Management Assistance Program

Trust Issues with LastPass Password Manager

By Jim Calloway

During the last couple of months of 2022, I taught several CLE programs on ethical issues with lawyers’ use of technology. Password managers are one key to ethical digital security because you can create extremely long passwords no one could guess, and you won’t be tempted to use the same password for many sites, which creates a security weakness. These tools typically make it easier to incorporate multifactor authentication, which provides even greater security.

Several times I was asked the question, “What if hackers breach the password manager? Won’t they have access to all my passwords?” In response, I explained how the passwords are stored in encrypted vaults under a “zero knowledge” scenario. That means the company does not have the password to access your vault, so it can’t be stolen from them. They protect encrypted vaults like the crown jewels. But even if one was stolen from the company, the only way they could access the file was through a brute force attack, trying thousands of possible passwords. This could take a long time – many years.

Even though LastPass reported a breach in August 2022, they assured the public that none of the encrypted vaults were downloaded. They kept up with that story for quite a while. Then, on Dec. 23, they publicly admitted that some vaults were stolen. Naked Security had very detailed coverage in its post “LastPass finally admits: Those crooks who got in? They did steal your password vaults, after all…

What does that mean for LastPass users?

Here’s what Naked Security says:

Back in August 2022, we said this: “If you want to change some or all of your passwords, we’re not going to talk you out of it. [… But] we don’t think you need to change your passwords. (For what it’s worth, neither does LastPass.)”

That was based on LastPass’s assertions not only that backed-up password vaults were encrypted with passwords known only to you, but also that those password vaults weren’t accessed anyway.

Given the change in LastPass’s story based on what it has discovered since then, we now suggest that you change your passwords if you reasonably can.

Note that you need to change the passwords that are stored inside your vault, as well as the master password for the vault itself.

That’s so that even if the crooks do crack your old master password in the future, the stash of password data they will uncover in your old vault will be stale and therefore useless – like a hidden pirate’s chest full of old banknotes that are no longer legal tender.

 However, you should change your master password first, before changing any passwords inside the vault, as a way of ensuring that any crooks who may already have figured out your old master password can’t view any of the new passwords in your updated vault. [Emphasis added.]

But as Naked Security noted, some users’ personal information was stolen and can be accessed by the criminals:

Not literally on the night before Christmas, but perilously close to it, LastPass admitted that:

The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

Loosely speaking, the crooks now know who you are, where you live, which computers on the internet are yours, and how to contact you electronically.

So if you are a LastPass user, I think you should read the entire Naked Security article, change your master password in LastPass and then change the passwords for any accounts with client or financial information.

I won’t recommend LastPass as an appropriate solution any longer. You must trust your password manager, and the way LastPass responded to the breach has revealed this isn’t a company many of us will want to trust any longer.