TL;DR: LastPass is broken. All passwords at the time of the breach were taken. They also got internal secrets from a laptop and can now probably throw computational power at anything they want to decrypt.
Switch. Do not use. Change everything you have if you were using it. Treat everything as breached.
No kidding. I mean the other biggest losers are not just lastpass, but the supposed security experts that non-stop plugged password managers as practically THE solution to password security for the average joe and now they are non-ironically saying that maybe physically writing your passwords on a piece of paper wasn't that bad of an idea after all. Extreme loser shit. I mean I still use password managers, but I know the risks, the master password is beefy, some important passwords like my g account are 100% committed to memory and now I'm wary of recommending password managers. When I think of my boomer parents who can't grasp the importance of, like, keeping their devices up to date through no fault of their own, I realize that we are truly living in a digital hellscape of our own making.
This message was brought to you by muscle memory.
Don't remember your password? your fingers do.
Only if you re-use passwords which is probably the worst thing you can do. No amount of muscle memory is going to help you remember a unique, randomly generated password like 72^@Bjh81N5QmEN6 for every single website.
It's not that hard until the time you have to remember one you haven't used in 5 years
I use private browsing by default. I have to enter logins every session.
You can still download Bitwarden and enable it in private browsing. Or you can just set your browser to clear on exit in normal sessions but still use the built in password manager. It's much more secure to use randomly generated passwords unique to each website than to use anything you can type, especially if you're reusing a password.
Is the horsestaplebattery meta outdated?
I use uniques everywhere with muscle memory.
You need to be able to access randomly generated passwords (which all your passwords should be) from any device. Password managers lose a lot of usefulness if they aren't online.
No? All your passwords absolutely should be randomly generated and unique per website, something you can't keep track of on your own. The solution is a password manager that syncs to all your devices.
What you do is use one that has locally encrypted/decrypted databases and authentication and store the database as an encrypted file in a cloud storage service. The service itself therefore no longer matters, only keeping your master password safe matters and the file online is useless without your master password. The service therefore never holds even so much as keys for your database and it is impossible without compromising your end devices to access your passwords.
That's the same as a password manager but much less convenient. Password managers don't store keys in their database, your master password is the key.
lastpass stores them encrypted only, like every other password manager. It decrypts on your local computer.
I was under the impression that lastpass was storing passwords encrypted and even when you use their website without the browser extension it decrypts locally.
That’s what Bitwarden claims as well and seems to be standard across the different services.
This isn’t too realistic even if someone has a cracking program based on the way LastPass encrypts information. Even after this breach your passwords in LastPass are probably still safe, but you should rotate your mfa.
Brute forcing encrypted data takes a monumental and in most cases nonexistent amount of computational power.
I don’t expect it to stay that way, but realistically speaking it’s not something to worry about.
If someone breaches it, they get everything.
IMO they are great if you control them yourself and take reasonable precautions, which means not using any public website password managers.
You can self-host bitwarden, for example. Or use a 100% local one. If you do host something like bitwarden, it's now on you to make sure it's up to date and following best practices, which is pretty annoying.
That’s not quite true of stuff like lastpass or Bitwarden (self hosted or as a service).
What people get (and got, when they breached lastpass) is a bunch of encrypted data that still needs the master password to unlock once decrypted.
If it’s really worrisome, pair the master pass phrase with a hardware token and be done.
With Bitwarden, the recent major issue relates to the essential security of getting into the vault itself. Self-hosters like myself needed to pay attention to this and change their settings from the defaults, at the cost of performance, in order to mitigate fairly realistic attacks.
right?
I complained about not being allowed to use old passwords and people were all "just use a password manager" what happens if that gets breached dipshit, let me cycle through obscure old passwords, fuck
yeah i'm jumping to them as we speak. luckily my mp was insanely long and full of non-dictionary words, basically just some weird shit i came up with in my head calling back to some worldbuilding i did when i was like 12 and offline
I switched to Bitwarden a while ago, but I never cleared my LastPass vault, so I still have to deal with this :sadness:
Trying to remember if I nuked my Lastpass account before switching to Bitwarden when everyone was migrating because Lastpass got bought out by an ad company or something.
The data accessed from those backups included system configuration data, API secrets, third-party integration secrets
It’s almost as if security should be publicly audited and based on well known encryption methods and not obscurity
The whole thing is a complete and total disaster. If you click through to the page about what was taken it's basically fucking everything. They must be treated as completely insecure, all secrets stolen, someone out there very probably has the ability to just access anything they want if they know what to do with it.
It's the worst breach I think I have ever seen.
The best part is that the press release doesn’t cover everything. Media outlets have been reporting that only a few people had access to this information, like 4 or so. And they were able to access it via their home devices and didn’t use a company device lol
I'll never use a password manager. Random password generator and notepad stays winning
Yes it's a boomer way to do things but I don't care
An unencrypted passwords.txt file sitting on your desktop is probably more secure than anything put in "the cloud".
An encrypted passwords.kdbx file sitting on your desktop would be significantly more secure though.
The cloud is just someone else's computer, that's what I've always thought
Words of the utterly deranged, cloud is a bunch of water droplets :meow-tableflip:
this except named "FILEINTRO_DAT" and with a bunch of gibberish before you scroll down
or alternatively, just a bunch of MSpaint files
True but this is like the second or third breach in the last couple years and they obviously aren't meeting the expected standard.
Huge target, large dev team and knowledge that if they ever covered up a breach of data access they will be obliterated. They are one of the few companies that actually reports breaches because they want to push liability for these post breach incidents on their customers who may have bad passwords.
Yes, but that said: if you have a bad master password the attempts at cracking it can commence anytime (if not already). So, really, change your master password and EVERY password you manage with LastPass. Anything short of that is insufficient.
their wikipedia page shows almost as many security incidents as chipotle's page shows poisoning incidents
If it makes you feel better then you should probably switch but after reading the bulletin the key points are: Some encrypted passwords were taken. However they can only be decrypted by using the master password which they don't have access to and never have.
In other words, as long as you have a strong master password the chances of you actually being hacked are next to zero. That said, some people are careless and they have bad passwords. That sucks for everyone but realistically that person also likely had the worst possible passwords before password managers gave them access to easy random passwords, so I'm not sure the net loss/win here in the long term.
Personally I've always used managers and I'll continue until something actually meaningful changes.
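Several posts above (the locally encrypted database in cloud storage, "your master password is the key", "encrypted data that still needs the master password", the Bitwarden default-settings change, and "a bad master password can be cracked anytime") describe the same model without showing it. The following is an added example written for this thread, not code from LastPass, Bitwarden, KeePass or any other manager. It assumes a vault design of my own: the vault key is derived from the master password with PBKDF2-HMAC-SHA256 (`hashlib.pbkdf2_hmac`) over a random salt and a configurable iteration count, and the vault is sealed with a toy HMAC-keystream cipher plus an HMAC tag standing in for AES-GCM so that it runs on the standard library alone. `StoredVault` is what a sync server would hold; the entropy and cost helpers show why the KDF iteration setting and the master password's strength decide how useful a stolen copy is.

```python
"""Minimal model of a "zero-knowledge" password vault (added example).

Assumptions (mine, not any real product's format):
  * vault key = PBKDF2-HMAC-SHA256(master password, random salt, N iterations);
  * the toy HMAC-keystream cipher below is a stand-in for AES-GCM so the
    example needs only the standard library; do not reuse it elsewhere.
"""
import hashlib
import hmac
import json
import math
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredVault:
    """Everything the sync server (and therefore a breach) holds: no key, no password."""
    salt: bytes
    iterations: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Slow key derivation; the iteration count is the per-guess work factor."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _subkeys(key: bytes) -> tuple:
    """Split one derived key into an encryption key and a MAC key."""
    return (hmac.new(key, b"enc", "sha256").digest(), hmac.new(key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(entries: dict, master_password: str, iterations: int = 600_000) -> StoredVault:
    """Encrypt the vault locally; only the StoredVault blob ever leaves the device."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return StoredVault(salt, iterations, nonce, ciphertext, tag)


def open_vault(stored: StoredVault, master_password: str) -> Optional[dict]:
    """Re-derive the key from the master password; None means wrong password or tampered blob."""
    enc_key, mac_key = _subkeys(derive_key(master_password, stored.salt, stored.iterations))
    expected = hmac.new(mac_key, stored.nonce + stored.ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, stored.tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(stored.ciphertext, _keystream(enc_key, stored.nonce, len(stored.ciphertext))))
    return json.loads(plaintext)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet (chars or word list)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return 2 ** entropy_bits / guesses_per_second


def guesses_per_second(iterations: int, samples: int = 2) -> float:
    """Rough single-core rate at which this work factor can be evaluated on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate-{i}", b"\x00" * 16, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample vault contents; the site and credentials are made up.
    entries = {"example.test": {"user": "alice", "pw": "72^@Bjh81N5QmEN6"}}
    stored = seal_vault(entries, "correct horse battery staple")
    # A stolen backup contains salt, iterations, nonce, ciphertext and tag, nothing more.
    assert open_vault(stored, "wrong password") is None
    assert open_vault(stored, "correct horse battery staple") == entries

    # Per-guess cost is set by the KDF iteration count the vault was sealed with.
    for iters in (5_000, 100_000, 600_000):
        print(f"{iters:>7} iterations: ~{guesses_per_second(iters):,.1f} guesses/s on one core here")

    # Guess budget is set by the master password: 16 random printable ASCII
    # characters vs. a 4-word passphrase from a 7776-word list, at an assumed
    # (illustrative) attacker rate of 1e6 guesses/s against the KDF.
    for label, bits in (("16 random chars", password_entropy_bits(16, 94)),
                        ("4 diceware words", password_entropy_bits(4, 7776))):
        years = seconds_to_exhaust(bits, 1e6) / (3600 * 24 * 365)
        print(f"{label}: {bits:.1f} bits, exhaustive search at 1e6 guesses/s ~ {years:.3g} years")
```

Run it directly to see the two levers side by side: raising the iteration count multiplies the attacker's cost per guess (which is why a self-hoster's KDF default is worth changing), while the master password's entropy sets how many guesses they need in the first place. A weak master password is not rescued by a high iteration count, and the server never needs to hold a key for any of this to work.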
My reaction to this last week after reading "experts" talk about this is still the same now.
I absolutely couldn't give less of a shit about some random fucker on the other side of the planet having access to my """""""""""""metadata"""""""""""", let alone giving two shits about them having access to the sacred metadata from dumb fucks working at [randomasscorporation]. How hackers are planning to use that to target corporations literally doesn't matter to me and shouldn't matter to anyone.
If corporations care they'll change, if not they'll continue to use managers, apparently lastpass is huge with businesses so is this going to make them change? You know the answer already.
There's always the possibility Mozilla gets hacked like this. idk if there's a way to make it on device only, but by default it syncs with a Mozilla server.
But as I said elsewhere in this thread, password managers kinda need to be in cloud storage so you can access your randomly generated passwords from any device.
Also Bitwarden is more feature-full. And you can host your own server instance if you really want, so you wouldn't be vulnerable to the security of a company. Though you'd instead be vulnerable to your network's security, so you should probably only do that if you know how to properly secure a network.
There’s always the possibility Mozilla gets hacked like this. idk if there’s a way to make it on device only, but by default it syncs with a Mozilla server.
No, by default in fact it does not (that would be insane). You have to enable it, and create an account and everything.
Also, if you do opt for the firefox password manager, use a secure key to encrypt it (that is not enabled by default either).
physical security, but if they have your device there's not much you can do, and the feds will use the $5 wrench method if they actually care about you
They'll use "advanced interrogation techniques" to beat the passwords/access to your accounts out of you if they deem you a serious enough threat.
:shrek-pixel-despair: I haven't used it in years but this will be a pain to change everything
Yeah I switched and now I still need to just change everything. I already changed my major passwords (banks, email, etc) but now I need to do everything else :pathetic:
Password Safe and the Twofish encryption algorithm it uses were originally developed and released to the public by Bruce Schneier and Counterpane Labs.
Password Safe is now an open source project hosted at sourceforge.net. The latest program updates, documentation, and news can be located at http://pwsafe.org.
I mean that's how password managers work. They have to store something online. And as we know online/the cloud is just someone else's server or computer. And even if it's just the encrypted part of the password, or it's technically "unhackable", when there's a will, there's always a way to hack something.
If they aren't stored online you can't log in to sites unless you have access to the computer you stored them on.
I've always used keepass since it lets you keep a local database.
doesn't storing the password with the mfa thing kind of defeat the purpose?
Your master password is in your head, your 2fa should be on your phone or another device