Lastpass security breach and my thoughts.

[Gromett]

Lastpass have just provided an update on the recent security breach.

Here is the update.

Notice of Recent Security Incident - The LastPass Blog

We are working diligently to understand the scope of the incident and identify what specific information has been accessed.

blog.lastpass.com

I am seriously impressed with this company. They have been open and honest about the situation and have given enough details to be able to make an informed decision on how to proceed.
This is an example of how companies SHOULD handle breaches.

Providing your master password is decent, then you should have nothing to worry about on this one.

Your data is encrypted and that encryption is password secured. So. each vault has a different encryption key. What this means is that the hackers CANNOT run a common dictionary attack or other standard bulk decryption technique.
Each account would have to be hacked individually.

It is unlikely that you or I will be targeted for this treatment. However if you are a famous or notable person, then they may put resources into decrypting your account.

So my takes from this are.
1) Great transparency from Lastpass. It shows they are serious about this and will now take steps to prevent the same thing happening again. Do not move to another company based on this breach as the next company won't have this real experience and you may find the same thing happening again. Lastpass are not likely to fall for this again.
2) I am not concerned about the security of my data. Although the fact they have Personally identifiable data in the clear is a concern as it may lead to an increase in phishing attempts.
3) I won't be changing providers due to this. Although I may be changing due to their pricing in the future once my current contract expires.

 

[heliart]

Thanks for posting.
Adding two factor authentication to Lastpass, and any other online password based site is also best practice. You just need to be disciplined to back up your phone's authentication app.

Cheers,

Steve

 

[kevenh]

Thanks for posting.
Adding two factor authentication to Lastpass, and any other online password based site is also best practice. You just need to be disciplined to back up your phone's authentication app.

Cheers,

Steve

I watched the “The Secret Genius of Modern Life” episode about credit cards and, like the presenter, I was amused by fraudsters on the dark web using 3FA
I think I’ll misquote them but the tagline is “no fraud between fraudsters”

 

[OldAgeTravellers]

I am much happier using KeyPass and storing it on cloud storage so that it is available to all my devices and locally if I don’t have internet access.

 

[Gromett]

Thanks for posting.
Adding two factor authentication to Lastpass, and any other online password based site is also best practice. You just need to be disciplined to back up your phone's authentication app.

Cheers,

Steve

Two factor authentication is highly recommended. I use a YubiKey for mine.

HOWEVER. 2FA will not protect against this attack. 2FA is used to log into the website and enable the download of the encrypted file.
It plays no part in the actual encryption of the file itself.

As the hackers bypassed all security and downloaded these files, they have them to play with at their leisure and no 2FA or changing passwords will help.

storing it on cloud storage

Which is what lastpass does. The hackers gained access to their cloud storage.

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

I have decided to make the jump to another self hosted password manager. Not because I don't trust lastpass anymore, but because of the high annual cost for what they provide.
I no longer need the cross platform syncing so a local storage system will work just fine for me.

I will be evaluating a few and if anyone is interested I will post the results and my choice.

 

[clanjones]

I would certainly be interested Gromett . I use bitdefender and they have a package offer including their password manager which I was thinking of switching to from Lastpass.

 

[The Dotties]

I don't pay for lastpass, Free if you keep to one machine type either PC/laptop or tablet phone. All I need, and I would struggle to move every password to a néw provider

 

[OldAgeTravellers]

Look at Keypass please Gromett, I have been using it for many years It is self hosted, I just choose to host it on my cloud storage so it is available to all my devices but a local copy is always available. My research came up with a report that the CIA has been trying to break it for years without success. But I would value your opinion. there is a version available for all platforms and it is open source. When I was playing with Linux I ran the windows version through Wine and it ran very well.
Steve

 

[OldAgeTravellers]

Interesting review of KeePass byForbes: https://www.forbes.com/advisor/business/software/keepass-review/

^{_{Subscribers  do not see these advertisements}}

 

[olley]

Norton life lock

NortonLifeLock warns that hackers breached Password Manager accounts

Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks.

www.bleepingcomputer.com

 

[GarryP]

Interesting. Been using Norton password manager since it first came out. Never had a problem and neither I nor my wife seem to have been caught in this latest attack. Think I might activate two factor login just in case.

 

[Brianmor]

Been using LastPass for years, I have a 22 digit master password. My subscription is up for renewal in 3 weeks time and I'm undecided whether to renew or not.
Lastpass hasn't issued any updated advice since 22nd December
Any educated opinions appreciated

 

[kevenh]

Been using LastPass for years, I have a 22 digit master password. My subscription is up for renewal in 3 weeks time and I'm undecided whether to renew or not.
Lastpass hasn't issued any updated advice since 22nd December
Any educated opinions appreciated

Have you begun to use Lastpass’ premium features?
Password management is free.
Details of free v subs: https://www.lastpass.com/pricing/lastpass-premium-vs-free

 

[Brianmor]

I've been using the premium version since I was forced into it 2 to 3 years ago due to my need for multi platform access

^{_{Subscribers  do not see these advertisements}}

 

[Miggs]

I've been using the premium version since I was forced into it 2 to 3 years ago due to my need for multi platform access

Bitwarden gives you that for free.

 

[olley]

Lots of details about the lastpass data breach on the net. Here's one.

LastPass owner GoTo says hackers stole customers' backups

LastPass' parent company says intruders stole the company's encryption key for securing its customers' backed up data.

techcrunch.com

 

[Gromett]

I have got a break in work and am evaluating both bits of software today. Will be migrating across tomorrow or Friday.

 

[Gromett]

OK. I have run through a variety of password managers and finally settled on Bitwarden.

