I know from previous threads that there are a few of you...
Ars Technica is reporting that an August breach at LastPass is worse than originally thought
https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/
Is anyone surprised really?
Gather together all your passwords, and thus make them a target to be hacked by the unscrupulous. Almost like asking it to be done.
The proverb has always been, 'Don't place all of one's eggs in one basket.' These password management sites to me seem to fly in the face of such wise knowledge.
The passwords and usernames are still encrypted, LastPass does not have the keys to unencrypt and therefore neither do the hackers.
Is anyone surprised really?
Gather together all your passwords, and thus make them a target to be hacked by the unscrupulous. Almost like asking it to be done.
The proverb has always been, ‘Don’t place all of one’s eggs in one basket.’ These password management sites to me seem to fly in the face of such wise knowledge.
Then I guess the question would be how do you maintain many multiples of complex passwords without one?
Then I guess the question would be how do you maintain many multiples of complex passwords without one?
Yellow stickies are impervious to hacking 😉
Yellow stickies are impervious to hacking 😉
I tear mine in half, half a password on the monitor bezel and half on the fridge door
ahh now I understand, I always wondered what they meant by two factor authentication.
I use passwordsafe for exactly this reason, it's not as convenient as it doesn't autofill passwords for you, but your actual password file is not held by passwordsafe at all. You connect it to a cloud storage service of your choice (e.g. Dropbox) on your account and it stores the encrypted file there. Not inherently more secure but the incentive is lower for hackers as they'll only get one account at a time that they have to crack individually.
I read the article and am none the wiser.
“The threat actor copy backup of customer vault encrypted storage container data stored proprietary binary format both unencrypted data website URLs naked banking encrypted sensitive fields usernames password website secure notes data form-filled porn.”
I read the article and am none the wiser.
I'm not sure all of those words were there :). If you are concerned then change the passwords that you care about, but for me it only really holds the hundreds of passwords you need day to day for logging in to places like this, shops etc. The stuff I really care about such as banking is still in my head. If you change your website passwords then change your master password as well of course
I use passwordsafe for exactly this reason, it’s not as convenient as it doesn’t autofill passwords for you, but your actual password file is not held by passwordsafe at all. You connect it to a cloud storage service of your choice (e.g. Dropbox) on your account and it stores the encrypted file there.
Dependent on both internet access and some rando cloud service, otherwise I can’t get to any of my passwords? Nah 😂
Why would you need your password if you don't have Internet access?
You are damned if you do and damned if you don't.
I'm still going to use one but I'm probably going to dump LastPass
@zilog6128 - nope it stores a local copy on each device you use it on but syncs to a cloud service
Why would you need your password if you don’t have Internet access?
Many scenarios, use your imagination.
nope it stores a local copy on each device you use it on but syncs to a cloud service
Well that is good but not how you explained it! Googled it now & seen how it works. Seems ok but a bit clunky! Sounds like it’s the OG password manager tho 😀
So the hack didn’t give access to the passwords and usernames of users or just personal information that they could use to exploit 2FA and then change passwords.
Or have they also got the password files that they can set to work on brute force guessing the passwords for at their leisure?
Or have they also got the password files that they can set to work on brute force guessing the passwords for at their leisure?
Exactly that. As I understand it they have the password files that they can brute force. LastPass don't believe they can be brute forced within any practical timeframe
If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.
However, if you use your master password elsewhere then you need to
1. Slap yourself very hard
2. Get onto changing all your passwords now
If you have used a nice long master passphrase and don't use it anywhere else then you are good to go
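As an added illustration (not code from the thread, nor LastPass's own implementation), this derives a vault key with PBKDF2-HMAC-SHA256, the kind of key stretching the "default settings" above refer to, and estimates how long exhaustive offline guessing of the stolen vault would take. The iteration counts, the email-as-salt choice and the guessing rate are assumptions, not figures from the article.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key.

    Assumption: the account email (lower-cased) is used as the PBKDF2 salt,
    so the same passphrase yields different keys for different accounts.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def guesses_per_second(iterations: int, hmac_per_second: float = 1e10) -> float:
    """Guess rate an attacker gets once the vault is offline.

    Assumption: a cracking rig does about 1e10 HMAC-SHA256 operations per
    second; each candidate password costs `iterations` of them.
    """
    return hmac_per_second / iterations


def years_to_exhaust(entropy_bits: float, iterations: int,
                     hmac_per_second: float = 1e10) -> float:
    """Years to try every password of the given entropy (worst case)."""
    total_guesses = 2 ** entropy_bits
    return total_guesses / guesses_per_second(iterations, hmac_per_second) / SECONDS_PER_YEAR


def passphrase_entropy_bits(num_words: int, dictionary_size: int = 7776) -> float:
    """Entropy of a passphrase drawn uniformly from a word list (7776 = diceware)."""
    return num_words * math.log2(dictionary_size)


def compare_settings(entropy_bits: float) -> dict:
    """Constructed comparison: a weak legacy iteration count vs a stronger default."""
    return {it: years_to_exhaust(entropy_bits, it) for it in (5000, 100100, 600000)}
```

Run `compare_settings(passphrase_entropy_bits(6))` against `compare_settings(28)` (roughly an 8-character word-plus-digits password) to see that iteration count scales the attacker's cost linearly, while each extra bit of passphrase entropy doubles it.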
The stuff I really care about such as banking is still in my head.
The stuff I really care about has 2fa (ie lastpass)
The stuff I really care about has 2fa.
As well of course and the very sensitive stuff doesn't count an SMS as 2FA
Gather enough slave PCs together, bitcoin style?
Plus there must be several people that use shorter/common passwords that will be easier/quicker to crack.
I suppose at least people have warning to change their passwords
The modern day 1st world nightmare is passwords.
If I use Bitwarden or LastPass you still need to store the master password somewhere and if it's complex then you end up putting it on Excel or something. Luckily of late my phone has fingerprint recognition but I then need to transfer my PC.
I moved to BitWarden when LastPass started charging. Genuinely hopeful that I deleted my LastPass folder when I stopped using it, but going to have to investigate
I’m considering not renewing my LastPass when it comes up in January. I might go back to keepass..
Then I guess the question would be how do you maintain many multiples of complex passwords without one?
With an algorithm. I've used one for many years. For example, the last three letters from the main URL, a set word you use for everything, and some numbers and special characters. You can make it harder to work out by using a memorable set of letters and then scatter the chosen letters from the URL through it.
The only times it fails me is when a website is particularly picky, i.e. wanting more letters than normal, which then breaks your method, or a website gets compromised and forces you to change your password and then you need to vary your algorithm. Or one that has caught me out is you want to log in to persil.com but it's a common log in for all Unilever brands, so if you are logging into another brand you try entering the wrong password.
Every single password of mine is different, however a while back Google warned one of my family members that their passwords had been found online due to a data breach being published. Although I should say password, as it flagged up over 200 websites as they'd used the same password ever since they'd got online!
With an algorithm. I’ve used one for many years. For example, the last three letters from the main URL, a set word you use for everything, and some numbers and special characters. You can make it harder to work out by using a memorable set of letters and then scatter the chosen letters from the URL through it.
That sounds like a great idea but password cracking systems are aware that people do that. So if they have one password of yours already from something like a breach and then a rainbow table lookup if it's short then your system actually makes it very easy for them :(.
On the charging for the software thing, I'm very happy to pay for it as I want them focusing on what they do rather than on how to monetise what they do, either through ads or sideloaded software. I'm sticking with LastPass as they were breached and my passwords are still safe as far as I know.
Luckily of late my phone has fingerprint recognition but I then need to transfer my PC.
I have that switched off for LastPass as although the police/customs/etc can't force you to give them your password they can (as far as I know) put your finger on your phone. Yes I know it sounds paranoid but you can end up on the wrong side of the 'law' faster than you imagine
I do a similar thing as @spooky_b329 with passwords. I have a method that works on 95% of sites. Naturally if a person was actually looking at all my passwords in a list against the site they could probably work it out, but the chances of that are surprisingly low since they are all different.
I use LastPass because it works reasonably well. I also get an account with them for free as a result of my employer having an enterprise account.
It's pretty bloody annoying. I primarily used LastPass as I figured they'd be better at looking after my passwords than I would be! It's literally the most core part of their business - don't get hacked.
From the sounds of it, whilst the passwords are secure, the worst bit of it is that the URLs within the vaults weren't encrypted for some reason. 99% of websites use your email address as a username, so effectively they've now got a list of websites that I use and my username, just not my password.
****s.
ahh now I understand, I always wondered what they meant by two factor authentication.
Seriously?
I've been blogging about this, that might be the incentive I need to go finish the series.
I read the article and am none the wiser.
Hackers stole data. The data is encrypted in a manner believed to be secure. Whether a group able to do this in the first place is also able to break secure encryption is open to discussion.
Then I guess the question would be how do you maintain many multiples of complex passwords without one?

Hackers stole data. The data is encrypted in a manner believed to be secure. Whether a group able to do this in the first place is also able to break secure encryption is open to discussion.
Note only *some* of the data was encrypted (the passwords) *not* emails, names, websites that are in your vault. A shit show.
So reading that, does that mean all notes were available unencrypted?
LastPass is likely to be more secure in the future than the past as a result of this. So the logical but possibly counterintuitive thing to do is not to move away from LastPass but towards it.
So reading that, does that mean all notes were available unencrypted?
Not as far as I know. I think it was the website URLs that were unencrypted as it would allow LastPass to show that they have a login for a particular site even if you haven't fully logged in (I would guess)
That sounds like a great idea but password cracking systems are aware that people do that.
No system is infallible but it's a big step up from just being able to purchase a list from the darkweb and the easy option of trying your password against various different websites. And unless lastpass is offering a completely random password that you then accept (like Google does) then using a few favourite passwords for all websites is worse as there is commonality. And finally, I use completely different passwords (not the algorithm) for my email accounts, just to get that extra security against being able to access passwords resets. So in the unlikely event I'm singled out as a valuable target worth the effort of cracking my algorithm, they would hopefully lock my email account before they realise that it's not following the pattern.
For very secure cloud storage you could try Sync though not all of the Password Managers will work with it. Their USP used to be that the storage at their end was all encrypted even at rest and 5i's would be unable to sniff your data as Sync don't hold the keys.
1Password may well be doing something similar with their offering now as I have had to store a recovery code away to ensure that I can gain access to my passwords if I'm unable to remember my vault password.