TL;DR: Last Pass is broken. All passwords at the time of the breach were taken. They also got internal secrets from a laptop and can now probably throw computational power at anything they want to decrypt.

Switch. Do not use. Change everything you have if you were using it. Treat everything as breached.

    • mittens [he/him]
      ·
      edit-2
      2 years ago

      No kidding. I mean the other biggest losers are not just lastpass, but the supposed security experts that non-stopped plugged password managers as practically THE solution to password security for the average joe and now they are non-ironically saying that maybe physically writing your passwords in a piece of paper wasn't that bad of an idea after all. Extreme loser shit. I mean I still use password managers, but I know the risks, the master password is beefy, some important passwords like my g account are 100% commited to memory and now I'm wary of recommending passwords managers. When I think of my boomer parents who can't grasp the importance of, like, keeping their devices up to date through no fault of their own, I realize that we are truly living in a digital hellscape of our own making.

      • edge [he/him]
        ·
        2 years ago

        Only if you re-use passwords which is probably the worst thing you can do. No amount of muscle memory is going to help you remember a unique, randomly generated password like 72^@Bjh81N5QmEN6 for every single website.

          • edge [he/him]
            ·
            2 years ago

            You can still download Bitwarden and enable it in private browsing. Or you can just set your browser to clear on exit in normal sessions but still use the built in password manager. It's much more secure to use randomly generated passwords unique to each website than to use anything you can type, especially if you're reusing a password.

      • tagen
        ·
        edit-2
        1 year ago

        deleted by creator

        • edge [he/him]
          ·
          2 years ago

          You need to be able to access randomly generated passwords (which all your passwords should be) from any device. Password managers lose a lot of usefulness if they aren't online.

          • tagen
            ·
            edit-2
            1 year ago

            deleted by creator

            • edge [he/him]
              ·
              2 years ago

              No? All your passwords absolutely should be randomly generated and unique per website, something you can't keep track of on your own. The solution is a password manager that syncs to all your devices.

          • darkcalling [comrade/them, she/her]
            ·
            2 years ago

            What you do is use one that has locally encrypted/decrypted databases and authentication and store the database as an encrypted file in a cloud storage service. The service itself therefore no longer matters, only keeping your master password safe matters and the file online is useless without your master password. The service therefore never holds even so much as keys for your database and it is impossible without compromising your end devices to access your passwords.

            • edge [he/him]
              ·
              2 years ago

              That's the same as a password manager but much less convenient. Password managers don't store keys in their database, your master password is the key.

        • blobjim [he/him]
          ·
          2 years ago

          lastpass stores them encrypted only, like every other password manager. It decrpyts on your local computer.

        • xXthrowawayXx [none/use name]
          ·
          2 years ago

          I was under the impression that lastpass was storing passwords encrypted and even when you use their website without the browser extension it decrypts locally.

          That’s what Bitwarden claims as well and seems to be standard across the different services.

          • tagen
            ·
            edit-2
            1 year ago

            deleted by creator

            • groundling20XX [none/use name]
              ·
              2 years ago

              This isn’t too realistic even if someone has a cracking program based on the way LastPass encrypts information. Even after this breach your passwords in LastPass are probably still safe, but you should rotate your mfa.

              • tagen
                ·
                edit-2
                1 year ago

                deleted by creator

                • xXthrowawayXx [none/use name]
                  ·
                  2 years ago

                  Brute forcing encrypted data takes a monumental and in most cases nonexistent amount of computational power.

                  I don’t expect it to stay that way, but realistically speaking it’s not something to worry about.

                  • tagen
                    ·
                    edit-2
                    1 year ago

                    deleted by creator

                    • xXthrowawayXx [none/use name]
                      ·
                      2 years ago

                      not in this case. lastpass, like all the other password managers i know of and a bunch of other cryptographic services, don't handle the master passphrase in plaintext when theyre receiving it from the app or browser or whatever, so at worst when they apply it to the encrypted block of data that represents the users other passwords it's salted, hashed and expanded out to the length required by the encryption strength. at that point it doesn't matter how strong or weak the master password that was used is or isn't.

                      for the purposes of brute forcing the encrypted file.

                      if they're doing the absolute bare minimum to have the user data in a file encrypted by the master password.

                      it really seems like im defending those ding dongs so uhh... let me be clear: i haven't used lastpass for about seven years now.

