Lastpass Breached. Again. Vault Data Accessed This Time

LastPass has been breached again; this time vault data has been exposed via backups.
Sounds like not all data was encrypted, so even without your master password attackers can tie your billing info to a list of sites you have saved.
Anyone with a weak master password might want to go through all their saved sites and get resetting.

https://blog.lastpass.com/2022/12/notice-of-recent-security-…

https://www.bleepingcomputer.com/news/security/lastpass-hack…


Comments

                • @ESEMCE: iCloud Keychain (password manager) is very secure. No point dunking on it just because you don't like Apple.

                  • +1

                    @tp0: Indeed, but we're not talking about the security of the product, we're talking about the security of its actual utilisation.
                    iCloud is undoubtedly a convenience product first and a security product second. As a result, its use is largely as a convenience, autofilling simple user created passwords.

                    (PS I don't dislike Apple. I dislike fanboys of any persuasion; I couldn't give a toss about brands, and as long as the price/performance is there for my needs I'll buy it, hence why I own an iPad.)

                    • +1

                      @ESEMCE: iCloud keychain’s default stance is auto-generating complex passwords. You have to override it to save a user created password for a new account.

    • Yes they are still at risk. (albeit a tiny risk)
      2FA only secures you from someone accessing your account if they somehow got your master password (i.e. by keylogging).
      In this case the hackers have your data, but it's encrypted, so they need to decrypt it by guessing your password hundreds of times per second (if they have access to a massive computer) until they guess correctly.
      If they succeed, then they will have a plain-text list of your usernames and passwords.

    • Yea this bypasses 2FA completely.

  • +2

    Hey chatgpt, can you hack optus, telstra, lastpass and apple plz

  • Does anyone use Nordpass? I moved over from LastPass to Nordpass well over a year ago now. So far I have had no issues, but with the way hacking is escalating I assume it is a matter of time until Nordpass, like many others, will get hit as well.

    • FYI, it's possible your LastPass data was still stolen, so I'd recommend changing any passwords just in case. The data stolen was backups apparently, and could include data from closed accounts or older accounts.

  • +4

    Curious why more people don't use KeePass

    • Probably because of the convenience of cloud syncing.

      I used KeePass XC prior to Bitwarden.

  • -5

    When will people learn? All these cloud password manager solutions are high risk, you are putting all your eggs in one basket, a basket with a giant target painted on it.

    • +1

      When will people learn?

      Perhaps you need to learn how encryption works.

      What's your better solution? Memorised completely unique, high entropy passwords?

      • +5

        KeePass is your better solution

        • +1

          lol yep noticed that in some of the comments.
          Am I just showing my age here when I prefer non-cloud storage for most things :P
          Plenty of options without those BS pen-and-paper comments lol

        • +1

          If your personal computer gets compromised by malware they'll likely also use one of the many tools to grab your KeePass file. KeeFarce has been around for years now; it'll grab your password from your computer's memory along with your encrypted file and flick it all back to whoever attacked you.

          KeePass is less secure (in a single environment they have access to both your password and encrypted file), the only thing going for it is you can at least be responsible for your own security.

      • Perhaps you need to learn how encryption works.

        doesn't seem to matter in this case does it?

        • doesn't seem to matter in this case does it?

          how so?
          Lastpass holds what is effectively a digital lump of bits, indistinguishable from random noise.

          Unless your master password is simplistic, the brute force cracking effort/time (assuming some hacker singles out your specific digital lump) makes it effectively worthless for as long as you'd care to worry about.

      • -1

        @SBOB I think YOU will learn how encryption works sooner or later, when your stolen password data is eventually exposed.

        Better solution? Sure, as some have already responded, there are non-cloud (server) based products that can offer similar features with some minor inconveniences.

        There are also products that have self-hosted variants available… for example, Bitwarden can be self-hosted, as opposed to using their cloud services.

        I run VaultWarden (formerly Bitwarden_RS), which is a consolidation of Bitwarden's services that you can self-host. You could deploy it to a free tier Amazon/Google cloud service, deploy it in Docker, install it on a dedicated Linux platform, the list goes on.

        Obscurity is not security, though it does contribute to keeping you off the radar in some cases.

        • +1

          Yep, if you want to go a level further, self host it. Doesn't make cloud hosted a worthless solution.

          It does not in any way change the inherent security of the data blob that the password manager stores.

          If you only trust the encryption security because you self host it, then your trust is somewhat misplaced.

          • -2

            @SBOB: It's not a question of worth, it's a question of risk.

            Using cloud password managers is trusting your passwords to an entity that is at the top of everyone's hit list, eventuality can't be avoided.

            The products are marketed in a way that gives a false sense of security to the average joe, believing their data is going to be safely handled and protected, which simply isn't the case.

            • +1

              @REDRUM:

              is trusting your passwords

              They have your passwords in the same way google cloud has my passwords if you self deploy.

              Yes, if you use a dumb short master password, then if your data blob was obtained it could technically be brute forced in some reasonable amount of time.
              If you use a decent master password, you shouldn't care; it's as worthless as random noise in any period of time you'd care to worry about.

              If you don't trust the encryption security of your password blob, well, you'd have a hard time going through your day not hoping AES-256 wasn't easily crackable elsewhere.

    • +1

      Cloud based password managers are still the best choice for people who want convenient synchronised access across multiple devices. Security is always a compromise or tension between different factors; often convenience and risk.

      There are many options to store your secrets or credentials. Ranging from paper in a safe through to Keepass and similar software, to self hosted Bitwarden, to hosted cloud password managers. All have their benefits, disbenefits and risks.

      Personally I use Bitwarden with a strong master password. If Bitwarden is compromised and vaults stolen, I should have more than enough time to change all the credentials and secrets stored in my vault. It is a risk that I am happy to accept, and I am quite risk averse. Risk acceptance or otherwise is a very individual decision.

      Often it is forgotten how threat actors work. Unless an attack is to target a precise collection of specific parties, the threat actors will go for the low hanging fruit. In the scenario of stolen encrypted vaults, that will be the ones they can crack the fastest. It is likely that stolen vaults will be detected and the breach communicated to customers in a time frame to allow customers to respond appropriately.

      Even the nightmare scenario of a complete compromise of a cryptographic algorithm or protocol, providing low compute access to plaintext in vaults would not overly worry me unless it was done without detection. The end to end effort in the chain of activities required to achieve something like that would mean higher value targets would be affected first and likely lead to detection, allowing us lower valued minnows time to effectively respond.

  • +4

    It's probably time I change all my passwords from password to something stronger.

    • +9

      password2

      • +1

        2023 is coming up so I’ll be changing all mine from password22 to password23

  • -1

    Another reason I can't get my head around how these things are better than a pen and notepad.

    • How do you log into websites when you're out and about with your phone?

      • He swears profusely after the 2nd failed login attempt and resigns himself to logging in once he gets home, unfortunately by the time he is home the Ozbargained item gets Ozbargained and he misses out.

    • +1

      Hard to write down 100 character passwords of random characters and symbols

    • +1

      I have to log into dozens of sites a day, and I need to use complex, unhackable passwords that can't be easily remembered or typed, and need to be changed regularly to maintain good security practices. Even the average person needs a lot of passwords these days, and good passwords - unique for each site, with symbols, numbers, etc. are more difficult to manage on paper.

      I would have no time for work if I had to manually track passwords on paper.

      Paper notebooks can be stolen, damaged, or lost.

      Due to encryption, the passwords stolen by the hackers are unreadable except for users who had weak passwords.

      I had a LOT of passwords in an old LastPass vault. Even though that vault has potentially fallen into hackers' hands, they can't get into my data unless they brute force a password that in theory should take a few thousand years to crack. Within a very short time of the hack being public, I have changed all the passwords that were in that vault, so even if they manage to somehow brute force my master password, none of the data they get is useful to them.

      • "I have changed all the passwords that were in that vault,"
        wow.. do you have only a few, or is there a trick to quickly change them? (I don't think so, but I just ask anyway as you seem to be expert enough)

    • Off the top of my head, here's a few reasons to get your head around.

      1) Security
      a) EVERY site has its own unique, long, complex password
      b) If I lose a notebook, I would need to jump through hoops to reset all the passwords on all my accounts and would need to do so with urgency before any nefarious person could find my notebook and use it to lock me out of my accounts.
      c) even in this scenario, I have months to slowly change my passwords with no real risk of compromise of anything.

      2) Convenience
      a) I have all of my passwords accessible within a few seconds on all of my devices, wherever I am within easy access of my phone, or even from any, random (trusted) internet connected device (provided I have my Yubikey - on my keyring - or Phone available for 2FA).
      b) accurately typing a long, complex password is tedious. A password manager autofills in seconds (after logging in) and is accurate every time.

      • what's the advantage of Yubikey when your phone is used for 2FA already?

        • I mean
          I have my passwords with me if I have my phone.

          If not, I could log into Bitwarden (on a trusted machine) and authenticate with my Yubikey to access my passwords.

  • -6

    Love all the cyber security experts with no knowledge or experience whatsoever bringing their 2c like they're industry professionals.

    If it's so easy why aren't you making millions providing top notch cyber security to all these companies?

    • +2

      They're busy with their start up stationery company trying to sell pen and paper solutions.

  • If not Lastpass, what is the safe alternative?
    Or is it notebook and pen only?

    • Tattooed on your private parts

  • This is why I haven’t moved to 1Password cloud offering - local vault only.

  • So I'm guessing just store it with Chrome with Google?

  • +2

    8.02 trillion trillion centuries to brute force… well I was gonna go to the shops today but better start moving away from LastPass.

    • +1

      It's anytime between the next second and 8.02 trillion trillion centuries actually, and that applies only to truly random passwords. For everything else a good dictionary will return decent results in much less time.

      • Yes, obviously they could fluke it with the first try but not much you can do about that is there? I've moved to Keepass now so that I can be personally responsible for the next leak of my passwords :)

    • Even if you spend all day removing yourself from LastPass they still have your data - isn't that the way it works?

      • Moving away from lastpass would obviously include changing every password stored inside it? Otherwise there's no point in moving. Well, every password that is of significance. My account with fluffypettoys.com.au isn't something I care about… much.

  • Apple kee-pass anyone?
    I don't understand if it's safe, but it seems to have collected quite a few of our passwords over time.
    Any clues appreciated.

  • -4

    Don't use password managers, just don't. Anyone who pushes them either is clueless or is getting a kick back.

    They're a high value target, they will get broken into.

    Stick to the XKCD's advice and make a long passphrase for each site that you can remember. It's ok to have a variance pattern only you understand.

    • 'Stick to the XKCD's advice' - this advice ? - https://xkcd.com/538/

    • +1

      You would want to make sure you use a unique passphrase for each site (with truly randomly generated words, not just the first ones you think of), and also likely add an additional word compared to xkcd's advice (its diceware number suggestion is below the recommended minimum of 6 that diceware password creator Arnold Reinhold recommends), and use padding characters.

      Good luck remembering unique 6 random word passwords for each site, but yes... that is an excellent password generation recommendation.

      Plenty of highly regarded security experts would disagree with you regarding memorising
      Eg the local guy behind haveibeenpwned
      https://www.troyhunt.com/im-sorry-but-were-you-actually-tryi…

      And that sell out Edward Snowden just pushing the company line ;)
      https://twitter.com/Snowden/status/1175433355921436673

      But sure, all those opsec experts…
      all just clueless or getting kickbacks

  • +1

    I use Enpass. Keeps data in an encrypted single file, which can be synchronized to your (own) cloud storage location (ie OneDrive), or kept local. Works across all devices.

    Why some people think it's a great idea to sync to a single vault provider is beyond me… it's a high value target.

  • +1

    The parent company who own this also own GoTo Meeting and there are concerns that this may also be affected. The company I work for have told staff to cease using it.

  • What's the benefit of LastPass over the free Google Password manager built into Chrome? My iPhone is able to access it via all the apps as well. Seems safer too.

  • Used LastPass for two weeks two years ago before I decided it wasn't for me. Now I'm regretting not deleting the account. My master password is reasonably strong, 22 characters with uppercase, lowercase, numbers and special characters, but does contain dictionary words. Probably not hackable in a timeframe that matters to me, but I'll change important passwords anyway.

    Are the hackers going to be able to try to brute force all the hacked accounts simultaneously, or will they need to try each account sequentially?

    • +1

      My master password is reasonably strong, 22 characters with uppercase, lowercase, numbers and special characters

      That is not 'reasonably strong', that is absolutely strong and not crackable at all. You are totally safe.

      Are the hackers going to be able to try brute force all the hacked accounts simultaneously or will they need to try each account sequentially?

      Not simultaneously, but not really sequentially either. They will iterate through all interesting accounts, trying each password on all of them individually before moving on to the next password, i.e. 'aaaaaaa', 'aaaaaab', 'aaaaaac'. All passwords of seven characters or less will have already been cracked on every account by now.

      • Genuinely, thanks for the vote of confidence on my password.

        Still going to change passwords on important accounts though and set up MFA where possible. Hopefully just a reminder and not a lesson.

  • +2

    Syncthing + keepass

    Never trust companies having your passwords

  • Apple iCloud Keychain FTW

  • I figure my data is out there anyway, could not even be bothered changing my passwords at this point - all 500 odd of them hah

  • If my master password was 24-25 characters, should I even bother changing each individual password? This is going to be tedious. I'm glad I only trust myself with my bank and email account passwords.

    • +2

      Probably not an issue, but do it anyway over the course of the year.
      Do it next time you're home sick from work and you're bored out of your mind.

    • I imagine they'll use the billing info + unencrypted site URLs to determine which vaults to spend the GPU time on.
      Things like financial accounts, crypto logins probably put a target on your back.
      I'm only changing the accounts that I care about, they can have a 10 year old Ubisoft forums account, but not mygov

      • crypto logins

        Would be rare sites that don't enforce 2FA in crypto land though...

  • Can't this kind of hack happen with other managers, especially Bitwarden, which I'm using?
    My master pass is only 13 chars (but a combination of capitals, numbers, specials).

    • Yes it can happen to any Password Manager.

      Definitely worth increasing your password length, to at least 16 characters, but the more the better of course.
      13 characters is OK today, but likely won't be in a few years' time.

      While you're at it, increase the Hash iterations from the default 100,000 to 400,000 or higher.
      You need to do that on the Bitwarden Website under Security and the third tab across.

      • One feature I like is (could be Bitwarden or Authy, one of them) being able to limit or disallow login from new devices. Well, still, if they know the master pass they can change that.
        But using Bitwarden plus Authy is also a good idea I think? So if they know my master pass, they will need to crack my Authy as well.

        Damn, now I remember I am using the same email and password for both! lol...

        • +2

          1) have a unique password for EVERYTHING (doubly important for your Master Password)
          2) Using Multi-factor Authentication (MFA) is definitely a good idea for Bitwarden.

          However, be aware that MFA would not provide any extra protection in this case.
          MFA can only prevent someone who somehow knows your Master Password from being able to log into Bitwarden and extract all your passwords. (i.e. if someone installs a keylogger onto your computer, they could gain access to your Master Password.)

          MFA is like having a second door on your house with a combination lock.
          And inside your house is a safe with all your passwords.

          But in this case, the hackers have the data already. (i.e. they've already entered LastPass through the backdoor, bypassing the 2 front doors altogether, and they've stolen LastPass users' "safes".)
          They now need to try to decrypt the data (open the "safe") by guessing the Master Passwords thousands of times per minute.

          For anyone with a password longer than 10 characters, this should take on average 100 years or more to guess using today's technology - BUT of course on average means that for one person they could luck out and guess the password correctly on the first attempt, and for another it might take 200 years (still an average of 100 years).
          It's for this reason that having a MUCH longer password is important.
          Once you're into 16 characters and ideally much more, you're talking millions of years on average and therefore the chances of guessing correctly on the first guess become increasingly unlikely.
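The "average means half the keyspace" point above, and the earlier advice to raise the KDF iteration count, can be put into numbers. This is an added worked example, not code from the thread or from any password manager; the attacker hash rate, the 94-character set and the 7776-word diceware list are constructed assumptions, and the iteration counts are illustrative.

```python
import math

# Constructed assumptions for the worked estimates below; none of these figures come from the thread.
CHARSETS = {"lower": 26, "upper": 26, "digit": 10, "special": 32}   # 94 printable ASCII characters
DICEWARE_WORDS = 7776          # 6^5 entries in a standard diceware list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_chars(length, classes=("lower", "upper", "digit", "special")):
    """Number of possible passwords of `length` characters drawn uniformly from the given classes.
    A password built from dictionary words has a far smaller effective keyspace than this."""
    return sum(CHARSETS[c] for c in classes) ** length


def keyspace_words(words, dictionary=DICEWARE_WORDS):
    """Keyspace of a diceware-style passphrase of `words` randomly chosen list words."""
    return dictionary ** words


def guesses_per_second(raw_hashes_per_sec, kdf_iterations):
    """PBKDF2 makes each master-password guess cost `kdf_iterations` hash calls, so raising the
    iteration count divides the attacker's guess rate linearly."""
    return raw_hashes_per_sec / kdf_iterations


def expected_years(keyspace, raw_hashes_per_sec, kdf_iterations):
    """Average time to hit a uniformly random master password: half the keyspace on average."""
    return (keyspace / 2) / guesses_per_second(raw_hashes_per_sec, kdf_iterations) / SECONDS_PER_YEAR


def success_probability(keyspace, raw_hashes_per_sec, kdf_iterations, seconds):
    """Chance the vault falls within `seconds` of effort. An 'average of 100 years' does not rule
    out a lucky early hit; this is the figure that actually shrinks with a longer password."""
    guesses = guesses_per_second(raw_hashes_per_sec, kdf_iterations) * seconds
    return min(1.0, guesses / keyspace)


def crack_table(raw_hashes_per_sec, kdf_iterations, lengths=range(7, 21)):
    """Rows of (length, bits of entropy, expected years, P(cracked within one year))
    for random 94-character passwords under the given attacker budget and KDF setting."""
    rows = []
    for n in lengths:
        k = keyspace_chars(n)
        rows.append((n, math.log2(k), expected_years(k, raw_hashes_per_sec, kdf_iterations),
                     success_probability(k, raw_hashes_per_sec, kdf_iterations, SECONDS_PER_YEAR)))
    return rows


if __name__ == "__main__":
    RATE = 1e10   # constructed: raw SHA-256 throughput assumed for a well-funded GPU cluster
    for iters in (100_000, 600_000):
        print(f"\nPBKDF2 iterations: {iters:,}  (raw rate {RATE:.0e} hashes/s, constructed)")
        for n, bits, years, p in crack_table(RATE, iters, range(7, 17)):
            print(f"  {n:2d} chars  {bits:5.1f} bits  avg {years:12.3e} years  P(<1 yr) {p:.2e}")
    six = keyspace_words(6)
    print(f"\n6 diceware words: {math.log2(six):.1f} bits, "
          f"avg {expected_years(six, RATE, 600_000):.3e} years at 600k iterations")
```

Each extra character multiplies the average by 94 and divides the one-year probability by the same factor, while going from 100,000 to 600,000 iterations only buys a factor of six; length is the lever that matters most.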

          • @ESEMCE: ah got it. So totally different cases here regarding Authy.

            OK so question. If, for example, my vault got stolen from LastPass during that recent hack, does it matter to change/increase my master password NOW? Or is it too late? Does the vault that got stolen have my old master password with it?

            • +1

              @CyberMurning: If your passwords were stored on Lastpass with an old Password, the hackers potentially have your data and they only need to guess your old password to unlock all of your passwords.
              (think of the "safe" metaphor, they've broken in and stolen a bunch of "safes" that each contain passwords of an Individual Lastpass User)

              Changing your Master Password will only change the unlock "key" for your Bitwarden "Safe".
              The LastPass "Safe" is still locked using the old Master Password and you can do nothing to change it.

              But no need to panic. They still likely have nothing useful and are unlikely to for at least 12 months.

              Just start changing your old passwords, starting with your most important ones.
              ie email, mygov, Insurance, utilities, phone account and banking

              By the time they've guessed your old Master Password (if they ever do) they will still have nothing useful.

              • +1

                @ESEMCE: ah I see. Okay, I just used LastPass as an example in my question above.

                I had LastPass for a few months a long time ago, not sure if I really used it properly, maybe just played around. When they planned to charge a fee, I stopped,
                deleted all the entries inside (but I may have the account open still, not sure).
                Since then I'm using Bitwarden and I have changed most of the passwords anyway.

        • +1

          None of that is any help at all if someone steals your vault from Bitwarden. At that point they have all the time in the world to try to crack the key with zero authentication requirements and zero limits on attempts. Authy stops them using Bitwarden's standard web interface even if they know your password, that's it.

          Realistically though, they're not likely to crack it in the next decade with 13 characters (assuming it's actually random). At the moment it'd take hundreds of thousands of years, in a decade it might be a few years. Unless quantum computing breaks encryption as we know it.

          • +1

            @freefall101: Set up bitwarden with

            • a strong master password, whether that's something like 5+ words with delimiters (e.g. like the ones the Bitwarden generator makes), or some other mixed character set password that's 13+ chars long.
            • Change the KDF iterations from its default 100,000 to 200,000 or more.
            • Enable 2fa

            Store your master password and 2fa recovery code somewhere secure.

            Congrats, no one is brute forcing your password vault anytime in your lifetime or any following lifetime you'd care to worry about.

            • +1

              @SBOB: That's what mine looks like. I switched to Bitwarden a couple of years ago but stupidly left my Lastpass as a "backup". But I'm not even remotely worried about it being cracked. Over 5 words, a couple of them aren't even real, few other bits thrown in. Good bloody luck to anyone wanting to crack that one.

              2FA still means nothing for a LastPass style leak though. It's not two keys encrypting the vault, it's just user verification.

              Quantum is still a worry though. Brute forcing the password isn't really the issue at that point but simply breaking the factoring. Imagine if someone is sitting there capturing all the HTTPS traffic at the moment, they'll be able to decode all of it in a decade or two and they have your password. Still need to update passwords and re-encrypt every 5-10 years or so. Fortunately we'll have plenty of heads up on that one when it happens.

              • +1

                @freefall101: if we have quantum computing breaking AES-256 with ease anytime soon, we'll have more to worry about than our password vaults :)

                • @SBOB: ^this

                  If/when Quantum Computing breaks our current Encryption standards, it will require an entire re-set of system security everywhere.
                  And there will be far bigger fish being targeted than anyone commenting on this thread.

                  • +1

                    @ESEMCE:

                    If/when Quantum Computing breaks our current Encryption standards, it will require an entire re-set of system security everywhere.
                    And there will be far bigger fish being targeted than anyone commenting on this thread.

                    plus at this stage, quantum computing theories do not show any signs of being more effective against symmetric encryption like AES-256, so just saying 'but what about quantum computing' ignores the differing types of encryption and how each type of encryption's 'maths' works.

                    Quantum computing would be more effective at asymmetric encryption like RSA (i.e. RSA and other similar asymmetric encryptions would become worthless), while AES based encryption would be (somewhat) considered 'quantum' proof.

                    • @SBOB: Cheers, I didn't know that.

  • Ha, deleted the account years ago when they wanted to charge for the service.

  • +1

    On Bitwarden now, changing my master pass and increasing iterations.
    I see the "Rotate your Encryption Key" option.
    I read the description but don't really understand. Do we need to tick that? Default is not.

    • Shouldn't need to

    • +1

      Don't need to unless you think your vault has been breached.
      Don't bother.

      Just up the iteration count, ensure good master pwd with 2fa, note it and your recovery codes down somewhere secure.
      Congrats, you're more secure than 99%+ of the world's population.
