Lastpass says hackers accessed customer data in new breach

[I Walk MY Way]

Dont think of last pass as a Password Manager think of it a a IQ test, last pass has failed on security lied and been far from truthful about security incidents, why would you trust them with your data? Would you ask a fraudster to look after your money ?

 

[Guilhermesene]

Dont think of last pass as a Password Manager think of it a a IQ test, last pass has failed on security lied and been far from truthful about security incidents, why would you trust them with your data? Would you ask a fraudster to look after your money ?

Yes, I understand and I won't do that.

As I am new and have NEVER used the service, I was just curious to know if some users will continue to use it and if it is safe.

Right now all my passwords are managed by KeePass (fully offline). It is a pity that LastPass reached this point, for the short time I "used" the service, about 30 minutes, it seemed to me to be a great password manager.

 

[Divine_Barakah]

Hello guys,

I have a doubt: I didn't know about Lastpass, I only used Bitwarden (I'm sick of it) and offline password managers like KeePass. I created a random account just to check how Lastpass works and I liked it. Is anyone still using it? Is there any risk? If so, is there a product similar to LastPass?

I was reading on the LastPass blog and from what I understand, even if the data has been leaked, hackers will not be able to access the vault since there is no way to know the master password of each vault because LastPass is zero knowledge, but I could be wrong because I never used the service. What opinion can you give me about this?

Thank you all!

Functionalit wise, Lastpass is great. In terms of security, any cloud password manager is not to be trusted no matter how they market it.

Please any password manager that offers offline syncing (via wifi). Sticky Password and Enpass both offer such functionality.

 

[Amnesia]

N I C E

 

[Guilhermesene]

Functionalit wise, Lastpass is great. In terms of security, any cloud password manager is not to be trusted no matter how they market it.

Cool, that's good to know. That's what I thought, as a password manager (in terms of functionality) it seemed excellent to me, but it has this other downside that you mentioned.

I have a lifetime license of SP, however, I don't know if it works on MacOS as well.

I would like something similar to LastPass that syncs between my devices (android, mac and windows). The way is to continue using KeePass despite the difficulty in synchronizing between devices.

 

[Divine_Barakah]

Cool, that's good to know. That's what I thought, as a password manager (in terms of functionality) it seemed excellent to me, but it has this other downside that you mentioned.

I have a lifetime license of SP, however, I don't know if it works on MacOS as well.

I would like something similar to LastPass that syncs between my devices (android, mac and windows). The way is to continue using KeePass despite the difficulty in synchronizing between devices.

Users complained on Trustpilot on SP functionality on Mac. Anyway, give it a try and see how it works. Then try Enpass and see how it works and then you can decide what works best fir you.

 

[Arequire]

I was reading on the LastPass blog and from what I understand, even if the data has been leaked, hackers will not be able to access the vault since there is no way to know the master password of each vault because LastPass is zero knowledge

While the hackers don't know the master passwords, by having copies of the vaults in their possession, they have an unlimited amount of time to crack them. Think about how bad people are at coming up with secure passwords on their own, and now imagine how many LastPass users were using weak master passwords when the vaults were stolen. The fallout's not going to be pretty.

 

[Divine_Barakah]

While the hackers don't know the master passwords, by having copies of the vaults in their possession, they have an unlimited amount of time to crack them. Think about how bad people are at coming up with secure passwords on their own, and now imagine how many LastPass users are using weak master passwords. The fallout's not going to be pretty.

Exactly, it is a gample I am not willing to take.

But what users are doing is unrational. Most of them migrated to BW, which is also cloud-based. The fact that jt is open source does not make things any better. The data is stored in the cloud and the same thing can happen.

 

[Guilhermesene]

Exactly, it is a gample I am not willing to take.

But what users are doing is unrational. Most of them migrated to BW, which is also cloud-based. The fact that jt is open source does not make things any better. The data is stored in the cloud and the same thing can happen.

Really you are right.

Right now I'm using KeePassXC (because it works on both Mac and Windows) and I keep everything offline with backup copies on other external devices that are also protected by Bitlocker.

Even though the synchronization between the devices is a little inconvenient, I'll keep it that way, for the sake of greater security.

Thank you for your answers and for your attention. @Divine_Barakah and @Arequire.

 

[RoboMan]

"We have determined that an unauthorized party,[U] using information obtained in the August 2022 incident, was able to gain access[/U] to certain elements of our customers' information."

How on earth do you have a security incident and still manage to keep the same configurations? Even more, how do you get information compromised and don't take the necessary measures as to avoid stolen information being used to attack again?

 

[Azure]

I don’t think the problem is being a cloud pw in itself. But rather how badly Lastpass handle the security of its users.

If they had

- Encrypted website URLs
- Properly notified users of weak master passwords
- Properly increase all users password iterations

Could this had prevented the hack? Nah, I don’t think so. But the hack wouldn’t have been as catastrophic as we have today.

 

[Arequire]

Exactly, it is a gample I am not willing to take.

But what users are doing is unrational. Most of them migrated to BW, which is also cloud-based. The fact that jt is open source does not make things any better. The data is stored in the cloud and the same thing can happen.

Ultimately it's a personal decision. There's always risk no matter where you choose to store your data. Obviously this LastPass breach shows how damaging it can be if you choose to store your data on someone else's server, and that data is accessed by a malicious actor, but that doesn't mean it's guaranteed to happen. But even those who opt to store data locally are still at risk of malware infecting their system and exfiltrating that data (which, again, doesn't mean it's guaranteed to happen, but the risk is still present).

