Readit News
8organicbits · 2 years ago
> The forced logout + MFA resync events are taking place as we increase all customer's password iterations.

Typically you just need to wait for a user to log in, then validate the password against the old hash and create a new stronger replacement hash. Ending all sessions is a good way to log everyone out and force that. But I'm confused.

If weak password hashes were leaked, then the passwords need to be changed too. Increasing the rounds doesn't prevent attacks on the previously leaked weak hashes. Maybe they expect everyone already did that but some people did it before they increased the hash rounds?

The MFA reset shouldn't be related to the increase in hash rounds, those are unrelated. So they must suspect the MFA seeds were also stolen, but aren't saying it, right?
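
The rehash-on-login flow described in this comment, and the point that a higher iteration count does nothing for a hash that was already copied, as an added example (not code from the original post, and not LastPass's implementation). It assumes PBKDF2-HMAC-SHA256 and a constructed per-user store; the 600K target is the figure quoted later in the thread, the 5K legacy count is a constructed stand-in for an old weak setting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Iteration counts are assumptions for this example: 600_000 is the "healthy
# default" quoted in the thread; 5_000 stands in for an old, weak setting.
TARGET_ITERATIONS = 600_000
LEGACY_ITERATIONS = 5_000


@dataclass(frozen=True)
class StoredHash:
    """One user's credential record: the KDF parameters travel with the digest."""
    iterations: int
    salt: bytes
    digest: bytes


def make_hash(password: str, iterations: int) -> StoredHash:
    """Hash a password with PBKDF2-HMAC-SHA256 under a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return StoredHash(iterations, salt, digest)


def verify(record: StoredHash, password: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record.salt, record.iterations
    )
    return hmac.compare_digest(candidate, record.digest)


def login_and_upgrade(store: dict, username: str, password: str) -> bool:
    """Authenticate, and transparently rehash if the record is below target."""
    record = store.get(username)
    if record is None or not verify(record, password):
        return False
    if record.iterations < TARGET_ITERATIONS:
        # Same password, stronger parameters, new salt: the old digest is retired.
        store[username] = make_hash(password, TARGET_ITERATIONS)
    return True


def change_password(store: dict, username: str, old: str, new: str) -> bool:
    """Rotate the secret itself; this is what actually invalidates a leaked hash."""
    if not login_and_upgrade(store, username, old):
        return False
    store[username] = make_hash(new, TARGET_ITERATIONS)
    return True


def demo() -> dict:
    """Walk through the thread's scenario on a constructed single-user store."""
    old_pw, new_pw = "correct horse battery staple", "new unrelated passphrase"
    store = {"alice": make_hash(old_pw, LEGACY_ITERATIONS)}
    leaked_copy = store["alice"]  # an attacker's snapshot taken before the upgrade

    login_ok = login_and_upgrade(store, "alice", old_pw)
    result = {
        "login_ok": login_ok,
        "iterations_after_login": store["alice"].iterations,
        # Upgrading the live record does nothing to the copy already exfiltrated:
        "leaked_copy_still_verifies": verify(leaked_copy, old_pw),
        "leaked_copy_iterations": leaked_copy.iterations,
    }
    change_password(store, "alice", old_pw, new_pw)
    # Only rotating the password makes what the leaked copy reveals useless.
    result["old_password_works_after_rotation"] = verify(store["alice"], old_pw)
    result["new_password_works_after_rotation"] = verify(store["alice"], new_pw)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Forcing every session to end makes each user pass through `login_and_upgrade`, which is why a mass logout is a blunt but effective way to drive the rehash; the `leaked_copy_still_verifies` result is the reason a rounds increase alone is not a remedy for hashes that already left the building.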

gurchik · 2 years ago
> The MFA reset shouldn't be related to the increase in hash rounds, those are unrelated. So they must suspect the MFA seeds were also stolen, but aren't saying it, right?

They were stolen, but they weren't very clear about it.

Their summary of their latest security incident[1] says attackers stole:

> Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.

This summary links to a page[2] with more information, but actually on this page they give less information, saying only:

> [Customer Secrets accessed includes] Multifactor Authentication (MFA) seeds - MFA seeds assigned to the user when they first registered their multifactor authenticator of choice to authenticate to the LastPass vault.

1: https://blog.lastpass.com/2023/03/security-incident-update-r...

2: https://support.lastpass.com/help/what-data-was-accessed

Wowfunhappy · 2 years ago
> If weak password hashes were leaked, then the passwords need to be changed too. Increasing the rounds doesn't prevent attacks on the previously leaked weak hashes. Maybe they expect everyone already did that but some people did it before they increased the hash rounds?

I assumed they were just increasing the rounds as a general good practice. The best time to plant a tree was ten years ago, the second best time is now, and all that.

crote · 2 years ago
If it is just a regular rounds increase, why force an immediate re-auth on all users? It would be way more user-friendly to just wait 6 months or so for natural re-auths to occur, and only do a forced re-auth on the few remaining users afterwards.

palata · 2 years ago
Genuine question: why are there still LastPass users?

I mean, if you have a password manager, it means that you somehow care about your passwords. If you have LastPass, it means that you chose something that was not the default Google Wallet or Apple whatever-it-is-called.

Are there so many LastPass users who haven't followed the news in the last 2 years?

yallpendantools · 2 years ago
I'm a developer by profession and I almost didn't switch from LastPass after their breach last year.

Simply put, after all the reports of last year's breach, I assessed how vulnerable I am. First, my LastPass settings were such that I shouldn't be too affected by their breach; among other things in their self-assessment report, I had the "new" healthy default of 600K iterations. Also, the three most important accounts forming the basis of my online identity were never on LastPass and had unique passwords.

(And yeah, I understand that the security issue isn't purely on technical merit but also a social question of LastPass' reputation as a company. But on a personal level, I didn't really care that much. Moving on...)

Hence, on a personal basis, I didn't see much reason to switch out. The alternative would be the hassle of evaluating a new password manager, exporting data from LastPass, setting up the new password manager on my devices, importing my pre-existing vault, tweaking the new password manager so it behaves as I expected, etc. I know I'm playing the world's smallest violin with this grievance but that's really how it was. I think there was also a confluence of other factors why I didn't want this hassle on my plate at the time (e.g., I remember this was end of last year and I'd rather focus on my holiday arrangements).

I did reach out to family members whom I might've recommended LastPass to in the past though, and advised them to switch out. I didn't believe they could make the same self-assessment that I did.

In the end, I did switch to Bitwarden though. I did go through the hassle as I thought I would but articles like this make me glad I did. The decisive factor for why I did it anyway was that I realized that I might have some passwords/keys in my vault that I use professionally so, out of professional prudence, I switched. Were I not a developer, I might not have had this factor at all.

charles_f · 2 years ago
It's not about the leak itself, but the laxness of their operational policies that resulted in it, the low level of ownership they demonstrated in communication through the incidents, the weird design decisions that were made to leave parts of wallets unencrypted, that you would never know of since it's all a black box (1pwd for example open-sourced some of their designs).

NegativeK · 2 years ago
I've been involved in switching users in a corporate environment from one password manager to another.

You want to irritate non-technical people? Tell them that they need to use a password manager.

You want to irritate even technical people? Tell them that the password manager you had to force them to use is going to be replaced by a new one, and _they_ have to do the export/import steps -- despite the fact that their boss is breathing down their neck for four projects that are late, half of which they have no control over.

I'm glad I don't have to worry about the Lastpass breach, but I can absolutely commiserate with anyone who has to care about password managers for other people.

jeroenhd · 2 years ago
You want irate non-technical people? Tell them they need to come up with something better than Password123.

People hate passwords. You can explain to them why passwords are important, how people from the outside can do all kinds of nasty things if you pick weak ones, but people will ignore all that because they never need to deal with the fallout.

When these people eventually get hacked, they will blame their computers, their antivirus, their browsers, the websites they use, and most likely also the most recent person who touched the computer.

Password security is like herding toddlers. This is why I'm looking forward to a future where physical keys and passkeys are supported essentially everywhere. We don't even need them as 2FA because they work fine as a first factor in most cases, though 2FA would be much better of course.

And to be honest, whoever manages normal people's IT is probably partially to blame for the hate most people have for passwords. Things like monthly password resets, session tokens that last less than a work day, separate passwords with slightly different usernames across different applications, and all kinds of other useless limitations are why people hate passwords so much: using a password manager once or twice is fine, but having to use it to copy/paste passwords every other hour is tedious and terrible.

Companies unable or unwilling to fix their terrible password setup should invest in something like Yubikeys to at least make the process less frustrating. The difficult part is getting a backup when people lose their keys, but you can probably use passwords as a fallback until a new key can be arranged.

maerF0x0 · 2 years ago
> and _they_ have to do the export/import steps

At least for a personal account, the 1password import tool worked flawlessly (as far as I can tell after about a month switched).

Does it not work for enterprise? Or perhaps each would have to run it?

Waterluvian · 2 years ago
Yes. Most of them.

It’s such an important lesson for informed people, and tech people, especially, to learn: our context is absolutely not the common one. Things that are obvious and clear to us are a world away for most others.

Trufa · 2 years ago
I am pretty tech savvy, read HN often and still use it.

Partially laziness, partially hard to change flows, partially hard to migrate, partially I don’t believe that it’s THAT bad, though the last one is the one I’m least sure about.

iLoveOncall · 2 years ago
But you don't even have to have followed the news. LastPass has sent an email to all its users informing them of the somewhat recent breach.

I had already left by then but I would have otherwise.

secabeen · 2 years ago
Bitwarden still doesn't have as good a multi-account workflow as LastPass does. They finally added multi-account support late last year; that was a full blocker for me, as I need access to both my personal and work vaults on my devices. Now that they have multi-account support, it's better, but they still are significantly worse than the LP approach. If they get multi-account search working as requested here, I might finally switch over:

https://community.bitwarden.com/t/implement-multi-account-se...

dgrin91 · 2 years ago
Time.

Password managers have a stickiness to them. Moving is hard. There are import/export functions, but I found all of them have issues.

Moving needs to be fast and seamless enough that I can move my entire family without hassle. That's why I'm stuck.

palata · 2 years ago
I exported my LastPass vault (yeah I used to be on LastPass...) and imported it into Bitwarden. Maybe I was lucky, but I was amazed by how simple it was. It took like 2 minutes, and it just worked.

wruza · 2 years ago
Some of them may be company-plan users who can’t choose and it’s hard to replace overnight.

latexr · 2 years ago
> the default Google Wallet or Apple whatever-it-is-called.

It’s just called “Passwords”. Consistent with “Mail”, “Notes”, “Reminders”, “Calendar”, but it doesn’t have a dedicated app like the others (it’s inside System Settings).

holiveros · 2 years ago
Probably mostly companies stuck with long-term contracts.

The global company I work at uses it, they have an enterprise-wide contract. Migrating to something else is just a massive PITA, extra costs & sure downtime.

x3874 · 2 years ago
Good question. I cannot even 100% remember why I left a couple of years ago. IIRC it was a compromised cache / logon on a device I didn't control anymore and the general uneasiness of having my digital identities stored on a foreign service that could be hacked / could lock me out any time.

Keepass plus syncthing works for me; Keepass' autotype is great.

paultopia · 2 years ago
Frankly, it's a crappy landscape:

1. The main competitor everyone knows about, 1Password, has its own problems. (I gave up on it a couple years ago after learning that you can't quit the goddamn macOS application when it's logged out. It literally requires you to be logged in to make use of a super-secret-strong quit that doesn't leave some daemon on the system. Which is incredibly irritating when you're trying to just run a software update but instead you have to type your super long and secure password manager password.)

2. Transitioning passwords is hard even once you find a good alternative. One should change passwords after a breach, but there are basically three options: (a) use the automated password changing within the old password manager. But if you don't trust your password manager after a breach, it's probably a bad idea to use the automated password changing feature of said password manager and end up with your new passwords in the insecure service. (b) import everything to a new password manager and change from there. But if you have a lot of passwords, there's a good chance the new password manager won't be able to automatically change them all, and then you'll either have to carve out a huge amount of time to do it all at once, or have a mixture of secure and insecure passwords in the new password manager, which seems very problematic. (c) gradual transition: move the mission critical passwords first and change them on the spot, then as you use a less important service, change the password for that and move it to the new service as you go. Which makes sense, but means you'll still be using the shitty old one for a while.

skrause · 2 years ago
I recently discovered Vaultwarden (https://github.com/dani-garcia/vaultwarden) and love it. It's basically a single Rust binary (self-compiled: https://github.com/dani-garcia/vaultwarden/wiki/Building-bin...) with a SQLite3 database running on my own server, implementing the Bitwarden server API. I can use all the official Bitwarden apps on my phone and desktop, but have the backend and backups under my own control.

DistractionRect · 2 years ago
Caveat, bitwarden-cli isn't supported last I checked. They also only implement a subset of bitwarden features. Not to knock Vaultwarden, I've used it for years and have no plans to migrate anytime soon.

The bitbetter project[0] shims bitwarden licensing for personal use. It might be better if you're looking for complete feature parity and client support.

[0] https://github.com/jakeswenson/BitBetter

jeroenhd · 2 years ago
What parts of the cli doesn't Vaultwarden support? The cli client works fine for me when it comes to basic password operations.

I'm aware that the backend doesn't implement every API Bitwarden has but I've also never noticed any missing features. It did take some time before Bitwarden Send was implemented, but I can't fault the devs for that. I also expect the upcoming BW passkey support to take a while to make it to Vaultwarden.

Personally, the whole organisations thing is only a nice to have when it comes to hosting Bitwarden. The standard Bitwarden installation eats up gigabytes of memory for (I assume) optimizations for large installations that most self hosters probably don't really need.

0x0000000 · 2 years ago
> They also only implement a subset of bitwarden features.

Any idea what's missing?

Vaultwarden does add TOTP support, which the free official server didn't last time I checked, so while it may be missing features, it also unlocks features you wouldn't have without paying.

sdht0 · 2 years ago
Bitwarden is also moving towards a unified docker image [0] that allows using SQLite or Postgres instead of the earlier mess of containers. Working pretty well for me and avoids having to trust an additional 3rd party.

[0] https://bitwarden.com/help/install-and-deploy-unified-beta/

makach · 2 years ago
1Password is probably the best kept secret when it comes to password managers. I don’t understand why more IT professionals don't advocate this software.

maerF0x0 · 2 years ago
+1 Made the switch this quarter. It's practically the same price, incredibly easy to switch, comfortably similar if you've used lastpass before... And as I went through this process I also discovered despite breaches and insecurity, my LP account actually had some hardening issues remaining that they fixed for new signups, but failed to do so for long time customers. So fuck them. (I've since rolled many of the most important credentials btw)

1. Comb through your last pass, and delete cruft

2. Signup for 1password https://1password.com/switch/

3. use their auto import tool to pull from lastpass

4. Profit for ~3 months just for safety

5. Delete each item in last pass (who knows if they do hard or soft delete?)

6. Request account deletion https://lastpass.com/delete_account.php

pasc1878 · 2 years ago
The big problem is that you have to store the information on 1Password's site.

I can't see how any business would allow secrets to be stored on hardware they don't control

Earlier versions allowed the store to be on other sites like dropbox for syncing or on your own servers or a mix.

Note I do use 1password as I don't need any corporate secrets at the moment. It allows me to use other browsers than Safari and also Windows and macOS

SparkyMcUnicorn · 2 years ago
Everything is end-to-end encrypted, SOC 2 certified, PCI and HIPAA compliant, and they've been audited many times https://support.1password.com/security-assessments/

If businesses can't trust any of that, then we wouldn't have any online businesses.

devnullbrain · 2 years ago
> I don’t understand why not more IT professionals advocate this software.

I can have an offline password manager that just works, for free, and I don't have to worry about backdoors or hackers or incompetence.

ChiefEngineer · 2 years ago
Cost. Get a quote for a few thousand users from each vendor. Bitwarden and LastPass will come in around $50k, where 1Password will quote you $75k and have no flexibility to be competitive on their pricing. LastPass will probably drop to $40k later in your decision process to entice you to pick them.

LastPass has known issues and IT departments can make an understandable recommendation to the business to pick Bitwarden even with a slight cost premium. There is nothing to justify the insane premium 1Password demands. I have seen them lose multiple contract opportunities because of this.

Note: The dollar quotes are made up numbers, but the percentage differential is real. 1Password is often 50% higher in total cost.

realitythreek · 2 years ago
Surely 75k for a secure password manager is better than 50k for an insecure one. They’re failing at their core competency.

pletnes · 2 years ago
Seconded. I’ve used Lastpass at work a few times and I have zero idea why they still exist - 1password is much better and other competitors exist, too.

ClumsyPilot · 2 years ago
I don't like any of this. Your passwords need to be with you, not rely on a server.

I use KeePass, it stores all passwords in a file, encrypted. The file can be stored in Onedrive/Dropbox/ etc.

But the point is, if all the servers in the world go down, I have all my passwords in a local copy. There is also an android app.

You can even edit the database file independently on desktop and on mobile and it will be able to merge two conflicting files.

https://keepass.info/download.html

93po · 2 years ago
Reminder for anyone with keepass on iOS, make sure it isn’t the malware one. I had it and had to change all my passwords

BrotherBisquick · 2 years ago
There's malware on the iOS app store?

What's the point of all that garden-walling and 30% tax and hoops you have to jump through if there's still malware?

8organicbits · 2 years ago
I think this is partially true. LastPass has offline support so the LastPass servers temporarily being inaccessible doesn't need to be an issue. But you're right, it's not "offline first".

There's lots of reasons not to use LastPass but I don't think this is high on this list.

[1] https://support.lastpass.com/s/document-item?language=en_US&...

Barrin92 · 2 years ago
> Your passwords need to be with you, not rely on a server.

Pretty much all password managers including Lastpass do store the vaults on your device and you can access them offline. The issue here is the borked MFA reset.

iudqnolq · 2 years ago
Your setup sounds great. You might find it interesting that it's also very close to what 1Password does.

1Password apps store local state in an SQLite database. They then package up that database and encrypt it with your chosen master password and a randomly generated password. (The random password is only to protect users who picked a weak master password against a server breach, so it's stored in plaintext on your computer). That encrypted file is uploaded to their server.

There is also an android (and iOS) app. If you edit independently conflicts are merged.
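
The two-secret unlock described in this comment (a user-chosen master password plus a randomly generated secret kept on the device), as an added example that is not 1Password's code and not their documented construction: the split of the key into a PBKDF2 half and an HMAC half, the labels, the verifier check, and the 600K iteration default are all assumptions made here for illustration. It shows why a copy of the vault header taken from the server cannot be unlocked with the master password alone, even when that password is weak and the guess is right.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

KEY_LEN = 32


@dataclass(frozen=True)
class VaultHeader:
    """What the sync server holds: a salt, a key-check value and the KDF cost.

    The unlock key itself and the device-local secret never appear here.
    """
    salt: bytes
    verifier: bytes
    iterations: int


def derive_unlock_key(master_password: str, secret_key: bytes,
                      salt: bytes, iterations: int) -> bytes:
    """Combine a slow password-derived half with a random-secret half.

    Illustrative construction (assumed, not any vendor's published scheme):
    the password half is the part an attacker would have to brute-force, the
    secret-key half carries 128 bits of entropy that only lives on the device.
    """
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, iterations, dklen=KEY_LEN
    )
    sk_part = hmac.new(secret_key, b"vault-unlock" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check(key: bytes) -> bytes:
    """Value stored with the vault so a candidate key can be checked."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def create_vault(master_password: str, iterations: int = 600_000):
    """Return (header to upload, secret key to keep locally)."""
    secret_key = os.urandom(16)  # generated once, stored only on the user's devices
    salt = os.urandom(16)
    key = derive_unlock_key(master_password, secret_key, salt, iterations)
    return VaultHeader(salt, key_check(key), iterations), secret_key


def unlock(header: VaultHeader, master_password: str, secret_key: bytes) -> bool:
    """True only when both secrets reproduce the key the vault was sealed with."""
    key = derive_unlock_key(master_password, secret_key, header.salt, header.iterations)
    return hmac.compare_digest(key_check(key), header.verifier)


def demo(iterations: int = 600_000) -> dict:
    """Constructed scenario: a deliberately weak master password, 'hunter2'."""
    header, local_secret = create_vault("hunter2", iterations)
    return {
        "device_with_both_secrets": unlock(header, "hunter2", local_secret),
        "device_with_wrong_master": unlock(header, "hunter3", local_secret),
        # Server-breach view: the header was copied and the master password is
        # even guessed correctly, but the device-local secret is absent.
        "server_copy_right_password_no_secret": unlock(header, "hunter2", b"\x00" * 16),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The trade-off the comment mentions follows directly from the code: because `secret_key` is stored on the device (in plaintext, as the comment says), it protects against a server-side breach but not against someone who already has the unlocked device, where the master password alone is doing the work.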

account-5 · 2 years ago
I genuinely don't know why people don't use offline databases like keepass. The convenience of online password management is not worth the hassle they can cause. Albeit lastpass appears to be the worst!

Dayshine · 2 years ago
Because I have four devices I need my passwords on, on three different OSs, and no admin on one.

All of my banks use a mobile app for confirming transactions, which requires me to login. Sometimes that requires reauth not just biometrics. I'm not going to go home and try and type a 20-30 character password into a phone when trying to pay for car parking.

account-5 · 2 years ago
I'm managing fine with the same situation with keepassxc/dx. No need for a third-party to manage my passwords for me.

predictabl3 · 2 years ago
I use "pass" with a yubikey and happily use it from Windows, Linux, Android.

It syncs via git and syncthing.

I think I've been using this longer than BitWarden has existed and will be using it after something happens with BitWarden and triggers another migration.

Once again, a one-time learning and cost of setup has saved me countless headaches and time not spent migrating over the years.

ilikehurdles · 2 years ago
Back when 1Password honored its offline, non-subscription license we bought, we could store the encrypted vault in a cloud storage service like Dropbox (or your own server) and simply set up other instances of the 1Password client to use the vault on that folder.

SoftTalker · 2 years ago
I agree. If you don't totally own your password manager, you are at the mercy of the company that does.

I use password store (the pass command-line utility); at its core it's GPG-encrypted files in a local git repo, with a convenient command-line utility to manage them. It's cloud-free, runs on my local machine. If you need to sync, you can use git push/pull to do that.

I don't use it from mobile as I do very little on my phone that requires a password, but if you need that there are options:

https://www.passwordstore.org/#other

lolinder · 2 years ago
I've been using Bitwarden for a very long time without any hassle. It just works. Technology-wise it's effectively the same thing as KeePass+Dropbox, just bundled. It's even open source, so I could export my data and self-host it if needed.

I would be careful about judging the experience of all online password managers based on LastPass.

therealdrag0 · 2 years ago
Can the DBs get merged or are they subject to conflict race conditions? Years ago I experienced hassle and data loss (not of passwords) due to local-first sync solutions such that I’m very wary of them now.

account-5 · 2 years ago
Race condition? In the context of my usage that's not possible; I'm the only user, and am accessing the data on one device at a time. Even less so since I'm essentially using sneakernet rather than cloud storage for "sync".

causality0 · 2 years ago
Why would LastPass let you "unsubscribe" from critical security emails like "hey you're gonna be locked out"? Or have they tied critical emails to marketing garbage emails in their communication preferences?

semiquaver · 2 years ago
I recently had to start using Lastpass for work and I am absolutely mind-boggled at what an all-around terrible piece of software it is. I have my complaints about 1Password but those are peanuts compared to the mile long list of show-stopping bugs and UX problems I experience every day with LP. Irredeemable garbage.