SN 900: LastPass Again

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Steve included a quote from Elon Musk in this episode; it’s discussed at @1:27:35 in the show:

I can’t exactly say why, because it’s one of those things where, it’s like: my biological neural net said, ‘it is important to buy Twitter’ and just like with a digital neural net, you can’t really exactly explain why the neural net is able to understand an image or text – the collective result of the neural net says this is an important decision, or this is the right action, and my biological neural net concluded that it was important to buy Twitter and that if Twitter was not bought and steered in a good direction, it would be a danger for the future of civilization, and so… that’s why I bought it.

@Leo asserted this quote was “as clear as mud”. Elon’s statement seems lucid to me. Elon had a gut feeling or maybe a hunch that it was important to buy Twitter. He had a similar gut feeling in 2004 when he contributed $7.5M to the Series A investments in Tesla Motors and joined the company’s leadership. He thought this EV vehicle company – with his leadership – would have a positive impact on the future of civilization. Until about a year ago, there was near-unanimous agreement that Mr. Musk’s hunch on Tesla was correct.

Steve Jobs was legendary for his hunches. Steve’s neural networks informed him that the cellular carriers had no business controlling any of the content or functionality of the OS for his [proposed] iPhone. He pitched this to all of the carriers, and all but Cingular told him and Apple to take a hike. But Apple won, both companies profited handsomely from that initial exclusive deal, and the landscape of wireless service worldwide was forever changed. This 2008 WIRED article talks about many of the details of Apple’s breaking down the carriers’ “walled garden”.

Leo has over 30 years in broadcast/netcast/podcast media. I don’t know if he has ever contemplated the impact on civilization of his work, but he is clearly a fount of passion, knowledge, and experience. Steve Gibson’s pioneering work with SQRL should have a positive impact on computerdom – even if he is never fully appreciated for his work. And Steve and Leo’s work for 900 episodes of Security Now! has definitely had a positive impact for all online users. It has undoubtedly made civilization at least a little bit safer for everyone. OTOH, both of them have had failures: initiatives that will make no public difference to the world. That’s true of everyone.

Elon has gut feelings. Power to him! He uses a way of labeling those gut feelings that some don’t like. I don’t really care, and I’m not sure why anyone should care. If Leo thinks Elon’s message is “clear as mud” from that discussion, I wish he’d elucidate his opinion with a couple of paragraphs here. I wish that Steve would do the same – either here or on his podcast. Thanks.

I think a good/actually best replacement is Keepass. Open source, everything is encrypted, and you have total control over the vault location. I checked the iterations and the default is 1,000,000. It may not be as automated in some ways but it really isn’t hard to use.
Features - KeePass

If they go out of business, you still have everything, you don’t lose control.

I used to use it at a previous employer, it is fine, if you have a dedicated machine, but if you are constantly moving around machines, it is a pain. Yes, you can keep it on a Cloud Drive, but that isn’t any better than using a dedicated cloud service, like BitWarden (which is also open source). You have to enable the Cloud Drive on every device you want to use KeePass on. It also means you have to keep your cloud service password in your head, in order to access the cloud drive, in order to access your safe.

It also means it can become infected, if you use it on a machine that is infected with a virus, and it will automatically spread to all your other devices (using the same OS). The same is true, if you use a USB key.

Using a cloud password safe has many advantages and conveniences, but at the cost of complete security.

We have a policy at work: no external USB devices that aren’t from the company and aren’t encrypted, so using a personal stick would be grounds for dismissal. Likewise, attaching non-authorised cloud drives is grounds for dismissal. Opening the password safe in the browser is not…

There are many different ways of doing password security. It always comes down to which way makes the most sense in your situation; there is no right solution that will work for everyone.

1 Like

So after listening to this episode I made the decision to leave Lastpass.
If I do the following, have I created a situation where, even if the vault is hacked, there’s minimal reason to be worried, given I’ve done everything I can to prevent the cracking?

  1. Set all website passwords to 20+ random (text, symbols, numbers) characters.
  2. Set iterations to the max, e.g. 2M
  3. Switch to a PW manager that uses scrypt or argon2 to keep the brute force cracking method from being viable.
  4. Ideally set the master password to 20+ random (text, symbols, numbers) characters. Suboptimal but still viable is to use the first letter of each word in a phrase to create 20+ character string that is personal and memorable to me only, e.g. MdaIafboIki!Tmms2ad.CIbw? (My dog and I are friends but only I know it. This makes me sad twice a day. Could I be wrong?)

What am I missing?

1 Like
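As an added example (not part of the thread, and not any vendor’s code), the script below turns the four steps in the post above into numbers. It derives a 32-byte vault key from a master password with PBKDF2-HMAC-SHA256 and with scrypt, times one derivation on the local machine (one attacker guess against a stolen vault blob), and estimates how long exhausting the two master-password styles from step 4 would take. The salt, the sample passwords, the 100,100 “old” iteration count, the scrypt parameters and the bits-per-character figures for the first-letter scheme are all assumptions made for the demo. Note that nothing but the master password, salt and iteration count enters the derived key, which is why the steps target those three things rather than anything at the login gate.

```python
"""Added example (not from the thread): turning the four steps in the post above
into numbers. Everything here is constructed for the demo: the salt, the sample
master passwords, the entropy-per-character assumptions and the scrypt
parameters are illustrative, not any vendor's settings."""
import hashlib
import math
import time

SALT = b"constructed-salt"                      # constructed; real vaults use a random per-user salt
RANDOM_MASTER = "q7$Lp2!vXz9#Wm4@Rt8^"          # constructed 20-char random style (step 4, ideal)
PHRASE_MASTER = "MdaIafboIki!Tmms2ad.CIbw?"    # the first-letter scheme the post describes


def pbkdf2_key(master: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Derive a 32-byte (AES-256) vault key with PBKDF2-HMAC-SHA256.
    Each extra iteration costs the attacker exactly as much as it costs you."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)


def scrypt_key(master: str, n: int = 2**14, r: int = 8, p: int = 1, salt: bytes = SALT) -> bytes:
    """Derive a 32-byte vault key with scrypt (step 3). n=2**14, r=8 needs
    128*r*n = 16 MiB of RAM per guess, which is what hurts GPU/ASIC cracking."""
    return hashlib.scrypt(master.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)


def seconds_per_guess(kdf, *args) -> float:
    """Wall-clock cost of one derivation on this machine (one attacker guess)."""
    start = time.perf_counter()
    kdf(*args)
    return time.perf_counter() - start


def iteration_cost_factor(old_iterations: int, new_iterations: int) -> float:
    """How much more work per guess step 2 buys, e.g. 100,100 -> 2,000,000."""
    return new_iterations / old_iterations


def random_password_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of `length` characters drawn uniformly from the printable ASCII set."""
    return length * math.log2(alphabet_size)


def first_letter_phrase_bits(password: str, letter_bits: float = 3.0, other_bits: float = 4.0) -> float:
    """Rough estimate for the mnemonic scheme. Assumption: a first letter of an
    English word carries ~3 bits (they are far from uniform), and each digit or
    symbol ~4 bits. This is a ballpark, not a measurement."""
    return sum(letter_bits if c.isalpha() else other_bits for c in password)


def years_to_exhaust(bits: float, secs_per_guess: float, parallel_guessers: int = 1) -> float:
    """Time for an attacker with `parallel_guessers` cores/GPUs to try every
    password of the given entropy against a stolen vault blob (offline attack)."""
    guesses = 2.0 ** bits
    return guesses * secs_per_guess / parallel_guessers / (365 * 24 * 3600)


if __name__ == "__main__":
    # 100,100 is a commonly cited older default (assumption); 2,000,000 is the post's "max"
    low, high = 100_100, 2_000_000
    t_low = seconds_per_guess(pbkdf2_key, RANDOM_MASTER, low)
    t_high = seconds_per_guess(pbkdf2_key, RANDOM_MASTER, high)
    t_scrypt = seconds_per_guess(scrypt_key, RANDOM_MASTER)
    print(f"PBKDF2 {low:>9,} iterations: {t_low:.3f}s per guess")
    print(f"PBKDF2 {high:>9,} iterations: {t_high:.3f}s per guess "
          f"(x{iteration_cost_factor(low, high):.1f} work)")
    print(f"scrypt n=2^14 r=8:             {t_scrypt:.3f}s per guess + 16 MiB RAM")
    for label, bits in (("20 random chars", random_password_bits(20)),
                        ("first-letter phrase", first_letter_phrase_bits(PHRASE_MASTER))):
        years = years_to_exhaust(bits, t_high, parallel_guessers=1_000_000)
        print(f"{label:>20}: ~{bits:.0f} bits, {years:.3g} years for "
              f"1M guessers at {high:,} iterations")
```

The timing is CPU wall-clock, so treat the year figures as an upper bound: a GPU farm derives PBKDF2 keys far faster per guess than this loop does, which is exactly the gap the memory-hard step 3 is meant to narrow. The entropy gap between the two step 4 styles (roughly 131 bits for 20 uniformly random characters versus under 80 bits for the mnemonic string under these assumptions) is the reason the post calls the phrase method “suboptimal but still viable”.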

I would say you are reasonably secure, for the time being, as long as the PM is doing its job properly.

But… I would change the order, 3, 2, 4, 1. Change your password after you have moved to the new manager. :wink:

The passphrase is difficult, if it is too complex, you will never remember it and have to write it down, or you will leave it unlocked on your trusted devices - I have mine set to close after 30 minutes of inactivity, so I often need to re-enter the password several times a day. I also had to reset my work PC this week, which meant re-activating my safe in a new profile with 3 different browsers… A right royal pain! :smiley:

Edit: I forgot, don’t forget MFA.

1 Like

Thanks big_D!
One other question, do you know of any PW managers besides Dashlane that uses Argon2?

I don’t, I know several are looking at it, but I think most are still on PBKDF2, because it is FIPS-140 compliant, which is needed for many certifications and use in many industries. But I expect to see many starting to switch this year and at least offering it as an option.

1 Like

I don’t understand the rush to leave Lastpass. If you were a user, the data was leaked. Leaving won’t change that.

After being burned, Lastpass will certainly focus more on security. That makes staying a reasonable choice, given the almost certain beefing up of security. Leaving for another provider doesn’t guarantee more security.

You’re assuming they will continue to have money to focus on anything… That’s probably not a good assumption. I presume the problems they previously had were because money was tight already (venture capital investors tend to load the company up on debt and then cut every corner while they polish the turd for resale.) And now, with many people leaving because of the problems, they’re going to have even less money for hiring smart staff who care to fix their issues. As the old saying goes… “fool me once shame on you… fool me a second time, shame on me…” So I wouldn’t be the fool that waits for the next serious issue to emerge.

2 Likes

After the first time, yes, I’d give them the benefit of the doubt. Everybody is under attack and anyone can get hit… So you would expect them to take more care going forward. I said this, the first time they got hacked, but getting hacked and losing customer data seems to be a hobby at LastPass…

I’d turn on 2 factor authentication everywhere it’s possible, and ideally not by an SMS message, that someone with access to your telecoms provider account could switch to a new SIM / device. So even if a password / master password were captured, they can’t do a lot without the 2nd means of authentication.

If you had your bank card details, driving licence, passport, social security number, in your vault (form filler), they may well end up in the public domain, obviously along with your name, email addresses, home address, birth date, all user names, school and college library card numbers and the organisations names. Not to mention a list of every site and organisation you’re connected to. To make identity theft, and / or phishing attacks likely, for decades.

If only someone had enabled 2 factor authentication on their account, so their master password wasn’t sufficient, when captured by a key logger, on a non LastPass device and network, to open the whole enterprise, and subsequently leak the company’s customers’ details, employees’ details, along with the code base. The likely €20 million euro fine, for a major GDPR violation, may be but a drop in the ocean of the legal costs over a plainly avoidable breach.

Also raises questions over past GDPR, SOX (before going private), PCI-DSS, … audits of the organisation’s processes and procedures.

This is one run on sentence that I don’t understand. If it means what I think it means, then I have to say that 2FA does not apply to LastPass vaults that would have been stolen direct from LastPass. 2FA is ONLY a protection against getting the raw vault directly from LastPass, but it doesn’t supply any protection for the data in the vault if an attacker manages to end-run the front end 2FA check. Basically 2FA protects the password from outsiders because it is applied at the “gates”. Once the attackers breach the “gates” then all that protects the vault is the AES256 key, which is protected by your master password alone.

1 Like

[[ MODERATOR EDIT ]]

At the risk of permitting misinformation to stand I am leaving this post present, because it represents an indication of the problem that we face in the future. This clearly appears to be someone using a GPT type tool to quote irrelevant BS. (See others of the users posts as well.) The user has been restricted, and may face suspension in the future if this continues.

[[ MODERATOR EDIT ]]

The lack of Multi-Factor-Authentication permitted someone to use the key logged Developer’s credentials to gain access to the LastPass corporate network, then gobble LastPass’s AWS credentials, to access their AWS buckets that they’d failed to enable Multi-Factor-Authentication on, and make off with the company’s business.

Mandating multi factor authentication, on all access to the LastPass corporate network, the development environment, VPN, AWS environment, … as has been best practice since the mid 1990s, post the appearance of the ACE / RSA SecurID system, would have likely prevented the breach in the first place.

Even simply imposing a few MAC access white-lists on various sub-nets of the corporate network, and authorised IP subnets access to the cloud backup environments, let alone enabling and mandating the use of token based multi-factor authentication, would have made a key logged Developer’s username and password alone of little use, assuming they hadn’t reused their password in all their own personal accounts, at which only the developer would have issues.

Preventing a Developer’s credentials being sufficient to remotely gain access to the Corporate network, and particularly the Development environment to be able to gobble the code base, and grab a copy of the AWS SSH private keys, if not more, to be able to at their leisure login from anywhere in the World, to the remotely hosted corporate backups, would have prevented this cluster ####.

Having documented processes that mandate multi factor authentication, and access lists, has been a Data Security compliance requirement for SoX, ISO, PCI-DSS, GDPR, … audits, for twenty something years, along with keeping records that note when every employee was informed and trained on their need to understand and comply with the applicable Data Security regs. SoX predated the founding of LastPass, and prior to going private in 2020, notionally compliant, which makes you wonder.

Given the haul of partially encrypted customer vaults along with a number of application keys, if not a repository of vault recovery keys, the data is tainted and likely to leak at some point. If copies of the Web Server SSL certs were grabbed at the same time, ongoing man in the middle attacks are a possibility until the certificates that permit the possessor to spin up an authenticated LastPass site expire; they possibly have the code base and customer vaults to spin up a straight clone, and a bit of DNS hijacking could see it receive some traffic.

FYI: AWS offers a variety of multi-factor authentication methods, eg.

All the reports I’ve read have said MFA was enabled and used by the developer? So not sure why people are saying they should have enabled MFA?

E.g. from PCMag…

‘According to LastPass, the hacker planted keylogging malware on the home computer, enabling them “to capture the employee’s master password as it was entered, after the employee authenticated with MFA (multi-factor authentication) and gain access to the DevOps engineer’s LastPass corporate vault.”’

1 Like