat anyway as we do not know them. They, on the other hand, evaluate their risk for almost everything on a daily basis. What they need is a resource they can trust and will treat them like a person to ask questions of.
That is called doing their own research.
@siliconshecky @astroboy @xchatty most laypersons do not understand the basics of threat modeling and do not understand what questions to ask. But I will grant that there is a tremendous amount of unhelpful and snide condescension in the industry, and there’s not really any such thing as a trustworthy practitioner in infosec in the same way one can go get treated by a doctor, retain a lawyer, or be advised by a fiduciary.
@siliconshecky @astroboy @xchatty Like I could tell you “you should listen to your lawyer, don’t try to wing it in a courtroom” but who exactly *should* you listen to in infosec? The employees of the major corporations who built the product that you’re using? The author of a book on personal security? Some random dude on social media? (Hello)
@siliconshecky @astroboy @xchatty Probably yes, and on an individual level there are many such people in those roles who *are* worth listening to, but on an institutional level there are no safeguards to verify that those people are trustworthy or competent or that their interests are aligned with your own. Hence: institutional failure.