LastPass breach: time to change password managers

The LastPass breach that has been making the news since last week is turning out worse than many of us expected. To summarize: last month, LastPass CEO Karim Toubba said that “threat actors had accessed certain elements of customer info.” What has since emerged is that the hackers actually breached LastPass’s cloud infrastructure and copied the company’s entire customer password-vault database. Now is definitely the time to change password managers, and the best LastPass alternatives are listed below.

LastPass CEO Karim Toubba has tried to maintain confidence in its platform by stating that the hackers have not been able to copy or learn customers’ master passwords. The master password is used to decrypt each customer’s individual LastPass password vault, and therefore gain access to all passwords.

Toubba elaborates, “These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Cybersecurity experts sound the alarm on LastPass breach

But cybersecurity experts across social media and news publications are sounding the alarm about LastPass and its response, or lack thereof.

Wired spoke to Evan Johnson, a security engineer who worked for LastPass for more than seven years.

Johnson has criticized his former employer’s poor response. “In my opinion, they are doing a world-class job detecting incidents and a really, really crummy job preventing issues and responding transparently. I’d be either looking for new options or looking to see a renewed focus on building trust over the next few months from their new management team.”

The hackers responsible now have a critical asset: time. “With vaults recovered, the people who hacked LastPass have unlimited time for offline attacks by guessing passwords and attempting to recover specific users’ master keys.”

Jeremi Gosney, Senior Principal Engineer at Yahoo, summarized his concerns in a new post on Mastodon:

Steps you must take if you are a LastPass customer

If you are a LastPass customer, there are several steps you must take immediately to protect yourself from any fallout from the LastPass hack.

  • Change all passwords for accounts that are stored within LastPass. Now.
  • Enable two-factor authentication on every eligible account that is stored within LastPass. This is especially important for high-value accounts such as financial and email accounts. It prevents attackers from logging in with a stolen password alone, since they would also need the one-time token code or hardware authentication key.
  • Change your password manager. Countless companies suffer breaches, but the frequency of attacks against LastPass is nothing short of concerning, and better alternatives exist on the market.

Best LastPass Password Manager Alternatives

There are four great password managers that we recommend as alternatives to LastPass: Bitwarden, 1Password, Dashlane, and Proton Pass.

Bitwarden

Bitwarden is a completely free, open-source password manager for personal use. Bitwarden fully encrypts all of your data before it ever leaves your device, and only you have access to it. Even the Bitwarden team cannot unlock your protected data. Bitwarden seals your sensitive information with end-to-end AES-256 encryption, salted hashing, and PBKDF2-SHA256 key derivation.
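The “zero knowledge” claims from both LastPass (above) and Bitwarden rest on the same idea: the vault key is derived on the client from the master password with a slow KDF, the server only ever stores a separate authentication hash, and, once vaults are stolen, the KDF work factor is the only thing slowing down offline guessing. The following added example is written for this article and is not LastPass’s or Bitwarden’s code; it is modelled on the published Bitwarden scheme (PBKDF2 over the password salted with the e-mail, then one further PBKDF2 round to produce the login hash). The 600,000-iteration threshold is OWASP’s 2023 recommendation for PBKDF2-HMAC-SHA256; the salt and password values are constructed. AES-256 encryption of the vault with the derived key is not shown.

```python
# Added example (not LastPass's or Bitwarden's code): client-side key
# derivation for a zero-knowledge vault, and the server-side login check
# that never sees the master password or the encryption key.
import hashlib
import hmac
from typing import Tuple

# OWASP (2023) minimum for PBKDF2-HMAC-SHA256.
OWASP_MIN_PBKDF2_SHA256 = 600_000


def derive_vault_keys(master_password: str, salt: bytes,
                      iterations: int) -> Tuple[bytes, bytes]:
    """Return (encryption_key, auth_hash).

    encryption_key: 256-bit key that would be the AES-256 vault key in a real
    product; it is computed on the client and never transmitted.
    auth_hash: one extra PBKDF2 round over the encryption key, keyed by the
    password; this is what the client sends at login and what the server
    stores. PBKDF2 is one-way, so auth_hash does not reveal encryption_key.
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    pw = master_password.encode("utf-8")
    encryption_key = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", encryption_key, pw, 1, dklen=32)
    return encryption_key, auth_hash


def server_verify_login(stored_auth_hash: bytes, presented_auth_hash: bytes) -> bool:
    """Server side: compare the presented hash to the stored one in constant time.
    The server holds only stored_auth_hash, the salt and the encrypted vault."""
    return hmac.compare_digest(stored_auth_hash, presented_auth_hash)


def kdf_meets_guidance(iterations: int,
                       minimum: int = OWASP_MIN_PBKDF2_SHA256) -> bool:
    """Audit check: is the account's iteration count at or above current guidance?
    A low count makes every offline guess against a stolen vault proportionally cheaper."""
    return iterations >= minimum


if __name__ == "__main__":
    # Constructed sample values; a real deployment salts with the user's e-mail.
    salt = b"user@example.com"
    enc_key, auth_hash = derive_vault_keys("correct horse battery staple", salt, 100_000)
    print("encryption key (client only):", enc_key.hex())
    print("auth hash (sent to server):  ", auth_hash.hex())
    print("login ok:", server_verify_login(auth_hash, auth_hash))
    print("100,000 iterations meets guidance:", kdf_meets_guidance(100_000))
```

The practical takeaway for anyone reviewing a password manager after this breach: check what iteration count (or memory-hard alternative such as Argon2) your account actually uses, because that setting, together with master-password strength, is what determines how long a stolen vault stays unreadable.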

Bitwarden only charges if you intend to use it for a business or for a family. For families, it is a flat charge of $40 per year and provides six premium accounts, which include advanced two-factor authentication, emergency access, Bitwarden Authenticator, and security reports. Otherwise, the standard individual tier is free.

Bitwarden for Business is able to integrate with single sign-on (SSO) providers and your directory services for federated identities and access.

Bitwarden supports most major mobile and desktop operating systems: Linux, macOS, Windows, iOS, and Android. There is no official ChromeOS support, so there you will have to rely on the browser extension instead.

Bitwarden also supports biometric unlock via Windows Hello and Apple Touch ID, if that appeals to you.

1Password

1Password is a paid, subscription-based password manager and comes highly recommended amongst the cybersecurity and infosec community if you’re looking for a premium, subscription service. In terms of security and privacy, 1Password is encrypted, and only you hold the keys to decrypt it. 1Password boasts that they “can’t see your 1Password data, so we can’t use it, share it, or sell it.”

Like many password managers, 1Password offers mobile and desktop applications for Windows, Linux, macOS, iOS, Android, and even ChromeOS. Browser extensions are available, and if all else fails, there is a command-line utility too.

You can try 1Password free for 14 days, so if you’re not quite sure which password manager to choose, this is a good way to take a test drive. For individuals it’s $2.99 per month, families pay $4.99 per month, and business plans start as low as $7.99 per month.

Dashlane

Dashlane is available in multiple tiers: an always-free, individual account that supports only one mobile device, or a paid subscription for individuals, families, and businesses with many advanced features.

Dashlane boasts that they “have never been breached. And our zero-knowledge patented encryption means not even we can see your passwords.” The company continuously scans 20+ billion breach and hack records to ensure no threat goes undetected as part of its “Site Breach Alerts” notification service.

Other helpful tools, such as a password generator with adjustable complexity and strength ratings and alerts for reused passwords, are all available within a couple of clicks. A VPN service is also included at the Premium subscription tier.

Dashlane has ditched its desktop applications entirely and now operates only through its web portal, browser extensions, and mobile applications (iOS and Android).

Also new to the platform is support for “passkey” or passwordless authentication which enables logging into websites without usernames and passwords. It instead relies upon your smartphone or device to act as an authenticator.

Like 1Password, Dashlane also offers a free trial, in this case for 30 days. Dashlane starts at free for personal use, then $2.75 per month for Advanced personal, $4.99 per month for Premium personal (includes a VPN), and $7.49 per month for Family plans.

Business licenses range from $2 per seat per month up to $8 per seat per month. Dashlane also integrates fully with existing identity providers such as Google Workspace, Microsoft, Azure, Okta, OneLogin, Duo, JumpCloud, and more.

Proton Pass: Free Open Source Password Manager

Proton Pass is a new free, open-source password manager from the creators of Proton VPN. Proton Pass has two tiers: a basic free tier offering password creation and management, unlimited devices, and 10 “hide-my-email” aliases, and a paid tier at a special introductory price of $1 a month (normally $4.99 a month) that adds unlimited hide-my-email aliases, an integrated 2FA authenticator, the ability to organize items into multiple vaults, and auto-filling of credit card information.

If you want to go all-in on Proton services, which now include password management, secure VPN, encrypted email, calendar, and file storage, you can subscribe to the Proton Unlimited membership at $9.99 a month.

Proton Pass is available as a browser extension for Google Chrome, Firefox, Edge, Brave, and more. A dedicated app is also available for Android and iOS devices.

This article has been updated as of 7/2/2023 to reflect the addition of Proton Pass.