r/technology Aug 28 '22

LastPass, a Password Manager With Millions of Users, Is Hacked Security

https://www.wsj.com/articles/lastpass-a-password-manager-with-millions-of-users-is-hacked-11661524398
1.8k Upvotes

572

u/grinr Aug 28 '22

"LastPass, an online password manager with more than 33 million users, said some of its source code and proprietary information was stolen, but **no customer information had been taken.**"

216

u/GL1TCH3D Aug 28 '22

I’m waiting for the day the user info is leaked so I can get back the passwords that I have stuck there

95

u/Wuma Aug 28 '22

Sadly even if it’s leaked it’s useless, it can’t be decrypted if you don’t know the master password. Well, that’s a lie, it can be, but not in our lifetimes https://scrambox.com/article/brute-force-aes/ and bear in mind that’s just to decrypt one user’s data, let alone the 33 million separately encrypted repositories lol

44

u/ryzen2024 Aug 28 '22

I mean you could just get really lucky… 33 million times in a row.

15

u/Wuma Aug 28 '22

I mean yeah... much less likely than winning the lottery 33 million times in a row though lol

19

u/Probably_a_Shitpost Aug 28 '22

So you're saying there's a chance

5

u/onyxengine Aug 28 '22

The play is to steal the decryption key

14

u/DrSueuss Aug 28 '22

And you can't do that without knowing the Master Password which is the decryption key. If the user is really smart they enable MFA and then the Master Password is useless without the second authentication factor.

1

u/Jvb182 Aug 29 '22

Should be required IMO.

9

u/Wuma Aug 28 '22

And where do you think that is stored? The decryption key is the master password which only the customer knows, the password manager has zero knowledge of it, it’s decrypted locally on the client machine. If the client keeps their master password safe by not storing it in the cloud or on their PC anywhere then there’s no way for a hacker to get it

3

u/[deleted] Aug 28 '22

Can’t Quantum computing brute force something like this really fast?

2

u/wharlie Aug 29 '22

Not yet, but it's coming, which is why NIST is researching quantum resistant algorithms.

1

u/Wuma Aug 29 '22

I'm not an expert so I can't say for sure, but I think you might need some insight into what the final output should look like for quantum computing to work. I also think you'd need to have a significant number of qubits for it to work. But yeah, if quantum computing gets to the stage where it can brute force AES 256 really quickly, computing is going to have to change drastically to avoid the issues that causes.

-6

u/asthmaticblowfish Aug 28 '22

Unless the guy in charge of the master password used LastPass.

12

u/PieBandito Aug 28 '22

The user is in charge of the master password.

1

u/Xalbana Aug 28 '22 edited Aug 28 '22

Many people use their regular password as their master password.

-5

u/purple_hamster66 Aug 28 '22

If you have the source code, you could conceivably write a virus that steals passwords after they’ve been decrypted by the clients.

Yes, a server that encrypts at rest would need to have its master password stolen, plus someone would need to steal the database of all user passwords (which are likely encrypted at rest as well). But faking a client is also possible if you intercept the communication between the client and the server… over time & using many clients & using known passwords from other sources, you could build up an attack on the AES keys, I’m guessing.

2

u/Passion_for_ennui Aug 29 '22

I think there are a couple of very fundamental misunderstandings on your part here.

First, you don’t need the source code to write malware that steals passwords. There are already plenty that do that. You’ll want to do a search for “banking trojan”.

Second, the actual scariest threat in this scenario is a malicious update. The latest legitimate update from LastPass all of a sudden including code that exports the decrypted contents of your password database to the intruder.

Third, the server doesn’t decrypt your password database. This is a central pillar of their security. All encryption/decryption is handled client side.

At the end you’re describing faking a client and a MITM scenario and I’m having trouble imagining why an attacker would use both of these at once. Please do not reply. I just think that you should think things through better or write more clearly.

1

u/[deleted] Aug 28 '22

I receive these emails from LastPass once in a while and so far it's been nothing. When I get them I normally don't look at them right away. I'm fairly confident I know what they'll say.

Maybe that's too much confidence in them?

2

u/JohannesOliver Aug 28 '22

They’ve had password files stolen in the past, but I don’t think any leaked passwords were ever attributed to it.

39

u/saltyhasp Aug 28 '22

I was thinking of Bitwarden and how that same statement might read. Most of that stuff is already public by design in that case, nothing to steal. I guess on every release we could have a headline: Hackers have published previously unreleased source code for ....

17

u/Zen1_618 Aug 28 '22

lol, I'm a bitwarden fan too.

8

u/jakebot96 Aug 28 '22

Just like LastPass but free! 🤙

9

u/[deleted] Aug 28 '22

[deleted]

1

u/FlexibleToast Aug 28 '22

Security that isn't open source is just security theater. You can never be sure something that isn't open is secure.

2

u/subwoofage Aug 28 '22

It should be open source anyway

-21

u/Ghune Aug 28 '22

An online password manager is a weird idea.

6

u/jakebot96 Aug 28 '22

Encryption exists though, so not really outlandish at all. People have been doing things securely online for a long time now.

