- Apr 28, 2015
- 8,911
KeePass (offline without browser add-on) -> manually Perform Auto-Type + FF here...
LastPass master passwords may have been compromised
- Thread starter Gandalf_The_Grey
- Start date
- Status
- Jun 5, 2014
- 276
the security model of lastpass is kinda outdated! look at the 1password security model . it requirers a secret key with 128 bit strength every time you want to login from a new device and the master password itself and even when the master password leaks it is used for local encryption not in the cloud. the security model of 1password is miles ahead of any other manager in the market. this incident is maybe because of what lastpass says an internal error but i myself dont trust them really shady company and really clunky password manager.
- Aug 17, 2013
- 229
The reason this keeps happening to them is because the amount of users they have , if one is able to hack into LastPass the rewards would be far greater than hacking into a less known password service, so it doesn't really matter which service you use , if it stores your info online , eventually it will be targeted, the key is for the service to be prepared and protected which it seems LastPass never is.
Never store anything online that you cannot afford to lose.
Never store anything online that you cannot afford to lose.
- Jul 27, 2015
- 5,458
Let me try help and remind anyone else that can't fully grasp basic service email warning messages.
In basic plain English that means : the service worked as intended and no access or no bypass was made. If messages like that makes some people upset and more paranoid, they should avoid check Microsoft accounts. That would really make them loose it.
- Jul 3, 2015
- 8,153
I don't pay for the service, I am on the free version.
Yes, there are people who have good memories, and don't tend to fumble and forget when under stress and time pressure. For them, the risk of an online password manager may be greater than the benefit of easy access to critical web services. It is the individual's decision when it comes to questions of risk management such as this.
People are mostly concerned about the part that says “someone just used your master password”.Let me try help and remind anyone else that can't fully grasp basic service email warning messages.
In basic plain English that means : the service worked as intended and no access or no bypass was made. If messages like that makes some people upset and more paranoid, they should avoid check Microsoft accounts. That would really make them loose it.
It’s great that the access was blocked. But they still want to know how anyone managed to get their passwords in the first place.
- Jul 27, 2015
- 5,458
Rants, account deletions info and other service advertising along with crystal clear disinformation. Not what I would call and interpret as " concerned ".
Gandalf_The_Grey
Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,260
We probably will never know what really happend.
The best users of LastPass can do is change their master password AND turn on 2FA.
Check your master password and your emailadres at "have i been pwned?".
Recently RedLine Stealer malware logs were added containing thousands of LastPass login pairs:
haveibeenpwned.com
The best users of LastPass can do is change their master password AND turn on 2FA.
Check your master password and your emailadres at "have i been pwned?".
Recently RedLine Stealer malware logs were added containing thousands of LastPass login pairs:
Have I Been Pwned: Check if your email has been compromised in a data breach
Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.
- Apr 5, 2021
- 620
Is 2FA really that necessary if a very strong - especially length - master pw is used? I ran mine through a couple different pw strenth test sites and the minimum time to crack it was a million years! I did assume this would be offline cracking. Honestly it seems like a lot of overreaction to this, though I'm one to talk, as this thread resulted in me switching to KeepassX(Linux) & Keepass 2 (Windows) 
Gandalf_The_Grey
Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,260
In case a (master) password is leaked, 2FA is second level of defense against account takeover.Is 2FA really that necessary if a very strong - especially length - master pw is used? I ran mine through a couple different pw strenth test sites and the minimum time to crack it was a million years! I did assume this would be offline cracking. Honestly it seems like a lot of overreaction to this, though I'm one to talk, as this thread resulted in me switching to KeepassX(Linux) & Keepass 2 (Windows)
I have and advice others to enable 2FA on all important accounts like email, social media and passwordmanagers
- Apr 5, 2021
- 620
I agree 2FA indisputably adds security on the password, but I am really curious how long it take to crack a leaked 13-15 character, well hashed encrypted pw. I get the feeling 2FA isIn case a (master) password is leaked, 2FA is second level of defense against account takeover.
I have and advice others to enable 2FA on all important accounts like email, social media and passwordmanagers
Last edited:
Gandalf_The_Grey
Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,260
I agree with your post, but the rumors say that they are leaked and used, highly unlikely, but again not real issue with 2FA.
- Apr 13, 2013
- 3,224
(note: this post is only directed to a LastPass user who may be rightfully and understandably concerned, as I'm certain that Old Hands here will find the below Intuitively Obvious and thus not needed).
The main issue with LastPass may be that the LP user may be defeating any security provided by LP by storing the master password locally. So see see this could be the case, try to open the Password Vault. If the vault opens in the default browser AND the login credentials are populated by the browser this obviously could be an issue if one is affected by a credential stealer (like Redline).
So for any LP users so effected (and want to continue with LP), best practice would be to:
1). Delete any reference to Lastpass in the browser password section
2). Change Password (duh...)
3). Store the changed login credentials locally (easiest thing here would be to create text file and save it somewhere on the drive as a password protected archive)
4). When going back into the vault, cut and paste the previously saved credentials. disregarding saving the same to browser
5). Always and Forever use an outbound alerting firewall as any keyloggers, credential stealer, etc will be ineffective if outbound connections are blocked for it.
The main issue with LastPass may be that the LP user may be defeating any security provided by LP by storing the master password locally. So see see this could be the case, try to open the Password Vault. If the vault opens in the default browser AND the login credentials are populated by the browser this obviously could be an issue if one is affected by a credential stealer (like Redline).
So for any LP users so effected (and want to continue with LP), best practice would be to:
1). Delete any reference to Lastpass in the browser password section
2). Change Password (duh...)
3). Store the changed login credentials locally (easiest thing here would be to create text file and save it somewhere on the drive as a password protected archive)
4). When going back into the vault, cut and paste the previously saved credentials. disregarding saving the same to browser
5). Always and Forever use an outbound alerting firewall as any keyloggers, credential stealer, etc will be ineffective if outbound connections are blocked for it.
Last edited:
- Nov 10, 2017
- 3,250
- May 19, 2016
- 1,580
Thanks @CyberTech
And do you know if it exists an easy way to delete all passwords stored in password managers (AV suites or softwares) ?
- Nov 10, 2017
- 3,250
There is a way to delete passwords/notes/logins/etc list in the vault so it would take a long if you have alot of saved password item.
- May 1, 2015
- 314
- May 19, 2016
- 1,580
If my understanding is right you mean that the only solution is to delete manually every password stored ?
If I close/delete my account , my passwords/informations are not deleted ?
- Status
Similar threads
