Change your passwords — LastPass has been hacked, again (and Apple Passkeys can’t come quick enough)

imwjl

I don't know what's gone on with management here, but this is another emotive and not very good article. Their admission of what read like some sort of cross tenant hack does not warrant this sort of message because users were not compromised. When it has been appropriate LastPass has forced password updates.
 

Annie_M

The quality of the article is debatable, but I agree with many of its points. Personally, I have shied away from password managers for this very reason. I'll be very interested (and eager) for the release of Apple's Passkeys.
 

HelloNNNewman

Yeah... this is a crap article and poorly put together. There isn't even a citation for the quotes they posted. There's a bunch of quotes saying the company said this and that - but where did you pull the quotes from? What are you quoting? I'd call it a click-bait article, but it's like opening a can of pop (soda) and finding it warm and flat.

Plus - who uses LastPass now? Most left that crap software behind and moved on to other free services like Bitwarden when LastPass dropped their free version and moved to a subscription-only model. I moved to Bitwarden and never looked back!
 

Lee_Bo

I moved to 1Password when LastPass was hacked the first time.

And I tried to read the iMore article but holy schnikes and ads are soooooo bad now. I guess I’ll reinstall an ad blocker.
 

Up_And_Away

Annie_M said:
The quality of the article is debatable, but I agree with many of its points. Personally, I have shied away from password managers for this very reason. I'll be very interested (and eager) for the release of Apple's Passkeys.

Apple’s Keychain is the most limited of the bunch but for what it does within the Apple ecosystem, it’s very good. Imho it’s as secure as a password manager can get.
 

imwjl

HelloNNNewman said:
Yeah... this is a crap article and poorly put together. There isn't even a citation for the quotes they posted. There's a bunch of quotes saying the company said this and that - but where did you pull the quotes from? What are you quoting? I'd call it a click-bait article, but it's like opening a can of pop (soda) and finding it warm and flat.

Plus - who uses LastPass now? Most left that crap software behind and moved on to other free services like Bitwarden when LastPass dropped their free version and moved to a subscription-only model. I moved to Bitwarden and never looked back!

LastPass is among some that work or scale aka enterprise features. I'm pretty sure they brought back a free version but that's not my core point explained to Annie below.

Annie_M said:
The quality of the article is debatable, but I agree with many of its points. Personally, I have shied away from password managers for this very reason. I'll be very interested (and eager) for the release of Apple's Passkeys.

You need to be aware of confirmation bias. If you take a modern workplace where there can be 15 to 5000+ staff and then factor in how often staff use Internet for HR or payroll matters you have your fast answer for how a password management system cuts risk.

Put another way, maybe the two of us can have a pretty good manual or self-managed system. The way my department also serves staff for HR needs and the firm is generous with help for employees produces stats that show a password management system is overall best.
 

FFR

The amount of times this company gets hacked is unbelievable. At this point LastPass users are begging to be compromised.
 

HelloNNNewman

imwjl said:
LastPass is among some that work or scale aka enterprise features. I'm pretty sure they brought back a free version but that's not my core point explained to Annie below.

LastPass did offer a very limited ‘free’ version (still do) when they switched to subscription-based model. For years I used their products on a couple different computers along with mobile phones and tablets to sync passwords. Their subscription model only allows you to use the service for free on 1 (one) device now. I switched over to Bitwarden and never looked back. Free service that syncs across an unlimited number of devices.

To your point directed towards Annie’s comment: A password management system can cut risk, but any solution introduces its own risks as I’m sure you are aware. A password manager is great for companies to help employees securely access sites with unique passwords, and lower FTE time spent on helping users with login issues - not to mention meeting any audit requirements. But depending on how large that company is, LastPass or any other that have a syncing function is not always a secure enough option. Because of attacks on password manager companies like this along with the surge of BitB attacks, our company, which employs several thousand across multiple countries, now blocks all password management services and only allows employees to use one application (KeePassXC) that encrypts passwords directly on that employee’s device. It additionally only auto-populates login forms when the URL of the form matches the details saved in the vault/database (along with utilizing MFA where available). One level of protection will never be truly secure, but these password services are huge targets and created a new risk target for companies - with even higher risk implications for those companies that deal with a large amount of PII data.
 

imwjl

HelloNNNewman said:
LastPass did offer a very limited ‘free’ version (still do) when they switched to subscription-based model. For years I used their products on a couple different computers along with mobile phones and tablets to sync passwords. Their subscription model only allows you to use the service for free on 1 (one) device now. I switched over to Bitwarden and never looked back. Free service that syncs across an unlimited number of devices.

To your point directed towards Annie’s comment: A password management system can cut risk, but any solution introduces its own risks as I’m sure you are aware. A password manager is great for companies to help employees securely access sites with unique passwords, and lower FTE time spent on helping users with login issues - not to mention meeting any audit requirements. But depending on how large that company is, LastPass or any other that have a syncing function is not always a secure enough option. Because of attacks on password manager companies like this along with the surge of BitB attacks, our company, which employs several thousand across multiple countries, now blocks all password management services and only allows employees to use one application (KeePassXC) that encrypts passwords directly on that employee’s device. It additionally only auto-populates login forms when the URL of the form matches the details saved in the vault/database (along with utilizing MFA where available). One level of protection will never be truly secure, but these password services are huge targets and created a new risk target for companies - with even higher risk implications for those companies that deal with a large amount of PII data.

I am familiar with KeePass and others and don't care to argue. Most people don't have the resources of a large IT department, and a lot of things people do require some compatibility and ease that make KeePass more of a challenge.

Our outside audits have shown even with the possible weaknesses in a password manager system such as KeePass alternatives the total of staff in and out of work have had fewer problems. Support for what I'll say something better than nothing.

With so many security issues the weakest link being human, training, and smarts, I'm sure managed/system type solutions will remain popular. You also bring up the important point of no one system. Most enterprises and lots of individuals pursue that too.

I won't deny the benefits or advantages for KeePass, but above all poke people to not do a lot of common outdated ways to manage private and security.
 
