I’ve used Lastpass for years. I keep thinking I should switch after all the “issues” but my god it’s “full of stars” after this long and I’m lazy. I keep looking at Bitwarden, not sure how the migration is though.
You know you can really easily transfer passwords from one manager to another. I was using LastPass before they lost their minds and it was so simple to switch to 1Password. It was literally just a download of the file and upload it to 1Pass.
You convinced me. I’ve switched over to Bitwarden, as well as trying out the built in authenticator. You were correct, easy peasy. So now I’ll keep both for a month and watch for hiccups (not really expecting any) and delete my Lastpass account after that. Thank you very much.
I’m no cryptography expert, but is it that big of a deal if hackers made away with the encrypted password data? LastPass says they encrypt with AES-256 so I figure that’s not getting cracked anytime this century. I’m more concerned about the unencrypted data, e.g. the Website URLs
The problem was that they were grandfathering existing users without notification every time they increased their PBKDF2 iterations. I think the current recommendation is 100,100 iterations, and LastPass was implementing that for new users. But it wasn’t updating that for existing users, resulting in some having as few as 5000 iterations, making that user’s encrypted data much easier to crack. You could change the iterations in the settings, but that required knowing that you needed to do this, and LastPass should have either changed it automatically or notified users that they needed to change it.
I was paying LastPass to be the security expert so I didn’t have to learn all the ins and outs of data encryption, and they failed at that task.
After looking into this more, I’m definitely planning on switching from lastpass, but I did wanna clarify a couple things first.
Between this blog post, and this forum thread linking to this other blog post, I’m under the impression that LP’s number of PBKDF2 iterations used isn’t a big deal as long as your master password is secure, and I feel like that’s always gonna need to be the case no matter how much we want the password manager to take over.
That said if the crux of your point is that they didn’t do ANYTHING to address customers’ eventual concerns to low PBKDF2 iterations, whether that be via notification or forced config update, then that seems fair.
https://www.theverge.com/2022/12/22/23523322/lastpass-data-breach-cloud-encrypted-password-vault-hackers That’s why LastPass isn’t save.
I’ve used Lastpass for years. I keep thinking I should switch after all the “issues” but my god it’s “full of stars” after this long and I’m lazy. I keep looking at Bitwarden, not sure how the migration is though.
You know you can really easily transfer passwords from one manager to another. I was using LastPass before they lost their minds and it was so simple to switch to 1Password. It was literally just a download of the file and upload it to 1Pass.
You convinced me. I’ve switched over to Bitwarden, as well as trying out the built in authenticator. You were correct, easy peasy. So now I’ll keep both for a month and watch for hiccups (not really expecting any) and delete my Lastpass account after that. Thank you very much.
Thanks. I’ve been telling myself I need to do it. I’ll look into Bitwarden a bit more, maybe 1Password.
I’m no cryptography expert, but is it that big of a deal if hackers made away with the encrypted password data? LastPass says they encrypt with AES-256 so I figure that’s not getting cracked anytime this century. I’m more concerned about the unencrypted data, e.g. the Website URLs
The problem was that they were grandfathering existing users without notification every time they increased their PBKDF2 iterations. I think the current recommendation is 100,100 iterations, and LastPass was implementing that for new users. But it wasn’t updating that for existing users, resulting in some having as few as 5000 iterations, making that user’s encrypted data much easier to crack. You could change the iterations in the settings, but that required knowing that you needed to do this, and LastPass should have either changed it automatically or notified users that they needed to change it.
I was paying LastPass to be the security expert so I didn’t have to learn all the ins and outs of data encryption, and they failed at that task.
After looking into this more, I’m definitely planning on switching from lastpass, but I did wanna clarify a couple things first.
Between this blog post, and this forum thread linking to this other blog post, I’m under the impression that LP’s number of PBKDF2 iterations used isn’t a big deal as long as your master password is secure, and I feel like that’s always gonna need to be the case no matter how much we want the password manager to take over.
That said if the crux of your point is that they didn’t do ANYTHING to address customers’ eventual concerns to low PBKDF2 iterations, whether that be via notification or forced config update, then that seems fair.