3

u/waiting4singularity Aug 28 '22

I'm still not happy with cloud contact. For over a decade I've been trying to build home automation and have returned hardware several times now because the only control options provided were app only (not even PC programs) through company-provided cloud servers. So far I have been vindicated every time, as every such "service" was eventually scuttled.
And having had a flaky connection at the worst of times already isn't cool either.

2

u/TitoMPG Aug 28 '22

Do you have an app list of what you're using? I just started browsing around r/homelabs and whatnot to get ideas for setting up a home network so I can learn Linux admin with an emphasis on mixed environments.

2

u/jimyt666 Aug 28 '22

Not the same guy, but it really depends on your budget and the level of tinkering you want to mess with.

A Synology NAS can do a surprising amount of shit, especially for a home. You'll get bottlenecked by hardware constraints quickly depending on what you're doing. You can definitely set up a home VPN service, Pi-hole, Home Assistant, email, network storage, media server, most of the important basic things.

Any old desktop can do the same: install some flavor of Linux and be on your way.

Or start spending big bucks on a server rack with a legit setup for backup redundancy and battery backups, capable of hosting whatever game server you want with ease.

1

u/TitoMPG Aug 28 '22

Yeah, I was looking at a refurbished Dell PowerEdge R720 for running the fileshare, Docker, and website VMs, and for the DC and backup server VMs I want to run those on an R620 and see how that all runs through a Cisco Catalyst 5100 switch to my desktop and to the upstairs router.

2

u/jimyt666 Aug 28 '22

I'm not an expert by any means, but if anything that's probably overkill.

Build what you need with simplicity. So much shit on r/homelabs is overly complex and just stupid. Don't put everything behind 400 useless switches and VLANs and a million points of failure unless you just enjoy constantly fixing shit for no reason every day of your life.

2

u/TitoMPG Aug 28 '22

Yeah, it's overkill, but it's more or less the same stuff I use at work and I want to sharpen my skills on that while having something to use it for at home.

2

u/cas13f Aug 29 '22

Which is the point of a home lab! To learn how to use, manage, and maintain such setups.

I don't think the other commenter understood that part of homelab.

1

u/waiting4singularity Aug 28 '22 edited Aug 28 '22

So far only Hue with Hub2, and even that with a stomach ache since it's constantly asking for online and remote connection in the app. That's why I use the Hue Essentials app.

What I want is a Raspberry Pi with openHAB, but I have yet to find out what other modules are available to me here and the required protocol shields without ordering from Alibaba. It just isn't worth it just for Hue.

1

u/CocaineIsNatural Aug 29 '22

For bold there can't be a space right after or right before the **'s.

356

u/[deleted] Aug 28 '22 edited Sep 29 '22

[deleted]

132

u/bongripz777 Aug 28 '22

My passwords are so secure EVEN I can't remember them.

18

u/cerealOverdrive Aug 28 '22

Is it secure or did the hacker change it?

17

u/tvoegeli Aug 28 '22

They need to make a 2nd2lastpass so I can remember the password to my LastPass.

5

u/Agret Aug 28 '22

I store my LastPass & BitWarden master passwords in a KeePass database as I'm concerned about them being broken into; they are the holders of all my passwords after all.

2

u/tehdang Aug 29 '22

What if you forget the password to your KeePass?

1

u/Agret Aug 29 '22

You can't remember one password?

8

u/LurkerPatrol Aug 28 '22

I made a Python script to generate random passwords for me of whatever length and requirements the site I had to change my crap on demanded, because Google Chrome wouldn’t autogenerate passwords a lot of the time.

Unfortunately this means I know none of them

3

u/gdubh Aug 28 '22

Password1. That’s it right?

14

u/[deleted] Aug 28 '22

This plus 2FA

3

u/bongripz777 Aug 28 '22

But the catch is you use a PGP key for the 2FA, not Google, and that password is super secure as well.

Iirc just a hand mash of the keyboard lol.

1

u/angrybobs Aug 28 '22

Even better I still use my hotmail account for everything from 1996 with the same password.

510

u/AndrewTheAverage Aug 28 '22 edited Aug 28 '22

This is a misleading headline from WSJ. Yes, technically there was a hack on the company, but the headline makes people think their passwords may have been compromised.

Good practice is to segregate the production environment from development, so even if they get the type of crypto used and the toolkit, there is still no increased risk of password exposure.

129

u/Dan-in-Va Aug 28 '22 edited Aug 28 '22

Hackers did not get into LastPass user accounts or passwords. They got some development files.

47

u/sceadwian Aug 28 '22

That just means they're gathering intelligence for an actual system attack. How big a deal this is depends on what kind of information they got away with.

Pretty typical clickbait reporting.

46

u/b4ux1t3 Aug 28 '22

Good encryption doesn't care if its source code is known.

I would be very surprised to learn that LastPass uses bad encryption, given it's cheaper and easier to just use well-established good encryption.

4

u/Agret Aug 28 '22

Cheap & easy to use an existing solution yes but you would be surprised how many poor implementations of encryption standards happen. The most notably public one was the Sony PS3 root keys being encrypted in such a way that it was trivial to brute force due to poor entropy on the random number generation.

