NOT a recommendation: Stop using a password manager

LastPass’s free tier will be restricted to a single platform: PC or mobile. If you’re impacted, paying is my recommendation, but you can also switch to other free solutions or live with the new restriction. Continuing to use a password manager remains an important part of overall security.

In their blog post What can I expect to change for LastPass Free on March 16, 2021?, LastPass announced a change to the terms of their free offering: it will be free on only one “type” of platform.

LastPass Free will continue to be free if you use it only on PCs 1 (laptops or desktops).
LastPass Free will continue to be free if you use it only on mobile devices and tablets.
LastPass Free will no longer support using both platform types on the same account: it’s one or the other, but not both.

You use LastPass Free on both PC and mobile platforms.

I’m a fan of LastPass, and use it across all my devices constantly. While I don’t like the way they handled this change, I believe LastPass is worth the upgrade to an annual paid subscription. At this writing, that’s $36 USD per year. Like backing up, password management is important enough to pay for.

I don’t yet have a specific recommendation for an alternative. If free is important, your choices will be limited. Some free plans, such as that offered by Dashlane, are more restrictive than LastPass’s new plan. Bitwarden has a good reputation, and its free plan seems comparable. PC Magazine has a recent comparison of free password managers that includes several alternatives. Review them carefully.

One word of advice: if you move, make sure whatever alternative you choose will let you take your passwords with you. One of the reasons I originally moved to LastPass was because the solution I had been using had no export function. I believe that’s critical, both for backing up and not being locked in. Since LastPass has an export function, switching away from it is theoretically easier. Make sure that’s true for whatever solution you choose in case you later decide they’re not for you.

You can simply choose to live with the new restriction. Select one platform, PC or mobile, and stop using LastPass on the other.

There is another somewhat cumbersome approach: a second account. Continue to use your existing free account on one platform, and set up a new one (using a different email address) on the other. You should be able to export and import for the initial setup. Adding new entries and making changes, though, will be difficult to synchronize between the two.

Hands up who remembers the Ping of Death (circa the late 90s) or its 2013 counterpart for IPv6? Well, this time we have Remote Code Execution via ICMP, but despite the base CVSS score of 9.8 it seems like this might not be as straightforward to exploit as the details suggest. According to Microsoft this is exploitable by sending a fragmented IP packet inside another ICMP packet; however, to actually trigger the vulnerability "an application" on the target must be bound to a raw socket. What isn't clear is if this is a specific application or just any application - if it's any application then InfoSec teams might want to take a close look at any standard-deploy software (like EDR products) to see if they listen on raw sockets. I'd suggest keeping an eye on this one for any PoCs that become available to get a better idea of how this is exploited in the real world and, in the meantime, patch as soon as you can.

One last thing to point out regarding this chain of events - the Plex vulnerability was disclosed in 2020, two years before this all unfolded. There was more than adequate time for even the most lackadaisical user to update their media server software and head this whole problem off at the pass. But, should a personal workstation even have been allowed access to LastPass' production network? BYOD has always made me nervous for precisely this reason - corporate workstations can be tightly controlled (admittedly frustratingly so, sometimes, as the end user!) while end user devices can have all manner of unapproved, potentially buggy or even outright malicious software installed on them and then connected to your corporate network. There was a more naive time, perhaps, when BYOD seemed like a good idea - a way to cut capital expenditure, make life easier for employees, enable road warriors etc., but with the modern threat landscape I'm dubious, at best, that the benefits outweigh the potential costs. Could a breach like this have occurred even without Plex being installed? Absolutely! But could it have at least raised the bar a little if it weren't? Also yes.