TL;DR: LastPass is broken. All passwords at the time of the breach were taken. They also got internal secrets from a laptop and can now probably throw computational power at anything they want to decrypt.

Switch. Do not use. Change everything you have if you were using it. Treat everything as breached.

      • edge [he/him]
        ·
        2 years ago

        Only if you re-use passwords which is probably the worst thing you can do. No amount of muscle memory is going to help you remember a unique, randomly generated password like 72^@Bjh81N5QmEN6 for every single website.

          • edge [he/him]
            ·
            2 years ago

You can still download Bitwarden and enable it in private browsing. Or you can just set your browser to clear on exit in normal sessions but still use the built-in password manager. It's much more secure to use randomly generated passwords unique to each website than to use anything you can type, especially if you're reusing a password.

      • tagen
        ·
        edit-2
        1 year ago

        deleted by creator

        • edge [he/him]
          ·
          2 years ago

          You need to be able to access randomly generated passwords (which all your passwords should be) from any device. Password managers lose a lot of usefulness if they aren't online.

          • tagen
            ·
            edit-2
            1 year ago

            deleted by creator

            • edge [he/him]
              ·
              2 years ago

              No? All your passwords absolutely should be randomly generated and unique per website, something you can't keep track of on your own. The solution is a password manager that syncs to all your devices.

          • darkcalling [comrade/them, she/her]
            ·
            2 years ago

What you do is use one that has locally encrypted/decrypted databases and authentication, and store the database as an encrypted file in a cloud storage service. The service itself therefore no longer matters; only keeping your master password safe matters, and the file online is useless without your master password. The service therefore never holds even so much as keys for your database, and it is impossible without compromising your end devices to access your passwords.

            • edge [he/him]
              ·
              2 years ago

              That's the same as a password manager but much less convenient. Password managers don't store keys in their database, your master password is the key.

        • blobjim [he/him]
          ·
          2 years ago

LastPass stores them encrypted only, like every other password manager. It decrypts on your local computer.

        • xXthrowawayXx [none/use name]
          ·
          2 years ago

          I was under the impression that lastpass was storing passwords encrypted and even when you use their website without the browser extension it decrypts locally.

          That’s what Bitwarden claims as well and seems to be standard across the different services.

          • tagen
            ·
            edit-2
            1 year ago

            deleted by creator

            • groundling20XX [none/use name]
              ·
              2 years ago

This isn't too realistic even if someone has a cracking program, based on the way LastPass encrypts information. Even after this breach your passwords in LastPass are probably still safe, but you should rotate your MFA.

              • tagen
                ·
                edit-2
                1 year ago

                deleted by creator

                • xXthrowawayXx [none/use name]
                  ·
                  2 years ago

                  Brute forcing encrypted data takes a monumental and in most cases nonexistent amount of computational power.

                  I don’t expect it to stay that way, but realistically speaking it’s not something to worry about.

                  • tagen
                    ·
                    edit-2
                    1 year ago

                    deleted by creator

                    • xXthrowawayXx [none/use name]
                      ·
                      2 years ago

Not in this case. LastPass, like all the other password managers I know of and a bunch of other cryptographic services, doesn't handle the master passphrase in plaintext when receiving it from the app or browser or whatever, so at worst, when they apply it to the encrypted block of data that represents the user's other passwords, it's salted, hashed and expanded out to the length required by the encryption strength. At that point it doesn't matter how strong or weak the master password that was used is or isn't.

For the purposes of brute forcing the encrypted file.

If they're doing the absolute bare minimum to have the user data in a file encrypted by the master password.

It really seems like I'm defending those ding dongs, so uhh... let me be clear: I haven't used LastPass for about seven years now.
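The model the two comments above describe (darkcalling's "encrypted file in a cloud service that never sees the key", and the salted, stretched master password in the reply just above) can be shown in a few dozen lines. This is an added toy example written for this thread, not LastPass or Bitwarden code: the vault format, the `Vault` dataclass, the iteration count and the HMAC-based keystream are all my own stand-ins (a real implementation would use AES-GCM, but an HMAC-SHA256 keystream keeps the example dependency-free). The key is derived with PBKDF2-HMAC-SHA256, which is what the "salted, hashed and expanded" step refers to. The `offline_guess` function is the part worth looking at: it is what a thief holding the stolen blob does, with no server rate limit in the way. Note the caveat it makes visible: the KDF multiplies the attacker's cost per guess by the iteration count, but it does not change how many guesses a weak master password takes.

```python
"""Toy password-manager vault: added example, not code from LastPass or Bitwarden."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class Vault:
    """Everything the cloud side ever sees: no key, no plaintext (constructed format)."""
    salt: bytes
    iterations: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256: the master password never touches the ciphertext directly.
    # It is salted and stretched into a 256-bit key; the salt stops precomputation,
    # and every iteration is work the attacker must repeat for each guess.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (stand-in for AES-GCM).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and authentication keys from the one derived key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_vault(master_password: str, plaintext: bytes,
                  iterations: int = 600_000, salt: bytes = None) -> Vault:
    salt = salt or os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return Vault(salt, iterations, nonce, ciphertext, tag)


def decrypt_vault(master_password: str, vault: Vault):
    """Return the plaintext, or None if the master password is wrong (tag mismatch)."""
    enc_key, mac_key = _subkeys(derive_key(master_password, vault.salt, vault.iterations))
    expected = hmac.new(mac_key, vault.nonce + vault.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault.tag):
        return None
    stream = _keystream(enc_key, vault.nonce, len(vault.ciphertext))
    return bytes(a ^ b for a, b in zip(vault.ciphertext, stream))


def offline_guess(vault: Vault, candidates):
    """What an attacker with the stolen blob does: try passwords, no server involved.

    Returns (password, guesses_used) or (None, guesses_used). Each guess costs
    one full PBKDF2 run, so the iteration count sets the price per guess; the
    candidate list length sets how many guesses are needed.
    """
    for tried, candidate in enumerate(candidates, start=1):
        if decrypt_vault(candidate, vault) is not None:
            return candidate, tried
    return None, len(candidates)


if __name__ == "__main__":
    # Constructed sample entry; the site password is the kind of string the thread recommends.
    entry = b"github.com: 72^@Bjh81N5QmEN6"
    vault = encrypt_vault("correct horse battery staple", entry)
    assert decrypt_vault("correct horse battery staple", vault) == entry

    # Rough per-guess cost on this machine at the chosen iteration count.
    start = time.perf_counter()
    decrypt_vault("not the password", vault)
    print(f"{vault.iterations} iterations: {time.perf_counter() - start:.3f}s per guess")

    # A short wordlist: the KDF makes each guess slow, but a weak password still falls.
    weak = encrypt_vault("password123", entry, iterations=10_000)
    print(offline_guess(weak, ["letmein", "hunter2", "password123"]))
```

Two things to take from running it: raising `iterations` makes the printed per-guess time grow linearly, which is exactly the knob the self-hosting comment further down the thread is about, and the wordlist attack on `password123` still succeeds on the third guess regardless of that setting. Strength of the master password and cost of the KDF are independent defences; the blob in the cloud is only as safe as the product of the two.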

      • AHopeOnceMore [he/him]B
        ·
        2 years ago

        If someone breaches it, they get everything.

        IMO they are great if you control them yourself and take reasonable precautions, which means not using any public website password managers.

        You can self-host bitwarden, for example. Or use a 100% local one. If you do host something like bitwarden, it's now on you to make sure it's up to date and following best practices, which is pretty annoying.

        • xXthrowawayXx [none/use name]
          ·
          2 years ago

          That’s not quite true of stuff like lastpass or Bitwarden (self hosted or as a service).

          What people get (and got, when they breached lastpass) is a bunch of encrypted data that still needs the master password to unlock once decrypted.

          If it’s really worrisome, pair the master pass phrase with a hardware token and be done.

          • AHopeOnceMore [he/him]B
            ·
            2 years ago

            With Bitwarden, the recent major issue relates to the essential security of getting into the vault itself. Self-hosters like myself needed to pay attention to this and change their settings from the defaults, at the cost of performance, in order to mitigate fairly realistic attacks.

    • GorbinOutOverHere [comrade/them]
      ·
      2 years ago

      right?

      I complained about not being allowed to use old passwords and people were all "just use a password manager" what happens if that gets breached dipshit, let me cycle through obscure old passwords, fuck