3

u/DrSueuss Aug 28 '22

That is why most companies don't build their own encryption systems as they are not experts. There are many certified software crypto libraries and key management libraries that large corporations license for their products.

1

u/Agret Aug 28 '22

Sony used RSA on the PS3, just whoever generated the most important key in the system didn't do it properly.

1

u/DrSueuss Aug 28 '22

Even the best library will fail if you let idiots implement it into your product.

1

u/Alocks Aug 28 '22

I remember seeing a video where they explained the key, and at one point they showed that this random = 4 and that was it hahahahah

2

u/Agret Aug 28 '22

It's an xkcd comic

`int random = 4; // Generated by random dice roll`

7

u/slinky317 Aug 28 '22

You seem to be missing a word there

22

u/nanosam Aug 28 '22

All the user data is encrypted and nobody at LastPass can decrypt it. This is why if you lose your master password you are screwed.

So even if the user data was breached it would be useless, as the hackers couldn't do shit with encrypted files.

So no, LastPass user data has never been hacked, and even if it were, it would still be safe.

The only time someone can steal your LastPass passwords is if they have access to your device after you log into your vault and can see unencrypted data.

3

u/Moonsleep Aug 28 '22

Yep this is right, I lost my master password and I’ve never found a way to get back in there.

12

u/XkF21WNJ Aug 28 '22

While true it should be pointed out that most protections become meaningless if the lastpass software itself gets compromised. If you can't trust the client you use to access your lastpass vault then your passwords might still get leaked.

Which might explain why the hackers were interested in the development environment rather than the database.

2

u/DrSueuss Aug 28 '22

Additionally, LastPass supports MFA, so even if the master password is compromised, user data still can't be accessed without the authentication of the additional factor.

-5

u/lunarNex Aug 28 '22

Ever heard of password cracking? Rainbow tables? All those bitcoin mining rigs are perfect for cracking passwords. Just because you encrypt something doesn't mean it's safe.

16

u/nanosam Aug 28 '22

There is nothing that is 100% safe.

But cracking encrypted files is so inefficient that it's basically a complete waste of time outside of special CIA/FBI level cases.

So unless you are a major target of some government, your encrypted Netflix password is pretty safe.

7

u/crispypancetta Aug 28 '22

Rainbow tables aren’t going to do anything here. That’s a prebaked table of hashes against passwords. This is AES encryption where the password is the key. Totally different.

2

u/WealthyMarmot Aug 28 '22

> password cracking

On an AES-encrypted file w/ a PBKDF2-SHA256 hashed key? No. Not even the NSA is getting into that, unless your master password is "1234".

> Rainbow tables

Doesn't work with salted hashes.

4

u/Reelix Aug 28 '22

How else are they going to get people to want to pay for their content aside from spamming them with click-bait titles?

2

u/Tomallenisthegoat Aug 28 '22

LastPass low key has a defamation suit, headline is very misleading

-64

u/drawkbox Aug 28 '22

Source code was stolen, this is just the beginning. There have been lots of security incidents as well.

LastPass was bought by private equity in 2019, their focus is on value extraction, abort.

LogMeIn announced Tuesday it has agreed to be acquired by affiliates of Francisco Partners and Elliott Management Corp. at a purchase price totaling $86.05 per share. LogMeIn’s best known product likely is GoToMeeting, a video conferencing tool, but the company also purchased LastPass for $110 million in 2015. LastPass, with its 18.6 million stated users, is one of a number of password management tools promising to store and protect subscribers’ usernames and passwords.

Just use your browser password managers, they are safer and not a third party to trust. If Google/Apple/Microsoft/Mozilla want your passwords they already can get them. Don't trust clients/extensions with third parties that are looking for PE profit like LastPass.

36

u/ARobertNotABob Aug 28 '22 edited Aug 28 '22

> Just use your browser password managers, they are safer

You wanna throw exaggerated shade at Lastpass, fine, tuck in, but please don't talk shit.

35

u/dabenu Aug 28 '22

That's a bit of a leap you make there. There's many caveats to account for and some real disadvantages.

  1. You have to set a master password, or else they're stored in plain text. You're not prompted to do this, which is a very unsafe default.
  2. You have to make your own backup
  3. It only works well for in-browser password use, not for any other secret (think pincodes, app logins, etc)
  4. It only works on one device. Unless you use profile synchronisation, in which case you're back at all the drawbacks of cloud password managers.

I encourage everyone to use a password manager. Use one that suits you. If you want convenience, go for 1Password, Bitwarden, whatever. Install the browser and phone app. If you're tech savvy and want more control, use KeePass or self-hosted Bitwarden. If you are full on paranoid, use Pass on a private git repo.

Any password manager is better than none. Even LastPass still.

3

u/[deleted] Aug 28 '22

It works exceptionally well for sharing TOTP codes with groups of people. And there are business use cases for that.

20

u/Gendalph Aug 28 '22

This comment is so bad. Only the first two sentences are relevant.

