LastPass Admits Its Cloud Password Database Has Been Stolen — Boosting Interest in Open Alternatives

With an attacker making off with a backup of the (admittedly encrypted) LastPass database, it may be time to consider offline alternatives.

Gareth Halfacree
1 year ago | Security / HW101

Cloud authentication storage firm LastPass has warned its users that attackers have made off with "a backup of customer vault data" including unencrypted URLs and encrypted passwords — an admission that may have users looking for offline alternatives to better secure their authentication details.

Designed to offer a more secure alternative to password reuse without inconvenience, LastPass allows its users to store unique usernames and passwords for services in an encrypted database behind a single "master password." To make things easier, the database is stored on a remote server and synchronized between devices — including, the company has confessed, an attacker's computer as they gained unauthorized access to a backup of the full encrypted vault plus selected unencrypted information.

While the critical data was encrypted, LastPass warns that "the threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took." With the data now in unknown hands, there's little LastPass users can do — bar change their passwords for every site they had stored on the service. The potential loss of confidence in the service, though, may give some cause to investigate more secure alternatives — of which we here at Hackster have seen plenty.

Dan Murphy's PasswordPump 2.0, for instance, is an open-hardware gadget that stores up to 250 username and password combinations in an encrypted database on two EEPROM chips — and if you don't have physical access to the gadget, there's no way to get at the passwords contained therein. The Mooltipass Mini BLE works on a similar principle, with the additional security of having the encryption key stored on a removable smart card, which is in turn locked with a four-digit hexadecimal PIN. The M5Stick-based PassStrong, meanwhile, generates hard-to-guess passwords and stores them in its own memory — and costs a fraction as much as competing solutions.

Alternatively, you can go low-tech: The Mnemocard is little more than a sheet of plastic, with no electronics or moving parts, but promises high password security by turning easy-to-recall patterns into hard-to-guess passwords mixing letters, numbers, symbols, and a variable not printed on its face. DiceKeys, meanwhile, focus on secure key generation through physical entropy — the rolling of actual dice, which can then be read by eye or by camera.

Another option for securing accounts is the use of two-factor authentication — something you have or are, as well as the password you know — in order to render stolen or guessed passwords entirely useless. Conor Patrick's Solo V2 launched two years ago as an upgraded successor to the world's first open-source U2F dongle to implement the FIDO2 standard, while the URU Key has the twist of including a fingerprint scanner to require biometric authentication before confirming a login.

The 3D-Auth concept gives users a custom-printed physical object to serve as a "key" for touchscreen devices. (📹: Marky et al)

Then there are the more out-there options, such as 3D-Auth: 3D-printed physical objects, designed by researchers from TU Darmstadt and Keio University in Japan, which combine two authentication factors into a single physical object. For the retro-heads, there's even the option to blend the modern world of time-based one-time password (TOTP) authentication with vintage hardware: Cameron Kaiser has written and released a TOTP 2FA generator for the Commodore 64 and compatible eight-bit microcomputers.

More information on the LastPass attack, meanwhile, is available on the company blog.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.