Cloud-based solutions, regardless of who you go to, carry a measure of risk. I use Bitwarden and my details are on the cloud, but they audit their systems, the software is open source, and if push comes to shove, you can self-host. I have a measure of confidence. If I host on my own server, is that any safer? Apple's iCloud with their keychain offers a measure of confidence. I also have a measure of confidence with 1Password.

My problem with LastPass is that this isn't the first time it's happened. They seem to continually downplay the issues, but it keeps happening.

I had no idea you could self-host Bitwarden... Interesting. Been using Bitwarden for a few now and no complaints... knock on wood.

I would be pissed and moving far away from LastPass at this point. This is unacceptable.
 
I've never used a software "app" to control passwords.

Instead, I created a simple database (using the free "iData").
Currently at over 130 entries.

On my MacBook Pro, I created a small encrypted disk image that requires a password to open.
I store my password database in the disk image.

When I need to check a password (and it seems that as I get older, I'm checking it a LOT), I just mount the disk image with the password. Then "it's all there".

When done, just dismount the disk image again.

I used to do something similar... Had a disk image that had a text file in it that was also password protected. It worked when I had one device, but now that I have multiple it wasn't working as well as I liked. Since I access a lot of stuff from my phone or laptop, I needed something that I could install that would follow me around; enter Bitwarden.

I still keep my master passwords to some items in a disk image and I also keep some in a note that is password protected.
 
This is the THIRD time (twice in the last 6 months) LastPass has been hacked and the FIFTH major security issue they've had since 2021. I thought about switching to LastPass a few times in the past, but I'm glad I didn't. If I were a LastPass subscriber/user, I would be finding a replacement immediately. They clearly don't have their act together.
 
In addition, you can enable 2-factor authentication with 1Password to make it even more secure...
I don’t know how much 2FA would help if all user vaults get stolen directly from the server the way LastPass vaults were and then brute-forced for weak master passwords.
 
I use KeePass on my Mac and iPhone.
When I make a change I transfer the encrypted database over via AirDrop (you could sync to a cloud service of your choice if you're ok with that... but that's your choice).
 
I also like KeePass. I’m using Strongbox on my iPhone and KeePassXC on my PC, and I’m syncing dbs between devices using OneDrive. As of yet it works great.

I’d been using Bitwarden on their cloud (not self-hosted) before the LastPass fail happened. This incident dramatically changed my mind. I wouldn’t feel happy for my vault to end up in malicious hackers’ hands, no matter that it’s 256-bit encrypted with a long and hard-to-brute-force password. I’m ok to trade my comfort and ease of use for more security. Of course that’s just my own 2 cents and I don’t recommend anything to anyone. Everyone should decide for themselves.
 
I don't think you need to "trade my comfort and ease of use for more security." You could use Codebook, which has versions for Android, iOS, macOS, and Windows, and which you can sync via local WiFi.

Edit: I should have mentioned that you can also use Enpass, although I am reluctant to recommend a program I have never used.
 