Last week, LastPass, a popular password manager, announced that it had suffered a breach in August and November that led to hackers accessing users’ password vaults. While the company insisted that login information was still secure, cybersecurity experts have raised concerns about the company’s statement and its “zero knowledge” architecture.
Wladimir Palant, a security researcher known for developing AdBlock Pro, wrote a blog post criticizing LastPass’s statement, which he called “full of omissions, half-truths, and outright lies.” Palant accused the company of trying to downplay the severity of the August breach, in which “some source code and technical information were stolen,” by presenting it as a separate incident. He also pointed out that the leaked data included “the IP addresses from which customers were accessing the LastPass service,” which could allow the threat actor to build a complete movement profile of a customer if LastPass logged every IP address used with its service.
Another security researcher, Jeremi Gosney, recommended switching to a different password manager due to what he called LastPass’s “bald-faced lie” of “zero knowledge.” Gosney argued that the company has “about as much knowledge as a password manager can possibly get away with,” and that the phrase is misleading because only a few fields in the user’s password vault are encrypted, while the rest is in plaintext. He also pointed out that the encryption only protects users if the hackers cannot crack the master password, which is LastPass’s main defense against the stolen vaults.
Even LastPass’s competitors have weighed in on the issue. Jeffrey Goldberg, the principal security architect for 1Password, wrote a post calling LastPass’s claim that it would take millions of years to crack a master password “highly misleading.” Goldberg argued that this claim assumes a 12-character, randomly generated password; human-generated passwords rarely meet that standard and are far easier for threat actors to guess, because cracking tools prioritize the password patterns people actually use.
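To make Goldberg’s point concrete, here is an added example (not code from LastPass, 1Password or any of the researchers quoted) that compares the expected cracking effort for a uniformly random 12-character password against a typical human pattern such as “Word2022!”. The wordlist, the 100,000-entry attacker dictionary size and the offline guess rate of 100,000 guesses per second against a key-derivation-protected vault are all assumptions chosen for illustration.

```python
import re

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Constructed sample wordlist; the real attacker dictionary is assumed to hold ~100,000 entries.
SAMPLE_WORDS = {"summer", "password", "dragon", "monkey", "welcome"}
ASSUMED_WORDLIST_SIZE = 100_000
# Human pattern: a dictionary word, an optional digit suffix, an optional trailing symbol.
HUMAN_PATTERN = re.compile(r"^([A-Za-z]+)(\d{0,4})([!@#$%^&*]?)$")


def random_password_guesses(length: int, charset_size: int = 94) -> float:
    """Expected guesses for a uniformly random password: half the printable-ASCII keyspace."""
    return charset_size ** length / 2


def patterned_password_guesses(digits: int, word_count: int = ASSUMED_WORDLIST_SIZE,
                               symbol_choices: int = 9) -> float:
    """Expected guesses when the attacker enumerates word x capitalisation x digits x symbol."""
    capitalisations = 2          # lowercase or Title-case
    symbols = symbol_choices + 1  # one of the symbols, or none
    return word_count * capitalisations * 10 ** digits * symbols / 2


def estimate_guesses(password: str) -> float:
    """Pattern-based estimate if the password looks human-generated, else brute force."""
    match = HUMAN_PATTERN.match(password)
    if match and match.group(1).lower() in SAMPLE_WORDS:
        return patterned_password_guesses(digits=len(match.group(2)))
    return random_password_guesses(len(password))


def years_to_crack(guesses: float, guesses_per_second: float) -> float:
    """Convert an expected guess count into years at a given offline guess rate."""
    return guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 100_000  # assumed guesses/second against a KDF-protected vault
    for pw in ("Summer2022!", "x7#Kq2!pL9vR"):
        print(f"{pw!r}: ~{years_to_crack(estimate_guesses(pw), rate):.3g} years")
```

Both passwords are 11 to 12 characters long, yet the patterned one falls in days while the random one is the case the “millions of years” claim describes.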
LastPass has faced criticism and security issues in the past, leading some experts to recommend switching to a more secure password manager. If you’re a LastPass user, it may be worth considering whether you want to continue entrusting the company with your sensitive login information.