For reasons that may be obvious, I have had to go back and change passwords and user IDs where possible for many sites. The LastPass client user experience helps in some ways (e.g. "generate strong password" is useful) but can be a bit frustrating and tedious for a big task such as this.
I have started to lose track of which sites I have already updated.
One can sort by most recently used, but it would be good to be able to see when the account info for an entry was last changed.
I like this idea. It would be great if we had a Last Changed Date column on the Security Dashboard / Password Security page. This way you could sort all of the passwords by Last Changed date. Also it would be nice to have a "Risk" flag added to the same page that you could set a Last Changed Date threshold for, i.e. let the end user pick a time frame, say 1 year or 6 months, and when a Last Changed Date goes past the defined time, the entry becomes a "Risk".
The reality is that, given their data breach, this feature is essential. We know that the user vaults were stolen on or about August 2022 (and perhaps thereafter; LastPass hasn't said exactly). That means any vault containing a password of that age or older is vulnerable should the hackers manage to reverse engineer/decrypt what they have already stolen.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. [https://blog.lastpass.com/2022/12/notice-of-recent-security-incident]
Unfortunately this doesn't specify what else is "unencrypted", so e.g. if a notes field is unencrypted and contains sensitive information, the hackers may already have that data!
I would argue this is more important than merely a suggestion - this needs to be fast-tracked. In fact, it's embarrassing that this feature wasn't dreamed of before, or immediately following the incident, or implemented immediately following the suggestions.
It pains me to say this because I have championed LastPass for years, but LP/LMI really dropped the ball on so many levels with this incident. They failed to be on full alert, with countermeasures and exhaustive risk analysis, following the initial August incident. Since LP/LMI apparently aren't putting lots of effort into keeping safeguards on the data we pay them to secure, the least they can do is help us attempt to mitigate and clean up the security mess they permitted.
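The two rules the thread asks for (a user-chosen maximum password age, and a breach cutoff date so that anything not rotated since the vault copy was taken is flagged) are simple enough to run yourself over your own rotation log while the feature does not exist in the product. The following is an added example written for this page, not LastPass code and not something the product exposes; it assumes you keep your own record of when each site's password was last changed (the `Entry` dataclass, the `SAMPLE` list, and the 2022-08-01 cutoff are all constructed for illustration, since the post above only says "on or about August 2022").

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Approximate date the vault backups were copied, taken from the thread above.
# Constructed assumption: the exact date was not published.
BREACH_CUTOFF = date(2022, 8, 1)


@dataclass
class Entry:
    name: str
    url: str
    last_changed: Optional[date]  # None means the rotation date was never recorded


def risk_tags(entry: Entry, today: date, max_age: timedelta,
              breach_cutoff: date = BREACH_CUTOFF) -> List[str]:
    """Return the reasons an entry needs a new password (empty list = fine).

    "pre-breach": the credential predates the vault theft, so it is exposed if
                  the stolen vault is ever decrypted, regardless of its age.
    "stale":      older than the user-chosen maximum age (the "Risk" rule).
    "unknown":    no recorded date; treated as needing attention, not as safe.
    """
    if entry.last_changed is None:
        return ["unknown"]
    tags = []
    if entry.last_changed < breach_cutoff:
        tags.append("pre-breach")
    if today - entry.last_changed > max_age:
        tags.append("stale")
    return tags


def risk_report(entries: List[Entry], today: date,
                max_age: timedelta) -> List[Tuple[str, str]]:
    """Sort oldest-first (unknown dates first) and keep only entries with a risk tag."""
    def sort_key(e: Entry):
        # Unknown dates sort before everything else; then ascending by date.
        return (e.last_changed is not None, e.last_changed or date.min)

    rows = []
    for e in sorted(entries, key=sort_key):
        tags = risk_tags(e, today, max_age)
        if tags:
            rows.append((e.name, "+".join(tags)))
    return rows


# Constructed sample vault for illustration; not real accounts or dates.
SAMPLE = [
    Entry("bank", "https://bank.example", date(2023, 1, 15)),
    Entry("forum", "https://forum.example", date(2021, 6, 3)),
    Entry("mail", "https://mail.example", date(2022, 10, 2)),
    Entry("legacy-shop", "https://shop.example", None),
]

if __name__ == "__main__":
    # Six-month "Risk" window, evaluated on a fixed date so the output is stable.
    for name, why in risk_report(SAMPLE, date(2023, 3, 1), timedelta(days=180)):
        print(f"{name:12} {why}")
```

Note that the breach-cutoff test is deliberately independent of the age window: a password set a week before the vault copy was taken is "fresh" by the six-month rule but still exposed, which is exactly the case the poster above is worried about. Entries with no recorded date are listed first rather than silently skipped, since a missing date is the situation that started this thread.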