# LastPass hacked again



## Thy (Aug 26, 2022)

I think it was just a few years ago when media told that LastPass got hacked and now again millions of passwords got stolen.

read at forbes.com

I use another password manager (paid version) but I recommended LP to my girlfriend who doesn't want to pay for it. After reading the news today I tried to set up the 2-step authentication for LP for her, but this is not a free feature. Kind of annoying. Why can a security feature even be a paid option?!

Now the Saturday task will be to change all her passwords and maybe even switch to an alternative manager.
*What do you guys think about Google Chrome Password manager?*


----------



## chrcoluk (Aug 26, 2022)

Any password manager that stores online for sharing is flawed in my opinion, I'd be surprised if Google password manager doesn't do that.

I suggest keepass.


----------



## Thy (Aug 26, 2022)

chrcoluk said:


> Any password manager that stores online for sharing is flawed in my opinion, I'd be surprised if Google password manager doesn't do that.
> 
> I suggest keepass.


yeah that's what we use at work because it's a local safe file. But it's not smoothly integrated in the browser and on my smartphone, you know?


----------



## chrcoluk (Aug 26, 2022)

Thy said:


> yeah that's what we use at work because it's a local safe file. But it's not smoothly integrated in the browser and on my smartphone, you know?


There is an android app for it.


----------



## Regeneration (Aug 26, 2022)

Don't use an online service to store your passwords. KeePass is an awesome password manager and it's free.


----------



## ThrashZone (Aug 26, 2022)

Hi,
I thought this was a passwordless world?
Is Microsoft wrong?


----------



## Thy (Aug 26, 2022)

You mean 4 digit PIN and Windows Hello?

I'll now check out KeePass more. I hate it at work, it's so hard to use, but I found extensions. So let's see. Created a post to ask for recommendations, if you guys want to share your wisdom.


----------



## Bill_Bright (Aug 26, 2022)

I agree about using online PW managers. I would not trust them. I also do not recommend using any browser's manager either - this is especially true if there is a chance you could step away from your computer and someone you don't know or trust could walk up and start using your computer. 

I use Splash ID - a very old version that worked with my old Palm Pilot. It is stand-alone on my PC.


----------



## ThrashZone (Aug 26, 2022)

Hi,
Yep the cute complex passwords get ripped as easy as a simple abc123.... would.


----------



## qubit (Aug 26, 2022)

And this is why I don't use any online password managers, ever. The potential damage to me caused by a hacker getting hold of all my passwords doesn't bear thinking about.


----------



## delshay (Aug 26, 2022)

qubit said:


> And this is why I don't use any online password managers, ever. The potential damage to me caused by a hacker getting hold of all my passwords doesn't bear thinking about.



Yes. I store all my passwords in my head. If I forget, no problem, just reset it.


----------



## Thy (Aug 26, 2022)

delshay said:


> Yes. I store all my passwords in my head. If I forget, no problem, just reset it.


keeps your brain young and flexible 
I know many of my passwords by heart, because it's a pattern how I create them. But since I use my password manager I love to create randomly generated ones with 14 characters.


----------



## phanbuey (Aug 26, 2022)

Thy said:


> keeps your brain young and flexible
> I know many of my passwords by heart, because it's a pattern how I create them. But since I use my password manager I love to create randomly generated ones with 14 characters.


This is how I do it as well -  I only have issue with the sites that have a non-standard enforcement policy that's like "you also have to have the # symbol somewhere" or "password can't be longer than X letters" -- those get stuck in a permanent reset loop.


----------



## GerKNG (Aug 26, 2022)

Why do people think that storing passwords on a company's server is a good idea?
KeePass offline across all my devices, updating it over USB.


----------



## qubit (Aug 26, 2022)

GerKNG said:


> Why do people think that storing passwords on a company's server is a good idea?


Because said company promises to keep them safe, don'tcha know?


----------



## xtreemchaos (Aug 26, 2022)

I keep mine on a password protected thumb stick, I've 2 just in case I lose one, all I have to remember is 1 password.


----------



## MarsM4N (Aug 27, 2022)

Geez, what's all the fuss about? Didn't you *read the article*?

_"Toubba also confirmed that neither has evidence been found of any customer data or encrypted password vaults being accessed. LastPass users will, of course, be concerned that a hacker could have got hold of the keys to their online kingdom: their passwords. However, LastPass has made it clear that, courtesy of the 'zero knowledge' architecture implemented, master passwords are never stored. "LastPass can never know or gain access to our customers' master password," Toubba said, "this incident did not compromise your master password." As such, LastPass says that no action is required by users in regard to their password vaults."_ _Source_

Even if they got the vaults they are encrypted, cracking them would take years. And out of the millions of vaults, chances that it would be yours is super minimal. For now I would say online stored vaults are still more safe than locally stored. They got way more security layers than the average Joe on his Windows machine or Android malware phone.

But you can increase security by switching to a better service with 2FA authentication. Check out _*Bitwarden*_. It's open source, free for personal use, works on all devices (incl. PW syncing) & has 2FA (app).


----------



## Count von Schwalbe (Aug 27, 2022)

So they stole some source code and technical data. 

I assume LastPass will replace this to prevent it being used to create vulnerabilities in the password system itself. Stay updated.


----------



## Chicken Patty (Aug 27, 2022)

delshay said:


> Yes. I store all my passwords in my head. If I forget, no problem, just reset it.


Literally what I do, sometimes it's annoying, and you have to reset it or what not but just feels like the right thing to do.


----------



## MarsM4N (Aug 27, 2022)

Chicken Patty said:


> Literally what I do, sometimes it's annoying, and you have to reset it or what not but just feels like the right thing to do.



Passwords _*you can remember*_ are bad passwords.  Randomly generated passwords, minimum. I use 14 characters, upper & lower case + special characters.

That's the good thing about a password manager. You only have to remember your master password & can generate super secure passwords you don't have to remember for logins.
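As an added illustration of the generated-password approach described in this post (example code written for this thread, not from the original post or from any password manager), the block below draws 14-character passwords from a cryptographically secure source, enforces the upper/lower/special mix mentioned above, and computes the entropy of such a password. The character set and the guess rate passed to `years_to_exhaust` are assumptions for the demo.

```python
import math
import secrets
import string

# Character classes: the post's "upper & lower case + special characters" (plus digits).
# The SPECIAL set is an assumption for this example; real managers let you configure it.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL  # 86 symbols


def generate_password(length: int = 14, required=(UPPER, LOWER, DIGITS, SPECIAL)) -> str:
    """Return a uniformly random password over ALPHABET.

    Uses `secrets` (a CSPRNG), never `random`, which is seeded predictably.
    Rejection sampling keeps the output uniform over the set of passwords that
    contain at least one character from every required class.
    """
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` symbols: log2(N^L)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to enumerate the whole keyspace at a given guess rate.

    Useful for comparing a remembered pattern against a random string:
    the rate is an assumption (offline hash cracking is far faster than
    online login attempts), so treat the result as an order of magnitude.
    """
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(14)
    bits = entropy_bits(14)
    print(f"password: {pw}")
    print(f"entropy: {bits:.1f} bits")
    # 1e10 guesses/s is a constructed figure for a well-resourced offline attacker
    print(f"keyspace exhausted in ~{years_to_exhaust(bits, 1e10):.2e} years")
```

The point the numbers make is the one the thread keeps circling: 14 uniformly random symbols from an 86-character set give roughly 90 bits, which no dictionary or pattern attack touches, whereas a remembered pattern with a two-digit suffix has a keyspace small enough that a leaked hash of it is worth attacking.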


----------



## Chicken Patty (Aug 27, 2022)

MarsM4N said:


> Passwords _*you can remember*_ are bad passwords.  Randomly generated passwords, minimum. I use 14 characters, upper & lower case + special characters.
> 
> That's the good thing about a password manager. You only have to remember your master password & can generate super secure passwords you don't have to remember for logins.


That is very true, I guess either way the risk is there.  Luckily so far I have not had any issues yet with my method.


----------



## Bomby569 (Aug 28, 2022)

Aren't they encrypted? And should be separate from the username and site. So I see no major issue.

If they are encrypted and linked to sites or usernames easily then it's a problem. I only keep shit passwords online and with different usernames always. Important passwords are offline safe with me.


----------



## Dirt Chip (Aug 28, 2022)

Hard copy notebook at my desk to store all password and the important one are stashed away in a different place at home.

For the very unimportant things I use the chrome pass logger.


----------



## MarsM4N (Aug 29, 2022)

So, it looks like it's a lot worse. It wasn't only _LastPass_ who got hacked, but also 2FA provider _*Authy*_. This is bad.


The number of companies caught up in recent hacks keeps growing (arstechnica.com): "2FA provider Authy, password manager LastPass, and DoorDash all experienced breaches."

Guess I have to look into _*FIDO2*_. Thinking of getting a *YubiKey* for my desktop. To my understanding passwordless authentication & biometric authentication on phone (TouchID & FaceID) is already based on the FIDO2 standard, right? Anyone got some experience with YubiKey? Is it worth it or is there a better or equally good solution? I did read a TPM 2.0 (Trusted Platform Module) could also be used for secure authentication?

*Passwordless authentication via FIDO2*


----------



## silentbogo (Aug 29, 2022)

That's why 2FA is important. I've enabled it everywhere I could, and most of our banking apps and services use it by default in one form or the other. 
This way even if your password(s) or password manager is compromised - no one will get access to your accounts unless they also have access to your phone and/or e-mail. 
Biometrics is also a pretty cool alternative. Works perfectly on my phone, but for some reason there's less support on desktop (even though cheap fingerprint readers have been around for over a decade).
Chrome password manager will get this feature soon on desktop, and only got it implemented on phones last month. Kinda weird, considering my shitty abysmal banking app (that still caps passwords at 12 alphanumeric chars and won't allow special chars for some idiotic reason) had this feature for 5+ years already.


----------



## Vayra86 (Aug 29, 2022)

MarsM4N said:


> Passwords _*you can remember*_ are bad passwords.  Randomly generated passwords, minimum. I use 14 characters, upper & lower case + special characters.
> 
> That's the good thing about a password manager. You only have to remember your master password & can generate super secure passwords you don't have to remember for logins.


Nonsense, any database anywhere can get hacked and then most often your super random 14 digit spree of weird characters is in anyone's hands, linked to either an account, an email address or more.

The only real protection is 2FA. Making passwords difficult is just annoying for yourself. I literally have used the same-ish set of 2 (!) passwords followed by a duo of numbers or other characters, one for 8 position- and one for longer password requirements- and have done so for a whopping 24 years of internet life. Work and personal.

The ONLY hack I encountered in my life was on my Ubisoft account, and only because I hadn't activated 2FA! That's when I email said company and ask them to lock it. Done in 2 days.

And that is even with both my favorite words being heavily traded online. I was part of multiple hacks; DDO server, MySpace leak, etc etc. HaveIBeenPwned loves my email address; again the very same I've had since going online.

People worry too much


----------



## A Computer Guy (Aug 29, 2022)

Vayra86 said:


> Nonsense, any database anywhere can get hacked and then most often your super random 14 digit spree of weird characters is in anyone's hands, linked to either an account, an email address or more.
> 
> The only real protection is 2FA. Making passwords difficult is just annoying for yourself. I literally have used the same-ish set of 2 (!) passwords followed by a duo of numbers or other characters, one for 8 position- and one for longer password requirements- and have done so for a whopping 24 years of internet life. Work and personal.
> 
> ...


The only time I tell people girth doesn't matter is when it comes to passwords where length is king, particularly if it's easy to remember.


----------



## W1zzard (Aug 29, 2022)

MarsM4N said:


> Geez, what's all the fuss about? Didn't you *read the article*?


Indeed I'm always impressed by people's inability to read

+1 for bitwarden (and lastpass)


----------



## silentbogo (Aug 29, 2022)

MarsM4N said:


> Even if they got the vaults they are encrypted, cracking them would take years.


Yep. And back in the day people used to say that MD5 was the last encryption you'll ever need. Until rainbow tables happened...
And bruteforce attacks were also "theoretical and impractical" until GPGPU and cheap cloud compute (AWS) happened.


W1zzard said:


> Indeed I'm always impressed by people's inability to read


W1zz, it's more about reading between the lines. We don't know what exactly was accessed beyond vague "development server". Maybe it'll be a little piece of code that may or may not help developing a collision attack on their specific implementation of PBKDF2-SHA256, or it may be something that may give hackers an ability to turn all lastpass users into a big-ass botnet. Having access to "hashes" is the last thing to worry about, cause there are other ways to collect those.


----------



## W1zzard (Aug 29, 2022)

silentbogo said:


> say that MD5 was the last encryption you'll ever need


MD5 is not encryption, never was, I get what you're saying though, security research and its claims have developed a lot since 1991 (!)



silentbogo said:


> on their specific implementation of PBKDF2-SHA256


It's open source


GitHub - lastpass/lastpass-cli: LastPass command line interface tool (github.com)


----------



## Count von Schwalbe (Aug 30, 2022)

And SHA-256 works great. Until quantum computing advances to anywhere near classical. 

Really though, we don't know what they stole. It could have been one critical link in the chain of encryption - or completely useless. If it is critical, we can just hope that LastPass devs patch it out before the hackers develop an exploit based on it. I reckon that that is pretty likely, and we really don't have too much to worry about.


----------



## 80-watt Hamster (Aug 30, 2022)

Vayra86 said:


> Nonsense, any database anywhere can get hacked and then most often your super random 14 digit spree of weird characters is in anyone's hands, linked to either an account, an email address or more.



Well sure, if the hacked party was daft enough to store a database of plains.  A hash of 14 truly random characters is pretty strong against common attacks.


----------



## R-T-B (Aug 30, 2022)

Vayra86 said:


> Nonsense, any database anywhere can get hacked and then most often your super random 14 digit spree of weird characters is in anyone's hands, linked to either an account, an email address or more.


That's only partially true.

The hash of the password will be in their hands.  And on an ultra special passphrase like that, you aren't deriving squat from the hash.


----------



## Totally (Aug 30, 2022)

Thy said:


> I think it was just a few years ago when media told that LastPass got hacked and now again millions of passwords got stolen.
> 
> read at forbes.com
> 
> ...



I'm confused, you are worried about security but you are handing over your credentials to a third party.


----------



## Count von Schwalbe (Aug 30, 2022)

R-T-B said:


> That's only partially true.
> 
> The hash of the password will be in their hands.  And on an ultra special passphrase like that, you aren't deriving squat from the hash.


That is usually true, but I was thinking about it and realized that LastPass syncs across devices. They may be encrypted but they could not do that if it was just the hash. Unless they are acting as a P2P service, establishing a direct link between your devices.


----------



## lexluthermiester (Aug 30, 2022)

Thy said:


> I think it was just a few years ago when media told that LastPass got hacked and now again millions of passwords got stolen.
> 
> read at forbes.com
> 
> ...


It's a bit of a non-story. Because of the way LastPass works, no hacker can ever crack an individual user account, and there's no way around it. Ever. People are complaining about nothing.


----------



## chrcoluk (Sep 5, 2022)

I have just moved my 2FA to Aegis from Authy (online storage owned by same company), although I haven't yet deleted the data from Authy.


----------



## W1zzard (Sep 6, 2022)

Count von Schwalbe said:


> That is usually true, but I was thinking about it and realized that LastPass syncs across devices. They may be encrypted but they could not do that if it was just the hash. Unless they are acting as a P2P service, establishing a direct link between your devices.


There's a blob storage of encrypted data on their servers, you just sync the encrypted blob, which gets decrypted on your device only, using whatever you provide as passphrase. Wrong passphrase, the decryption result is just gibberish.
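The encrypted-blob sync described in this reply (and the question above it about how syncing can work if the server only holds a hash, plus the earlier mention of PBKDF2-SHA256) can be shown end to end in a few dozen lines. The block below is an added example for this thread, not LastPass's code: the master password is stretched with PBKDF2-HMAC-SHA256 into an encryption key and a MAC key, the vault is sealed on the client, and the server only ever receives the salt, iteration count, ciphertext and tag. Because Python's standard library has no AES, an HMAC-SHA256 counter-mode keystream stands in for the AES-256 a real vault would use; the iteration count and sample vault contents are constructed values for the demo.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for this example


def derive_keys(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Stretch the master password with PBKDF2-HMAC-SHA256 into 64 bytes and
    split it into an encryption key and a MAC key. The password itself never
    leaves the device; only salt and iteration count are stored server-side."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 over (nonce || counter), counter mode.
    A stand-in for AES-256 because the standard library ships no block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, entries: dict) -> dict:
    """Client side: encrypt and authenticate the vault. The returned dict is
    exactly what the sync server stores; nothing in it reveals the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over everything the client will trust on the way back.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": ITERATIONS,
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, blob: dict) -> Optional[dict]:
    """Client side after sync: re-derive the keys from the stored salt and decrypt.
    A wrong passphrase (or a tampered blob) fails the MAC check and yields None
    instead of the 'gibberish' a bare decryption would produce."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt, blob["iterations"])
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


# Constructed sample vault for the demo (not real credentials).
SAMPLE_VAULT = {"example.com": {"user": "alice", "password": "Xk7#pQ2m!vL9zR"}}

if __name__ == "__main__":
    blob = seal_vault("correct horse battery staple", SAMPLE_VAULT)
    print("server stores:", {k: (v[:16] + "...") if isinstance(v, str) else v for k, v in blob.items()})
    print("right passphrase:", open_vault("correct horse battery staple", blob))
    print("wrong passphrase:", open_vault("password123", blob))
```

What this makes concrete about the thread's argument: a stolen copy of the server-side blob gives an attacker only ciphertext plus the salt and iteration count, so the attack that remains is an offline guess of the master password through the PBKDF2 work factor. That is why the work factor and the master password's entropy, not the server's secrecy, decide how much a vault leak is worth.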


----------

