Lastpass security breach and my thoughts.

Gromett
Lastpass have just provided an update on the recent security breach.

Here is the update.

I am seriously impressed with this company. They have been open and honest about the situation and have given enough details to be able to make an informed decision on how to proceed.
This is an example of how companies SHOULD handle breaches.

Provided your master password is decent, you should have nothing to worry about on this one.

Your data is encrypted and that encryption is password secured. So each vault has a different encryption key. What this means is that the hackers CANNOT run a common dictionary attack or other standard bulk decryption technique.
Each account would have to be hacked individually.

It is unlikely that you or I will be targeted for this treatment. However if you are a famous or notable person, then they may put resources into decrypting your account.

So my takes from this are:
1) Great transparency from Lastpass. It shows they are serious about this and will now take steps to prevent the same thing happening again. Do not move to another company based on this breach, as the next company won't have this real experience and you may find the same thing happening again. Lastpass are not likely to fall for this again.
2) I am not concerned about the security of my data. Although the fact they have personally identifiable data in the clear is a concern, as it may lead to an increase in phishing attempts.
3) I won't be changing providers due to this. Although I may be changing due to their pricing in the future once my current contract expires.
 
Thanks for posting.
Adding two factor authentication to Lastpass, and any other online password based site is also best practice. You just need to be disciplined to back up your phone's authentication app.

Cheers,

Steve
 

kevenh
> Thanks for posting.
> Adding two factor authentication to Lastpass, and any other online password based site is also best practice. You just need to be disciplined to back up your phone's authentication app.
>
> Cheers,
>
> Steve
I watched the “The Secret Genius of Modern Life” episode about credit cards and, like the presenter, I was amused by fraudsters on the dark web using 3FA 🤪
I think I’ll misquote them but the tagline is “no fraud between fraudsters”
 

OldAgeTravellers
I am much happier using KeePass and storing it on cloud storage so that it is available to all my devices, and locally if I don't have internet access.
 
Gromett (OP)
> Thanks for posting.
> Adding two factor authentication to Lastpass, and any other online password based site is also best practice. You just need to be disciplined to back up your phone's authentication app.
>
> Cheers,
>
> Steve

Two factor authentication is highly recommended. I use a YubiKey for mine.

HOWEVER, 2FA will not protect against this attack. 2FA is used to log into the website and enable the download of the encrypted file.
It plays no part in the actual encryption of the file itself.

As the hackers bypassed all security and downloaded these files, they have them to play with at their leisure and no 2FA or changing passwords will help.


> storing it on cloud storage
Which is what lastpass does. The hackers gained access to their cloud storage.

 
Gromett (OP)
I have decided to make the jump to another self-hosted password manager. Not because I don't trust Lastpass anymore, but because of the high annual cost for what they provide.
I no longer need the cross-platform syncing, so a local storage system will work just fine for me.

I will be evaluating a few and if anyone is interested I will post the results and my choice.

 
I would certainly be interested, Gromett. I use Bitdefender and they have a package offer including their password manager, which I was thinking of switching to from Lastpass.
 

The Dotties
I don't pay for Lastpass; it's free if you keep to one machine type, either PC/laptop or tablet/phone. All I need, and I would struggle to move every password to a new provider.
 

OldAgeTravellers
Look at KeePass please, Gromett. I have been using it for many years. It is self hosted; I just choose to host it on my cloud storage so it is available to all my devices, but a local copy is always available. My research came up with a report that the CIA has been trying to break it for years without success. But I would value your opinion. There is a version available for all platforms and it is open source. When I was playing with Linux I ran the Windows version through Wine and it ran very well.
Steve
 
Interesting. Been using Norton password manager since it first came out. Never had a problem and neither I nor my wife seem to have been caught in this latest attack. Think I might activate two factor login just in case.
 
Been using LastPass for years; I have a 22 digit master password. My subscription is up for renewal in 3 weeks' time and I'm undecided whether to renew or not.
Lastpass hasn't issued any updated advice since 22nd December.
Any educated opinions appreciated.
 

kevenh
> Been using LastPass for years; I have a 22 digit master password. My subscription is up for renewal in 3 weeks' time and I'm undecided whether to renew or not.
> Lastpass hasn't issued any updated advice since 22nd December.
> Any educated opinions appreciated.
Have you begun to use Lastpass’ premium features?
Password management is free.
Details of free v subs: https://www.lastpass.com/pricing/lastpass-premium-vs-free
 
Gromett (OP)
I have got a break in work and am evaluating both bits of software today. Will be migrating across tomorrow or Friday.
 
Gromett (OP)
OK. I have run through a variety of password managers and finally settled on Bitwarden.

KeepassXC failed because it is a geek's paradise and I just wanted something that works. 10 years ago I would have taken much joy in playing around with it and getting it configured exactly how I want it. I would have been OK with Firefox not liking the plugin etc. etc. The fun of working out how to get my YubiKey to work would have been a joy. Importing data from Lastpass was slightly confusing and took a few goes due to columns being hidden when you selected a column number that was already selected.

These days, for core plumbing work like this, I just want it to work. KeepassXC may be suitable for you if you want to play, but if you want it to just work then avoid.

Roboform ruled themselves out of the competition by charging too much. Almost £25 a year. The software also didn't install completely smoothly and I don't need that kind of problem from a core app.

Bitwarden installed first time. No problems. Imported my data directly from Lastpass without asking any questions. The add-on for Firefox works differently to what I am used to. There are no icons within the form fields themselves, which is a bit of a mixed bag. BUT right click on any field and then click on Bitwarden and it gives you all the login options. I will get used to this and end up preferring it. I like it.
It felt slick and professional from the install, to installing the desktop app, to the browser add-ons. I was impressed.

The others I tried previously have all been ruled out for various reasons.

Bitwarden is my choice. I even spent the extra $10 (£8.5) for the pro version to get the 2FA feature so I can use my YubiKey.

Give me a week and I will update what it is like to be used in anger. I work on my computer 10+ hours a day (often a lot more), so I will find problems fairly quickly if there are any.
 
Gromett, thanks for your reviews. I currently use Lastpass but am planning to change when my current subscription expires. Bitwarden sounds good from what I have also read elsewhere. Will you also be installing it on a phone? I will be interested to read your update when you have used it.

 
Gromett (OP)
> Gromett, thanks for your reviews. I currently use Lastpass but am planning to change when my current subscription expires. Bitwarden sounds good from what I have also read elsewhere. Will you also be installing it on a phone? I will be interested to read your update when you have used it.
I hadn't planned on using it on my phone, to be honest. I never do any work or social stuff on it. I use it literally as a notification device. It lets me know when an email, WhatsApp, Skype or Slack message arrives. I then go on my computer to deal with it.

I will give it a go if it will help you. But I am probably not the best person to review that side, as my phone doesn't have NFC and I will have to scrabble around with a USB OTG cable to get my YubiKey to work.
 
Gromett (OP)
> Gromett, thanks for your reviews. I currently use Lastpass but am planning to change when my current subscription expires. Bitwarden sounds good from what I have also read elsewhere. Will you also be installing it on a phone? I will be interested to read your update when you have used it.
OK. Here is a fantastic bit of news. I pretty much stopped using my phone because of no NFC, and faffing around with USB OTG rarely if ever worked.

I had the same problem, but Lastpass kept trying to help.

So I uninstalled Lastpass and USB OTG now works perfectly. Bitwarden installed and working on phone. Testing now.
 
> I use it literally as a notification device. It lets me know when an email, WhatsApp, Skype or Slack message arrives. I then go on my computer to deal with it.
I'm a bit like that, but do occasionally need to access sites from my phone. Thanks for taking time to check its performance with a phone.
 
Gromett (OP)
OK. After a bit of a fight I got it working on my older Android.

TIP: click on the password field if it doesn't work on the username field.

Developers have a consistent name for the password field. But for "log in", "login", "User", "user_name", "userName" etc. etc., not so much, so Bitwarden does not always trigger.

But once I did that it worked perfectly. I have never been able to log in using Lastpass.

I am happy with Bitwarden, I have to say.

Give me a week of playing on it. I won't be playing on my phone though, so if you want a full review of that side of things you need to ask someone else, sorry. I hate phones.

 
Gromett (OP)
> Gromett, thanks for your reviews. I currently use Lastpass but am planning to change when my current subscription expires. Bitwarden sounds good from what I have also read elsewhere. Will you also be installing it on a phone? I will be interested to read your update when you have used it.
Had a bit more of a play. It appears to work fine. Works with my fingerprint scanner. Logged me into everything I have on there, no problems. So my guess is it is at least as good as Lastpass, if not better.
 
I really appreciate the feedback so quickly, I will download it tomorrow and leave feedback as I use my android Pixel 6 for most things, I will also try it on my Samsung tablet.
I have 3 weeks before my Lastpass renews so Bitwarden works as I hope.
 
Gromett (OP)
> I came across this post, apparently there's a design flaw with Bitwarden.
Thanks for sharing that. I have seen some of those points individually elsewhere, but this guy seems to have pulled it all together.

3 points:
1) You can set the iterations client side for PBKDF2 hashes. The help for it states to increase it 50,000 at a time to ensure it doesn't slow your system down too much. This seems to be a sensible approach to me and it impressed me. (See below)
2) The big difference between Lastpass and Bitwarden for me was that they encrypt the whole database.
3) Bitwarden is open source. So it has a lot of people inspecting the code. They will not get away with dumb things like not encrypting the entire DB.


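As an added illustration (not code from this thread, from Lastpass or from Bitwarden), here is the derivation the three points above and the opening post describe: a vault key produced from the master password by PBKDF2-HMAC-SHA256, salted with the account e-mail and run for a client-chosen iteration count, so every stolen vault has to be guessed at separately and 2FA never enters the picture once the blob has been copied. The e-mail, password, throughput figure and function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample values; not a real account.
EMAIL = "Alice@Example.invalid"
MASTER_PASSWORD = "correct horse battery staple"


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    The normalised e-mail is the salt, so two accounts sharing a master
    password still get different keys. 2FA plays no part here: it only gates
    the download of the encrypted vault, never its decryption.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def key_reusable_across_vaults(master_password, email_a, email_b, iterations) -> bool:
    """True only if the key derived for one vault also opens another.

    With per-vault salts this is False: a stolen set of vaults cannot be
    worked through with one shared table of precomputed keys, because every
    candidate password has to be re-derived for every single vault.
    """
    key_a = derive_vault_key(master_password, email_a, iterations)
    key_b = derive_vault_key(master_password, email_b, iterations)
    return hmac.compare_digest(key_a, key_b)


def offline_guess_years(iterations: int, candidates: int, sha256_per_second: float) -> float:
    """Rough years of compute to test `candidates` passwords against ONE vault.

    Each PBKDF2 iteration costs about two SHA-256 compressions (inner and
    outer HMAC), so the work grows linearly with the iteration count. Use it
    to see how much headroom a higher client-side iteration setting buys.
    """
    seconds = candidates * 2 * iterations / sha256_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed throughput figure; only the shape of the result matters.
    for iters in (100_000, 600_000):
        years = offline_guess_years(iters, 10**12, 1e10)
        print(f"{iters:>7} iterations: {years:6.2f} years for 10^12 guesses on one vault")
    print("same key for two vaults?",
          key_reusable_across_vaults(MASTER_PASSWORD, EMAIL, "bob@example.invalid", 100_000))
```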
 
I just use Google passwords; seems to work OK.
