LastPass hacked for the second time this year, customer data stolen by hacker


If you use LastPass as a secure password-managing service, things might not be as secure as you think. Earlier this year, in August, the password keeper disclosed that it had been breached, with an unknown hacker having gained access to LastPass' source code and proprietary data. At the time, the company stressed that customers were unaffected by the hack and that their data was safe. Now LastPass has had to announce that it has been hacked for a second time this year, and that in this incident customer data has indeed been accessed and stolen.

According to an internal investigation, the same hacker used the data obtained in August (cloud storage access and dual storage container decryption keys) to get hold of a backup of LastPass customer data. This means that the individual was able to access billing addresses, telephone numbers, IP addresses, and email addresses saved to users' accounts. That isn't the end of the breach, though, because the hacker also copied a backup of vault data, which contains the most sensitive information: usernames, passwords, and saved form-field data. LastPass claims that no credit card data was accessed, as the service does not store complete credit card numbers and information.

While information such as email addresses and telephone numbers was not encrypted, the password vaults were, with 256-bit AES encryption that requires a key derived from the user's master password to access. So despite having this information, LastPass claims that it would be incredibly difficult for the hacker to actually obtain the data from a customer's vault. That being said, there is the potential for someone to either brute force the master password or eventually decrypt the data.

The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with their LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when you sign into your vault from a LastPass client, LastPass will never ask you for your master password.

With all this in mind, LastPass says that there isn't a need to take action at this time, unless your master password was not as secure as recommended. This is just the latest in a string of numerous hacks that the password managing service has suffered over the past few years, with incidents taking place in 2015, 2017, and 2019, all resulting in customer data being accessed by hackers.

 

The Real Jdbye

Tech tip: Never store your passwords on your device. Someone could remotely access your PC and steal your passwords.
Not if they're encrypted.
I put my database on a USB stick so I can use it on my laptop as well, guess it does that too

Tech tip
If you keep that USB stick plugged in it's no different from having the file stored on your PC.
 

kisamesama

Maybe storing your passwords outside your home or other secure place that you have exclusive physical access to was never a good idea.
Post automatically merged:


I would recommend an encrypted USB drive as unlike a smartphone, it can't get hacked while it's disconnected and unlike a notepad, people going through your belongings can't read it.
I see. It sure is less convenient. I will probably self host a password manager
The important distinction here is "self-hosted" which LastPass is not.
if they can hack lastpass, they can hack your self hosted bitwarden; probably easier.
 

RAHelllord

if they can hack lastpass, they can hack your self hosted bitwarden; probably easier.
I don't use bitwarden, but it's also less likely a self-hosted version is as easily discovered as knowing where an online service keeps it. Attacking a large service like lastpass is also just more plain attractive because the hacker would be able to potentially gain access to millions of credentials from millions of people, some of which likely have used the master password more than once, or are able to be phished. With a self-hosted service the usable data set will be much lower, thus worth less, thus they will spend less effort on getting in.
 

Jayro

What does that process look like for you? Bitwarden has autofill on mobile, so when I click on a password field, the autofill button shows up on top of the keyboard. Tapping that takes a fraction of a second.
I never said I used that method, but it would be easy to plug in a USB stick, open ES File Explorer Pro, and open the text file to copy and paste my password. Mere seconds. Sure it's slower, but not cumbersome by any means.
Post automatically merged:

that's why i stick to my method for storing passwords and it works and is 100% hack proof: a usb stick that's never connected to the computer all the time :creep:
Even better: a USB stick programmed to type your password upon insertion. I made one as a backup for my significant other to access my devices whenever I die.
 

ZeroFX

Your brain is a nice place for password storage (provided you aren't brain damaged), better than services like LastPass at least, and yes, you can store big, secure, and different passwords there; just come up with a pattern. But if you want to store passwords somewhere, do it encrypted, locally, with local backups.
 

RedColoredStars

Hahahahahahahahahahahah.

I love it. Last Pass, KeyPass and crap like that are snake oil.

And their clients are idiots for falling in the "secure" motto.

Hahahahahahahahahahahah.

Hahahahahahahahahahahah.

So you didn't read the entire story.

Hahahahahahahahahahahah.

LastPass is still more secure than storing your passwords in a notebook or digitally unencrypted. A person would have to be a complete idiot to use a password manager but still use passwords like abc123 instead of randomly generated and heavily encrypted ones. Sure, user data was stolen. Good luck decrypting the passwords themselves. And for the record, your passwords are already stored online without using a password manager. Every site you log in to has your password stored and any other info you've given them. Any site you belong to could at any point in time be hacked and your info stolen. And it's likely that even after the hack, people's LastPass passwords still have heavier encryption than most websites are storing people's passwords/data with.
 

AlexMCS

There's some controversy about ES File Explorer. Even though it's delisted I still like using it on my Android devices, I guess you could say because of nostalgia and the UI is my favorite (I tried various file explorers and always went back to ESFE Pro).

It's the only Android file explorer I use. It's really the best.

As for security, unless you make your own encryption on top of a secure one, get ready to get cracked some day.
I'd recommend a XOR-based encryption with a variable input value based on a custom function.
 

Jayro

He's afraid of features.
Post automatically merged:

There's some controversy about ES File Explorer. Even though it's delisted I still like using it on my Android devices, I guess you could say because of nostalgia and the UI is my favorite (I tried various file explorers and always went back to ESFE Pro).
Same, the new one sucks. I use the good one.

 

eyeliner

Hahahahahahahahahahahah.

So you didn't read the entire story.

Hahahahahahahahahahahah.

LastPass is still more secure than storing your passwords in a notebook or digitally unencrypted. A person would have to be a complete idiot to use a password manager but still use passwords like abc123 instead of randomly generated and heavily encrypted ones. Sure, user data was stolen. Good luck decrypting the passwords themselves. And for the record, your passwords are already stored online without using a password manager. Every site you log in to has your password stored and any other info you've given them. Any site you belong to could at any point in time be hacked and your info stolen. And it's likely that even after the hack, people's LastPass passwords still have heavier encryption than most websites are storing people's passwords/data with.
I did. Why keep my passes "securely" in an ONLINE service?

Be sheep, boys and gals. Keep on believing in third parties to "secure" your digital life, instead of doing your own due diligence.
 

SylverReZ

I'd recommend a XOR-based encryption with a variable input value based on a custom function.
XOR, MD5, and many other checksums and encryptions are easily crackable by brute force.
 

RHOPKINS13

KeePass is actually really darn secure if you set it up right. You can host your KeePass database on Google Drive or some other cloud service. Use a key file, and it will be extremely difficult to brute force. Copy your key file to your PC, laptop, phone, etc. anywhere you want to have access to your KeePass database from.

Now, for a hacker to get your information, they have to hack BOTH your cloud service account for the database AND your personal device for the key. Add in a secure password on top of that? Very unlikely anybody is going to be able to break into that.

You could take it a step further and host the database yourself rather than on a cloud service. You might already have a NAS at home you can throw it on, or some routers have features to do this built in. Set up dynamic DNS because you most likely have a dynamic IP address, and if you host it using SFTP you can use an SSH key rather than a password to access it (much more secure).

At this point, you're pretty damn safe. Even if somebody did somehow jump through all the hoops to hack into your stuff, that's a ton of work just to break into one person's accounts. You'd have to be a really high profile target for somebody to even consider it. They'd have much better luck either hacking into a system like LastPass or Bitwarden, where they could potentially get access to thousands of user accounts.
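Two points in this thread come down to the same mechanism: the article's note that the stolen vaults are AES-256 encrypted under a key derived from the master password (so a weak master password is the brute-force risk), and the KeePass suggestion above that a key file makes an offline attack on a stolen database far harder. The following is an added illustration, not LastPass's or KeePass's own code and not their real key-derivation parameters: it sketches a composite secret (master password plus optional key file) stretched with PBKDF2-HMAC-SHA256, a stored check value so a client can tell a wrong password from a right one, and a rough defender-side estimate of how long an offline guessing attack on the stolen vault would take for a weak versus a strong master password. The iteration count, the attacker's hash rate and the vault format are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
from typing import Optional

# Illustrative parameters (assumed, not taken from LastPass or KeePass).
ITERATIONS = 600_000   # PBKDF2 work factor: cost of one master-password guess
KEY_LEN = 32           # 256-bit key, matching the article's "256-bit AES"


def composite_secret(master_password: str, key_file: Optional[bytes] = None) -> bytes:
    """Combine the master password with an optional key file.

    Modelled on KeePass's composite-key idea (password + key file); this
    construction is illustrative, not the KeePass file format. Without the
    key file bytes an attacker cannot even begin guessing the password.
    """
    secret = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        secret += hashlib.sha256(key_file).digest()
    return secret


def derive_vault_key(master_password: str, salt: bytes,
                     key_file: Optional[bytes] = None,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the composite secret into a 256-bit vault key (PBKDF2-HMAC-SHA256).

    The salt is stored alongside the vault; the iterations make every guess
    expensive for whoever holds a stolen copy.
    """
    return hashlib.pbkdf2_hmac("sha256", composite_secret(master_password, key_file),
                               salt, iterations, dklen=KEY_LEN)


def check_value(vault_key: bytes, salt: bytes) -> bytes:
    """Stored verifier: an HMAC over a fixed label under the vault key.

    A client compares this with a freshly derived key to reject a wrong
    master password; it reveals nothing about the key beyond equality.
    """
    return hmac.new(vault_key, b"vault-key-check:" + salt, "sha256").digest()


def unlock(master_password: str, salt: bytes, stored_check: bytes,
           key_file: Optional[bytes] = None,
           iterations: int = ITERATIONS) -> Optional[bytes]:
    """Return the vault key if the password (and key file) are right, else None."""
    key = derive_vault_key(master_password, salt, key_file, iterations)
    if hmac.compare_digest(check_value(key, salt), stored_check):
        return key
    return None


def guess_budget(charset_size: int, length: int,
                 iterations: int = ITERATIONS,
                 hashes_per_second: float = 1e9) -> dict:
    """Rough offline-guessing cost for a password drawn uniformly from charset_size^length.

    hashes_per_second is an assumed attacker budget in raw SHA-256 evaluations;
    each password guess costs `iterations` of them, and success is expected
    after searching half the space.
    """
    bits = length * math.log2(charset_size)
    guesses = charset_size ** length
    seconds = guesses * iterations / hashes_per_second / 2
    return {"entropy_bits": round(bits, 1),
            "expected_seconds": seconds,
            "expected_years": seconds / (365.25 * 24 * 3600)}


if __name__ == "__main__":
    # Constructed sample values: a fixed salt and a fake key file.
    salt = bytes(range(16))
    key_file = b"constructed key file contents, normally random bytes"
    key = derive_vault_key("correct horse battery staple", salt, key_file)
    check = check_value(key, salt)
    print("right password + key file:", unlock("correct horse battery staple", salt, check, key_file) is not None)
    print("right password, no key file:", unlock("correct horse battery staple", salt, check) is not None)
    print("8 lowercase letters:", guess_budget(26, 8))
    print("6 diceware words:", guess_budget(7776, 6))
```

The numbers `guess_budget` returns are the point of the article's warning: at the assumed rate an eight-lowercase-letter master password falls in a couple of years of offline guessing against a stolen vault, while a six-word passphrase is out of reach, and with a key file the stolen vault alone gives the attacker nothing to guess against. Raising the iteration count scales the attacker's cost linearly, which is why the work factor matters once the ciphertext is in someone else's hands.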
 

toolazytosearchitmyself

I don't know exactly what LastPass does and doesn't do on their end, but for any sort of security related solutions companies should have dedicated cyber-security teams to minimise the risk of a breach. All customer data should be encrypted, not just the passwords.
 
