Q: I’m concerned about the recent breaches at LastPass, so I’m considering a switch to 1Password. Before making the switch and deleting my LastPass account, what should I know, or should I be using a cloud-based password manager at all?
A: Password security continues to be one of the most challenging issues regardless of how tech-savvy you may be. We all have a plethora of online accounts, which makes remembering every long, complex password we generate without some form of help impossible.
The go-to for most is to use the same password on multiple accounts, which is extremely dangerous because of the constant threat of data breaches. Anyone using the same password on multiple accounts can easily be compromised across all those accounts from a single breach on any of them.
A common refrain in the cybersecurity world is that there are three types of companies in today’s world: Those that have been breached, those that will be breached, and those that have been breached but don’t know it yet.
Stolen credentials are routinely fed into automated bots that will use something known as ‘credential stuffing’ across thousands of popular online sites to see where else the password is being used. If you’re still using the same password everywhere, stop immediately!
Some form of a password manager isn’t an option but a necessity for every one of us.
Recent breaches at LastPass
In the past, I’ve recommended LastPass as a solid password manager, but several recent incidents have understandably shaken the confidence of millions of users.
The CEO said cybercriminals acquired customer data, including names, email addresses, phone numbers and some billing info, and could attempt to ‘brute force’ the master passwords of the breached information.
The breach itself is disconcerting, but concerns about how they handled the disclosure to the public may be just as much of a consideration for those on the fence about switching.
Urgent measures for LastPass users
Whether you plan to continue using LastPass or switch to another option, you need to change your master password and all the associated passwords on all your accounts to play it safe. The stolen passwords, although encrypted, can potentially be broken which would instantly expose you to a massive problem.
Since you’re going to have to go through all this extra work anyway, it’s a good time to consider an alternative if you don’t want to rely on LastPass any longer.
Exporting data from LastPass
The good news is that you can switch to a new password manager with relative ease using the export function in LastPass.
See here for all the specifics of transferring from LastPass to 1Password — or just the export instructions for use in any other program.
Should I stop using cloud-based managers?
The first thing to understand is that virtually anything you use for managing your passwords has inherent risks, so choosing the option with the lowest risk is key.
We’ve established that using the same password everywhere is the highest risk, so anything else you choose will be less risky.
Creating a hidden file on your smartphone and/or computer is exponentially safer than using the same password everywhere, but encrypting all your credentials is even more secure.
The ultimate question is whether a cloud-based service’s approach is more secure than whatever you’re doing now.