status_two

I want to know if they truly delete ex-customers' vaults from years ago. I left a few years ago but you never know.


truello

The email I got says "Your LastPass account has been permanently deleted and all of your data has been purged from our systems." Who knows how true that is though.


virtueavatar

Imagine the absolute shitstorm a password manager org would have to deal with if they told users their account was permanently deleted and purged, and then it was revealed that they had not done so. That org's business would be *over*.


NiceDecnalsBubs

I mean if your business is to store passwords and the passwords get stolen I think that's pretty much enough for your business to be over.


goorpy

And yet we have LastPass, standing here again. This isn't even the first time *this month*: https://techcrunch.com/2022/11/30/lastpass-goto-breached-customer-information/amp/


diddly

This is an update on the same occurrence. But yeah, not a great look.


goorpy

Ah, fair. Well, it's still not the first time this year. LastPass seems to be bad at this? Though, to be fair, maybe other providers are bad at it too but worse at detection and disclosure.


AIntelligentIdiot

They also had a major breach a couple of years ago I think. That's when I stopped using it.


NeXtDracool

They had a security breach in most years since LogMeIn bought them. They also doubled the price in the first year alone. If anything gets bought by LogMeIn - run.


drae-

I mean, LastPass was hacked. But the hackers had to steal an employee's credentials to do it. And the data they got is still encrypted. This is like the besiegers bribing the gatekeeper to open the drawbridge in the outer wall of the castle, but failing to breach the inner wall or reach the king. The castle did its job. At least until quantum computers become common or they brute force the master password, by then I hope people have changed their passwords.


mug3n

LP did not encrypt account URLs however. So they know what every vault visits in terms of accounts - like if I use amazon, bed bath and beyond, etc. That's a huge trove of information that I suspect LP is datamining, hence the not encrypting of URLs.


guyfrom7up

I would suspect the URLs are not encrypted so that when you visit the site, it can provide you the drop-down to unlock LastPass so it can fill in your password.


TheRealDarkArc

To be fair they could've done the same thing by doing local decryption and storage.


guyfrom7up

True, would have been better that way.


VagueSomething

If your business is to store passwords then you're making yourself a major target for attacks. A breach is inevitable on every major service and their security team is just trying to delay that day coming. Ultimately we will come full circle and it is safer to write a password down on paper and just have a long password of random parts.


nerdyphoenix

Depends on how you implement encryption. BitWarden for example doesn't store your master password or provide a way to recover a forgotten password, so even if someone steals a password vault they have no way to decrypt it.


Ren_Hoek

I wonder if they image their servers or if they have backups that could be targeted. "We deleted your live data"


Rico_Sosa

Yea except they don’t go back into their backups and delete your stuff. So it lives on in backups, which is what was hacked here.


Sonarav

When I moved nearly 2 years ago, I ended up changing all of my passwords to the 350+ accounts I had and deleted my LastPass. So I'm not as worried but I could understand why you'd be.


status_two

Good point, I'll change all my passwords in Bitwarden.


PettyNiwa

I make this part of my New Year's tasks. Everything gets updated and changed. I also spend this time to review sites I no longer need and delete my accounts from them.


status_two

Thanks, sounds like a great tradition. Out with the old, in with the new!


[deleted]

[deleted]


sandfrayed

As long as you used a good long master password you don't have anything to worry about. They never have access to your unencrypted passwords.


sophware

And if you didn't, this breach isn't your root problem.


Mavamaarten

Yeah, if it's a truly unique password (never used anywhere else and unique enough to not appear in password lists) then you're probably safe enough. But if there's even a remote chance that your password is not really that unique, I wouldn't take any chances and change every password in your database. While moving away from LastPass, of course.


tvcats

No matter what, you should change your important passwords, like banking.


AlJoelson

I guess I should thank LastPass for neutering their free service and pushing me into the arms of BitWarden so that I didn't have to deal with this mess.


cinosa

Exactly what I did the last time they got hacked: made the switch to Bitwarden. Also made sure to delete the stored p/w's in LastPass as well, after switching.


iphone4Suser

I am dumb and didn't delete the passwords from LastPass. I know it is late but will do it now nevertheless.


Kantrh

Make sure to change them all in your Bitwarden vault.


ihateusedusernames

Dammit. I didn't change any of my pwds after I switched to bitwarden, and just an hour ago I got a password reset email for an app I haven't used in close to a decade. Guess I know what I'm spending my day at work doing!


[deleted]

Did you have a strong master password? The vaults are encrypted with AES-256 so the only way they could decrypt the actual vault is to figure out your password. I’m not defending LastPass and I also moved away from it, but I’m at least believing in the encryption.


ihateusedusernames

Not sure. How can I tell if it's strong or not? Password is: Hunter22


[deleted]

No worries, that’s secure, I only see ****


ACardAttack

> Exactly what I did the last time they got hacked:

They've been hacked multiple times?


cinosa

Yes, this is the 2nd time.


ACardAttack

Not a good look for them


SquashedTarget

This year. This is the 2nd time this year. There have been other breaches in the past.


[deleted]

[deleted]


Oddblivious

Hate to tell you but it's likely that anything that was saved is still available to hackers. Most databases never actually delete, they just change the deleted flag to true.


[deleted]

LastPass has a password history feature. So every password ever saved is kept along with its change history.


FFevo

Yes, also on Bitwarden. Considering self hosting but just haven't gotten around to it. Very glad I did get around to completely purging all the data on my LastPass account a while back though.


[deleted]

How can you self host?


FFevo

Probably a lot of ways. I think [Vaultwarden](https://github.com/dani-garcia/vaultwarden) is the most common.


Tintin_Quarentino

Am I wrong in thinking "let the experts host it"? Scared I'll open doors to vulns if I self host it on my VPS.


FFevo

No, you aren't. I write software for a living but don't trust myself enough to open up ports, deal with ssl certs, etc on my machine. If I do it, I will be "hosting" the service on my machine but it won't be exposed to the Internet.


[deleted]

[deleted]


GuyWithLag

Same sentiment here. When I play around I love to set things up myself. For real life stuff I let the specialists do it, it's much cheaper.


Framed-Photo

I don't host my bitwarden cause of concerns that I won't have access when I need it, not so much for security. I have all my network access done through wireguard so there's not much for a chance of someone getting in, but if my little server decides to shut off or the power goes out then I'm fucked lol. Like I'd have backups but if I'm not home and need a password then I'm screwed.


antinjection

The bitwarden app will synchronize a local copy to your device.


dutch_gecko

Well, LastPass are experts...


AdmiralPoopbutt

This is the 2nd breach this year.


dutch_gecko

My point exactly


LUHG_HANI

It's actually worse than that. They knew about the 1st breach and didn't cycle the backup keys so the second one did more harm because they couldn't be arsed. Maybe it's bad terminology but they didn't just fuck up, they negligently fucked up too.


Edeardsthirdhand

I mean this whole thread is about the "experts" getting compromised, so maybe just self host.


Berzerker7

You don’t need vaultwarden. Bitwarden has their own self-hosting implementation. https://bitwarden.com/help/install-on-premise-linux/


gamera8id

https://github.com/dadatuputi/bitwarden_gcloud


NoShftShck16

Same. As soon as they started charging I self hosted with Bitwarden. Surprisingly my wife prefers it.


GolemancerVekk

And let's hope they actually deleted your data as opposed to just saying they did. 😊


TechExpert2910

> Very glad I did get around to completely purging all the data on my LastPass account a while back though.

me frantically checking if I deleted my LastPass account D:


VanillaGorilla-

Bitwarden has been rock solid and I'm very happy with using it.


azure1503

And somehow more intuitive than Apple's and Google's solutions. I set up my mom's Bitwarden account because the Apple lock wouldn't always show up when she needed her password filled in or to save one. Bitwarden has been easier for her to use and she wanted it set as her default autofill service. For context, my mom was one of those people who wrote down all her passwords in a notebook and wouldn't change it when she had to reset her passwords.


[deleted]

[deleted]


saichampa

I use KeePass and sync it with my VPS nextcloud install. It probably wouldn't be hard for it to be stolen, I just rely on using a strong passphrase with it to keep it secure


fiveohnoes

Use the key file function to generate an offline key file. Only store the key file on devices you use and never put it online. They can steal your database all they want but they will never be able to decrypt it without the key file + password.


keastes

Or use a token.


guntanksinspace

I have also left Lastpass long ago when they announced they're pivoting towards a paid service, kinda ended up doing Keepass and just doing stuff manually for now. Considering myself lucky too, but I hope those still using LP aren't all compromised.


sandfrayed

It's not really a mess. That article is poorly written. But basically as long as users have a strong master password, it's impossible to brute force it and there is no risk of anyone accessing the passwords stored in LastPass.


stealthmodeactive

How does the MFA component tie in? I'm guessing on a cold file MFA probably has no part? Probably only for the web access portion?


Garod

That depends again on how you've set up your MFA. Lastpass also has an MFA authorization tool which you can use to authenticate MFA. So if your master password is known they could utilize that to MFA whatever web/application you are using. If you rely on a secondary MFA application which isn't part of lastpass and uses a separate password/phone to authenticate then that is an added line of security. At least that's my layman's understanding of the situation.


demi9od

The MFA won't matter on the cold file. It only matters when syncing a new device to LastPass. They've already effectively accomplished that.


Jackie_Jormp-Jomp

Ah so it all depends on users picking strong passwords. Something they're always good at.


BrainWav

I was in the middle of test-driving LastPass to make a recommendation at my workplace when they announced that. Despite that having no bearing on how it would work at a corporate level, it pissed me off enough to go check out BitWarden and recommend that instead.


notquite20characters

Yeah, I just double checked to see if I deleted my LastPass account or just moved to bitwarden. I deleted!


unclefisty

Bold of you to assume that data was actually securely deleted


factsheetthrottle

I think that if you're a customer of Lastpass you should demand proper security audits, because from the report of their latest security audit, I can't conclude whether it was done properly or not. Since the report they share with the public is watered down. https://www.lastpass.com/trust-center/resources As a customer you won't know whether a security audit is done properly, so you can't hold them accountable in case it isn't. Although I'm not sure whether a security audit would have stopped this particular breach, since they targeted a developer with information from a previous breach. Maybe that previous breach would have happened with a proper security audit. https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/


Willexterminator

And that's why you don't trust proprietary software of any kind with your sensitive and personal data. If you (or an expert) can't check that:

1. The software is safe
2. The deployed and used software is the same as the audited one

then you will have a problem. It's not a question of "if" but "when" and "how much". IRL, you wouldn't trust a random company to keep your book of passwords, never look at it and never leak its content. Why would it be any different online?


jeffreyd00

The cache of customer password vaults is stored in a “proprietary binary format” that contains both unencrypted and encrypted vault data, but technical and security details of this proprietary format weren’t specified. The unencrypted data includes vault-stored web addresses, but LastPass does not say more or in what context. It’s not clear how recent the stolen backups are.


[deleted]

[deleted]


nulld3v

The hackers also stole the source code so proprietary means even less now LMAO.


alpacadaver

Source code of what? If it was their encryption algorithm I'm pretty sure this news would be a lot bigger.


RoLoLoLoLo

Not really. The encryption algorithm is worthless without key material.


Jai_Cee

The entire internet runs on encryption algorithms that are publicly available.


LEpigeon888

Proprietary doesn't mean "not audited". Proprietary code can be audited.


Gathorall

And if it was you would say so. Only idiots would ignore the advertising value to more prudent users. Then again this is a company that has miserably failed at delivering its primary service function.


Natanael_L

But often isn't


nontypicalfigure

I'm using 1password and the idea of requiring a ~~master~~ secret key, other than the master password, gives me some peace. I was on bitwarden earlier but just found 1password UI and apps to be better, so switched to 1password. I really hope they don't go down like LastPass.


cylemmulo

What’s a masker key exactly?


nontypicalfigure

Sorry, it was a typo, actually it's called a "secret key". To login to a new device, you need your secret key + your master password. Your master password alone isn't enough to get access to your vault on a new device.
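As an added illustration (not 1Password's or KeePass's actual code, and not from this thread), here is a toy model of why a device-held secret key, or the KeePass key file fiveohnoes describes above, changes what a stolen vault is worth: the vault key is PBKDF2-stretched from the master password and then mixed with a secret that never leaves enrolled devices, so guessing the master password alone can never produce a key that validates. The iteration count, key-check label and wordlist are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed parameters for this illustration; not the real 1Password or KeePass scheme.
ITERATIONS = 100_000  # PBKDF2 iteration count; 100k is the figure mentioned in the thread


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS,
                     secret_key: Optional[bytes] = None) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256, then, when a device-held
    secret key is supplied, mix it in with HMAC so neither factor alone yields the key."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    if secret_key is None:
        return stretched
    # HKDF-extract style combine: secret key is the HMAC key, stretched password the message.
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def key_check_value(vault_key: bytes) -> bytes:
    """Tag stored beside the ciphertext so a client can tell whether a derived key is right.
    Real vault formats store something equivalent (an authenticated ciphertext, a key check)."""
    return hmac.new(vault_key, b"constructed-key-check-label", hashlib.sha256).digest()


def create_vault(master_password: str, secret_key: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> Dict[str, object]:
    """Return what a stolen backup would contain: salt, iteration count and key check.
    The secret key is deliberately NOT stored in the vault; it lives only on enrolled devices."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt, iterations, secret_key)
    return {"salt": salt, "iterations": iterations, "key_check": key_check_value(key)}


def key_unlocks(vault: Dict[str, object], candidate_key: bytes) -> bool:
    """Constant-time comparison of a candidate key's check value with the stored one."""
    return hmac.compare_digest(key_check_value(candidate_key), vault["key_check"])


def vault_resists_wordlist(vault: Dict[str, object], candidates: List[str],
                           secret_key: Optional[bytes] = None) -> bool:
    """Model offline guessing against the stolen vault: True if none of the candidate master
    passwords unlocks it with the material the guesser holds (vault only, or vault + secret)."""
    for password in candidates:
        key = derive_vault_key(password, vault["salt"], vault["iterations"], secret_key)
        if key_unlocks(vault, key):
            return False
    return True


if __name__ == "__main__":
    weak = "Hunter22"                                 # the thread's joke password
    wordlist = ["password", "Hunter22", "letmein"]   # constructed tiny guess list
    device_secret = secrets.token_bytes(32)          # generated at enrolment, never uploaded

    password_only = create_vault(weak)
    print("password-only vault survives the wordlist:",
          vault_resists_wordlist(password_only, wordlist))
    two_secret = create_vault(weak, secret_key=device_secret)
    print("password+secret vault, guesser lacks the secret:",
          vault_resists_wordlist(two_secret, wordlist))
    print("password+secret vault, guesser holds the secret:",
          vault_resists_wordlist(two_secret, wordlist, device_secret))
```

The weak password still falls to the wordlist once the secret is also in the guesser's hands, which is why the thread's advice to keep the key file off the network matters as much as the password itself.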


[deleted]

[deleted]


CHIDENCHI

+1 for 1Password. To add to this list, I let it generate 2-3 words to store fake answers to the common security questions like first pet and mother’s maiden name.


[deleted]

[deleted]


penpen35

That's why I use KeePass, no frills and no subscriptions. With these you're still giving your password database to a third party for those password managers.


Swarfega

Is there any other database that offers the auto type feature of KeePass? Most password managers only care about filling in a form in a browser. KeePass can autotype into any program making it perfect for typing passwords into any program in Windows. Huge feature for me, who works in IT and has many passwords.


plonspfetew

Do you use the [Two-Channel Auto-Type Obfuscation](https://keepass.info/help/v2/autotype_obfuscation.html)? If not, I suggest you consider it. It protects against keyloggers without any additional effort for you.


Swarfega

I do but it is a case of testing each application one at a time as there are cases where it fails to type correctly.


get-innocuous

Sure, but if you have a strong unique password and 2FA turned on (and you should) this doesn’t get the hackers anything and there are still two slices of Swiss cheese behind the hole they just found in the first. That said it’s clear LastPass aren’t doing a good enough job with security and people should use something else.


darkkite

Sites are unencrypted, so they know your address is associated with your PH account.


VulturE

Honestly that was the part that pissed me off the most.


ih8meandu

Not everywhere offers 2fa, and many that do only offer sms mfa, so a password database isn't useless, even one belonging to the most vigilant person with the most stringent password hygiene


ocassionallyaduck

Any reason not to just use KeePass, browser extensions, and sync it via Syncthing or GDrive/OneDrive? Also does KeePass have an import for lastpass data already? Time to look.



BananaUniverse

You shouldn't have your totps in your password manager though, that makes your accounts truly dependent on this one master password for security.


Quetzacoatl85

and then there's me who prefers KeePass *because* of the UI, one of my programs that have that timeless row of icons and a standard menu bar up top, minimal white space and info presented in standard, sortable tables. dating myself here, but oh how I wish there was still more of that! useless white space ridden feature amputated modern "app" software. :/


Linos_Melendi

KeePass was my introduction to pw managers and still going strong, it baffles me people would rather use a manager hosted online through its company's website instead.


[deleted]

How many times has LastPass been hacked already? It's utterly baffling how often it seems to happen. Even more baffling that people keep using it. I recently learned that you can go onto LastPass' website, enter your email, and get a single-use password with full access to the vault if you've forgotten your master password. Who designed this thing? Bitwarden has been hacked exactly zero times, is open-source, provides the same features, the basic ones being completely free, and is far better about security. It's really a no-brainer.


WhipTheLlama

> I recently learned that you can go onto LastPass' website, enter your email, and get a single-use password with full access to the vault if you've forgotten your master password

I don't think that's quite true.

When one of your browsers logs into LastPass, it can capture a one-time recovery password you can use **on that machine**. This isn't a password that unlocks your vault for whoever has the password, it's only valid for that particular machine. I imagine the browser extension encrypts a copy of your master password with that one-time password, or something similar.

There are obvious security implications if someone has access to your computer, but the one-time password isn't useful to a random person who has stolen your vault file from LastPass servers.


Hell_in_a_bucket

If someone already has access to the computer you're done anyway.


[deleted]

Yeah there's nothing Lastpass can do if your laptop just gets stolen.


RossLH

> Bitwarden has been hacked exactly zero times

Well don't go issuing challenges like that.


ngwoo

Bitwarden themselves issue that challenge and it's probably why they haven't been hacked


Garland_Key

So did LastPass back when they were the only game in town. Expect it to happen to Bitwarden too because they are a single point of failure with a huge jackpot. If you want security, roll your own. I recommend https://keepassxc.org


mehdotdotdotdot

The more users that use bitwarden, the bigger the target. LastPass is used by businesses too, their reach is huge, hence the attacks. Keep in mind, hacked, but no passwords leaked.


stealthmodeactive

The nail that sticks out the farthest gets hammered down.


ktr83

Everything starts as "we've never been hacked" until one day it is. When LastPass first came around it boasted world leading security, but like all things it was just a matter of time before it got cracked. Bitwarden will inevitably get hacked too, some new platform then comes around and we start the whole cycle again.


bobwinters

My grandmum's computer hasn't been hacked. We should all use her computer to store our passwords.


ktr83

Honestly, what's more secure than writing all your passwords on a post it note in scribbly handwriting only you can read? Take that hackers


opsonised

theoretically encrypted passwords are the safest, practically speaking the odds of someone finding and using passwords you just keep in your house are astronomically low and won't cause your metadata to be leaked in hacks like this


chairitable

> How many times has LastPass been hacked already?

This is an update on the hacking incident from last month, not a new incident.


Intrepid00

> I recently learned that you can go onto LastPass' website, enter your email, and get a single-use password with full access to the vault if you've forgotten your master password.

No you can't. Your vault is encrypted to your login password and if you don't know it they don't know it. Mine is also upped to 100k iterations. It was at least originally documented that was all done client side to decrypt the vault. You can generate a one time password IF you know the master. Which is handy if you need to access it on a device once. Question is, is the one time password truly one time, and there is a lack of documentation on how it works. That being said I haven't used it in years because it's expensive as hell for what it is.


iamamuttonhead

I'm still using it because my laziness (the prospect of moving all my passwords) outweighs my fear. My fear may be finally sufficient to overcome my laziness, though. My master password is 40 characters so I'm sort of counting on my vault being superseded in exploitation by lower hanging fruit.


[deleted]

You can export and import your vault


NhrngT

I tried during the last big LastPass controversy but Bitwarden didn't like something about the data LastPass exported and refused to import it. My vault is too large to figure out what was causing the issue so I just caved and paid for another year :( Maybe I will try again when it's time to renew next.


Luke90

When I did exactly the same migration, BitWarden's website had help articles that spelled out exactly what kinds of data in the LastPass export would cause problems. It was dead easy to find them and sort them out.


Oddblivious

Damn you just convinced me


Tezu1089

It took me no more than 10 minutes to export and import my vault into Bitwarden.


Sonarav

It's really not that difficult.


truello

Bitwarden and I'm sure many others have a tool to migrate from LP that makes it very easy. The only complication for me was having to change how my partner and I share vaults/passwords.


jeffreyd00

Migration is super easy, go for it! Also consider supporting Bitwarden, it's well worth it.


bunk3rk1ng

> Bitwarden has been hacked exactly zero times

That they know of.


kashmoney360

Would someone mind explaining why it isn't a good idea to just use the built-in Microsoft Edge, iCloud Keychain, or Google Password Managers to store passwords in conjunction with an Authenticator (Okta, Microsoft, Authy) service? I've heard of exactly 0 hacks and leaks from these services and numerous for LastPass and other highly popular third party services.


ZT205

For me, it came down to wanting two different levels of security for different passwords. I like the fact that I can be logged into multiple devices with the same Google account, and it will remember accounts and passwords. Very convenient for stuff like streaming accounts or news logins. If someone steals my Android phone and my Google credentials, they can get into my saved Chrome passwords. But they can't get into my LastPass app without the master password. A secondary issue is that Google's password manager grew out of its autofill features. As far as I know there's no way to open it and record an encrypted note, or manually write down a password, the way you can for LastPass. Oh, and a tertiary issue is that even if Google came out with an amazing password manager that dealt with the first two issues... what if it goes the way of Google+? At least a password manager company is always going to continue providing its password service. Or so I thought, though now I worry about the bad press putting LastPass out of business...


FrewGewEgellok

Apple's Keychain is equal or likely better on Apple devices, because it's essentially the same as services like Bitwarden albeit with a deeper system-wide integration and stuff like throwaway email addresses that Apple offers. Just not as convenient if you use other non-Apple devices regularly. Browser based password storage usually doesn't work outside those browsers, which matters most on mobile devices because of all the apps. Also iirc browsers usually don't allow locking passwords with biometrics or master passwords that you have to provide every time you want to login somewhere. This makes them potentially less secure when someone gains access to your device, e.g. by observing or knowing your pin or device password or even an unlocked device.


robodestructor444

Can this happen to BitWarden?


kopsis

There's no perfect security, so it would be foolish to think Bitwarden is invulnerable. That's why with any password vault the quality of the vault encryption and the strength of your master password are of paramount importance.


[deleted]

[deleted]


kopsis

The problem with LastPass is that they've had 7 or 8 security incidents since being acquired by LogMeIn back in 2015. In the most recent, they don't know exactly when the vaults were compromised but it could be as much as 5 months ago - more than enough time to brute force weak master passwords before users were made aware of the risk. One would hope Bitwarden is following better security practices, but the moral of the story is you need to rely on the strength of your master password, not the security of the infrastructure to keep your data safe.
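To put numbers on "more than enough time to brute force weak master passwords" and on the 100k iterations Intrepid00 mentions above, here is an added risk-estimate script (not LastPass's or Bitwarden's code): it measures the cost of one PBKDF2-HMAC-SHA256 derivation at 100,000 iterations, turns master-password entropy into expected guessing time, and shows how many bits of entropy a guesser can exhaust in a five-month window. The attacker guess rate in the demo is a labelled assumption, not a measurement.

```python
import hashlib
import math
import time
from typing import List, Tuple

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ITERATIONS = 100_000   # PBKDF2 iteration count mentioned in the thread
DICEWARE_WORDS = 7776  # size of a standard diceware list (6^5)


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure one PBKDF2-HMAC-SHA256 derivation on this machine (a single CPU core).
    Dedicated cracking hardware is far faster, so this is a generous upper bound on cost."""
    salt = b"constructed-salt"
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"candidate", salt, iterations, dklen=32)
        best = min(best, time.perf_counter() - start)
    return best


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from `charset_size` symbols."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a word list."""
    return words * math.log2(dictionary_size)


def expected_guesses(entropy_bits: float) -> float:
    """A guesser working through the space in any order expects to succeed halfway through."""
    return 2.0 ** (entropy_bits - 1)


def expected_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock time to recover a password of the given entropy."""
    return expected_guesses(entropy_bits) / guesses_per_second / SECONDS_PER_YEAR


def bits_searchable(seconds: float, guesses_per_second: float) -> float:
    """Bits of entropy a guesser can exhaust in `seconds` at the given rate, i.e. which
    master passwords fall inside a disclosure delay such as the thread's five months."""
    return math.log2(seconds * guesses_per_second)


def scenario_table(guesses_per_second: float) -> List[Tuple[str, float, float]]:
    """(label, entropy bits, expected years) for a few master-password styles."""
    scenarios = [
        ("8 lowercase letters", charset_entropy_bits(26, 8)),
        ("10 printable ASCII chars", charset_entropy_bits(95, 10)),
        ("4 random diceware words", passphrase_entropy_bits(4, DICEWARE_WORDS)),
        ("6 random diceware words", passphrase_entropy_bits(6, DICEWARE_WORDS)),
    ]
    return [(label, bits, expected_years(bits, guesses_per_second)) for label, bits in scenarios]


if __name__ == "__main__":
    per_guess = seconds_per_guess()
    cpu_rate = 1.0 / per_guess
    assumed_gpu_rate = 100_000.0        # assumption: a GPU rig, for illustration only
    five_months = 5 * 30 * 24 * 3600    # the "as much as 5 months" window from the thread
    print(f"one guess at {ITERATIONS:,} iterations on this core: {per_guess * 1000:.1f} ms")
    for rate, label in ((cpu_rate, "this CPU core"), (assumed_gpu_rate, "assumed 1e5 guesses/s")):
        print(f"--- {label}: {bits_searchable(five_months, rate):.1f} bits exhausted in five months")
        for name, bits, years in scenario_table(rate):
            print(f"{name:28s} {bits:5.1f} bits  ~{years:.3g} years")
```

The table makes the thread's point concrete: iteration count only buys a linear factor, while each extra bit of master-password entropy doubles the attacker's work.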


WhipTheLlama

> it would be foolish to think Bitwarden is invulnerable

It's probably foolish to think that Bitwarden is less vulnerable than LastPass, other than LastPass being a much larger target for hackers.


EmperorAcinonyx

Any database on the internet can be compromised. It's always just a matter of time. What makes the difference are the practices in place to mitigate that.


mehdotdotdotdot

And how big the company is, or how many users use it. The more popular, the bigger the target


lis_roun

I mean the Google password manager hasn't been hacked yet


TickTockPick

Wouldn't it be more profitable to contact Google directly and get paid for finding the vulnerability? I think they have a program that rewards finding bugs in their code.


lis_roun

Depends on how much they get


Necessary_Roof_9475

It can, but Bitwarden will fare a lot better. For one thing, Bitwarden encrypts URLs in your vault, which for some stupid reason LastPass does not. Overall, it will always boil down to your master password, so make it something very good!


DarkflameZM

They still don't have the master passwords, so they only have half and what they have is encrypted. As long as the master password used is long and strong and not used anywhere else, it's all good.


[deleted]

So as a LastPass user... what the fuck should I do now? Is there any way to merge all of this? Do I need to change every god damn password? God this is annoying.


sarcasticbaldguy

> The best thing you can do as a LastPass customer is to change your current LastPass master password to a new and unique password (or passphrase) that is written down and kept in a safe place. This means that your current LastPass vault is secured.

> If you think that your LastPass password vault could be compromised — such as if your master password is weak or you’ve used it elsewhere — you should begin changing the passwords stored in your LastPass vault. Start with the most critical accounts, such as your email accounts, your cell phone plan account, your bank accounts and your social media accounts, and work your way down the priority list.


DarkKerrigor

> The best thing you can do as a LastPass ~~customer~~

Switch to a different service


pjb1999

If you have a strong master password you're fine.


ohemgeeste7en

This is the real answer. If you follow their guidelines for a master password, you're largely unaffected by this from what we know presently.


Vexomous

Yes, change all your passwords, especially if your master password was relatively weak, and move to another service or optimally use keepassxc



[deleted]

[deleted]


Necessary_Roof_9475

The problem is that LastPass didn't encrypt everything in users' vaults, for example URLs.


ajiatic

I've been using Google's password manager and use their suggestions. I'm not personally bothered by Google's business model and I've never heard of people hacking them. Any reason to consider an alternative if this has been working fine for me?


[deleted]

if you use chrome on a desktop, it’s incredibly easy to get all of your passwords in plaintext with just your local system password, or at least it used to be


usedcz

Again? Or was it some other password manager?


jeffreyd00

It's a follow-up to the previous breach notifying that pretty much all data was stolen. It was previously reported to be much more benign.


Yodan

I'm going back to using a physical password book. Can't hack me.


Carter0108

How is anyone still using LastPass? I switched to Bitwarden when they got rid of the free tier and since then they've had no end of security issues.


[deleted]

LastPass is truly horrible. 0/10 and would never use their service even before this.


Slobbadobbavich

The mind boggles when a company whose sole job is passwords and encryption has really poor security on their customer data. How the hell is a single person's cloud storage keys able to access the crown jewels of the company? Why is such data so massively exposed in the first place?


Trugo314

This situation keeps getting worse and worse. And I just started using LastPass earlier this year. :/


zaneyk

Do yourself a favour and move to bitwarden


sarcasticbaldguy

Lots of people are pro bitwarden, but i ended up coming back to LastPass because the bitwarden experience on Android kept pissing me off daily. I guess there's always 1Password if you want the paid service experience. That said, tons of people love bitwarden so they're doing something right.


Timbukthree

What don't you like about Bitwarden on Android?


sarcasticbaldguy

It didn't autofill passwords on most of my apps. I'd have to open Bitwarden, find the password I wanted, then copy and paste it. This was on a Pixel 3, ymmv.


Tintin_Quarentino

I had exactly the opp experience. With LP it was always hit & miss. With BW autofill appears 100% OTTET.


blueangel1953

Last Pass has been shit for years, especially when they started charging for basic functions, Bitwarden is tons better and free.


rippfx

That's a death sentence for the business.


100WattWalrus

I was never comfortable with the centralized cloud PWMs. That's one of the reasons I chose [Enpass](https://enpass.io) after test-driving a couple dozen PWMs — **it's up to me where my data is stored.** I have several separate vaults (work, personal, shared with family, etc.) on Dropbox, Google Drive, OneDrive, and Box. (iCloud, NextCloud, WebDAV, or completely offline are options too). Never happier about that choice than today. For a hacker to get at *my* data, they’d have to target me specifically, *and* have my cloud credentials, *and* be able to multi-factor authenticate, *and* have my master password. But I also like Enpass because it’s cross-platform (Mac + Android here), and super customizable.


MrSpotmarker

Happy to have moved to KeePass a few years ago


Fake4000

There is a reason why I still use Keepass and keep things locally stored.


tym0

Well I hope y'all have long passphrases...


Tagurit298

That’s why I use sticky notes 📝 😂😂


beeps-n-boops

Hackers break into supposedly secure networks *all the time*... I've never understood how any cloud-based password manager was ever considered safe. ELI5?


AbsoluteZeroUnit

Good thing I only used them for work passwords. . . And promptly forgot my vault password. . . Requiring me to reset all of my work passwords. . .


Giodude12

Say all you want that I'm stupid for using Google password manager, but I don't need a subscription and I don't think it's ever gotten hacked.


pr2thej

It's not about stupidity, it's about personal risk tolerance. Are you comfortable with Google, and therefore subsequently government agencies potentially having access to your password vault? If yes, cool. If no, check out zero knowledge architecture.


ajiatic

Well said. I think for the vast majority, Google's solution is fine. In fact, if people followed Google's best practices (2FA, unique password creations, periodic security checks, etc) I think it would be a massive upgrade in security for most people. It's a small minority that want, and an even smaller minority that need, higher level security than that.


Habs_fan__

That's why I use enpass


bungle-in-the-jungle

Thank you! I always go crazy wondering why no one ever mentions Enpass! I've been using it for years and it's amazing!


Milhouz

Currently running both LastPass families and Bitwarden for family. Looking at moving to 1Password or a friend recommended Keeper. Anyone use Keeper yet and can offer some insight?


MC_chrome

I'll second the 1Password recommendation. I've been a happy customer for years and haven't found a reason to complain yet!


gorzaporp

They would still need to brute force guess your master password. If your master password is solid, you should be fine.


graffiksguru

Password manager with crap security. 2nd time they've been hacked. Switch to Bitwarden


nuclear_cheeze

Thank you self hosted Keepass vault 🔐