LastPass is one of the biggest third-party password managers out there, and it used to hold that position for good reason. The free LastPass plan supported several types of devices, the paid plan was a worthwhile upgrade at $12 per year, and it was reasonably straightforward and easy to use. Even when the company struggled with numerous security incidents, its responses seemed to warrant the benefit of the doubt.
Over time, features got cut from the free plan and the price of the paid plan went up. Competing password managers also began pushing more innovative features. And then came the major breach in 2022, one in which data in customers’ vaults was stolen and revealed to be not fully encrypted. Oof.
A long while back, I started an account with LastPass to maintain the passwords for a loved one, and even after the 2015 hack, I didn’t leave immediately. (Change is difficult for this person.) After some gentle, extended coaxing, I got the green light to move them to another password manager at last, and I’m so thankful to finally move on to greener pastures. LastPass’s issues are simply too many to stick it out … including when you’re actually in the process of leaving.
If you’re still with LastPass and have been wondering if you should leap, here’s what tipped me over the edge and why I don’t intend on ever returning.
LastPass’s disclosures about its 2022 security breaches resembled watching a train wreck in slow motion. First came the preliminary statement in August, which claimed that no customer data was affected, just a developer environment. Three months later came an update that customer data was affected. Nearly a month after that, the company revealed that customer details and password vaults had actually been stolen. Not only that, but elements in those vaults (including URLs) had not been encrypted.
As discussed above, LastPass was no stranger to security incidents before this breach, but none were as shocking as this one. Customers of online password managers typically trust that their service is protected enough that their data, even if encrypted, can’t be accessed by unauthorized parties. Hearing after a breach that vault data was unencrypted was a bit blindsiding.
And maybe there’s a good reason from an engineering standpoint why some data, like URLs, how often you use an entry, when you last updated an entry, etc., would not be encrypted. But that brings us to the second way LastPass skewered my trust in them, which is …
Bad communication
So, obviously, I don’t know what it takes to run a business where you’re not just protecting really sensitive data, but you’re actively handling threats to that data on a regular basis.
Good communication is quite basic: immediacy and complete openness go a long way. A healthy dose of preemptive notices works wonders, too. The way LastPass breaks its news to customers could use a lot of improvement on all three fronts.
In mid-July, I logged in to make a last check of the account I was abandoning, only to see a message that my password iterations had been raised to 600,000. Modern cryptography standards recommend 600,000 iterations, which is probably why LastPass chose to raise customers across the board to that level.
But this occurred in July 2023. That is, six months after the disclosure in December about everyone’s vault data being taken. A half year passed in which people who did not check that setting in December (like I did) and increase it (like I also did) were left with much lower iteration counts (like mine was before I fiddled with it).
It says a lot that my first thought was, “What kind of security issue did they have this time to trigger this?” and that my second one was, “Why is this happening now?”
The e-mail describing this change came several hours after I made a quick online search to figure out just what the heck was going on. Another copy came in the next day. The contents did not explain the timing nor the motivating factor behind the increase.
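To make concrete what the iteration count in that message actually controls, here is an added example (my own code, not LastPass’s and not from the original post). It stretches a master password with PBKDF2-HMAC-SHA256, the construction for which OWASP currently recommends 600,000 iterations, and then runs a tiny offline guessing attack against a stolen verifier at a low count and at 600,000. The salt (the lowercased account e-mail), the 5,000-iteration “legacy” count, and the verifier construction are assumptions for illustration, not LastPass’s documented parameters.

```python
import hashlib
import hmac
import time

# Assumptions for illustration only (not LastPass's documented parameters):
# the salt is the lowercased account e-mail, a "legacy" account sits at 5,000
# iterations, and the service stores a SHA-256 of the derived key as a verifier.
LOW_ITERATIONS = 5_000
RECOMMENDED_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_verifier(master_password: str, email: str, iterations: int) -> bytes:
    """What an attacker holding a stolen vault can test guesses against (assumed)."""
    return hashlib.sha256(derive_vault_key(master_password, email, iterations)).digest()


def crack_offline(verifier: bytes, email: str, iterations: int, wordlist):
    """Brute-force the verifier; returns (password or None, guesses, seconds).
    Every guess costs one full PBKDF2 run, which is the whole point of the
    iteration count once the vault is already in the attacker's hands."""
    start = time.perf_counter()
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if hmac.compare_digest(make_verifier(candidate, email, iterations), verifier):
            return candidate, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


# Constructed inputs: a throwaway password and a tiny wordlist that contains it.
EMAIL = "Someone@Example.com"
MASTER = "correct horse battery staple"
WORDLIST = ["password123", "letmein", "hunter2", MASTER, "Tr0ub4dor&3"]


if __name__ == "__main__":
    for iters in (LOW_ITERATIONS, RECOMMENDED_ITERATIONS):
        verifier = make_verifier(MASTER, EMAIL, iters)
        found, guesses, secs = crack_offline(verifier, EMAIL, iters, WORDLIST)
        print(f"{iters:>7} iterations: found {found!r} after {guesses} guesses "
              f"in {secs:.2f}s ({secs / guesses * 1000:.1f} ms per guess)")
```

Run it and the per-guess time at 600,000 iterations comes out roughly 120 times the per-guess time at 5,000, because PBKDF2 cost is linear in the count. Nothing else about a stolen, offline vault changes: the attacker still holds everything, and the iteration count is the only knob that makes each guess at the master password expensive.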
Once upon a time, LastPass’s web interface was fairly good. Maybe not the slickest, but it felt modern enough.
Nowadays, it feels much more bare-bones compared to rival password managers. Incognito browsing means that your layout will never stay saved; it always reverts the view to LastPass’s default.
LastPass has the logs of what devices I’ve used and my consistent, persistent use of the web interface for years and years. Being nagged constantly is not going to make me change that habit.
This section was filled with far saltier language until I remembered you all (and my editor) would read it. Roll up your sleeves, because we’re getting into the dirty details with this one.
You’d think that maybe, if you were leaving a service, a business would be incentivized to make the process as easy as possible, thereby increasing the chances you might return one day. LastPass tries for this, but it does not do it consistently. And lucky me, I got caught up in whatever development hole allows sloppy password exports.
Normally, when you switch password managers, you’ll export your vault data to a CSV or XML file. They’re standard file formats that can be easily read across various programs (in theory, anyway). LastPass only exports to CSV for this purpose, and the defining characteristic of the comma-separated values format is that (as you’d expect from the name) commas are used to separate data fields.
Note: If you export all your passwords to an unencrypted format like CSV or XML, saving the file to an encrypted folder on your PC will help protect them as you transition between LastPass and a new password manager, and delete the file once the import is verified.
I want to be clear: I’m the type of person that if something goes wonky, I like to understand why. And when my export came out a mess, with a bunch of entries containing orphaned data, I tried to understand what I was seeing.
That maybe commas were causing entries to be split up and read as different entries (with data ending up in the wrong fields, to boot). That didn’t explain why some entries with no commas at all got split up.
I still had no clear answers by the time I finished manually cross-checking every single entry against the originals in LastPass, a necessary evil because the data was unreliable, but importing and cleaning up the mess was still faster than creating all the entries from scratch in the new password manager.
Trying different browsers and methods of export (i.e., initiated through the web interface vs. the browser extension) didn’t clear up the confusion. Turns out the web interface does not export all entries (Firefox) or straight up returns a blank CSV file (Chrome), but both Firefox’s web interface export and the Chrome browser extension had the same issues with data integrity. When I tried exporting on a test account, the data fields for each entry came out perfect (even if some were still missing in the web export).
As best as I can tell, either the age of the account influences how the data is stored and parsed on the servers, or the use of certain special characters in non-password text fields triggers some sort of bug in the export script. Either way, you can’t trust you’re actually getting all your passwords out intact. Hours into the tedious process of rebuilding my import, I seriously considered abandoning the process in favor of password resets for every service, and letting the new password manager capture them. I mean, I was going to have to do that anyway as a final precaution given the LastPass security breaches?
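Here is what the comma problem looks like in practice, as an added example of my own rather than anything from LastPass or from the original post. It builds a constructed export in a LastPass-like column layout (the header names are my assumption), parses it first the naive way (split on newlines, then on commas) and then under RFC 4180 quoting rules, and finishes with the sanity check I would run on any export before trusting it: every row must have the same field count as the header, and the URL column must hold a URL. Rows 2 and 3 survive only the correct parser; row 4 is short no matter how you parse it, which is the kind of orphaned-data row the post describes, and a sign that the exporter, not the importer, dropped data.

```python
import csv
import io

# Column layout is an assumption for illustration (a LastPass-like export);
# the sample rows below are constructed, not taken from a real vault.
COLUMNS = ["url", "username", "password", "extra", "name", "grouping"]
SAMPLE_EXPORT = (
    "url,username,password,extra,name,grouping\n"
    # row 2: a comma inside a quoted notes field
    'https://example.com,alice,s3cr3t,"note, with a comma",Example,Work\n'
    # row 3: a doubled quote and a comma in the password, a newline in the notes
    'https://bank.example,bob,"p@ss""w,ord","line one\nline two",Bank,Finance\n'
    # row 4: a truncated row, the way a buggy exporter would write it
    "https://broken.example,carol,hunter2,orphaned text\n"
    # row 5: a clean row with an empty notes field
    "https://shop.example,dave,Tr0ub4dor&3,,Shop,Personal\n"
)


def naive_split(text):
    """What a hand-rolled importer often does: split on newlines, then on commas.
    Quoting is ignored, so commas and newlines inside fields tear rows apart."""
    return [line.split(",") for line in text.splitlines() if line]


def rfc4180_parse(text):
    """Parse with quoting honoured: fields may be wrapped in double quotes, a
    literal quote is written as "", and a quoted field may span lines."""
    return list(csv.reader(io.StringIO(text)))


def check_export(rows, expected_columns):
    """Return (good_rows, problems). A row is suspect if its field count differs
    from the header or its url column does not look like a URL. Problems are
    (line_number, message) with the header counted as line 1."""
    header, body = rows[0], rows[1:]
    good, problems = [], []
    if header != expected_columns:
        problems.append((1, f"unexpected header {header}"))
    for lineno, row in enumerate(body, start=2):
        if len(row) != len(expected_columns):
            problems.append((lineno, f"{len(row)} fields, expected {len(expected_columns)}"))
        elif not row[0].startswith(("http://", "https://")):
            problems.append((lineno, f"url field is {row[0]!r}"))
        else:
            good.append(dict(zip(expected_columns, row)))
    return good, problems


if __name__ == "__main__":
    for label, parser in (("naive split", naive_split), ("RFC 4180", rfc4180_parse)):
        good, problems = check_export(parser(SAMPLE_EXPORT), COLUMNS)
        print(f"{label}: {len(good)} usable rows, {len(problems)} problems")
        for lineno, message in problems:
            print(f"  line {lineno}: {message}")
```

The naive parser flags four of the five data rows, which is what an import looks like when the tool on the receiving end is the culprit. The RFC 4180 parser flags only row 4, and no amount of re-parsing will recover a row that was written short. If a checker like this still reports short rows on a parser that honours quoting, the data was lost before it reached you, and the only remaining fix is the one the post ends up at: reset those entries at the source.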