LastPass hacked for the second time this year, customer data stolen by hacker


If you use LastPass as a secure password-managing service, things might not be as secure as you think. In August, the password manager disclosed that it had been breached, with an unknown attacker having gained access to LastPass' source code and proprietary technical information. At the time, the company stressed that customers were unaffected and that their data was safe. Now LastPass has had to announce a second breach this year, and in this incident customer data has indeed been accessed and stolen.

According to LastPass' investigation, the same attacker used data taken in August (a cloud storage access key and dual storage container decryption keys) to get hold of a backup of LastPass customer data. That means the individual was able to access billing addresses, telephone numbers, IP addresses, and email addresses saved to users' accounts. That isn't the end of the breach, though, because the attacker also copied a backup of customer vault data, which holds the most sensitive information: usernames, passwords, and saved form-field data. Those fields are stored encrypted, but the vault format also contains unencrypted data such as the website URLs for each entry, which on their own tell an attacker which services a user has accounts with. LastPass claims that no credit card data was accessed, as the service does not store complete credit card numbers.

While information such as email addresses and telephone numbers was not encrypted, the password vaults were, with 256-bit AES. The vault key is never stored by LastPass; it is derived on the user's own device from the master password by password stretching (PBKDF2), so the stolen backup is useless without that password. LastPass therefore claims it would be incredibly difficult for the attacker to actually read the vault contents. That being said, the attacker now holds a copy of the ciphertext and can brute-force the master password offline, with no rate limiting or account lockout to slow the guesses down. The cost of each guess is fixed by the account's iteration setting, and older accounts may still be on a much lower iteration count than the current default, so a weak or reused master password is the real risk here, and a long random one is what keeps the vault out of reach.

The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.

With all this in mind, LastPass says that there is no need to take action at this time unless your master password was not as strong as recommended. This is just the latest in a string of security incidents at the service over the past few years: a 2015 breach in which email addresses, password reminders, per-user salts and authentication hashes were taken, and browser-extension vulnerabilities disclosed in 2017 and 2019.

Source
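The offline brute-force risk described in the article (and the "just use a long random master password" advice that comes up in the replies below) is easiest to see with numbers. The following is an added example, not code from the original post or from LastPass: a simplified model of a PBKDF2-stretched vault key, the attacker's guessing loop against a stolen backup, and the arithmetic behind password length. The e-mail-as-salt construction, the one-round authentication hash, the sample account, the weak password and the mini wordlist are all constructed for this example; the 5,000 and 100,100 iteration counts are the pre-2018 and current LastPass defaults.

```python
"""Added example: what an attacker holding an encrypted vault backup can do.

Simplified model (not LastPass's real code): the vault key is PBKDF2-HMAC-SHA256
over the master password, salted with the account e-mail; a one-round
"authentication hash" of that key is what a guess is checked against.
"""
import hashlib
import math
import secrets
import string
import time

LEGACY_ITERATIONS = 5_000    # pre-2018 LastPass default, still set on some old accounts
MODERN_ITERATIONS = 100_100  # LastPass default since 2018


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client-side stretch of the master password into a 256-bit (AES-256) key.

    The e-mail salt stops one precomputed table from cracking every user at
    once; only the iteration count makes each individual guess expensive.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Verifier derived from the key; an attacker with the backup tests guesses against it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def offline_guess(stored_hash: bytes, email: str, iterations: int, candidates):
    """Attacker's loop: no server round-trip, no rate limit, no lockout.

    Returns (recovered_password or None, number_of_guesses_made).
    """
    tried = 0
    for cand in candidates:
        tried += 1
        if auth_hash(derive_vault_key(cand, email, iterations), cand) == stored_hash:
            return cand, tried
    return None, tried


def guesses_per_second(iterations: int, email: str = "user@example.com", samples: int = 5) -> float:
    """Measure this machine's single-core guess rate at a given iteration count."""
    t0 = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", email, iterations)
    return samples / (time.perf_counter() - t0)


def generate_master_password(length: int = 24) -> str:
    """Uniformly random password over the 94 printable ASCII symbols (CSPRNG)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, rate: float) -> float:
    """Expected time to hit a random password: half the keyspace at `rate` guesses/s."""
    return 2 ** (bits - 1) / rate


if __name__ == "__main__":
    email = "victim@example.com"  # constructed sample account
    weak = "Summer2022!"          # constructed weak master password
    stolen = auth_hash(derive_vault_key(weak, email, LEGACY_ITERATIONS), weak)
    # constructed mini wordlist standing in for a real cracking dictionary
    wordlist = ["password", "letmein", "Summer2021!", "Summer2022!", "correcthorse"]
    print("recovered:", offline_guess(stolen, email, LEGACY_ITERATIONS, wordlist))
    for label, iters in (("legacy", LEGACY_ITERATIONS), ("modern", MODERN_ITERATIONS)):
        rate = guesses_per_second(iters)
        days = expected_crack_seconds(40, rate) / 86_400
        print(f"{label:6} {iters:>7} iterations: {rate:8.1f} guesses/s on one core; "
              f"a 40-bit password falls in about {days:.1f} days")
    pw = generate_master_password(24)
    bits = entropy_bits(len(pw), 94)
    years = expected_crack_seconds(bits, 1e12) / 3.15e7
    print(f"random 24-char password: {bits:.0f} bits; even at 1e12 guesses/s that is {years:.2e} years")
```

The point the numbers make: once the ciphertext is offline, nothing the service does can throttle the attacker, so the per-guess cost (the account's iteration count) and the guess count (master password entropy) are the only two levers, and a legacy 5,000-iteration account gives the attacker roughly a 20x discount over one at 100,100.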
 

Halbour

Putting your passwords onto an online password manager is one way to get yourself hacked at any point in time.
I hope 1Pass is better!

> Tech tip: Never store your passwords on your device. Someone could remotely access your PC and steal your passwords.
Not if you have Bitdefender installed!!
 

Jayro

Maybe storing your passwords outside your home or other secure place that you have exclusive physical access to was never a good idea.


> I would recommend an encrypted USB drive as unlike a smartphone, it can't get hacked while it's disconnected and unlike a notepad, people going through your belongings can't read it.
Samsung's S7 SSD has a fingerprint reader and 256-bit encryption. It's fantastic, even as a crypto wallet.
 

Jayro

> Might I suggest YubiKey in these troubling times? Without physical access to it, your data is even harder to access by a malicious actor.
I had one, got it for free... But the software is confusing as fuck, so I'm definitely not buying one of those.
 

Ryab

> Ironically, I expect most of the people using these methods to be using weak or reused passwords, so you might actually be safer with the LastPass hack if you used a suitable master password.
You just gotta use a 24-32 character password of random letters, numbers, and symbols. A long random password plus some other external authenticator app is your best bet. With that you can just have long random passwords for all sites without having to remember their passwords too.
 

linuxares

Storing your data at home or online doesn't really matter. I can tell you right now most places (Except LogMeIn because they're a bunch of bastards) have higher security than your home router or computer.
 

RedColoredStars

I've used Roboform for years on end. Even if their DB was hacked, good luck decrypting the master password and then the passwords themselves, which are up to 512 characters and randomly generated. I have close to 400 logins/passwords. The only person who writes down or memorizes that many passwords most likely uses the same 1-5 simple passwords for all 400 sites.
 

diggeloid

Lots of bad password advice in this thread. Storing your passwords in a text file or a USB stick is not a good idea:
  • You're less likely to use it due to inconvenience (how do I sign in to something on my phone if my passwords are on a USB stick?)
  • You're less likely to use secure randomly generated passwords (which are practically impossible to brute force)
  • You're more likely to reuse passwords, rather than generate a new one for every single account
  • You're less likely to encrypt your password vault/file
  • You're vulnerable to losing your passwords due to a lot of different factors (bad windows update, dead hdd, ransomware, etc)
This hack isn't that catastrophic (assuming LastPass aren't lying of course). The stolen passwords are encrypted using your master password, so as long as you picked a good one, your only risk is a brute force attack on your master password. And even with that, a brute force attack takes a very long time, and you have a head start with this announcement to change all of your important passwords.

Moral of the story: ALWAYS USE A PASSWORD MANAGER

I use Bitwarden, but even LastPass is still a good choice.
 

Marc_LFD

> I keep mine on a SanDisk USB stick.
Good idea sure, but USB/SD cards can get corrupted so make sure you make at least two copies.

I personally use Bitwarden and yes, I know the risks there are in using a cloud password manager, so stuff such as this is concerning, though I still trust BW. If it happens to BW then I'll look into storing it on a USB or something (not as convenient, albeit safer).

> I use Bitwarden, but even LastPass is still a good choice.
LastPass fucked itself when it decided to change to a subscription service and force users to use one device or whatever. That's what made me switch to Bitwarden.

Kind of feels like LastPass betrayed long-time customers (I used them for many years).
 

kevin corms

No idea why so many people recommend password managers; it's never a good idea to put all your passwords in one place.... I thought this would be common sense.
 

Jayro

> Lots of bad password advice in this thread. Storing your passwords in a text file or a USB stick is not a good idea:
>   • You're less likely to use it due to inconvenience (how do I sign in to something on my phone if my passwords are on a USB stick?)
Newsflash, genius: Your phone can read USB sticks. 🙄
 

tech3475

> You just gotta use a 24-32 character password of random letters, numbers, and symbols. A long random password plus some other external authenticator app is your best bet. With that you can just have long random passwords for all sites without having to remember their passwords too.

My post was about the methods in the post I was quoting and what I expect from most people who use them.

Out of the three the text editor is the best option (particularly if you use something other than notepad which allows encryption), but even then I doubt most people would use an actually strong password like you suggest.
 

impeeza

Our CISO's "security" policy obliges us to use a cloud "password manager". I received an admonishment for not using it and instead using a local password manager with 4096-bit encryption. A few weeks later all my coworkers had to change all their passwords because the "super high secure cloud password manager" got hacked and all the secrets were stolen...

First rule of security: if a bad guy has physical access to your data, it isn't your data anymore.
https://www.marshall.edu/it/departments/information-security/10-immutable-laws-of-security/
 