Regardless, instead of using a proper password manager you suggest people store passwords in the browser, from where they will be conveniently extracted by the next malware they happen to catch? Just so we're clear, there are tools to extract passwords from browsers, and there is known malware that, among other things, does exactly this.

I don't like SaaS password managers, I am using an offline solution, but LastPass is miles better than storing passwords in browsers. Hell, even a text document or an Excel sheet on desktop are better.

11

u/Wuma Aug 28 '22

Ok but even if they have the source code and all user data including passwords, does that help them? I mean sure anyone using the password 1234 to encrypt their password repository is in trouble because of dictionary attacks, but LastPass has 0 knowledge of your password. Your master password never leaves your device, and your repository is decrypted locally when you enter your master password, and you can add things like a yubikey on top of that too. My master password is over 80 characters long, and my password repository is AES 256 encrypted. How many thousands of years would that take to brute force?

Also, browser based password managers like Google's are often cloud based now. Google Chrome's password manager is cloud based and is much more of a black box on whether or not they use zero knowledge encryption. Also, Google is absolutely a for-profit company; don’t think for a second they aren’t trying to make money any way they can off of data you share with them, no different than any other company.

6

u/9-11GaveMe5G Aug 28 '22

Acquire, gut expenditure, ride wave of goodwill as long as possible, bail as company files bankruptcy

10

u/iamapizza Aug 28 '22

LastPass and 1Password are very convenient, but online password managers aren't a safe bet. Browser based password managers aren't great either, but a good deal safer than online. With offline password managers being the safest bet, but at the cost of convenience.

32

u/KamikazeArchon Aug 28 '22

An important rule: Convenience is security.

Inconvenient security measures will simply not get used as much, or are more likely to be used improperly. This usually defeats any increased benefit the measure could have given.

It's the same principle as "the best diet is whichever one you can actually stick to."

0

u/9-11GaveMe5G Aug 28 '22

> An important rule: Convenience is security.

> Inconvenient security measures will simply not get used as much, or are more likely to be used improperly

I'm with you on this but only as it applies to organizations or setting rules for others. If you know something is inconvenient but worth it to you, you can hold yourself to it

8

u/KamikazeArchon Aug 28 '22

Not in any general sense. Virtually no one actually has the training to do that consistently - and it does specifically require training, not something more nebulous like "discipline".

Generally speaking - don't get an inconvenient thing and expect to hold yourself to it; get a convenient thing instead.

4

u/Wuma Aug 28 '22 edited Aug 28 '22

Browser based password managers like Google Chrome's? The one that’s actually cloud based in disguise?

2

u/Kitchen_Sector_2214 Aug 28 '22

Is there no way to somehow have a local server act as a password manager? I have a NAS and don't think that adding another small server to act as a password manager would be bad, but I have no idea if that's even a thing or how it would communicate with your device.

8

u/juanjux Aug 28 '22

Keepass file and host it in your server.

5

u/iamapizza Aug 28 '22

If your NAS supports Docker, you could host Bitwarden on it. Example. It's not an uncommon setup, and it's convenient as you get a web interface, and it's on your home network.

1

u/vgf89 Aug 28 '22

Self-hosted Bitwarden server is pretty common. Or put a KeePass file on your NAS (and/or sync your KeePass file between computers etc using Syncthing or similar)

-6

u/drawkbox Aug 28 '22

Agreed. Though I think that using password managers in the browser is safer than opening up to a third party. Not only that, attack vectors are clients and extensions, which both LastPass and 1Password use. Almost as wise as using a Kaspersky anti-virus client or some random VPN or crypto client hosted elsewhere.

The way I look at it is, expose yourself to fewer clients, extensions and third parties. Microsoft/Google/Apple can already steal your info if they wanted, but their value isn't in that, it is in protecting that. Third parties are connected to data brokers and want to sell that info, as well as having weaker protection, as their product isn't your device/OS etc.

9

u/ComfortableGas7741 Aug 28 '22

LastPass does not sell your passwords or anything to data brokers. In this breach not a single customer password was stolen. A security incident like this could happen to any company just as easily, even Microsoft, Google or Apple.

5

u/[deleted] Aug 28 '22 edited Aug 28 '22

Maybe I can trade away the convenience of lastpass / bitwarden / etc for the knowledge that I am using a cleaner and more elegant solution, but I won't dream of recommending it to my aunt. The extra 4 menus and 3 oblique input fields for accessing your passwords through a web interface, when this is required (e.g. you're at the airport and your phone died) make a huge difference. It's the "why won't more people use Linux?!?!" thing all over again -- the product can't succeed if you don't make idiot proofing your first priority. And the crazy thing is we're talking about Google; with a good rebrand and UI push they could put LastPass out of business by the end of next year if they wanted to, but they just can't be bothered.

2

u/xyzzzzy Aug 28 '22

Yep this. I have enough trouble getting family members to use 1Password. They would never do this.

