LastPass breach and implications for BitWarden

No it’s not - and unfortunately a lot of them don’t know what they are talking about - they just parrot each other talking about features…

Some of these have been shared here in this thread earlier or in other posts on the community (these are general ones so not all are LastPass specific):

The Diceware Passphrase Home Page - A better way to create strong passwords.


Also these guys seem more reliable as they look a little more at technical features and in the case of LastPass (when compared to 1Password in a side-by-side review) it failed due to the numerous security incidents. In the link below Bitwarden comes out ahead of 1Password in their side-by-side review of the two they consider possibly the best options available. But I can’t vouch for them in any way - just my anecdotal ‘gut feel’ is they are a bit better with their reviews…

Yes, okay. Thanks.
I will read those pages with interest.

There are many things that I’m not yet aware of, about how a password manager works, I’m reading and learning. It helps to understand.
I was reading for example that little PCmag article
We are told how the master password is used, how it never leaves the device!
I like PCmag. Why? I do not know.
We incidentally learn that LastPass already had a problem, quickly corrected, in 2019, and LastPass is rated as excellent, which it surely is, but we know now that that didn’t prevent the leaks (perhaps because of a human error, and data theft).

Again in PCMag I read this article
“No, LastPass Didn’t Expose Your Passwords”
It’s interesting and the article ends with this:
“When LastPass imposed limits on the use of its free edition, many users jumped ship. Given that your passwords weren’t actually exposed in this latest breach, is there any real reason to switch password managers? Perhaps there is. LastPass was among the first password management programs, and it’s extremely well known, so it’s a big target. Conceivably you might be safer choosing an effective but less famous password solution. You can even get excellent free password management from PCMag Editors’ Choice winner Bitwarden”

I’m not sure if that second article is actually 100% correct. [EDIT - removed redundant sentence due to publishing date in grb’s point below]

There is a lot of conflicting information about exactly what LastPass did and didn’t have taken, and it’s highly likely they haven’t been fully open about exactly what that is and how much was taken. As mentioned previously they have had at least 7 breaches over recent years (at least that they have publicly admitted to) and do come across as a bit dodgy and slippery with the truth - remember they could have announced this breach 6+ weeks ago and chose not to.

Also FWIW I am not so enamoured with PC Mag any more (or other similar outfits like CNet) - in recent years reviews and such I’ve looked at from them (incl. from the different ‘countries’ they have website profiles for that may have different editorial teams) have been pretty average - and the quality of some of the articles is quite poor IMO. They aren’t what they were 10-15 years ago. It may just be representative of them having very few high quality writers or reviewers, but may also be symptomatic of a slide towards a ‘click bait’ mentality where just getting people to view your pages is all that really matters, not the quality of the content… (but that doesn’t mean they may not still have some good content occasionally or a few quality writers).

The linked PC Mag article was published Dec. 1, which is three weeks before the Dec. 22 update to the LastPass notice in which they disclosed that customer vaults were in fact stolen.

Well spotted @grb! I missed that - and that probably explains a couple of other articles I read, and that I didn’t think to check publishing date - although in December obviously before 22nd so only referring to the original August breach and not the following bigger one when the vaults went.


There are fees for Lastpass but is it possible that the metadata they don’t encrypt is sold for additional profit?

Could very well be the case. This Wikipedia link shows that LastPass in 2021 was discovered to have several trackers in their Android app. It was at that time I left their product, which in my opinion continues to be sugarcoated in good marketing, but failing at its core business - protecting data and privacy.

Yep - just read this list of articles (or should I say litany of disaster):

I’m surprised so many people are still with LastPass given its history - just in the recent period of 9 months Dec '21-Aug '22: all users’ master passwords compromised, hackers steal system source code then have 4 full days of access to LastPass internal systems, and steal customer vaults from cloud storage. And there had already been several major incidents in previous years prior to this.

Source for “all users’ master passwords compromised”?

As per this post regarding the breach back in December 2021 - LastPass attributed it to credential stuffing but refused to comment further (i.e. I think they denied a breach) but security researchers had found thousands of LastPass credentials stolen through malware, etc…:

EDIT: P.S. I believe many LastPass users actually got notifications from LP themselves saying their passwords may have or had been compromised; but I think LP just didn’t admit that publicly…

It doesn’t say all LP master passwords were compromised in that article. But it does reveal something odd is going on. Either phishing or something worse. I think what has happened at LP is serious and damaging to its reputation and to its customers. I have left LP as a result. I think LP needs to be disclosing more info, more regularly, so we can better understand what has actually happened.

Yep. And the other ‘big name’ Keeper has some suspicious attitudes too - like constantly threatening to litigate people and doing bug hunts but not allowing anyone who finds anything to disclose what they find, etc… But back to LP:

So before #LastPass increased the iteration count to 100,100 they had 5,000. Before they increased the iteration count to 5,000 they had 500. And before they increased the iteration count to 500 they had 1.

And apparently they failed at updating people’s security settings at each and every step. So your mom is the “lucky” one who has her account configured with 1 PBKDF2 iteration. Which offers close to zero protection today.

That’s the company people trust with their passwords. And keep defending because “it’s all encrypted.”

Quoted from:

More importantly read the follow up! Here:

EDIT: Here’s another one:

P.S. It’s implied - because they won’t say how many were (of anything). They won’t even admit the true date - likely these vaults were all stolen in August a few days after the first breach, long before they admitted the first intrusion in September…

P.P.S. Here’s a good analysis on what their almost Christmas Eve statement really says/means:

EDIT: P.S. A lot of people now discovering their vaults didn’t have the 100,100 iterations (as per above article), most only had 5,000 (if they were a pre-2019 customer), many had only 500, and a few (slowly increasing) finding they had only 1.

P.P.S. As an aside @misterp I don’t know if I have a lot of faith in that Neil J. Rubenking who authored those P.C. Mag articles - he makes a big deal of being mates with the guy from Keeper (so there’s a bad choice to start with that doesn’t fill me with confidence) and he comes across as a bit of a snob. He also looks like he has highly praised LastPass in the past despite all the previous breaches and all the other security issues and LastPass bad practices raised by security specialists…

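As an added illustration of the iteration-count point in the quoted posts above (example code written for this page, not code from the thread, from LastPass or from Bitwarden): it derives a vault key with PBKDF2 at each of the historical counts named (1, 500, 5,000 and 100,100), times them, and shows that a count of 1 is literally a single HMAC per guess. The use of HMAC-SHA256 as the PBKDF2 hash, the lower-cased e-mail as salt, and the sample credentials are all assumptions made here, not facts taken from the thread.

```python
import hashlib
import hmac
import time

# Client-side PBKDF2 iteration counts the thread says LastPass used over the
# years; accounts were not always migrated to the newer value.
HISTORICAL_ITERATIONS = (1, 500, 5_000, 100_100)
CURRENT_MINIMUM = 100_100  # the count the thread treats as today's baseline
# Constructed sample credentials for the demo, not real account data.
SAMPLE_PASSWORD, SAMPLE_EMAIL = "correct horse battery staple", "user@example.com"

def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """32-byte vault key via PBKDF2-HMAC-SHA256. ASSUMPTION (not from the
    thread): the lower-cased account e-mail is the salt, a common convention."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)

def one_iteration_is_one_hmac(master_password: str, email: str) -> bool:
    """What c=1 really means: for a 32-byte output, PBKDF2-HMAC-SHA256 collapses
    to one HMAC over salt || INT(1) (RFC 8018), so each master-password guess
    costs exactly one hash computation. There is no stretching at all."""
    key = derive_vault_key(master_password, email, 1)
    block_index = (1).to_bytes(4, "big")  # INT(i) for the first block, i = 1
    single = hmac.new(master_password.encode(),
                      email.lower().encode() + block_index, hashlib.sha256).digest()
    return key == single

def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation on this machine."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key(SAMPLE_PASSWORD, SAMPLE_EMAIL, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def relative_work_factor(iterations: int, baseline: int = CURRENT_MINIMUM) -> float:
    """How many times cheaper a guess is than at the baseline (cost is linear in c)."""
    return baseline / iterations

def meets_minimum(iterations: int, minimum: int = CURRENT_MINIMUM) -> bool:
    """The check to apply to the iteration count shown in one's own account settings."""
    return iterations >= minimum

if __name__ == "__main__":
    print("c=1 is a single HMAC:", one_iteration_is_one_hmac(SAMPLE_PASSWORD, SAMPLE_EMAIL))
    for c in HISTORICAL_ITERATIONS:
        print(f"{c:>7} iterations: {seconds_per_derivation(c) * 1e3:8.3f} ms per guess, "
              f"{relative_work_factor(c):>9,.0f}x cheaper than {CURRENT_MINIMUM}, "
              f"meets minimum: {meets_minimum(c)}")
```

Because PBKDF2 cost is linear in the count, an account left at 1 iteration makes each guess about 100,100 times cheaper than one at the current baseline, which is what “close to zero protection” means in practice.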

The fact that LastPass is so quiet about it all should tell you everything you need to know. If it was only a subset that was stolen, they would have shouted that from the rooftops. Also, it is telling that when people inquired whether the Authentication backups were stolen as well, the official reply was, quote

The LastPass Authenticator app data was also fully encrypted during the latest security incident. However, if you are concerned this data is vulnerable due to a weak account password, you may temporarily un-link the authenticator in order to create a new QR code and reconnect that auth app again

Which, translated, means “yes, they got stolen as well, do with it what you will”.

Honestly I have never in my life been this grateful that I escaped their clutches after LogMeIn took over… best decision of my life (well, security wise that is).


It’s a clear case of criminal negligence and a few other things - whatever the US equivalent of a securities commission or similar is, they should be all over LastPass like a rash! This is actually not far off the type of scam Elizabeth Holmes pulled with Theranos, it’s just probably through incompetence and greed rather than outright fraud…

Here’s an example of LastPass getting hassled in July 2018 for not fixing their issues from 2015 as of January 2018 and still leaving some lesser issues unresolved, and the supposed upgrade to 100k iterations: Is your LastPass data really safe in the encrypted online vault?


I assume the encrypted LP vaults and authenticator backups have been stolen. It’s a risk we take with all cloud-based password managers. If I wanted to mitigate that risk I would keep a local password manager which I tried and abandoned. But, that is very different than the hackers having access to them all. I’m not worried that my LP data has been accessed, frankly.

And I don’t care that my unencrypted file urls have been exposed as there was nothing I would care about if anyone saw. HOWEVER, most users aren’t aware of this exposure and do have urls they wouldn’t want others to see. I think LP making the choice to leave them unencrypted to leverage extension autofill features tells you security started to take a back seat for them as they grew their user base. And those priorities have now placed them in this mess.

I have fully transitioned to Bitwarden and deleted my LP account because of their delay in disclosing, lack of clarity or frequent updates, lack of accessible third party audits, and because the code is closed source. The combination of those issues creates a black box and tells me it is time to move on from LP after over a decade. The fact that Bitwarden has roughly reached feature parity with LP and has some advantages such as being able to store attachments and the 2FA codes in a single file, ALL of which is encrypted unlike LP, closes the deal for me.


Do we know if the stolen data was only the latest backups or could older backups also have been accessed?

I guess we have to assume the thieves took it all. I deleted my account shortly after I moved to Bitwarden, which was… well… how old is Bitwarden? Then. So I’m assuming that there aren’t any 8 (?) year old backups floating around.

All the same, I did update our most important accounts such as our bank, email, mobile phone, etc and I updated the master password for Bitwarden. Just in case…

I wouldn’t bet on it…

Given everything else about LP and the fact it sounds like much of its environment is spaghetti code too (the web side), it should be assumed there’s at least the possibility for ex-users’ old vaults and/or activity details to still be on their servers, despite deleting their accounts some time ago… Looks like the web-interface leaked (or leaks) like a sieve and has poor security/lots of vulnerabilities…

In addition to the above linked post, also:

I worked for LastPass for about a year, well before they were bought by LogMeIn. I believed what I was told by the peeps in charge of the security side, it seemed like they knew what they were doing.

The UI side though was horrendous! A bunch of 25K line PHP files that each handled: Page display, Form processing, & API calls. Contained conditional PHP, HTML, JS & CSS, with hundreds of switches based on User settings and permissions. Absolute freaking NIGHTMARE to work on.

Source for above quote on Mastodon

Someone else said the following (again off the same Mastodon discussion on LP IIRC):

LastPass already had bad crypto before they were acquired. Their “server-side rounds” were a terribly misconceived idea and put users in harm’s way when they were breached in 2015.

But hopefully, yeah, there are none - when you delete your account they actually do purge their data of you, properly…
