Beloved, Use a Password Locker but Make Sure it's Not LastPass
Happy Sunday T & Ters,
In a recent newsletter, I wrote about online security and password lockers. Password lockers allow you to create longer, randomized passwords that are more secure than whatever you’re likely to come up with and memorize. The locker then stores them in an encrypted file on your device.
I spent most of Wednesday evening going through the annoying but important process of migrating my passwords off one of those lockers, LastPass. It’s a long story but I think it’s one worth sharing with you.
I started using LastPass in 2016. The service had its ups & downs. At one point, I paid for the premium version but they moved to a pricier monthly sub model and I slid back down to the free tier. The company provides an important service, but they’ve had an extremely rough run of things as of late that I think is worth detailing.
On August 25, 2022 LastPass detected "unauthorized" access to their servers. In their press statement about the incident, they buried this bit of terrible news in paragraph five:
“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
I am far from an expert in this area—that seems bad though. But it was really just the beginning. They followed that up with an announcement on September 15 about a subsequent breach that read roughly “Yeah, we were breached but your data and passwords are safe. Trust us.”
Then on November 30, they released a statement saying, “we have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information… We are working diligently to understand the scope of the incident and identify what specific information has been accessed.”
This was followed by two other company statements encouraging customers to “stay vigilant” and follow “security best practices,” advice the company clearly should have been taking themselves.
In January, the wheels started falling off the wagon as the company started to drip, drip more news about the access hackers were able to get.
On January 3, a John Doe filed a class action lawsuit on behalf of LastPass users over “failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach.” This is when it finally hit me. They hadn’t been breached in August as an isolated incident. The hackers had ongoing access to LastPass’ servers for months.
On January 23, LastPass admitted, “we also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups.” Also on January 23, they reported, “the threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups.”
Again, I’m no expert in cyber security but you don’t have to be one to see where this is going. Hackers attacked LastPass and the company’s security infrastructure utterly failed. This is when I started exploring alternatives and talking about the issue on the Channel 253 Member Slack.
Then on March 10, Matthew Gault from Vice posted an episode of their Cyber podcast titled LastPass Isn’t Safe and Your Hiking App May be Tracking You. In that episode, Gault quoted Joseph Cox who summarized the situation succinctly:
“The hacker against LastPass was resourceful and persistent, but also that LastPass was not treating its own crown jewels with the serious security practices it should have. A LastPass engineer was accessing critical services from their home computer and network. LastPass had difficulty distinguishing between the activity of the worker and that of the hacker. The sensitive information—in this case, customers’ password vaults that need the user’s master password to decrypt, but could theoretically be brute forced at some point—were stored less in a bank vault and more in a closet.”
That was the last straw for me. The situation is clear: responsible internet users that have concerns about their security and privacy should use randomized passwords and password lockers but those lockers should absolutely not be on LastPass. They simply can't be trusted.
This week I deleted my locker on LastPass and moved to a different service provider. In doing so, I changed my master password and will slowly change my passwords on essential services like banking and investment apps. This is a time suck for sure, but it sucks way less than finding my accounts drained or my zombie Twitter account got hacked and is promoting some crappy NFT project.
Recommendations and Bits for the Week Ahead
First, it’s Ramadan in the Gulf. Last night we had our first of what will hopefully be many Iftars (the dinner where Muslims break their fast) of the season. Ramadan is an amazing occasion. On one hand, it’s like Christian lent but with commitment. On the other hand, it’s like a month of Thanksgiving dinners. On a third hand (yes, I know that’s not how hands work), it’s a time of repentance, forgiveness and getting right with the Creator, like Easter. On the fourth hand, have you heard of Iftar Cannons? The entire society contorts around the occasion. Working and school hours are shortened and the entire country shifts into a more nocturnal mode. Every park in the city will be full of kids playing deep into the dark tonight. I feel blessed to be an observer and a part-time participant in the occasion.
Segundo, we lost one of my favorite character actors this week. Lance Reddick played Lieutenant Cedric Daniels on The Wire, Police Chief Irvin Irving on Bosch, and Special Agent Phillip Broyles on Fringe. His death inspired an exchange with reader P.E. We began talking about the books of the writers of The Wire: George Pelecanos and Richard Price, in particular. I’ve previously read and highly recommend Price’s Lush Life from 2018 and I started 2011’s The Cut from Pelecanos this week. I am loving it. Give either a read.
Lastly, spring break has arrived in the Gulf and Hope and I are headed to Thailand later today, ergo the earlier than usual email. On Monday, we’ll celebrate our thirteenth wedding anniversary—yay us! There may or may not be a newsletter next week depending on wifi and vibes.
Excelsior!
As always, if you have any thoughts or feedback about the newsletter, I welcome it, and I really appreciate it when folks share the newsletter with their friends.