Lastpass compromised
Posted on 12/24/22 at 3:08 pm
PSA for those who use Lastpass and may not have seen some of the articles about the hack, the entire database / vault of passwords was apparently downloaded. With the hackers having access to the list of Master passwords and the “vault” they can simply run a brute force against the list and unlock everyone’s password in time.
Nakedsecurity blog
Lastpass most recent communication
Posted on 12/24/22 at 7:24 pm to Cymry Teigr
Again.... Storing your credentials in 'the cloud' always sounded dumb, and here is why.
This should end them, but it won't.
Posted on 12/24/22 at 8:05 pm to Cymry Teigr
Should have been using Bitwarden. You can even self host if you want. But regardless it's open source and end to end encrypted.
If the company managing your passwords has a backdoor so can any attacker.
Posted on 12/25/22 at 2:43 am to Cymry Teigr
a pen & paper list tucked into a safe hiding spot is much more secure.
Posted on 12/26/22 at 5:02 pm to M. A. Ryland
If you're going to go that drastic then why not just not even write anything down and reset your password every fricking time you log in, right?
Of course not, because there comes a point where inconvenience outweighs security.
Posted on 12/26/22 at 6:14 pm to emanresu
Not only that, but a pen/paper password list makes you less likely to update your passwords regularly, reducing your overall security.
Posted on 12/27/22 at 11:28 am to Cymry Teigr
I thought the master passwords were hashed.
Posted on 12/27/22 at 12:05 pm to chryso
quote:
I thought the master passwords were hashed
They are, but still crackable.
Posted on 12/27/22 at 2:04 pm to Korkstand
quote:
They are, but still crackable.
This is pretty in depth coverage of the event. LINK / The TL;DR version is if you are Joe Six Pack and used a reasonably long master password you should be fine, just watch out for phishing attempts. If you're a 1 Percenter worth throwing the computer resources at, they can crack it and you should probably change all of your passwords now.
Posted on 12/27/22 at 2:26 pm to Cymry Teigr
Seems like a pretty sophisticated attack (likely Russian or Chinese state sponsored). They actually targeted LastPass employees and stole crypto keys from them (oops).
LastPass claims that the password database is still encrypted and will be as secure as your master password is. Unfortunately, this means not very secure (for most people).
As Bruce Schneier said:
quote:
But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.
Exactly.
Posted on 12/27/22 at 2:42 pm to AUstar
quote:
But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.
Spot on. For years now the cloud has been sold as a panacea. Just like anything else, while the cloud has valid use cases, it just isn't a good fit for everything under the sun.
This post was edited on 12/27/22 at 2:43 pm
Posted on 12/27/22 at 3:00 pm to jdd48
Y'all know all of your bank accounts (Regions.com, USAA.com, etc.), cell phone service (ATT.com, iCloud phone backups), etc., are all hosted on "a cloud?" The ability to move money presents a far greater fraud impact than anything else.
Focus on the right targets: password re-use and weak passwords, particularly master passwords.
Teaching people how to sync passwords using local storage will get you laughed at by 99.999999% of people. They'll just keep using "geauxtigers" for every single website and service that they use.
I switched to Bitwarden years ago, but that was more of a functionality issue than anything else.
Posted on 12/28/22 at 11:36 pm to Cymry Teigr
Your passwords in Lastpass are still safe though.
(unless you used a weak password)
The architecture of products like LastPass and Bitwarden is that they don't know your passwords and they don't know or store your master password to the vault. This protects you against bad actors be it internal or external to LastPass.
Posted on 12/29/22 at 12:14 am to BeepNode
quote:
Your passwords in Lastpass are still safe though.
(unless you used a weak password)
Even strong passwords are crackable eventually.
quote:
The architecture of products like LastPass and Bitwarden is that they don't know your passwords and they don't know or store your master password to the vault. This protects you against bad actors be it internal or external to LastPass.
This is true of every site or service with a password (at least it should be), but the thing about password managers is you only have to crack one password to crack them all (for a given user). That makes each one of much higher value than typical account passwords and as such more resources may be devoted to cracking them. Especially since, as mentioned in the link posted above, LastPass apparently didn't encrypt URLs stored in the vaults giving the attackers a super effective way to sort cracking priority.
Posted on 12/29/22 at 1:05 am to Korkstand
quote:
Even strong passwords are crackable eventually.
Not really, in practical terms.
quote:
This is true of every site or service with a password
Nope, not even close. Most sites have sys admins that can technically access your data either directly, through delegation, or by resetting your pw and logging in. This is true even with big secure companies like Google. Just ask the FBI, NSA, DHS, and CIA.
Posted on 12/29/22 at 1:33 am to BeepNode
quote:
Not really, in practical terms.
Security recommendations are updated often because what was once impractical has become practical. I don't expect that to end.
quote:
Nope, not even close. Most sites have sys admins that can technically access your data either directly, through delegation, or by resetting your pw and logging in. This is true even with big secure companies like Google. Just ask the FBI, NSA, DHS, and CIA.
Your data in many cases yes, your password no. And yes they can reset your password but they cannot reveal or recover your existing one (without brute force cracking).
I do realize that the password vaults (your data) are encrypted whereas a lot of other sites and services store your data unencrypted, however that does not make me feel warm and fuzzy inside because still only one password has to be cracked to reveal dozens or hundreds more.
The encrypted data is out there. It can't be taken back or encrypted any stronger. All passwords ever stored with LastPass have to be assumed compromised.
Posted on 12/29/22 at 5:15 am to Korkstand
So should people be worried? I have everything on LP. I got their email about this and they played as though it's going to be fine. I changed my Master, even though it was already a good password, as I figured another new long one wouldn't hurt. Am I likely safe?
Posted on 12/29/22 at 9:00 am to Sho Nuff
quote:
So should people be worried? I have everything on LP. I got their email about this and they played as though it's going to be fine. I changed my Master, even though it was already a good password, as I figured another new long one wouldn't hurt. Am I likely safe?
Yes, you will be fine so long as your master was a decent password and was unique. Changing your master now doesn't really help because your master in their copy of the vault will never change. You should always use two-factor authentication when possible.
Big tech is trying to move away from passwords, believe it or not.
Posted on 12/30/22 at 4:21 am to BeepNode
quote:
Changing your master now doesn't really help because your master in their copy of the vault will never change.
Yikes. I had a unique password. It was 12 characters and nothing that could tie to me, but if they have a long time to just keep trying then who knows...
Posted on 12/30/22 at 3:10 pm to Sho Nuff
quote:
Yikes. I had a unique password. It was 12 characters and nothing that could tie to me, but if they have a long time to just keep trying then who knows...
The passwords your LP account was protecting will be susceptible forever unless you change them along with your 'master' pw.
Are you likely to be targeted? Who knows, but I know I would spend 5 minutes of my day to change all my pws if it were me.
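Two points argued across this thread can be made concrete: why a stolen vault copy is unaffected by changing the master afterwards, and how much the length and randomness of the master (and the key-stretching iteration count) change the cracking effort. The Python below is an added example written for this page; it is not LastPass's code, not Bitwarden's, and not anything a poster supplied. The iteration count, the attacker's SHA-256 rate, the salt and the sample passwords are constructed assumptions, and modelling the stored record as a hash of the PBKDF2-derived key is a simplification of how such services actually store login verifiers.

```python
import hashlib
import math

# Constructed assumptions for illustration only (not LastPass's documented
# parameters): a PBKDF2-SHA256 iteration count and the raw SHA-256 rate of
# one hypothetical cracking rig.
ITERATIONS = 100_000
ASSUMED_SHA256_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into the 256-bit key that protects the vault.

    The service never needs the password itself, only this derived key (or a
    hash of it), which is why a breach does not hand over plaintext masters.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def login_verifier(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Simplified model of what the service stores to check a login: a hash
    of the derived key, never the master password."""
    return hashlib.sha256(derive_vault_key(master_password, salt, iterations)).digest()


def snapshot_vault(master_password: str, salt: bytes, iterations: int) -> dict:
    """Model a stolen backup: a frozen copy of the salt, the iteration count
    and the verifier exactly as they were at the moment of the theft."""
    return {"salt": salt, "iterations": iterations,
            "verifier": login_verifier(master_password, salt, iterations)}


def snapshot_accepts(snapshot: dict, candidate: str) -> bool:
    """A frozen copy still answers 'is this the master?' on its own, no
    matter what happens to the live account later."""
    return login_verifier(candidate, snapshot["salt"],
                          snapshot["iterations"]) == snapshot["verifier"]


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password chosen uniformly at random from the charset."""
    return length * math.log2(charset_size)


def expected_crack_years(length: int, charset_size: int,
                         iterations: int = ITERATIONS,
                         sha256_per_second: float = ASSUMED_SHA256_PER_SECOND) -> float:
    """Expected time to exhaust a random password of this shape: on average
    half the keyspace, each guess costing `iterations` SHA-256 rounds.
    Dictionary words or personal patterns collapse this figure, which is
    why 'random' matters as much as 'long'."""
    guesses_per_second = sha256_per_second / iterations
    expected_guesses = 2 ** (password_entropy_bits(length, charset_size) - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def rotation_demo() -> dict:
    """Change the master after a theft and compare the live record with the
    stolen copy. Salt and passwords are constructed sample values."""
    salt = b"constructed-sample-salt"
    old_master = "tiger-bayou-1842-lamp"
    new_master = "cypress-quorum-7731-tin"
    stolen = snapshot_vault(old_master, salt, ITERATIONS)
    live_verifier_after_change = login_verifier(new_master, salt, ITERATIONS)
    return {
        # the live service's record does change ...
        "live_record_changed": live_verifier_after_change != stolen["verifier"],
        # ... but the stolen copy is still bound to the old master
        "stolen_copy_still_accepts_old_master": snapshot_accepts(stolen, old_master),
        "stolen_copy_accepts_new_master": snapshot_accepts(stolen, new_master),
    }


if __name__ == "__main__":
    print(rotation_demo())
    for length, charset in [(8, 26), (12, 26), (12, 95), (20, 95)]:
        bits = password_entropy_bits(length, charset)
        print(f"{length} chars from {charset}: {bits:5.1f} bits, "
              f"~{expected_crack_years(length, charset):.3g} years at {ITERATIONS} iterations, "
              f"~{expected_crack_years(length, charset, iterations=5_000):.3g} years at 5000")
```

The rotation result is the whole point of the "changing your master now doesn't really help" exchange: the new master only changes the live record, so the defensive move is rotating the site passwords the old vault was protecting. The cost table shows the other half of the thread's argument: under these constructed figures an 8-character lowercase master falls in days while a random 12-character one takes millennia, and dropping the iteration count from 100,000 to 5,000 cuts whatever figure you get by a factor of twenty.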