Lastpass Hacked Again, and worse than what we thought! Use self-hosted solutions!
This may be old news, but I just found out, so it's 'news' to me! https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/
I switched to KeePass a couple of years ago and deleted everything from LastPass and emailed them a few times to ensure they got rid of all my data.
You should move away from third-party authentication providers like this and switch to self-hosted for more security. I use KeePassXC for now but I'm going to check out some other ones. Any other ones worth mentioning? I would never consider any more commercial services for password management.
Cheers, folks!
Comments
Old news, thanks anyway
I guess being stoned does slow time? I keep looking at complicated answers!
I use kaspersky password manager
See this recent thread:
https://lowendtalk.com/discussion/181068/lastpass-hacked
Here are my recommendations from that thread, edited to make it easy to read and understand:
Changing each individual password in your LastPass vault will make any stolen password data useless to attackers. You just reset the bad guys' work back to the starting point, which can't hurt. Yes, it is a lot of work, but it is essential to do. If you are using the same password repeatedly, now is your chance to give each website its own unique random and strong password, a very good idea.
Repeating:
I would reconsider the idea of using online internet-accessible vaults to store passwords. Maybe local storage and self-managed backups are a better way?
I like the approach Enpass takes. Everything is local, but you can optionally store/sync your vault in your GDrive/Dropbox/some other popular cloud storage services.
You can also just sync via your wifi though.
Maybe 100% offline is safer, but this is quite a good compromise, imho. Ofc, DYOR.
Nice. At least you know who you are sharing your passwords with.
Wouldn't be surprised to see lastpass hacked again, but old news
The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” LastPass CEO Karim Toubba wrote, referring to the Advanced Encryption Scheme and a bit rate that’s considered strong. Zero Knowledge refers to storage systems that are impossible for the service provider to decrypt. The CEO continued:
https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/
On principle, I do not like the idea of storing all of your passwords on internet-accessible storage, even though the passwords are encrypted with today's best encryption technology.
I will grant that Enpass' approach is better than LastPass' approach on several levels, but it still fails the essential principle that I stated above.
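Added example (not code from the original post, the Ars article, or LastPass): a small Python model of the architecture the quoted paragraph describes. The URL is stored in the clear, the field key is derived from the master password with a per-user salt and an iteration count, and nothing server-side can decrypt. The flip side, which is what makes a stolen backup dangerous, is that whoever holds the blob can guess master passwords offline with no rate limit. PBKDF2-HMAC-SHA256, the iteration counts, the key-check value, the URL and the candidate list are all assumptions constructed for the illustration, not LastPass's actual format or parameters.

```python
"""Offline master-password guessing against a stolen vault blob.

Constructed illustration of a zero-knowledge vault: the server stores a
per-user salt, the KDF iteration count, the plaintext URL and a key-check
value; the only key comes from the master password.  KDF choice, iteration
count and the key-check construction are assumptions for this example,
not LastPass's real format.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

KEY_LEN = 32  # 256-bit key, matching the AES-256 the quoted text mentions


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault key from the master password (PBKDF2-HMAC-SHA256 assumed)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def key_check(key: bytes) -> bytes:
    """Value a client uses to confirm the password before decrypting.

    Anyone holding the blob can use it the same way to confirm a guess;
    an AEAD authentication tag on the ciphertext serves an attacker equally well.
    """
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def build_stolen_blob(master_password: str, iterations: int,
                      salt: Optional[bytes] = None) -> dict:
    """What an attacker gets from a backup: salt, iterations, check value, plaintext URL."""
    if salt is None:
        salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "check": key_check(key),
        "url": "https://example.com/login",  # constructed; unencrypted, as in the breach
    }


def guess_offline(blob: dict, candidates: List[str]) -> Tuple[Optional[str], int]:
    """Try candidate master passwords against the blob; no server is involved.

    Returns (password, guesses_tried) on success, (None, guesses_tried) otherwise.
    """
    tried = 0
    for cand in candidates:
        tried += 1
        key = derive_key(cand, blob["salt"], blob["iterations"])
        if hmac.compare_digest(key_check(key), blob["check"]):
            return cand, tried
    return None, tried


def guesses_per_second(iterations: int, sha256_per_second: float) -> float:
    """Rough attacker throughput: PBKDF2-HMAC-SHA256 costs two SHA-256 calls per iteration.

    sha256_per_second is the attacker's hashing rate, an assumption you supply.
    """
    return sha256_per_second / (2.0 * iterations)


if __name__ == "__main__":
    # Constructed data: a weak master password with a fixed salt for reproducibility.
    blob = build_stolen_blob("password123", iterations=100_000, salt=bytes(16))
    print("URL leaks in the clear:", blob["url"])
    found, tried = guess_offline(blob, ["123456", "letmein", "password123", "qwerty"])
    print(f"weak master password recovered after {tried} guesses: {found}")
    # Raising the iteration count only scales the attacker's cost linearly;
    # the master password's entropy is what actually bounds the work.
    for iters in (5_000, 100_000, 1_000_000):
        rate = guesses_per_second(iters, 2e9)
        print(f"{iters:>9} iterations -> {rate:,.0f} guesses/s at 2e9 SHA-256/s (assumed rate)")
```

The point the model makes concrete: once the blob is copied, the iteration count and the master password are the only two defences left, and only the second one is under the user's control after the fact, which is why changing the vault's passwords matters even though the ciphertext itself is sound.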
Ok, thanks folks. My apologies for old news. Though, if I'm discovering it now, maybe more like me are also finding out through this thread, so I guess it's not completely useless. Cheers.
Thanks for the suggestions. I'll check those out. I am only doing self hosted credential management now, and no more third party providers.
I switched to KeePassXC and use that app on Android as well as PC, sync my password file through GDrive, and use my biometric to unlock the password file.
So far it's alright, but I want a self-hosted solution I can put on my private secure VPS and use from anywhere, on any device. I think that's the goal anyway.
Every single password in my DB is different. Not a single password is reused. Unless the site does not allow it, every password uses all possible and extended charsets, 64 characters in length minimally, unless the site enforces 32 or 24 or 16 or 12 chars, in which case I have to use their max length.
And since I abandoned LastPass, I've manually changed every single password to the above policy. On LastPass, I had actually reused many passwords in my youth. I had to spend 1-2 hours daily and it took about 1.5 months to finally change all my passwords everywhere to the above secure policy.
Now I should be fairly/relatively secure. I say fairly/relatively, as there is no absolute security.
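Added example (not the poster's code or any password manager's): a Python generator and vault audit implementing the policy just described. Each site gets its own random password, 64 characters unless the site caps the length, drawn from the full printable-ASCII set unless the site restricts the character set. The site names and per-site limits in the demo are constructed for the illustration.

```python
"""Per-site password generation and vault audit for a unique-and-long policy.

Added example: 64 characters from letters, digits and punctuation unless the
site caps length or restricts the charset, in which case the site's maximum
is used.  Site limits below are constructed for the illustration.
"""
import math
import secrets
import string
from typing import Dict, List, Optional, Tuple

FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation
ALNUM = string.ascii_letters + string.digits  # for sites that forbid punctuation
TARGET_LENGTH = 64
REQUIRED_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)

# site -> (max_length or None, allowed charset)
SiteLimits = Dict[str, Tuple[Optional[int], str]]


def policy_length(max_length: Optional[int]) -> int:
    """64 characters, or the site's maximum when that is lower."""
    return TARGET_LENGTH if max_length is None else min(TARGET_LENGTH, max_length)


def has_required_classes(password: str, charset: str) -> bool:
    """Every character class the site allows must appear at least once."""
    for cls in REQUIRED_CLASSES:
        if set(cls) & set(charset) and not any(c in cls for c in password):
            return False
    return True


def generate_password(max_length: Optional[int] = None, charset: str = FULL_CHARSET) -> str:
    """Uniformly random password of policy length, using the CSPRNG in `secrets`."""
    length = policy_length(max_length)
    if length < 8 or len(set(charset)) < 2:
        raise ValueError("site constraints leave too little entropy")
    # Rejection sampling: redraw until every allowed class is present, so the
    # result stays uniform over the accepted strings.
    while True:
        candidate = "".join(secrets.choice(charset) for _ in range(length))
        if has_required_classes(candidate, charset):
            return candidate


def entropy_bits(length: int, charset: str) -> float:
    """Upper bound on password entropy: length * log2(|charset|)."""
    return length * math.log2(len(set(charset)))


def fill_vault(site_limits: SiteLimits) -> Dict[str, str]:
    """site -> fresh password honouring each site's (max_length, charset)."""
    return {site: generate_password(max_len, cs) for site, (max_len, cs) in site_limits.items()}


def audit_vault(vault: Dict[str, str], site_limits: SiteLimits) -> Dict[str, List[str]]:
    """Report sites whose password is reused and sites below the policy length."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    reused = sorted(s for sites in by_password.values() if len(sites) > 1 for s in sites)
    too_short = sorted(
        site for site, pw in vault.items()
        if len(pw) < policy_length(site_limits.get(site, (None, FULL_CHARSET))[0])
    )
    return {"reused": reused, "too_short": too_short}


if __name__ == "__main__":
    # Constructed site constraints for the demo.
    limits: SiteLimits = {
        "forum.example": (None, FULL_CHARSET),   # no restrictions: 64 chars, full set
        "bank.example": (12, ALNUM),             # 12-char cap, letters and digits only
        "mail.example": (32, FULL_CHARSET),      # 32-char cap
    }
    vault = fill_vault(limits)
    for site, pw in vault.items():
        bits = entropy_bits(len(pw), limits[site][1])
        print(f"{site:15} len={len(pw):3} entropy~{bits:6.1f} bits  {pw}")
    print("audit:", audit_vault(vault, limits))
```

The audit is the part worth keeping around: run it over an exported vault and it lists exactly which sites still need the 1-2 hours of manual rotation the post describes.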
Fair enough, but Enpass doesn't force you to use any sync. And if you don't want to sync via the cloud, it offers wifi sync.
I thought it had happened again already lol. I am happy with Bitwarden. Still wondering if I should self-host it again though; at the moment I am using the hosted version. The hosted version is just $10/year so it's ultra cheap, but there is always the chance that Bitwarden is targeted by attackers, which would be less likely with a self-hosted anonymous instance. But with self-hosting I am worried about my server going down at the wrong moment... that's why I self-hosted it for a very short time in the past.
Does anyone here self host Bitwarden or another password manager?
I have a lifetime license for EnPass and I used it for a while, syncing the vault with Nextcloud. It has more features than Bitwarden and seems almost a clone of 1Password, so it's pretty rich in features. The fact that it doesn't store the vault on a centralized server is awesome, but as with self-hosted Bitwarden I am worried if the server I use for syncing goes down...
Then try Vaultwarden, a lightweight self hosted version of Bitwarden.
I use vaultwarden-backup https://github.com/ttionya/vaultwarden-backup for self-hosting Bitwarden with hourly backups to Cloudflare R2
Yesterday I set up EnPass synced with Seafile and will try it for a while
I've been using lastpass for about 8 years. After OP's message back then I finally migrated to selfhosted bitwarden (vaultwarden / bitwarden-rs ).
Thanks for this, this is exactly what I've been looking for a while!
If I recall correctly "secure notes" were not encrypted.
If the server for syncing goes down, you just restore the local backup file. Enpass also creates (weekly?) local backups automatically (or maybe I had to tick an option in settings for that).
Vaultwarden is the best solution in selfhosted.
Maybe LET will be interested in a tutorial for a migration?
There is a recent update from LastPass. My summary:
The breach started with a targeted attack against the home computer of one of only four LastPass employees who had access to the corporate vault. Based on what I read, the attack showed a very high level of sophistication.
More information here. In my opinion, they are worth your time to read:
https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/
https://www.securityweek.com/lastpass-says-devops-engineer-home-computer-hacked/
https://www.bleepingcomputer.com/news/security/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach/
I'm so glad I stopped using them and changed every single password since I stopped using them.
Exported my data, deleted all data from LastPass, and the account is also deleted. Would prefer Bitwarden or KeePass.
Update is here: March 1, 2023 | By Karim Toubba
https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/
Lastpass is really bad. (X_X)
better off using Keepass or Bitwarden.
sadly using 1Password,
master password is hard, but not impossible
sadly using it for convenience/sharing passwords and managing family.
if they get hacked in theory someone needs my master password and account key... so meh, i feel safe
Try Enpass or Bitwarden
Sounds like Lostpass instead of Lastpass
I'm using Bitwarden
not self-hosting
prolly will
or no
idk
IPv6 roll-outs still suck in India, so I can't really self-host it, but I can on a VM, but I won't because why would I
Nothing close comes to LastPass in terms of usability. I tried EnPass, Dashlane, BitWarden and 1Password.
I finally liked 1Password. Started changing all the passwords known in LastPass with randomly generated passwords from iCloud Keychain. Also, I have enabled 2FA as 1Password to make it easy to log in.
Since we are Mac and iOS users, I believe the default iCloud Keychain will be more useful, and then we can use 1Password as a backup for non-Apple products.
I use KeePassXC. Is that not an option for Mac/iOS users?
Works fine on Mac. On iOS there are Strongbox and Keepassium, which you need to pay for to get all the features.
So how much risk am I in here?
I used to use LastPass a year ago.
But after one such breach, I stopped using it and moved to Bitwarden.
Stupid of me, I didn't delete my vault from LastPass.
I have 100s of passwords saved in there.
Can anyone please suggest briefly how much security risk I'm in?
Should I go ahead and change all passwords? That'll be a nightmare.