Another LastPass Security Incident

Eurgh moved to bitwarden a while ago.

There's too much in there for me to change the passwords. I'll do the important ones. Think my pass is 18+ digits.

They're surely done after this, right ?
It may just be me but I find it interesting it's happened after they started charging everyone.
 

Done to anyone who researches their product choice.

I'm sure they will retain a customer base with vague language in their reporting and marketing campaigns.

Bitwarden user here. Every single detail about their offering is available on their website in a transparent way.

The fact LastPass even had access to certain customer personal data on their servers is all you need to know to avoid them.
 
The one thing I found slightly concerning was they say backups were accessed.
Presumably these would continue to use the old vault password even if it was changed after the breach?

I might change to something else, or not. Any accounts of real value have 2fa added as well. Most are single sign ins for random forums over the years, or shops, for which I would use PayPal anyway.
Are any alternatives REALLY any safer long term though?
Any system like this is surely a juicy target?
 
To be fair mine is reasonably simple: it's a word phrase (alpha only) with mixed case.

It wouldn't be in a rainbow table or anything though.
How long is it? I would try this with the same structure and length but different words.

 
This was my thought when I read the email. Although I think I'll upgrade the strength of my master password and simply run through the hundred sites and change the passwords.

Shouldn't take too long hahha.

Then I'll plan my exit to something else perhaps.
 
Blimey 19 hours.
Yep you're definitely in trouble. I'd assume they have access to your vault and change all your passwords asap.

You can create a strong master passphrase with dice.
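The dice-based passphrase idea above, worked through as an added example (not code from the thread or from any password manager): dice rolls index a word list via the OS CSPRNG, and the entropy and expected crack time are computed from the list size and word count. The 36-word list is a constructed sample (a real Diceware list has 7776 words indexed by five dice) and the guess rate is an assumption.

```python
"""Dice-based passphrase generator with an entropy / crack-time estimate.
Added example, not from the thread. The 36-word list is a constructed sample
indexed by two dice (a real Diceware list has 7776 words, five dice); the
guess rate passed to expected_crack_seconds is an assumption."""
import math
import secrets

SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dragon", "eagle", "falcon",
    "garden", "hammer", "island", "jungle", "kettle", "lantern",
    "marble", "needle", "orange", "pepper", "quartz", "rocket",
    "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zebra", "bridge", "candle", "desert", "engine", "forest",
    "glacier", "harbor", "insect", "jacket", "kitten", "ladder",
]  # 36 = 6**2 entries, so two dice select one word uniformly

def roll_dice(count: int) -> tuple:
    """Roll `count` fair dice using the OS CSPRNG (never random.random)."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(count))

def word_index(rolls: tuple) -> int:
    """Map dice values (1..6 each) to a base-6 index, most significant first."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"invalid die value {r}")
        index = index * 6 + (r - 1)
    return index

def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of an n-word passphrase drawn uniformly from the list."""
    return n_words * math.log2(wordlist_size)

def generate_passphrase(wordlist: list, n_words: int) -> tuple:
    """Pick n_words by dice rolls; return the phrase and its entropy in bits."""
    dice_per_word = round(math.log(len(wordlist), 6))
    if 6 ** dice_per_word != len(wordlist):
        raise ValueError("wordlist size must be a power of 6")
    words = [wordlist[word_index(roll_dice(dice_per_word))] for _ in range(n_words)]
    return " ".join(words), passphrase_entropy_bits(len(wordlist), n_words)

def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected search time: on average half the keyspace is tried."""
    return 2 ** (entropy_bits - 1) / guesses_per_second

if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS, 6)
    years = expected_crack_seconds(bits, 1e10) / (365.25 * 24 * 3600)
    print(f"{phrase!r}: {bits:.1f} bits, ~{years:.3g} years at 1e10 guesses/s")
```

Six words from a full 7776-word list give about 77.5 bits, which is the kind of figure behind the "septillion years" estimates quoted in the thread.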
 
1 hundred septillion years here. Feeling mildly smug :D

That's my master password for Bitwarden, which I have 2FA enabled on. I still don't feel particularly confident relying so heavily on a single provider like I am, but if I didn't then I know my passwords would be far weaker, or I'd reuse them, or I'd just forget them all.
 
Anyone defending LastPass needs to reread the article and extent of the breach.

Personal Data and URLs were taken in an unencrypted form. This makes weaponising the breach so much easier and more potent.

The update also states the source code and other data stolen would have allowed further exploitation and access to and decryption of cloud data.

It's generally accepted that data gets stolen, and as long as you used a strong master password the encrypted data lost isn't likely to be decrypted. Getting unencrypted data taken which can be used in phishing and other attacks to decrypt the encrypted data is shocking.

Data loss aside there is a privacy question to ask - LastPass states they had a zero-knowledge environment. They don't. (They have a readable list of all your services saved in their vault.)

Would moving to a different area and a different water company suddenly make the customer data safe (and will the new company be as transparent) and if the company had been open source would that have stopped the hackers when it's been proven beyond doubt via the ongoing exploits of OpenSSL that open source code doesn't do jack **** for security?

All password managers are a target and all password managers store the data in the cloud unless you self host so now as the Bitwarden user base grows it will become a higher value target to hackers and open source code exploits.

In my opinion. :)
 
I'll be starting tomorrow morning. I'll print the list off and go through them.

Meh. Silly me. Still. I doubt they'll get round to me. Plus all important stuff is 2FA anyway.
 

Oh, nice

It would take a computer about 4 trestrigintillion years to crack your password
 
Mine will take about 3 billion years, still a significant buffer considering the development rate of supercomputers. I may have to change it in 10 years when that might drop to a few thousand years.
 
7 quadrillion years.

Am still going to change the important ones though, and double check 2FA is enabled on everything. hah.

Can you close your LastPass account? I've been "trialling" Bitwarden since the previous breach. Suppose you could just delete all passwords if you can't.
 