All Your LastPasses Are Belong to Us
Posted by: btfc
Date: December 24, 2022 03:39PM
‘ LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults.

The revelation, posted on Thursday, represents a dramatic update to a breach LastPass disclosed in August. At the time, the company said that a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager's development environment and "took portions of source code and some proprietary LastPass technical information." The company said at the time that customers’ master passwords, encrypted passwords, personal information, and other data stored in customer accounts weren't affected.

In Thursday’s update, the company said hackers accessed personal information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses customers used to access LastPass services. The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data. ‘

[arstechnica.com]
Re: All Your LastPasses Are Belong to Us
Posted by: C(-)ris
Date: December 24, 2022 04:10PM
The only place your passwords are safe is in your own head.



C(-)ris
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Re: All Your LastPasses Are Belong to Us
Posted by: Tiangou
Date: December 24, 2022 05:31PM
This is the SECOND major breach there.

Storing your passwords on a cloud server with other people's passwords just makes for a larger target.

Hear that, you AgileBits 1Password A-holes?!! You've made all of your subscription customers into easy targets. LOCAL vaults that you can choose how to sync (or not) for yourself are the way to go. Like the way 1Password USED to do it.



Re: All Your LastPasses Are Belong to Us
Posted by: gadje
Date: December 24, 2022 05:51PM
I just took a Computer Science Class at Harvard and I understand a little bit how these passwords are stored. I am going to re-evaluate my 1Password account and decide if I want to continue using it or change to something else, like Keychain Assistant on the local machine. I still need to figure out how to sync computers without going through iCloud for example.
Re: All Your LastPasses Are Belong to Us
Posted by: Paul F.
Date: December 24, 2022 09:14PM
Gee... what a fscking shock!
No, not really... It's exactly what I said right here SEVEN OR EIGHT YEARS AGO, and got ridiculed for by the "password manager" sycophants.

Any place other than your own head, or a piece of paper in a secure location, you store ALL your passwords is vulnerable.



Paul F.
-----
A sword never kills anybody; it is a tool in the killer's hand. - Lucius Annaeus Seneca c. 5 BC - 65 AD
----
Good is the enemy of Excellent. Talent is not necessary for Excellence.
Persistence is necessary for Excellence. And Persistence is a Decision.

--

--

--
Eureka, CA
Re: All Your LastPasses Are Belong to Us
Posted by: sekker
Date: December 24, 2022 09:45PM
Quote
Paul F.
Gee... what a fscking shock!
No, not really... It's exactly what I said right here SEVEN OR EIGHT YEARS AGO, and got ridiculed for by the "password manager" sycophants.

Any place other than your own head, or a piece of paper in a secure location, you store ALL your passwords is vulnerable.

Not sure what your point is, Paul. Not all password managers are the same. As I've noted on this board, if you are not paying for a product then YOU are the product. Lastpass has been 'free' and suspect - either not enough resources for the 'free' version, or they actually monetize your password data.

Every single method of securing passwords has risks.

Carbon-based memory can be forgotten. Using the same password for more than one site is a risk. Changing them risks memory failure.

Paper can be read by others, lost or copied.

I use a mix of Apple's keychain - which has not been hacked to my knowledge - and custom file vaults in 1password. Those vaults are fully encrypted, even 1password cannot open them.

I've turned down 1password in the cloud for the very reason I do not want them to have unencrypted passwords. They are a relatively small company and could get purchased by a company to leverage their 'user data'.

There is a group moving off passwords, 1password is an active participant. I would love to use a good 2factor authentication that doesn't suck.

We will see.
Re: All Your LastPasses Are Belong to Us
Posted by: Robert M
Date: December 25, 2022 08:42AM
Tiangou,

Seems like your outrage at Agilebits is misplaced:

[support.1password.com]

[support.1password.com]

In this day and age, with the sheer number of online accounts and secure systems, one has become a necessity. This is even more true if, like me, you're managing accounts for yourself and others.

There is a risk involved but, for me, it's an acceptable one. The various alternatives, of which there are many, are unworkable.

FWIW, of all the models out there, I still trust 1Password more than the others.

Robert
Re: All Your LastPasses Are Belong to Us
Posted by: Tiangou
Date: December 25, 2022 09:58AM
Quote
Robert M
Tiangou,

Seems like your outrage at Agilebits is misplaced...

Nothing that you linked to negates what I wrote.

Agilebits has not demonstrated that their current model is any more secure than LastPass.



Re: All Your LastPasses Are Belong to Us
Posted by: Robert M
Date: December 25, 2022 10:55AM
Tiangou,

I disagree. The links claim your information is secured in a manner to and from and while on Agilebits's systems that not even Agilebits can access it. That makes it seem more secure than what Lastpass offered with their services. What more do you want from Agilebits?

Robert
Re: All Your LastPasses Are Belong to Us
Posted by: gadje
Date: December 25, 2022 11:04AM
What more do you want from Agilebits?

I think Tiangou made it very clear in his post:

LOCAL vaults that you can choose how to sync (or not) for yourself are the way to go. Like the way 1Password USED to do it.
Re: All Your LastPasses Are Belong to Us
Posted by: SDGuy
Date: December 25, 2022 11:05AM
Maybe a stupid question - why do people feel the need to upload their passwords (albeit encrypted) to a cloud server, vs. only storing/syncing locally?
Re: All Your LastPasses Are Belong to Us
Posted by: GGD
Date: December 25, 2022 11:36AM
Quote
SDGuy
Maybe a stupid question - why do people feel the need to upload their passwords (albeit encrypted) to a cloud server, vs. only storing/syncing locally?

I think the general advantage that people see for any cloud based storage is for data that's shared across multiple devices. Like IMAP email, iCloud Contacts/Calendar, DropBox, etc.
Re: All Your LastPasses Are Belong to Us
Posted by: Robert M
Date: December 25, 2022 11:46AM
Gadje,

Two issues. Agilebits definitely offers a more secure online system than Lastpass. No question of that in my mind. So, for that, the information offered negates what he said about it. You are correct in that the current version of 1Password no longer offers local options. Can't say I'm a fan of it but, after reading the following article, I understand why Agilebits changed their direction:

[1password.community]

Key, though, is that local vaults are still a viable option with 1Password 7 and earlier. Agilebits hasn't stopped anyone from using the older versions of the apps nor have they kiboshed their syncing features. The option still exists for Tiangou if he wants local vaults and syncing.

Robert
Re: All Your LastPasses Are Belong to Us
Posted by: Tiangou
Date: December 25, 2022 12:44PM
Quote
Robert M
Key, though, is that local vaults are still a viable option with 1Password 7 and earlier. Agilebits hasn't stopped anyone from using the older versions of the apps...

Until the old versions stop working from obsolescence. Yes. We might have a few more months to use 1PW7.

But most people using local vaults and their own wifi/cloud/sync options are on version 6.

Because AgileBits hid the option to buy a "perpetual" license instead of a subscription-cloud-only license for several years. Hid it so thoroughly that we have a bunch of threads in this forum from people looking for the link.

Quote
Robert M
The links claim your information is secured in a manner to and from and while on Agilebits's systems that not even Agilebits can access it. That makes it seem more secure than what Lastpass offered with their services.

Encryption in transit and encryption at rest on their server is EXACTLY what LastPass was doing. Same for "teams" and "families" which is both their rationale for going cloud-only AND basically begging for a breach.



Re: All Your LastPasses Are Belong to Us
Posted by: pinkoos
Date: December 25, 2022 12:44PM
I'm beyond annoyed by this situation

I use LastPass, well up until last night when I changed my master pw, deleted / closed my account and told them to F off when they asked why I was canceling

I really have no idea what to think - if you just go by their blog, there's nothing to worry about if one followed good practice and had a relatively complex master pw (incidentally, it's not even clear if everyone was affected or only a subset of customers...I didn't get an email from them and can't remember if I got one back in August when they first 'blogged' about the breach...even if I did, if they have new information, they need to email that out to all affected customers, not just update their blog)

So, if you're a non-techie lay person, you either don't know anything has happened or if you at least saw their blog, you would think there's nothing to worry about

But, me being pretty techie, I've been reading up on posts by security experts and following several of them on Mastodon. Even then, there's conflicting info - some say you need to go in and change all your passwords (I have over 700) or, at the bare minimum your high priority ones and others say that if you have a good master pw it would literally take centuries for someone to crack it

Ugh, what a terrible situation



My music blog: [www.auditorymusings.net]


The Garden of the Gods in Colorado Springs, Colorado
Re: All Your LastPasses Are Belong to Us
Posted by: Tiangou
Date: December 25, 2022 12:53PM
I really have no idea what to think - if you just go by their blog, there's nothing to worry about if one followed good practice and had a relatively complex master pw...

As computers get better/faster, it's a ticking time-bomb for the whole batch.

~2030: Rent some time on a Google or Amazon quantum computer or use the "Hacker" AI, solve it in 20 minutes. How many of those logins and other info (SS/CC/health info, etc.) will still be worth money? Enough.

Every time you hear "Don't worry! Your personal data was encrypted!" Think "Yeah, that's fine now, but what about 2030?"



Re: All Your LastPasses Are Belong to Us
Posted by: Numo
Date: December 25, 2022 12:55PM
Don’t the latest Apple iOS and Mac OS updates offer end-end encryption for iCloud? I use Keychain, but unfortunately, it’s very rudimentary.
Re: All Your LastPasses Are Belong to Us
Posted by: pinkoos
Date: December 25, 2022 12:57PM
I exported my LastPass csv file last night before closing my account and imported it into iCloud Keychain (I already had most of it in iCloud already anyway)
Re: All Your LastPasses Are Belong to Us
Posted by: pinkoos
Date: December 25, 2022 02:33PM
The other thing is this breach occurred back in August (or at least that's the first time LP publicized it) so these vaults have been flapping in the wind since then

It's only in the last week that it became apparent to the public that the breach was worse than LP admitted to in August

So, theoretically, attempts to crack master passwords have been ongoing for at least 5 months or so
Re: All Your LastPasses Are Belong to Us
Posted by: Tiangou
Date: December 25, 2022 02:43PM
Quote
pinkoos
So, theoretically, attempts to crack master passwords have been ongoing for at least 5 months or so

...And if your password was any of millions in common dictionary-crack kits, it's safe to assume that yours was wide open within minutes of the breach.

FYI: !QAZxsw2#EDC is NOT a secure complex passcode.







Edited 1 time(s). Last edit at 12/25/2022 02:43PM by Tiangou.
Re: All Your LastPasses Are Belong to Us
Posted by: pinkoos
Date: December 25, 2022 02:50PM
So not sure if it's good news that these have been compromised for months and I haven't noticed anything afoot with my accounts or.....
Re: All Your LastPasses Are Belong to Us
Posted by: Lux Interior
Date: December 25, 2022 04:34PM
Battery
Horse
Staple
Correct
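Tiangou's warning that !QAZxsw2#EDC is not a secure passcode and Lux Interior's "correct horse battery staple" reply make the same point from two sides: what protects a vault is the entropy of the master password, not how many character classes it mixes. A keyboard walk scores well on a naive strength meter yet is one of the first patterns a guessing list covers, while a few random dictionary words score "badly" on that meter and are far stronger. The following Python is an added example and is not code from any poster, from LastPass or from AgileBits; the simplified US QWERTY keymap, the WALK_LIMIT threshold and the DEMO_WORDS list are constructed assumptions (a real Diceware list has 7776 words, which is the figure used for the entropy calculation).

```python
import math
import secrets

# Simplified US QWERTY layout as (row, column) positions; a shifted key and its
# unshifted partner share a position. Constructed for this example (no numpad).
_ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", 'ASDFGHJKL:"'),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]
_KEY_POS = {}
for _row, (_plain, _shifted) in enumerate(_ROWS):
    for _col, (_p, _s) in enumerate(zip(_plain, _shifted)):
        _KEY_POS[_p] = (_row, _col)
        _KEY_POS[_s] = (_row, _col)

# Runs of this many neighbouring keys are treated as a pattern, not as random characters.
WALK_LIMIT = 4


def _adjacent(a, b):
    """True when a and b are different keys that touch on the keymap (diagonals included)."""
    pa, pb = _KEY_POS.get(a), _KEY_POS.get(b)
    if pa is None or pb is None:
        return False
    return pa != pb and abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def longest_keyboard_walk(password):
    """Length of the longest run of consecutive characters that are neighbouring keys."""
    if not password:
        return 0
    best = run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if _adjacent(prev, cur) else 1
        best = max(best, run)
    return best


def naive_entropy_bits(password):
    """Bits a character-class strength meter would credit: log2(charset) per character."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def assess_master_password(password):
    """Combine the naive meter with the keyboard-walk check so walks are not over-credited."""
    walk = longest_keyboard_walk(password)
    bits = naive_entropy_bits(password)
    if walk >= WALK_LIMIT:
        verdict = "weak: keyboard walk"
    elif bits < 60:
        verdict = "weak: low entropy"
    else:
        verdict = "ok"
    return {"naive_bits": round(bits, 1), "longest_walk": walk, "verdict": verdict}


# Constructed mini word list for the demo; a real Diceware list has 7776 words.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "camera", "person", "woman", "mountain"]


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of n words drawn uniformly at random from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(wordlist, n_words=4, rng=secrets):
    """Draw words with a CSPRNG (the secrets module by default), as a passphrase should be."""
    return " ".join(rng.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(assess_master_password("!QAZxsw2#EDC"))          # 12-key walk, flagged weak
    print(assess_master_password("correct horse battery staple"))
    print("4 Diceware words: %.1f bits" % passphrase_entropy_bits(7776, 4))
    print(generate_passphrase(DEMO_WORDS))
```

The naive meter credits !QAZxsw2#EDC with almost 79 bits because it mixes all four character classes, but the walk detector sees one 12-key run down and across the keyboard, which is exactly the kind of pattern a guessing list enumerates early. Four words from a 7776-word list are worth about 51.7 bits whatever the meter thinks of them, and six words about 77.5.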
Re: All Your LastPasses Are Belong to Us
Posted by: bfd
Date: December 25, 2022 05:12PM
Person
Woman
Man
Camera
TV

smiley-laughing001
Re: All Your LastPasses Are Belong to Us
Posted by: gadje
Date: December 25, 2022 08:54PM
Hamburger
Ketchup
Fox News
Twitter
What was the fifth thing?

smiley-laughing001 indeed
Re: All Your LastPasses Are Belong to Us
Posted by: sekker
Date: December 26, 2022 02:31PM
Quote
pinkoos
So not sure if it's good news that these have been compromised for months and I haven't noticed anything afoot with my accounts or.....

You are likely saved by the 'two campers and a bear' scenario -- the hackers have so many other, more lucrative targets that you are likely safe for some time! Nearly every single other member of my family will be a far easier target than you, for example.



Edited 1 time(s). Last edit at 12/26/2022 02:31PM by sekker.
Re: All Your LastPasses Are Belong to Us
Posted by: sekker
Date: December 26, 2022 02:33PM
Quote
Robert M
Key, though, is that local vaults are still a viable option with 1Password 7 and earlier. Agilebits hasn't stopped anyone from using the older versions of the apps nor have they kiboshed their syncing features. The option still exists for Tiangou if he wants local vaults and syncing.

Robert

This is very important to remember. I know they are pushing the cloud version as the future of 1password. But you can still download and use a locally syncing and fully encrypted version of 1password7, which is what we are using now.
Re: All Your LastPasses Are Belong to Us
Posted by: pinkoos
Date: December 26, 2022 02:37PM
Quote
sekker
Quote
Robert M
Key, though, is that local vaults are still a viable option with 1Password 7 and earlier. Agilebits hasn't stopped anyone from using the older versions of the apps nor have they kiboshed their syncing features. The option still exists for Tiangou if he wants local vaults and syncing.

Robert

This is very important to remember. I know they are pushing the cloud version as the future of 1password. But you can still download and use a locally syncing and fully encrypted version of 1password7, which is what we are using now.

What does locally syncing mean exactly? Does that mean your vault is physically on only one device? If so, how do you access your login info when you're not at that device? Thanks
Re: All Your LastPasses Are Belong to Us
Posted by: sekker
Date: December 26, 2022 04:13PM
Quote
pinkoos
Quote
sekker
Quote
Robert M
Key, though, is that local vaults are still a viable option with 1Password 7 and earlier. Agilebits hasn't stopped anyone from using the older versions of the apps nor have they kiboshed their syncing features. The option still exists for Tiangou if he wants local vaults and syncing.

Robert

This is very important to remember. I know they are pushing the cloud version as the future of 1password. But you can still download and use a locally syncing and fully encrypted version of 1password7, which is what we are using now.

What does locally syncing mean exactly? Does that mean your vault is physically on only one device? If so, how do you access your login info when you're not at that device? Thanks

You have two options. 1) Only syncing to your vault on your device. That would be single device only as you note. 2) I realize I was not complete in my description. We DO use a cloud service to hold a vault that we manage but share in the family. This can be put into Dropbox or iCloud (need the more recent version that allows family sharing). That vault is fully encrypted, controlled and managed by us, and no corporate control/access/oversight.

A more complete setup is for each family member to have a personal vault encrypted and stored in an encrypted cloud service (like iCloud), and then use a separate, shared vault for family purposes. I have a third for business uses, those passwords are thus not put into a personal or shared family vault.

Note that all of this takes work! And with Dropbox moving its default folder location on all Macs (and that cannot be changed), if you were to use Dropbox for the cloud syncing, you will have to tell 1password where the vault has been moved to. And for EVERY device (Mac, windows, iOS, Android, etc).



Edited 1 time(s). Last edit at 12/26/2022 04:14PM by sekker.
Re: All Your LastPasses Are Belong to Us
Posted by: Tiangou
Date: December 26, 2022 04:20PM
Quote
pinkoos
Quote
sekker
Quote
Robert M
Key, though, is that local vaults are still a viable option with 1Password 7 and earlier. Agilebits hasn't stopped anyone from using the older versions of the apps nor have they kiboshed their syncing features. The option still exists for Tiangou if he wants local vaults and syncing.

Robert

This is very important to remember. I know they are pushing the cloud version as the future of 1password. But you can still download and use a locally syncing and fully encrypted version of 1password7, which is what we are using now.

What does locally syncing mean exactly? Does that mean your vault is physically on only one device? If so, how do you access your login info when you're not at that device? Thanks

1PW7 and the corresponding old iOS app will sync to each other over WiFi.

You can also host/sync your encrypted vault/keychain through any of several services, including iCloud and Dropbox. When you opt to sync over another service, you're making yourself a smaller target. (People don't try to hack Dropbox in the expectation of randomly finding and cracking encrypted 1PW vaults. When they target 1PW, they'll go after AgileBits' servers to get thousands of 1PW vaults all at once and then automate the job of cracking them.)



Re: All Your LastPasses Are Belong to Us
Posted by: gadje
Date: December 26, 2022 06:15PM
If you use iCloud or Dropbox, my understanding is that the hackers need to crack these, and then once they have your 1Password file, they also need to crack that. Right?

If you use AgileBits' servers, are you more exposed or about the same? They would need to crack AgileBits' password to gain access to their servers, and then would also need to crack your password, right?
Re: All Your LastPasses Are Belong to Us
Posted by: Robert M
Date: December 26, 2022 06:43PM
gadje,

For 1Password7 and earlier with locally stored vaults, they have to crack the online service, find the individual vault and then crack that, too. It's going to take work, especially if your vault's password is well chosen and exceptionally secure.

For 1Password online accounts, it's more than just cracking Agilebits's security. A hacker has to break into Agilebits's servers. Once there, the hacker has to break into each individual account. Each individual account has login info and a secret key which is a long combination of letters and numbers.

Not sure if Lastpass has this additional level(s) of security since I never used it.

Robert



Edited 1 time(s). Last edit at 12/26/2022 06:43PM by Robert M.
Re: All Your LastPasses Are Belong to Us
Posted by: Tiangou
Date: December 27, 2022 07:00AM
Quote
gadje
If you use AgileBits' servers, are you more exposed or about the same? They would need to crack AgileBits' password to gain access to their servers, and then would also need to crack your password, right?

It's the same situation as LastPass. You're more exposed because your data is part of a single target where the hackers are actively seeking that type of file and seeking to crack it. Your passwords are protected by strong encryption, but that's only good so long as the computing power thrown at it never gets better.

...No, they wouldn't need to crack Agile's password to gain access to their servers. There are many MANY ways to gain access to data on servers, including exploiting coding-vulnerabilities, social-engineering, insider-threats including both espionage and accidents, and more. Then they would need to crack the encryption on your vault. This would simply be a matter of time and computing power.

As the folks at LastPass said, a "brute force" attack on a vault would take centuries. But "brute force" is one of many ways to attack encryption, and as computers get faster even the "brute force" attack will become more feasible.



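Tiangou's last post says a stolen vault's encryption is only as good as the computing power thrown at it, and that a "brute force" estimate of centuries is not the whole story. Two levers decide how long an offline guessing campaign against a copied vault takes: the entropy of the master password (how many guesses are needed) and the cost of each guess, which the vault's key-derivation function sets through its iteration count. The following Python is an added example and is not code from any poster, from LastPass or from AgileBits; it uses PBKDF2-HMAC-SHA256 as a generic stand-in for vault key derivation (no product's actual parameters are taken from this thread), and the attacker hash rate RATE and the entropy figures in the table are constructed assumptions.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password, salt, iterations):
    """Generic vault key derivation: PBKDF2-HMAC-SHA256 (stand-in, not a product's exact scheme)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def measure_seconds_per_guess(iterations, salt=b"\x00" * 16):
    """Time one derivation on this machine: roughly what one guess costs a single CPU core."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


def expected_crack_seconds(entropy_bits, iterations, raw_hashes_per_second):
    """Expected time to hit a password of the given entropy when each guess costs
    `iterations` HMAC-SHA256 computations and the attacker's hardware performs
    `raw_hashes_per_second` of them. On average half the keyspace is searched."""
    expected_guesses = 2 ** (entropy_bits - 1)
    seconds_per_guess = iterations / raw_hashes_per_second
    return expected_guesses * seconds_per_guess


def crack_years_table(entropy_options, iteration_options, raw_hashes_per_second):
    """Years for every (entropy, iterations) pair, so both levers can be compared side by side."""
    return {
        (bits, iters): expected_crack_seconds(bits, iters, raw_hashes_per_second) / SECONDS_PER_YEAR
        for bits in entropy_options
        for iters in iteration_options
    }


if __name__ == "__main__":
    # ASSUMED attacker budget: 1e10 raw HMAC-SHA256 per second. A constructed figure
    # standing in for a GPU rig; raise it to model the "computers get faster" concern.
    RATE = 1e10
    # Constructed entropy levels: ~28 bits for a password in a common guess list,
    # 40 bits for a typical "complex" human password, 52 bits for four Diceware words,
    # 80 bits for 12 random printable characters.
    table = crack_years_table([28, 40, 52, 80], [1_000, 100_000, 600_000], RATE)
    print("entropy  iterations   expected years")
    for (bits, iters), years in sorted(table.items()):
        print(f"{bits:>7}  {iters:>10}   {years:.3g}")

    # Each guess costs the defender the same work once per unlock; the attacker pays it per guess.
    for iters in (1_000, 100_000, 600_000):
        print(f"{iters:>7} iterations: {measure_seconds_per_guess(iters) * 1000:.1f} ms per unlock here")
```

Doubling the iteration count doubles the attacker's cost but only adds one bit's worth of delay; adding one bit of password entropy does the same. The table makes the asymmetry plain: a guess-list password stays within reach at any reasonable iteration count, while a 52-bit passphrase at a high iteration count is already out of reach for the assumed budget, and the iteration count is the only one of the two levers the service can raise after the fact for vaults already stolen is none, which is why the thread's advice to change the master password after a breach is the part that actually matters.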