Update - Dropping LastPass
I did a post just about 10 days ago about sticking with LastPass as one of two password managers I use to keep my passwords strong and safe. Since then, I read a good short piece on this by an old friend/colleague and a few other articles by people and organizations I respect. None of these were positive about LastPass’s breach history, and one or two were scathing about the company’s public response to their latest breach.
Thinking on these posts while I was changing all the passwords I had in LastPass was like a last straw for me. As I mentioned in my first post on this, I also use Bitwarden, and have been using it as my primary for a couple of years. So over the last few days I changed my approach and:
In Bitwarden, changed the passwords for all entries that also existed in LastPass
Deleted all those entries in LastPass
Pulled into Bitwarden the very few items that were only in LastPass before, changed their passwords, and deleted them from LastPass
Canceled my LastPass subscription
Some of the above is perhaps in the “abundance of caution” category, as the vast majority of my entries in both password managers have MFA in place through an authenticator app and/or time-based one-time passwords, or a security key. I still feel good about making this change though.
I have no bad feelings towards LastPass. I hope they are able to address the issues that led to recent compromises and repair their reputation as well.