In a recent newsletter, I wrote about online security and password lockers. Password lockers allow you to create longer, randomized passwords that are more secure than whatever you’re likely to come up with and memorize. The locker then stores them in an encrypted file on your device.
I spent most of Wednesday evening going through the annoying but important process of migrating my passwords off one of those lockers, LastPass. It’s a long story but I think it’s one worth sharing with you.
I started using LastPass in 2016. The service had its ups and downs. At one point, I paid for the premium version, but they moved to a pricier monthly subscription model and I slid back down to the free tier. The company provides an important service, but they’ve had an extremely rough run of things as of late that I think is worth detailing.
On August 25, 2022, LastPass detected “unauthorized” access to their servers. In their press statement about the incident, they buried this bit of terrible news in paragraph five:
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”
I am far from an expert in this area—that seems bad though. But it was really just the beginning. They followed that up with an announcement on September 15 about a subsequent breach that read roughly “Yeah, we were breached but your data and passwords are safe. Trust us.”
Then on November 30, they released a statement saying, “we have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information… We are working diligently to understand the scope of the incident and identify what specific information has been accessed.”
This was followed by two other company statements encouraging customers to “stay vigilant” and follow “security best practices,” advice the company clearly should have been taking themselves.
In January, the wheels started falling off the wagon as the company started to drip, drip more news about the access hackers were able to get.
On January 3, a John Doe filed a class action lawsuit on behalf of LastPass users over “failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach.” This is when it finally hit me. They hadn’t been breached in August as an isolated incident. The hackers had ongoing access to LastPass’ servers for months.
On January 23, LastPass admitted, “we also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups.” Also on January 23, they reported, “the threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups.”
Again, I’m no expert in cyber security but you don’t have to be one to see where this is going. Hackers attacked LastPass and the company’s security infrastructure utterly failed. This is when I started exploring alternatives and talking about the issue on the Channel 253 Member Slack.
Then on March 10, Matthew Gault from Vice posted an episode of their Cyber podcast titled “LastPass Isn’t Safe and Your Hiking App May be Tracking You.” In that episode, Gault quoted Joseph Cox, who summarized the situation succinctly:
“The hacker against LastPass was resourceful and persistent, but also that LastPass was not treating its own crown jewels with the serious security practices it should have. A LastPass engineer was accessing critical services from their home computer and network. LastPass had difficulty distinguishing between the activity of the worker and that of the hacker. The sensitive information—in this case, customers’ password vaults that need the user’s master password to decrypt, but could theoretically be brute forced at some point—were stored less in a bank vault and more in a closet.”
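To make Cox’s last point concrete, here is an added Python example (not from the newsletter, and not LastPass’s code or settings): it stretches a master password into a vault key with PBKDF2 and estimates how long offline guessing against a stolen vault would take. The salt, iteration counts, the attacker’s hashing rate, and the ten-year rotation threshold are all constructed assumptions.

```python
import hashlib
import math

# Constructed parameters for illustration; these are not LastPass's real settings.
SALT = b"constructed-per-user-salt"
HMAC_SHA256_PER_SECOND = 1e10   # assumed rate of a cracking rig, not a measurement
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.
    Every guess an offline attacker makes must repeat this full computation."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random from the given alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_years(entropy_bits: float, iterations: int,
                         hmac_per_second: float = HMAC_SHA256_PER_SECOND) -> float:
    """Expected time to recover the master password offline: the attacker searches
    half the space on average, paying `iterations` HMAC evaluations per guess."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / hmac_per_second / SECONDS_PER_YEAR


def stolen_vault_risk(master_length: int, alphabet_size: int, iterations: int) -> dict:
    """Summarize how exposed a stolen encrypted vault is under these parameters
    and whether the site passwords inside it should be rotated."""
    bits = password_entropy_bits(master_length, alphabet_size)
    years = expected_crack_years(bits, iterations)
    return {
        "entropy_bits": round(bits, 1),
        "expected_crack_years": years,
        # Constructed threshold: if the attacker could finish within a decade,
        # treat every password stored in the vault as compromised.
        "rotate_site_passwords": years < 10,
    }


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", SALT, 100_000)
    print("vault key:", key.hex())
    # Short master password at a low iteration count versus a long one at a high
    # count: only the first combination is realistically crackable from a stolen copy.
    for length, iters in [(8, 5_000), (8, 600_000), (20, 5_000), (20, 600_000)]:
        print(length, iters, stolen_vault_risk(length, 70, iters))
```

The takeaway matches the author’s response: once the encrypted vault is in someone else’s hands, a weak master password or a low iteration count turns “encrypted” into “delayed”, so changing the stored passwords is the only durable fix.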
That was the last straw for me. The situation is clear: responsible internet users who have concerns about their security and privacy should use randomized passwords and password lockers, but those lockers should absolutely not be on LastPass. They simply can't be trusted.
This week I deleted my locker on LastPass and moved to a different service provider. In doing so, I changed my master password and will slowly change my passwords on essential services like banking and investment apps. This is a time suck for sure, but it sucks way less than finding my accounts drained or discovering that my zombie Twitter account has been hacked and is promoting some crappy NFT project.