December 27, 2022
by Steve Endow
On December 22, 2022, LastPass disclosed that an attacker had copied a backup of customer "vault data" following the cyberattack and data breach that occurred in August 2022.
Aside from the obvious bad news, I initially learned of two interesting things about LastPass that I never would have thought to consider when evaluating password managers.
1. While web site username and password values are encrypted, the URL for the web site entry is not encrypted by LastPass. I believe this poses a security risk for LastPass users.
2. Prior to 2018, LastPass used 5,000 iterations in the key derivation process. In 2018, they increased that to 100,100 iterations. Even if you don't know what key derivation iterations are, just make note of that significant change. From what I've read, older vaults were not automatically upgraded to the more secure configuration. In theory, this means that vaults created prior to the 2018 upgrade are potentially more vulnerable to brute force password cracking.
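To show concretely what the iteration count changes, here is an added Python example (not from the original post or from LastPass) that derives a vault key at the pre-2018 and post-2018 counts and compares the per-guess cost; it assumes PBKDF2-HMAC-SHA256 with the account email as the salt, and uses constructed sample credentials.

```python
import hashlib
import time

# Iteration counts quoted in the post: pre-2018 default vs. the 2018 default.
OLD_ITERATIONS = 5_000
NEW_ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Assumption for this example: the lower-cased account email is the salt
    and the output is 32 bytes. The iteration count is the only knob that
    differs between the pre-2018 and post-2018 configurations.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def relative_guess_cost(old_iterations: int, new_iterations: int) -> float:
    """How many times more work one password guess costs at the new count.

    PBKDF2 cost is linear in the iteration count, so the ratio is the factor
    by which an offline attack on a stolen vault slows down.
    """
    return new_iterations / old_iterations


def time_one_derivation(iterations: int, samples: int = 3) -> float:
    """Average wall-clock seconds for one derivation (machine dependent).

    The password and email are constructed sample values.
    """
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("correct horse battery staple", "user@example.com", iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    t_old = time_one_derivation(OLD_ITERATIONS)
    t_new = time_one_derivation(NEW_ITERATIONS)
    print(f"{OLD_ITERATIONS:>7} iterations: {t_old * 1000:.2f} ms per guess")
    print(f"{NEW_ITERATIONS:>7} iterations: {t_new * 1000:.2f} ms per guess")
    print(f"theoretical cost factor: {relative_guess_cost(OLD_ITERATIONS, NEW_ITERATIONS):.2f}x")
    print(f"measured cost factor:    {t_new / t_old:.2f}x")
```

A vault still at the old count gives an attacker roughly a 20x discount per guess, which is why a vault's iteration setting is worth checking and raising rather than assuming it was upgraded.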