Lastpass says hackers accessed customer data in new breach

Hello guys,

I have a doubt: I didn't know about Lastpass, I only used Bitwarden (I'm sick of it) and offline password managers like KeePass. I created a random account just to check how Lastpass works and I liked it. Is anyone still using it? Is there any risk? If so, is there a product similar to LastPass?

I was reading on the LastPass blog and from what I understand, even if the data has been leaked, hackers will not be able to access the vault since there is no way to know the master password of each vault because LastPass is zero knowledge, but I could be wrong because I never used the service. What opinion can you give me about this?

Thank you all! 🙂
Breaching the servers and getting access to your vault file doesn't do much actually. It's still necessary to know your vault's password to decrypt the file so, unless you use an extremely weak password, it would take thousands of years to decrypt with current technology.

Actually, depending on your key strength, the heat death of the universe will happen first...


 
But what if a password manager had a backdoor and the malicious actors got access to that? What about wrong implementation of encryption? What if the password manager lied about storing the master password or its derivative?
 
Then your passwords are not safe with that software, no matter where it's stored.
 
If the data is stored locally, then it does not matter if the master password or its derivative is stored elsewhere.

If someone has a key to your safe, but has no access to the safe itself, then the key is useless.
 
@mlnevese Testing 1password seems good, I liked it and it's convenient and very friendly, it left my heart even divided with other PMs(y)
 
They have been adding a lot of features lately. For instance, if you use your Google account to log in somewhere and have multiple Google accounts, it will not only record that you used a Google account but which one should be used. It also works with Facebook and other 3rd party login methods.

I really like it. From all the managers I tested it was the one that better covered my needs. The ability to show your password in big characters is a gift when I have to configure a new TV, for instance.
 
@piquiteco about 1Password - their customer support is friendly and quite responsive. I think they're flooded, as would be Bitwarden support, with enquiries after the LP fiasco. For good user interface look no further than 1Password. Next is Dashlane and then Bitwarden. In terms of security they all claim to be secure but then Lastpass claimed this too until the #hit hit the fan last month. :D For noobs I'd suggest 1PW without a doubt and for flexibility (self hosting) and geeks it would be Bitwarden. Dashlane is somewhere in the middle. Like LP, Dashlane only has a web UI. They discontinued their desktop app in '21 or '22. Dashlane uses the Argon2 KDF by default but can switch to PBKDF2 in the account setting.

Now more about LP - deleted accounts can be restored but with no guarantee of data being available. I tested this by emailing their support team. They restored my wife's account but could not restore mine. I checked that the KDF iteration value was 5000, while my LP account was set to 100,100 (default), which I checked before deleting it on Christmas day. I have retained these 2 recreated LP accounts as guinea pigs... test mules.

Also, my wife's BW account was also set at 5K, since increased to 310K. Please double check your BW settings, especially for those accounts created in 2017/18.
 
Well, this prob. deserves its own thread (I dunno) but someone big has joined the password manager breach train!


Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks.

According to a letter sample shared with the Office of the Vermont Attorney General, the attacks did not result from a breach on the company but from account compromise on other platforms.

"Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account," NortonLifeLock said.

LastPass people be like...happy? My GIF wouldn't move so I deleted it. Sorry.
 
I have recently started encountering sync and UI issues in Enpass, so I migrated to Roboform. I enabled 2FA and increased the encryption iterations to 300000. I tried increasing it to 500000 but the vault took too long to decrypt on my iPhone.

Increasing encryption iteration is good against brute force attacks.
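The posts above about KDF iteration counts (5K vs. 100,100 vs. 310K, and 300K vs. 500K being too slow on a phone) come down to one linear cost: each PBKDF2 iteration the legitimate user pays, an offline attacker with a stolen vault must pay for every guess. The following is an added example, not code from any poster or vendor; it uses PBKDF2-HMAC-SHA256 as a stand-in for a vault KDF (no product's exact scheme), and the 310,000 floor is an assumption taken from the BW figure quoted in the thread.

```python
import hashlib
import os
import time

# Iteration counts quoted in the thread; the floor is an assumption for the check below.
LEGACY_ITERATIONS = 5_000
OLD_DEFAULT_ITERATIONS = 100_100
RECOMMENDED_MIN_ITERATIONS = 310_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256.

    This is the general zero-knowledge shape the thread describes: the
    service stores ciphertext, and only this client-side key unlocks it.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_guess(iterations: int, salt: bytes) -> float:
    """Time one derivation; this is the per-guess cost an offline attacker also pays."""
    start = time.perf_counter()
    derive_vault_key("benchmark-password", salt, iterations)  # constructed input
    return time.perf_counter() - start


def kdf_setting_ok(iterations: int, minimum: int = RECOMMENDED_MIN_ITERATIONS) -> bool:
    """True if an account's PBKDF2 iteration setting meets the assumed floor."""
    return iterations >= minimum


def work_factor(low: int, high: int) -> float:
    """Multiplier on attacker effort when iterations rise from low to high.

    PBKDF2 cost is linear in the iteration count, so this is simply the ratio.
    """
    return high / low


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed per-user salt
    for n in (LEGACY_ITERATIONS, OLD_DEFAULT_ITERATIONS, RECOMMENDED_MIN_ITERATIONS):
        ms = seconds_per_guess(n, salt) * 1000
        print(f"{n:>8} iterations: {ms:6.1f} ms per guess, meets floor: {kdf_setting_ok(n)}")
    factor = work_factor(LEGACY_ITERATIONS, RECOMMENDED_MIN_ITERATIONS)
    print(f"Raising 5K -> 310K multiplies attacker work by {factor:.0f}x")
```

Run it on the phone or laptop you actually unlock the vault on: the per-guess time you can tolerate at unlock is exactly the per-guess time you impose on anyone who steals the encrypted vault.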
 
Good thing I use everything OFFLINE (obviously with backup copies on 2 external hard drives of 4 TB each).

When I say everything, I literally mean everything.

My personal files, documents etc, plus KeePass password vault.

I don't trust anything in the cloud.
 
The way things are going it's going to be safer to use a product with local sync (Enpass, Sticky Password) or manual sync (Keepass) to keep your data safe.

It seems there was a concerted set of intrusion attempts (some successful like Lastpass and Norton) against these companies in 2022. Whether by hacker gangs or hostile countries is only a guess. It's only a matter of time before hackers turn their attention to 1Password, Bitwarden and Dashlane.

All we users/subscribers can do is go with local sync or use cloud PMs employing really strong passwords/passphrases along with 2FA to secure accounts. But I am more interested in what these companies are planning to tackle this menace instead of boasting "We've never been hacked" as 1Password and Dashlane have been trumpeting since the LP fiasco. They were not hacked because Lastpass is a larger and more attractive target plus it was possibly easier to break LP defences.
 
This guy's YT channel was hacked. The result was mayhem. He blames it on the Lastpass breach. Watch from 29-30 minutes into the video.



Two takeaways:
a) Change your recovery codes and 2FA tokens ASAP.
b) NEVER store your 2FA tokens OR recovery codes in your PM.