      • AHopeOnceMore [he/him]B
        ·
        2 years ago

        If someone breaches it, they get everything.

        IMO they are great if you control them yourself and take reasonable precautions, which means not using any public website password managers.

        You can self-host bitwarden, for example. Or use a 100% local one. If you do host something like bitwarden, it's now on you to make sure it's up to date and following best practices, which is pretty annoying.

        • xXthrowawayXx [none/use name]
          ·
          2 years ago

          That’s not quite true of stuff like lastpass or Bitwarden (self hosted or as a service).

          What people get (and got, when they breached lastpass) is a bunch of encrypted data that still needs the master password to unlock once decrypted.

          If it’s really worrisome, pair the master pass phrase with a hardware token and be done.

          • AHopeOnceMore [he/him]B
            ·
            2 years ago

            With Bitwarden, the recent major issue relates to the essential security of getting into the vault itself. Self-hosters like myself needed to pay attention to this and change their settings from the defaults, at the cost of performance, in order to mitigate fairly realistic attacks.

    • GorbinOutOverHere [comrade/them]
      ·
      2 years ago

      right?

      I complained about not being allowed to use old passwords and people were all "just use a password manager" what happens if that gets breached dipshit, let me cycle through obscure old passwords, fuck

    • RION [she/her]
      ·
      2 years ago

      Make room for bitwarden enjoyers 😎

      • Des [she/her, they/them]
        ·
        2 years ago

        yeah i'm jumping to them as we speak. luckily my mp was insanely long and full of non-dictonary words, basically just some weird shit i came up with in my head calling back to some worldbuilding i did when i was like 12 and offline

      • edge [he/him]
        ·
        edit-2
        2 years ago

        I switched to Bitwarden a while ago, but I never cleared my LastPass vault, so I still have to deal with this :sadness:

        • FuckYourselfEndless [ze/hir]
          ·
          2 years ago

          Trying to remember if I nuked my Lastpass account before switching to Bitwarden when everyone was migrating because Lastpass got bought out by an ad company or something.

      • captcha [any]
        ·
        2 years ago

        Self host it for free with vaultwarden.

  • MaoistLandlord [he/him]
    ·
    2 years ago

    The data accessed from those backups included system configuration data, API secrets, third-party integration secrets

    It’s almost as if security should be publicly audited and based on well known encryption methods and not obscurity

    • Awoo [she/her]
      hexagon
      ·
      2 years ago

      The whole thing is a complete and total disaster. If you click through to the page about what was taken it's basically fucking everything. They must be treated as completely insecure, all secrets stolen, someone out there very probably has the ability to just access anything they want if they know what to do with it.

      It's the worst breach I think I have ever seen.

      • MaoistLandlord [he/him]
        ·
        2 years ago

        The best part is that the press release doesn’t cover everything. Media outlets have been reporting that only a few people had access to this information, like 4 or so. And they were able to access it via their home devices and didn’t use a company device lol

  • aaaaaaadjsf [he/him, comrade/them]
    ·
    edit-2
    2 years ago

    I'll never use a password manager. Random password generator and notepad stays winning

    Yes it's a boomer way to do things but I don't care

    • Orcocracy [comrade/them]
      ·
      2 years ago

      An unencrypted passwords.txt file sitting on your desktop is probably more secure than anything put in "the cloud".

      • edge [he/him]
        ·
        edit-2
        2 years ago

        An encrypted passwords.kdbx file sitting on your desktop would be significantly more secure though.

        • plinky [he/him]
          ·
          2 years ago

          Words of the utterly deranged, cloud is a bunch of water droplets :meow-tableflip:

      • sooper_dooper_roofer [none/use name]
        ·
        edit-2
        2 years ago

        this except named "FILEINTRO_DAT" and with a bunch of gibberish before you scroll down

        or alternatively, just a bunch of MSpaint files

    • Chump [he/him]
      ·
      2 years ago

      Sticky Notes taped to your monitor would like a word.

  • blobjim [he/him]
    ·
    2 years ago

    The passwords are still encrypted so this isn't true.

    • familiar [he/him]
      ·
      2 years ago

      True but this is like the second or third breach in the last couple years and the obviously aren't meeting the expected standard.

