It might seem obvious that any LastPass user should want to migrate away from the service given the recent data breach, but it's not that simple, especially when you're fully invested in it. To put that into context, I've been a user for about eight years, fully paid up with an annual plan that I share across the family; we're all pretty heavy users and I had over 500 passwords stored in the service. The service works well, a few autofill niggles aside: it's a user-friendly way to manage the many passwords we need to generate these days and it takes a lot of the heavy lifting away. They also offer a multi-factor authentication OTP service which synchronises all the tokens, so that when you lose your phone it's not the end of the world; you just resync your new device and you're back up and running.
All that sounds too good to be true and, unfortunately, it is. Putting all your eggs in one basket is never a good idea and is not something I would advocate in a professional setting but from an ease of use perspective, which is imperative to get the family onboard, it’s actually a good answer. That is until they get breached!
Getting breached isn't unexpected in security; we expect it, plan for it and have mitigation actions ready to roll so that we can quickly recover and get back to normal. The snag with the LastPass breach is that they didn't encrypt all the data (some fields were plaintext), the full disclosure took months for them to admit to, and they also lost some undisclosed account data.
That last point has been interesting: just before Christmas 2022 I got vished (a scam over the phone) by someone who knew some of my personal details, such as the last few digits of my credit card number and my home address. LastPass state in their breach notification that, "there is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment", but it is suspicious timing and, while LastPass may not store "complete credit card numbers", they may store the last few digits, as these can be seen when logged in to the account section.
The LastPass breach notification is pretty vague in advising customers what to do and relies heavily on the master password being strong. This is a fair point, and my LastPass master password had 33 characters and ~190 bits of entropy, so pretty strong, but it still contained dictionary-based words so that I could remember it, and could therefore be attacked by a dictionary/rainbow table attack which would reduce the effort required (although that is still pretty unlikely). So I have a strong password and LastPass tell me that I don't need to do anything, despite the attackers having a complete copy of all my data, but that doesn't stack up very well, so here's what I decided to do:
Begin the migration away from LastPass to Google Password Manager. As a household we’re all in with Google with Assistants, Pixel phones and Chromecasts all over the place so this makes sense (despite the obvious privacy concerns with the use of Google but, to be honest, that ship has sailed)!
My theory is also that the security at Google is likely to be significantly better than that of LastPass given the economies of scale they have. Google Password Manager isn't as sexy, but it does seem to have come on leaps and bounds since I last used it and it's working well so far. Native integration into the browser is also a much better idea than being reliant on third-party apps, so that's another tick in the box.
To migrate away from LastPass I took an export of my data in CSV format and edited out all of the nonsense fields that I didn't need and that didn't fit the data model. I then imported this directly into Google Password Manager via Chrome, which took a good few attempts because of some data quality issues, but I got there eventually. Finally, I uploaded an encrypted and password-protected version of the data to cloud storage for the just-in-case scenario and then properly deleted the file from my device.
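As an added illustration of that CSV clean-up step (this is an example script written for this page, not anything from the original post, LastPass or Google), here is a small Python converter that takes a LastPass export and writes only the columns Chrome's password importer wants. The LastPass column names (url, username, password, totp, extra, name, grouping, fav), the `http://sn` placeholder URL LastPass uses for secure notes, and the Chrome column set (name, url, username, password, plus an optional note) are assumptions taken from the export format as I know it; verify them against the header line of your own export before trusting the output. The sample rows are constructed and contain no real credentials. The script drops the things that caused the "data quality" failures described above: secure notes (no password, nothing to import), rows with no usable URL, and exact duplicates. It also lists any entries carrying a TOTP secret, because Google Password Manager has no field for those and they have to be moved to a separate OTP app.

```python
import csv
import io
from urllib.parse import urlsplit

# LastPass CSV export columns (assumption: check your export's header line).
LASTPASS_FIELDS = ["url", "username", "password", "totp", "extra", "name", "grouping", "fav"]
# Columns accepted by Chrome's password import (assumption; "note" is optional).
CHROME_FIELDS = ["name", "url", "username", "password", "note"]
# Placeholder URL LastPass puts on secure-note entries (assumption).
SECURE_NOTE_URL = "http://sn"

# Constructed sample export for demonstration only; not real credentials.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://example.com/login,alice,Correct-Horse-7,,"Recovery codes: 1111 2222",Example,Shopping,0
http://sn,,,,"Passport number: X1234567",Passport,Personal,0
https://bank.example,alice@example.com,S3cret!,JBSWY3DPEHPK3PXP,,Bank,Finance,1
https://example.com/login,alice,Correct-Horse-7,,,Example (old),Shopping,0
http://,alice,orphan,,,No site,Misc,0
"""


def convert_lastpass_export(export_text):
    """Return (chrome_csv_text, report) for a LastPass CSV export string."""
    export_text = export_text.lstrip("\ufeff")  # some exports carry a UTF-8 BOM
    reader = csv.DictReader(io.StringIO(export_text))
    missing = [f for f in LASTPASS_FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"unexpected export header, missing columns: {missing}")

    report = {"exported": 0, "secure_notes": 0, "unusable_url": 0,
              "duplicates": 0, "totp_to_migrate": []}
    seen = set()
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=CHROME_FIELDS, lineterminator="\n")
    writer.writeheader()

    for row in reader:
        url = (row.get("url") or "").strip()
        username = row.get("username") or ""
        password = row.get("password") or ""  # never strip: trailing spaces may be real

        if url == SECURE_NOTE_URL:
            # Secure notes have no password; they belong in a notes app, not here.
            report["secure_notes"] += 1
            continue
        if not urlsplit(url).netloc:
            # Chrome rejects rows without a host; the author saw these as import failures.
            report["unusable_url"] += 1
            continue
        key = (url, username, password)
        if key in seen:
            report["duplicates"] += 1
            continue
        seen.add(key)

        display_name = row.get("name") or urlsplit(url).netloc
        if row.get("totp"):
            # TOTP secrets are deliberately NOT written out; migrate them separately.
            report["totp_to_migrate"].append(display_name)

        writer.writerow({
            "name": display_name,
            "url": url,
            "username": username,
            "password": password,
            "note": row.get("extra") or "",
        })
        report["exported"] += 1

    return out.getvalue(), report


if __name__ == "__main__":
    import sys
    # Usage: python convert.py lastpass_export.csv chrome-import.csv
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="", encoding="utf-8") as f:
            source = f.read()
    else:
        source = SAMPLE_EXPORT
    dest = sys.argv[2] if len(sys.argv) > 2 else "chrome-import.csv"
    chrome_csv, summary = convert_lastpass_export(source)
    with open(dest, "w", newline="", encoding="utf-8") as f:
        f.write(chrome_csv)
    print(summary)
```

The output file is plaintext credentials, so treat it the way the post describes: import it, then encrypt the copy you keep (one option is `openssl enc -aes-256-cbc -pbkdf2 -salt -in chrome-import.csv -out chrome-import.csv.enc`) and delete the original. Note that on SSDs a file-level "secure delete" cannot guarantee the blocks are overwritten, so full-disk encryption on the device is what actually protects the deleted plaintext.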
Begin the migration away from LastPass OTP to andOTP. This I should have done a long time ago, or never got into the LastPass OTP ecosystem in the first place to avoid the eggs in a single basket situation but we are where we are.
andOTP is an open source OTP manager for Android which syncs with Google Drive so over a period of time I can migrate all of the ~40 OTP codes across by resetting them. This isn’t a quick win and will take some time so I focussed on the sites which are the highest value (banking/email/etc) and will chip away at the rest as I get to them. Having an encrypted backup in Google Drive means that when I lose my phone I can still resync all my OTP codes onto my new device.
Identify my key passwords and change them anyway. LastPass don’t specify the need to do this but should my encrypted data get brute forced then the impact would be too high - identity theft and financial theft for starters. Again, I identified the high value accounts that I had such as Google (my email provider which is used for the validation of lots of other sites), banking, online shopping (Amazon) and key tech services such as Home Assistant and AWS.
Change my LastPass master password and multi-factor options. Because I'm using another password manager, I no longer need to know my LastPass master password, so it can now become a stupidly long/complex/random string that gets stored in Google Password Manager. This means that should the attacker reverse my password from their stolen hashes, they won't be able to log in to the LastPass web portal and access any of my online data.
Take a hard copy of my Google password. My Google password is now my master password for everything Google related, including my passwords, so I'd better not lose it. It's also something I don't know: it's a super strong/long/complex password that there's no chance on Earth I would ever be able to remember, so having a printed copy locked away in a safe place means that should the worst happen I can still get access to my account (I have backup copies of OTP secrets/FIDO keys for just the same reason, not necessarily in the same format/location though). 😉
My LastPass subscription doesn't expire until July 2023, so I've cancelled auto-renewal and will keep the service running until that point. It's not been easy to migrate away; it's consumed a significant amount of time to perform all these actions and I'll have to invest a similar amount of time for the other members of the family too, but it's given me the kick I needed to break some bad habits that I'd fallen into with the LastPass service and, let's face it, taking some time to refresh all my key passwords is never a bad thing anyway.
As a result, I now have a much stronger security model in place with hopefully a less fiddly autofill solution given the native integration into Android and Chrome. The real test will be in the family migration away from LastPass which I’ll get to once I’ve ironed out the nuances of using a new suite of services. It’s definitely a shame to have to migrate away from LastPass, reinforced by the high cost of doing so, and probably overkill in all honesty, but the impact of my data being accessed is just too high to take any chances and that’s something I think LastPass have not taken seriously enough or even acknowledged.