LastPass hacked

MGarbis Member
edited August 2022 in News

After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.

https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/

Hopefully that's the truth. (No access to customer data or encrypted password vaults)
Quite scary news.

Thanked by 2: FatGrizzly, Chuck

Comments

  • FatGrizzly Member, Host Rep

    this is why you gotta self host vaultwarden locally and not trust some online service :)

  • They got into their development instance. Those are usually not very well secured.

  • Thank god Keepass exists <3
    I think Keepass is underrated, unfortunately. If you can support them then do it.

    https://keepass.info/download.html

    Some people don't know that Keepass has more features than expected.
    https://keepass.info/plugins.html

    Constantly updated, better than those online password managers.

  • Even if they got hacked, does it matter as the passwords are encrypted using the master password, and it is very hard to crack them?

    And the hack is on the development environment, and they are very transparent as they even notify their customer about the hack in the dev environment.

  • Arkas Moderator

    @FatGrizzly said: this is why you gotta self host vaultwarden locally and not trust some online service :)

    You have better security than lastpass?

    Thanked by 1: Logano
  • Arkas Moderator
    edited August 2022

    @sandoz said: Some people don't know that Keepass has more features than expected.
    https://keepass.info/plugins.html

    A page straight from the 90s and a .info domain does not make me feel safer, even though the product might be good. It needs better marketing.

    Thanked by 1: lovelyserver
  • Neoon Community Contributor, Veteran

    @FatGrizzly said:
    this is why you gotta self host vaultwarden locally and not trust some online service :)

    Well, what if the VPS goes down?
    Can you even set up a simple failover or HA setup for vaultwarden?

    Does the encryption happen client side, so even if your VPS gets hacked, you'd be fine?

  • @Neoon said: Does the encryption happen client side, so even if your VPS gets hacked, you'd be fine?

    Yeah. Everything in a Bitwarden vault (selfhosted or not) is encrypted on the client side using your master password, which is never sent to the server. Though the server does store a hash of the master password.

    If you stole all the data from a Vaultwarden instance (Or even Bitwarden itself), you will receive the encrypted vault contents as well as the hashed master password. Crack that hash and you get the vault.

    Your vault is as secure as your master password is. (And how secure the hashing algorithm used is)

  • @Arkas said:

    @FatGrizzly said: this is why you gotta self host vaultwarden locally and not trust some online service :)

    You have better security than lastpass?

    Wwweeelllll, they have been hacked what two times now? Three? ;-) ( I know, I know ... they're a huge target. Mostly joking. )

    Thanked by 2: Arkas, Logano
  • @Arkas said:

    @FatGrizzly said: this is why you gotta self host vaultwarden locally and not trust some online service :)

    You have better security than lastpass?

    I'm sure the focus here is the distribution of risk. LastPass is basically a whale in the pond, so poking at it and getting into it will result (assumed) in a bigger reward than, let's say, JoeShmoe self-hosting with lower security standards and significantly lower payoff.

    I mean there's a ton of big assumptions here and more details will help, but at the end of the day no one really cares about Joe Shmoe. Let's be honest, most people don't really care about your and my passwords and accounts because we're not really anyone. But if you have an aggregate of that within LastPass then that'll make their payoff better and actually worth something (a bit more).

    Thanked by 1: Arkas
  • FatGrizzly Member, Host Rep

    @Arkas said:

    @FatGrizzly said: this is why you gotta self host vaultwarden locally and not trust some online service :)

    You have better security than lastpass?

    Well I guess so, it runs on a Raspberry Pi locally, and doesn't have an internet connection either.

    @Neoon said:

    @FatGrizzly said:
    this is why you gotta self host vaultwarden locally and not trust some online service :)

    Well, what if the VPS goes down?
    Can you even set up a simple failover or HA setup for vaultwarden?

    Does the encryption happen client side, so even if your VPS gets hacked, you'd be fine?

    Runs locally, I manually back up to a local NAS.

    Thanked by 1: Arkas
  • Arkas Moderator

    @FatGrizzly said: Well I guess so, it runs on a Raspberry Pi locally, and doesn't have an internet connection either.

    Don't you need to sync it with other devices? What's the other option, carry around a USB stick?

  • FatGrizzly Member, Host Rep

    @Arkas said:

    @FatGrizzly said: Well I guess so, it runs on a Raspberry Pi locally, and doesn't have an internet connection either.

    Don't you need to sync it with other devices? What's the other option, carry around a USB stick?

    It syncs with my mobile phone, which is again in my home network. I am not that guy who goes out mostly, I stay home all day, so it has been fine for me.

    I get your point, a password manager has its own unique features and stuff.

    Maybe a much more secure way of throwing a vaultwarden instance online would be having server-side disk encryption and putting it behind Cloudflare Access entirely (bitwarden is e2e, so Cloudflare can't sniff).

    Thanked by 2: Arkas, ralf
  • emg Veteran

    I saw this, and felt that I had to comment:

    I read the breach disclosure notice written by LastPass. I wonder about LastPass' motivation in posting it. Were they motivated by "doing the right thing" or were they compelled under some government's breach disclosure laws?

    While LastPass is to be commended for disclosing the breach, the text was crafted in a way that reassures customers, but does not tell the whole story. LastPass did not say anything about the integrity of their source code and software - only reassurances to customers that their encrypted data is still encrypted. Did the attackers make changes to LastPass source code that left a hidden vulnerability in their software?

    We know that the attackers have a copy of LastPass' source code. They may uncover a hidden vulnerability. That is a concern, but good security should never rely on the secrecy of the methods used or the source code.

    @FatGrizzly said:
    this is why you gotta self host vaultwarden locally and not trust some online service :)

    I agree with the sentiment here. Store your passwords and keys locally. Keep good backups.

    I have never understood the concept of storing all of your passwords and keys somewhere on the internet in "a vault." Once there, they may be copied elsewhere. You will never know. You should assume that they are on the internet forever. Your true protections are the encryption in the software product, the design of the company's software, and how flawlessly they implemented that design.

    If an attacker ever gets a copy of your vault from the internet, they have as much time and resources as they wish to apply to the problem of attacking it. New methods may appear in the future to render the security obsolete. A previously unknown vulnerability may be published in the future that an attacker can apply to your vault.

    In my opinion, storing your passwords on the internet solely for the convenience of accessing them from multiple devices is a Faustian bargain. Your online and financial life are at stake. Do not store your passwords and keys on the internet, trusting the software of others while daring attackers to get it. Eventually, they will.

    One ring to rule them all.

    Use KeePass, LastPass, 1Password, etc. I recommend that everyone use a good password manager. If for nothing else, use it to generate strong unique random passwords. Whatever you use, do not use their internet vault. Store the vault on your own local computer. Keep it secure and backed up. Trust yourself to do what it takes to protect your strong passwords and keys, not strangers who write software they claim will keep your secrets secure forever.

    Thanked by 2: FatGrizzly, Arkas
  • sandoz Veteran
    edited August 2022

    @Arkas said:

    @sandoz said: Some people don't know that Keepass has more features than expected.
    https://keepass.info/plugins.html

    A page straight from the 90s and a .info domain does not make me feel safer, even though the product might be good. It needs better marketing.

    I don't mean to be rude in any way. But it is impossible to read your argument and remain silent.

    Since when does an old, new or modern website dictate what software is? I'll give you an example: lowendtalk has a horrible design, but it's quite functional. Do you think lowendtalk has a modern design? No.

    But what people want is sometimes something functional, clean and good. Beautiful or old doesn't mean anything. You have the examples of qbittorrent and the SMF forum.

    First of all, keepass is offline, which in itself is much, much safer.

    There is no possible comparison. Just use an encrypted VM on your local computer with no internet and a firewall blocking all connections.

    Hardly anyone could access it, unless they are a retard and don't have any know-how.

    Any offline solution is better, and even if you want an online solution they have it.

    Keepass also has a master key. ;)
    A website from the 90s doesn't mean anything. Ridiculous argument.

  • Arkas Moderator

    @sandoz said: I don't mean to be rude in any way. But it is impossible to read your argument and remain silent.

    Impossible is nothing.

  • @sandoz said:

    @Arkas said:

    @sandoz said: Some people don't know that Keepass has more features than expected.
    https://keepass.info/plugins.html

    A page straight from the 90s and a .info domain does not make me feel safer, even though the product might be good. It needs better marketing.

    I don't mean to be rude in any way. But it is impossible to read your argument and remain silent.

    Since when does an old, new or modern website dictate what software is? I'll give you an example: lowendtalk has a horrible design, but it's quite functional. Do you think lowendtalk has a modern design? No.

    But what people want is sometimes something functional, clean and good. Beautiful or old doesn't mean anything. You have the examples of qbittorrent and the SMF forum.

    First of all, keepass is offline, which in itself is much, much safer.

    There is no possible comparison. Just use an encrypted VM on your local computer with no internet and a firewall blocking all connections.

    Hardly anyone could access it, unless they are a retard and don't have any know-how.

    Any offline solution is better, and even if you want an online solution they have it.

    Keepass also has a master key. ;)
    A website from the 90s doesn't mean anything. Ridiculous argument.

    You're not wrong. But sometimes different people put different weight on the aesthetics or design (which is why marketing always has a major budget, because, myself included, people are judgemental). The idea of "Don't judge a book by its cover" really shines through for something like KeePass, especially since I use the living crap out of KeePass.

    I think the most important thing here is:

    1. Use a password manager... No matter how crappy, because at least a password manager helps you out.
    2. Preferably use a password manager that de-risks your solution (e.g. something self-hosted or locally stored, with distributed/backup solutions such as GDrive, Dropbox or NextCloud).
    3. Be smart
    Thanked by 1: Arkas
  • DP Administrator, The Domain Guy

    Write your credentials on a piece of paper, fold it really small and keep it in your wallet, just like how it was with phone numbers back in the days.

    Photostat for backup 👌

    Thanked by 1: HalfEatenPie
  • @DP said:
    Write your credentials on a piece of paper, fold it really small and keep it in your wallet, just like how it was with phone numbers back in the days.

    Photostat for backup 👌

    Spend time memorizing your parents' phone numbers so if you get lost you can always call.

    The brain's the ultimate lockbox... Except when it isn't. The Inception Dream Machine's still not a thing yet right?

    Thanked by 1: DP
  • @HalfEatenPie said:

    @sandoz said:

    @Arkas said:

    @sandoz said: Some people don't know that Keepass has more features than expected.
    https://keepass.info/plugins.html

    A page straight from the 90s and a .info domain does not make me feel safer, even though the product might be good. It needs better marketing.

    I don't mean to be rude in any way. But it is impossible to read your argument and remain silent.

    Since when does an old, new or modern website dictate what software is? I'll give you an example: lowendtalk has a horrible design, but it's quite functional. Do you think lowendtalk has a modern design? No.

    But what people want is sometimes something functional, clean and good. Beautiful or old doesn't mean anything. You have the examples of qbittorrent and the SMF forum.

    First of all, keepass is offline, which in itself is much, much safer.

    There is no possible comparison. Just use an encrypted VM on your local computer with no internet and a firewall blocking all connections.

    Hardly anyone could access it, unless they are a retard and don't have any know-how.

    Any offline solution is better, and even if you want an online solution they have it.

    Keepass also has a master key. ;)
    A website from the 90s doesn't mean anything. Ridiculous argument.

    You're not wrong. But sometimes different people put different weight on the aesthetics or design (which is why marketing always has a major budget, because, myself included, people are judgemental). The idea of "Don't judge a book by its cover" really shines through for something like KeePass, especially since I use the living crap out of KeePass.

    I think the most important thing here is:

    1. Use a password manager... No matter how crappy, because at least a password manager helps you out.
    2. Preferably use a password manager that de-risks your solution (e.g. something self-hosted or locally stored, with distributed/backup solutions such as GDrive, Dropbox or NextCloud).
    3. Be smart

    That's what I said. Keepass by default is and should be saved locally and offline.

    Just use an encrypted VM with no internet connection, and make backups. The risk is minimal or very small, unless you are dealing with people who have advanced knowledge.

    His argument was just ridiculous. Since when does an example serve as an example? Not to mention keepass is free with many features.

    Wordpress itself also doesn't have an up-to-date and beautiful page, and neither does this forum. I wonder why he uses this forum since the design is not modern... it looks like it's from the 90s.

    But this is me.

  • @sandoz said:

    @HalfEatenPie said:

    @sandoz said:

    @Arkas said:

    @sandoz said: Some people don't know that Keepass has more features than expected.
    https://keepass.info/plugins.html

    A page straight from the 90s and a .info domain does not make me feel safer, even though the product might be good. It needs better marketing.

    I don't mean to be rude in any way. But it is impossible to read your argument and remain silent.

    Since when does an old, new or modern website dictate what software is? I'll give you an example: lowendtalk has a horrible design, but it's quite functional. Do you think lowendtalk has a modern design? No.

    But what people want is sometimes something functional, clean and good. Beautiful or old doesn't mean anything. You have the examples of qbittorrent and the SMF forum.

    First of all, keepass is offline, which in itself is much, much safer.

    There is no possible comparison. Just use an encrypted VM on your local computer with no internet and a firewall blocking all connections.

    Hardly anyone could access it, unless they are a retard and don't have any know-how.

    Any offline solution is better, and even if you want an online solution they have it.

    Keepass also has a master key. ;)
    A website from the 90s doesn't mean anything. Ridiculous argument.

    You're not wrong. But sometimes different people put different weight on the aesthetics or design (which is why marketing always has a major budget, because, myself included, people are judgemental). The idea of "Don't judge a book by its cover" really shines through for something like KeePass, especially since I use the living crap out of KeePass.

    I think the most important thing here is:

    1. Use a password manager... No matter how crappy, because at least a password manager helps you out.
    2. Preferably use a password manager that de-risks your solution (e.g. something self-hosted or locally stored, with distributed/backup solutions such as GDrive, Dropbox or NextCloud).
    3. Be smart

    That's what I said. Keepass by default is and should be saved locally and offline.

    Just use an encrypted VM with no internet connection, and make backups. The risk is minimal or very small, unless you are dealing with people who have advanced knowledge.

    His argument was just ridiculous. Since when does an example serve as an example? Not to mention keepass is free with many features.

    Wordpress itself also doesn't have an up-to-date and beautiful page, and neither does this forum. I wonder why he uses this forum since the design is not modern... it looks like it's from the 90s.

    But this is me.

    I know... But what I'm stating is that for some people they do look at the design of the website and the app and it impacts their experience to a point where they don't feel comfortable about it. It's away from the utilitarianism perspective and that's part of life. KeePass does need a complete refresh on design and UX (this is why BitWarden is such an attractive alternative). But on a functional level, it's great.

    All that matters and is really important is that people are using password managers.

  • Arkas Moderator
    edited August 2022

    @sandoz said: Wordpress itself also doesn't have an up-to-date and beautiful page, and neither does this forum. I wonder why he uses this forum since the design is not modern... it looks like it's from the 90s.

    I do not agree that this forum looks like it's from the 90s. Sure, maybe a decade-old look, but not from the 90s. BitWarden is safe, can be totally free and under your control, and can, if you so wish, sync your devices. Now if you stay home all day and don't need to venture out to the scary woods, then fine, be comfortable with KeePass. If they can't afford a decent site and a solid domain, then that worries me about what else they can't afford to do well. Also, I like to add a new password wherever I am and have it synced. Sometimes I need it, not so much a choice.

    You know when you use an example to just be an example?
    With children.
    Class dismissed :smiley:

  • Hxxx Member

    It is a zero knowledge architecture. In theory they don't have your master which is why in their announcement they say you don't have to take action. I believe that's the reason people trust these online password managers. Otherwise it wouldn't be secure at all.

    Make sure you have strong 2FA.

    Thanked by 1: Erisa
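The earlier reply to Neoon (the server holds only the encrypted vault plus a hash of the master password, and "your vault is as secure as your master password and the hashing algorithm") and Hxxx's zero-knowledge point above describe the same design: the client derives the vault key from the master password and never sends it, and the server stores a separately derived, salted hash. The Python below is an added illustration of that key separation, not LastPass's, Bitwarden's or Vaultwarden's code; the iteration counts, the function names, the HMAC-based stand-in cipher (real products use AES) and the sample data are all assumptions. It shows what a full copy of the server database does and does not contain, that the stored login hash cannot open the vault, and how the per-guess KDF cost multiplied by password entropy is what "as secure as your master password" means for an offline attack on a stolen vault.

```python
"""Toy model of master-password key separation in a zero-knowledge vault.

Added illustration (assumed design, not any vendor's code): the client derives
the vault key locally, sends only a further-derived login hash, and the server
salts and re-hashes that before storing it. HMAC-SHA256 in counter mode stands
in for the AES-based encryption real products use.
"""
import hashlib
import hmac
import secrets

CLIENT_KDF_ITERATIONS = 600_000   # assumed client-side PBKDF2 cost per guess
SERVER_KDF_ITERATIONS = 100_000   # assumed server-side re-hash cost


def derive_master_key(password: str, email: str,
                      iterations: int = CLIENT_KDF_ITERATIONS) -> bytes:
    """Client-side only: the key that protects the vault. Never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               email.lower().encode(), iterations)


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """Login credential: one extra PBKDF2 round over the master key, so what the
    server ever sees is not the vault key itself."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1)


def server_store(auth_hash: bytes) -> tuple[bytes, bytes]:
    """Server-side: salt and re-hash the received credential before storing."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_KDF_ITERATIONS)


def server_verify(stored: tuple[bytes, bytes], auth_hash: bytes) -> bool:
    """Constant-time check of a presented login credential against the stored record."""
    salt, expected = stored
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_KDF_ITERATIONS)
    return hmac.compare_digest(expected, candidate)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF stream (not AES)."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with sub-keys split off the master key; only this blob reaches the server."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(master_key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError if the key is wrong or the blob was tampered with."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def vault_opens(master_key: bytes, blob: bytes) -> bool:
    """True if the key both authenticates and decrypts the blob."""
    try:
        decrypt_vault(master_key, blob)
        return True
    except ValueError:
        return False


def server_side_view(password: str, email: str, vault: bytes,
                     iterations: int = CLIENT_KDF_ITERATIONS) -> dict:
    """Everything a complete copy of the server database would contain for one user."""
    master_key = derive_master_key(password, email, iterations)
    stored = server_store(derive_auth_hash(master_key, password))
    return {"email": email, "stored_auth": stored, "vault_blob": encrypt_vault(master_key, vault)}


def seconds_to_exhaust(entropy_bits: float, client_iterations: int,
                       sha256_per_second: float) -> float:
    """Time to try every password of the given entropy offline, when each guess
    costs one full client-side KDF run: the password-strength x KDF-cost product."""
    return 2 ** entropy_bits * client_iterations / sha256_per_second


if __name__ == "__main__":
    # Constructed sample data; the hash rate below is an assumed round figure.
    view = server_side_view("correct horse battery staple", "user@example.com",
                            b"github.com / user / hunter2")
    print("stored login hash opens the vault?", vault_opens(view["stored_auth"][1], view["vault_blob"]))
    print("seconds to try every 40-bit password:", seconds_to_exhaust(40, CLIENT_KDF_ITERATIONS, 1e9))
```

The point the example makes concrete: the breach data (`server_side_view`) never includes the master key, and the stored login hash is useless as a decryption key, so the only route to the vault is guessing the master password at the full client-side KDF cost per guess. Raising `CLIENT_KDF_ITERATIONS` or the password's entropy scales `seconds_to_exhaust` linearly and exponentially respectively, which is why the thread's advice is a long unique master password plus a well-tuned KDF, with 2FA protecting the login rather than the vault itself.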
  • @Arkas said:

    You know when you use an example to just be an example?
    With children.
    Class dismissed :smiley:

    I think I'm missing something here. Because examples are some of the best ways to convey an idea so that people understand what you're saying.

    Either that or you just insulted probably all the senior leaderships of various companies and politicians (aka decision makers) because... well... They're not going to understand every single detail and will need examples to help understand and make an informed decision.

  • Arkas Moderator

    @HalfEatenPie said: I think I'm missing something here. Because examples are some of the best ways to convey an idea so that people understand what you're saying.

    Either that or you just insulted probably all the senior leaderships of various companies and politicians (aka decision makers) because... well... They're not going to understand every single detail and will need examples to help understand and make an informed decision.

    I agree. No disrespect to any senior leaders, especially politicians was meant.

  • sandoz Veteran
    edited August 2022

    @Arkas said:

    @sandoz said: Wordpress itself also doesn't have an up-to-date and beautiful page, and neither does this forum. I wonder why he uses this forum since the design is not modern... it looks like it's from the 90s.

    You know when you use an example to just be an example?
    With children.
    Class dismissed :smiley:

    Did you know that not everybody is from the US/UK, right? Also I see you didn't like my argumentation, so you are talking that way.

    I should tell you the truth. Since when does website style mean bad software? I know good software with a poor website, just because they put all their effort into their software rather than their website.

    That's how it works. But you are free to code it. Especially when it is free. ;)

    Someone was mentally weak and got retired from Moderation because of the pressure... laughable, within a few days after becoming mod.

    Crying with others about how big the pressure was. Clearly you missed the class of chads.

  • Arkas Moderator

    @sandoz said: Did you know that not everybody is from the US/UK, right?

    Someone was mentally weak and got retired from Moderation because of the pressure... laughable, within a few days after becoming mod.

    Crying with others about how big the pressure was. Clearly you missed the class of chads.

    What are you babbling on about? I never said I gave up because of the pressure?
    Obviously you didn't get my humor in the post so you are now upset. Or is it because I gave you a warning when I was a mod, tell us, which one is it? :smile:

  • @Arkas said:

    @sandoz said: Did you know that not everybody is from the US/UK, right?

    Someone was mentally weak and got retired from Moderation because of the pressure... laughable, within a few days after becoming mod.

    Crying with others about how big the pressure was. Clearly you missed the class of chads.

    What are you babbling on about? I never said I gave up because of the pressure?
    Obviously you didn't get my humor in the post so you are now upset. Or is it because I gave you a warning when I was a mod, tell us, which one is it? :smile:

    Upset? For what? I only laughed when I saw your commentary, since a 90s website has nothing to do with coding or software.

    Yes, you said that the pressure, feedback and moderation were heavy for you. Or don't you remember?

    Upset because you said that? Don't worry. I'm not Arkas, who left Moderation just because of fancy and foolish things. (Which you are free to leave.)

    Next time, think if you can do it better. If not, refuse.

  • Arkas Moderator

    @sandoz said: Yes, you said that the pressure, feedback and moderation were heavy for you. Or don't you remember?

    I sincerely don't remember that, I'm not being a jerk. Can you please show me where I said that?

  • The extension itself is glitchy after the August 10 update; if you see the reviews you will come to know, I think it all started suddenly after this. I moved to another password manager, and now there are no more of these issues where the extension just hangs or just stays open.
