Another LastPass Security Incident

Soldato
Joined
5 Mar 2010
Posts
12,359
I moved from lastpass and Google authenticator and consolidated everything to Bitwarden and Authy. Very easy to keep things synced across PC and mobile devices and the UIs seem perfectly functional to me.

Just an FYI if you didn't know, Bitwarden premium can generate your 2FA codes. I just found it's a faff having a password auto filled and then having to load Authy to generate a code. Bitwarden is nice and clever in that if you're using a site that needs a 2FA code, once you've auto-filled your username and password it fills the paste buffer with your 2FA code so you can immediately paste it in.
 
Soldato
Joined
14 Sep 2007
Posts
15,660
Location
Limbo
Time to move elsewhere it seems, my master password (random symbols and 15+ words) and other passwords are fairly solid but I feel a need to cycle through and change everything on the back of this 2nd incident.
 
Soldato
OP
Joined
1 Nov 2004
Posts
4,756
So all the password data has been accessed but it's still encrypted. So, just a case of brute forcing and catching out the weak ones then?

I had to read it a couple of times but that's pretty much how I read it, and they say if you were using a 12 digit pass then it wouldn't be easy.

Time to move elsewhere it seems, my master password (random symbols and 15+ words) and other passwords are fairly solid but I feel a need to cycle through and change everything on the back of this 2nd incident.

Any password manager is going to be a target and wonder if they will be so open if they get hacked?

Just an FYI if you didn't know, Bitwarden premium can generate your 2FA codes.

It is annoying having to piddle about with a separate authenticator.
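The exchange above comes down to how long an offline brute-force of a stolen, still-encrypted vault would take for different master-password styles (a "12 digit pass" versus "15+ words"). The following is an added estimate, not code from the thread or from any password manager; the iteration count and attacker hash rate are constructed assumptions, chosen only to show the orders of magnitude involved.

```python
import math

# Constructed assumptions (not figures from the thread). Adjust to your own model.
ASSUMED_ITERATIONS = 100_100        # PBKDF2-SHA256 rounds used to derive the vault key
ASSUMED_SHA256_PER_SEC = 1e12       # raw SHA-256 throughput of a well-funded GPU rig
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guess_rate(iterations=ASSUMED_ITERATIONS, raw_hashes=ASSUMED_SHA256_PER_SEC):
    """Master-password guesses per second: each guess costs `iterations` hashes."""
    return raw_hashes / iterations


def entropy_bits(charset_size, length):
    """Entropy of a uniformly random password: `length` symbols from `charset_size`."""
    return length * math.log2(charset_size)


def years_to_crack(bits, rate):
    """Expected time in years, assuming half the key space is searched on average."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


def compare(iterations=ASSUMED_ITERATIONS):
    """Return {label: (entropy_bits, expected_years)} for a few master-password styles."""
    rate = guess_rate(iterations)
    cases = {
        "8 lowercase letters": entropy_bits(26, 8),
        "12 printable ASCII chars": entropy_bits(95, 12),
        "15 diceware words": entropy_bits(7776, 15),   # 7776-word diceware list
    }
    return {name: (bits, years_to_crack(bits, rate)) for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:26s} {bits:6.1f} bits  ~{years:.3g} years")
```

Raising the iteration count (or the password entropy) scales the expected time linearly or exponentially respectively, which is why a long random passphrase, not the KDF alone, is what keeps a stolen vault out of reach.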
 
Soldato
Joined
17 Oct 2007
Posts
3,835
While I have mentioned this before, having a secret code that you add somewhere to the password means even if someone gains access to your passwords, they are useless without that secret code. Also, enabling 2 factor authentication is obviously an extremely good idea.
 
Soldato
Joined
5 Mar 2010
Posts
12,359
Are there any viable alternatives that are more resilient to hacking?

I would say the only really secure option is hosting your own, but it'll have its limitations for working remotely (outside the home). Your best bet really is setting up a VPN in this instance rather than opening ports/port forwarding.

My passwords are pretty secure, and every site has a randomly generated 30 character password. So if one site becomes compromised then I only need to scrap that password.

The last few months I've also been moving my accounts over to Simple Login which is basically an email forwarding service. That way if a site becomes compromised they only get your alias rather than your actual email.
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
I would say the only really secure option is hosting your own, but it'll have its limitations for working remotely (outside the home). Your best bet really is setting up a VPN in this instance rather than opening ports/port forwarding.

Problem with this is you always have to go through the VPN. Will be a pain IMO if you don't always need to be on it. I use Caddy web server and it sits behind a reverse proxy. I accept not everyone will be able to do this option so just hosting it with BitWarden is the only choice for most.

When I check my logs I do have attempts but nobody is getting in as it's got 2FA attached to the account.
 
Soldato
Joined
5 Mar 2010
Posts
12,359
Problem with this is you always have to go through the VPN. Will be a pain IMO if you don't always need to be on it. I use Caddy web server and it sits behind a reverse proxy. I accept not everyone will be able to do this option so just hosting it with BitWarden is the only choice for most.

When I check my logs I do have attempts but nobody is getting in as it's got 2FA attached to the account.

Yep you've gotta make a compromise somewhere between being secure and ease of use. IMO you're better off having it hosted by Bitwarden and having secure passwords with 2FA.
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
I'm thinking of moving to Bitwarden premium. £10 is negligible.

£10 works out at roughly 0.027 pence per day.
It's about a pint and 1/4 in London lol

I don't have the skills or patience to host my own and make it effective enough.

You need working knowledge of web servers, security, reverse proxies, ssl certs and domain configuration to get it working properly. Then there's mail settings so that it emails you when there's a log in or anything else it needs to email you about. I have it connected to an SMTP server and sign up is disabled because you can allow multiple people to use the service with a log in. It's pretty funky.
 
Soldato
Joined
19 Nov 2004
Posts
12,516
Location
Wokingham
£10 works out at roughly 0.027 pence per day.
It's about a pint and 1/4 in London lol

You need working knowledge of web servers, security, reverse proxies, ssl certs and domain configuration to get it working properly. Then there's mail settings so that it emails you when there's a log in or anything else it needs to email you about. I have it connected to an SMTP server and sign up is disabled because you can allow multiple people to use the service with a log in. It's pretty funky.
You lost me at reverse proxies.
 
Hitman
Soldato
Joined
25 Feb 2004
Posts
2,837
I had previously posted this in a similar topic:

I've moved from LastPass to Dashlane to Bitwarden and now to 1Password.

I love the UI and integration across browsers/devices, having different vaults shared between family members we can all contribute to including having policies/documents in there for easy access for all, and they've fairly recently partnered with Fastmail where it'll generate a masked email for you when signing up to websites (I already use domain/[email protected] anyway, but it's a nice way to move the identity away from @mydomain.com if needed).

Still very happy with 1password, renewed for another year a month or so ago.
 
Soldato
Joined
13 Jan 2004
Posts
20,962
Anyone defending LastPass needs to reread the article and extent of the breach.

Personal Data and URLs were taken in an unencrypted form. This makes weaponising the breach so much easier and more potent.

The update also states the source code and other data stolen would have allowed further exploitation and access to and decryption of cloud data.

It's generally accepted that data gets stolen, and as long as you used a strong master password the encrypted data lost isn't likely to be decrypted. Getting unencrypted data taken which can be used in phishing and other attacks to decrypt the encrypted data is shocking.

Data loss aside there is a Privacy Question to ask - LastPass states they had a Zero Knowledge environment. They don't. (They have a readable list of all your services saved in their vault)
 
Soldato
Joined
5 Mar 2010
Posts
12,359
Anyone defending LastPass needs to reread the article and extent of the breach.

Personal Data and URLs were taken in an unencrypted form. This makes weaponising the breach so much easier and more potent.

The update also states the source code and other data stolen would have allowed further exploitation and access to and decryption of cloud data.

It's generally accepted that data gets stolen, and as long as you used a strong master password the encrypted data lost isn't likely to be decrypted. Getting unencrypted data taken which can be used in phishing and other attacks to decrypt the encrypted data is shocking.

Data loss aside there is a Privacy Question to ask - LastPass states they had a Zero Knowledge environment. They don't. (They have a readable list of all your services saved in their vault)

I don't think anyone is defending lastpass on here :cry:
 