[HN Gopher] LastPass breach gets worse
___________________________________________________________________
LastPass breach gets worse
Author : sunbum
Score : 564 points
Date : 2023-01-25 09:27 UTC (13 hours ago)
(HTM) web link (old.reddit.com)
(TXT) w3m dump (old.reddit.com)
| andrewmcdonough wrote:
| One of the most frustrating things about the LastPass leak is
| that they still haven't provided all the information needed to
| determine whether a customer is at risk.
|
| For example, it's clear backups were stolen, but they won't say
| how old the backups were, or what their retention policy is. So
| even if you changed your password to a stronger one, with more
| rotations, it may be that the attacker got hold of very old
| backups with weaker security. I've asked their support team for
| information about time windows of backups stolen, if they have a
| retention policy and whether it was adhered to, but they won't
| share that information. Instead we are left with a blog post that
| is more than a month old, no recent updates, and questions
| remaining unanswered. I'm a paying 'enterprise' customer, and
| they are meant to be ISO 27001 compliant, so a retention policy
| should be a pretty simple thing to share.
| selykg wrote:
| At this point you should assume you're breached. If they aren't
| going to give you the details, you should assume the worst.
|
| I have asked all of my team to change their passwords. We use
| LastPass via our parent company and will be switching off
| LastPass soon for our team. LastPass never would've been my
| choice, it was made before I joined.
|
| But assume you're breached, change it all now, and ideally
| you're not going to stay with LastPass. Their communication
| sucks, which is just icing on the cake in this entire
| situation.
| andrewmcdonough wrote:
| That's good advice. I already made that assumption when the
| leak was first publicised and changed all of my important
| passwords the same day. I'm just trying to decide whether
| it's worth changing the hundreds of other low value passwords
| that were once stored in LastPass. I migrated to another
| service a few years ago, but I'm concerned the attackers have
| got hold of older backups, containing sensitive data that I
| had deleted, but with LastPass's poor communication, there is
| no way of knowing.
| deadfece wrote:
| Export from LP and start migrating, starting with changing
| common social IdPs like Google, Facebook, Twitter, Github,
| Apple, Microsoft/Live/Xbox/Outlook. Update the password of
| remote access programs like Parsec, and your cell phone
| provider's password. Then go through your TOTP generator and
| start changing everything in your TOTP generator (especially
| since you might be using LP Authenticator - if you are, then
| move to a different authenticator at the same time). Next:
| banking, your work payroll, investment accounts, Tax/IRS,
| shopping. From here on out start going through the list by
| the amount of money involved. If you doubt that then go
| through them ordered by the amount of data involved.
|
| If you get lost and stuff seems too hard, if your replacement
| product lets you sort by age then just sort by oldest and hit
| 5 today. Hit 5 more tomorrow. Keep chipping at it. At this
| point you might as well change one every single day.
| azinman2 wrote:
| I've always felt like there's a startup in there that can
| reliably change all your passwords for you. Probably
| something like one time $299, which sounds expensive, until
| you realize the pain of doing this.
| ryandrake wrote:
| Depending on how it was implemented, that could just
| increase the attack surface. Assuming it's a cloud
| service, now we have another company that has all your
| passwords, that can be breached. A better way would be
| desktop software that runs on your local machine and logs
| in to each web site by itself and changes all your
| passwords, without using any remote compute or storage,
| outputting a _local file_ with all your new passwords
| (don't make the same mistake again using a cloud
| password manager).
| azinman2 wrote:
| I imagined this was local. I think it would be very
| difficult to trust it otherwise.
| sorokod wrote:
| Attack surface will increase regardless of
| implementation. It is another point that can be attacked,
| one that did not exist before.
| selykg wrote:
| Ironically... isn't that something LastPass does for you?
|
| https://www.pcworld.com/article/430756/nifty-new-lastpass-da...
|
| This is an old article, no idea if the feature still
| exists or not.
| artificial wrote:
| Vault rotation++. I was bitten by this switching
| authenticators when one didn't have an export at the
| time. It was such a massive pain to login and remove,
| add, setup and annotate, store secrets and repeat.
| paradox242 wrote:
| This was also the final straw for our organization, we have
| initiated a company-wide reset of any credentials stored in
| their service (thanks, LastPass) and are definitely not
| going to be renewing. The frequency of recent breaches, and
| especially the opaque manner in which they have been handled
| have destroyed any credibility they may have once had with
| regard to being trustworthy enough to store important
| secrets.
| panarky wrote:
| _> definitely not going to be renewing_
|
| That reads like you're resetting credentials and then
| putting the new credentials back in LastPass, and then
| possibly maybe moving away from LastPass at some point in
| the future.
|
| Given how little LastPass has disclosed, and the negligence
| we already know about, we should not only assume we're
| breached, but we should also assume LastPass is still
| storing critical data in cleartext, they don't have a "zero
| knowledge architecture", and their systems are still
| vulnerable to intrusion and exfiltration.
| nicce wrote:
| If you are in EU, according to GDPR, they should share
| information so that you can evaluate the risk. Otherwise they
| are breaking the law.
| burnte wrote:
| "One of the most frustrating things about the LastPass leak is
| that they still haven't provided all the information needed to
| determine whether a customer is at risk."
|
| Yes they have. They had a breach, and lied about it. You can't
| trust anything about them now. Assume a total breach and move
| on.
| phpisthebest wrote:
| The biggest problem here is for former customers.
|
| What if you closed your account 5 years ago, did they still
| have backups?
| sedatk wrote:
| "Assume total breach" implies to update everything you had
| with them regardless of the timeframe.
| phpisthebest wrote:
| I assume for many people that is easier said than done
| sedatk wrote:
| It is, hence the gravity of the situation.
| vasco wrote:
| There's ISO compliance and there's ISO "compliance". I'm pretty
| sure if most shops were honest they wouldn't be compliant, but
| more like compliance-inspired.
| bee_rider wrote:
| ISO compliance, a la "banana" or "strawberry" flavor.
| _fat_santa wrote:
| The title should be updated to reflect that this wasn't data
| from LastPass but from other products under the GoTo umbrella.
|
| > Our investigation to date has determined that a threat actor
| exfiltrated encrypted backups from a third-party cloud storage
| service related to the following products: Central, Pro,
| join.me, Hamachi, and RemotelyAnywhere.
| [deleted]
| bombcar wrote:
| Even if you change all your passwords NOW you've still had the
| metadata of where you have accounts leaked.
| ShredKazoo wrote:
| In principle, your passwords _might_ be stored as a JSON blob
| encrypted using a key derived from your master password. In
| which case that metadata _could_ still be secure. I doubt it
| though.
| lolinder wrote:
| LastPass already admitted that the metadata was all leaked.
| Usernames and passwords were encrypted, but all else seems
| to have been in the clear.
| ThunderSizzle wrote:
| Based on what happened to my wife, if the password was
| encrypted, breaking it was trivial
| lolinder wrote:
| She probably had an account that had a very low number of
| iterations. LastPass never updated those unless someone
| knew to do it manually, so if it was an old account she
| likely had 5,000 iterations out of the recommended
| minimum of 100,000.
| william_T wrote:
| Just checked, mine is 5,000.
| lolinder wrote:
| Yep. And the sucky thing is that the only recourse at
| this point is to reset all your passwords, because what
| was leaked was the low-iteration vault. Changing it now
| only saves you for future leaks.
| emodendroket wrote:
| Do they even know?
| phpisthebest wrote:
| >>they are meant to be ISO 27001 compliant
|
| means that some auditor, met with someone that does not know
| anything, and checked boxes in a form.
| tallanvor wrote:
| Honestly, even before this latest update, it's safest to assume
| that your data will be decrypted at some point, and get started
| changing everything now.
|
| Luckily I had already switched over to Bitwarden, but I still
| had around 250 accounts to go through, although about 40
| entries ended up being duplicates, defunct sites/products, or
| so old that the accounts were already deleted due to
| inactivity.
|
| If you haven't started rotating all of your credentials
| already, this news should definitely get you started on it!
| slantedview wrote:
| I did the Lastpass->Bitwarden migration around Christmas, and
| it was probably 6 hours all told just changing passwords for
| the accounts I administer. The good thing is, you get pretty
| fast at changing them after a while.
| adamsb6 wrote:
| I never expected I'd experience such joy at a website failing
| to load, or to see it had been turned into a completely
| different business that doesn't even have a login form.
|
| Thanks, LastPass!
| rishabhkaul1 wrote:
| If I have 2FA set up, would I still need to change the passwords
| (despite the leak)?
| coder543 wrote:
| If everyone knows the password, then it's really just 1FA at
| that point. If you want it to remain 2FA, then yes, you would
| need to have a new password.
| thenickdude wrote:
| 2FA bypass bugs on websites are common, e.g. this PayPal bypass
| that stemmed from them allowing their own app through without
| 2FA, since their app didn't support 2FA at the time:
|
| https://duo.com/blog/duo-security-researchers-uncover-bypass...
| acdha wrote:
| MFA means that you're not immediately exploitable. It doesn't
| mean that you can't be phished -- and remember that someone
| with your LastPass vault can make some pretty convincing
| targeted phishing messages -- if your 2FA is anything other
| than a FIDO2/WebAuthn key. This has become routine and there
| are toolkits for attackers to make it easier so it's definitely
| not an emergency but not something you want to slack on.
|
| It also doesn't help if there's any way around the MFA
| process. For example, could the attacker convince a
| minimum-wage support person / chatbot that you need to reset your MFA?
| Many companies skimp mercilessly on support costs and that
| makes this easier than it should be. I've even seen sites where
| your MFA can be reset using an email challenge!
| Toutouxc wrote:
| What does everyone think about just using Apple's Keychain for
| everything? Seems that for Keychain the most serious threat is
| actually being rando-banned by Apple and losing access to my
| stuff.
| andybak wrote:
| One would have to exist solely in the Apple ecosystem for this
| to be viable, surely? Surely most people on HN have at least
| one device that isn't Apple!
| crooked-v wrote:
| There's a Windows app for iCloud to show passwords, but it's
| very basic.
| xattt wrote:
| For Google Chrome only.
| hnrodey wrote:
| I tried this app, I thought it was very elementary and a
| very sub-par experience for myself as the user. I would not
| recommend.
| Toutouxc wrote:
| Yes, it's only convenient on Apple devices. But it's still
| doable if you don't access that much stuff on other devices,
| e.g. when I need to access something on my Windows computer
| (which basically exists to run Microsoft Flight Simulator), I
| just manually retype passwords from my iPad.
| KyleBerezin wrote:
| I'm not sure about Apple's cloud stuff, but the keychain is
| actually just a file on your system. It is password protected,
| but it is just your login/sudo password (depending on which
| file it is).
|
| I just had my keychain corrupt last night while I was testing
| the SecItemAdd API. So keep that in mind, maybe make backups. I
| was pretty shocked that you can corrupt the keychain using just
| the API, the entire security process started to lock up too. I
| had to (manually!) delete the entire keychain and start from
| scratch. Luckily I don't rely on it much.
|
| It is worth noting that after you back it up to a remote
| location, it may not be a very secure concept anymore.
| tokamak-teapot wrote:
| You can export your keychain and import into other password
| managers, if you have access to a Mac. I doubt this can be
| automated, though, and passkeys will need another solution.
| wrldos wrote:
| I use a mix of Keychain and MacPass (keepass compatible). I
| will add something to MacPass, then sign in with it and let
| Keychain remember it. Notes however:
|
| 1. I do not use the MFA capability of Keychain at all. Putting
| your MFA, username and password in the same store is fucking
| stupid. I have a hardware TOTP token. Backup codes for that are
| however kept in Keepass.
|
| 2. I keep an offline backup of everything. Never trust a cloud
| backup!
|
| 3. All vendors are ephemeral, regardless of their size.
| Everything I have I have a carefully planned exit plan for.
|
| As other people have pointed out, your keychain is on disk, but
| if you lose the Mac and find out your MFA codes don't work or
| something (this does happen) then you're SOL. Keep a backup.
| kstrauser wrote:
| Keychain is perfectly fine if you're all in on Apple stuff. I
| am, so I could start using it today. A downside is that it
| doesn't have much in the way of a dedicated UI, especially on
| iPad/iPhone. Compare the 1Password app to Settings > Passwords
| on a phone. Keychain also _only_ handles passwords, and not
| TOTP, notes, software licenses, etc.
| lampshades wrote:
| This is what I have been doing since migrating away from
| LastPass. It has been great so far (and free). I'd say that I
| wish I could share passwords like in LastPass/1Pass but
| honestly my wife always struggled with that, so it's easier to
| just AirDrop a credential if we need to share. It's also
| integrated so well with Apple products that my wife was using
| it without even realizing it. I suspect the same will happen
| with my daughters.
|
| If you're an Apple house, it's a great solution.
| shp0ngle wrote:
| I honestly don't want to be locked out of my passwords, just
| because Apple decides to block my account for "abuse", because
| I use iTunes Music Fitness Plus from wrong country or whatever.
|
| There are all these "lol we blocked you for abuse, good luck
| doing anything :^) I guess complain on twitter lol" horror
| stories that I don't want to be locked down to one provider
| that does _everything_, the way Google or Apple does.
|
| Even the fact that I have all e-mail at Google that can
| randomly ban me for "abuse" makes me scared, but I don't want
| to figure out how to move all my mail history to ProtonMail or
| AOL or whatever. I will need to have that as a risk.
| Double_a_92 wrote:
| I think we seriously need legal regulation for that. A
| company should not be able to take your personal data hostage
| like that. If they really want to ban you, you should at
| least be able to legally request a copy of all your data.
| wildrhythms wrote:
| The Apple Keychain items are stored locally in
| ~/Library/Keychains
| ChrisMarshallNY wrote:
| This is true. Apple can't lock you out of your keychain.
| You can register with them to have an unlock key, but that
| is different.
|
| For me, I find the Keychain to be too chaotic. I use
| 1Password.
| ghusto wrote:
| I moved to Protonmail for precisely this anxiety, and can
| tell you that there's not much to "figure out". It's pretty
| painless, they have a guide for it, and despite what I think
| about Google, their "Take Out" service isn't too bad.
| ChoGGi wrote:
| Updated a blog post from November in January, classy move.
|
| Not to mention
| https://en.wikipedia.org/wiki/LastPass#Security_incidents
| emodendroket wrote:
| I use them too, but password managers feel like they're building
| atop a poor foundation. I'd like if we could go further in the
| direction of site login using a big, well-known identity provider
| (sure, let there be some independent one if you don't want to
| trust Google or Facebook). Failing that, this incident does show
| the virtue of the old-fashioned method of writing down the
| passwords and keeping them somewhere safe.
| LastTrain wrote:
| I spent part of my holiday break cleaning up after this mess,
| resetting hundreds of credentials. On the plus side, it provided
| a much needed opportunity for some house cleaning.
| lampshades wrote:
| Did the same. Took several days but feels good to not have to
| worry about LastPass anymore.
| d23 wrote:
| It also made me realize just how many sites have broken or
| missing password reset flows.
| aledthemathguy wrote:
| If I closed my LastPass account a year ago (migrated to a
| different password manager), am I in a problem?
| ubermonkey wrote:
| It sure sounds like they're doomed.
| richiezc wrote:
| There is only 1 rational course of action: (1) export and delete
| your LastPass account, (2) import to a new PW manager (in my case
| Bitwarden), (3) change all your passwords.
| bjt2n3904 wrote:
| And my stance against "cloud based password managers" -- and
| really, paid password managers -- is vindicated. Never!
|
| I have evolved a little on using software to track passwords
| though, and I'm using Unix Pass quite happily now. It's just a
| short bash script that is very readable, and uses GPG as a
| backend.
|
| Edit: What's doubly nice is how elegantly it scales from a simple
| folder of gpg encrypted text files to a multi user synchronized
| git repository on everyone's phone.
|
| But all that's optional, and only requires you to trust other
| tools that you already regularly depend on.
| gsk22 wrote:
| That might be fine for the HN crowd, but cloud password
| managers are still the best solution out there for the typical
| person.
| insane_dreamer wrote:
| Moved everything important off LastPass a while back; still using
| it for convenience on pwds/accounts that I don't care that much
| about, but using KeePass offline for anything of consequence. Not
| really ready to trust Bitwarden.
| [deleted]
| finnh wrote:
| After using LastPass for years, this breach led me to do
| something I should have done long ago: remove my bank account &
| email account passwords from it (and change them, of course). My
| wife did the same thing. At some point I'll probably switch
| password managers, but the basic realization was that those
| passwords are qualitatively different than the rest and should
| never, ever be trusted to any password manager.
|
| So now I remember ~3 passphrases, instead of 1, and sleep much
| better at night.
| latchkey wrote:
| This logic is like learning that most accidents occur within 50
| miles of your home and then moving 51 miles away.
|
| Why would you remove those bits of information and also not
| switch password managers too?
| [deleted]
| deltarholamda wrote:
| I was always a bit wary of these services. They sound great,
| and the convenience is amazing, but I have not much of an idea
| how everything works behind the curtain.
|
| I went with unix pass installed inside of a FreeBSD jail. It's
| more complex than auto-filling with a browser plugin (though
| those exist), but as long as I can get an SSH terminal I can
| get to my passwords, and various other bits of data. You have
| to allow password login from sshd (which isn't ideal, but I was
| going for "access from anywhere I can get an SSH session"), so
| your passphrase had better be good. And you need to have
| terminal discipline to be sure you clear the screen if
| shoulder-surfing is an issue.
|
| But it has the advantage of knowing exactly what's going on at
| all times. And, for added benefit, there are only a handful of
| things you need to have printed out and stored in a safe or
| whatever so that your family can access all of the encrypted
| important stuff if you get struck by lightning.
| coder543 wrote:
| > I went with unix pass installed inside of a FreeBSD jail.
|
| > And, for added benefit, there are only a handful of things
| you need to have printed out and stored in a safe or whatever
| so that your family can access all of the encrypted important
| stuff if you get struck by lightning.
|
| Presumably this print out includes an instruction manual for
| using FreeBSD, opening a terminal on a FreeBSD machine,
| launching a shell inside a jail, and accessing this "user
| friendly" software? Exactly how technical is your family?
|
| Forgive my disbelief that this is an actual solution for
| anyone but yourself.
|
| > but I have not much of an idea how everything works behind
| the curtain
|
| You could choose to learn:
| https://1passwordstatic.com/files/security/1password-white-p...
|
| Any good password manager documents this stuff very well.
| LastPass has a very shallow white paper that constantly
| refers to encrypting "sensitive data", but they never define
| what that sensitive data _is_, which is suspicious, and it
| turns out that LastPass _doesn't_ encrypt everything, which
| everyone who cares about this stuff has known for years. In
| the 1Password document, they talk about how every item in the
| vault is encrypted, and every item contains various fields
| such as Title, URL, etc. 1Password encrypts _everything_.
|
| 1Password also talks about the benefits of using a user
| password _plus_ a generated 128-bit "Secret Key" (2SKD),
| which is a security feature I strongly appreciate.
| deltarholamda wrote:
| >Presumably this print out includes an instruction manual
| for using FreeBSD, opening a terminal on a FreeBSD machine,
| launching a shell inside a jail, and accessing this "user
| friendly" software
|
| I never said, nor meant to imply, that it was user
| friendly. But, yes, showing a moderately intelligent person
| how to access it is easily done with a set of instructions,
| maybe a single printed page. Not "user friendly," but
| certainly usable. If I am a smoldering corpse, they can
| rescue whatever is stored there relatively easily. Since
| the software is ridiculously stable, the instructions will
| be equally stable.
|
| It's not a universal solution by any means. I tossed it out
| there as an alternative. I'm sure you really love
| 1Password, and if it works for you, fantastic. I'm
| distrustful of any service in general, but maybe 1Password
| is 100% rigorous in all of their security measures. I have
| no idea, as I don't work there, or know anybody who works
| there. I'm relatively confident in mine, as I built every
| step of it (which wasn't much), and it has very few moving
| parts.
| ericpauley wrote:
| I disagree, mostly because the password manager is more than
| just a place to store passwords. The origin binding also
| prevents you from typing the password on the wrong domain. For
| many people they're probably more likely to get phished for a
| memorized password than pwned for a managed password.
| hunter2_ wrote:
| I wonder if there's an app/extension that streamlines
| remembering/autofilling usernames but not passwords. I doubt
| many people would be into it, but it would be the best of
| both worlds for the case you describe, I think.
|
| Or simply a personal allow list of origins, with a happy
| green indicator prominently overlaid onto login forms on
| those origins you've saved -- doesn't even need username
| storage.
|
| Maybe even a community-sourced allow list, but that would
| need some seriously trusted management (including purging
| upon domain registration expiry/transfer) but that would
| mostly duplicate the domain warnings that browsers already
| offer, anyhow.
| swyx wrote:
| I've thought of a mitigation for this: always intentionally
| enter the wrong password on the first try. If you're being
| phished, you'll notice when the wrong password gets you in.
| eviks wrote:
| A much more convenient mitigation: create an item without
| a password, so it would autofill the username (and not autofill
| if you're being phished, since the domains wouldn't match), so all
| you'd have to do is enter the password from memory.
| function_seven wrote:
| I thought some phishing attacks act as a relay or
| middleman? I don't know how common that is.
| coder543 wrote:
| 100% correct. You might have 2 factor enabled, so they
| also need to check that and phish the 2FA code as well.
| That 2FA code expires quickly, so it needs to be used in
| real time to get a session.
|
| I'm sure there are some very basic phishing attacks that
| just save whatever you entered, but... let's avoid trying
| to come up with "clever hacks" that only lend a false
| sense of security.
| eviks wrote:
| You can create an item without a password for this purpose.
| It would show an indicator if you have an account at a given
| domain, and would even autofill the user name. But you still get
| to save the critical password from the poor security of
| password managers. Win-win.
| coder543 wrote:
| > the critical password from the poor security of password
| managers
|
| Just because one restaurant has a bad health inspection
| score and is constantly making everyone who eats there sick
| does not mean all restaurants are bad. People who just lump
| "password managers" into one group are fundamentally
| assuming that one bad password manager means that all
| password managers are automatically bad, we just somehow
| don't know it yet. Don't bother eating at restaurants ever
| again if you feel that way, I guess. I know people who have
| gotten sick eating at restaurants, but that doesn't stop me
| from finding good restaurants.
|
| _Most_ password managers have a very good security track
| record. Users creating and remembering their own passwords
| _does not_ have a good security track record at all.
|
| Better to use a completely offline password manager (which
| risks you losing your backups or getting into a conflicting
| sync state) than no password manager at all, but a password
| manager that actually encrypts all your data end to end
| (which LastPass _does not_) and _requires_ a strong key to
| unlock (such as the 2SKD method, which again... LastPass
| does not) is extremely safe, even if you don't trust "the
| cloud", because you don't need to trust the cloud.
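| As an added example (not from any commenter or product), here is the
| origin-binding check ericpauley and eviks describe, written the way a
| password manager decides whether to offer a saved username: the page
| origin must match the saved origin exactly, so lookalike hosts,
| subdomains, an http downgrade or a userinfo trick get nothing. The
| saved entries and hostnames are constructed placeholders, and the
| strict exact-origin policy is an assumption (real managers vary).

```python
from urllib.parse import urlsplit

# Constructed sample vault: entries keyed by the exact origin they were saved on.
# The hostnames are placeholders, not real sites.
SAVED_ORIGINS = {
    "https://bank.example": "alice",
    "https://mail.example": "alice@mail.example",
}


def origin_of(url: str):
    """Normalise a URL to (scheme, host, port), or None if it is not an http(s) URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    port = port or (443 if parts.scheme == "https" else 80)
    # hostname is already lower-cased by urlsplit; drop a trailing dot (FQDN form)
    return (parts.scheme, parts.hostname.rstrip("."), port)


def autofill_username(current_url: str):
    """Offer the saved username only when the page origin matches a saved origin exactly.

    Subdomains, lookalike suffixes (bank.example.evil.example), http instead of
    https, odd ports and user@host tricks all fail closed: no match, no autofill,
    which is the phishing signal eviks relies on."""
    current = origin_of(current_url)
    if current is None:
        return None
    for saved_url, username in SAVED_ORIGINS.items():
        if origin_of(saved_url) == current:
            return username
    return None


def naive_contains_match(current_url: str) -> bool:
    """The mistake the strict check avoids: substring matching on the raw URL."""
    return any(origin_of(saved)[1] in current_url for saved in SAVED_ORIGINS)


if __name__ == "__main__":
    for url in ("https://bank.example/login",
                "https://bank.example.evil.example/login",
                "http://bank.example/login",
                "https://bank.example@evil.example/"):
        print(f"{url:45} strict={autofill_username(url)!r:10} naive={naive_contains_match(url)}")
```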
| criddell wrote:
| That's a good point that I hadn't thought of before.
|
| I used LastPass for years and switched to BitWarden a couple
| of years ago. I did delete my LastPass account after
| switching, but I have zero confidence that they actually
| deleted my data.
|
| Fortunately, my master password from back then is long and
| complicated.
| smt88 wrote:
| It is absolutely insane that you're going back to LastPass
| after this. We have no reason to believe they're not still
| fully compromised.
|
| Switch to 1Password. It takes ~5 min to export and import.
| toomanyrichies wrote:
| I just migrated over to 1Password and deleted my LastPass
| account. Better late than never, I suppose.
|
| It was surprisingly easy; for all of LastPass's faults, at least
| they don't use shady vendor lock-in practices (like making data
| export needlessly difficult). And 1Password has a
| LastPass-specific import page, which made the migration dead easy.
| lampshades wrote:
| Hopefully you reset all your passwords and didn't just migrate
| over.
| throw_pm23 wrote:
| Honest question: what's the point of password managers? By
| migrating from one to the other, aren't you exposing yourself
| to the exact same risk?
| tomsmeding wrote:
| The point is to allow oneself to use a different password for
| each website, and strong ones at that. The time required to
| memorise a large number of strong passwords is significant,
| and a password manager alleviates that.
| throw_pm23 wrote:
| Why not store them locally (in a file on your laptop) or on
| a piece of paper in your wallet?
| a10c wrote:
| I don't have my laptop with me everywhere I go and use my
| phone, iPad etc to log in to services.
| foundart wrote:
| What happens if your laptop is stolen or its hard drive
| fails or you lose your wallet?
| x86x87 wrote:
| Lol. A piece of paper with 200 passwords?
| selykg wrote:
| The alternative right now is to use the same password
| everywhere. That's even worse.
|
| If one site is breached you have to go change your password
| everywhere. By using a password manager if one site is
| breached you just have to change that one password for that
| site. Using the same password everywhere is a real concern
| that should be avoided at all costs.
|
| LastPass's breach is the exception to the rule. Generally
| speaking password managers have had a far better go of things
| than LastPass has.
|
| By far, using a quality (LastPass is not one of them and
| frankly never has been) password manager is likely going to
| be the most secure thing that any average user uses every
| day.
|
| This breach is much the same as the typical media stuff,
| hyperbole does no one any good. One bad thing happens and the
| sky is falling (hyperbole). No, the sky is falling for that
| app (LastPass) but not for every password manager. You have
| two really good options: Bitwarden and 1Password. I,
| personally, wouldn't touch any others that are cloud based.
| Local password managers are another matter, but they're
| simply a non-option for me and I'm not willing to give up the
| convenience, or the administration abilities that come with
| it in a business environment.
| throw_pm23 wrote:
| > The alternative right now is to use the same password
| everywhere. That's even worse.
|
| What's wrong with storing them locally on your laptop or on
| a piece of paper in your wallet?
| wilsonnb3 wrote:
| Storing on a laptop is inconvenient because I need to use
| them on my phone and other devices.
|
| Storing on a piece of paper is inconvenient because there
| are roughly 350 logins in my password manager.
| xrikcus wrote:
| and because transcribing a password from a piece of paper
| encourages short passwords.
| Izkata wrote:
| > The alternative right now is to use the same password
| everywhere. That's even worse.
|
| Or to just use the browser's saving functionality and never
| push your passwords online in the first place. They're
| probably only using one primary device like me; I generally
| don't log in to stuff on my phone, or personal stuff on my
| work laptop/work stuff on my personal laptop.
|
| If their habits are like mine then these cloud password
| services are pretty pointless.
| mrWiz wrote:
| I think that using multiple devices is probably by far
| the most common use case. Personally I have my own PC, a
| work laptop, and a phone that I regularly use, and a
| tablet that I use irregularly (but often enough that I
| want my account information available).
| [deleted]
| fullstop wrote:
| You're unlike most people in that regard. I'm signed into
| services on at least two or three devices -- a desktop, a
| laptop, and my phone.
|
| Also, with your setup, what happens if the computer with
| the browser containing all of the saved passwords is
| destroyed somehow?
|
| I don't know if this has changed, but a few years ago the
| stored passwords in Chrome were stored unencrypted in a
| sqlite3 database. (on Linux, at least) I'd use an audited
| service such as Bitwarden or roll my own Keepass thing
| before using the browser's saved password feature. All it
| would take is one RCE exploit in a browser to expose your
| passwords.
| Izkata wrote:
| > Also, with your setup, what happens if the computer
| with the browser containing all of the saved passwords is
| destroyed somehow?
|
| This has already happened a few times over the past
| decade: I restore from local backups.
| fullstop wrote:
| Okay, one step further then. What happens if your house
| burns down? Eventually you will want some sort of offsite
| backup.
|
| Also: https://ohyicong.medium.com/how-to-hack-chrome-password-with...
|
| Passwords are still easy to obtain outside of Chrome, and
| apparently Firefox is just as easy.
|
| By using the browser's saved password feature you are one
| RCE away from someone being able to automate the
| extraction of all of your passwords.
| acdha wrote:
| Password reuse is the most common way people are breached.
| Until there's pervasive WebAuthn passkey support, that means
| you need a way to store unique passwords for everything you
| use and that can't be algorithmic because different sites
| have conflicting policies.
|
| Other password managers don't have Last Pass' long history of
| security concerns. They also have hardening against this
| specific scenario. For example, 1Password assumes they could
| be breached and includes a strong random key which is unique
| per-user so in an event like this the attacker would have to
| do a lot more work to break vaults:
|
| https://support.1password.com/secret-key-security/
| [deleted]
| phonebucket wrote:
| > By migrating from one to the other, aren't you exposing
| yourself to the exact same risk?
|
| My main gripe with LastPass is that they did not encrypt
| everything. Vast amounts of important information (email
| addresses, billing addresses, telephone numbers, IP
| addresses, website URLs [0]) were not encrypted on users'
| local machines with the master password, and subsequently
| have fallen into the hands of a malicious actor.
|
| I would feel much better about LastPass if the security
| genuinely was safeguarded by a strong master password. But
| they've demonstrated that it's not.
|
| Other password managers, as far as I can see, provide much
| greater protection in terms of encrypting everything. That's
| why I'd feel better about using them.
|
| [0] https://blog.lastpass.com/2022/12/notice-of-recent-security-...
| jabroni_salad wrote:
| My work keepass has 68 credentials in it. I am not going to
| memorize all of that.
| ComputerGuru wrote:
| I've been sitting on what I think _might_ be the last straw to
| break the proverbial camel's back but I didn't think readers had
| any more bandwidth to hear more about this breach. I have my
| reasons to believe there's a good chance LP knows of a means by
| which the master keys of some users may have been once
| compromised long before this incident.
| d23 wrote:
| First rule of security breaches: it's always worse than they let
| on.
| andjelam990 wrote:
| Wow! This should definitely not be downplayed, they have lost
| users' trust for good.
| ransom1538 wrote:
| Can someone explain it to me like I am 5 years old. Why would I
| take all my passwords, centralize them and place them onto a 3rd
| party site? Why is this security best practice?
| silverlake wrote:
| You can publicly post an encrypted password file and dare
| hackers to break it, assuming your password is >80bits of
| entropy. All this worry about cloud storage and web access is
| due to ignorance about encryption.
| sofixa wrote:
| It's a _recommended_ practice (I hate the term "best",
| everything depends).
|
| Why? Quite easy actually - having random passwords is better
| than reusing the same everywhere. Random passwords are
| impossible to remember by a regular human, hence you need a
| password manager. Using a local file as a password manager
| poses a usability/availability risk (you have to sync it
| yourself, you have to back it up yourself, you have to make it
| available on all devices without putting it at risk, you have
| to secure it, etc.), hence cloud-based password managers are
| better for the average person, especially coupled with MFA for
| critical accounts (banks, email, etc.). If you're a highly
| technical or highly security conscious person, or under threat,
| the equation changes of course, but the recommendation for a
| cloud-based password manager isn't meant to apply to _everyone_
| , just most people.
| daveoc64 wrote:
| Because using a password manager as intended solves several
| well-known and very common password-related attacks like
| credential stuffing.
|
| A password manager makes it possible for the average person to
| have high length, completely random passwords for each and
| every site, and to have them available on all of their devices.
|
| That makes it a lot less likely that people will do bad things
| like re-using passwords, having short passwords, or writing
| them down.
|
| My LastPass account would have been in the breach, but as my
| vault was protected with 151,000 iterations and a very long
| password, it'd take an attacker a long time to be able to get
| to my Hacker News password, which they'd find was 50 random
| characters long and looked something like
| jtES^cqhPj3@&rgPW5#frmDpf#^gGyf3eRoPH#fUZWJQGNFJvW
|
| They'd also find that I've since changed it!
| npteljes wrote:
| It's not a security best practice, but a security "good
| enough".
| ejb999 wrote:
| It's not.
| loudmax wrote:
| You have to consider what the security landscape looked like
| when LastPass got going in 2008. The common practice for
| non-technical people was (or still is) to reuse the same password
| everywhere. A password that's really easy to remember like
| "p@$$word".
|
| In this context, the common alternative to LastPass isn't best
| practice, it's worst practice.
| jerry1979 wrote:
| Is there a reason why I shouldn't just store my passwords in
| Firefox?
| thescriptkiddie wrote:
| Firefox and other browsers are just not very good at password
| management. It does seem like a feature that should be built in
| to the browser.
| Gregoriy wrote:
| Maybe an overkill, but I use Cryptomator, which encrypts the
| files; the files are synchronized with Nextcloud at a remote
| location, but I suppose you can use whatever software you want.
| Inside that there is a https://keepassxc.org/ It works on a phone
| too: Cryptomator opens the vault with a finger, KeePassXC opens with
| a finger. Well, not the quickest way but it will do. I still have
| some useless passwords in Chrome but only for unimportant stuff.
| iillexial wrote:
| I use KeepassXC too, and Dropbox for database sync. Probably
| not very secure, but I store root password only in my head, and
| secret key offline. Never used mobile client though, not sure
| if they can be trusted.
| ghusto wrote:
| Years ago, I told them privately of a vulnerability in their
| implementation of 2FA. They dismissed it as a non-issue.
|
| A couple of weeks later they sent out a statement "clarifying"
| how their 2FA had a caveat. It was basically marketing bullshit
| glossing over the fact that they don't enforce 2FA locally
| (sorry, details are very vague in my memory now, but I remember
| it being a serious mis-implementation).
|
| Clowns.
| Alifatisk wrote:
| I am so happy I left and destroyed my account before this breach
| and went with Bitwarden.
|
| They showed red flags a long time ago!
| thenickdude wrote:
| This doesn't necessarily mean you're in the clear, as we don't
| know what the age of the backups that were stolen are.
|
| If you were a LastPass user at any point you should rotate all
| the credentials that touched that service.
| matesz wrote:
| Same here but unfortunately have done it 1 month ago.
|
| This breach helped me learn why it is important to have strong
| passwords.
| jonnycomputer wrote:
| A reddit thread about another company. Can anyone link me to
| where the LastPass announcement changed?
| drunner wrote:
| https://www.goto.com/blog/our-response-to-a-recent-security-...
| hnrodey wrote:
| Sucks that LastPass has these significant problems. From purely a
| product perspective it's pretty good. I used it for years quite
| happily as it kept myself and wife in sync with all of our
| accounts/passwords across all of our devices and browsers.
| LastPass is one of only a handful of products that truly works on
| virtually all platforms and browsers. Windows and Mac, home and
| corporate devices, mobile, you name it.
| coder543 wrote:
| 1Password works everywhere too, and it works much better than
| LastPass from everything I've heard and seen.
|
| 1Password also actually encrypts your entire vault, and it uses
| a strong, generated secret key _in addition_ to your password,
| so even if a user does not use a strong password, their vault
| would still be very hard to crack.
| bigiain wrote:
| > LastPass is one of only a handful of products that truly
| works
|
| "Truly works" except for the one critical feature that is the
| sole reason people use it. It does not keep your passwords
| safe.
|
| Doesn't matter how nice their Windows app is, or how smooth the
| animations on iOS are, or how well its browser plugins work.
|
| It fails at its only real task, safely storing your
| credentials.
| pragmatick wrote:
| The new addon for Firefox doesn't just work but instead is
| unable to match the current URL to entries. You have to switch
| off the "Advanced autofill" which is automatically turned on
| nearly every day. The android autofill doesn't "just work" but
| that may Android's fault.
| ranting-moth wrote:
| Good advice I was given a long time ago and have since
| followed:
|
| When you need to admit a mistake or apologize, get it all out and
| be truthful about it. Effectively get it over and done with.
|
| People do appreciate honesty, but will strike back with
| retaliation if they find out you only appeared honest. Telling a
| half truth is no better than lying.
| sethammons wrote:
| "If you have to eat crow, best to do so while it is warm."
| nickjj wrote:
| In the comments on Reddit someone linked to a podcast where they
| broke down what this really means in terms of how "secure" your
| leaked encrypted vault is.
|
| The TL;DR is even with 100k+ iterations of PBKDF2 an attacker can
| crack a password with 40 bits of entropy in about 71 days if they
| had access to 200 modern GPUs. For comparison if there were only
| 1 iteration instead of 100k the same type of password could be
| cracked in 61 seconds.
|
| 50 bits of entropy changes things a bit. Now it takes 1 year
| instead of 71 days but if you're a high value target they can
| just ramp up the number of GPUs to reduce the time.
|
| The difference between 40 and 50 bits of entropy for a password
| looks like this:
|
| 40 bits: !climb33
| 50 bits: ClimbS1@
| 40 bits: any 9 lower case letters
| 50 bits: any 11 lower case letters
|
| The takeaway I got is you're probably ok if you have a really
| good password (150+ bits) with 100k+ iterations but if I were
| using Lastpass personally (which I'm not) I would absolutely
| re-roll everything and never use the product again. I personally use
| a command line tool called `pass` which stores everything
| locally. This story interests me though because I am mildly
| involved with someone who is using Lastpass and I suggested they
| re-roll everything. I'm happy to see someone did the math, it's
| the exact information I wanted to know.
|
| The podcast show notes are on page 6 which has more numbers and
| practical examples: https://www.grc.com/sn/SN-905-Notes.pdf
| Y_Y wrote:
| I think this misrepresents password entropy. For example
| forcing a capital letter mostly results in lusers capitalising
| the first letter (and losing about 1 bit versus having the
| choice of case for every character). Requiring "special
| characters" further decreases the entropy (certainly in theory,
| and I assume in practice).
| nickjj wrote:
| I used https://www.omnicalculator.com/other/password-entropy
| to calculate it by the way. I threw out a few examples but
| you're right, it does come down to individuals knowing what
| to do or not. Those aren't meant to be good examples of
| passwords to use in practice.
| Y_Y wrote:
| For the record, it's pretty easy to do this by hand. The
| calculator assumes the attacker knows how many of each kind
| of character there is, which is a weird assumption so I'll
| not use that. Anyway you can take the base-2 log of the
| number of possibilities, or more easily add the entropies
| of each character (if they're not related). If you take
| e.g. the 64 symbols of Base64 as your allowed space you
| get: n*log_2(64) = 6n bits of entropy for an n-character
| password.
| tzs wrote:
| > The TL;DR is even with 100k+ iterations of PBKDF2 an attacker
| can crack a password with 40 bits of entropy in about 71 days
| if they had access to 200 modern GPUs
|
| ...
|
| > 50 bits of entropy changes things a bit. Now it takes 1 year
| instead of 71 days
|
| I don't understand this. Going from 40 bits to 50 bits
| increases the size of the search space by a factor of 1024. Why
| does it only increase the search time by a factor of 5?
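As an added worked example (not code from the thread, the podcast, or any vendor), the arithmetic behind the figures nickjj quotes and the additive entropy Y_Y describes: a small Python module calibrated on the quoted "40 bits, 1 PBKDF2 iteration, 200 GPUs, about 61 seconds" point, scaling by 2^bits and linearly in iteration count. Treating that calibration point as the time for the full keyspace and using a 365.25-day year are assumptions; under this model the 100k-iteration figure comes out at about 71 days, and each extra 10 bits multiplies every result by 1024 regardless of iteration count.

```python
"""Entropy and brute-force cost arithmetic behind the figures quoted in this thread.

Added example, not code from the thread, the podcast, or any vendor. The only
external input is the calibration point nickjj quotes ("40 bits of entropy,
1 PBKDF2 iteration, 200 modern GPUs: about 61 seconds"); treating that as the
time for an exhaustive search is an assumption. Everything else follows from
two facts: each extra bit of entropy doubles the keyspace, and PBKDF2 cost is
linear in the iteration count.
"""
import math

# Calibration point quoted in the thread (assumption: it is the time for the
# full 2**40 keyspace; reading it as an expected time instead only shifts
# every result by the same factor of two).
CALIBRATION_BITS = 40
CALIBRATION_ITERATIONS = 1
CALIBRATION_SECONDS = 61.0

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY   # assumption: Julian year


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters chosen independently and uniformly from
    an alphabet of `alphabet_size` symbols: length * log2(alphabet_size).
    This is the additive per-character form Y_Y describes; it only holds for
    truly random choices, not for "!climb33"-style human-chosen passwords."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need >= 1 character drawn from >= 2 symbols")
    return length * math.log2(alphabet_size)


def crack_seconds(bits: float, iterations: int) -> float:
    """Seconds to search a `bits`-bit keyspace when every guess costs
    `iterations` PBKDF2 rounds, scaled from the calibration point."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    return (CALIBRATION_SECONDS
            * 2.0 ** (bits - CALIBRATION_BITS)
            * (iterations / CALIBRATION_ITERATIONS))


def crack_days(bits: float, iterations: int) -> float:
    return crack_seconds(bits, iterations) / SECONDS_PER_DAY


def crack_years(bits: float, iterations: int) -> float:
    return crack_seconds(bits, iterations) / SECONDS_PER_YEAR


def bits_needed(target_years: float, iterations: int) -> float:
    """Inverse of crack_years: entropy required so that exhausting the
    keyspace at `iterations` rounds takes at least `target_years`."""
    if target_years <= 0 or iterations < 1:
        raise ValueError("target_years must be > 0 and iterations >= 1")
    seconds = target_years * SECONDS_PER_YEAR
    return CALIBRATION_BITS + math.log2(
        seconds / (CALIBRATION_SECONDS * iterations / CALIBRATION_ITERATIONS))


def iterations_needed(bits: float, target_years: float) -> float:
    """PBKDF2 rounds that make a `bits`-bit password take `target_years` to
    exhaust. Each bit is worth a doubling; iterations only buy a linear
    factor, which is why a weak password cannot be rescued by iterations."""
    if target_years <= 0:
        raise ValueError("target_years must be > 0")
    seconds = target_years * SECONDS_PER_YEAR
    return seconds / (CALIBRATION_SECONDS * 2.0 ** (bits - CALIBRATION_BITS))


if __name__ == "__main__":
    # Reproduce the thread's 100k-iteration figure from the 1-iteration one.
    print(f"40 bits, 100k iterations: {crack_days(40, 100_000):.1f} days")
    # Ten more bits multiply every result by 2**10 = 1024, iterations or not.
    print(f"50 bits, 100k iterations: {crack_years(50, 100_000):.0f} years")
    # The 151,000-iteration setting daveoc64 mentions, same 40-bit password.
    print(f"40 bits, 151k iterations: {crack_days(40, 151_000):.1f} days")
    # Y_Y's rule: n Base64 characters give 6n bits; 9 and 11 random lowercase
    # letters give roughly 42 and 52 bits.
    for n, size, label in [(9, 26, "lowercase"), (11, 26, "lowercase"),
                           (8, 64, "Base64")]:
        print(f"{n} random {label} chars: {entropy_bits(n, size):.1f} bits")
    # A per-user random 128-bit secret mixed into the KDF input (the pattern
    # acdha and coder543 describe for 1Password; the exact construction is
    # not modelled here) is 128 more bits the attacker has to guess.
    print(f"40-bit password + 128-bit secret: "
          f"{crack_years(40 + 128, 100_000):.3g} years")
    print(f"bits for a 100-year search at 100k iterations: "
          f"{bits_needed(100, 100_000):.1f}")
    print(f"iterations for a 40-bit password to last 1 year: "
          f"{iterations_needed(40, 1):,.0f}")
```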
| philjackson wrote:
| `pass` is lovely, but don't you need your passwords on your
| phone when you're out-and-about?
| doubled112 wrote:
| Pass has clients on iOS and Android, but there was some
| blocker with my GPG key on YubiKey last time I tried.
|
| Ended up on Bitwarden (Vaultwarden in my closet really)
| instead for web passwords. Admin passwords stayed in pass
| because I want to be sure I have them. Git is local to the
| device even if the server burns down.
| rsstack wrote:
| There are apps for mobile devices, some sync with a GitHub
| repository (which you should make private):
| https://www.passwordstore.org/#:~:text=password%20(OTP)%20to...
|
| The contents of the GitHub repo are of course encrypted with
| your own key, which you need to manually sync to your other
| devices.
| Kwpolska wrote:
| The Android app for pass, and the required gpg app, are
| pretty clunky and not very friendly to work with (and the
| Windows desktop experience is not great either).
|
| After some time with pass, I switched to a more integrated
| solution, with KeePassXC on desktops and Keepass2Android on
| mobile, with sync via OneDrive.
| tremere wrote:
| You can rsync the whole directory of passwords elsewhere and
| then connect there from your phone using SSH. If you're handy
| with `pass` you probably have an SSH client on your phone
| anyway (I use Prompt on iOS). Some people might think you're
| weird for using SSH from your phone though, fair warning.
| traceroute66 wrote:
| Makes me pleased to be a loyal Zetetic Codebook[1] (nee STRIP)
| customer.
|
| The thought of storing my passwords on a web/cloud-based service
| always struck me as the dumbest thing anyone could do as it would
| be only a matter of time until such a service was hacked.
|
| I started using Zetetic after learning about them via a 2012
| Black Hat conference presentation[2] where they took a bunch of
| password managers and STRIP came out on top. I figured if it was
| good enough for them, it was good enough for me. The product has
| only got better and better since 2012 (note that the presentation
| PDF is out of date in terms of security, they have _of course_
| changed hash and substantially increased rounds! See their
| website for detail).
|
| Their support is first-class too.
|
| [1] https://www.zetetic.net/codebook/
| [2] https://media.blackhat.com/bh-eu-12/Belenko/bh-eu-12-Belenko...
| neandrake wrote:
| +1 for Codebook. I've been using it for ~5 years and haven't
| had an issue, I feel secure in managing where my vault is
| stored and haven't had issues with syncing. It's a one-time fee
| per device type - I paid for iOS, macOS, and Windows without
| any hesitation.
|
| Additionally their support is really good. They added a feature
| on iOS version (and Android I assume) which copies the TOTP
| when you use codebook to auto fill a login. However it cleared
| the clipboard when the TOTP code expired which was sometimes
| too soon - I suggested they add a buffer of ~15-30 sec which
| most TOTP validators allow, giving the user a bit more leeway
| in pasting it. They added it in the next version.
|
| Some cons though: They do lack Linux support. Syncing is manual
| (I think they mentioned the next big update will make it more
| automatic), and there aren't any family/team sharing
| capabilities. For these reasons I would really only recommend
| it for tech-savvy individual use. I've recommended it to a few
| colleagues and they have had great experiences and continue to
| use it for several years now.
| traceroute66 wrote:
| > They do lack Linux support
|
| That is true although I understand this is simply down to
| lack of user demand for it[1].
|
| There appears to be an _UNOFFICIAL_ Linux tool called
| Read-Codebook[2] though...
|
| [1] https://discuss.zetetic.net/t/codebook-for-linux/1063/26
| [2] https://github.com/teracow/read-codebook
| avhception wrote:
| No Linux support =/
| sys_64738 wrote:
| I asked the tech lead at a past job if he'd have been willing to
| resign over his decision to store our keys in the "cloud", using
| LastPass. He never responded.
| xwdv wrote:
| We're finished with LastPass. We are actively moving employees
| away from it and will never touch their products again.
| ramses0 wrote:
| The other difficulty is it appears there is little-to-no support
| for API/automation:
|
| https://github.com/lastpass/lastpass-cli/issues/602
|
| https://github.com/lastpass/lastpass-cli/issues/624
|
| https://github.com/lastpass/lastpass-cli/issues/604
|
| ...their CLI tool is de-facto deprecated (unsupported) and has
| several unreliability issues (ie: `lpass ls/userls ...` reports
| differing amounts of values depending on when a user was added to
| the folder or not). Basically `lpass ls ... | xargs -n1 ...`
| cannot be trusted, and you can only get an accurate list of
| passwords (or users) from the actual GUI.
|
| It makes automation, auditing, reporting, near impossible.
| AtNightWeCode wrote:
| My personal password policy is: never store passwords in
| PW-managers for important things that can be accessed without MFA.
| Especially not work-related things.
|
| I have not figured out where to store those backup codes though.
| xwowsersx wrote:
| GoTo considered harmful
| d23 wrote:
| This is amazing.
| intunderflow wrote:
| The fact they're drip-feeding how bad this breach actually was is
| terrible enough and yet their entire product is built on nothing
| but trust.
|
| Part of me wonders if this was an intentional strategy: Downplay
| during the initial media round then very quietly reveal this was
| a worst case scenario.
|
| Personally I'm never touching them again - anecdotally everyone I
| know who was an individual customer has migrated away and inside
| companies lots of engineers have stopped adding new passwords.
| prepend wrote:
| When it comes to important stuff I think it's important to
| trust no one.
|
| I'm sure LastPass tried really hard to protect data. But
| everything fails eventually. If there's things that are life
| threatening or financially devastating then I don't think I can
| afford to audit people sufficiently to trust them with the
| info.
|
| This is also why I can't imagine ever using Plaid/Mint/etc that
| require my bank credentials just to do minor stuff like make
| payments or read transactions.
|
| These password managers are in a tough spot market wise as they
| aren't smart enough to secure super important stuff and for
| unimportant things, iOS/chrome password management is pretty
| good. I don't mind if my audible account gets rooted, but it
| would be very bad if my bank or brokerage gets rooted.
| mdla-hn wrote:
| "but it would be very bad if my bank or brokerage gets
| rooted"
|
| Yup. I put everything in the password manager except primary
| email and bank/brokerage.
| imiric wrote:
| > I'm sure LastPass tried really hard to protect data. But
| everything fails eventually.
|
| Sure, but password managers available over the internet are
| especially vulnerable. They're major centralized honeypots
| given the data they handle, and leaks are probably worth
| millions on the black market. To think that any company could
| handle this responsibility is naive at best.
|
| Password managers are an entire section of software that
| shouldn't exist. They're too confusing and a chore to use for
| the general public, even if users are educated about their
| importance, and would like to secure their accounts. Many
| non-technical people don't bother or care at all.
|
| The way forward is to get rid of passwords altogether and
| make passwordless authentication the norm. There have been
| some usability improvements in recent years in this area, to
| the point where it could reach mass adoption, but the change
| needs to start with developers.
|
| I was a LastPass user for many years, many years ago, and
| trusted them, but have since moved all my passwords offline.
| And I would very much like not to worry about maintaining
| accounts, updating passwords, etc. Ugh, what a chore.
| pyth0 wrote:
| > [Password managers are] major centralized honeypots given
| the data they handle, and leaks are probably worth millions
| on the black market.
|
| My knowledge in this area is admittedly limited but
| shouldn't password managers be fully encrypting your data
| with a key only you have (like 1Password). The way I
| understood it was that these leaks shouldn't be a problem
| because the data is worthless without the master key.
| Although I guess LastPass wasn't doing it that way.
| imiric wrote:
| I was specifically talking about _online_ password
| managers in that quote. Even in the best case scenario
| that they do follow all best modern security practices
| for storing the data at rest, there are countless exploit
| opportunities while the data is in transit, especially
| considering the clients are web browsers, with their own
| security issues. Not to mention the vulnerability from
| rogue employees, social engineering, etc.
|
| Entrusting _any_ company with the secrets to your digital
| life is a bad idea in general. I know that 1Password is
| the darling in this space, but breaches are a matter of
| time. They only need to mess up once. Their entire
| business reputation relies on being 100% secure, which is
| impossible. I'm not surprised LastPass is reluctant to
| share more information; they want this to go away as soon
| as possible so that business can continue as usual. It
| also wouldn't surprise me if there were other breaches
| that were never made public, at LastPass, 1Password, or
| any of these companies.
| goodpoint wrote:
| > I'm sure LastPass tried really hard to protect data
|
| Not really.
| sofixa wrote:
| > This is also why I can't imagine ever using Plaid/Mint/etc
| that require my bank credentials just to do minor stuff like
| make payments or read transactions.
|
| That's the fault of banks. We need open banking, with APIs
| using OAuth or similar with scopes or some way for per-
| action/item access.
| rxyz wrote:
| Already exists in EU.
| manuelabeledo wrote:
| As far as I know, there is no common, open banking API in
| the EU, unless you are talking about IBAN, which is more
| like an exchange framework.
| nilsmagnus wrote:
| Open Banking aka PSD2 exists, and it is very different
| from IBAN.
| brnt wrote:
| Unfortunately, individuals are not allowed to make use of
| it for private purposes. You must be a registered
| business and then be entered in a register before you get
| any keys.
| elif wrote:
| What if the bank were collectively owned and operated, and
| used a clever cryptographic scheme to simultaneously allow
| full transparency and full monetary autonomy?
| danparsonson wrote:
| Then I guess that multiple bad actors would jump at the
| chance to irreparably scam thousands of accounts out of
| millions of dollars. Or something like that.
| thedougd wrote:
| They could have started simpler with app passwords that
| provide read only access. They purposefully dragged their feet
| under the false principle that they own their clients'
| data.
| arp242 wrote:
| > Part of me wonders if this was an intentional strategy:
| Downplay during the initial media round then very quietly
| reveal this was a worst case scenario.
|
| Seems like a poor strategy. This is like an infected wound that
| keeps on festering. A turd that will not flush. A house guest
| that won't take multiple hints it's time to leave. Better to
| just get it over with in one go; next week the news cycle will
| be something else and it will be over; now it's in several news
| cycles again and again.
| usrusr wrote:
| And each drip paints a bigger crosshair on the back of KeePass
| wrt supply chain attacks (the only angle where KeePass isn't
| inherently better than others). I wish lastpass all the best in
| terms of improving their communication!
| verisimi wrote:
| I'm now expecting a raft of these sort of leaks.
|
| This sort of thing, will all encourage us to 'naturally' move
| towards a government backed, biometric solution. Which will of
| course be phone based, will hold your wallet, id and medical
| information, and will be provided to us by kindly corps such as
| twitter, google, apple, microsoft, meta, etc.
| medellin wrote:
| Surprisingly the government based sites I use let me use
| email for 2FA, which is better than phone since I can add 2FA
| for my email as well. It's the banks that keep insisting I
| use a phone for 2FA. I have moved away from Ally because of
| this.
| Denzel wrote:
| Can confirm. Migrated from LastPass -> 1Password last month.
| lolinder wrote:
| I don't think it was intentional: this is one of those places
| where ripping the band-aid off is far better than slowly
| dragging it out. The drip-fed reveal increases the raw number
| of headlines about the breach and drills the idea "GoTo is bad
| at security" into people via spaced repetition. If they said
| "our entire company was pwned" on day one, they would have had
| their day in the media and by now only HN would still be
| grumbling about it.
|
| I think what's actually happening is that they're just _really_
| bad at security. Either every few weeks they discover something
| new _or_ they still haven't successfully locked the attacker
| out.
| aggie wrote:
| This assumes everyone sees all the headlines. This approach
| is very bad for people paying attention, but the type of
| people to pay attention to this kind of news would probably
| be unwilling to go near LP again if it was revealed all at
| once. Their play might be to assume the initial headlines get
| the most coverage so soften the message there, then wait for
| a general audience to tune out and reveal the worst parts.
| LocalPCGuy wrote:
| I do think they are being very intentional in how they
| release and frame things, and one of the things dripping it
| out can do also is produce some level of fatigue on reporting
| it. It definitely seems like they knew some things before it
| came out - some people have looked at changes to their site
| and there are new or updated marketing changes that in
| retrospect seem very correlated to what we're learning now.
| Not definitive proof, but very concerning.
|
| I also think you are correct to a point, they are really bad
| at security so it is also possible that some of these things
| are just coming out also.
| blitzar wrote:
| If drip-feeding the details is an intentional strategy it is a
| stupid one. Keeping the negative story in the headlines for a
| day longer means it will reach more people and draw more
| attention.
| code_runner wrote:
| They'll only piss off the people paying attention to every
| drip.
| ryanjshaw wrote:
| Not just that, this drip feed of information makes
| formulating a proper response very difficult.
|
| If, for example, you deleted your account after the first
| report in August (a rational decision), you have no way of
| checking what iterations setting you had, now that people are
| talking about it.
|
| It's also unclear whether you will receive any data breach
| notifications detailing the exact impact to your data, since
| your account is now deleted - do they keep a history for
| "post-fact" situations like this?
|
| And of course, if you didn't keep a backup of your passwords
| before deleting your account, you'd have to reset everything
| to be sure.
|
| Terrible, awful company with no respect for their users.
| jolmg wrote:
| There's not really any benefit to deleting the account
| other than forgetting they're untrustworthy and
| accidentally using them in the future. I would think it's
| better to change all passwords (at each service, not at
| lastpass) and leave the account at lastpass active,
| precisely to be in the know for such things in the future.
| That's unless I'm misunderstanding something about their
| service that makes it better off to delete the account.
| I've never used them.
| dividedbyzero wrote:
| They still have a list of accounts, email, usernames,
| even if the passwords have been rotated, plus whatever
| happens to be in secure notes and the like. Deleting the
| account is really easy (has to be for EU customers) and
| they're obliged to delete all data they hold on the user
| (under EU law), so I don't see any reason to let that
| kind of data sit around on an untrustworthy party's
| servers. I certainly won't need a reminder that they're
| untrustworthy.
| jolmg wrote:
| Forgot Europeans have a valid reason to believe
| "deleting" an account actually deletes anything instead
| of just withdrawing your access.
| varenc wrote:
| If you're in California the CCPA should give you this
| right too.
| sureglymop wrote:
| How many more times can we shout it. KeePass with Syncthing.
| chinathrow wrote:
| As a long time KeePass user, I throw in KeePassXC. Much more
| polished.
| eatsyourtacos wrote:
| I love KeePassXC and have used it forever.
|
| However is there any good way to use it with my phone? I do
| find it frustrating to have to type in passwords manually
| sometimes, even though it's not very often.
| tfvlrue wrote:
| I use Keepass2Android on Android devices and Strongbox on iOS
| devices. They've served me well.
| acidburnNSA wrote:
| Yes there is. Sync it with syncthing (or next cloud or
| seafile or...) and use a compatible client to read it on your
| phone like KeePassDX.
| yandrypozo wrote:
| I use an app called KPass that reads my .kdbx file perfectly,
| and I use Syncthing as well.
| irrational wrote:
| What is Syncthing? A thing that syncs?
| vageli wrote:
| Yes, it's a service to keep files on your devices in sync
| with one another. https://syncthing.net/
| npteljes wrote:
| Peer to peer dropbox, kind of.
| usefulcat wrote:
| A self-hosted replacement for Dropbox.
| marcosdumay wrote:
| Hum... No, it's not a replacement for Dropbox.
|
| It solves issues Dropbox doesn't (like dealing with
| segregated networks), and doesn't solve issue that Dropbox
| does (like sending files to people).
| a10c wrote:
| I use 1Password with a family account. Good luck getting my
| mother to understand the nuances of KeePass with Syncthing.
|
| Previously she wrote her passwords down in a notebook.
| avhception wrote:
| Have a look at unison, it's what I use instead of Syncthing and
| I couldn't be more happy.
|
| https://github.com/bcpierce00/unison
|
| edit: Also, KeepassXC!
| fIREpOK wrote:
| The only problem I have with Syncthing is how it deals with
| conflicting updates... The interface makes it difficult to see
| which file is conflicting. Is it better with Unison?
|
| +1 for keepassXC
| derbOac wrote:
| Why Unison over Syncthing? Just curious because I've been
| happy with Syncthing and haven't heard of Unison.
| twobitshifter wrote:
| I use strongbox pro, which is an iOS keepass app, and keep it
| on iCloud Drive. It's a simple no fuss solution.
| [deleted]
| 2OEH8eoCRo0 wrote:
| And yubikey
| this_steve_j wrote:
| According to https://layoffs.fyi a company named "GoTo Group"
| based in Indonesia recently laid off 1200 employees, however they
| appear to have no obvious relation to "GoTo Company" which owns
| LastPass.
|
| Under the circumstances, a staffing shakeup in the CISO office
| sometimes occurs in companies after this kind of accident.
|
| Does anyone know what the situation is like inside LastPass
| headquarters?
|
| After a previous LP incident I noticed a number of senior
| security officer positions advertised on the LastPass Careers
| site.
| uyaij wrote:
| That "GoTo Group" was formed when Gojek and Tokopedia merged
| [1] and isn't related to Lastpass.
|
| [1] https://en.wikipedia.org/wiki/GoTo_(Indonesian_company)
| abfan1127 wrote:
| What product supports Cross Platform (minimum of Windows, Mac,
| iOS) that is easy to setup for non-technical people?
| whatch wrote:
| Surprisingly, Apple's built-in password manager. They have a Chrome
| extension for Windows (but not for Mac OS Chrome,
| unfortunately).
| softwaredoug wrote:
| Just make sure people with password access update their
| iPhone passwords to be strong. With FaceID, this shouldn't
| cause too much inconvenience.
| gopkarthik wrote:
| 1password. In addition to the above, it has Linux support & browser
| extensions.
| abfan1127 wrote:
| from a position of ignorance, why/how is 1password better?
| ikekkdcjkfke wrote:
| What idiot transfers all their passwords to a small private
| company
| kossTKR wrote:
| I use iCloud keychain - has there been any reason to suspect
| this is an idiotic move, especially when coupled with twofactor
| auth on important sites?
|
| Really important stuff is of course handled in other ways..
| jonplackett wrote:
| One word of caution - do you realise that anyone with your
| iPhone + PIN code can access all those passwords?
|
| All you have to do is go to settings > passwords and enter
| the pin and there they all are.
|
| So if you use this, have a really good iPhone pin!
| traceroute66 wrote:
| > have a really good iPhone pin
|
| iPhone PIN ? Say what now ?
|
| Only fools use PINs.
|
| iPhones have supported keyboard entry for passwords for a
| very very very very long time now. And more recently,
| TouchID and FaceID, of course.
|
| You can also configure iOS to erase after _n_ incorrect
| entries.
|
| At this point in time, you get what you deserve if you
| still use numeric PINs.
| kossTKR wrote:
| That's absolutely insane. I use face id plus a pass though.
| softwaredoug wrote:
| With FaceID you can set a complex iPhone password with
| little loss of convenience. I have a complex iPhone
| password, use iCloud Keychain, and have few issues.
| Freak_NL wrote:
| What idiot transfers all their passwords to any private
| company?
| jonsolo wrote:
| What idiot keeps all their money in a bank instead of
| securing it themselves?
|
| Sometimes it's preferable to pay the professionals,
| especially if you're not an expert. I've recommended LastPass
| to my grandparents for years because it's better than using
| their grandkids' names as passwords everywhere.
| ejb999 wrote:
| Do password managers have FDIC coverage? Banks do. Big
| difference.
| altacc wrote:
| Whilst not good, this seems to be bad news for some GoTo products
| but not specifically Lastpass:
|
| > a threat actor exfiltrated encrypted backups from a third-party
| cloud storage service related to the following products: Central,
| Pro, join.me, Hamachi, and RemotelyAnywhere
|
| Lastpass is a GoTo product, so in general the multiple security
| breaches undermine confidence in all their products. Your
| password manager is not something you want low confidence in.
| manuelabeledo wrote:
| I didn't realize that Lastpass was part of the same company who
| brought us GoToMeeting.
|
| It makes me wonder if this is all a result of GoTo general
| culture permeating into Lastpass. GoToMeeting and Webinar feel
| hilariously outdated, and I think that people use them mostly
| because of corporate inertia.
| ubermonkey wrote:
| We are heavy users of GTM, and have been for over a decade.
|
| Initially, it was FAR AND AWAY the best and most reliable
| option for meetings. It worked well across platforms, and the
| screensharing -- especially the ability to see a
| participant's screen, not the host's screen -- was stellar.
| This was key for us; we're a small software company, so GTM
| sessions to help client IT install, or help a customer with a
| problem, or even get the system configured initially, were
| all our bread and butter.
|
| Sadly, GTM over time has fallen prey to the same thing that
| ails lots of older products: it just keeps getting worse, and
| it feels almost deliberate. We do not give two shits about
| video, but they're pushing it hard. Sharing controls change
| revision to revision, which makes it harder for us to coach
| customers on how to use the tool. Lag and delay have become a
| real issue.
|
| It's just super frustrating.
| snehk wrote:
| GoTo has been bad for a while. I recently sent their team a
| support ticket for their GoToWebinar API (API response
| contained completely different/wrong data). They said it's not
| that much of a problem and said they weren't gonna fix
| anything. Hilariously bad.
| that_guy_iain wrote:
| If that wrong data contained emails, etc., then that would be
| a data breach and legally they need to fix, inform affected
| users, and report the data breach. If they said they weren't
| going to fix it, report it.
| Spooky23 wrote:
| They were a red headed stepchild within the Citrix portfolio
| before they were carved up like a turkey. I wouldn't expect
| anything positive from them going forward.
| lotsofpulp wrote:
| I was under the impression LogMeIn (GoTo's previous name)
| already was known as malware many years ago when they bought
| Lastpass.
|
| Lastpass was the first password manager I used, and when it
| sold to a scummy company like LogMeIn, I learned my lesson to
| just stick with KeepassXC.
| avhception wrote:
| KeepassXC + unison is the best combo for me. I'll never let
| some cloud service lay their hands on my passwords.
| bogomipz wrote:
| What does unison provide in this strategy? I remember the
| old Keepass, is KeepassXC the next generation in this?
| SCdF wrote:
| > I remember the old Keepass, is KeepassXC the next
| generation in this?
|
| It's the same database format, KeepassXC is a fork of
| KeepassX with more active development.
|
| https://superuser.com/questions/878902/whats-the-
| difference-...
| imperialdrive wrote:
| I'm on hold with lastpass enterprise support as I type because
| upon reviewing our account we found a super-admin that is
| 'blank', no text appears but it has been granted policy access
| to all shared folders. This is nuts. We use SSO so iirc the
| keys were 128bit x2 which was supposed to be completely
| unaffected by the dump. Perhaps not. Screenshot here:
| https://freeimage.host/i/H0RICCu
| ThatsAllForNow wrote:
| I have recently moved away from lastpass onto 1password and find
| myself with some 1000+ credentials that I will now have to
| change. Been working through the list and made a small dent of 50
| accounts so far... There must be a quicker way to do this?
| substation13 wrote:
| Dashlane claims to be able to do this for you.
|
| I don't personally use Dashlane and cannot speak to its
| security.
| coremoff wrote:
| I imagine you can triage that quite heavily; change the
| critical ones (bank/email/etc.), then change anything where
| passwords and usernames have been duplicated. Anything else is
| probably pretty low priority both in importance or criticality.
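As an added example (not a tool from the thread or from any password manager), here is the triage described above applied to a vault export: critical accounts first, then every entry whose password is reused, then the long tail. The export format is a constructed CSV with url,username,password columns, and the critical-domain list is an assumption for this user.

```python
"""Triage a password-manager export the way the comment above suggests:
critical accounts first, then every entry whose password is reused, then
the long tail. Added example, not a tool from the thread or from any
password manager; the export is a constructed CSV with url,username,password
columns and the critical-domain list is an assumption for this user.
"""
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed: domains whose compromise would hurt most (email, banking, payments).
CRITICAL_DOMAINS = {"bank.example", "mail.example", "paypal.example"}

# Constructed sample export; none of these are real accounts or passwords.
SAMPLE_EXPORT = """url,username,password
https://bank.example/login,alice,Tq7!pLm2#vX9
https://mail.example,alice@mail.example,Hx4$kW8@zR1n
https://shop-a.example,alice,Summer2019!
https://shop-b.example,alice,Summer2019!
https://forum.example,alice_f,Summer2019!
https://old-news.example,alice,Zr9&bN3^yT6q
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of an entry's URL ('' if it cannot be parsed)."""
    parts = urlsplit(url if "://" in url else f"https://{url}")
    return (parts.hostname or "").lower()


def triage(export_csv: str, critical=frozenset(CRITICAL_DOMAINS)) -> dict:
    """Bucket entries as (host, username) into 'critical', 'reused', 'other'.

    Passwords are compared by SHA-256 digest so plaintext never reaches the
    report; each entry lands in exactly one bucket, critical winning over
    reused, and entries that share a password stay next to each other.
    """
    by_digest = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        digest = hashlib.sha256(row["password"].encode()).hexdigest()
        by_digest[digest].append((host_of(row["url"]), row["username"]))
    buckets = {"critical": [], "reused": [], "other": []}
    for group in by_digest.values():
        for item in group:
            if item[0] in critical:
                buckets["critical"].append(item)
            elif len(group) > 1:
                buckets["reused"].append(item)
            else:
                buckets["other"].append(item)
    return buckets
```

Working the buckets top to bottom gives the order the comment suggests; the "other" bucket is where a decade-old vault is most likely to hold defunct sites that can simply be deleted.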
| tokamak-teapot wrote:
| Ironically I believe I remember that LastPass had such a
| feature, though it didn't work for more than about 2% of my
| passwords when I used it a long time ago.
| fluidcruft wrote:
| I remembered that and before I learned more about the breach
| and was feeling "breaches happen" about things (I have strong
| master password) my thought was to use that to update
| passwords by age... but they actually removed the feature!
| That seemed so user hostile it made me mad enough that
| migrating somewhere where I can work with password age became
| my goal. Then as I've learned more about the breach, their
| design and their response it's just put wind in my sails.
|
| Bitwarden isn't much better, but they do have a CLI so technical
| users can cobble something together. (I ultimately decided to
| skip on Bitwarden also.)
| fckthisguy wrote:
| We should introduce an industry best practice for account
| management. A "/.well-known" url for changing passwords would
| make this trivial to do in bulk with a password manager.
| 2Gkashmiri wrote:
| so if i get access to your PM, then i would be able to
| destroy all your accounts en masse.
|
| at least this way they would have to prioritize
| alpaca128 wrote:
| I don't think this matters that much. Most accounts are
| just for random websites that don't let you use basic
| functionality without a login. Being able to manage such
| accounts efficiently & without dark patterns in one program
| would be a massive time-saver, but whether a bad actor
| takes a few seconds or a few minutes to take over my
| important accounts I'm screwed either way.
| monsieurbanana wrote:
| Nothing could go wrong with having a way of hitting millions
| of websites at once with a 0 day exploit :)
| dns_snek wrote:
| The functionality provided by such an API could be limited
| to disabling the account until the password is manually
| reset given that the client provides a valid email and
| password. The blast radius for that would be pretty small.
|
| I don't use 90% of the entries in my password manager on a
| monthly basis so anything that allows me to delay the
| password change on hundreds of accounts until I need to use
| the account again would be valuable.
| devnullbrain wrote:
| Obscurity is security, as the saying goes.
| [deleted]
| handerz wrote:
| Isn't the saying, "security through obscurity is no
| security at all"?
| coder543 wrote:
| I believe the person you replied to was being sarcastic.
| lathiat wrote:
| https://www.w3.org/TR/change-password-url/
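The well-known URL proposed above exists as the W3C spec linked here. As an added example (not from the thread or from any password manager's code), this is how a client could use it for the bulk case: fetch `/.well-known/change-password`, but first run the spec's reliability probe so that servers answering 200 to every path are not mistaken for supporting it. Network access is an injectable fetch function, and the sample servers are constructed, not real sites.

```python
"""Client-side check for the W3C change-password well-known URL linked above.

Added example (not from the thread or from any password manager's code). It
shows how a password manager could discover a site's password-change page,
including the spec's reliability probe for servers that answer 200 to every
path. Network access is an injectable fetch function so it runs offline.
"""
from typing import Callable, Optional
from urllib.parse import urlsplit

CHANGE_PASSWORD_PATH = "/.well-known/change-password"
# The spec's probe path: a well-behaved server must NOT answer 2xx here.
NOT_EXIST_PROBE_PATH = (
    "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200"
)
# fetch(url) -> final HTTP status after following redirects, or None on error.
Fetcher = Callable[[str], Optional[int]]


def _is_ok(status: Optional[int]) -> bool:
    return status is not None and 200 <= status <= 299


def change_password_url(site: str, fetch: Fetcher) -> Optional[str]:
    """Return the change-password URL for `site`, or None.

    `site` may be a bare host or a URL; only the host is used and only the
    HTTPS origin is consulted. None means the server does not support the
    well-known URL or failed the reliability probe (2xx for a bogus path).
    """
    parts = urlsplit(site if "://" in site else f"https://{site}")
    if not parts.hostname:
        return None
    origin = f"https://{parts.hostname}"
    # A server that says 200 to everything gives no signal, so bail out.
    if _is_ok(fetch(origin + NOT_EXIST_PROBE_PATH)):
        return None
    url = origin + CHANGE_PASSWORD_PATH
    return url if _is_ok(fetch(url)) else None


def fake_server(responses: dict) -> Fetcher:
    """Fetcher over a constructed {url: status} table, for offline use."""
    return lambda url: responses.get(url)


# Constructed sample servers (not real sites) exercising each branch.
GOOD = fake_server({
    "https://good.example" + CHANGE_PASSWORD_PATH: 200,
    "https://good.example" + NOT_EXIST_PROBE_PATH: 404,
})
UNSUPPORTED = fake_server({
    "https://plain.example" + CHANGE_PASSWORD_PATH: 404,
    "https://plain.example" + NOT_EXIST_PROBE_PATH: 404,
})
CATCH_ALL = fake_server({  # e.g. a single-page app serving 200 for any path
    "https://spa.example" + CHANGE_PASSWORD_PATH: 200,
    "https://spa.example" + NOT_EXIST_PROBE_PATH: 200,
})
```

Note that the spec only gets the user to the right page; it does not change the password for them, which is why the "destroy all your accounts en masse" worry above does not apply to it.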
| 4lun wrote:
| Currently in the process of cycling a few thousand passwords
| myself. Realised I just have to nip away at it a bit each day
|
| Time boxed to about 15 mins a day, it hasn't felt like too much
| of a burden. But also finding I can just delete quite a few, as
| my vault is over a decade old and many sites/services are now
| defunct
|
| Will take another month or so, but have the more recent/crucial
| ones done already so worst case someone might crack my old digg
| password
| matesz wrote:
| Why not just go through them in one go and be done with it?
| jeromegv wrote:
| Because telling your boss you will be spending the next 3
| working days going through all your passwords might not be
| the best use of time, and you might want to spread it out a bit.
| Especially when most of them are obscure websites that are
| not likely to be the first target in a password leak.
| fluidcruft wrote:
| One thing I've found is "forgot password" is typically far, far
| faster/easier than hunting around trying to figure out how to
| change a password.
| Weryj wrote:
| From paying customer, to deleted account.
| prepend wrote:
| What's the best way to delete an account? Overwrite all
| password values? Wait a month, overwrite again, wait a month,
| delete? It's hard to tell what's sufficient to reduce risk of
| someone who breaches in the future will use my data.
|
| I doubt LastPass deletes my data when I delete my account. I
| even wonder if to comply with GDPR, they just disassociate the
| data from me so it can never relink, but keep the data so it
| can be used, sold, or rented.
| sethammons wrote:
| Best is to rotate all your stored passwords and not store the
| new ones in lastpass, delete all the items, and change the
| lastpass master password. Check any notes for sensitive info
| before overwriting and then deleting the entry and assume
| someone else will read what you had there.
| bigiain wrote:
| > What's the best way to delete an account? Overwrite all
| password values? Wait a month, overwrite again, wait a month,
| delete?
|
| The only sensible approach is to change every password on
| every site that you've ever stored credentials in LastPass
| for. Any attempt to change the passwords is just hoping that
| their backups are better secured than their prod database
| (they are almost certainly not), and also that the data
| wasn't popped before you changed them (which they almost
| certainly were, probably multiple times).
|
| Delete your account, but revoke/update all those passwords
| asap as well. Since the site/url and email addresses were not
| encrypted, I'd be changing the email address on at least
| critical accounts as well where I can.
| loudmax wrote:
| For important accounts you should probably update your
| passwords.
|
| Assuming you aren't reusing passwords, you shouldn't need to
| track down every online store you once bought something from.
| But you should consider updating your passwords for bank
| accounts, Paypal, Amazon, Google and whatever else would be a
| major headache if it were compromised.
| slantedview wrote:
| Since I went through this a month ago:
|
| - Migrate your vault to a new password manager
|
| - Rotate all your passwords and save the new ones in your new
| password manager
|
| - Delete your Lastpass account
| 2OEH8eoCRo0 wrote:
| I use KeepassXC with password + yubikey challenge response. My
| mental model is that this encrypts my database using my password
| combined with the yubikey response. With this configuration, it
| appears that I should be able to put my database anywhere in the
| open.
|
| Which leads me to my point: If the password manager is properly
| used then why do we care if the encrypted databases were leaked?
| AmalgatedAmoeba wrote:
| Not all the contents of the databases were encrypted.
| garganzol wrote:
| Keepass encrypts the whole database. There are no unencrypted
| parts, in contrast to some other password managers.
| seanieb wrote:
| What happens to the serial security recidivists? Where are the
| regulators? LastPass has had security incident after security
| incident, how are they still allowed to operate?
| briffle wrote:
| I think at this point, they need to get purchased by Experian,
| so they can combine into such an ugly mess of problems, that
| identity laws get overhauled.
| Alifatisk wrote:
| They failed to secure sensitive user credentials, that must've
| broken some law.
|
| Also, people can store notes on lastpass, did those get leaked
| too?
| HPsquared wrote:
| Would this sort of thing fall under GDPR?
| Alifatisk wrote:
| And probably CCPA in that case?
| poglet wrote:
| Yes
|
| "that contains both unencrypted data, such as website URLs,
| as well as fully-encrypted sensitive fields such as website
| usernames and passwords, secure notes, and form-filled data."
|
| https://blog.lastpass.com/2022/12/notice-of-recent-
| security-...
| Alifatisk wrote:
| I would not be surprised if such sensitive details could
| ruin someone's life, and that is now in the hands of a bad
| actor.
| arbitrage wrote:
| What regulation? Nobody will ever prosecute them.
| 2Gkashmiri wrote:
| as a keepass user, i cannot be more happy.
|
| contrary to popular belief, maintaining a file synchronized is
| not difficult.
|
| This "breach" is just as good as assuming google or apple or any
| other bitwarden or any other cloud password manager is broken
| because they all work in the same way "we promise to keep it
| secure". this is different from storing a keepass file on the
| same google cloud because an attacker has to break into your
| cloud login first, then hope to find your keepass file. Then try
| to break that file.
|
| as opposed to breaking into your google account and seeing the
| passwords or by breaking into bitwarden or 1password or something
| else.
|
| if someone has a login to 1password of 10 people, there is good
| reason to assume there will be passwords stored.
| somezero wrote:
| I was a long time keepass user but moved to Bitwarden. My
| problem with keepass is the low quality and often poorly
| supported closed source clients that you get on mobile.
| lotsofpulp wrote:
| Strongbox works great for me on iOS and macOS.
| Jamie9912 wrote:
| Me too. Yes I paid for it. Yes it works extremely well.
| 2Gkashmiri wrote:
| i don't know about you but i have been using keepassdroid and
| another client from F-droid for years now..... maybe this was
| because as you said " low quality and often poorly supported
| closed source clients"...
| totetsu wrote:
| The occasional times I haven't been able to log into my bank
| because I was on a computer that didn't have my kdbx file, or
| the small worry I have of keeping it up to date in multiple
| places while transitioning my main system.. are no bother
| compared to constant worry that someone might have my logins
| because of some security breach.. That said I just give apple
| everything when on that ecosystem. ¯\_(ツ)_/¯
| XorNot wrote:
| Keepass2Android is excellent if you have an Android phone.
| You can use that with Syncthing to synchronise files, and
| InputStick to emulate a keyboard over Bluetooth if you're
| using a non-personal computer.
| jp191919 wrote:
| I've had good luck with KeepassXC. For an android client I use
| KeepassDX
| bogomipz wrote:
| From the top of the reddit post:
|
| >"For those that may not have seen it, since instead of a new
| post they "updated" the one from November...Looks like it's even
| worse than they first let on"
|
| Can anyone say if they notified their customers that they had
| updated the original post?
| JonChesterfield wrote:
| A question for those "starting to migrate away". Why bother
| changing passwords that you then put back into LastPass?
|
| Change the passwords yes, all of them, but if you're going to put
| the new ones back in to be re-exported by your adversary you may
| as well save yourself the time and stay with the already breached
| ones.
| jp191919 wrote:
| So glad I switched to KeepassXC
___________________________________________________________________
(page generated 2023-01-25 23:01 UTC)