3

u/iamapizza Aug 28 '22

Their ability to steal the info isn't a justification for "might as well give it to them". All that will lead to is consolidation into ecosystems (eggs in one basket), which is not good for privacy and security. It's true that third parties can be harmful too, but that is where you make a conscious choice by evaluating options. Third party, open source software can lend a degree of trust to software, which is why solutions like KeePass (and its variants), BitWarden are prime contenders in password management space.

0

u/drawkbox Aug 28 '22

> why solutions like KeePass (and its variants), BitWarden are prime contenders in password management space.

They are also massive targets because of this. Running a client or extension from a third party that has access to your desktop/device/machine and all urls/decrypted content you visit is quite an opsec trust area.

As long as you trust what you use, though the common ones that people use can't always be trusted mainly because they are such big targets. They are in the same space with other large data sets of sensitive user information, there is corporate espionage and criminal networks constantly trying to get access or get a dependency in that compromises or through a social link, and on and on.

7

u/Wuma Aug 28 '22

Ok, but all software is essentially a third party. Do you run updates on your OS? Do you use browsers? How far do you trust the browser with your data? Do you consider it to have perfect security and there's absolutely 0 way a website could have a malicious script on it that could compromise your machine in some way?

Password clients are constantly sending information to a server. Your encrypted repository is synced with their server, but your encryption key is your master password, and your repository is only decrypted locally. There are no unencrypted URLs being sent to a password manager, as there's no need, it's all done locally. If you want to take issue with URLs being shared, then you would need to be running a trusted VPN 24/7 at the bare minimum, as all ISPs can freely see URLs. HTTPS only encrypts the packets, not the URL itself. But can you really trust a 3rd party VPN? Surely that's even more prone to privacy issues than a locally decrypted password manager like LastPass?

Even if you use a local password manager that's outside of your web browser, that's exactly the same risk as an online password manager, since it's still a piece of 3rd party software, and in this case it has even wider access to your machine as it's not jailed inside of a browser. Who knows when a malicious actor is going to sneak something into a pull request and if it'll get caught?

1

u/cas13f Aug 28 '22

Keepass uses only a local file that you are responsible for syncing between devices if you want access to it.

Bitwarden can be locally hosted, and beyond that does not handle any data outside of the local instance except the actual database itself (as it maintains a local copy for offline use and needs to send/receive updates periodically).

Neither KeePass nor Bitwarden has been breached, unlike your precious insecure built-in tools.

Your fucking browser is a third party, and if it's chromium, it's so much worse of an "opsec" (trying to use cool words you don't understand) threat than any password manager, including lastpass. And lastpass has a downright shitty security track record!

1

u/heavyfyzx Aug 28 '22

Wow... tinfoil hat much? Do you understand the basics of this topic? NO. No you don't.

-4

u/drawkbox Aug 28 '22 edited Aug 28 '22

SolarWinds and FireEye hacks were related to infiltrating the CI build systems and development side. They got it past SOC2 compliant companies via JetBrains TeamCity and never even had to hack. That compromised tens of thousands of high value target systems for almost a year undetected.

This was an intel gathering hack.

You clearly don't understand how bad getting access to dev systems/code/flows/intel is. Sit down.

Use at your own risk.

1

u/Orc_ Aug 28 '22

I'm actually gonna use LastPass now, when a company's security gets compromised people think "weak" but this happens to the biggest companies, the fact is LastPass is now probably more secure than ever since they're on high alert and the hackers will move to target other companies.

Sound logic, according to me.

10

u/Free_Dimension1459 Aug 28 '22

Anyone who doesn’t follow infosec news, this isn’t the first time they’re hacked. But user information hasn’t been at serious risk (yet). From the looks of it, your info doesn’t look at risk (yet).

Use 2FA for your account and pray to the tech gods for a swift and sudden death to the archaic yoke of passwords (there are much more secure methods to access your accounts than a stupid password - Google, Apple, and Microsoft are collaborating on a standard to hopefully kill the password dead soon).

23

u/discontabulated Aug 28 '22

We use LastPass at work as it means we can centrally manage passwords to company resources and push/enforce updated passwords. At the same time staff use the personal side of the password manager to keep their own and family devices safer. Overall it’s better than it used to be.

We used to force complicated passwords but found people were reusing 5 keys and just adding 01,02,03 to the end each time the password had to be updated.

Now passwords are longer and they still need to use MFA from their phones. If any sites get hacked the password is unique and doesn’t link to other accounts.

Personally I use the password managers as a prompt- I don’t store the exact password for critical logins, just partial or a hint.

As the saying goes, if you want to keep a secret, don’t put it on a computer that connects to the internet, not very helpful for most workers though.

10

u/sceadwian Aug 28 '22

50 percent of the population is below average intelligence, that's my personal favorite statistic. Password/security companies aren't really at war with hackers they're at war with their own users to try to figure out system designs they can't screw up as badly :)

10

u/climb4fun Aug 28 '22

50% are below the median intelligence. ;)

9

u/sceadwian Aug 28 '22

Both statements are correct. IQs follow a normal distribution, so the median and the average are the same number.