      • groundling20XX [none/use name]
        ·
        2 years ago

        Huge target, large dev team and knowledge of they ever covered up a breach of data access they will be obliterated. They are one of the few companies that actually reports breaches because they want to push liability for these post breach incidents on their customers who may have bad passwords.

    • neo [he/him]
      ·
      2 years ago

      Yes, but that said: if you have a bad master password the attempts at cracking it can commence anytime (if not already). So, really, change your master password and EVERY password you manage with LastPass. Anything short of that is insufficient.

  • Mike_Penis [any]
    ·
    2 years ago

    just write them down on paper and it will never get hacked 😎 😎 😎 😎

  • buh [she/her]
    ·
    2 years ago

    their wikipedia page shows almost as many security incidents as chipotle's page shows poisoning incidents

  • BynarsAreOk [none/use name]
    ·
    2 years ago

    If it makes you feel better than you should probably switch but after reading the bulleting the key points are: Some encrypted passwords were taken. However they can only be decrypted by using the master password which they don't have access to and never have.

    In other words, as long as you have a strong master password the chances of you actually being hacked are next to zero. That said, some people are careless and they have bad passwords. That sucks for everyone but realisticaly that person also likely had the worst possible passwords before password managers gave them access to easy random passwords, so I'm not sure the net loss/win here in the long term.

    Personaly I've always used managers and I'll continue until something actualy meaningful changes.

    My reaction to this last week after reading "experts" talk about this is still the same now.

    I absolutely couldn't give less of a shit about some random fucker on the other side of the planet having access to my """""""""""""metadata"""""""""""", let alone giving two shits about them having access to the sacred metadata from dumb fucks working at [randomasscorporation]. How hackers are planning to use that to target corporations literally doesn't matter to me and shouldn't matter to anyone.

    If corporations care they'll change, if not they'll continue to use managers, apparently lastpass is huge with businesses so is this going to make them change? You know the answer already.

  • THC
    ·
    edit-2
    1 year ago

    deleted by creator

    • edge [he/him]
      ·
      edit-2
      2 years ago

      There's always the possibility Mozilla gets hacked like this. idk if there's a way to make it on device only, but by default it syncs with a Mozilla server.

      But as I said elsewhere in this thread, password managers kinda need to be in cloud storage so you can access your randomly generated passwords from any device.

      Also Bitwarden is more feature full. And you can host your own server instance if you really want, so you wouldn't be vulnerable to the security of a company. Though you'd instead be vulnerable to your network's security, so you should probably only do that if you know how to properly secure a network.

      • TheCaconym [any]
        ·
        2 years ago

        There’s always the possibility Mozilla gets hacked like this. idk if there’s a way to make it on device only, but by default it syncs with a Mozilla server.

        No, by default in fact it does not (that would be insane). You have to enable it, and create an account and everything.

        Also, if you do opt for the firefox password manager, use a secure key to encrypt it (that is not enabled by default either).

    • robot_dog_with_gun [they/them]
      ·
      2 years ago

      physical security, but if they have your device there's not much you can do, and the feds will use the $5 wrench method if they actually care about you

      • THC
        ·
        edit-2
        1 year ago

        deleted by creator

  • usbgen4 [none/use name]
    ·
    2 years ago

    :shrek-pixel-despair: I haven't used it in years but this will be a pain to change everything

    • ChestRockwell [comrade/them, any]
      ·
      2 years ago

      Yeah I switched and now I still need to just change everything. I already changed my major passwords (banks, email, etc) but now I need to do everything else :pathetic:

    • gauntlet [none/use name]
      ·
      2 years ago

      Password Safe and the Twofish encryption algorithm it uses were originally developed and released to the public by Bruce Schneier and Counterpane Labs.

      Password Safe is now an open source project hosted at sourceforge.net. The latest program updates, documentation, and news can be located at http://pwsafe.org.

  • tagen
    ·
    edit-2
    1 year ago

    deleted by creator

    • aaaaaaadjsf [he/him, comrade/them]
      ·
      edit-2
      2 years ago

      I mean that's how password managers work. They have to store something on online. And as we know online/the cloud is just someone else's server or computer. And even if it's just the encrypted part of the password, or its technically "unhackable", when there's a will, there's always a way to hack something.

    • edge [he/him]
      ·
      2 years ago

      If they aren't stored online you can't log in to sites unless you have access to the computer you stored them on.