After LastPass, now another Password Manager breached

kidrock Member
edited January 2023 in General

After the recent LastPass hack, now Norton PM is breached again.
NortonLifeLock warns that hackers breached Password Manager accounts
https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/

Here is a method to download and deobfuscate an old LastPass vault
https://www.grc.com/sn/sn-905-notes.pdf

One after another, password managers are getting breached, so what security measures are you taking to prevent such incidents?

Comments

  • @kidrock said:
    NortonLifeLock warns that hackers breached Password Manager accounts
    https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/

    After the recent LastPass hack, now Norton PM is breached again.
    Here is a method to download and deobfuscate an old LastPass vault
    https://www.grc.com/sn/sn-905-notes.pdf

    One after another, password managers are getting breached, so what security measures are you taking to prevent such incidents?

    Self-hosted Bitwarden inside homelab FTW.

    Thanked by 2: kidrock, NanoG6
  • Not a surprise to see Norton LifeLock/any Symantec product get breached or proven to fail. Their products have been notoriously terrible over the years. In most cases, people who have Norton or Symantec products installed on their PC have them because they came pre-installed, or they genuinely didn't know better and installed them thinking that they provide a good service.

    I remember back in the early days of Windows XP when my old man had to call their support and spend over an hour on the phone with them on uninstalling Norton antivirus because it was impossible to simply remove through the Add or Remove settings in the Control Panel. Norton antivirus was a virus in itself, and from that moment on I learned to avoid their services like the plague.

    Thanked by 3: kidrock, bdl, ariq01
  • Bitwarden self hosted

    Thanked by 1: kidrock
  • I thought Trezor was for cryptocurrencies only. So it provides PM too?

  • msallak1 Member
    edited January 2023

    @kidrock said:

    I thought Trezor was for cryptocurrencies only. So it provides PM too?

    From what I understand they don't host your passwords; you can have them saved and encrypted in your Dropbox account and interact with them via their app. Your Trezor device will do the encryption/decryption.

    Edit: it is a browser extension, not a real app*

    Thanked by 1: kidrock
  • @kidrock said:
    One after another, password managers are getting breached, so what security measures are you taking to prevent such incidents?

    I have self-hosted Vaultwarden on a LUKS-encrypted Kimsufi with regular backups to my local computer. I do not open it to the internet; I use a permanent WireGuard tunnel on my phone and laptop. I created self-signed certs, so after they are added to my devices, I can use the Bitwarden apps and extension without problems. I have used this setup with high satisfaction since summer. Before that I used PasswordSafe with Syncthing, but I couldn't edit on both devices at the same time and couldn't use it on iPhone. In my experience Bitwarden is the best solution; it supports notes, credit cards and TOTP tokens.

    Thanked by 2: kidrock, maverick
  • Arkas Moderator

    Time to go back to writing passwords on paper and hiding it around my home/office

    Thanked by 4: kidrock, jsg, ariq01, wuck
  • @Arkas said:
    Time to go back to writing passwords on paper and hiding it around my home/office

    Special new year discount for you :D

  • It's time to keep all the passwords in mind.

    Thanked by 1: kidrock
  • Void Member
    edited January 2023

    Oh very sad.
    Anyway
    Didn’t know Norton PM existed
    Bitwarden FTW

    Thanked by 2: kidrock, ariq01
  • Advin Member, Patron Provider

    Title is clickbait; they themselves were not breached. It was just someone buying email/password combinations and brute-forcing NortonLifeLock accounts. If you're using the same password for your password manager as for other accounts and not using 2FA, then you're doing it wrong :p

    Thanked by 2: kidrock, t0m
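The attack Advin describes is credential stuffing: leaked email/password pairs replayed against many accounts, typically one attempt per account. The following is an added example (not from the thread or from NortonLifeLock) showing the detection logic a defender would run over auth logs: flag source IPs that touch many distinct accounts in a short window, then list the accounts that logged in successfully from those IPs, since those are the ones whose leaked password worked and need a reset plus 2FA. The log format and sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). Assumed line format:
# "<ISO timestamp> login <ok|fail> user=<email> ip=<addr>"
SAMPLE_LOG = """\
2023-01-13T10:00:01 login fail user=alice@example.com ip=198.51.100.7
2023-01-13T10:00:02 login fail user=bob@example.com ip=198.51.100.7
2023-01-13T10:00:03 login ok user=carol@example.com ip=198.51.100.7
2023-01-13T10:00:04 login fail user=dave@example.com ip=198.51.100.7
2023-01-13T10:00:05 login fail user=erin@example.com ip=198.51.100.7
2023-01-13T10:00:06 login fail user=frank@example.com ip=198.51.100.7
2023-01-13T10:00:10 login fail user=alice@example.com ip=203.0.113.5
2023-01-13T10:00:12 login ok user=alice@example.com ip=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) login (ok|fail) user=(\S+) ip=(\S+)$")

def parse_log(text):
    """Parse log lines into (timestamp, result, user, ip); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: accounts} for IPs that tried >= min_accounts distinct
    accounts within `window`. Stuffing tries one leaked pair per account,
    so the signature is breadth (many accounts), not depth (many tries on one).
    A single user retrying their own password (203.0.113.5 above) is not flagged."""
    per_ip = defaultdict(list)
    for ts, _result, user, ip in events:
        per_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):          # sliding time window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {u for _, u in attempts[start:end + 1]}
            if len(accounts) >= min_accounts and len(accounts) > len(flagged.get(ip, ())):
                flagged[ip] = accounts
    return flagged

def compromised_accounts(events, flagged):
    """Accounts with a successful login from a flagged IP: their leaked
    password worked, so force a reset and require 2FA on them first."""
    return {user for _ts, result, user, ip in events if result == "ok" and ip in flagged}
```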
  • I only remember the passwords of websites/apps that do not have "forgot password"

    Thanked by 1: kidrock
  • jsg Member, Resident Benchmarker

    @Arkas said:
    Time to go back to writing passwords on paper and hiding it around my home/office

    But ... but da cloud is säkkure!!!

    Thanked by 2: kidrock, Arkas
  • I have completely overhauled my password management stack. It's called Nunya.
    nunya business.

  • DataRecovery Member
    edited January 2023

    @kidrock said: Norton PM is breached

    SON

    I AM DISAPPOINT

    Norton Utilities: Peter on yellow box (classic, vintage)

    Thanked by 3: kidrock, op23, ariq01
  • umz Member

    old but gold ;)

    Thanked by 2: kidrock, ariq01
  • FatGrizzly Member, Host Rep

    I would trust my passwords on @jar's instance rather than any Symantec shit.

    Thanked by 1: kidrock
  • emg Veteran

    The XKCD password scheme posted by @umz above has been discussed for a long time. Some disagree on how secure it is. Here is an essay by Bruce Schneier, which would be a good place to start:

    https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

    Thanked by 2: kidrock, umz
  • @emg said:
    The XKCD password scheme posted by @umz above has been discussed for a long time. Some disagree on how secure it is. Here is an essay by Bruce Schneier, which would be a good place to start:

    https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

    I'm a fan of Bruce, but he doesn't make his argument successfully, and you can see that in his tips at the bottom having nothing to do with the xkcd comic. The xkcd comic says to use random words, so the crack time is still substantial. The examples he cited were either common phrases or shorter than 4 common words. Lastly, he talked about storing the password on the computer as being a way to create an easy dictionary for the attacker to use, as well as using personal information (again, ignoring that xkcd specifically calls for random words, not personal ones). It's much more likely to need to record the password if it's anything more complex than commonly spelled, unambiguous words that can't be memorized easily.

    My friend who tells me more Bruce stories than anyone else I know keeps a piece of paper that looks like a word search puzzle that's about 20x20. In his head, he has some algorithm where he knows to go to such a row/column and get the password. Over the years, it's been inconvenient for him and his colleagues on more than one occasion. I'll stick with the xkcd idea for now.

    Thanked by 1: kidrock
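The disagreement above turns on one point: the xkcd scheme's strength comes from choosing the words uniformly at random, while the examples Schneier cites are phrases an attacker can enumerate from a phrase dictionary. The following is an added example (not from the thread, the comic or Schneier's post) that generates a passphrase with a CSPRNG and works the entropy and crack-time arithmetic for both cases. Assumptions, marked in the code: a 7776-word list (the size of the EFF diceware list), a 10-million-entry phrase dictionary for the attacker, and the comic's own figure of 1000 guesses per second; the tiny word list embedded here is constructed for the demo only.

```python
import math
import secrets

# Constructed tiny list for the demo; the entropy figures below assume a real
# list of 7776 words (the size of the EFF diceware list).
DEMO_WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern", "pebble", "velvet"]

def generate_passphrase(words, count=4):
    """Pick `count` words with a CSPRNG. The uniform random selection,
    not the obscurity of the words, is what the xkcd argument relies on."""
    return " ".join(secrets.choice(words) for _ in range(count))

def bits_random_words(count, list_size):
    """Entropy when each word is an independent uniform draw from the list."""
    return count * math.log2(list_size)

def bits_phrase_from_dictionary(phrase_dictionary_size):
    """Entropy if the 'passphrase' is a known phrase: the attacker enumerates
    the phrase dictionary rather than all word combinations."""
    return math.log2(phrase_dictionary_size)

def crack_time_seconds(bits, guesses_per_second):
    """Expected time to hit the secret: half the keyspace on average."""
    return (2 ** bits) / 2 / guesses_per_second

def compare(list_size=7776, count=4, phrase_dictionary_size=10**7,
            guesses_per_second=1000):
    """Compare four random words, a common phrase, and an 8-character random
    printable-ASCII password (94 symbols). Assumed rate: 1000 guesses/s,
    the comic's figure for an online attack on a weak web service; offline
    cracking of a fast hash would be many orders of magnitude faster."""
    rand = bits_random_words(count, list_size)
    phrase = bits_phrase_from_dictionary(phrase_dictionary_size)
    ascii8 = 8 * math.log2(94)
    year = 365.25 * 24 * 3600
    return {
        "random_words_bits": rand,
        "common_phrase_bits": phrase,
        "ascii8_bits": ascii8,
        "random_words_years": crack_time_seconds(rand, guesses_per_second) / year,
        "common_phrase_seconds": crack_time_seconds(phrase, guesses_per_second),
    }
```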
  • emg Veteran

    @TimboJones said: I'm a fan of Bruce [...]

    As I said, the method has been discussed for a long time, and not everybody agrees on its security.

    The Schneier article was a place to start, nothing more. Honestly, I read it long ago. It came up high in the web search when I looked for an example of the many discussions and arguments over the method, so I grabbed it. Your assessment of Bruce's blog post is good.

    Thanked by 1: kidrock
  • Ympker Member
    edited January 2023

    Happy with Enpass, really. Can just be used locally, or synced with a GDrive account/Dropbox and others.

    Thanked by 2: kidrock, default
  • @FatGrizzly said:
    I would trust my passwords on @jar's instance rather than any Symantec shit.

    @jar's instance?

  • FatGrizzly Member, Host Rep

    @explicit said:

    @FatGrizzly said:
    I would trust my passwords on @jar's instance rather than any Symantec shit.

    @jar's instance?

    @jar's vaultwarden, vault.mxrouteapps.net I believe. I forgot the domain smh

    Thanked by 1: kidrock
  • Blah encrypted on my desktop and backup to flash is safer.

    Thanked by 1: kidrock
  • @FatGrizzly said:

    @explicit said:

    @FatGrizzly said:
    I would trust my passwords on @jar's instance rather than any Symantec shit.

    @jar's instance?

    @jar's vaultwarden, vault.mxrouteapps.net I believe. I forgot the domain smh

    Wow! I didn’t know he also hosts vaultwarden!

  • FatGrizzly Member, Host Rep

    @FatGrizzly said:

    @explicit said:

    @FatGrizzly said:
    I would trust my passwords on @jar's instance rather than any Symantec shit.

    @jar's instance?

    @jar's vaultwarden, vault.mxrouteapps.net I believe. I forgot the domain smh

    Edit: @explicit it's https://pass.mxrouteapps.com/

    Thanked by 3: bdl, kidrock, explicit
  • @FatGrizzly said:

    @FatGrizzly said:

    @explicit said:

    @FatGrizzly said:
    I would trust my passwords on @jar's instance rather than any Symantec shit.

    @jar's instance?

    @jar's vaultwarden, vault.mxrouteapps.net I believe. I forgot the domain smh

    Edit: @explicit it's https://pass.mxrouteapps.com/

    Good stuff! Thank you mate!

  • rustelekom Member, Patron Provider

    A local password manager with reliable data cryptography. This is the only way to prevent data leakage caused by a third party.

    Thanked by 1: kidrock
  • I use Enpass. I highly recommend it.

    Thanked by 1: kidrock