

LastPass hacked - Page 3

Comments

  • 90% of hacks are done inside.

  • @team_traitor said:
    90% of hacks are done inside.

    78.9% of statistics are made up.

  • emg, Veteran
    edited December 2022

    @Tony40 said:
    No, LastPass Didn't Expose Your Passwords

    Yes, a LastPass website containing customer info was breached. But the hackers didn’t even come close to getting hold of your passwords.
    https://www.pcmag.com/opinions/lastpass-didnt-expose-your-passwords

    First and foremost, do not believe anything that is written by PCMag or appears on its website. After the utter disconnect between their glowing review of Arvixe and the disaster that was the real Arvixe, I do not believe anything they publish. They do not report facts, only what their advertisers and corporate influencers want consumers to see. The Arvixe disaster exposed that for me. Treat PCMag like a squad of cheerleaders, not your science professors.

    Second, the referenced link was published in the opinion section, and its "facts" were based on very limited information in LastPass' own damage control statements. I might have interpreted them differently, and with much more skepticism. If I were a member of the press, I would have gathered additional data and asked LastPass to clarify and confirm the "facts".

    What I recommend:

    If I had my passwords in LastPass and used their vault to store them, I would have changed the master password for my LastPass vault immediately. As soon as practical afterwards, I would have taken the time to go through each and every password in the vault and its associated website or whatever, one by one, and change each individual password to a new, unique, strong, random password. Changing each individual password in your LastPass vault will make any stolen password data useless to attackers. If the data was not stolen, as the opinion piece suggests, no harm done. If the data is actually at risk, then you just reset the bad guys' work back to the starting point, which can't hurt.

    After that, I would reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way?

    Thanked by the_doctor
  • lastpass account deleted, move to selfhosted vaultwarden

    Thanked by TimRoo, the_doctor
  • @sandoz said:
    Thank God, Keepass exists <3
    I think Keepass is underrated, unfortunately. If you can support them, then do it.

    https://keepass.info/download.html

    Some people don't know that even Keepass has more features than expected.
    https://keepass.info/plugins.html

    Constantly updated, better than those online password managers.

    Best solution.
    Keepass + strong password + yubico and sync with gdrive. Why pay if the open-source solution is better?!

  • @Hxxx said: At least it is zero-knowledge arch... hopefully that's true for the safety of the users.

    It's provably true as you can look at the source code for the browser extension and see that it does all encryption and decryption on the client-side. Same with Bitwarden.

    @DP said:

    @TimboJones said: Phone numbers are not secret at all, in fact, there's a whole book full of them

    That's not true.

    Businesses maybe (i.e., Yellow Pages), and even then, not ALL are listed.

    Personal numbers are still considered personal data, hence private.

    Is there even a country where there's a "whole book full of" personal numbers?

    Not sure about other countries, but in Australia we had the "White Pages" that had first initial, surname, address, and phone number. Every person with a phone line would receive a printed version of both the Yellow Pages (businesses) and the White Pages (residential) every year for free. You had to pay a monthly fee to make your number "private", which would remove you from the list.

    I remember using the White Pages to find phone numbers of friends and extended family members, and looking up someone's address when going to visit them. Seems a little creepy now, but for some reason it felt normal back then.

    In the 2000s, they started also providing the contents of the White Pages on a CD-ROM that you could purchase. The CD had a Windows app where you could enter a name and find their entries in the White Pages. This was interesting because people worked out how to extract the database from the app and use it to perform reverse lookups - Given a phone number, look up the name and address of the caller. This was referred to as "Black Pages" or "Grey Pages" as those were names of sites (of questionable legality) that published the reverse lookup data. There's a bunch of sites for that today, but back then (when a lot of people didn't even have caller ID) there was nothing like it.

  • This is one of the reasons why I moved away from LastPass a long time ago. It's a shame. They used to be good. Let's hope this does not happen to Bitwarden.

  • @gbzret4d said:
    Best solution.
    Keepass + strong password + yubico and sync with gdrive. Why pay if the open-source solution is better?!

    Is using gdrive secure? I haven't used Keepass, but if I have to use a cloud like gdrive, then why not Bitwarden? I have been using Bitwarden and can access/use it on PC and mobile.

  • @kidrock said:

    @gbzret4d said:
    Best solution.
    Keepass + strong password + yubico and sync with gdrive. Why pay if the open-source solution is better?!

    Is using gdrive secure? I haven't used Keepass, but if I have to use a cloud like gdrive, then why not Bitwarden? I have been using Bitwarden and can access/use it on PC and mobile.

    That's why you should use a strong master password. You could also set up your own "cloud" or just a simple FTP server on one of your idling VPSes from a black deal and sync the database.

  • tr1cky, Member
    edited December 2022

    How dumb can you be to use any online password-manager?

    You trust their security.

    Everything is more secure.

    Using KeePass synced to Google Drive or something: More secure but more insecure than other options, but still, someone must hack your Google Drive or everyone's Google Drive to get a database file that is encrypted.

    Using a selfhosted solution: More secure, someone would need to know your specific server and hack it and decrypt the database.

    Using internal networking only: Even more secure.

    Using a sheet of paper: Most secure

    The only thing that breaches all security is direct access to the client machine where the password manager is hosted.

    I could never understand how stupid someone must be to use a password-manager where they don't even know where their database is stored and if and how it is encrypted.
    What if some provider gets hacked another way? What if they have access to the servers that hold the databases and every time someone opens their database they just log all the passwords?

    If any moron on lowendtalk uses an online password-manager they should be banned.

  • @kidrock said:

    @gbzret4d said:
    Best solution.
    Keepass + strong password + yubico and sync with gdrive. Why pay if the open-source solution is better?!

    Is using gdrive secure? I haven't used Keepass, but if I have to use a cloud like gdrive, then why not Bitwarden? I have been using Bitwarden and can access/use it on PC and mobile.

    Bitwarden, if you don't use their selfhost-solution, is less secure because they only store passwords.
    If someone breaches Bitwarden, their intent is passwords, if someone breaches google drive, their intent could be anything.

    Thanked by kidrock
  • tr1cky, Member
    edited December 2022

    @WebProject said:
    My favourite password managers are Bitwarden and Enpass

    Don't pay for either, get Keepass in some form.
    A good desktop client in my opinion is KeepassXC, for mobile, there are multiple clients, just look what suits you best.

    Store the file on some cloud provider for pretty good security, store it on your own server for even more security.
    If you want even more security go through a VPN to the server and disallow everything else.

    Edit: KeepassXC + Browser Extension is 10 times better than Enpass with their shitty extension that half of the time doesn't recognize login fields (you can manually mark them with KeepassXC if they are ever wrong or it's not filling in the correct fields)

    Thanked by gbzret4d
  • FatGrizzly, Member, Host Rep

    @tr1cky said:
    How dumb can you be to use any online password-manager?

    You trust their security.

    Everything is more secure.

    Using KeePass synced to Google Drive or something: More secure but more insecure than other options, but still, someone must hack your Google Drive or everyone's Google Drive to get a database file that is encrypted.

    Using a selfhosted solution: More secure, someone would need to know your specific server and hack it and decrypt the database.

    Using internal networking only: Even more secure.

    Using a sheet of paper: Most secure

    The only thing that breaches all security is direct access to the client machine where the password manager is hosted.

    I could never understand how stupid someone must be to use a password-manager where they don't even know where their database is stored and if and how it is encrypted.
    What if some provider gets hacked another way? What if they have access to the servers that hold the databases and every time someone opens their database they just log all the passwords?

    If any moron on lowendtalk uses an online password-manager they should be banned.

    Use a sheet of paper? What if a thief breaks into your home and takes all the sheets? Or if you put it in your wallet, again.

    Best thing is to use your brain. You're taking it too far, in terms where you mention members should be banned if they use online password managers.

    Come on, show us your stack of papers.

  • @tr1cky said:
    Bitwarden, if you don't use their selfhost-solution, is less secure because they only store passwords.
    If someone breaches Bitwarden, their intent is passwords, if someone breaches google drive, their intent could be anything.

    There is another thread here in LET about self-hosting Bitwarden and I think it'd screw things up for newbies if we don't know how to properly self-host.
    Secondly, in your other comment recommending Keepass, as KP is offline, how do I access and use it from mobile and sync both devices so that I can use it from anywhere? Maybe there are other apps/extensions to use Keepass but won't that make it similar to using Bitwarden?

  • emg, Veteran

    @tr1cky said:
    How dumb can you be to use any online password-manager?
    [...]

    While I agree with most of the concepts and sentiment in this comment, I would have preferred that it be said in a nicer way.

    Nobody here is "dumb" or a "moron" for using an online password manager. It is certainly better than setting every website password to "abc123" or "password1", right? Nobody is perfect, and we can help people step their way from bad to better to good.

    I agree that there are risks to using online password managers and carefully described them above. Nonetheless, we can all share our knowledge and experience in a way that encourages others to follow. Abusing your students is not a good way to teach them.

  • kalimov622, Member
    edited December 2022

    @tr1cky, the type of guy to use 123456 as a password on every website and secure that on a piece of paper.

  • @kidrock said:

    @tr1cky said:
    Bitwarden, if you don't use their selfhost-solution, is less secure because they only store passwords.
    If someone breaches Bitwarden, their intent is passwords, if someone breaches google drive, their intent could be anything.

    There is another thread here in LET about self-hosting Bitwarden and I think it'd screw things up for newbies if we don't know how to properly self-host.
    Secondly, in your other comment recommending Keepass, as KP is offline, how do I access and use it from mobile and sync both devices so that I can use it from anywhere? Maybe there are other apps/extensions to use Keepass but won't that make it similar to using Bitwarden?

    You store the Keepass file on a cloud provider of your choice, certain cloud providers are not directly built into most Keepass clients, but this way you can still sync.
    Is this the most secure solution? No, it's not, but it would require that your cloud gets breached and then a hacker would have to decrypt your database.

    Bitwarden, if not self-hosted, is just Lastpass but a bit more transparent.
    I'm not saying the cloud way is very secure but it is relatively easy and you don't rely on a provider that only does one thing: store passwords.
    And that's my argument why storing your database file, even in a cloud, is more secure than using something like not self-hosted bitwarden.

    I would argue a self-hosted solution is more secure than using a cloud, but if it's about ease of use, then I'd recommend cloud.
    I mean, there are commercial projects like enpass, that do exactly that.
    And I would recommend Enpass with cloud over Bitwarden using Bitwarden's servers.

    Thanked by kidrock
  • emg, Veteran

    The following is copied and lightly edited from my post above. What I recommend:

    If I had my passwords in LastPass and used their vault to store them, I would change the master password for my LastPass vault immediately.

    -> As soon as practical afterwards, I would take the time to go through each and every password in the vault and its associated website or whatever, one by one, and change each individual password to a new, unique, strong, random password.

    Changing each individual password in your LastPass vault will make any stolen password data useless to attackers. We have now learned that your password data is actually at risk. By changing every individual password in your vault, you just reset the bad guys' work back to the starting point, which can't hurt.

    After that, I would reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way?

  • @emg said: After that, I would reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way?

    ^This.

    Of more concern is that with your phone number, email address and other metadata exposed, unencrypted, phishing attacks are going to be harder to spot as they will have some info that phishers don't normally have.

  • I had migrated to Bitwarden from Lastpass a few years back. Last year, after their vulnerability, I deleted all the login details from the Lastpass vault. After reading yesterday's blog update, I logged in to Lastpass and found all my login details were still there in the vault, wtf :o

  • don't trust them with your passwords.

  • TimRoo, Member
    edited December 2022

    Lastpass users went from "Even if they're hacked they won't be able to get into the encrypted blob" to "I sure hope they're never able to get into the encrypted blob or I'm royally fucked."

    You're probably okay as a user, but you'll never know if they found a vulnerability in that blob until it's too late. What a really lousy situation.

  • I wonder if these encrypted blobs are that secure - from what I'm reading, their encryption key is just the user-supplied master password processed using a standard key derivation function. That makes this hack not much different from hacking any other site - the only difference is that this time you pwn the entire user instead of a single service.

    On the registration form you can even set a password reminder - now that's something I haven't seen since Windows XP.

  • With Bitwarden, anything else one can do besides choosing a long and difficult master password? I mean to protect myself in case someone gains access to the vault. I don't want to self host it anymore.

  • @Arkas said:

    @sandoz said: Some people don't know that even Keepass has more features than expected.
    https://keepass.info/plugins.html

    A page straight from the 90s and a .info domain does not make me feel safer, even though the product might be good. It needs better marketing.

    OMG that website is hideous

    @Neoon said:

    @FatGrizzly said:
    this is why you gotta self host vaultwarden locally and not trust some online service :)

    Well, what if the vps goes down?
    Can you even setup a simple failover or HA setup for vaultwarden?

    Sure, it's pretty easy even with a traditional setup. Database replication between hosts plus load balancing and IP failover.

  • Never understood why someone would trust a 3rd party as a single point of failure. An obvious target. KeePassXC is everything I need: FOSS, full features.

  • TimRoo, Member
    edited December 2022

    @inland said:
    I wonder if these encrypted blobs are that secure - from what I'm reading, their encryption key is just the user-supplied master password processed using a standard key derivation function. That makes this hack not much different from hacking any other site - the only difference is that this time you pwn the entire user instead of a single service.

    The big issue I've heard in the last few days is that they also got source code, so even if there is some obscure algorithm, the hackers have that too. It is a matter of how good that master password is, unfortunately.
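The two posts above (@inland's point that the vault key is just the master password run through a standard KDF, and @TimRoo's point that with the source code in hand "it is a matter of how good that master password is") describe an offline guessing attack. The following is an added illustration written for this page, not LastPass's or Bitwarden's actual vault format or code. It assumes PBKDF2-HMAC-SHA256 as the "standard key derivation function", models the stolen blob as a salt, an iteration count and a key-check value (standing in for the authentication tag on the real ciphertext, which is what lets an attacker recognise a correct guess), and uses a constructed four-entry wordlist. The GPU hash rate used in the cost estimate is an assumed round number, not a measurement.

```python
"""Offline guessing against a stolen, encrypted password-vault blob.

Constructed illustration: the blob is modelled as (salt, iteration count,
key-check value). The key-check value stands in for the AEAD authentication
tag on the real ciphertext, which is what lets an attacker recognise a
correct master-password guess without any further help from the server.
This is NOT LastPass's or any vendor's actual vault format.
Standard library only.
"""
import hashlib
import hmac
import os

KEY_LEN = 32
KCV_LABEL = b"vault-key-check"


def derive_key(master_password, salt, iterations):
    """PBKDF2-HMAC-SHA256. The vault's whole secrecy rests on this input."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, KEY_LEN)


def make_vault_blob(master_password, iterations, salt=None):
    """What the server ends up storing: nothing secret, but everything an
    attacker needs to start guessing once the blob is exfiltrated."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    kcv = hmac.new(key, KCV_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "kcv": kcv}


def offline_guess(blob, candidates):
    """Attacker side: run the same public KDF over each candidate and compare
    against the stolen key-check value. Returns (password or None, guesses)."""
    tried = 0
    for cand in candidates:
        tried += 1
        key = derive_key(cand, blob["salt"], blob["iterations"])
        tag = hmac.new(key, KCV_LABEL, "sha256").digest()
        if hmac.compare_digest(tag, blob["kcv"]):
            return cand, tried
    return None, tried


def seconds_to_exhaust(keyspace, iterations, sha256_per_second):
    """Back-of-envelope attacker cost. One PBKDF2 guess costs roughly
    `iterations` HMAC-SHA256 evaluations, so the only two knobs are the
    master password's keyspace and the iteration count baked into the blob."""
    return keyspace * iterations / sha256_per_second


if __name__ == "__main__":
    # Constructed wordlist standing in for a leaked-password list.
    wordlist = ["123456", "password", "password1", "letmein"]
    weak = make_vault_blob("password1", iterations=1000)
    print("weak vault:", offline_guess(weak, wordlist))      # cracked on guess 3
    strong = make_vault_blob("crisp-otter-ledger-4912", iterations=1000)
    print("strong vault:", offline_guess(strong, wordlist))  # not in the list
    # Ten-character alphanumeric keyspace against an assumed 1e10 SHA-256/s GPU rig.
    keyspace = 62 ** 10
    for iters in (5000, 100100, 600000):
        years = seconds_to_exhaust(keyspace, iters, 1e10) / 86400 / 365
        print(f"{iters:>7} iterations: {years:.0f} years to exhaust")
```

The salt and iteration count are not secrets, so once the blob is stolen nothing on the server side slows the attacker down; raising the iteration count multiplies the cost linearly, while adding entropy to the master password multiplies it exponentially, which is why a vault that was created with a low iteration count and a dictionary-grade master password is the realistic worry in a breach like this.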