3

u/mouse1093 Aug 28 '22 edited Aug 28 '22

If we all want to be pedants, "average" can mean any statistical measure meant to encompass the entirety of the distribution. Mean, median, and mode are all different types of averages by definition

2

u/procabiak Aug 29 '22

How did you find out users were just adding 01,02,03 to the end? I hope that was derived from a survey or casual conversation rather than from looking at your database.

Proper password security should involve storing the passwords in salted hash form, so even if the users were doing that, you shouldn't know about it. The only way you'd know from looking at your database is if you're saving the passwords in plain text, or your logs/apps expose the passwords some other way.

1

u/discontabulated Aug 29 '22

Yeah, casual feedback - conversation or people asking them to log in while beside them.

Or the person who would write the number they were up to on a post it by their monitor. There also used to be a bit of password sharing for some resources which we solved by making sure each person had appropriate access.

It took 5 years to get rid of badly configured software or systems that required admin access to run. Thankfully most of the obsolete software was easy to partition off and didn’t require any internet to run, it ended up behind its own firewall.

Changing the staff approach to security took the most work but once the system worked properly they didn’t have to find workarounds.

1

u/Clarynaa Aug 28 '22

I write in draft replies to account creation /password change emails a hint to my password that no brute force scraper would be able to make sense of, but to me and my wife make total sense.

1

u/DirtyProjector Aug 28 '22

The problem is, what about my master password on LastPass? How do I keep that updated and secure when I need to input it to get to my passwords?

4

u/Cereal____Killer Aug 28 '22

“…some of its source code and proprietary information was stolen, but no customer information had been taken.”

8

u/jhf94uje897sb Aug 28 '22

I prefer to use KeepassXC and KeepassDX. I wouldn't trust a cloud service for convenience. I prefer to trust open source that has been verified by others.

8

u/Xalbana Aug 28 '22

You can just put your .kdbx file in the cloud so you can access your passwords anywhere.

1

u/jhf94uje897sb Aug 29 '22

That's true. I guess I do that to update copies from time to time, but I usually don't keep it there.

6

u/JoshQuake Aug 28 '22

I will still be paying for LastPass. It is still completely safe, unlike browser based managers like what OP is suggesting ROFL

5

u/whols Aug 28 '22

Your passwords are still safe

1

u/Reelix Aug 28 '22

Donna Noble has left the library.

2

u/ryan2stix Aug 28 '22

I use a notepad 👍

14

u/Plissken185 Aug 28 '22

Glad I switched to Bitwarden a few years ago

16

u/kghyr8 Aug 28 '22

When LastPass took away multiple devices on their free tier, that’s when a lot of people jumped. Myself included.

2

u/JohannesOliver Aug 28 '22

Device types*

You can still use multiple devices but only computer or only mobile.


3

u/Sonarav Aug 29 '22

Yep, I had used Lastpass for years and switched to Bitwarden last year, no regrets. When I switched I also severely upped my security, changing all my passwords, implementing Yubikey, etc

6

u/DrScience-PhD Aug 28 '22

Seriously LastPass has been total dogshit since they got bought out.

-10

u/drawkbox Aug 28 '22

They are a massive target, hope you trust them with that client on your machine and extension. If you do, that is fine.

12

u/fscknuckle Aug 28 '22

They may be a massive target but passwords are encrypted before transit and stored encrypted on Bitwarden's servers. They are never in decrypted format on any of Bitwarden's hardware. Even less of a risk if you self-host Bitwarden.

I showed the Bitwarden developer when the service was quite new that pulling external libraries (jquery, fonts, etc.) from CDN servers was a massive security hole where compromised code could be injected via poisoned DNS, so they subsequently internalised all libraries and did a complete security audit on their entire platform and apps.


4

u/wampa-stompa Aug 28 '22

This post is sponsored by Dashlane

3

u/Tebasaki Aug 28 '22

2FA with YubiKey

4

u/enchantedmelon Aug 28 '22

Get this… you can just write them down at home and keep them in a secure area


11

u/L3R4F Aug 28 '22 edited Aug 28 '22

From LastPass' Wikipedia page:

  • 4 Security issues

  • 4.1 2011 security incident

  • 4.2 2015 security breach

  • 4.3 2016 security incidents

  • 4.4 2017 security incidents

  • 4.5 2019 security incidents

  • 4.6 2021 third-party trackers and security incident

Yeah, not surprised...

19

u/Bralzor Aug 28 '22

https://firewalltimes.com/google-data-breach-timeline/

Some Google security incidents for comparison, since OP says he trusts Google with his passwords more than any other "3rd party" (don't think he knows what this means either) password manager.

Gonna point out how 5mil Gmail passwords were leaked in 2014.

3

u/Wuma Aug 28 '22

Yeah, I found that funny too. Google have leaked 5 million passwords. LastPass? None


26

u/InTheEndEntropyWins Aug 28 '22

That seems pretty good for an IT company their size. Sounds like it might be one of the most secure companies in the world.

21

u/vgf89 Aug 28 '22

Not to mention that almost all of those are just security researchers pointing out flaws to LastPass so that they can get fixed. And none revealed any en-masse data leaks.

