Writing more about #LastPassBreach feels like beating a dead horse. But I had a look at the official statement again and it is highly misleading. I felt the need to provide some context that #LastPass is willingly omitting.

“Again, it seems that LastPass attempts to minimize the risk of litigation (hence alerting businesses) while also trying to prevent a public outcry (so not notifying the general public). Priorities…”

https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

What’s in a PR statement: LastPass breach explained

The LastPass statement on their latest breach is full of omissions, half-truths and outright lies. I’m providing the necessary context for some of their claims.

Almost Secure

@WPalant Excellent read. As an LP user, my password iteration was set at 5000, and I changed it to 100,100 as per the LP blog last week. I guess I should increase it further?? Would you suggest I ditch LP and go elsewhere - if so, where? Have tried 1Password and didn’t like it.

@fatwelshbuddha Yes, increasing it at least to 310,000 (per OWASP recommendation) would be advisable.

Also, you should strongly consider changing all your passwords. Accounts with 5000 iterations and less will likely be targeted first.

Personally: yes, you should definitely consider changing to a competitor who does a better job at keeping your passwords secure. People usually recommend 1Password or Bitwarden.

@WPalant Thanks for the feedback. Will update the iterations. As for changing passwords, I have sooooo many, but I’ll focus on the master one and financial sites. I’ll think about a change but I’m so embedded with the way LP works I’m somewhat reluctant to swap and trust ongoing security will be beefed up.