The LastPass Debacle

You will probably have read about the LastPass security incident(s) that took place last year and, perhaps, have seen the belated response from LastPass. Turns out a bad actor got access to an employee’s laptop by exploiting a weakness in the Plex media server software – something that had long since been fixed but the employee hadn’t felt the need to apply the update.

I am a long-standing LastPass user (since 2013) having long recognised the need for somewhere to securely store my passwords. Unsurprisingly I have accumulated quite a few passwords in those ten years – over 1,700 to be precise.

When the news first filtered out that LastPass had a breach it wasn’t clear exactly what had been taken and so I decided to sit tight and wait for more information. I waited and I waited and I waited, during which time LastPass suffered a second breach! Eventually, it became clear that all the vault information had been taken and, even though most of it was encrypted, I still felt vulnerable. Worse than that, I was disturbed by how LastPass handled the whole affair and their lack of transparency.

Therefore, I decided to move to another password manager and settled upon 1Password mainly because it had a good reputation and was recommended by Troy Hunt, someone I respect.

So far, so good

My initial experience of 1Password was good even if it did require a conversation with support. The native LastPass to 1Password export wasn’t working and so I was advised to do the move via CSV. I don’t know whether things would have been any better using the native transfer but all my passwords and other information transferred just fine and I was quickly up and running.

It was just as well that the transition worked smoothly as I quickly discovered that you cannot have two password managers coexisting happily in your browser and on your phone at the same time. In order to make any progress I had to remove LastPass. At least this forced me to get on with migrating over and updating my passwords.

The more I have used 1Password the more I like it. The user interface is clean and easy to navigate and it has some great features such as telling you when a site has multi-factor authentication available.

BUT!

Whatever home I chose for my passwords I knew that the transfer was going to be painful. I calculated that, changing on average three passwords a day, it was going to take me a year and a half to change all 1,700 I had in my vault. Gulp!

I have started with the most important, such as financial institutions, email accounts etc., but it is slow going. Of course, some are quicker than others, in that the site no longer exists so I just delete the entry and move on. Others, though, take more time as the change-password option is not obvious, or in doing so every device on which you are logged in with that account gets logged out and you spend the rest of the evening sorting that out.

Is it any better?

Of course, the big question is how much better is 1Password than LastPass in terms of keeping my data secure? Who’s to say that there’s not a 1Password employee at home with the same issue on their laptop? I’ll never know of course and it really is a roll of the dice and finger-crossing exercise. I remember a while back when another cloud-based service I use, Carbonite, lost data from thousands of their customers – fortunately, I wasn’t one of them.

In the end, you simply have to make a decision based on the information that is available. I figure that the convenience of having my passwords available across all devices outweighs the risk that is associated with that – even if it does mean that I have to spend the next year and a half changing all my passwords!
