Lastpass Hacked Again, and worse than what we thought! Use self-hosted solutions! - Page 2

Comments

  • giang Veteran

    @badhon_raj said:
    So how much risk am I in here?

    I used to use lastpass a year ago.
    But after one such breach, I stopped using it and moved to bitwarden.
    Stupid of me, I didn't delete my vault from lastpass.

    I have 100s of passwords saved in there.

    Can anyone please suggest briefly how much security risk I'm in?

    Should I go ahead and change all passwords? That'll be a nightmare.

    Change all passwords, it's the only way.

    Thanked by 1 badhon_raj
  • @badhon_raj said:
    So how much risk am I in here?

    I used to use lastpass a year ago.
    But after one such breach, I stopped using it and moved to bitwarden.
    Stupid of me, I didn't delete my vault from lastpass.

    I have 100s of passwords saved in there.

    Can anyone please suggest briefly how much security risk I'm in?

    Should I go ahead and change all passwords? That'll be a nightmare.

    Do what I did. Change every single password.

    Thanked by 1 badhon_raj
  • emg Veteran

    @badhon_raj said:
    So how much risk am I in here?

    I used to use lastpass a year ago.
    But after one such breach, I stopped using it and moved to bitwarden.
    Stupid of me, I didn't delete my vault from lastpass.

    I have 100s of passwords saved in there.

    Can anyone please suggest briefly how much security risk I'm in?

    Should I go ahead and change all passwords? That'll be a nightmare.

    (1) The most secure solution would be to change all the passwords. That's a lot of work, but perhaps you can start by changing the ones where compromise would have the most negative impact - banking, medical, insurance, etc. Change 20 a day, and you can reach hundreds in less than a month. Do them all. Yes, it is a lot of effort, but keep reminding yourself that you are getting a valuable education in return. Learning anything takes real work.

    (2) Do you trust LastPass' "Zero Knowledge" architecture to be secure from a very well-funded, highly sophisticated attacker with a lot of computational resources at their disposal? Do you trust that future advances will not expose your passwords in your lifetime? If you trust LastPass and their security model, then your security depends on the strength of your Master Password:

    • -> How long is your Master Password? If it is less than 20 characters, then go back to (1) above. Yes, I know that LastPass says 12 characters, but I respectfully disagree.
    • -> How guessable is your Master Password? Be honest, really honest. Does it contain dictionary words, names, sports teams, dates, things easily associated with you, or anything else that is non-random? (NOTE: Special character replacements DO NOT COUNT! e.g., $ for "s" etc.) If so, go back to (1), above. Trust me, the bad guys have a lot of experience at using computers and huge files with gigabytes of passwords to try, and they will test every possible variant.
    • -> Have you ever used that Master Password anywhere else for any other purpose, other than LastPass? Anywhere at all? Go back to (1), above.
    • -> Have you ever typed your Master Password into something other than LastPass, such as your browser address/search bar, even accidentally, even if erased immediately without pressing the Return key? If so, go back to (1), above.
    • -> Has your system ever been infected with malware, or possibly infected, or behaved in a way that you cannot explain? If so, go back to (1), above.
    • -> Have you ever used LastPass and entered your Master Password on a system that you do not fully own and absolutely control? If so, go back to (1), above.
    • -> Do you have a queasy feeling at all for any reason, related to your LastPass vault? If so, go back to (1), above.
    • -> Do you trust LastPass even after everything that has occurred? If so, then you are very foolish. Otherwise, go back to (1), above.

    Does that answer your question?

    Thanked by 1 badhon_raj
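A self-check that applies the checklist above (length of at least 20, no dictionary words even after $-for-s style substitutions, no dates, no keyboard runs). This is an added example, not from the thread; the wordlist is a constructed stand-in for the gigabyte cracking dictionaries the post mentions.

```python
import re

# Character substitutions that the checklist says add no strength; map them back
# to letters the way a cracker's rule set would before matching dictionary words.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})

# Constructed, deliberately tiny wordlist (assumption: a real check would load a
# full dictionary plus names, teams and leaked-password corpora).
COMMON_WORDS = {"password", "lastpass", "bitwarden", "summer", "winter", "dragon",
                "yankees", "lakers", "admin", "welcome", "master", "secret",
                "love", "john", "alice"}

KEYBOARD_RUNS = ("qwerty", "asdf", "1234", "abcd", "zxcv")


def normalize(pw: str) -> str:
    """Undo leet substitutions and lowercase so 'Dr@g0n$' matches 'dragons'."""
    return pw.translate(LEET).lower()


def findings(pw: str) -> list[str]:
    """Return the checklist items a master password fails; empty list means it passes."""
    problems = []
    raw = pw.lower()          # raw form keeps digits for date/keyboard checks
    norm = normalize(pw)      # de-leeted form for dictionary matching
    if len(pw) < 20:
        problems.append("shorter than 20 characters")
    words = sorted(w for w in COMMON_WORDS if w in raw or w in norm)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    if re.search(r"(19|20)\d{2}", raw):          # a year such as a birthday
        problems.append("contains a year/date")
    if re.search(r"(.)\1{2,}", raw) or any(k in raw for k in KEYBOARD_RUNS):
        problems.append("contains a repeat or keyboard sequence")
    return problems


def passes_checklist(pw: str) -> bool:
    """True only when every item of the checklist is satisfied."""
    return not findings(pw)


if __name__ == "__main__":
    for candidate in ("Dr@g0n$2019!", "P@ssw0rd!P@ssw0rd!P@ssw0rd!",
                      "velvet-orbit-cactus-7-lantern-quill"):
        print(candidate, "->", findings(candidate) or "passes")
```

Note that the second candidate is 27 characters long and still fails, which is the point of the "special character replacements do not count" rule.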
  • @stoned said:
    Do what I did. Change every single password.

    :'( :'(

    The worst part would be to come up with new passwords that I can remember.
    Since I can not re-use any password from there.
    :s
    I need at least 10-15 of such passwords.
    Others can be random.

  • badhon_raj Member
    edited March 2023

    @emg said:
    Does that answer your question?

    Let me see:
    1. Yes, that's how I planned to proceed. I should have deleted the vault when I switched. :'(

    2. Do I trust? I guess I lost that trust after the first breach.
      -> less than 20. So go back to (1)
      -> I don't believe it is guessable.
      -> yes! Only with other highly important places. So go back to (1)?
      -> go back to (1)
      -> not that I am aware of.
      -> no.
      -> well, that is why I'm asking you guys. So, go back to (1)?
      -> I'm a fool for not deleting after the first breach. But not as much to trust them after everything so far. So, go back to (1)

    That's a lot of "go back to (1)".

  • emg Veteran

    @badhon_raj said: That's a lot of "go back to (1)".

    It appears that you have answered your own question.

    Perhaps by setting a goal of changing a certain number of passwords each day, you can make the hard work more manageable, have a good feeling about how long it will take, and be able to gauge your progress.

    How do you eat an elephant?
    -> One bite at a time.

    Thanked by 1 badhon_raj
  • @badhon_raj said: The worst part would be to come up with new passwords that I can remember.

    What? No. You don't have to remember anything. That's why these apps exist. They also have password generators. Read over my replies in this post to see how I did things. It's effort, but you have to make that effort. Otherwise, be insecure.

  • Keypass???

  • If you really care about security, only KeePass is the best solution.

  • badhon_raj Member
    edited March 2023

    @stoned said:

    @badhon_raj said: The worst part would be to come up with new passwords that I can remember.

    What? No. You don't have to remember anything. That's why these apps exist. They also have password generators. Read over my replies in this post to see how I did things. It's effort, but you have to make that effort. Otherwise, be insecure.

    I know. I am using Bitwarden at the moment, and use the password generator built into the plugin.
    I used KeePass before I started using LastPass, but I found it less convenient.

    I like remembering a few important passwords, not a lot. About 10 would do, I think.
    For other sites, I can use random passwords generated by the password generator.

    Also @stoned, is it necessary to email LastPass to have my data removed?
    I already deleted all entries from the web interface.

    Edit:
    If I self-host Vaultwarden, then is it necessary to worry about the security of the files stored on the VPS?
    If someone can access the data in the VPS, will my passwords be at risk?

  • emg Veteran
    edited March 2023

    Further update:
    This morning, I learned a key point from the LastPass incidents that I had not known before: "... website URLs visited by customers were not encrypted." This summary paragraph says it all, in a quote attributed to "Roger Grimes, data-driven defense evangelist at KnowBe4":

    'The damage may have been done, Grimes says. “LastPass had always said they protected customers' stored data, but when that data was breached, it was revealed that while LastPass did possibly protect customers' stored passwords, they did not protect customer login names, website links, and other customer-specific private information. This gives the hacker in possession of the information a complete map of the sites the user visits and what their logon names are. At the very least it could lead to customized spear phishing attacks that appear to be from websites the victim frequents. On top of that, the breach revealed that LastPass was still allowing weak master passwords.” '

    Source:
    https://www.csoonline.com/article/3689169/data-breaches-some-of-the-best-and-worst-among-recent-responses.html

    What wasn't said is that it allows the attackers to rank targets, prioritizing the highest value ones first, such as those customers with URLs for specialty and investment banks that cater to high value investors, for example.

  • Arkas Moderator

    @louiejordan said: If you really care about security, only KeePass is the best solution.

    Have you tried Bitwarden? It is superior IMO. You can self host it as well.

    Thanked by 1 arda
  • Void Member
    edited March 2023

    The latest revelation says one of the employees was running an outdated Plex server on his personal computer that was vulnerable, and attackers exploited it to install a keylogger, which led to the second data breach.

    https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html

  • Konbu Member

    My use of Bitwarden has also exposed the problem. (ノД`)
    Don't use auto-fill...

    Bitwarden: The Curious (Use-)Case of Password Pilfering : March 7, 2023
    https://flashpoint.io/blog/bitwarden-password-pilfering/

    Bitwarden flaw can let hackers steal passwords using iframes : March 8, 2023
    https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/

  • Void Member

    @Konbu said:
    My use of Bitwarden has also exposed the problem. (ノД`)
    Don't use auto-fill...

    Bitwarden: The Curious (Use-)Case of Password Pilfering : March 7, 2023
    https://flashpoint.io/blog/bitwarden-password-pilfering/

    Bitwarden flaw can let hackers steal passwords using iframes : March 8, 2023
    https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/

    Sponsored by LastPass?

    Bitwarden auto fill is disabled by default and there is a warning at the ‘enable auto fill’ tab that says exactly “don’t enable unless you want to get hacked”.

  • iKeyZ Veteran

    @Konbu said:
    My use of Bitwarden has also exposed the problem. (ノД`)
    Don't use auto-fill...

    Bitwarden: The Curious (Use-)Case of Password Pilfering : March 7, 2023
    https://flashpoint.io/blog/bitwarden-password-pilfering/

    Bitwarden flaw can let hackers steal passwords using iframes : March 8, 2023
    https://www.bleepingcomputer.com/news/security/bitwarden-flaw-can-let-hackers-steal-passwords-using-iframes/

    As @jmaxwell says, it even warns against it;

  • HostEONS Member, Patron Provider

    I just use iCloud Keychain since I'm in the Apple ecosystem and have enabled Advanced Data Protection, so that even if iCloud is ever hacked my data is still safe, and even Apple does not have the key to decrypt it. The recovery key is stored somewhere safe offline.

    For 2FA I'm using a YubiKey security key wherever available, and it sort of makes all my online accounts very secure, as authenticator apps also have their own flaws and OTP via SMS also has its risks. This is sort of the most secure possible solution that I have available, other than keeping everything OFFLINE :wink:
