LastPass Data Breach: It’s Time to Ditch This Password Manager

by admin

This means LastPass users will need to go through their vault and take extra steps to protect themselves, such as changing all passwords.

Start by enabling two-factor authentication on as many accounts as possible, especially high-value accounts such as email, financial services, and frequently used social media accounts. That way, even if an attacker compromises your account’s password, they can’t actually log in without a one-time code or hardware authentication key you’ve added as a “second factor.” Then change the passwords for all sensitive and important accounts. Then change any remaining passwords stored in your LastPass Vault.

Now that you’ve done all of this (or at least as many things as possible), the time is ripe to switch to a new password manager. Changing your account passwords gives you the chance to add your accounts to a new service. WIRED recommended 1Password and the free service Bitwarden, along with some alternatives. Given that LastPass suffered a series of security incidents in the past before this latest and most disastrous breach came to light, we have not been recommending LastPass since the company scaled back its free service a few years ago.

“100 percent, yes, people should switch to other password managers,” said one senior security engineer, who requested anonymity because of his professional relationship with LastPass’ security team. “They failed to do what they were supposed to offer: cloud-based secure credential storage.”

Security folks have broadly emphasized that the LastPass situation should not deter you from using a password manager in general. Also, even if you’re a loyal LastPass user, change your vault password, enable two-factor on every account that offers it, and, even if you don’t migrate elsewhere in the process, change the password for every single thing in your vault.

“As someone with experience handling and communicating EU data breach notices, I believe that LastPass’ chosen communication strategy may undermine user trust,” said Lukasz Olejnik, independent privacy researcher and consultant. “The big question is also timing. The first investigation started months ago, so why do it right before the end of the year holidays?”

As Jeremi Gosney, a longtime password cracker and senior principal engineer on the Yahoo security team, wrote this week in a broad series of posts on the situation: “I’ve been recommending it for years and defending it openly in the media … but things change.”