 

[Divine_Barakah]

Really you are right.

Right now I'm using KeePassXC (because it works on both Mac and Windows) and I keep everything offline with backup copies on other external devices that are also protected by Bitlocker.

Even though the synchronization between the devices is a little inconvenient, I'll keep it that way, for the sake of greater security.

Thank you for your answers and for your attention. @Divine_Barakah and @Arequire.

I really like KeepassXC, but the absense of dedicated mobile apps made me look elsewhere.

I don’t think the problem is being a cloud pw in itself. But rather how badly Lastpass handle the security of its users.

If they had

- Encrypted website URLs
- Properly notified users of weak master passwords
- Properly increase all users password iterations

Could this had prevented the hack? Nah, I don’t think so. But the hack wouldn’t have been as catastrophic as we have today.

But storing password locally gives more control and peace of mind.

A havk is still a hack. If for example Bw was havked and they informed users that no data was accessed? What would you do? Youll have doubts and most likely you will panic.

Thus, it is sound to keep you data locally stored.

Ultimately it's a personal decision. There's always risk no matter where you choose to store your data. Obviously this LastPass breach shows how damaging it can be if you choose to store your data on someone else's server, and that data is accessed by a malicious actor, but that doesn't mean it's guaranteed to happen. But even those who opt to store data locally are still at risk of malware infecting their system and exfiltrating that data (which, again, doesn't mean it's guaranteed to happen, but the risk is still present).

You are right. Offline password managers have attack vectors, but they are simply not prone to the same attack vectors of online password managers.

A server containing the dafa of millions of users is a valuable target.

 

[Azure]

But storing password locally gives more control and peace of mind.

A havk is still a hack. If for example Bw was havked and they informed users that no data was accessed? What would you do? Youll have doubts and most likely you will panic.

Thus, it is sound to keep you data locally stored.

You are right. Offline password managers have attack vectors, but they are simply not prone to the same attack vectors of online password managers.

A server containing the dafa of millions of users is a valuable target.

Remember not all users want control. (it’s the reason why HIPS aren’t popular) they rather have convenience.

 

[Divine_Barakah]

Remember not all users want control. (it’s the reason why HIPS aren’t popular) they rather have convenience.

You have a point here. Tbh if users are responsible of taking care of syncing password using for example Enpass, they might lose all of their passwords. Cloud password managers take care of that but that comes at a price.

 

[Guilhermesene]

This article is very interesting to read

Not in a million years: It can take far less to crack a LastPass password | 1Password

How 1Password goes above and beyond to protect you in the event of a data breach.

blog.1password.com

 

[piquiteco]

I will sync my passwords to the cloud no problem, but I will do the following, keep only a part of the password like this "3zN$KSohZn!vR78&cvXC" the rest that would be suffix or prefix would be basically like this + U4!5J%x^s* I will memorize the rest in my memory and if the cloud service is hacked good luck to the hacker

 

[Azure]

I will sync my passwords to the cloud no problem, but I will do the following, keep only a part of the password like this "3zN$KSohZn!vR78&cvXC" the rest that would be suffix or prefix would be basically like this + U4!5J%x^s* I will memorize the rest in my memory and if the cloud service is hacked good luck to the hacker

I remember a few years ago. In another security forum, a user doing and suggesting what you describe here. Splitting passwords between password managers and IRL

 

[R2D2]

I really like KeepassXC, but the absense of dedicated mobile apps made me look elsewhere.

For Keepass, take a look at Keepassium and Strongbox available on iOS, not sure about Android.

I've been a Lastpass refugee/victim thanks to their nonchalant attitude towards security not just recently but going back years when it was clearly their job to educate and update customers/users about the risks & the mitigation strategies users ought to take immediately in case of hack attempts AND strengthen their own defences against such breaches.

Lastpass it seems was a sitting duck. I mean what so called security company employee falls for a phishing scam?! Aren't the employees trained and do they attend refresher courses in data security at regular intervals?

I've used Lastpass for about a decade or maybe just a bit longer, since 2012/13 IIRC. When I look back I think ever since LP changed hands and with the entry of PE investors something fundamentally changed in their outlook. LP became more profit oriented with my subscription increasing from $12/year to $24/year to $36/year, restriction in # of devices that can access the service (2021). Security of data became low priority just as hack attacks increased.

As I said earlier on this thread I blame myself for not seeing the danger signs and moving out instead revelling in the comfort of using, what is even today, one of the most user friendly and complete password managers on the market. And this after coming straight from Roboform an established PM in its own right (and the 1st one I ever used ) but one that hardly gets any love by reviewers or even on social media and other fora. LP does everything so well and it's really hard to fault LPs functionality and ease of use. The UI could do a bit of sprucing up but that's secondary.

I admit what happened to LP can happen to BW or 1Password or other cloud PM but I found Lastpass' approach and response extremely lackadaisical and wanting. The current brouhaha smacks of a CYA operation that is driven by lawyers to minimise the risks of legal fallouts. I get the feeling things are much worse on the inside than LP cares to admit publicly.

Oh well, live and learn.

 

[piquiteco]

For Keepass, take a look at Keepassium and Strongbox available on iOS, not sure about Android.

For Android it is Keepass2Android or KeePassDX

I remember a few years ago. In another security forum, a user doing and suggesting what you describe here. Splitting passwords between password managers and IRL

Yes, exactly it was in security forum, I just remember where, later I saw it on Youtube, the curious thing is that the person who uses it this way is a developer seems more paranoid than me.