KeepassXC failed because it is a geeks paradise and I just wanted something that works. 10 years ago I would have taken much joy in playing around with it and getting it configured exactly how I want it. I would have been ok with firefox not liking the plugin etc etc. The fun of working out how to get my YubiKey to work would have been a joy. Importing data from lastpass was slightly confusing and took a few goes due to columns being hidden when you selected a column number that was already selected.

These days for core plumbing work like this I just want it to work. KeepassXC may be suitable for you if you want to play, but if you want it to just work then avoid.

Roboform ruled themselves out of the competition by charging too much. Almost £25 a year. The software also didn't install completely smoothly and I don't need that kind of problem from a core app.

Bitwarden, installed 1st time. No problems. Imported my data directly from lastpass without asking any questions. The add on for firefox works differently to what I am used to., There are no icons within the form fields themselves which is a bit of a mixed bag. BUT right click on any field and then click on bitwarden and it gives you all the login options. I will get used to this and end up preferring it. I like it.
It felt slick and professional from the install, to installing the desktop app, to the browser add ons. I was impressed.


The others I tried previously have all been ruled out for various reasons.

Bitwarden is my choice. I even spent the extra $10 (£8.5) for the pro version to get the 2FA feature so I can use my yubi key.

Give me a week and I will update what it is like to be used in anger. I work on my computer 10+ hours a day (often a lot more) so I will find problems fairly quickly if any.

 

[Revolvor]

Gromett, thanks for your reviews. I currently use Lastpass but am planning to change when my current subscription expires. Bitwarden sounds good from what I have also read elsewhere. Will you also be installing it on a phone? I will be interested to read your update when you have used it.

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

Gromett, thanks for your reviews. I currently use Lastpass but am planning to change when my current subscription expires. Bitwarden sounds good from what I have also read elsewhere. Will you also be installing it on a phone? I will be interested to read your update when you have used it.

I hadn't planned on using it on my phone to be honest. I never do any work or social stuff on it. I use it literally as a notification device. It lets me know when and email, whatsapp, skype or slack message arrives. I then go on my computer to deal with it.

I will give it a go if it will help you. But I am probably not the best person to review that side as my phone doesn't have NFC and I will have to scrabble around with an OTA usb cable to get my yubi key to work.

 

[Gromett]

Gromett, thanks for your reviews. I currently use Lastpass but am planning to change when my current subscription expires. Bitwarden sounds good from what I have also read elsewhere. Will you also be installing it on a phone? I will be interested to read your update when you have used it.

ok. Here is a fantastic bit of news. I pretty much stopped using my phone because of no NFC and faffing around with USB OTG rarely if ever worked.

I had the same problem but lastpass kept trying to help.

So i uninstalled lastpass and USB OTG now works perfectly. Bitwarden installed and working on phone. Testing now.

 

[Gromett]

Posting from my phone... Yuk

 

[Revolvor]

I use it literally as a notification device. It lets me know when and email, whatsapp, skype or slack message arrives. I then go on my computer to deal with it.

I'm a bit like that, but do occasionally need to access sites from my phone. Thanks for taking time to check it's performance with a phone.

 

[Gromett]

ok. After a bit of a fight I got it working on my older android.

TIP: click on the password field if it doesn't work on the username field.

Developers have a consistent name for password. But for "log in", "login", User, user_name, "userName" etc etc not so much so bitwarden does not always trigger.

But once I did that it worked perfectly. I have never been able to login using lastpass.

I am happy with bitwarden I have to say.

Give me a week of playing on it. I won't be playing on my phone though so if you want a full review of that side of things you need to ask someone else sorry. I hate phones.

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

Gromett, thanks for your reviews. I currently use Lastpass but am planning to change when my current subscription expires. Bitwarden sounds good from what I have also read elsewhere. Will you also be installing it on a phone? I will be interested to read your update when you have used it.

Had a bit more of a play. It appears to work fine. Works with my finger print scanner. logged me into everything I have on there no problems. So my guess is it is at least as good as lastpass if not better.

 

[Brianmor]

I really appreciate the feedback so quickly, I will download it tomorrow and leave feedback as I use my android Pixel 6 for most things, I will also try it on my Samsung tablet.
I have 3 weeks before my Lastpass renews so Bitwarden works as I hope.

 

[olley]

I came across this post, apparently there's a design flaw with bitwarden.

Bitwarden design flaw: Server side iterations

Bitwarden is a hot candidate for a LastPass replacement. Looking into how they encrypt data, it doesn’t do things that much better however.

palant.info

 

[Gromett]

I came across this post, apparently there's a design flaw with bitwarden.

Bitwarden design flaw: Server side iterations

Bitwarden is a hot candidate for a LastPass replacement. Looking into how they encrypt data, it doesn’t do things that much better however.

palant.info

Thanks for sharing that. I have seen some of those points individually elsewhere but this guy seems to have pulled it all together.

3 points
1) You can set the iterations client side for PBKDF2 hashes. The help for it states to increase it at 50,000 a time to ensure it doesn't slow your system down too much. This seems to be a sensible approach to me and it impressed me. (See below)
2) The big difference between lastpass and bit warden for me was they encrypt the whole database.
3) Bit warden is open source. So it has a lot of people inspecting the code. They will not get away with dumb things like not encrypting the entire db.

Encryption | Bitwarden Help Center

Learn how Bitwarden salts and hashes password Vault data before sending it to the Cloud for secure storage.

bitwarden.com

 

[olley]

I just use Google passwords seems to work ok.

^{_{Subscribers  do not see these advertisements}}