Lastpass hacked proper

[tomos]

I'm sure everyone's heard about this:
Lastpass was hacked this summer a lot worse than they originally thought, or admitted. From the Lastpass blog -- Notice of Recent Security Incident

Stolen was:

information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. 

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Arstechnica article:
LastPass users: Your info and password vault data are now in hackers’ hands

Hacked passwords are still encrypted, but I guess it's time to change all important passwords and start looking at alternatives to central storing of passwords. I see in the 2015 dc thread Lastpass Hacked preople already saying to avoid this approach.

[mouser]

What's insane is all of these password managers are absolutely fanatical about convincing you to put your passwords on the web -- ostensibly so that you can sync to multiple devices, but perhaps more importantly so they can sell subscription software as a service regular fees.

Roboform has been pathological about forcing people to move to their roboform "everywhere" plan where your all of your sensitive password data is stored on their servers.  It's getting well past the stage of being ridiculous.

[daddydave]

I've never trusted password managers, but I've started using KeePass. It has no requirement to sync to the cloud, so I don't.

[Shades]

Once Hackers have enough of your (meta) data, it can be reconstructed and will either help them make educated guesses or go for brute force as they have the time to do so.

HomeAssist is a tool that allows to make your home a lot smarter. But that is not its only function. You can use add-on's to enhance the feature-set. DNS, proxy, NTP are also very possible to manage with it. The reason I bring it up is that there is the 'Vaultwarden' add-on, which is a password manager. It is one that doesn't require the cloud. But as it is available to you in your home network, you can use it for many devices and do any kind of syncing when your devices are connected into your home network.

If you desire, you could also make your HomeAssistant instance accessible from outside your home network, so you could use your 'VaultWarden' setup also when your devices are outside your own network. Personally, I wouldn't go for such a setup, as one is usually at home when secure access to whatever service/software is required.

HomeAssistant is a project intended to be used in combination with the Raspberry 3 and 4 computing boards. But if you look well enough, you'll find that there is also an installer that works in a Linux VM or directly on an old computer. There is also a Docker-container of HomeAssist available, if that is more your thing. I elected to use a Linux VM inside my ProxMox environment and that works wonderfully well. I must add that there currently quite some add-ons installed, as well as HA keeping track of 10 security cameras (IP cams, 1080p) where I am figuring out how to use OpenAI for person recognition after motion is detected. I would not undertake those things with a Raspberry Pi.

Is HomeAssist with the 'VaultWarden' a good idea for anyone on the DC forum? I don't know. But it is worth a mention, as password managers do have their use. And if you are willing yo put a bit of effort into it and don't mention that you make use of it on social media, it should be a lot safer than having all those secrets permanently on cloud servers, which are under continuous attack from hackers.

[wraith808]

Hacked passwords are still encrypted, but I guess it's time to change all important passwords and start looking at alternatives to central storing of passwords. I see in the 2015 dc thread Lastpass Hacked preople already saying to avoid this approach.

-tomos (December 23, 2022, 03:51 PM)

These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

If they don't have the hash, and it's correctly secured with 256-bit AES, you're still safe, right?

[mouser]

If they don't have the hash, and it's correctly secured with 256-bit AES, you're still safe, right?

Assuming everything was coded well, and that you used a sufficiently strong master passphrase to encrypt your password collection.  But if you did not use a strong master password...

[x16wda]

Note there are some threat actors that are harvesting possible high value encrypted files to hold onto until the tech is fast enough to do the breaking.

[wraith808]

Note there are some threat actors that are harvesting possible high value encrypted files to hold onto until the tech is fast enough to do the breaking.

-x16wda (December 24, 2022, 08:12 PM)

Yeah, I'm planning to change - already using Bitwarden, but just haven't gotten everything over yet. And planning to change passwords. Just wanted to know how credible the threat is right now to prioritize.

[4wd]

I've never trusted password managers, but I've started using KeePass. It has no requirement to sync to the cloud, so I don't.

-daddydave (December 23, 2022, 06:37 PM)

Been using Keepass for years, it syncs to iDrive Cloud Drive, (mainly as a backup but also so I have access to the database file via browser/app if needed), and via OneDrive sync plugin which the Android app uses as the database, (syncing any local changes back to it which then propagate to computers).

[rjbull]

What's insane is all of these password managers are absolutely fanatical about convincing you to put your passwords on the web -- ostensibly so that you can sync to multiple devices, but perhaps more importantly so they can sell subscription software as a service regular fees.

-mouser (December 23, 2022, 04:50 PM)

That's what I thought, too...

Roboform has been pathological about forcing people to move to their roboform "everywhere" plan where your all of your sensitive password data is stored on their servers.

-mouser (December 23, 2022, 04:50 PM)

I find their hyping of "Everywhere" tiresome.  Yet they still allow you to use RoboForm "Free," if you are content not to sync and not to have the other extra features in "Everywhere" (such as 2FA).  Comparison of "Free" and "Everywhere" is here: https://www.roboform.com/en/everywhere  Presumably they genuinely value their cloud storage.  I don't; I think there's some kind of principle here.  I don't intend to generate important things like passwords, hand them to someone else for storage, then hire back their use.  But, I've reinstalled RoboForm Free, because it still seems better than e.g. Sticky Password for complicated form-filling.

[skwire]

Been using Keepass for years, it syncs to iDrive Cloud Drive, (mainly as a backup but also so I have access to the database file via browser/app if needed), and via OneDrive sync plugin which the Android app uses as the database, (syncing any local changes back to it which then propagate to computers).

-4wd (December 25, 2022, 10:57 PM)

Keepass user for many years as well.  I also use a similar online setup to yours to gain access from my phone and to sync back changes.

[rgdot]

Keepass DB uploaded to Tresorit is what I have done for the past few years. It is good enough for me.

[Tuxman]

Unsurprisingly, storing your passwords on other people's computers is an idea of relatively low sophistication.

[tomos]

I'm one of those people who are slow to change, in this case, slow to move on from something I know is flawed.
Was given a big push by my lastpass extension in Vivaldi -- it started staying logged in between sessions (I hibernate the laptop). Just now, I started laptop and was able to make a payment via paypal using lastpass -- the computer hadnt been used for two days; I think then lastpass realised it shouldnt be logged in so it logged me out.

Anyways, that gave me the push to move to Keepass, just used it for the first time, seems fine

[Tuxman]

Good choice!