Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

LastPass Publishes More Details about Its Data Breaches

Adam Engst

In 2022, password management service LastPass suffered its latest significant breach, this one resulting in the loss of customer vault data (see '[1]LastPass Shares Details of Security Breach,' 24 December 2022). Months later, the company has finally provided significantly more information about the breach, what data was compromised, and how users should respond. The new information is helpful, but it doesn't make me regret switching to 1Password.

In a [2]carefully worded blog post, LastPass CEO Karim Toubba lays out a more-detailed timeline of two chained incidents, with the [3]first setting the stage for the [4]second. He then points readers to a pair of security bulletins with recommended actions: one for [5]LastPass Free, Premium, and Families users and another for [6]LastPass Business users. Finally, he summarizes what actions LastPass has taken to [7]better secure its systems. I particularly appreciated [8]the extensive list of all the data types accessed, with notes about which fields were encrypted and which were not. Notably, the company says that it hasn't heard from the attacker nor seen any indication of the data being used:

"There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident."

If you're interested in security stuff, the various posts are worth reading, and LastPass has done a much better job of communicating this time, even if it's overdue.
In particular, if you're still using LastPass, I recommend [9]following the company's advice to:

* Ensure the strength of your master password
* Increase the number of password iterations
* Turn on or reset multifactor authentication
* Review the Security Dashboard
* Turn on dark web monitoring

LastPass hasn't yet made the last two options available to LastPass Free users, but the company says it will enable them shortly.

Interestingly, LastPass has dramatically increased the number of password iterations. Some long-time users were still set at what is now an absurdly low 5,000, while newer users had 100,000 iterations. The default is now 600,000: that's a big change.

I wonder what Karim Toubba must be going through. He joined LastPass as CEO in April 2022, and the first breach occurred just months later, in August 2022. The company has likely been in crisis mode ever since, and the extent of the changes (combined with the actual breach, of course!) suggests that its previous security stance was problematic. We hope the adults are now in charge and are taking the right steps to prevent future breaches.

Switching to 1Password from LastPass and Authy

On top of my irritation with LastPass's interface, functionality, and reliability, the breach was the final straw, so I switched to [10]1Password and [11]imported my data from LastPass. I chose the approach of exporting data from LastPass and importing it into 1Password because 1Password's direct import capability doesn't work if you have multifactor authentication turned on in LastPass. I wasn't comfortable disabling that, even temporarily. I'm not quite ready to delete all my data from LastPass, but that's on my list once I'm confident that 1Password has all the capabilities I want. I realize that some people haven't been happy with the changes in 1Password 8, but as someone who didn't particularly use previous versions, I haven't been perturbed.
While not perfect, 1Password has been significantly more elegant than LastPass, which never provided anything resembling a native Mac or iOS experience. That was especially true in the last few weeks I used LastPass, when it felt like the company was making rapid changes in an effort to show users that it was doing something. I particularly like using my Apple Watch to unlock 1Password on my 2020 27-inch iMac and my watch or Touch ID on my M1 MacBook Air. LastPass introduced app-based multifactor authentication a while back, but it never properly accepted input from its watchOS app, forcing me to pull out my iPhone every time to confirm login in its iOS app. I've subsequently reset LastPass's multifactor authentication to use a normal time-based one-time password (TOTP) that I stored in 1Password, which auto-fills it whenever I log in to LastPass on my Mac, a distinct improvement over tapping a button in LastPass's iPhone app.

1Password's support for TOTP has been a big win. I started with authentication apps early, when Google Authenticator was the only game in town. When I learned that its data wouldn't transfer to a new iPhone (it can now if you can scan a QR code on the old device), I switched to the free [12]Authy ecosystem of apps, which has worked acceptably and syncs across my Macs, iPhone, and iPad. (I tried LastPass Authenticator briefly, but it's available only for the iPhone and iPad, and I hate turning to my iPhone when logging in on the Mac.) Authy provides the [13]Authy Desktop app for the Mac, but every time I want to log in to an account requiring two-factor authentication, I have to launch Authy Desktop, search for the website (I have 28 accounts), click a button to copy the code, switch back to my Web browser, and paste the code. I thought about automating the process with Keyboard Maestro, but it would be nothing more than fragile monkey-clicking. The way 1Password auto-fills the TOTP as the next step in the login process has been a huge relief.
(Glenn Fleishman reminds me that you could opt instead to use Apple's multi-platform support for TOTPs, but that works only within Safari in macOS. If you use other browsers or apps, you have to bring up Safari > Preferences > Passwords or the Passwords settings/preference pane, authenticate, search, click, and copy; see his article, '[14]Add Two-Factor Codes to Password Entries in iOS 15, iPadOS 15, and Safari 15,' 7 October 2021. And, of course, then there's the whole iCloud Keychain vulnerability if your iPhone and passcode were stolen; see '[15]How a Thief with Your iPhone Passcode Can Ruin Your Digital Life,' 26 February 2023.)

Moving my two-factor authentication setup from Authy to 1Password has been fussy and time-consuming. Amazon Web Services was the only service that allowed me to register 1Password as an additional authentication device. For all other accounts, I've had to reset two-factor authentication or turn it off and back on. The threat of being completely locked out of an account is scary, so I'm careful to add the new TOTP to both 1Password and Authy (again) before I delete the old account in Authy. While I don't anticipate using Authy after I get everything set up in 1Password, it feels like a useful backup if storing the TOTP in 1Password alongside the account credentials feels problematic. Remember to record one-time or 'scratch' codes if a site offers them when enabling two-factor authentication, since they can be a lifeline if you have a TOTP blowout.

Much as with the Wall Street Journal's coverage of iPhone passcode thefts, I've come to see the LastPass breach as an opportunity to rethink my approach to password security. I wasn't entirely happy with LastPass before the breach but couldn't muster the enthusiasm for switching. By cleaning up duplicates and other cruft in 1Password organically, as I need to use the associated sites, I can nibble away at a task that would be too enormous to face all at once; I have over 900 logins.
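The TOTP mechanism this migration depends on, as an added example that is not code from the article, 1Password, or Authy: an RFC 6238 generator plus a verifier with clock-skew tolerance, fed from the otpauth:// URI that an enrollment QR code encodes. Because the code is a pure function of the shared seed and the current time step, the same seed registered in two apps (1Password and Authy, as described above) yields identical codes, which is why keeping the second app as a backup works. The URI, label, and issuer below are constructed for this example; the seed is the RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrollment URI, the payload a 2FA setup QR code encodes.
# The secret is the RFC 6238 test-vector seed "12345678901234567890" in base32;
# the label and issuer are made up for this example.
SAMPLE_URI = ("otpauth://totp/Example:adam%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Extract the TOTP parameters from an otpauth:// URI (Key URI format)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    raw = q["secret"][0].upper()
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(raw + "=" * (-len(raw) % 8)),  # restore padding
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def totp(secret, unix_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP over the time-step counter with dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // period)
    digest = hmac.new(secret, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret, submitted, unix_time, window=1, **params):
    """Server-side check: accept adjacent time steps for clock skew, compare in constant time."""
    period = params.get("period", 30)
    return any(
        hmac.compare_digest(totp(secret, unix_time + step * period, **params), submitted)
        for step in range(-window, window + 1)
    )


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    # Two apps holding this same seed compute the identical code for the same time step.
    print(p["label"], totp(p["secret"], 59, p["digits"], p["period"], p["algorithm"]))
```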
I'll ultimately have a better handle on my passwords than ever before. But I'll still be happy if passkey support (see '[16]Why Passkeys Will Be Simpler and More Secure Than Passwords,' 27 June 2022) becomes widespread quickly such that I don't need all these stinkin' passwords!

References

1. https://tidbits.com/2022/12/24/lastpass-shares-details-of-connected-security-breaches/
2. https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/
3. https://support.lastpass.com/help/incident-1-additional-details-of-the-attack
4. https://support.lastpass.com/help/incident-2-additional-details-of-the-attack
5. https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers
6. https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators
7. https://support.lastpass.com/help/what-have-we-done-to-ensure-lastpass-is-safe-to-use
8. https://support.lastpass.com/help/what-data-was-accessed
9. https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers
10. https://1password.com/
11. https://support.1password.com/import-lastpass/
12. https://authy.com/
13. https://authy.com/download/
14. https://tidbits.com/2021/10/07/add-two-factor-codes-to-password-entries-in-ios-15-ipados-15-and-safari-15/
15. https://tidbits.com/2023/02/26/how-a-thief-with-your-iphone-passcode-can-ruin-your-digital-life/
16. https://tidbits.com/2022/06/27/why-passkeys-will-be-simpler-and-more-secure-than-passwords/