LastPass says hackers have obtained vault data and a wealth of customer info

Kebba

Ars Scholae Palatinae
982
Subscriptor
I would dearly love to have an easy-to-follow web manual on how to implement a Vaultwarden solution for people who are not super Terminal-friendly/on Linux.

I got Syncthing working on my Macbook and iPhone (using Möbius Sync), then got Docker up and running on the Macbook, but after installing the Vaultwarden server with Kitematic it started me off with the message "It looks like you did not configure a persistent volume!" along with a warning that any time I updated I'd lose all data. Yikes. A quick search for how to resolve that led me to "solutions" that were way past my comfort/computer-savvy level so I gave up for now.

KeePass seems easier to set up in this regard, but I've been using Bitwarden the past couple of years and I like its format and function and would rather keep using it.

I am not sure how much fiddling with CLI is regarded as "too much", but I basically used this here, without Caddy but my own proxy.

https://github.com/dani-garcia/vaultwarden/wiki/Using-Docker-Compose
Docker-compose makes a lot of things easier, if somebody made a good setup with nice explanations for what it did. I run a few things at home with no more effort than create folders, download an example docker-compose file. Replace some default values and press start.


I have not tried it myself, but dietpi seems like a good option for people who want a more appliance like experience where you install apps and stuff should just work. Looks like an interesting project to me. Just make sure you deal with backups properly!

https://dietpi.com/
 
Upvote
1 (1 / 0)
Agree. I was a long-time user of 1Password and that ended it for me. I don't care how much "military-grade" encryption you use, I'm not storing my password database on a machine that I don't control. Period.

I have a Synology NAS. I installed VaultWarden in a Docker container and use the BitWarden client on the family phones and computers. Setting it up wasn't like falling off a log, but the experience has been very positive.
"Military grade" = AES256. Or possibly AES512.

I strongly dislike the 'military grade' description these password locker companies eschew in their promotional material. Tell me how you encrypt, don't fluff it.
 
Upvote
6 (6 / 0)
I think I'm done with LP now. Ever-increasing fees and yet another security failure.

How in f's sake could you fail to encrypt secure notes???

Switching to Bitwarden tomorrow most likely but how do we know that they are any better at this?
Well, Bitwarden is a bit of a different beast. That is totally 100% self-hosted, so the question then becomes: Am I better at managing this stuff than these online companies?

Probably yes, but mostly through the 'security through obscurity' model.

There is risk all around w/ storing this stuff online (self-hosted or not), which is why it is best (theoretically) to keep part of your locker in one area and the ability to access that locker in an entirely separate solution.

Example: BitWarden on your self-hosted solution, with a private key required to access it, which is stored on another online solution - say, Google Drive. Then of course using a strong password.
 
Upvote
0 (1 / -1)

Paendrag

Smack-Fu Master, in training
54
Yeah, it's common for applications using PBKDF2 to update the number of iterations they do over time. For example, if you set a password with Lastpass back in like 2015, it'd probably only be like 5000 iterations. But if you had updated your password, it would use their latest default iteration count. It's not something they can update without you providing your master password, since it is basically a re-key of your entire vault.
But they could have updated it the next time you logged in (which is quite frequent), a password change isn’t needed.
 
Upvote
2 (2 / 0)

ERIFNOMI

Ars Legatus Legionis
18,077
They announced that they generate a new key when someone logs in via web browser. That means the attackers know that all passwords are X length, and they know the algorithm used to generate the keys. That seems like the real threat here. I was unaware until this hack and some research that they create a new key that you can use to decrypt everything. The idea that it uses only your master password is false, because they allow master password resets using that new server generated key. You can see the key for yourself by clearing your cache, then logging into Lastpass, and seeing the new files generated. The attackers will know that all the passwords they need are the same length. LastPass never should have allowed a reset option for the master password. That isn't zero knowledge since they generated a new encryption key, and admit as much. Zero knowledge means only the user has the key, but that is empirically false since you can reset the master password using the new key generated upon login to the program. The user doesn't even know the contents of that key. It is downloaded from a server or generated in some fashion (the file is hard to read). The attackers know that all decryption keys are X length because LastPass creates one you can use to reset your own master password. With true zero knowledge, I would have stayed because my master password is ridiculous. But that is moot since they generate one that can be used to reset said password. That means there is another key that can read everything, and the attackers have the code to generate it and know how long it is. Bad design choice which they call zero knowledge for marketing purposes. They admit on their own websites that a new key is generated which can read everything. The attackers will have the generation source code and the length of that key for the data they intend to crack. I was not aware of that until digging into this.
I thought my master password was the only key and made it a doozy, but they mooted it by having all last pass instances create a new server derived key on first login that you can use to reset your master password. For that to happen, said key must decrypt the contents of the vault.
That's how any reasonable symmetric encryption works. Your passphrase isn't the key, your passphrase unlocks the key. That's how you can change your password without re-encrypting everything or you can have multiple passphrases/keys/signatures to decrypt the same thing. It's also why you don't have to make a password exactly the length of your key.

They use AES-256. The key is always 256b. Key length is not a secret.
 
Upvote
4 (4 / 0)
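
The point made in the two posts above (the passphrase unlocks the key, and the iteration count can be raised at the next login), as an added example that is not part of the original thread and not LastPass or Bitwarden code: a random 256-bit vault key is wrapped under a PBKDF2-derived key, and `login` re-wraps it at a higher iteration count without a password change. The function names are hypothetical, and the XOR-plus-HMAC wrap is a standard-library stand-in for a real AES key wrap.

```python
import hashlib
import hmac
import secrets

LEGACY_ITERATIONS = 5_000     # old default mentioned in the thread
TARGET_ITERATIONS = 310_000   # OWASP figure for PBKDF2-SHA256 quoted in the thread
KEY_LEN = 32                  # 256-bit vault key; its length is not a secret


def subkeys(password: str, salt: bytes, iterations: int):
    """Stretch the password into a key-encryption key, then split it into
    an encryption pad and a MAC key (two HMAC calls with distinct labels)."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    pad = hmac.new(kek, b"wrap-pad", "sha256").digest()
    mac = hmac.new(kek, b"wrap-mac", "sha256").digest()
    return pad, mac


def wrap(vault_key: bytes, password: str, iterations: int) -> dict:
    """Wrap the vault key under the password. A fresh salt per wrap means
    the pad is never reused. Assumption: stand-in for an AES key wrap."""
    if len(vault_key) != KEY_LEN:
        raise ValueError("vault key must be 32 bytes")
    salt = secrets.token_bytes(16)
    pad, mac = subkeys(password, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(vault_key, pad))
    tag = hmac.new(mac, salt + ct, "sha256").digest()
    return {"iterations": iterations, "salt": salt, "ct": ct, "tag": tag}


def unwrap(record: dict, password: str) -> bytes:
    """Recover the vault key, or raise if the password does not match."""
    pad, mac = subkeys(password, record["salt"], record["iterations"])
    expected = hmac.new(mac, record["salt"] + record["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong password or corrupted record")
    return bytes(a ^ b for a, b in zip(record["ct"], pad))


def login(record: dict, password: str, target: int = TARGET_ITERATIONS):
    """Unlock the vault key. If the record still uses a lower iteration
    count, re-wrap the same key at the target count while the password is
    in memory. The vault data itself is not re-encrypted."""
    vault_key = unwrap(record, password)
    if record["iterations"] < target:
        record = wrap(vault_key, password, target)
    return vault_key, record


def change_password(record: dict, old: str, new: str) -> dict:
    """Changing the password only re-wraps the vault key."""
    vault_key = unwrap(record, old)
    return wrap(vault_key, new, max(record["iterations"], TARGET_ITERATIONS))


if __name__ == "__main__":
    vault_key = secrets.token_bytes(KEY_LEN)            # constructed sample key
    old_record = wrap(vault_key, "example passphrase", LEGACY_ITERATIONS)
    key, new_record = login(old_record, "example passphrase")
    print("same vault key:", key == vault_key)
    print("iterations:", old_record["iterations"], "->", new_record["iterations"])
```

Re-wrapping protects only the record stored from then on; a copy of the 5,000-iteration record taken earlier is still attacked at 5,000 iterations.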

ERIFNOMI

Ars Legatus Legionis
18,077
Well, Bitwarden is a bit of a different beast. That is totally 100% self-hosted, so the question then becomes: Am I better at managing this stuff than these online companies?

Probably yes, but mostly through the 'security through obscurity' model.

There is risk all around w/ storing this stuff online (self-hosted or not), which is why it is best (theoretically) to keep part of your locker in one area and the ability to access that locker in an entirely separate solution.

Example: BitWarden on your self-hosted solution, with a private key required to access it, which is stored on another online solution - say, Google Drive. Then of course using a strong password.
Bitwarden is open source and you can host it yourself, but they also offer it as a service themselves. They even have paid tiers and everything.
 
Upvote
8 (8 / 0)

l..v..p

Ars Scholae Palatinae
1,146
Subscriptor
This reminded me of the first example in 1Password’s security white paper.

Story 1: A (bad) day in the life of your data

Oscar somehow gains access to all of the data stored on the 1Password server. We don't know how, and we certainly tried to prevent it, but nonetheless, this is the starting point for our story.

Among the data Oscar acquires is an encrypted copy of your private key. (We store that on our server so that we can deliver it to you when you first set up 1Password on a new device.) If he can decrypt that private key, he will be able to do some very bad things. Nobody (other than Oscar) wants that to happen.

Oscar will take a look at the encrypted private key and see that it is encrypted with a randomly chosen 256-bit AES key. There is no way he will ever be able to guess that. But the private key is encrypted with a key derived from your account password (and other stuff) so he figures that if he can guess your account password he will be able to get on with his nefarious business.

But Oscar cannot even begin to launch a password guessing attack. This is because the key that encrypts your private key is derived not only from your account password, but also from your Secret Key. Even if he happens to make a correct guess, he won't know that he has guessed correctly. A correct guess will fail in the same way that an incorrect guess will fail without the Secret Key.

Oscar has discovered – much to his chagrin and our delight – that even all the data held by AgileBits is insufficient to verify a correct guess at someone's account password. “If it weren't for two-secret key derivation I might have gotten away with it” mutters Oscar. He probably shouldn't have bothered stealing the data in the first place. Without the Secret Keys it is useless to him.

If Oscar had read this document he would have learned that he cannot learn or guess your account password or Secret Key from data held or sent to AgileBits.
 
Upvote
9 (9 / 0)
Bitwarden is open source and you can host it yourself, but they also offer it as a service themselves. They even have paid tiers and everything.
Oh interesting. But I thought the entire point of Bitwarden was to be a self-hosted solution. If there is an online, paid tier for them hosting data I would assume they're just as vulnerable as LastPass, 1Password, etc. The whole 'someone else's computer' thing.

The entire reason I migrated away from my KeePass/Dropbox/Drive/password/key setup and to 1Password was because I liked their security model. They don't know anything about your stuff. So even if an attacker gained access to 1Password's servers, including password lockers, there wouldn't be a way to break into the lockers.
 
Upvote
-2 (2 / -4)

JymmyZ

Seniorius Lurkius
20
Those settings hash stored passwords using 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a hashing scheme that can make it infeasible to crack master passwords that are long, unique, and randomly generated. The 100,100 iterations is woefully short of the 310,000-iteration threshold that OWASP recommends for PBKDF2 in combination with the SHA256 hashing algorithm used by LastPass.
I checked my settings, and the value was set to 5000, I had never set it myself, but have had the account for at least 11 years. So I assume at some point the default was 5000 and was increased to something "woefully short" of recommended values. Which leads me to believe some have settings that are whatever 5000:100100 is if 100100:310000 is woeful.

Edit: Should have read all 12 pages before posting this. Figures others have noted the same.
 
Upvote
4 (4 / 0)

ERIFNOMI

Ars Legatus Legionis
18,077
Oh interesting. But I thought the entire point of Bitwarden was to be a self-hosted solution. If there is an online, paid tier for them hosting data I would assume they're just as vulnerable as LastPass, 1Password, etc. The whole 'someone else's computer' thing.

The entire reason I migrated away from my KeePass/Dropbox/Drive/password/key setup and to 1Password was because I liked their security model. They don't know anything about your stuff. So even if an attacker gained access to 1Password's servers, including password lockers, there wouldn't be a way to break into the lockers.
They have free and paid service.

Yes, someone could break in and steal all the databases Bitwarden has. Same could happen to Dropbox, they'd just have to root around to find your database. Dropbox is someone else's computer too.

This is why you encrypt everything. I can't guarantee someone isn't going to make their way into service X, Y, or Z. Likewise I can't guarantee someone isn't going to break into my house and walk off with my desktop or my server. So, everything is encrypted. No need for trust.
 
Upvote
11 (11 / 0)

Alexandria77

Wise, Aged Ars Veteran
120
They have free and paid service.

Yes, someone could break in and steal all the databases Bitwarden has. Same could happen to Dropbox, they'd just have to root around to find your database. Dropbox is someone else's computer too.

This is why you encrypt everything. I can't guarantee someone isn't going to make their way into service X, Y, or Z. Likewise I can't guarantee someone isn't going to break into my house and walk off with my desktop or my server. So, everything is encrypted. No need for trust.
Agreed, no trust is best.
 
Upvote
1 (2 / -1)
If it was purely for convenience, the strings could be decrypted, copied to a local repository, encrypted with a local device/app/user key combo upon the first authentication to the app (which could be required during install of the client).

I have yet to hear a valid technical explanation for why this field was left clear.
If the central store contents were never going to change, absolutely, you could just auth in on first connect and never worry about it again.

This gets more complicated when you have multiple devices that are depending on a central store and any given device could have added sites between the use of any other given device: if one device adds a new site, you have to reflect that back to other devices somehow.

I know [roughly] how ~I~ would balance this out in terms of security versus convenience, and it would involve a combination of timestamping, list fingerprinting/CRC (with that resulting hash stored without further encryption, not realistically any concern), and a limited number of "added sites" (you could add them raw, or you could do something like symmetrically encode them with a key generated via hashing the primary decryption pass that of course ideally would be kept in the device's secure user store for added security as well, but you'd still have to weigh related security concerns of keeping that hash stored on each device: probably minimal compared to other concerns of a device breach, but then it becomes something that could still theoretically be attacked if a device is lost unlike only if it is breached while live and in use--there are ways to improve this concept but it's out of scope here) with each entry expired when it's a week old, with out of date devices (determined by list fingerprint cross checking) requiring the user to re-sync using their primary decryption pass.

Ultimately this would still provide a degree of concern and require some related trust if the "most recent sites added" list was being stored in the raw centrally (sure, the service provider in that case could snoop each addition... but if you don't trust them to not jump through that level of hoops, you don't trust them enough to have local clients on your devices/etc at all), but it doesn't provide the same forms of easy temptation related concern as the entire list always being in the raw, while still providing plenty of convenience functionality.

(aside: the stuff where it's not just FQDNs for indexing and related UX/use flow utility but apparently? also secure notes/etc, THAT has no excuse)
 
Upvote
1 (1 / 0)

adamsc

Ars Praefectus
4,294
Subscriptor++
"Military grade" = AES256. Or possibly AES512.

I strongly dislike the 'military grade' description these password locker companies eschew in their promotional material. Tell me how you encrypt, don't fluff it.

I like it when someone says “military grade”. It tells me they're either incompetent or conmen and I don't need to spend more time learning about their product. It's rare that you can otherwise reliably evaluate a security product in 10 seconds.

For example: 1Password does not use the term. LastPass does.
 
Upvote
11 (11 / 0)
Also annoyed they're not making their 'hacked password' monitoring tools available to free-tier people.
On the dashboard they even have the audacity to leave up all the nags to really rub it in...

"Dark web monitoring: Cyber-crime is real. Don’t be a victim. With dark web monitoring, you’ll be proactively alerted if sites from your vault are breached. Monitor these addresses. All day, every day."

"Have any of your email addresses been breached? Upgrade to find out"

"Upgrade to start dark web monitoring and find out if you’re compromised in an online data breach."


2022 has been quite the year; I'm too tired for this :(
 
Upvote
3 (3 / 0)

alwaysforward

Smack-Fu Master, in training
4
I mentioned earlier, the timeline isn't clear because they likely have an independent third party doing the forensics investigation. While everyone else is mentioning potential solutions, LastPass said this access was acquired by compromising a user. So any of the other services are just as vulnerable because it was once again a stupid person that gave an attacker the keys to the vault ...literally.

LastPass is used all over the place. Password managers don't fall under any particular regulation but if the feds are impacted by this, they will be. How the hell did they not have EDR?

At this point I just encrypted an excel file which I exported from LP. That will at least give me time to choose the right solution. I realize some folks have a complicated setup but that isn't possible for everyone so we need to stop the judging. The people who need to be held accountable are LastPass. I have a number of devices, tablets and etc. To do any of the suggested solutions would be a time sink that I don't have. The issue here is LastPass was not transparent about their security controls and somehow they compromised a user that opened the front door for them. They need to be held accountable.
 
Upvote
4 (4 / 0)

Alexandria77

Wise, Aged Ars Veteran
120
Upvote
-1 (3 / -4)

southerndoc

Seniorius Lurkius
15
Subscriptor++
Think LastPass will let individual users know if they identify their vault was stolen?

I just spent 4+ hours resetting all my personal and business passwords (two instances of LastPass in a family plan) after resetting my master password. I also upped the PBKDF to 310,000 as recommended by OWASP.

Almost all of my important passwords also have 2FA enabled making it even harder for someone to gain access to one of those accounts. No, it's not impossible, but it does make it highly unlikely.
 
Upvote
4 (4 / 0)

Alexandria77

Wise, Aged Ars Veteran
120
I have a very secure master password and require 2FA to login. I just changed my master password to a different and even more complex one.

But I'm still looking at changing critical account passwords as well as stuff thrown in (In)secure Notes. That really peeves me.

I have to say, I'm beginning to think I should evaluate the local or self-hosted alternatives.
 
Upvote
1 (1 / 0)
“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” LastPass CEO Karim Toubba wrote, referring to the Advanced Encryption Scheme and a bit rate that’s considered strong. Zero Knowledge refers to storage systems that are impossible for the service provider to decrypt. The CEO continued:
Also... when we have places like the IRS getting attacked and leaking all of our social security numbers etc, It's nice to know someone actually takes these threats seriously. It's not if but when there is a data leak, I'm glad they have our data secured so well. Do you think the IRS took this much care with my social security number?
 
Upvote
-8 (1 / -9)

stige

Ars Praetorian
588
Subscriptor
I'm very surprised few people have mentioned the URL leaks. This is, IMHO, the most damaging leak I've seen.

ALL URLs that an account had stored were never encrypted. Whatever URLs you had logins for, those URLs are public + attached to your name, billing address, phone number, and email address.

It's now public who had .mil, .gov, OnlyFans, PornHub, Grindr, etc. accounts. That's just the USA.
I don't mind people knowing I bought something from Adam & Eve or used a dating app. I'm not even embarrassed that I use Bing as my daily driver for search. If someone wants to judge me for that it's a 'them' problem, not a 'me' problem

Please just don't judge me for my fox "news" account. I was young and unaware

snark aside.... this is annoying. as someone else mentioned there's no reason they shouldn't have been encrypting all of it, re the SSL and overhead argument. makes no sense to leave a piece of information hanging out like that in a process / system specifically meant to secure information

::angry samuel l. jackson.gif::
 
Upvote
1 (1 / 0)

Chuckstar

Ars Legatus Legionis
37,472
Subscriptor
Um, no? It's using the same tech as is used for accessing secure websites, or SSH or Wireguard or anything else decent: public/private keys. The site you're authenticating to never has your private key. You don't need to send it. If the site is hacked and their entire key database is dumped it doesn't matter. You could take a public key and post it in the forum for all to see and it doesn't matter, any more than you being able to click the lock and inspect Ars Technica's certificate and then the certificates of the chain to the CA (Amazon in this case) means you can now run a website and impersonate Ars.

You're not overly cynical, you're ignorant. Asymmetric auth isn't the same as symmetric. And none of these attacks, nor any scalable attack, are actual physical attacks. "Real-world meatspace" is precisely the advantage! Having a PIN or even just a touch to prove operator presence and then a blackbox to handle keys and identities is both easier and completely obsoletes entire classes of attacks.
A public key and a hashed strong password are essentially the same thing. The one difference is how a password vs key is sent to the server. You send a password to the server over an encrypted channel, then it is hashed server-side to compare to the stored hash, but it is the actual password being sent. With keys, you essentially sign a random number with your private key, then send that.

So the attack surface that exists with a strong password, that doesn’t exist with an asymmetrical key, is during the actual password communication process. Otherwise what asymmetrical keys provide is that users automatically end up with a strong password.

That is, you could post the hash of your strong password all over the internet and it would be just as secure as posting your public key all over the internet.
 
Upvote
0 (1 / -1)

Scionfall

Smack-Fu Master, in training
74
Dan (or anyone with cybersecurity knowledge): In your honest opinion, would you advise changing password manager services if you were on Lastpass? I have considered switching to 1Password but didn't want to go through the hassle of teaching my entire family to use another service. Lastpass sort of has a hold on me over that major inconvenience. However, I have zero desire to have accounts breached out of my laziness to retrain people. If so, what other services would you recommend for family accounts / family sharing and why?
I used to use Last Pass but decided to switch when VC's got a hold of them. I use Windows PC's for home and work and when shopping for a new Password Manager the one I ultimately chose was Bitwarden. It's easy to switch over - you can export your LP passwords to a CSV file and then import them into Bitwarden (this is a good time to review your accounts and possibly deactivate those you no longer use). Bitwarden can be installed as a browser extension and also has a mobile version which are both similar to LP. All this means once you get things setup on your devices you'll more or less just have to train them to look for the new app. Everything will work the same way. Of course, you'll want to delete the CSV file when done, too (which is to say - purge it from your recycle bin)
 
Upvote
0 (0 / 0)

RomeoWhiskey

Smack-Fu Master, in training
70
I switched to bitwarden when they launched their pay-for service. But I never came back to delete my account. So I went back and fixed the problem. Sadly, my encrypted data is out there.
Yikes, I too moved to bitwarden then too (and love it). Thankfully I did delete* my LP account. I got my Dad on LP years ago, now I need to get him migrated as well. Unfortunately, I doubt he's using a strong password, so I'll also have to impress on him to change all sensitive passwords (banking, etc). Ugh, there goes a few hours... :)

*Assuming when they say they're deleting an account, they actually are deleting it.
 
Upvote
1 (1 / 0)

Oldnoobguy

Ars Tribunus Militum
2,207
Subscriptor
Currently using LastPass with 2 factor authentication enabled wherever possible. My master password is around 40 characters long, with numbers, special characters and mixed case. The password has nothing in it that could be tied to anything about me that could be found online or in any documents, but it's easy for me to remember. The password also isn't a famous quote or from any literature, movie or song or any trivia, fact or historical event. It's not used elsewhere. I'm not worried about it getting cracked, but I'm moving off LastPass. It's inexcusable as far as I'm concerned to have any customer data unencrypted for a service like this. I'm pissed about having to move. I'm pissed about having to create new passwords. And I'm really pissed about needing to come up with a new master password.
 
Upvote
3 (3 / 0)

el_oscuro

Ars Praefectus
3,205
Subscriptor++
Sadly, I'm in the same boat. 5000 iterations (now set to 200k until I migrate to bitwarden/1password), so starting the arduous journey of changing every password. :(
There are numerous comments here about the 5000 iterations that many people have, because they set up their lastpass master password when that was the standard. But aren't all other password managers affected by the same issue? If they don't have your master password, they can't re-encrypt with newer, stronger algorithms.

So I am guessing that whatever password manager you use, you should change the master password periodically, if only to re-encrypt your vault with the new algorithm.
 
Upvote
-1 (0 / -1)

Alexandria77

Wise, Aged Ars Veteran
120
Currently using LastPass with 2 factor authentication enabled wherever possible. My master password is around 40 characters long, with numbers, special characters and mixed case. The password has nothing in it that could be tied to anything about me that could be found online or in any documents, but it's easy for me to remember. The password also isn't a famous quote or from any literature, movie or song or any trivia, fact or historical event. It's not used elsewhere. I'm not worried about it getting cracked, but I'm moving off LastPass. It's inexcusable as far as I'm concerned to have any customer data unencrypted for a service like this. I'm pissed about having to move. I'm pissed about having to create new passwords. And I'm really pissed about needing to come up with a new master password.
Absolutely. Total loss of faith.
 
Upvote
1 (1 / 0)
I've used keepass for years with no issues except a rebuild of database file after errors or whatever. What I like about it aside from free/open source is that you can store the file wherever the hell you want to. Local if that's all you want, google drive, dropbox, onedrive, whatever. I use google drive. Syncs with my multiple pcs, android phone, etc. What I find compelling about it is that this random storage of files on various drives is not a specific target of hackers like Lastpass etc central storage is. People can try to hack my google drive account, but they're not specifically looking for my keepass file because they have no idea a) if I'm a keepass user and b) where the hell I stored it. Plus I trust Google more than Lastpass or the others to keep my data safe. No bells and whistles, no ads, 1990s interface (ftw).
 
Upvote
1 (2 / -1)

Stern

Ars Praefectus
4,067
Subscriptor++
I like it when someone says “military grade”. It tells me they're either incompetent or conmen and I don't need to spend more time learning about their product. It's rare that you can otherwise reliably evaluate a security product in 10 seconds.
Isn't that usually jargon for FIPS140-2 compliance? Which, until relatively recently, meant including the backdoored Dual_EC_DRBG generator.
 
Upvote
4 (4 / 0)

el_oscuro

Ars Praefectus
3,205
Subscriptor++
For what it’s worth, I can say 1Password and Bitwarden offer somewhat more entropy than just four words in their passphrase generators.

The divider can be nearly any character, you can add capitalization, you can add numbers, and from what I can tell, it’s significantly more than the most common 4096 words.

I recently got rather esoteric words like moravia, kibitz, pibroch, neology, and rowel.

See here: https://1password.com/password-generator/ (this has some fewer options than 1Password itself; see below)

EDIT: according to this site, Bitwarden uses 7,776 words. 1Password uses 18,300 words.

https://passwordbits.com/passphrase-cracking-calculator/
If you are using a shell script to generate password candidates like I do, you can make up your own word lists. For example, if I wanted a word from this comment page, I could do something like:
Code:
$ cewl -d 0 https://meincmagazine.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/?comments=1\&comments-page=9
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
and
the
LastPass
data
that
The
Share
Ars
customers
...
encrypted
stored
storage
hackers
hit
single
Google
...
 
Upvote
1 (1 / 0)
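
An added example, not part of the original post: building a passphrase from a custom word list like the CeWL output above and measuring what it is worth against the 7,776-word and 18,300-word lists cited earlier. The sample list is constructed from the words visible in that output; the function names are hypothetical, and the entropy figures assume every word is drawn uniformly with a CSPRNG.

```python
import math
import secrets

# Constructed sample: the words visible in the CeWL output quoted above.
SAMPLE_WORDS = [
    "and", "the", "LastPass", "data", "that", "The", "Share", "Ars",
    "customers", "encrypted", "stored", "storage", "hackers", "hit",
    "single", "Google",
]


def build_wordlist(raw_words, min_len=4):
    """Lower-case, drop short or non-alphabetic tokens, and de-duplicate.
    Case variants such as "the"/"The" would otherwise be counted twice and
    inflate the list size used in the entropy estimate."""
    seen = {}
    for word in raw_words:
        word = word.strip().lower()
        if len(word) >= min_len and word.isalpha():
            seen.setdefault(word, None)   # dict keeps first-seen order
    return list(seen)


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(wordlist, n_words: int, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG; the separator adds no entropy here
    because it is fixed."""
    if len(wordlist) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    words = build_wordlist(SAMPLE_WORDS)
    print(len(words), "usable words from the sample")
    print("example:", passphrase(words, 4))
    for name, size in [("sample", len(words)), ("7,776 list", 7776),
                       ("18,300 list", 18300)]:
        print(f"{name}: 4 words = {entropy_bits(size, 4):.1f} bits, "
              f"{words_needed(size, 80)} words for 80 bits")
```

A list scraped from a single page is small, so each word contributes only a few bits; the size of the de-duplicated list, not how unusual the words look, sets the strength.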