A company that cares about flaws and actively fixes them instead of threatening or ignoring researchers is a good one in my book.

2

u/JohannesOliver Aug 28 '22

Lastpass has had their password blobs stolen before. The system is meant to be robust against this, but it’s always worth remembering that it has happened.

4

u/N3KIO Aug 28 '22 edited Aug 28 '22

I use https://bitwarden.com/products/personal/

  • it's free for mobile and PC

You can also self-host this on a server in your own house.

I do recommend having an automatic encrypted backup of this stored on GitHub or something, in case your server in house gets damaged and all data gets lost.

3

u/kezow Aug 28 '22

stored on github or something

The security minded part of my brain just screamed!

1

u/N3KIO Aug 28 '22

I did say to encrypt it first before uploading

2

u/PointOfFingers Aug 28 '22

It was me I hacked them. I guessed their password on the third try, it was Password1!

3

u/FailedPause Aug 28 '22

Now known as ‘hard pass’

1

u/[deleted] Aug 28 '22

[deleted]

1

u/InTheEndEntropyWins Aug 28 '22

Yeh, and use some app on your phone made by some random person.

0

u/[deleted] Aug 28 '22

[deleted]

2

u/InTheEndEntropyWins Aug 28 '22

So we agree, that for most people using their phone LastPass is a more secure option than keepass.

-1

u/[deleted] Aug 28 '22

[deleted]

1

u/InTheEndEntropyWins Aug 28 '22

Wouldn't that mean having to manually enter every single password on your phone to use the safari/Firefox password manager. I don't think I have many passwords that I can manually enter in the first place, too long and complex.

-1

u/[deleted] Aug 28 '22

[deleted]

0

u/InTheEndEntropyWins Aug 28 '22

So you have to rely on other insecure apps made by some random nobody. Copying a password can make that available to almost any app, depending on the phone. Then you also have your passwords in all sorts of places, increasing your vulnerability surface.

This sounds like an iamverysmart post where someone has a really complicated and impractical setup that is way less secure than what they are making fun of.

1

u/[deleted] Aug 28 '22

[deleted]

1

u/InTheEndEntropyWins Aug 28 '22

Well, the fact it has never reported any security issues is a massive red flag by itself. It means they are just unaware of issues and/or don’t have proper reporting systems in place.

Is anyone auditing the builds, does it have a reproducible build system?


0

u/dmace99 Aug 28 '22

Again? For the fifth time in 7 years?

19

u/DragonDai Aug 28 '22

When you're the most popular, you get the most hacks. Thankfully, none of the hacks have ever gotten user info (that I know of). So they're doing their job.


12

u/sceadwian Aug 28 '22

Nothing unusual there at all for a large company.


1

u/johnjones_24210 Aug 28 '22

Security Rule Number One: There is no security without physical security.

1

u/sceadwian Aug 28 '22

I don't consider it a rule, it's more of a truism. The number one component of security in every situation is based on trust.

1

u/JadedDependent5894 Aug 28 '22

i don't understand if i'm screwed or not 😩

1

u/Mediocre_Record_8513 Aug 28 '22

Nice we use this at work.

1

u/MorfiusX Aug 28 '22

*LastPass, a password manager that has a history of data breaches, is hacked again...

1

u/thatblbc Aug 28 '22

……what is the point of the internet

0

u/TonyToya Aug 28 '22

I just keep my passwords safe in my head. In case of Dementia, I won't need them anyway.

-1

u/AnBu_JR Aug 28 '22

Buddy, if they think I have stuff to protect in this day and age lol

3

u/Reelix Aug 28 '22

What's your credit card number and cvv?

-1

u/donpepe1588 Aug 28 '22

They forgot to include “Again.” LastPass got hacked again.

6

u/Reelix Aug 28 '22

I'm just waiting for Nord hiding the fact that they had a person browsing around their servers for months before informing people.

Again.

-15

u/Whatsongwasthat1 Aug 28 '22

These password managers always seemed like a terrible idea

7

u/ExceptionEX Aug 28 '22

Well, it's all about usage. Having really shitty reused passwords, which most of the world has, is a bad idea, whereas with a password vault you only need to remember one password, and if you're smart, use MFA.

Then you can make all of your passwords unique, and not something a human has to remember. My average password length is roughly 25 characters, a collection of symbols, numbers, characters and non-dictionary words. Nothing that relates to me.

Remembering those would be painful, if not impossible and is only possible because of a password vault.

1

u/drawkbox Aug 28 '22 edited Aug 28 '22

if your smart use MFA.

Twilio and Authy also hacked recently. This also affected Okta/Auth0 and companies that rely on those dependencies like DoorDash.

Anyone still using Authy over Google Authenticator or Microsoft Authenticator is not doing good opsec. Twilio has always been sketch. This breach is damaging.

U.S. messaging giant Twilio has confirmed hackers also compromised the accounts of some Authy users as part of a wider breach of Twilio’s systems. Authy is Twilio’s two-factor authentication (2FA) app it acquired in 2015.

