LastPass hacked for the second time this year, customer data stolen by hacker


If you use LastPass as a secure password-managing service, things might not be as secure as you think. Earlier this year, in August, the password manager disclosed that it had been breached, with an unknown hacker having gained access to LastPass' source code and proprietary data. At the time, the company stressed that customers were unaffected by the hack and that their data was safe. Now LastPass has had to announce that it has been hacked for a second time this year, and that in this incident customer data has indeed been accessed and stolen.

According to an internal investigation, the same hacker used the data obtained in August (cloud storage access and dual storage-container decryption keys) to get hold of a backup of LastPass customer data. This means the individual was able to access billing addresses, telephone numbers, IP addresses, and email addresses saved to users' accounts. That isn't the end of the breach, though, because the hacker also copied a backup of vault data, which contains the most sensitive information: usernames, passwords, and saved form-field data. LastPass claims that no credit card data was accessed, as the service does not store complete credit card numbers and information.

While information like email addresses and telephone numbers was not encrypted, the password vaults were, with 256-bit AES encryption that requires a key in the form of the user's master password to access. So despite having this data, LastPass claims it would be incredibly difficult for the hacker to actually obtain the contents of a customer vault. That said, there is the potential for someone to brute-force a master password and eventually decrypt the data.

The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.

With all this in mind, LastPass says that there isn't a need to take action at this time, unless your master password was not as secure as recommended. This is just the latest in a string of hacks that the password-managing service has suffered over the past few years, with incidents in 2015, 2017, and 2019, all resulting in customer data being accessed by hackers.

Source
 

RedColoredStars

I did. Why keep my passes "securely" in an ONLINE service?

Be sheep, boys and gals. Keep on believing in third parties to "secure" your digital life, instead of doing your own due diligence.

You better just disconnect from the grid altogether. I promise you, people already have access to your passwords. Might lower your monthly tin foil expenses too.
 

KitChan

Lots of bad password advice in this thread. Storing your passwords in a text file or a USB stick is not a good idea:
  • You're less likely to use it due to inconvenience (how do I sign in to something on my phone if my passwords are on a USB stick?)
  • You're less likely to use secure randomly generated passwords (which are practically impossible to brute force)
  • You're more likely to reuse passwords, rather than generate a new one for every single account
  • You're less likely to encrypt your password vault/file
  • You're vulnerable to losing your passwords due to a lot of different factors (bad windows update, dead hdd, ransomware, etc)
This hack isn't that catastrophic (assuming LastPass aren't lying of course). The stolen passwords are encrypted using your master password, so as long as you picked a good one, your only risk is a brute force attack on your master password. And even with that, a brute force attack takes a very long time, and you have a head start with this announcement to change all of your important passwords.

Moral of the story: ALWAYS USE A PASSWORD MANAGER

I use Bitwarden, but even LastPass is still a good choice.
Randomly generated password is unnecessary, nor is adding numbers and symbols. Length of the password and multiple characters (as opposed to 'aaaaaaaaaaaaaaa') is what matters.

A sentence you can remember and don't need to write down is a secure password. You can come up with different sentences and associate them with each website.
 

Kioku

Randomly generated password is unnecessary, nor is adding numbers and symbols. Length of the password and multiple characters (as opposed to 'aaaaaaaaaaaaaaa') is what matters.

A sentence you can remember and don't need to write down is a secure password. You can come up with different sentences and associate them with each website.
"nor is"... So, do you think numbers and symbols are necessary or not?

If not, that's not entirely true. Sure, length adds on a lot to the time of a brute force, but adding in numbers and symbols adds on that much more. To deem them unnecessary is illogical. Whether or not you choose to use them is up to you.
 

kisamesama

I don't use bitwarden, but it's also less likely a self-hosted version is as easily discovered as knowing where an online service keeps it. Attacking a large service like lastpass is also just more plain attractive because the hacker would be able to potentially gain access to millions of credentials from millions of people, some of which likely have used the master password more than once, or are able to be phished. With a self-hosted service the usable data set will be much lower, thus worth less, thus they will spend less effort on getting in.
If your self-hosted password server gets hacked, you probably wouldn't even know it was hacked. The "advantage" of a big firm is that they do frequent audits, and while they are more prone to attacks, at least you know it was hacked and can take necessary actions.
 

eyeliner

You better just disconnect from the grid altogether. I promise you, people already have access to your passwords. Might lower your monthly tin foil expenses too.
Nope, not a tinfoil freak. I know full well how "secure" your passwords are kept, friend.

That's why these tools are food for retarded people.
 

