
03 Dec
Is LastPass Safe?
LastPass markets itself as the last password a user will ever need, as it allows people to store all their passwords and logins in one secure location.
But what happens if LastPass gets hacked? Will all 30+ million user accounts have their credentials compromised?
Looking for an alternative to LastPass? We’ve tested dozens of tools and NordPass is our favorite password manager.
In this article, we’ll share exactly how secure LastPass is and the types of security measures it implements. We’ll also outline why no password manager can be made 100% hack-proof (plus why you shouldn’t worry).
How Does LastPass Work?
With LastPass, the user creates a master password, which unlocks their LastPass vault. This is the only password a user needs to remember. From there, they can store their passwords and other sensitive information in the vault.
LastPass encrypts and decrypts information on a user’s local device before syncing it with LastPass servers. This means that even if LastPass were to be hacked, the attacker would only gain access to encrypted data, not usable passwords or logins.
What Encryption Does LastPass Use?
LastPass protects the contents in your LastPass vault through 256-bit AES encryption. This means that even LastPass representatives cannot access your information, as it is all encrypted before it ever reaches the server.
LastPass also uses a one-way salted hash, which is an irreversible function. A hash maps your password to a fixed-length string of letters and numbers from which the original password cannot be recovered.
Adding extra data to the hash to make it more complex is called salting. LastPass does this by using the username as the salt for the master password.
LastPass creates a salted hash by putting the username and master password into one-way functions. A regular person wouldn’t be able to reverse the process, even if they obtained the salted hash. Therefore, if an attacker somehow got their hands on the hash, they would still have no way of knowing your actual password.
LastPass additionally protects your information by using PBKDF2-SHA256 rounds. Each round adds work to every password guess, so increasing the number of iterations makes it even more difficult for an attacker to brute-force their way into your account.
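The following is an added example (not LastPass’s own code) that models the key-derivation steps described above: PBKDF2-SHA256 with the username as the salt, and a separate one-way hash for login. The split between a client-side vault key and a server-stored login hash is an assumption of this model, and the credentials are constructed samples.

```python
import hashlib
import hmac
import time

# Constructed sample credentials for demonstration only (not real accounts).
USERNAME = "alice@example.com"
MASTER_PASSWORD = "correct horse battery staple"


def derive_vault_key(username: str, master_password: str, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-SHA256, salted with the username.

    The 32-byte result serves as the AES-256 key for the vault. In this model it
    stays on the client and is never transmitted to the server.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.encode(), iterations, dklen=32
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One further one-way round produces the value the server stores for login.

    Assumption of this model: the server only ever sees this hash, so obtaining it
    reveals neither the vault key nor the master password.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def server_verifies(stored_hash: bytes, presented_hash: bytes) -> bool:
    """Constant-time comparison of the stored login hash against the presented one."""
    return hmac.compare_digest(stored_hash, presented_hash)


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Measure the cost of a single password guess at a given iteration count.

    Higher iteration counts raise this cost for the legitimate client once per login,
    but for an attacker on every single guess.
    """
    start = time.perf_counter()
    for _ in range(trials):
        derive_vault_key(USERNAME, "not the real password", iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    key = derive_vault_key(USERNAME, MASTER_PASSWORD, 100_000)
    stored = derive_login_hash(key, MASTER_PASSWORD)
    print("login ok:", server_verifies(stored, derive_login_hash(key, MASTER_PASSWORD)))
    print("cost per guess @1k:   %.6fs" % seconds_per_guess(1_000))
    print("cost per guess @100k: %.6fs" % seconds_per_guess(100_000))
```

Because the username is the salt, two users who pick the same master password end up with different vault keys and different login hashes, so a leaked hash for one account says nothing about the other.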
Has LastPass Ever Been Hacked?
LastPass has several security features in place to protect its application and user account information and data.
That being said, LastPass (and any password manager) is not impervious to hacks. This is evident as recently as August 25th, 2022, when LastPass experienced a breach in their development environment. This particular instance resulted in some of their source code and technical information being taken.
An internal investigation revealed that the threat actor’s activity was limited to a short period of time. And while the threat actor was able to access the development environment, LastPass’s system design and controls prevented them from accessing any customer data or encrypted password vaults.
While the encrypted information was not usable by the hackers, it did leave some users feeling uneasy about trusting their sensitive information to LastPass.
This issue also led to an unauthorized party using the obtained information to access a third-party cloud storage service, which is currently shared by LastPass and its affiliate GoTo. This was further discussed and made public by LastPass via an update on November 30th, 2022. The matter was escalated to an outside security firm named Mandiant and to law enforcement.
LastPass has also experienced some other hacks throughout its history. Some users in 2021 reported that their LastPass Master Passwords may have been compromised. Although LastPass claimed they hadn’t been breached, many people who received emails warning them of unknown login attempts into their accounts lost trust in the company. Despite this skepticism, LastPass insisted it was simply the result of a credential stuffing attack.
LastPass also had a major outage in 2020, and users reported they couldn’t log into their accounts or autofill passwords. And in 2019, a significant security problem was uncovered by security researchers as well.
This isn’t a full list of security incidents, but it does prove a few things:
- LastPass has been hacked and will continue to be a target of attacks.
- LastPass is transparent about security incidents and proactively communicates with its users when incidents occur.
- LastPass works quickly to rectify any/all vulnerabilities once reported.
With all of this in mind, there’s really only one question that remains: Is LastPass Secure?
Is LastPass Secure?
The aforementioned security incidents might leave you a little uneasy about LastPass, but they shouldn’t. Here’s why:
At the end of the day, LastPass is one of the leaders in password management. Their entire business is dependent on creating a safe and secure infrastructure to protect user data.
But just like with any password manager, or even online service, there will always be a risk of a hack or security breach. Those that are concerned about the security of LastPass should really be inquiring about the security of the web as a whole.
The question isn’t “Is LastPass Secure?”, it’s actually “Are online applications and tools 100% secure?”
In other words, is the Internet safe? No, of course not. Anything online can potentially be hacked, but it’s up to the user to take appropriate security measures and for companies like LastPass to continue implementing robust security protocols.
Investing in cybersecurity is by no means a light investment. In fact, Cybersecurity Ventures estimates that an increase in cybercrime and the need for digitized businesses and consumers to guard against such crimes will drive up expenditure on cybersecurity products and services to $1.75 trillion between 2021 and 2025.
LastPass in its own regard is not a small business. In 2021, they reported $200 million in revenue. And because their business model is predicated on retaining users, it’s in their best interest to continue investing heavily in the latest and greatest cybersecurity measures.
So, will LastPass ever be 100% safe? Probably not. But that falls into the necessary evil conundrum and agreement that we as individuals and companies make when operating in the online world.
For me personally, I feel more comfortable utilizing a well-regarded, profitable company that needs my trust and business to stay in business. To use an analogy, people fly major airlines although there is an implied risk of that plane crashing, mainly because it’s a heck of a lot faster than other forms of transit.
So, would you rather use LastPass and quickly login to all of your accounts? Or would you rather write your passwords down on a piece of paper in some cryptic fashion, and store it in your desk drawer under a landfill of staples, receipts, and expired breath mints?
I’ll choose LastPass, or another well-known LastPass alternative, thank you.