LastPass Hack: The CRUCIAL Problem No One Is Talking About

I switched from LastPass to Bitwarden when the hack happened, and actually find BW to be superior. And FWIW, I'm in the infosec business. I'd become anxious about LP after its aquisition by LogMeIn (which didn't have a stellar security record). Wish I'd acted sooner.

There’s also an additional problem you didn’t mention - LastPass not updating customers’ hash iteration value. They changed the default to 100,000+ iterations, but people who created accounts a decade ago had iteration counts of 5000, or even

An updated password manager video would be awesome. As well as how to make the process of migrating easier. Right now the challenge is momentum - it’s hard to just get started.

Another problem with this is that it makes people lose trust in password managers, which ultimately leaves them more vulnerable. I like your advice of not having your most valuable passwords in your manager and to switch managers early if you hear of a breach. Hopefully it is sinking in that people need to take an active approach to security.

Thanks so much for talking about this. I love that you bring issues like this to a wider community, on top of always talking about safer ways to keep our private information actually private!

I'm glad I'm not the only one that pays attention to the words used like "such as" in statements.

Switched to Keeper. The bad part is the vault data that was stolen is not going to be impacted by what you change now, so it can be scanned for years to try and get new credentials that are still in place. What users should really do is change every single password in their lastpass list, save on a different service or locally, and drop all go-to products from this point forward.

Great breakdown. I hadn't considered the Session ID issue in the URL until your video. As much as I loved Lastpass, this breach was the last straw for me.

Absolutely love this video! Great explanation of what happened.

>makes secure password manager

As a network Sysadmin geek myself I love your videos. Will spoken clear and to the point.

My suggestion, no matter where you record your passwords, is to use and store a partial passwords, but to have a secret code, e.g., three ending characters you add to every password. And never record that secret code anywhere except maybe on the side of your bottom dresser drawer. That way if your UN/PW is hacked you're safe because the hacker has only a partial password. Also protected if you have a written list.

great video and love how u break it down so easily that anyone thats not very tech savvy can understand.👍

That's a really good point. I already had those thoughts when I read about it as well, thankfully though this should really only affect either the websites you recently added (which might still have a valid session ongoing), I really hope there are no websites around that never change the session. But as you said, you can't know so it's always the safest to change the passwords to make sure.

Hardware 2FA needs to be a universal option.

11:37

Thank you! I love the tech videos, but this is great information!😎

Thank you for explaining this in detail, I know nothing about security, more of an hardware guy. So this thought me a lot. Session hijack achievement unlocked.

I'm glad I switched a long time ago to Bitwarden. Your video on showcasing different password managers really helped me on making my decision.

Great information! You gave me more to think about on this hack.