LastPass hacked again

Thy

New Member
Joined
Aug 26, 2022
Messages
6 (0.01/day)
I think it was just a few years ago that the media reported LastPass got hacked, and now again millions of passwords have been stolen.

read at forbes.com

I use another password manager (paid version) but I recommended LP to my girlfriend, who doesn't want to pay for it. After reading the news today I tried to set up two-step authentication in LP for her, but this is not a free feature. Kind of annoying. Why can a security feature even be a paid option?!

Now the Saturday task will be to change all her passwords and maybe even switch to an alternative manager.
What do you guys think about Google Chrome Password manager?
 
Any password manager that stores online for sharing is flawed in my opinion. I'd be surprised if Google password manager doesn't do that.

I suggest keepass.
 
> Any password manager that stores online for sharing is flawed in my opinion. I'd be surprised if Google password manager doesn't do that.
>
> I suggest keepass.
yeah that's what we use at work because it's a local safe file. But it's not smoothly integrated in the browser and on my smartphone, you know?
 
> yeah that's what we use at work because it's a local safe file. But it's not smoothly integrated in the browser and on my smartphone, you know?
There is an android app for it.
 
Hi,
I thought this was a passwordless world?
Is Microsoft wrong :laugh:
 
o_O

you mean a 4-digit PIN and Windows Hello? :laugh:

I'll now check out KeePass more. I hate it at work, it's so hard to use, but I found extensions. So let's see. Created a post to ask for recommendations, if you guys want to share your wisdom ;)
 
I agree about using online PW managers. I would not trust them. I also do not recommend using any browser's manager either - this is especially true if there is a chance you could step away from your computer and someone you don't know or trust could walk up and start using your computer.

I use Splash ID - a very old version that worked with my old Palm Pilot. It is stand-alone on my PC.
 
Hi,
Yep, the cute complex passwords get ripped as easily as a simple abc123... would.
 
And this is why I don't use any online password managers, ever. The potential damage to me caused by a hacker getting hold of all my passwords doesn't bear thinking about.
 
Yes. I store all my passwords in my head. If I forget, no problem, just reset it.
Keeps your brain young and flexible :roll:
I know many of my passwords by heart, because I create them with a pattern. But since I use my password manager I love to create randomly generated ones with 14 characters.
 
> Keeps your brain young and flexible :roll:
> I know many of my passwords by heart, because I create them with a pattern. But since I use my password manager I love to create randomly generated ones with 14 characters.
This is how I do it as well - I only have issue with the sites that have a non-standard enforcement policy that's like "you also have to have the # symbol somewhere" or "password can't be longer than X letters" -- those get stuck in a permanent reset loop.
 
Why do people think that storing passwords on a company's server is a good idea?
KeePass offline across all my devices, updating it over USB.
 
> Why do people think that storing passwords on a company's server is a good idea?
Because said company promises to keep them safe, don'tcha know? ;)
 
I keep mine on a password-protected thumb stick. I've got 2 just in case I lose one; all I have to remember is 1 password.
 
Geez, what's all the fuss about? :rolleyes: Didn't you read the article?

"Toubba also confirmed that neither has evidence been found of any customer data or encrypted password vaults being accessed. LastPass users will, of course, be concerned that a hacker could have got hold of the keys to their online kingdom: their passwords. However, LastPass has made it clear that, courtesy of the 'zero knowledge' architecture implemented, master passwords are never stored. "LastPass can never know or gain access to our customers' master password," Toubba said, "this incident did not compromise your master password." As such, LastPass says that no action is required by users in regard to their password vaults." Source

Even if they got the vaults, they are encrypted; cracking them would take years. And out of the millions of vaults, the chance that it would be yours is super minimal. For now I would say online stored vaults are still safer than locally stored ones. They have way more security layers than the average Joe on his Windows machine or malware-ridden Android phone.

But you can increase security by switching to a better service with 2FA. Check out Bitwarden. It's open source, free for personal use, works on all devices (incl. PW syncing) & has 2FA (app).
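The "zero knowledge" design the quoted article describes (the vault key is derived on the client from the master password, the server only ever holds ciphertext and a separately derived login hash) is easy to see in a small model. The code below is an added illustration, not LastPass's or Bitwarden's code: the iteration count, the e-mail-as-salt choice and the account details are constructed for the example, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for the authenticated cipher (such as AES-GCM) a real product uses.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 work factor. Constructed value for this example; real
# products pick their own and raise it over time.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client side only: the key that encrypts the vault. Derived from the master
    password with the account e-mail as salt; it never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends at login: one more PBKDF2 round over the vault key,
    so neither the master password nor the vault key is ever transmitted."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stand-in for a vetted AEAD cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output is nonce || ciphertext || tag; only this blob is uploaded."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; a wrong key or a
    modified blob is rejected rather than yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(vault_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("vault tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(vault_key, nonce, len(ct))))


class ZeroKnowledgeServer:
    """Model of the service side: stores the encrypted blob plus a salted,
    stretched hash of the auth hash. Nothing here decrypts the vault."""

    def __init__(self):
        self.records = {}

    def enroll(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 10_000)
        self.records[email] = {"salt": salt, "verifier": verifier, "blob": blob}

    def login(self, email: str, auth_hash: bytes):
        """Return the encrypted blob on a correct auth hash, else None."""
        rec = self.records.get(email)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], 10_000)
        return rec["blob"] if hmac.compare_digest(candidate, rec["verifier"]) else None


def server_stores_secret(server: ZeroKnowledgeServer, email: str, secret: bytes) -> bool:
    """True if the raw secret bytes appear anywhere in what the server holds.
    Used to show the master password and vault key are absent from a breach dump."""
    return any(secret in value for value in server.records[email].values())


def demo() -> bytes:
    email, master = "alice@example.com", "correct horse battery staple"  # constructed
    key = derive_vault_key(master, email)
    server = ZeroKnowledgeServer()
    server.enroll(email, derive_auth_hash(key, master), encrypt_vault(key, b"forum.example: alice / s3cret"))
    blob = server.login(email, derive_auth_hash(key, master))
    assert not server_stores_secret(server, email, master.encode())
    return decrypt_vault(key, blob)


if __name__ == "__main__":
    print(demo())
```

What a breach of this server yields is the blob and the verifier: an attacker still has to guess the master password offline, paying the full PBKDF2 cost per guess. That is the reason a long, random master password and a high iteration count matter, and why a weak master password undoes the whole design.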
 
So they stole some source code and technical data.

I assume LastPass will replace this to prevent it being used to create vulnerabilities in the password system itself. Stay updated.
 
> Yes. I store all my passwords in my head. If I forget, no problem, just reset it.
Literally what I do, sometimes it's annoying, and you have to reset it or what not but just feels like the right thing to do.
 
> Literally what I do, sometimes it's annoying, and you have to reset it or what not but just feels like the right thing to do.

Passwords you can remember are bad passwords. ;) Randomly generated passwords, minimum. I use 14 characters, upper & lower case + special characters.

That's the good thing about a password manager. You only have to remember your master password & can generate super secure passwords you don't have to remember for logins.
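A generator of the kind described here (random, 14+ characters, upper and lower case plus specials), written as an added example and not code from any manager discussed in the thread. It draws from the OS CSPRNG via `secrets`, keeps the distribution uniform by rejecting draws that miss a required class rather than patching characters in, and includes a policy check for the awkward site rules mentioned earlier in the thread (a required symbol, a maximum length, an alphanumeric-only bank). The character classes and sample policies are constructed for the example.

```python
import math
import secrets
import string

# Character classes (constructed for this example).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length: int = 14, required_classes=(UPPER, LOWER, DIGITS, SPECIAL), alphabet: str = None) -> str:
    """Return a password of `length` characters drawn uniformly from `alphabet`
    (default: the union of the required classes) with at least one character
    from each required class. Rejection sampling keeps every accepted password
    equally likely, unlike 'pick one from each class then shuffle'."""
    if alphabet is None:
        alphabet = "".join(required_classes)
    if length < len(required_classes):
        raise ValueError("length too short to contain every required class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required_classes):
            return candidate


def satisfies_policy(pw: str, min_len: int = 8, max_len: int = None, required_classes=(), allowed: str = None) -> bool:
    """Model of a site's password rules: length bounds, required classes,
    and an optional whitelist of allowed characters."""
    if len(pw) < min_len:
        return False
    if max_len is not None and len(pw) > max_len:
        return False
    if allowed is not None and any(c not in allowed for c in pw):
        return False
    return all(any(c in cls for c in pw) for cls in required_classes)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniform draw of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_for_policy(min_len: int, max_len: int = None, required_classes=(), allowed: str = None) -> str:
    """Generate the longest password the policy permits (capped at 64 when no
    maximum is given), using only the allowed alphabet."""
    length = max_len if max_len is not None else max(min_len, 64)
    alphabet = allowed if allowed is not None else "".join(required_classes) or UPPER + LOWER + DIGITS + SPECIAL
    pw = generate_password(length, required_classes, alphabet)
    assert satisfies_policy(pw, min_len, max_len, required_classes, allowed)
    return pw


if __name__ == "__main__":
    print(generate_password())
    print(round(entropy_bits(14, len(UPPER + LOWER + DIGITS + SPECIAL)), 1), "bits")
    # Bank that caps passwords at 12 alphanumeric characters:
    print(generate_for_policy(8, 12, (UPPER, LOWER, DIGITS), allowed=UPPER + LOWER + DIGITS))
    # Site that insists on a '#' somewhere:
    print(generate_for_policy(12, None, (UPPER, LOWER, DIGITS, "#")))
```

The entropy figure is the point of the "passwords you can remember are bad" remark: 14 uniformly random characters from an 85-symbol alphabet give roughly 90 bits, far beyond any human-memorable pattern, and the generator's output only has to be stored in the manager, never recalled.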
 
> Passwords you can remember are bad passwords. ;) Randomly generated passwords, minimum. I use 14 characters, upper & lower case + special characters.
>
> That's the good thing about a password manager. You only have to remember your master password & can generate super secure passwords you don't have to remember for logins.
That is very true, I guess either way the risk is there. Luckily so far I have not had any issues yet with my method.
 
Aren't they encrypted? And they should be separate from the username and site. So I see no major issue.

If they are encrypted and linked to sites or usernames easily then it's a problem. I only keep shit passwords online and with different usernames always. Important passwords are offline safe with me.
 
Hard copy notebook at my desk to store all passwords, and the important ones are stashed away in a different place at home.

For the very unimportant things I use the Chrome password logger.
 
So, it looks like it's a lot worse. It wasn't only LastPass who got hacked, but also 2FA provider "Authy". o_O This is bad.

https://arstechnica.com/information...s-caught-up-in-the-twilio-hack-keeps-growing/
Guess I have to look into FIDO2. Thinking of getting a YubiKey for my desktop. To my understanding, passwordless authentication & biometric authentication on phones (TouchID & FaceID) are already based on the FIDO2 standard, right? Anyone got some experience with YubiKey? Is it worth it, or is there a better or equally good solution? I did read a TPM 2.0 (Trusted Platform Module) could also be used for secure authentication?

Passwordless authentication via FIDO2
 
That's why 2FA is important. I've enabled it everywhere I could, and most of our banking apps and services use it by default in one form or the other.
This way, even if your password(s) or password manager is compromised, no one will get access to your accounts unless they also have access to your phone and/or e-mail.
Biometrics is also a pretty cool alternative. Works perfectly on my phone, but for some reason there's less support on desktop (even though cheap fingerprint readers have been around for over a decade).
Chrome password manager will get this feature soon on desktop, and only got it implemented on phones last month. Kinda weird, considering my shitty abysmal banking app (that still caps passwords at 12 alphanumeric chars and won't allow special chars for some idiotic reason) has had this feature for 5+ years already.
 