Another LastPass Security Incident

Apologies if I’m getting things mixed up as I’m not at my computer, but when I went to activate 2FA login on my Bitwarden account it came up with a warning along the lines of: if I lost my phone I’d basically be screwed (or words to that effect!).

I used the Google Authenticator app for 2FA, so what do I need to do to make sure that if my phone is lost or broken I can get access to Bitwarden?

Other than my Bitwarden login, would moving all of my 2FA logins to be generated by Bitwarden be better, or would that make it less secure?

Thanks
 
So how does KeePassXC work on iOS? It’s not that cross-platform, unlike Bitwarden.

Unless I'm missing something blatantly obvious about KeePassXC (because I am an idiot), it seems easier and far less convoluted to me to just use the Firefox function that allows you to import/export passwords to a CSV file, encrypt the file yourself and use a separate authenticator?

But unless you self-host those files on a home server (then you might as well use Bitwarden self-hosted), you're still stuck in the same situation of having to use a cloud server for those encrypted files and keys, so if you're going to use a cloud server then you might as well just either use Firefox Sync (as mrk said he's been using for years in this thread) or just stick with a fully-fledged password manager like LastPass, Bitwarden or whatever.

In my opinion if any of that made sense. :)
 
Do special characters actually make passwords any more secure in reality, especially with the power of computers today, rather than just somebody sitting and guessing?
Even that EFF dice method only uses normal letters and words it seems.
 
Unless I'm missing something blatantly obvious about KeePassXC (because I am an idiot), it seems easier and far less convoluted to me to just use the Firefox function that allows you to import/export passwords to a CSV file, encrypt the file yourself and use a separate authenticator?

But unless you self-host those files on a home server (then you might as well use Bitwarden self-hosted), you're still stuck in the same situation of having to use a cloud server for those encrypted files and keys, so if you're going to use a cloud server then you might as well just either use Firefox Sync (as mrk said he's been using for years in this thread) or just stick with a fully-fledged password manager like LastPass, Bitwarden or whatever.

In my opinion if any of that made sense. :)

You are limited with KeePass; I can’t see an iOS or Android option, so it’s not really fully cross-platform.
Do special characters actually make passwords any more secure in reality, especially with the power of computers today, rather than just somebody sitting and guessing?
Even that EFF dice method only uses normal letters and words it seems.
I'm not sure what the reality actually is, but changing a single letter into a symbol in my new password made it go from 37 billion years to 1 trillion to crack.
Apologies if I’m getting things mixed up as I’m not at my computer, but when I went to activate 2FA login on my Bitwarden account it came up with a warning along the lines of: if I lost my phone I’d basically be screwed (or words to that effect!).

I used the Google Authenticator app for 2FA, so what do I need to do to make sure that if my phone is lost or broken I can get access to Bitwarden?

Other than my Bitwarden login, would moving all of my 2FA logins to be generated by Bitwarden be better, or would that make it less secure?

Thanks

In the security settings of your Bitwarden account there should be a backup code you can jot down or print out and put somewhere safe. I presume you use this code if you ever lose access to your 2FA device.
 
Do special characters actually make passwords any more secure in reality, especially with the power of computers today, rather than just somebody sitting and guessing?
Even that EFF dice method only uses normal letters and words it seems.
They use normal words because they're much easier to remember; adding a special character and a number would make it more secure.
Do special characters actually make passwords any more secure in reality, especially with the power of computers today, rather than just somebody sitting and guessing?
Even that EFF dice method only uses normal letters and words it seems.

In general, assuming your password is long enough and doesn't contain easily guessable words/combinations, special characters can increase the size of the space (character sets) required for brute forcing.

It's not as simple as that though. Enforcing special characters can force users to make poor password decisions so that they can remember them (such as replacing letters with numbers: S>5, A>4, E>3 etc.). Modern brute-force methods don't just use dumb cyclic methods; they are effectively trained to look for common replacements, common words or words found in language dictionaries, the first letter being capitalised and the last being a special character, etc.

In a general sense, Sheep1 is less secure than sHeep1 because brute-force attacks will prioritise capitalised first letters, or, in the case of avoiding 'human-like' behaviour, Sheep1 is less 'complex' than Sh1eep.

The answer to your question is therefore Yes, No...Maybe?

Suffice to say an 8 character password containing a-z, A-Z, 0-9 and Special Characters has less entropy (and is quicker to brute force) than a 14 character password of JUST lowercase a-z.
 
[image: password_strength.png]
If all sites had 2FA/MFA, passwords wouldn't really matter what they were. You could have a 1 digit/letter password and you still can't get into the account.

2FA isn't a completely foolproof solution though. There are attack vectors for either intercepting the code being retrieved (for those that aren't generated on device), or even spoofing where the code gets entered. These are definitely more targeted rather than most of the sweeping/catch-all attacks though. But just highlighting that it's not completely foolproof.
 
2FA isn't a completely foolproof solution though. There are attack vectors for either intercepting the code being retrieved (for those that aren't generated on device), or even spoofing where the code gets entered. These are definitely more targeted rather than most of the sweeping/catch-all attacks though. But just highlighting that it's not completely foolproof.

It's not completely foolproof, but it's much better than having only passwords IMO. I like the idea of a password that constantly changes and is only accessed via an app or by SMS. The phone companies have said something about having found a technology that can stop SMS 2FA fraud and number-swap fraud, or something like that, which will be implemented shortly.... Can't remember where I read it though.
OK! How do I apologise to all the people I've mocked for years for using KeePassXC? It's growing on me. :D

Since I've been playing with it via the browser interface it's making more sense to me that you can leave most of the settings on default. It also has built-in 2FA that you can use via the browser interface, which I didn't realise before, though I've not tried that part of it yet.

Not sure about syncing. I see people on Reddit are using Mega's free encrypted cloud service; I'm not sure how I feel about that as the owner of Mega has never had a good reputation, and using USB sticks is a faff, and you certainly would never email the database to yourself. :p