DinohScene

Nobody can beat pen and paper encryption. If someone breaks in your place there is a slim chance that the thief will open all your books to find the exact one with the password of the google drive where you stored the pictures of your penis, but I take the risk.

Literally this.
Altho I have to admit that I'm a little lazy when it comes to writing it down.
 

RedColoredStars

Literally this.
Altho I have to admit that I'm a little lazy when it comes to writing it down.

You should literally grab a dictionary and learn what the word literally means. Pen and paper "encryption" is not encryption whatsoever. I get your notepad, I have your passwords. Literally. Let's see you decrypt my Roboform passwords, after you decrypt my master password. LOL! People who think writing passwords down in plain txt is more secure than a 20 character, randomly generated, fully encrypted password are retarded.
 

eyeliner

Literally this.
Altho I have to admit that I'm a little lazy when it comes to writing it down.
Well, I use the password reset features on some sites quite often.

My modus operandi has been deciding on the special character of choice and a few meaningful words with a relevant number.

You got my password for that dubious content website where I peruse MILFs being stuck under tables, couches or washing machines? Good! Help me discern the quality of the script.
 

Deleted member 194275

You should literally grab a dictionary and learn what the word literally means. Pen and paper "encryption" is not encryption whatsoever. I get your notepad, I have your passwords. Literally. Let's see you decrypt my Roboform passwords, after you decrypt my master password. LOL! People who think writing passwords down in plain txt is more secure than a 20 character, randomly generated, fully encrypted password are retarded.
Paper is more secure against cyber attacks than any fancy encryption that exists, what is so retarded about that?

Also, if you physically get access to my home, how will you find the lists of my important passwords if even I have lots of trouble finding them myself? And why would you read through my notes and open my books instead of stealing my TV or whatever and getting away as fast as possible?
 

G25900

I've lost count of the amount of times websites have been hacked, I literally get flooded with spam every few months when the next scumbag grabs my email from one of the leaks.

The chance of a site getting hacked is significantly higher than your house getting broken into, so keeping them written down is overall safer, more so if you create your own cipher for it. People breaking in aren't really bothering to search paper anyway, they want valuables, so more than likely they won't even realise what it is nor even be interested in them unless it's blatantly bank details.

Write them down and pick a decent hiding spot on the slim chance you are robbed.
 

Dontuuch17


There's some controversy about ES File Explorer. Even though it's delisted I still like using it on my Android devices, I guess you could say because of nostalgia and the UI is my favorite (I tried various file explorers and always went back to ESFE Pro).
That's about the gist of it. I'd rather use material files or mixplorer. Less scummy stuff going on.
 

RedColoredStars

Paper is more secure against cyber attacks than any fancy encryption that exists, what is so retarded about that?

Also, if you physically get access to my home, how will you find the lists of my important passwords if even I have lots of trouble finding them myself? And why would you read through my notes and open my books instead of stealing my TV or whatever and getting away as fast as possible?

So you're telling me plain text is more secure? LMFAO! That's just flat out STUPID. And if I was a criminal out to get you, I couldn't care less about your tv because I already have a 75" OLED. I'd go after your personal info to try to do some real damage. Things like your wallet, checkbooks, phone, laptop, and yes, notebooks/notepads. The majority of people who write their passwords down, keep them close by their computer. Not all criminals are like the ones in Home Alone. Despite how much you might like to think they are.
 

Marc_LFD

For those on here who are against cloud password managers, I hope they're not the same ones who use Face Unlock and have their face all over the web.

Face Unlock creeps me the fuck out way more than a cloud pass manager.
 

MSX

Let's see you decrypt my Roboform passwords, after you decrypt my master password. LOL! People who think writing passwords down in plain txt is more secure than a 20 character, randomly generated, fully encrypted password are retarded.
THIS.

Never before have I seen so many bad takes on password managers. Do you people seriously think writing down (most likely) small variations of the same 3 passwords is safe? A site gets hacked, now the attackers know to try that password on multiple other sites. For those who might say "oh I always create a new password for every place I sign up," it gets harder every time to think of a new secure password, doesn't it? Not using something that can randomly generate long, encrypted passwords is bad op sec. Take it from someone who is in IT, and our group is always in contact with our Cyber group because our company's users are always getting their passwords stolen (albeit most of the time through phishing, except for one genius who plugged his laptop straight into their modem, bypassing their router, and immediately fell victim to a password spray attack).
 

I_g_o_r

Unhackable passwords is the solution. They are not stored in any place, therefore they can not be hacked, damaged, stolen, broken, confiscated, etc.
 
