Can you lose maybe 25 million peoples vaults and still claim to be a secure secret management company? Does that even fly? Does it matter that you lose all the metadata (IP access logs), URLs and vast amounts of other metdata but don’t worry ~5 fields are encrypted so as long as your master password is never cracked… yawn…
Setting an Example
I use a range of different mechanisms. I have offline secret stores, Keepass in cloud storage and I was a user of LastPass. I also deploy monitoring, Multi Factor Auth etc. so I try and have a defence in depth approach. So why would I use LastPass rather than the other home brew style solutions (which I also use)? Well, it should be fairly simple, I want to promote usage and adoption, to help move the needle for the masses not just those with the motivation and interest to secure everything down with custom bolt on style solutions (they aren’t bad they just, for me are not for the mass market)
Well I wanted to show people that the UX wasn’t awful (it wasn’t) and that in a world of hundreds of accounts, super weak passwords and password re-use that this simple to use solution would improve their security (even if they couldn’t stomach MFA on every service (most people can’t, it annoys them and they seem to miss the point until their Facebook/Instagram etc. get’s pwn3d!) so I was there in the crowd, but I f*ck3d up.. I trusted what they and other people had said, and I never ripped it apart. There is after all, some level of trust required in the world. If your job is to manage and protect secrets, you would assume that you would move heaven and earth to ensure someone couldn’t steal large volumes of data… purely securely. But perhaps (as has been proven) that assumption was very misguided.
I’m going to be moving to another SaaS provider. I haven’t quite worked out which one, I’m currently testing out BitWarden and 1Password is not firmly on my list.
I’m not panicking about the LastPass breach, my master password is strong, the rest of the damage is done. I hope they sort their act out, or if they can’t find the resolve to do that (and take steps to protect the people that are at risk!) maybe they need to think about doing something else.
Will I consider using them again? Perhaps, but the damage to trust is catastrophic and for now (and this is rare for me) I will probably actively say, I would not recommend them. That leaves them and D*rkTrace as being two companies on a very small list where I say… actually, probably better options elsewhere.
I believe my defences are “ok” given the loss of data is similar to the loss of a laptop with FDE but covered in stickers so you would know it’s mine, but you couldn’t read secrets. I am however now embarking on a journey to conduct a more robust level of assurance before I find the next solution to embrace, because fundamentally I believe our job as security professionals is to help the many vs helping the few (the ones who already will likely take steps with hardware tokens and encrypted vaults (like KeePass)). Like most things in life, we must accept a level of risk, I’ll be looking to accept that risk somewhere else in the very near future… and who know’ s… even that could turn out to be problematic in the future, after all… where there’s data involved, the possibility for theft exists, it’s just how many layers there are and how strong they can be that matters.