TL;DR: LastPass is broken. All passwords at the time of the breach were taken. They also got internal secrets from a laptop and can now probably throw computational power at anything they want to decrypt.

Switch. Do not use. Change everything you have if you were using it. Treat everything as breached.

  • xXthrowawayXx [none/use name]
    2 years ago

    I was under the impression that lastpass was storing passwords encrypted and even when you use their website without the browser extension it decrypts locally.

    That’s what Bitwarden claims as well and seems to be standard across the different services.

    • tagen
      edit-2
      1 year ago

      deleted by creator

      • groundling20XX [none/use name]
        2 years ago

        This isn’t too realistic even if someone has a cracking program based on the way LastPass encrypts information. Even after this breach your passwords in LastPass are probably still safe, but you should rotate your mfa.

        • tagen
          edit-2
          1 year ago

          deleted by creator

          • xXthrowawayXx [none/use name]
            2 years ago

            Brute forcing encrypted data takes a monumental and in most cases nonexistent amount of computational power.

            I don’t expect it to stay that way, but realistically speaking it’s not something to worry about.

            • tagen
              edit-2
              1 year ago

              deleted by creator

              • xXthrowawayXx [none/use name]
                2 years ago

                not in this case. lastpass, like all the other password managers i know of and a bunch of other cryptographic services, doesn't handle the master passphrase in plaintext when they're receiving it from the app or browser or whatever, so at worst when they apply it to the encrypted block of data that represents the user's other passwords it's salted, hashed and expanded out to the length required by the encryption strength. at that point it doesn't matter how strong or weak the master password that was used is or isn't.

                for the purposes of brute forcing the encrypted file.

                if they're doing the absolute bare minimum to have the user data in a file encrypted by the master password.

                it really seems like I'm defending those ding dongs so uhh... let me be clear: i haven't used lastpass for about seven years now.
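The "salted, hashed and expanded" step discussed in the thread, as an added Python example that is not code from the thread or from LastPass: the master passphrase is stretched with PBKDF2-HMAC-SHA256 into a fixed-length vault key, and a small cost model shows what an offline attack on a stolen vault blob costs. The salt, iteration count, key length and attacker hash rate are assumptions, not LastPass's actual parameters.

```python
import hashlib
import hmac
import os

# Assumed parameters (not LastPass's real values): a 32-byte key for AES-256.
KEY_LEN = 32


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master passphrase into a fixed-length vault key.

    PBKDF2-HMAC-SHA256 mixes in the salt, iterates the hash, and emits exactly
    KEY_LEN bytes however long or short the passphrase is. Expansion fixes the
    key's length, not its entropy: the key is still a deterministic function
    of (passphrase, salt, iterations).
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN
    )


def key_matches(master_password: str, salt: bytes, iterations: int,
                expected_key: bytes) -> bool:
    """Check a passphrase against a stored key in constant time."""
    candidate = derive_vault_key(master_password, salt, iterations)
    return hmac.compare_digest(candidate, expected_key)


def years_to_exhaust(password_space: int, iterations: int,
                     hashes_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every passphrase.

    Every guess costs `iterations` HMAC evaluations, so the iteration count
    multiplies the attacker's bill; the passphrase space sets how many guesses
    are needed. `hashes_per_second` is an assumption you supply.
    """
    seconds = password_space * iterations / hashes_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)                     # constructed per-vault salt
    key = derive_vault_key("correct horse battery staple", salt, 600_000)
    print("vault key:", key.hex())
    print("matches:", key_matches("correct horse battery staple", salt, 600_000, key))
    # ~2^40 guesses at an assumed 1e9 HMAC/s: iterations turn seconds into years.
    print("years, 1 iteration:      ", years_to_exhaust(2**40, 1, 1e9))
    print("years, 600k iterations:  ", years_to_exhaust(2**40, 600_000, 1e9))
```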