After Lastpass, now another Password Manager breached
After the recent Lastpass hack, now again Norton PM is breached.
NortonLifeLock warns that hackers breached Password Manager accounts
https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/
Here is a method to download and deobfuscate an old LastPass vault
https://www.grc.com/sn/sn-905-notes.pdf
One after another, Password Managers getting breached, so what security measures are you taking to prevent such incident?
Comments
self hosted bitwarden inside homelab ftw
Not a surprise to see Norton LifeLock/any Symantec product get breached or proven to fail. Their products have been notoriously terrible over the years. In most cases, people who have Norton or Symantec products installed on their PC have them because they came pre-installed, or they genuinely didn't know better and installed them thinking that they provide a good service.
I remember back in the early days of Windows XP when my old man had to call their support and go through over an hour on the phone with them on uninstalling Norton antivirus because it was impossible to simply remove through the Add or Remove settings in the Control Panel. Norton antivirus was a virus in itself, and that moment on taught me to avoid their services like a plague.
Trezor password manager
https://trezor.io/learn/a/trezor-password-manager
Bitwarden self hosted
I thought Trezor was for cryptocurrencies only. So it provides PM too?
From what I understand they don't host your passwords, you can have them saved and encrypted in your Dropbox account and interact with them via their app. Your trezor device will do the encryption/decryption.
Edit: it is a browser extension not a real app*
I have self-hosted Vaultwarden on a LUKS-encrypted Kimsufi with regular backups to my local computer. I don't open it to the internet; I use a permanent WireGuard tunnel on my phone and laptop. I created self-signed certs, so after adding them to my devices, I can use the Bitwarden apps and extension without problem. I have used this setup with high satisfaction since summer. Before that I used PasswordSafe with Syncthing, but I couldn't edit on both devices at the same time and couldn't use it on iPhone. In my experience Bitwarden is the best solution; it supports notes, credit cards and TOTP tokens.
Time to go back to writing passwords on paper and hiding it around my home/office
Special new year discount for you
It's time to keep all the passwords in mind.
Oh very sad.
Anyway
Didn’t know Norton PM existed
Bitwarden FTW
Title is clickbait; they themselves were not breached. Someone was just buying email/password combinations and brute forcing NortonLifeLock accounts. If you're using the same password for your password manager as for other accounts and not using 2FA, then you're doing it wrong.
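The pattern the comment above describes (bought credential lists replayed against many accounts from the same source) is credential stuffing, and on the defending side it is visible in authentication logs long before any individual account looks unusual. The following is an added example, not code from the thread or from NortonLifeLock: it parses a handful of constructed log lines (the line format, timestamps, addresses and thresholds are all assumptions made for this illustration), flags source IPs that fail logins against many distinct accounts in a short window, and then lists accounts that logged in successfully from a flagged source, since those are the ones to force a reset and 2FA enrolment on.

```python
"""Credential-stuffing detection over constructed auth log lines.

Added example; not from the forum thread or any vendor. The log format,
the sample data and the thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
# <ISO-8601 UTC timestamp> <login_failed|login_ok> user=<email> ip=<addr>
SAMPLE_LOG = """\
2023-01-12T10:00:01Z login_failed user=alice@example.com ip=203.0.113.7
2023-01-12T10:00:02Z login_failed user=bob@example.com ip=203.0.113.7
2023-01-12T10:00:02Z login_failed user=carol@example.com ip=203.0.113.7
2023-01-12T10:00:03Z login_failed user=dave@example.com ip=203.0.113.7
2023-01-12T10:00:04Z login_ok user=erin@example.com ip=203.0.113.7
2023-01-12T10:00:05Z login_failed user=frank@example.com ip=203.0.113.7
2023-01-12T10:01:00Z login_failed user=grace@example.com ip=198.51.100.4
2023-01-12T10:01:30Z login_failed user=grace@example.com ip=198.51.100.4
2023-01-12T10:02:00Z login_ok user=grace@example.com ip=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) ip=(\S+)$")


def parse(log_text):
    """Turn log text into (timestamp, outcome, user, ip) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: set_of_users} for IPs whose failed logins hit at least
    `min_accounts` distinct accounts inside any sliding `window`.

    A single user failing repeatedly (forgotten password) is not flagged;
    the signal is breadth across accounts, which is what stuffing looks like.
    """
    failures_by_ip = defaultdict(list)
    for ts, outcome, user, ip in events:
        if outcome == "login_failed":
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in failures_by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that logged in successfully from a flagged IP: these are the
    likely compromised ones and need a forced reset plus 2FA enrolment."""
    return {user for _, outcome, user, ip in events
            if outcome == "login_ok" and ip in flagged}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    for ip, users in hits.items():
        print(f"stuffing source {ip}: {len(users)} distinct accounts targeted")
    print("successful logins from flagged sources:", successes_from_flagged(evts, hits))
```

The thresholds (five accounts in five minutes) are deliberately low so the sample data trips them; on a real service they are tuned against the normal rate of distinct accounts per source, and shared NAT egress addresses need an allow-list or a higher bar so that a university or office does not get flagged.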
I only remember the passwords of websites/apps that do not have "forgot password"
But ... but da cloud is säkkure!!!
I have completely overhauled my password management stack. It's called Nunya.
nunya business.
SON
I AM DISAPPOINT
old but gold
I would trust my passwords on @jar's instance rather than any Symantec shit.
The XKCD password scheme posted by @umz above has been discussed for a long time. Some disagree on how secure it is. Here is an essay by Bruce Schneier, which would be a good place to start:
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
I'm a fan of Bruce, but he doesn't make his argument successfully, and you can see that in his tips at the bottom having nothing to do with the xkcd comic. The xkcd comic says to use random words, so the crack time is still substantial. The examples he cited were either common phrases or shorter than 4 common words. Lastly, he talked about storing the password on the computer as being a way to create an easy dictionary for the attacker to use, as well as using personal information (again, ignoring that xkcd specifically calls for random words, not personal ones). It's much more likely to need to record the password if it's anything more complex than commonly spelled, unambiguous words that can't be memorized easily.
My friend who tells me more Bruce stories than anyone else I know keeps a piece of paper that looks like a search word puzzle that's like 20x20. In his head, he has some algorithm where he knows to go to such row/column and get the password. Over the years, it's been inconvenient for him and his colleagues on more than one occasion. I'll stick with xkcd idea for now.
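The disagreement above comes down to arithmetic: the xkcd scheme's strength rests entirely on the words being chosen uniformly at random from a known list, so its entropy is the number of words times log2 of the list size, whereas a remembered common phrase only has as much entropy as the size of the phrase list an attacker would try. The block below is an added example, not code from the thread or from xkcd; it carries that calculation through with `math.log2`, generates a passphrase with the `secrets` module (the OS CSPRNG, which is the part people get wrong when they pick words "at random" by hand), and converts bits into an expected guessing time at an assumed rate. The small `DEMO_WORDS` list is a constructed stand-in; the 7776 figure is the standard Diceware list size used by the EFF long wordlist.

```python
"""Entropy arithmetic behind the xkcd / Diceware passphrase scheme.

Added example, not from the thread. DEMO_WORDS is a constructed toy list;
real use takes a published list of thousands of words.
"""
import math
import secrets

# Constructed toy wordlist for a runnable demo (16 words -> 4 bits per word).
DEMO_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "pillow", "orbit",
    "velvet", "falcon", "meadow", "anchor", "copper", "thistle", "lantern", "quartz",
]

DICEWARE_LIST_SIZE = 7776  # 6**5, the EFF long wordlist size


def entropy_bits(list_size, n_picks):
    """Entropy of n_picks independent uniform choices from a list of list_size."""
    return n_picks * math.log2(list_size)


def char_password_bits(alphabet_size, length):
    """Same formula for a random character password (e.g. 95 printable ASCII)."""
    return entropy_bits(alphabet_size, length)


def generate_passphrase(wordlist, n_words, sep="-"):
    """Pick words with the OS CSPRNG; random.choice() is not suitable here."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def expected_crack_seconds(bits, guesses_per_second):
    """Average time to guess: an attacker searches half the space on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    print("4 random Diceware words:", round(entropy_bits(DICEWARE_LIST_SIZE, 4), 1), "bits")
    print("8 random printable chars:", round(char_password_bits(95, 8), 1), "bits")
    # A memorable phrase drawn from, say, a million known phrases (assumed size):
    print("1 phrase from 1e6 phrase list:", round(entropy_bits(1_000_000, 1), 1), "bits")
    # Assumed offline guessing rate of 1e9/s against a weak hash (illustrative):
    print("years to crack 4 Diceware words @1e9/s:",
          round(expected_crack_seconds(entropy_bits(DICEWARE_LIST_SIZE, 4), 1e9) / 3.156e7, 1))
    print("sample (toy list, only 16 bits):", generate_passphrase(DEMO_WORDS, 4))
```

Two things the numbers make concrete: four Diceware words land within a bit of an eight-character fully random password, and a phrase that already exists somewhere (lyrics, quotes, the examples Schneier cites) is worth only the log2 of however many such phrases the cracking dictionary holds, regardless of its length. The guessing rate and phrase-list size printed above are assumptions; plug in the hash and hardware you actually face.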
As I said, the method has been discussed for a long time, and not everybody agrees on its security.
The Schneier article was a place to start, nothing more. Honestly, I read it long ago. It came up high in the web search when I looked for an example of the many discussions and arguments over the method, so I grabbed it. Your assessment of Bruce's blog post is good.
Happy with Enpass, really. Can just be used local, or sync with GDrive account/Dropbox and others.
@jar's instance?
@jar's vaultwarden, vault.mxrouteapps.net i believe. I forgot the domain smh
Blah encrypted on my desktop and backup to flash is safer.
Wow! I didn’t know he also hosts vaultwarden!
Edit: @explicit it's https://pass.mxrouteapps.com/
Good stuff! Thank you mate!
A local password manager with reliable data cryptography. This is the only way to prevent data leakage caused by a third party.
I use Enpass. I highly recommend it.