Lastpass has been compromised

Lastpass uses client-side encryption, which means your passwords are encrypted with your master password before being sent to their cloud, and when your passwords are downloaded from the cloud they're decrypted locally using your master password. Your master password isn't stored in the cloud. This is kind of the same idea as how WhatsApp/Signal etc. work with end-to-end encryption: your chat messages aren't stored in plain text on their servers, and only your device can decode them.

Even if someone did have access to the Lastpass database, they'd need your master password. So as long as you use a decent-quality master password, it would likely take too long to brute force.

So if they wanted to steal all your passwords, they'd most likely have to infiltrate the Lastpass extension to make it leak your master password back.

I use Bitwarden which I think works the same way.
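The model described in the post above, as an added example that is not LastPass's or Bitwarden's own code: the client stretches the master password into a vault key with PBKDF2, encrypts the vault with that key, and sends the server only the salt, the ciphertext and a separate one-way login hash. The iteration count, the HMAC-SHA256 counter-mode stream standing in for AES, the record layout and the sample vault entry are all assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this illustration only; the real products use their own
# KDF settings and AES-based vault formats, which this toy does not reproduce.
KDF_ITERATIONS = 100_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Client side: stretch the master password into a 256-bit vault key.
    The per-user salt may live on the server; the password itself never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to log in: one more one-way step over the vault key, so the
    server can verify a login but cannot recover the vault key or the password from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32)


def _subkeys(vault_key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys, both derived from the vault key.
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES, not a vetted cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC. Output is nonce || ciphertext || tag; only this blob goes to the server."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Check the tag first: a wrong key (wrong master password) or a tampered blob fails here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def client_enroll(master_password: str, vault_plaintext: bytes, salt: Optional[bytes] = None) -> dict:
    """Everything the server ends up holding for this user. Note what is absent: the password and the key."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    key = derive_vault_key(master_password, salt)
    return {
        "salt": salt,
        "iterations": KDF_ITERATIONS,
        "auth_hash": derive_auth_hash(key, master_password),
        "vault": encrypt_vault(key, vault_plaintext),
    }


def client_unlock(master_password: str, stored: dict) -> Optional[bytes]:
    """Client-side unlock from a copy of the stored record (the 'someone has the database' case)."""
    key = derive_vault_key(master_password, stored["salt"], stored["iterations"])
    if not hmac.compare_digest(derive_auth_hash(key, master_password), stored["auth_hash"]):
        return None
    return decrypt_vault(key, stored["vault"])


if __name__ == "__main__":
    vault = b"example.com|alice|hunter2-but-longer"  # constructed sample entry, not real credentials
    record = client_enroll("correct horse battery staple", vault)
    assert b"hunter2" not in record["vault"]  # the server never sees plaintext
    assert client_unlock("wrong password", record) is None
    assert client_unlock("correct horse battery staple", record) == vault
    print("server-side record holds:", sorted(record))
```

With the stored record in hand, an attacker has ciphertext plus a hash that only confirms a correct login; getting at the vault still means guessing the master password through the KDF on each try, which is why both the iteration count and the password's quality set the attacker's cost.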
 
“After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”
Yeah, I'm sure any evidence got destroyed.

Lastpass uses client-side encryption, which means your passwords are encrypted with your master password before being sent to their cloud, and when your passwords are downloaded from the cloud they're decrypted locally using your master password. Your master password isn't stored in the cloud. This is kind of the same idea as how WhatsApp/Signal etc. work with end-to-end encryption: your chat messages aren't stored in plain text on their servers, and only your device can decode them.
Wouldn't be surprised if that's a lie and there's a backdoor, tbh.
 
These online password management systems are a terrible idea. They are such an attractive target for attacks, corrupt insiders, or penny-pinching (as no-one actually wants to pay for it) that it's just a matter of time before they get compromised. They are literally dangling the crown jewels in front of every state actor and criminal.

The old joke of passwords being on a post-it note on a monitor as being an example of lack of security is kinda hollow these days. I'd trust a post-it note in my home office before I'd touch a cloud password system.

Spoken like someone who has no clue how password managers work.
 
Is KeePass still worth it? I use it and keep the database file on my Dropbox; never got around to checking out the rivals.
 
These online password management systems are a terrible idea. They are such an attractive target for attacks, corrupt insiders, or penny-pinching (as no-one actually wants to pay for it) that it's just a matter of time before they get compromised. They are literally dangling the crown jewels in front of every state actor and criminal.

The old joke of passwords being on a post-it note on a monitor as being an example of lack of security is kinda hollow these days. I'd trust a post-it note in my home office before I'd touch a cloud password system.
That's not how it works.
Lastpass uses client-side encryption, which means your passwords are encrypted with your master password before being sent to their cloud, and when your passwords are downloaded from the cloud they're decrypted locally using your master password. Your master password isn't stored in the cloud. This is kind of the same idea as how WhatsApp/Signal etc. work with end-to-end encryption: your chat messages aren't stored in plain text on their servers, and only your device can decode them.

Even if someone did have access to the Lastpass database, they'd need your master password. So as long as you use a decent-quality master password, it would likely take too long to brute force.

So if they wanted to steal all your passwords, they'd most likely have to infiltrate the Lastpass extension to make it leak your master password back.

I use Bitwarden which I think works the same way.
That's how it works.
Wouldn't be surprised if that's a lie and there's a backdoor, tbh.
Based on..... absolutely nothing?
 
That's not how it works.

That's how it works.

Based on..... absolutely nothing?
Based on that's how the world works.

All the people who reacted to this post with laughing smileys like I'm some nutter might wanna remember:
Edward Joseph Snowden (/ˈsnoʊdən/; born June 21, 1983) is an American former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013, when he was an employee and subcontractor. His illegal disclosures revealed numerous global surveillance programs, many run by the NSA and the Five Eyes Intelligence Alliance with the cooperation of telecommunication companies and European governments, and prompted a cultural discussion about national security and individual privacy.
 
Disagree. Bitwarden is superior to 1Password. It does everything 1Password does and more, and as it is all open source, you can actually trust what it says. 1Password is closed source and very much a 'trust us' company. No need for that when Bitwarden exists.
What more does it do?
 
The old joke of passwords being on a post-it note on a monitor as being an example of lack of security is kinda hollow these days. I'd trust a post-it note in my home office before I'd touch a cloud password system.

I dunno, I think a combination is a good idea. Like, do you really manually enter your login details from a post-it note or a notebook every time you want to log on to forums, Twitter, Facebook, Instagram, Gmail etc.?

Most of that stuff has 2FA, so I'm quite happy to be able to launch a browser and/or mobile app and have it automatically logged into, say, Gmail etc. If someone drops a link to something on Instagram in a WhatsApp group, I can simply click on it and Instagram launches; I wouldn't want to have to type in a password every time I do something like that.

I do kinda agree with the point re: security though, insofar as I think the whole "don't write your password down" thing is waaay overblown. Perhaps not a post-it note, but the average burglar isn't looking through your notebooks or whatever; he's at best going to nick passports and/or a couple of utility bills for identity theft, but is more likely interested in jewelry and electronics. I mean, even if someone did nick, say, your online banking ID and password, they can't do anything with it, as my bank asks for a one-time code from the mobile app too, and in order to open the mobile app they'll need a PIN to open my phone and then a fingerprint to open the app.

Maybe for things like an Apple ID password it is worth having it written down somewhere. I don't use it very often, but every few months when I come to install an app I need to enter it, and it's some additional variation on a previous password that I can't remember... It's annoying when stuff like at least one capital letter and one symbol is included etc.

Easy. Just use the same password for every login. Something easy too... "KidsName1975", or the like. No need for any sort of pw manager then.

That's not ideal: one website gets compromised and your password is compromised. Unfortunately, lots of websites are now compromised, as companies seemingly can't be trusted to encrypt password databases.

Fortunately, 2FA helps with this though I guess.
 
I really dislike the KeePass interface.

I'm the same, plus it seems an overly convoluted way of local hosting when most people can just import/export the passwords from their browser themselves and then encrypt the output file if an online password manager is of no use to them.
 
I use Plex but have 2FA, so was less worried, but changed password anyway.

I used to be on Lastpass but deleted my vault and passwords when I quit, so that should be ok.

I use a password manager. It's a godsend. A really, really long passphrase (a sentence, really) and 2FA, and you're pretty safe, to be honest.

These hacking attempts seem to be doing the rounds. Or is it just making the news more now?
 
Lastpass uses client-side encryption, which means your passwords are encrypted with your master password before being sent to their cloud, and when your passwords are downloaded from the cloud they're decrypted locally using your master password. Your master password isn't stored in the cloud. This is kind of the same idea as how WhatsApp/Signal etc. work with end-to-end encryption: your chat messages aren't stored in plain text on their servers, and only your device can decode them.

Even if someone did have access to the Lastpass database, they'd need your master password. So as long as you use a decent-quality master password, it would likely take too long to brute force.

So if they wanted to steal all your passwords, they'd most likely have to infiltrate the Lastpass extension to make it leak your master password back.

I use Bitwarden which I think works the same way.
What's a decent-quality password, and will a non-technical user remember it if I get hit by a bus?
 
That's not ideal: one website gets compromised and your password is compromised. Unfortunately, lots of websites are now compromised, as companies seemingly can't be trusted to encrypt password databases.

Fortunately, 2FA helps with this though I guess.

I was being sarcastic :P
 
What's a decent-quality password, and will a non-technical user remember it if I get hit by a bus?
I use a sentence I remember that's relevant or that I can refer to.

For example:

Ocukoverclockingbmwfanboyforum

(I've never used this password)

That password alone will take trillions of years to crack. No special characters to remember.

Maybe quantum computing may change the cracking timescales, but for now a long sentence for the master password and 2FA is a boon for me, as my password manager can automatically set long, complex passwords.
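The "trillions of years" figure for the passphrase above depends on what the attacker knows. Here is an added estimate, not from the original post, comparing two attacker models for the same passphrase: a blind search over the character classes present, and a search that knows the passphrase is a handful of dictionary words glued together. The guess rate, the dictionary size and the PBKDF2 work factor are assumptions for illustration, not benchmarks of any product.

```python
import math

# Assumed attacker model: offline guessing against a vault blob whose key comes from
# PBKDF2-SHA256 at roughly 100,000 iterations. The rate below is an assumption for a
# well-funded GPU rig, used only to turn entropy into a rough timescale.
PBKDF2_GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 86400


def brute_force_bits(password: str) -> float:
    """Search-space entropy if the attacker must try every string over the character
    classes that appear in the password (the figure most 'time to crack' tools report)."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII symbols
    return len(password) * math.log2(charset) if charset else 0.0


def wordlist_bits(word_count: int, dictionary_size: int = 10_000) -> float:
    """Search-space entropy if the attacker knows the passphrase is `word_count` words
    drawn from a dictionary of `dictionary_size` entries (assumed size)."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = PBKDF2_GUESSES_PER_SECOND) -> float:
    """Years to try the whole space at the given rate; the expected time to a hit is half this."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def estimate(password: str, word_count: int, guesses_per_second: float = PBKDF2_GUESSES_PER_SECOND) -> dict:
    """Both models side by side for one passphrase."""
    bf = brute_force_bits(password)
    wl = wordlist_bits(word_count)
    return {
        "brute_force_bits": bf,
        "wordlist_bits": wl,
        "years_brute_force": years_to_exhaust(bf, guesses_per_second),
        "years_wordlist": years_to_exhaust(wl, guesses_per_second),
    }


if __name__ == "__main__":
    # The passphrase from the post above (never used as a real password there either),
    # segmented as Ocuk / overclocking / bmw / fanboy / forum, plus a short one for contrast.
    for pw, words in [("Ocukoverclockingbmwfanboyforum", 5), ("fanboyforum", 2)]:
        e = estimate(pw, words)
        print(f"{pw}: {e['brute_force_bits']:.0f} bits / {e['years_brute_force']:.1e} years blind, "
              f"{e['wordlist_bits']:.0f} bits / {e['years_wordlist']:.1e} years with a word list")
```

Under the blind model the 30-character passphrase is about 171 bits, which is the astronomical figure the post quotes. Under the word-list model it is about 66 bits, which at the assumed rate still runs to millions of years through PBKDF2, but a two-word phrase collapses to days. The practical takeaways are the ones the posts already make: length and word count matter more than symbols, and the KDF work factor is what turns every extra bit into attacker cost.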
 