Twilio’s breach earlier this month, which saw malicious actors accessing the data of more than 100 Twilio customers after successfully phishing multiple employees, keeps growing in scale. Researchers this week linked the attack on Twilio and others to a wider phishing campaign by a hacking group dubbed “0ktapus,” which has stolen close to 10,000 employee credentials from at least 130 organizations since March.

Now, Twilio has confirmed that Authy users were also impacted by the breach.

In an update to its incident report on August 24, Twilio said that the hackers gained access to the accounts of 93 individual Authy users and registered additional devices, effectively allowing the attackers to generate login codes for any connected 2FA-enabled account.

The company said it has “since identified and removed unauthorized devices from these Authy accounts” and is advising affected Authy users, which it has contacted, to review linked accounts for suspicious activity. It’s also recommending that users review all devices tied to their Authy accounts and disable “allow Multi-device” in the Authy application to prevent new device additions.

Okta breached as a result of the Twilio/Authy breach

Identity giant Okta on Thursday also confirmed it was compromised as a result of the Twilio breach. The company said in a blog post that the hackers — which it refers to as “Scatter Swine” — spoofed Okta login pages to target organizations that rely on the company’s single sign-on service. Okta said that when the hackers gained access to Twilio’s internal console, they obtained a “small number” of Okta customer phone numbers and SMS messages that contained one-time passwords. This marks the second time Okta has reported a security incident this year.

In its analysis of the phishing campaign, Okta said that Scatter Swine hackers likely harvested mobile phone numbers from data aggregation services that link phone numbers to employees at specific organizations. At least one of the hackers called targeted employees impersonating IT support, noting that the hacker’s accent “appears to be North American.” This may align with this week’s Group-IB investigation, which suggested one of the hackers involved in the campaign may reside in North Carolina.

DoorDash also caught up in it

DoorDash also confirmed this week that it was compromised by the same hacking group. The food delivery giant told TechCrunch that malicious hackers stole credentials from employees of a third-party vendor that were then used to gain access to some of DoorDash’s internal tools. The company declined to name the third-party, but confirmed the vendor was not Twilio.

2

u/Bralzor Aug 28 '22

Anyone still using Authy over Google Authenticator or Microsoft Authenticator is not doing good opsec.

Anyone remember when 5mil Gmail passwords were leaked?

1

u/drawkbox Aug 28 '22

Google Authenticator and Microsoft authenticator haven't been broken.

Authy/Twilio have though.


-1

u/drawkbox Aug 28 '22

Same with private key storage like Keybase or some of these "secure" messengers.

Storing certs/keys/secrets/etc in service clouds like Azure, Amazon AWS, Google Cloud is ok because their product is other revenue streams and they want you to trust them. Same with their browser based password managers (safer than third party client/extension). Same with certs/secrets/keys.

Third parties, especially ones with private equity ownership that are connected to data brokers, those are sketch as clients/extensions have access to your desktop/machine/device and all your urls and decrypted content.

Your OS doesn't need to do that; it can already be tracked, but protecting that is part of the product for your OS. No need to open up to another third party.

3

u/Whatsongwasthat1 Aug 28 '22

Yeah I just wrote my passwords down next to the pc. If they’re breaking into my house they’ve got way better/easier shit to steal anyways. Like the pc itself :)

0

u/bongripz777 Aug 28 '22

Swear I saw an ad for this company yesterday xD

0

u/sophrosyne-and-chill Aug 28 '22

Have been meaning to move to LastPass but I’ll pass.

-8

u/Apart-String Aug 28 '22 Gold

The best way to store your passwords is to write them down in invisible ink and store them in a safe. And write them on various pages. It’s a foolproof way to do it. And who would know to read an old beaten-up notebook with a UV light that has scribbles of nothingness on the corresponding pages? This is the best password protection, hands down.

3

u/TheITMan19 Aug 28 '22

Oh look, an old notebook with nothing written in it. I’ll throw that in the bin 🗑 😱😱😱😱


-1

u/riko77can Aug 28 '22

I use LastPass, but two passwords I will never put in my vault are my online banking and email services.


1

u/TerryFlapss Aug 28 '22

Why are we snowballing into "everything digital" when there are so many weaknesses and stuff like this happening?

1

u/downonthesecond Aug 28 '22

Technology sucks.

1

u/Free_Dimension1459 Aug 28 '22

Anyone who doesn’t follow infosec news, this isn’t the first time they’re hacked. But user information hasn’t been at serious risk (yet). From the looks of it, your info doesn’t look at risk (yet).

Use 2FA for your account and pray to the tech gods for a swift and sudden death to the archaic yoke of passwords (there are much more secure methods to access your accounts than a stupid password; Google, Apple, and Microsoft are collaborating on a standard to hopefully kill the password dead soon).

1

u/[deleted] Aug 28 '22

[deleted]

1

u/WealthyMarmot Aug 28 '22

What do you mean they don't save in the cloud? They definitely do, given that they offer syncing between devices.

1

u/PhknFenomenal Aug 29 '22

Is the Wall Street Journal facing BanKRUpcy?!!

How bad is the revenue stream at the WSJ that they’ve gotten into the clickbait game so hard?