LastPass breach gets worse (reddit.com)
639 points by sunbum on Jan 25, 2023 | 297 comments



One of the most frustrating things about the LastPass leak is that they still haven't provided all the information needed to determine whether a customer is at risk.

For example, it's clear backups were stolen, but they won't say how old the backups were, or what their retention policy is. So even if you changed your password to a stronger one, with more rotations, it may be that the attacker got hold of very old backups with weaker security. I've asked their support team for information about time windows of backups stolen, if they have a retention policy and whether it was adhered to, but they won't share that information. Instead we are left with a blog post that is more than a month old, no recent updates, and questions remaining unanswered. I'm a paying 'enterprise' customer, and they are meant to be ISO 27001 compliant, so a retention policy should be a pretty simple thing to share.


At this point you should assume you're breached. If they aren't going to give you the details, you should assume the worst.

I have asked all of my team to change their passwords. We use LastPass via our parent company and will be switching off LastPass soon for our team. LastPass never would've been my choice, it was made before I joined.

But assume you're breached, change it all now, and ideally you're not going to stay with LastPass. Their communication sucks, which is just icing on the cake in this entire situation.


Export from LP and start migrating, starting with changing common social IdPs like Google, Facebook, Twitter, Github, Apple, Microsoft/Live/Xbox/Outlook. Update the password of remote access programs like Parsec, and your cell phone provider's password. Then go through your TOTP generator and start changing everything in your TOTP generator (especially since you might be using LP Authenticator - if you are, then move to a different authenticator at the same time). Next: banking, your work payroll, investment accounts, Tax/IRS, shopping. From here on out start going through the list by the amount of money involved. If you doubt that then go through them ordered by the amount of data involved.

If you get lost and stuff seems too hard, if your replacement product lets you sort by age then just sort by oldest and hit 5 today. Hit 5 more tomorrow. Keep chipping at it. At this point you might as well change one every single day.


I’ve always felt like there’s a startup in there that can reliably change all your passwords for you. Probably something like one time $299, which sounds expensive, until you realize the pain of doing this.


Ironically... isn't that something LastPass does for you?

https://www.pcworld.com/article/430756/nifty-new-lastpass-da...

This is an old article, no idea if the feature still exists or not.


More like does to you and forces you to do it yourself


Depending on how it was implemented, that could just increase the attack surface. Assuming it's a cloud service, now we have another company that has all your passwords, that can be breached. A better way would be desktop software that runs on your local machine and logs in to each web site by itself and changes all your passwords, without using any remote compute or storage, outputting a local file with all your new passwords (don't make the same mistake again using a cloud password manager).


I imagined this was local. I think it would be very difficult to trust it otherwise.


Attack surface will increase regardless of implementation. It is another point that can be attacked, one that did not exist before.


I love web scraping, maybe I can update this prior idea. With the high proliferation of botting, a lot of sites are now resistant to this type of scripting, but at this low volume of interaction, it may be doable with some effort like Undetected Chromedriver.

https://drewdevault.com/2017/05/11/Rotating-passwords.html

https://github.com/tsudoko/pass-rotate


Vault rotation++. I was bitten by this switching authenticators when one didn't have an export at the time. It was such a massive pain to login and remove, add, setup and annotate, store secrets and repeat.


This was also the final straw for our organization, we have initiated a company-wide reset of any credentials stored in their service (thanks, LastPass) and are definitely not going to be renewing. The frequency of recent breaches, and especially the opaque manner in which they have been handled have destroyed any credibility they may have once had with regard to being trustworthy enough to store important secrets.


> definitely not going to be renewing

That reads like you're resetting credentials and then putting the new credentials back in LastPass, and then possibly maybe moving away from LastPass at some point in the future.

Given how little LastPass has disclosed, and the negligence we already know about, we should not only assume we're breached, but we should also assume LastPass is still storing critical data in cleartext, they don't have a "zero knowledge architecture", and their systems are still vulnerable to intrusion and exfiltration.


That's good advice. I already made that assumption when the leak was first publicised and changed all of my important passwords the same day. I'm just trying to decide whether it's worth changing the hundreds of other low value passwords that were once stored in LastPass. I migrated to another service a few years ago, but I'm concerned the attackers have got hold of older backups, containing sensitive data that I had deleted, but with LastPass's poor communication, there is no way of knowing.


What would your choice be?


"One of the most frustrating things about the LastPass leak is that they still haven't provided all the information needed to determine whether a customer is at risk."

Yes they have. They had a breach, and lied about it. You can't trust anything about them now. Assume a total breach and move on.


The biggest problem here is for former customers.

What if you closed your account 5 years ago, did they still have backups?


"Assume total breach" implies to update everything you had with them regardless of the timeframe.


I assume for many people that is easier said than done


It is, hence the gravity of the situation.


Honestly, even before this latest update, it's safest to assume that your data will be decrypted at some point, and get started changing everything now.

Luckily I had already switched over to Bitwarden, but I still had around 250 accounts to go through, although about 40 entries ended up being duplicates, defunct sites/products, or so old that the accounts were already deleted due to inactivity.

If you haven't started rotating all of your credentials already, this news should definitely get you started on it!


I never expected I'd experience such joy at a website failing to load, or to see it had been turned into a completely different business that doesn't even have a login form.

Thanks, LastPass!


I did the Lastpass->Bitwarden migration around Christmas, and it was probably 6 hours all told just changing passwords for the accounts I administer. The good thing is, you get pretty fast at changing them after a while.


There's ISO compliance and there's ISO "compliance". I'm pretty sure if most shops were honest they wouldn't be compliant, but more like compliance-inspired.


ISO compliance, a la “banana” or “strawberry” flavor.


Even if you change all your passwords NOW you’ve still had the metadata of where you have accounts leaked.


In principle, your passwords might be stored as a JSON blob encrypted using a key derived from your master password. In which case that metadata could still be secure. I doubt it though.


LastPass already admitted that the metadata was all leaked. Usernames and passwords were encrypted, but all else seems to have been in the clear.


Based on what happened to my wife, if the password was encrypted, breaking it was trivial


She probably had an account that had a very low number of iterations. LastPass never updated those unless someone knew to do it manually, so if it was an old account she likely had 5,000 iterations out of the recommended minimum of 100,000.


It wasn't an old account. It was made within a year of the breach.


just checked, mine is 5,000


Yep. And the sucky thing is that the only recourse at this point is to reset all your passwords, because what was leaked was the low-iteration vault. Changing it now only saves you for future leaks.


I believe that my vault was similarly-low iteration, however my master password was an approximately 30 character string that contained no dictionary words.

Based on your understanding, does my master password length sufficiently mitigate the low-iterations, or is decryption a realistic possibility?


If your master password has enough entropy, you're safe with 1 iteration. It's not a great idea, and what "enough" is can be ambiguous. But if your master password is provably 70 bits of entropy or so, you should be fine.

But it's probably easier to just change your passwords anyway. At this point I wouldn't be surprised if the story gets even worse somehow.
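To put numbers on the iteration-count and entropy questions in the replies above, here is an added example that is not code from any commenter, from LastPass or from the linked post. It derives a vault key with PBKDF2-HMAC-SHA256 at the 5,000 and 100,000 iteration settings the thread mentions and estimates the expected offline cracking time for a given password entropy. The salt and the attacker throughput figure are constructed stand-ins, not LastPass values.

```python
import hashlib
import math


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation with the iteration count the thread discusses.

    The 32-byte output is the key that protects the vault; anyone holding a
    leaked vault can recompute it from a guessed password and test the guess
    offline, so the iteration count is the only thing slowing them down."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits: float) -> float:
    """On average the right guess turns up halfway through the search space."""
    return 2.0 ** (entropy_bits - 1)


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           hmac_per_second: float) -> float:
    """Expected offline attack time: each candidate password costs `iterations`
    HMAC-SHA256 evaluations, and `hmac_per_second` is the assumed attacker throughput."""
    return expected_guesses(entropy_bits) * iterations / hmac_per_second


def iteration_speedup(old_iterations: int, new_iterations: int) -> float:
    """How much cheaper a vault leaked at the old setting is to attack than one
    derived at the new setting, for the same password and the same attacker."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    ATTACKER_RATE = 1e10            # assumed HMAC-SHA256/s for a GPU rig; constructed figure
    salt = b"constructed-salt"      # the real salt is account-specific; this is a stand-in
    print(derive_vault_key("correct horse battery staple", salt, 5000).hex())
    cases = [("~28-bit human-chosen password", 28.0),
             ("30 random printable ASCII chars", password_entropy_bits(30, 94))]
    for label, bits in cases:
        for iters in (5000, 100000):
            years = expected_crack_seconds(bits, iters, ATTACKER_RATE) / (86400 * 365.25)
            print(f"{label:32s} {iters:>7d} iterations: {years:.3g} years")
    print("vault at 5,000 iterations is", iteration_speedup(5000, 100000),
          "x cheaper to attack than at 100,000")
```

Running it shows the point made above: for a password with little entropy the 20x iteration difference is the difference between minutes and hours for the attacker, while for a long random master password neither setting matters. It also makes the "only saves you for future leaks" remark concrete: a vault already leaked at 5,000 iterations stays attackable at that cost no matter what the setting is raised to afterwards.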


I don't know enough to know. I'd change your passwords just to be safe.


> they are meant to be ISO 27001 compliant

means that some auditor met with someone who does not know anything and checked boxes in a form.


The title should be updated to reflect that this wasn't data from LastPass but from other products under the GoTo umbrella.

> Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.


If you are in EU, according to GDPR, they should share information so that you can evaluate the risk. Otherwise they are breaking the law.


> One of the most frustrating things about the LastPass leak is that they still haven't provided all the information needed to determine whether a customer is at risk.

Worst case: it’s entirely possible they don’t know.


Do they even know?


The fact they're drip-feeding how bad this breach actually was is terrible enough and yet their entire product is built on nothing but trust.

Part of me wonders if this was an intentional strategy: Downplay during the initial media round then very quietly reveal this was a worst case scenario.

Personally I'm never touching them again - anecdotally everyone I know who was an individual customer has migrated away and inside companies lots of engineers have stopped adding new passwords.


I don't think it was intentional: this is one of those places where ripping the band-aid off is far better than slowly dragging it out. The drip-fed reveal increases the raw number of headlines about the breach and drills the idea "GoTo is bad at security" into people via spaced repetition. If they said "our entire company was pwned" on day one, they would have had their day in the media and by now only HN would still be grumbling about it.

I think what's actually happening is that they're just really bad at security. Either every few weeks they discover something new or they still haven't successfully locked the attacker out.


I do think they are being very intentional in how they release and frame things, and one of the things dripping it out can do also is produce some level of fatigue on reporting it. It definitely seems like they knew some things before it came out - some people have looked at changes to their site and there are new or updated marketing changes that in retrospect seem very correlated to what we're learning now. Not definitive proof, but very concerning.

I also think you are correct to a point, they are really bad at security so it is also possible that some of these things are just coming out also.


This assumes everyone sees all the headlines. This approach is very bad for people paying attention, but the type of people to pay attention to this kind of news would probably be unwilling to go near LP again if it was revealed all at once. Their play might be to assume the initial headlines get the most coverage so soften the message there, then wait for a general audience to tune out and reveal the worst parts.


When it comes to important stuff I think it’s important to trust no one.

I’m sure LastPass tried really hard to protect data. But everything fails eventually. If there’s things that are life threatening or financially devastating then I don’t think I can afford to audit people sufficiently to trust them with the info.

This is also why I can’t imagine ever using Plaid/Mint/etc that require my bank credentials just to do minor stuff like make payments or read transactions.

These password managers are in a tough spot market wise as they aren’t smart enough to secure super important stuff and for unimportant things, iOS/chrome password management is pretty good. I don’t mind if my audible account gets rooted, but it would be very bad if my bank or brokerage gets rooted.


> This is also why I can’t imagine ever using Plaid/Mint/etc that require my bank credentials just to do minor stuff like make payments or read transactions.

That's the fault of banks. We need open banking, with APIs using OAuth or similar with scopes or some way for per-action/item access.


They could have started simpler with app passwords that provide read only access. They purposefully dragged their feet under the false principle that they own their clients' data.


What if the bank were collectively owned and operated, and used a clever cryptographic scheme to simultaneously allow full transparency and full monetary autonomy?


Then I guess that multiple bad actors would jump at the chance to irreparably scam thousands of accounts out of millions of dollars. Or something like that.


Things are improving bit by bit. BofA and Chase both have OAuth and pretty granular permissions now. Citi and Wells Fargo have OAuth APIs too, though I haven't worked with them personally. That's the top 4 consumer banks, but many credit unions are stuck in the past. Credit unions in general need to wake up about how far behind they are in IT investment, and use a common IT vendor to modernize.


Exactly. I should be able to create read only tokens. I think banks don’t really want us getting our own data without going through their marketing interface.


Already exists in EU.


As far as I know, there is no common, open banking API in the EU, unless you are talking about IBAN, which is more like an exchange framework.


Open Banking aka PSD2 exists, and it is very different from IBAN.


Unfortunately, individuals are not allowed to make use of it for private purposes. You must be a registered business and then be entered in a register before you get any keys.


"but it would be very bad if my bank or brokerage gets rooted"

Yup. I put everything in the password manager except primary email and bank/brokerage.


> I’m sure LastPass tried really hard to protect data. But everything fails eventually.

Sure, but password managers available over the internet are especially vulnerable. They're major centralized honeypots given the data they handle, and leaks are probably worth millions on the black market. To think that any company could handle this responsibility is naive at best.

Password managers are an entire section of software that shouldn't exist. They're too confusing and a chore to use for the general public, even if users are educated about their importance, and would like to secure their accounts. Many non-technical people don't bother or care at all.

The way forward is to get rid of passwords altogether and make passwordless authentication the norm. There have been some usability improvements in recent years in this area, to the point where it could reach mass adoption, but the change needs to start with developers.

I was a LastPass user for many years, many years ago, and trusted them, but have since moved all my passwords offline. And I would very much like not to worry about maintaining accounts, updating passwords, etc. Ugh, what a chore.


> [Password managers are] major centralized honeypots given the data they handle, and leaks are probably worth millions on the black market.

My knowledge in this area is admittedly limited but shouldn't password managers be fully encrypting your data with a key only you have (like 1Password). The way I understood it was that these leaks shouldn't be a problem because the data is worthless without the master key. Although I guess LastPass wasn't doing it that way.


I was specifically talking about _online_ password managers in that quote. Even in the best case scenario that they do follow all best modern security practices for storing the data at rest, there are countless exploit opportunities while the data is in transit, especially considering the clients are web browsers, with their own security issues. Not to mention the vulnerability from rogue employees, social engineering, etc.

Entrusting _any_ company with the secrets to your digital life is a bad idea in general. I know that 1Password is the darling in this space, but breaches are a matter of time. They only need to mess up once. Their entire business reputation relies on being 100% secure, which is impossible. I'm not surprised LastPass is reluctant to share more information; they want this to go away as soon as possible so that business can continue as usual. It also wouldn't surprise me if there were other breaches that were never made public, at LastPass, 1Password, or any of these companies.


> I was specifically talking about _online_ password managers [...] considering the clients are web browsers

Is that an actual thing?! I'm only familiar with password managers that use the Internet to synchronize, i.e. it's still 100% possible to apply the cryptography such that the service vendor or anyone else cannot read your passwords stored or in transit.

I can maaaybe imagine password managers with a web interface that however still decrypts locally, client-side.


TLS does a good job at this, and I'm not assuming it's compromised. But it's complex to set up correctly, and I'd rather avoid the need to transmit sensitive data every time I access my credentials, and entrust my most critical information with a 3rd party, all to support a service that shouldn't exist to begin with.

Password managers are currently a necessary evil, so if you must use them, use an offline one, and sync across devices via any other secure mechanism.


> TLS does a good job at this, and I'm not assuming it's compromised. But it's complex to set up correctly

TLS has nothing to do with it. TLS is transport security, which is relatively useless for preventing the service provider from accessing your data.

I'm sorry to say this, but this is just word salad, including the "I'm not assuming it's compromised" bit.

> and entrust my most critical information with a 3rd party

The point is you don't need to do that, and can still sync over the Internet.


> I’m sure LastPass tried really hard to protect data

Not really.


If drip-feeding the details is an intentional strategy it is a stupid one. Keeping the negative story in the headlines for a day longer means it will reach more people and draw more attention.


Not just that, this drip feed of information makes formulating a proper response very difficult.

If, for example, you deleted your account after the first report in August (a rational decision), you have no way of checking what iterations setting you had, now that people are talking about it.

It's also unclear whether you will receive any data breach notifications detailing the exact impact to your data, since your account is now deleted - do they keep a history for "post-fact" situations like this?

And of course, if you didn't keep a backup of your passwords before deleting your account, you'd have to reset everything to be sure.

Terrible, awful company with no respect for their users.


There's not really any benefit to deleting the account other than forgetting they're untrustworthy and accidentally using them in the future. I would think it's better to change all passwords (at each service, not at lastpass) and leave the account at lastpass active, precisely to be in the know for such things in the future. That's unless I'm misunderstanding something about their service that makes it better off to delete the account. I've never used them.


They still have a list of accounts, email, usernames, even if the passwords have been rotated, plus whatever happens to be in secure notes and the like. Deleting the account is really easy (has to be for EU customers) and they're obliged to delete all data they hold on the user (under EU law), so I don't see any reason to let that kind of data sit around on an untrustworthy party's servers. I certainly won't need a reminder that they're untrustworthy.


Forgot Europeans have a valid reason to believe "deleting" an account actually deletes anything instead of just withdrawing your access.


If you’re in California the CCPA should give you this right too.


They’ll only piss off the people paying attention to every drip.


> Part of me wonders if this was an intentional strategy: Downplay during the initial media round then very quietly reveal this was a worst case scenario.

Seems like a poor strategy. This is like an infected wound that keeps on festering. A turd that will not flush. A house guest that won't take multiple hints it's time to leave. Better to just get it over with in one go; next week the news cycle will be something else and it will be over; now it's in several news cycles again and again.


I'm now expecting a raft of these sort of leaks.

This sort of thing, will all encourage us to 'naturally' move towards a government backed, biometric solution. Which will of course be phone based, will hold your wallet, id and medical information, and will be provided to us by kindly corps such as twitter, google, apple, microsoft, meta, etc.


Surprisingly, the government based sites I use let me use email for 2FA, which is better than phone since I can add 2FA for my email as well. It’s the banks that keep insisting I use a phone for 2FA. I have moved away from Ally because of this.


And each drip paints a bigger crosshair on the back of KeePass w.r.t. supply chain attacks (the only angle where KeePass isn't inherently better than others). I wish LastPass all the best in terms of improving their communication!


Can confirm. Migrated from LastPass -> 1Password last month.


After using LastPass for years, this breach led me to do something I should have done long ago: remove my bank account & email account passwords from it (and change them, of course). My wife did the same thing. At some point I'll probably switch password managers, but the basic realization was that those passwords are qualitatively different than the rest and should never, ever be trusted to any password manager.

So now I remember ~3 passphrases, instead of 1, and sleep much better at night.


I disagree, mostly because the password manager is more than just a place to store passwords. The origin binding also prevents you from typing the password on the wrong domain. For many people they’re probably more likely to get phished for a memorized password than pwned for a managed password.


That's a good point that I hadn't thought of before.

I used LastPass for years and switched to BitWarden a couple of years ago. I did delete my LastPass account after switching, but I have zero confidence that they actually deleted my data.

Fortunately, my master password from back then is long and complicated.


Yet another point of absurdity. Only if I live in California do I have the right to demand a company clear all my personal data. Meanwhile we have multiple large organizations that have hemorrhaged data to the world and caused irreparable harm to individuals, with little or no consequences. We're all held hostage by tech.


I wonder if there's an app/extension that streamlines remembering/autofilling usernames but not passwords. I doubt many people would be into it, but it would be the best of both worlds for the case you describe, I think.

Or simply a personal allow list of origins, with a happy green indicator prominently overlaid onto login forms on those origins you've saved -- doesn't even need username storage.

Maybe even a community-sourced allow list, but that would need some seriously trusted management (including purging upon domain registration expiry/transfer) but that would mostly duplicate the domain warnings that browsers already offer, anyhow.


You can create an item without a password for this purpose - it would show an indicator if you have an account at a given domain, and would even autofill the user name. But you still get to save the critical password from the poor security of password managers. Win-win.


> the critical password from the poor security of password managers

Just because one restaurant has a bad health inspection score and is constantly making everyone who eats there sick does not mean all restaurants are bad. People who just lump "password managers" into one group are fundamentally assuming that one bad password manager means that all password managers are automatically bad, we just somehow don't know it yet. Don't bother eating at restaurants ever again if you feel that way, I guess. I know people who have gotten sick eating at restaurants, but that doesn't stop me from finding good restaurants.

Most password managers have a very good security track record. Users creating and remembering their own passwords does not have a good security track record at all.

Better to use a completely offline password manager (which risks you losing your backups or getting into a conflicting sync state) than no password manager at all, but a password manager that actually encrypts all your data end to end (which LastPass does not) and requires a strong key to unlock (such as the 2SKD method, which again... LastPass does not) is extremely safe, even if you don't trust "the cloud", because you don't need to trust the cloud.
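The two-secret idea ("2SKD") referred to here, as an added sketch: this is my own illustration in Python, not 1Password's code or its exact scheme. A slow PBKDF2 of the master password is combined with an HKDF expansion of a random 128-bit secret key that exists only on the user's devices, so a leaked vault plus a guessed password is not enough to even test the guess. The check value used to confirm a key is a constructed stand-in, and the HKDF helper is included only because the standard library has none.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_secret_key() -> bytes:
    """128-bit device-side secret, generated once; it never goes to the server."""
    return secrets.token_bytes(16)


def derive_unlock_key(master_password: str, secret_key: bytes, salt: bytes,
                      iterations: int = 100_000) -> bytes:
    """Two-secret derivation: the guessable password goes through slow PBKDF2, the
    unguessable secret key through fast HKDF, and the two 32-byte results are XORed.
    Losing either input leaves the attacker with nothing to verify against."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, iterations, 32)
    sk_part = hkdf_sha256(secret_key, salt, b"two-secret-key-derivation")  # info label is constructed
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check_value(unlock_key: bytes) -> bytes:
    """Constructed stand-in for whatever a leaked vault would let an attacker
    check a derived key against (an auth tag, a known plaintext, ...)."""
    return hashlib.sha256(b"constructed-check" + unlock_key).digest()


def guess_is_correct(candidate_password: str, secret_key: bytes, salt: bytes,
                     check_value: bytes, iterations: int = 100_000) -> bool:
    """What an offline attacker with the vault can do: derive and compare. Without
    the right secret key, even the correct password never verifies."""
    key = derive_unlock_key(candidate_password, secret_key, salt, iterations)
    return hmac.compare_digest(key_check_value(key), check_value)


def effective_search_bits(password_entropy_bits: float, secret_key_bits: int = 128) -> float:
    """Every password guess must be paired with a secret-key guess, so the two
    search spaces multiply and the exponents add."""
    return password_entropy_bits + secret_key_bits


if __name__ == "__main__":
    salt = b"constructed-account-salt"
    sk = generate_secret_key()
    key = derive_unlock_key("hunter2", sk, salt, iterations=10_000)
    check = key_check_value(key)
    print("right password + right secret key:", guess_is_correct("hunter2", sk, salt, check, 10_000))
    print("right password, unknown secret key:",
          guess_is_correct("hunter2", bytes(16), salt, check, 10_000))
    print("search space for a 40-bit password becomes", effective_search_bits(40), "bits")
```

The trade-off the comment hints at is visible in the code: the secret key must be backed up somewhere the user controls, because a server that never sees it cannot restore it either.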


I've thought of a mitigation for this - always intentionally enter the wrong password on the first try. If you're being phished, you'll notice when the wrong password gets you in.


I thought some phishing attacks act as a relay or middle-man? I don't know how common that is.


100% correct. You might have 2 factor enabled, so they also need to check that and phish the 2FA code as well. That 2FA code expires quickly, so it needs to be used in real time to get a session.

I'm sure there are some very basic phishing attacks that just save whatever you entered, but... let's avoid trying to come up with "clever hacks" that only lend a false sense of security.


A much more convenient mitigation - create an item without a password, so it would autofill the username (and not autofill if you're being phished, since the domains wouldn't match), so all you'd have to do is enter the password from memory.
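The origin binding raised a few comments up, and the username-only item suggested here and earlier in the thread, as one added Python example that is not from any commenter or from any password manager's code: the autofill decision is an exact (scheme, host, port) comparison, so a lookalike host, an extra subdomain label, a different port or an https-to-http downgrade gets nothing, and an item saved without a password only ever fills the username. The vault items and URLs are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


def origin_of(url: str):
    """Return (scheme, host, port) for an http(s) URL, or None if it is unusable.
    Comparing this tuple, rather than looking for a substring in the URL, is what
    gives a password manager its phishing resistance."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:          # malformed port such as ':abc'
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.rstrip("."), port)   # hostname is already lowercased


@dataclass
class VaultItem:
    title: str
    url: str                         # origin the credential was saved on
    username: str
    password: Optional[str] = None   # None models a "username-only" item


def should_autofill(item: VaultItem, page_url: str) -> bool:
    """Exact origin match only. No partial or 'contains' matching: that is how
    accounts.example.com.evil.test would otherwise get the credential."""
    saved, page = origin_of(item.url), origin_of(page_url)
    return saved is not None and saved == page


def fill_fields(item: VaultItem, page_url: str) -> dict:
    """Fields the manager would offer on this page: nothing on a mismatched
    origin, the username alone for a username-only item, both otherwise."""
    if not should_autofill(item, page_url):
        return {}
    fields = {"username": item.username}
    if item.password is not None:
        fields["password"] = item.password
    return fields


if __name__ == "__main__":
    full = VaultItem("Example", "https://accounts.example.com/login", "alice", "constructed-pw")
    user_only = VaultItem("Bank", "https://bank.example/", "alice")   # password kept in memory
    for page in ("https://accounts.example.com/session/new",
                 "https://accounts.example.com.evil.test/login",
                 "https://accounts-example.com/login",
                 "http://accounts.example.com/login"):
        print(f"{page:48s} -> {fill_fields(full, page)}")
    print(fill_fields(user_only, "https://bank.example/login"))
```

The username-only item keeps the green-light behaviour the comment wants (the manager recognises the site and fills the name) while the password never leaves the user's head, which is exactly the split the earlier commenter who removed bank and e-mail passwords from the vault was after.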


It is absolutely insane that you're going back to LastPass after this. We have no reason to believe they're not still fully compromised.

Switch to 1Password. It takes ~5 min to export and import.


> Switch to 1Password.

It never ceases to amaze me with what confidence people recommend these: "Switch to 1Password", "Just use BitWarden". I switched to KeePassXC because it seems all the cloud-based password managers have the same endgame: get hacked.

> It takes ~5 min to export and import.

Only 5 minutes, and you've just doubled your attack surface area. Congrats.


I switched to only eating food I prepared myself because it seems all restaurants have the same endgame: spread salmonella.


That's a pretty bad analogy.

If by going to a restaurant I'd have to commit to eating at that particular restaurant forever, I probably would choose to prepare food myself...


This logic is like learning that most accidents occur within 50 miles of your home and then moving 51 miles away.

Why would you remove those bits of information and also not switch password managers too?


I was always a bit wary of these services. They sound great, and the convenience is amazing, but I have not much of an idea how everything works behind the curtain.

I went with unix pass installed inside of a FreeBSD jail. It's more complex than auto-filling with a browser plugin (though those exist), but as long as I can get an SSH terminal I can get to my passwords, and various other bits of data. You have to allow password login from sshd (which isn't ideal, but I was going for "access from anywhere I can get an SSH session"), so your passphrase had better be good. And you need to have terminal discipline to be sure you clear the screen if shoulder-surfing is an issue.

But it has the advantage of knowing exactly what's going on at all times. And, for added benefit, there are only a handful of things you need to have printed out and stored in a safe or whatever so that your family can access all of the encrypted important stuff if you get struck by lightning.


> I went with unix pass installed inside of a FreeBSD jail.

> And, for added benefit, there are only a handful of things you need to have printed out and stored in a safe or whatever so that your family can access all of the encrypted important stuff if you get struck by lightning.

Presumably this print out includes an instruction manual for using FreeBSD, opening a terminal on a FreeBSD machine, launching a shell inside a jail, and accessing this "user friendly" software? Exactly how technical is your family?

Forgive my disbelief that this is an actual solution for anyone but yourself.

> but I have not much of an idea how everything works behind the curtain

You could choose to learn: https://1passwordstatic.com/files/security/1password-white-p...

Any good password manager documents this stuff very well. LastPass has a very shallow white paper that constantly refers to encrypting "sensitive data", but they never define what that sensitive data is, which is suspicious, and it turns out that LastPass doesn't encrypt everything, which everyone who cares about this stuff has known for years. In the 1Password document, they talk about how every item in the vault is encrypted, and every item contains various fields such as Title, URL, etc. 1Password encrypts everything.

1Password also talks about the benefits of using a user password plus a generated 128-bit "Secret Key" (2SKD), which is a security feature I strongly appreciate.


>Presumably this print out includes an instruction manual for using FreeBSD, opening a terminal on a FreeBSD machine, launching a shell inside a jail, and accessing this "user friendly" software

I never said, nor meant to imply, that it was user friendly. But, yes, showing a moderately intelligent person how to access it is easily done with a set of instructions, maybe a single printed page. Not "user friendly," but certainly usable. If I am a smoldering corpse, they can rescue whatever is stored there relatively easily. Since the software is ridiculously stable, the instructions will be equally stable.

It's not a universal solution by any means. I tossed it out there as an alternative. I'm sure you really love 1Password, and if it works for you, fantastic. I'm distrustful of any service in general, but maybe 1Password is 100% rigorous in all of their security measures. I have no idea, as I don't work there, or know anybody who works there. I'm relatively confident in mine, as I built every step of it (which wasn't much), and it has very few moving parts.


The best solution I’ve found is mooltipass: https://www.themooltipass.com/

Is a hardware device, password never leaves device except when filling in form, requires hardware confirmation, and works as usb/bluetooth keyboard and is compatible with most everything.


Whilst not good, this seems to be bad news for some GoTo products but not specifically Lastpass:

> a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere

Lastpass is a GoTo product, so in general the multiple security breaches undermine confidence in all their products. Your password manager is not something you want low confidence in.


GoTo has been bad for a while. I recently sent their team a support ticket for their GoToWebinar API (API response contained completely different/wrong data). They said it's not that much of a problem and said they weren't gonna fix anything. Hilariously bad.


I was under the impression LogMeIn (GoTo’s previous name) already was known as malware many years ago when they bought Lastpass.

Lastpass was the first password manager I used, and when it sold to a scummy company like LogMeIn, I learned my lesson to just stick with KeepassXC.


KeepassXC + unison is the best combo for me. I'll never let some cloud service lay their hands on my passwords.


What does unison provide in this strategy? I remember the old Keepass; is KeepassXC the next generation of this?


> I remember the old Keepass, is KeepassXC the next generation in this?

It's the same database format, KeepassXC is a fork of KeepassX with more active development.

https://superuser.com/questions/878902/whats-the-difference-...


They were a red-headed stepchild within the Citrix portfolio before they were carved up like a turkey. I wouldn’t expect anything positive from them going forward.


If that wrong data contained emails, etc., then that would be a data breach and legally they need to fix it, inform affected users, and report the data breach. If they said they weren't going to fix it, report it.


I'm on hold with lastpass enterprise support as I type because upon reviewing our account we found a super-admin that is 'blank', no text appears but it has been granted policy access to all shared folders. This is nuts. We use SSO so iirc the keys were 128bit x2 which was supposed to be completely unaffected by the dump. Perhaps not. Screenshot here: https://freeimage.host/i/H0RICCu


I didn't realize that Lastpass was part of the same company who brought us GoToMeeting.

It makes me wonder if this is all a result of GoTo general culture permeating into Lastpass. GoToMeeting and Webinar feel hilariously outdated, and I think that people use them mostly because of corporate inertia.


We are heavy users of GTM, and have been for over a decade.

Initially, it was FAR AND AWAY the best and most reliable option for meetings. It worked well across platforms, and the screensharing -- especially the ability to see a participant's screen, not the host's screen -- was stellar. This was key for us; we're a small software company, so GTM sessions to help client IT install, or help a customer with a problem, or even get the system configured initially, were all our bread and butter.

Sadly, GTM over time has fallen prey to the same thing that ails lots of older products: it just keeps getting worse, and it feels almost deliberate. We do not give two shits about video, but they're pushing it hard. Sharing controls change revision to revision, which makes it harder for us to coach customers on how to use the tool. Lag and delay has become a real issue.

It's just super frustrating.


Makes me pleased to be a loyal Zetetic Codebook[1] (née STRIP) customer.

The thought of storing my passwords on a web/cloud-based service always struck me as the dumbest thing anyone could do as it would be only a matter of time until such a service was hacked.

I started using Zetetic after learning about them via a 2012 Black Hat conference presentation[2] where they took a bunch of password managers and STRIP came out on top. I figured if it was good enough for them, it was good enough for me. The product has only got better and better since 2012 (note that the presentation PDF is out of date in terms of security; they have of course changed the hash and substantially increased rounds! See their website for details).

Their support is first-class too.

[1] https://www.zetetic.net/codebook/

[2] https://media.blackhat.com/bh-eu-12/Belenko/bh-eu-12-Belenko...


+1 for Codebook. I’ve been using it for ~5 years and haven’t had an issue, I feel secure in managing where my vault is stored and haven’t had issues with syncing. It’s a one-time fee per device type - I paid for iOS, macOS, and Windows without any hesitation.

Additionally their support is really good. They added a feature on the iOS version (and Android I assume) which copies the TOTP when you use Codebook to auto-fill a login. However it cleared the clipboard when the TOTP code expired, which was sometimes too soon - I suggested they add a buffer of ~15-30 sec which most TOTP validators allow, giving the user a bit more leeway in pasting it. They added it in the next version.

Some cons though: They do lack Linux support. Syncing is manual (I think they mentioned the next big update will make it more automatic), and there aren’t any family/team sharing capabilities. For these reasons I would really only recommend it for tech-savvy individual use. I’ve recommended it to a few colleagues and they have had great experiences and continue to use it for several years now.


> They do lack Linux support

That is true although I understand this is simply down to lack of user demand for it[1].

There appears to be an UNOFFICIAL Linux tool called Read-Codebook[2] though...

[1] https://discuss.zetetic.net/t/codebook-for-linux/1063/26

[2] https://github.com/teracow/read-codebook


No Linux support =/


How many more times can we shout it. KeePass with Syncthing.


Have a look at unison, it's what I use instead of Syncthing and I couldn't be more happy.

https://github.com/bcpierce00/unison

edit: Also, KeepassXC!


Why Unison over Syncthing? Just curious because I've been happy with Syncthing and haven't heard of Unison.


While I use Syncthing over on Android because there is no good Android port of Unison, and like it, here are some of the things that make me use Unison on my laptops and desktops:

- The way I use Unison, I review the proposed changes before hitting go on a sync. Caught a few mishaps and accidents over time (not Unison's fault, talking about me messing up my files and stuff). Reading these reviews regularly gives me a good feeling for what is going on with my data, too.

- Unison is easier to use over ssh. With Syncthing, I need to forward a port or use the ssh client's proxy to get at the webgui.

- I find Unison's behavior more predictable and dependable than Syncthing's. Maybe it's the Android port that's to blame here, but with Unison I start it on the CLI and it runs through to completion, done. With Syncthing, it seems to sync on its own volition. I have configured Syncthing to run when my phone is connected to my WIFI. Sometimes it starts right away when my Android phone enters my WIFI, sometimes it takes a while, sometimes it needs a little prodding with the webgui to follow through on this or that folder.

- My Unison config consists of 3 lines. I recently had to reconfigure Syncthing on my phone, took me quite some time of carefully re-mating the app with my server for all folders with a ton of potentially out-of-sync content on both sides.


The only problem I have with Syncthing is how it deals with conflicting updates... The interface makes it difficult to see which file is conflicting. Is it better with Unison?

+1 for keepassXC


Looks interesting! What it's missing that Syncthing has (from a first glance) is the ability to set up encrypted sync on a possibly untrusted node.


As a long time KeePass user, I throw in KeePassXC. Much more polished.


For sure! I meant KeePass the database format :). I use KeePassXC also.


I love KeePassXC and have used it forever.

However is there any good way to use it with my phone? I do find it frustrating to have to type in passwords manually sometimes, even though it's not very often.


Yes there is. Sync it with syncthing (or next cloud or seafile or...) and use a compatible client to read it on your phone like KeePassDX.


I use Keepass2Android on Android devices and Strongbox on iOS devices. They've served me well.


I use KeePass2Android offline. This is also safer because the database isn't synced over the internet, only when I'm in the same network as e.g. my laptop.


I use an app called KPass that reads my .kdbx file perfectly, and I use Syncthing as well.


I use 1Password with a family account. Good luck getting my mother to understand the nuances of KeePass with Syncthing.

Previously she wrote her passwords down in a notebook.


Well, as long as you understand it, you could use it. As for her, maybe using a notebook is not even the worst idea.


What is Syncthing? A thing that syncs?


Yes, it's a service to keep files on your devices in sync with one another. https://syncthing.net/


Peer to peer dropbox, kind of.


A self-hosted replacement for Dropbox.


Hum... No, it's not a replacement for Dropbox.

It solves issues Dropbox doesn't (like dealing with segregated networks), and doesn't solve issue that Dropbox does (like sending files to people).


I use strongbox pro, which is an iOS keepass app, and keep it on iCloud Drive. It’s a simple no fuss solution.


And yubikey


I have recently moved away from lastpass onto 1password and find myself with some 1000+ credentials that I will now have to change. Been working through the list and made a small dent of 50 accounts so far... There must be a quicker way to do this?


One thing I've found is "forgot password" is typically far, far faster/easier than hunting around trying to figure out how to change a password.


We should introduce an industry best practice for account management. A "/.well-known" url for changing passwords would make this trivial to do in bulk with a password manager.
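A concrete form of this idea already exists as a W3C/WICG draft, "A Well-Known URL for Changing Passwords", which reserves `/.well-known/change-password` and a second control path for detecting sites that answer 200 to everything. As an added example, not code from the original post or from any password manager, here is a small audit helper that takes the site URLs from a vault export and reports which sites expose the change-password URL, so a bulk rotation can at least start with the sites that make it easy. The sample export, the offline fetch stub and the status-code interpretation are constructed assumptions.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Paths defined by the W3C/WICG "A Well-Known URL for Changing Passwords" draft.
CHANGE_PASSWORD_PATH = "/.well-known/change-password"
# Control URL from the same draft: a site that answers 2xx here answers 2xx to
# anything, so its answer for the change-password URL proves nothing.
CONTROL_PATH = (
    "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200"
)

# A fetcher maps a URL to the final HTTP status after following redirects
# (0 = network error). Injecting it keeps the audit logic testable offline.
Fetcher = Callable[[str], int]


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher using the standard library; urlopen follows redirects itself."""
    req = urllib.request.Request(url, headers={"User-Agent": "vault-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return 0


def origin_of(site: str) -> str:
    """Normalise a vault entry's URL or bare hostname to a lower-case https origin."""
    if "://" not in site:
        site = "https://" + site
    parts = urlsplit(site)
    return f"{parts.scheme}://{parts.netloc}".lower()


def change_password_url(origin: str, fetch: Fetcher) -> Optional[str]:
    """Return the change-password URL if the site supports it, else None.

    Interpretation (an assumption based on the draft's guidance): a final 2xx
    for the well-known path counts as support, unless the control path also
    returns 2xx, in which case the site is a catch-all and is not counted.
    """
    status = fetch(origin + CHANGE_PASSWORD_PATH)
    if not 200 <= status < 300:
        return None
    if 200 <= fetch(origin + CONTROL_PATH) < 300:
        return None
    return origin + CHANGE_PASSWORD_PATH


def audit_vault(sites: List[str], fetch: Fetcher) -> Dict[str, Optional[str]]:
    """Map each distinct origin in a vault export to its change-password URL or None."""
    result: Dict[str, Optional[str]] = {}
    for site in sites:
        origin = origin_of(site)
        if origin not in result:  # fetch each origin only once
            result[origin] = change_password_url(origin, fetch)
    return result


# Constructed sample: hypothetical site URLs as they would appear in an export.
SAMPLE_EXPORT = [
    "https://good.example/login",
    "https://good.example/account",  # same origin, fetched once
    "catchall.example",              # answers 200 to everything
    "https://none.example/signin",   # no well-known support
]

# Constructed offline stand-in for http_status, keyed by full URL.
_FAKE_STATUSES = {
    "https://good.example" + CHANGE_PASSWORD_PATH: 200,
    "https://good.example" + CONTROL_PATH: 404,
    "https://catchall.example" + CHANGE_PASSWORD_PATH: 200,
    "https://catchall.example" + CONTROL_PATH: 200,
    "https://none.example" + CHANGE_PASSWORD_PATH: 404,
    "https://none.example" + CONTROL_PATH: 404,
}


def fake_fetch(url: str) -> int:
    return _FAKE_STATUSES.get(url, 404)


if __name__ == "__main__":
    # Swap fake_fetch for http_status to audit a real export.
    for origin, url in audit_vault(SAMPLE_EXPORT, fake_fetch).items():
        print(f"{origin:28} {url or 'no change-password URL'}")
```

The control-path check matters in practice: without it, every site that serves its home page for unknown paths would look like it supports the mechanism.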


Nothing could go wrong with having a way of hitting millions of websites at once with a 0 day exploit :)


The functionality provided by such an API could be limited to disabling the account until the password is manually reset given that the client provides a valid email and password. The blast radius for that would be pretty small.

I don't use 90% of the entries in my password manager on a monthly basis so anything that allows me to delay the password change on hundreds of accounts until I need to use the account again would be valuable.


Obscurity is security, as the saying goes.


Isn’t the saying, “security through obscurity is no security at all”?


I believe the person you replied to was being sarcastic.



So if I get access to your PM, then I would be able to destroy all your accounts en masse.

At least this way they would have to prioritize.


I don't think this matters that much. Most accounts are just for random websites that don't let you use basic functionality without a login. Being able to manage such accounts efficiently & without dark patterns in one program would be a massive time-saver, but whether a bad actor takes a few seconds or a few minutes to take over my important accounts I'm screwed either way.


Ironically I believe I remember that LastPass had such a feature, though it didn’t work for more than about 2% of my passwords when I used it a long time ago.


I remembered that, and before I learned more about the breach and was feeling "breaches happen" about things (I have a strong master password), my thought was to use that to update passwords by age... but they actually removed the feature! That seemed so user hostile it made me mad enough that migrating somewhere where I can work with password age became my goal. Then as I've learned more about the breach, their design and their response it's just put wind in my sails.

Bitwarden isn't much better, but they do have a CLI that technical users can cobble something together with. (I ultimately decided to skip on Bitwarden also)


I imagine you can triage that quite heavily; change the critical ones (bank/email/etc.), then change anything where passwords and usernames have been duplicated. Anything else is probably pretty low priority both in importance and criticality.


Currently in the process of cycling a few thousand passwords myself. Realised I just have to nip away at it a bit each day

Time boxed to about 15 mins a day, it hasn't felt like too much of a burden. But also finding I can just delete quite a few, as my vault is over a decade old and many sites/services are now defunct

Will take another month or so, but have the more recent/crucial ones done already so worst case someone might crack my old digg password


Why not just go through them in one go and be done with it?


Because telling your boss you will be spending the next 3 working days going through all your passwords might not be the best use of time, and you might want to spread it out a bit. Especially when most of them are obscure websites that are not likely to be the first target in a password leak.


Dashlane claims to be able to do this for you.

I don't personally use Dashlane and cannot speak to its security.


Updated a blog post from November in January, classy move.

Not to mention https://en.wikipedia.org/wiki/LastPass#Security_incidents


I just migrated over to 1Password and deleted my LastPass account. Better late than never, I suppose.

It was surprisingly easy - for all of LastPass's faults, at least they don't use shady vendor lock-in practices (like making data export needlessly difficult). And 1Password has a LastPass-specific import page, which made the migration dead-easy.


Hopefully you reset all your passwords and didn’t just migrate over.


Honest question: what's the point of password managers? By migrating from one to the other, aren't you exposing yourself to the exact same risk?


Password reuse is the most common way people are breached. Until there’s pervasive WebAuthn passkey support, that means you need a way to store unique passwords for everything you use and that can’t be algorithmic because different sites have conflicting policies.

Other password managers don’t have LastPass's long history of security concerns. They also have hardening against this specific scenario. For example, 1Password assumes they could be breached and includes a strong random key which is unique per-user, so in an event like this the attacker would have to do a lot more work to break vaults:

https://support.1password.com/secret-key-security/
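To make the "unique per-user random key" argument concrete, here is an added example, not 1Password's code or its exact 2SKD construction (which the linked support page describes): a toy vault-key derivation that mixes a slow PBKDF2 password hash with a 128-bit device-held Secret Key, and a check of what a stolen backup (salt plus key-check value) lets a dictionary test recover with and without that Secret Key. The salt, Secret Key, password, word list and the key-check construction are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Simplified model (an assumption, not 1Password's exact scheme): the vault key
# depends on the password via slow PBKDF2 AND on a random 128-bit Secret Key
# generated on the user's device. The server holds the salt and a key-check
# value, never the Secret Key, so a stolen backup alone gives nothing to test
# password guesses against.
ITERATIONS = 100_000  # the thread's "100k+ iterations" PBKDF2 work factor


def derive_vault_key(password: str, salt: bytes, secret_key: Optional[bytes]) -> bytes:
    """32-byte vault key. secret_key=None models a password-only design."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    if secret_key is None:
        return pw_key
    # Stretch the Secret Key to 32 bytes and XOR it in, so both secrets are required.
    sk_key = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def key_check_value(vault_key: bytes) -> bytes:
    """Value stored beside the salt so a client can tell whether its derived key is right."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def offline_guess(salt: bytes, check: bytes, words: List[str],
                  secret_key: Optional[bytes]) -> Optional[str]:
    """Test each dictionary word against a (salt, check) pair from a backup.

    Models the offline guessing the thread discusses. Without the right
    secret_key every candidate key is wrong, so no word can ever match.
    """
    for word in words:
        candidate = derive_vault_key(word, salt, secret_key)
        if hmac.compare_digest(key_check_value(candidate), check):
            return word
    return None


# Constructed demo values.
SALT = bytes.fromhex("8f1c2a6d4b9e0c3a5f7d1b2e4c6a8f90")
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit, device-held
WEAK_PASSWORD = "climb33"
WORDLIST = ["password", "letmein", "climb33", "qwerty"]


def demo() -> Dict[str, Optional[str]]:
    """Return what dictionary guessing recovers under each design."""
    # Password-only design: the backup is enough to test guesses.
    pw_only_check = key_check_value(derive_vault_key(WEAK_PASSWORD, SALT, None))
    # Two-secret design: the backup has salt and check but not the Secret Key.
    two_secret_check = key_check_value(derive_vault_key(WEAK_PASSWORD, SALT, SECRET_KEY))
    return {
        "password_only": offline_guess(SALT, pw_only_check, WORDLIST, None),
        "two_secret_without_key": offline_guess(SALT, two_secret_check, WORDLIST, None),
        "two_secret_with_key": offline_guess(SALT, two_secret_check, WORDLIST, SECRET_KEY),
    }


if __name__ == "__main__":
    for scenario, found in demo().items():
        print(f"{scenario:24} -> {found}")
```

The point of the third scenario is that the Secret Key is not a second password to remember: it only has to be present on the user's own devices, and the weak password is still weak there, but a backup stolen from the service adds 128 bits of unknown key to every guess.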


The point is to allow oneself to use a different password for each website, and strong ones at that. The time required to memorise a large number of strong passwords is significant, and a password manager alleviates that.


Why not store them locally (in a file on your laptop) or on a piece of paper in your wallet?


Lol. A piece of paper with 200 passwords?


I don't have my laptop with me everywhere I go and use my phone, iPad etc to log in to services.


What happens if your laptop is stolen or its hard drive fails or you lose your wallet?


The same thing like when you lose your car-key or any other valuable.


> By migrating from one to the other, aren't you exposing yourself to the exact same risk?

My main gripe with LastPass is that they did not encrypt everything. Vast amounts of important information (email addresses, billing addresses, telephone numbers, IP addresses, website URLs [0]) were not encrypted on users' local machines with the master password, and subsequently have fallen into the hands of a malicious actor.

I would feel much better about LastPass if the security genuinely was safeguarded by a strong master password. But they've demonstrated that it's not.

Other password managers, as far as I can see, provide much greater protection in terms of encrypting everything. That's why I'd feel better about using them.

[0] https://blog.lastpass.com/2022/12/notice-of-recent-security-...


The alternative right now is to use the same password everywhere. That's even worse.

If one site is breached you have to go change your password everywhere. By using a password manager if one site is breached you just have to change that one password for that site. Using the same password everywhere is a real concern that should be avoided at all costs.

LastPass's breach is the exception to the rule. Generally speaking password managers have had a far better go of things than LastPass has.

By far, using a quality (LastPass is not one of them and frankly never has been) password manager is likely going to be the most secure thing that any average user uses every day.

This breach is much the same as the typical media stuff, hyperbole does no one any good. One bad thing happens and the sky is falling (hyperbole). No, the sky is falling for that app (LastPass) but not for every password manager. You have two really good options: Bitwarden and 1Password. I, personally, wouldn't touch any others that are cloud based. Local password managers are another matter, but they're simply a non-option for me and I'm not willing to give up the convenience, or the administration abilities that come with it in a business environment.


> The alternative right now is to use the same password everywhere. That's even worse.

Or to just use the browser's saving functionality and never push your passwords online in the first place. They're probably only using one primary device like me; I generally don't log in to stuff on my phone, or personal stuff on my work laptop/work stuff on my personal laptop.

If their habits are like mine then these cloud password services are pretty pointless.


You're unlike most people in that regard. I'm signed into services on at least two or three devices -- a desktop, a laptop, and my phone.

Also, with your setup, what happens if the computer with the browser containing all of the saved passwords is destroyed somehow?

I don't know if this has changed, but a few years ago the stored passwords in Chrome were stored unencrypted in a sqlite3 database. (on Linux, at least) I'd use an audited service such as Bitwarden or roll my own Keepass thing before using the browser's saved password feature. All it would take is one RCE exploit in a browser to expose your passwords.


> Also, with your setup, what happens if the computer with the browser containing all of the saved passwords is destroyed somehow?

This has already happened a few times over the past decade: I restore from local backups.


Okay, one step further then. What happens if your house burns down? Eventually you will want some sort of offsite backup.

Also: https://ohyicong.medium.com/how-to-hack-chrome-password-with...

Passwords are still easy to obtain outside of Chrome, and apparently Firefox is just as easy.

By using the browser's saved password feature you are one RCE away from someone being able to automate the extraction of all of your passwords.


I have one, and a minimal one on my keychain, both in an encrypted disk image I do memorize the password for.

I'm pretty sure on Firefox if you have the master password set, they're actually encrypted, and it has done that for a long time.


I think that using multiple devices is probably by far the most common use case. Personally I have my own PC, a work laptop, and a phone that I regularly use, and a tablet that I use irregularly (but often enough that I want my account information available).


> The alternative right now is to use the same password everywhere. That's even worse.

What's wrong with storing them locally on your laptop or on a piece of paper in your wallet?


Storing on a laptop is inconvenient because I need to use them on my phone and other devices.

Storing on a piece of paper is inconvenient because there are roughly 350 logins in my password manager.


and because transcribing a password from a piece of paper encourages short passwords.


My work keepass has 68 credentials in it. I am not going to memorize all of that.


I am so happy I left and destroyed my account before this breach and went with Bitwarden.

They showed red flags a long time ago!


This doesn't necessarily mean you're in the clear, as we don't know how old the stolen backups are.

If you were a LastPass user at any point you should rotate all the credentials that touched that service.


You’re completely right. I’m slowly changing password on every important account.

But I had sensitive notes too, so IF my details got leaked then I am ruined either way.


Same here, but unfortunately I only did it 1 month ago.

This breach helped me learn why it is important to have strong passwords.


Years ago, I told them privately of a vulnerability in their implementation of 2FA. They dismissed it as a non-issue.

A couple of weeks later they sent out a statement "clarifying" how their 2FA had a caveat. It was basically marketing bullshit glossing over the fact that they don't enforce 2FA locally (sorry, details are very vague in my memory now, but I remember it being a serious mis-implementation).

Clowns.


I spent part of my holiday break cleaning up after this mess, resetting hundreds of credentials. On the plus side, it provided a much needed opportunity for some house cleaning.


It also made me realize just how many sites have broken or missing password reset flows.


Did the same. Took several days but feels good to not have to worry about LastPass anymore.


The other difficulty is it appears there is little-to-no support for API/automation:

https://github.com/lastpass/lastpass-cli/issues/602

https://github.com/lastpass/lastpass-cli/issues/624

https://github.com/lastpass/lastpass-cli/issues/604

...their CLI tool is de-facto deprecated (unsupported) and has several unreliability issues (ie: `lpass ls/userls ...` reports differing amounts of values depending on when a user was added to the folder or not). Basically `lpass ls ... | xargs -n1 ...` cannot be trusted, and you can only get an accurate list of passwords (or users) from the actual GUI.

It makes automation, auditing, reporting, near impossible.


First rule of security breaches: it’s always worse than they let on.


From paying customer, to deleted account.


What’s the best way to delete an account? Overwrite all password values? Wait a month, overwrite again, wait a month, delete? It’s hard to tell what’s sufficient to reduce the risk that someone who breaches them in the future will use my data.

I doubt LastPass deletes my data when I delete my account. I even wonder if to comply with GDPR, they just disassociate the data from me so it can never relink, but keep the data so it can be used, sold, or rented.


> What’s the best way to delete an account? Overwrite all password values? Wait a month, overwrite again, wait a month, delete?

The only sensible approach is to change every password on every site that you’ve ever stored credentials in LastPass for. Any attempt to change the passwords is just hoping that their backups are better secured than their prod database (they are almost certainly not), and also that the data wasn’t popped before you changed them (which it almost certainly was, probably multiple times).

Delete your account, but revoke/update all those passwords asap as well. Since the site/url and email addresses were not encrypted, I’d be changing the email address on at least critical accounts as well where I can.


Best is to rotate all your stored passwords and not store the new ones in lastpass, delete all the items, and change the lastpass master password. Check any notes for sensitive info before overwriting and then deleting the entry and assume someone else will read what you had there.


For important accounts you should probably update your passwords.

Assuming you aren't reusing passwords, you shouldn't need to track down every online store you once bought something from. But you should consider updating your passwords for bank accounts, Paypal, Amazon, Google and whatever else would be a major headache if it were compromised.


Since I went through this a month ago:

- Migrate your vault to a new password manager

- Rotate all your passwords and save the new ones in your new password manager

- Delete your Lastpass account


And my stance against "cloud based password managers" -- and really, paid password managers -- is vindicated. Never!

I have evolved a little on using software to track passwords though, and I'm using Unix Pass quite happily now. It's just a short bash script that is very readable, and uses GPG as a backend.

Edit: What's doubly nice is how elegantly it scales from a simple folder of gpg encrypted text files to a multi user synchronized git repository on everyone's phone.

But all that's optional, and only requires you to trust other tools that you already regularly depend on.


That might be fine for the HN crowd, but cloud password managers are still the best solution out there for the typical person.


What does everyone think about just using Apple's Keychain for everything? Seems that for Keychain the most serious threat is actually being rando-banned by Apple and losing access to my stuff.


I honestly don't want to be locked out of my passwords, just because Apple decides to block my account for "abuse", because I use iTunes Music Fitness Plus from the wrong country or whatever.

There are all these "lol we blocked you for abuse, good luck doing anything :^) I guess complain on twitter lol" horror stories that I don't want to be locked down to one provider that does _everything_, the way Google or Apple does.

Even the fact that I have all e-mail at Google that can randomly ban me for "abuse" makes me scared, but I don't want to figure out how to move all my mail history to ProtonMail or AOL or whatever. I will need to have that as a risk.


I think we seriously need legal regulation for that. A company should not be able to take your personal data hostage like that. If they really want to ban you, you should at least be able to legally request a copy of all your data.


The Apple Keychain items are stored locally in ~/Library/Keychains


This is true. Apple can't lock you out of your keychain. You can register with them to have an unlock key, but that is different.

For me, I find the Keychain to be too chaotic. I use 1Password.


I moved to Protonmail for precisely this anxiety, and can tell you that there's not much to "figure out". It's pretty painless, they have a guide for it, and despite what I think about Google, their "Take Out" service isn't too bad.


This is what I have been doing since migrating away from LastPass. It has been great so far (and free). I’d say that I wish I could share passwords like in LastPass/1Pass but honestly my wife always struggled with that, so it’s easier to just AirDrop a credential if we need to share. It’s also integrated so well with Apple products that my wife was using it without even realizing it. I suspect the same will happen with my daughters.

If you’re an Apple house, it’s a great solution.


One would have to exist solely in the Apple ecosystem for this to be viable, surely? Surely most people on HN have at least one device that isn't Apple!


Yes, it's only convenient on Apple devices. But it's still doable if you don't access that much stuff on other devices, e.g. when I need to access something on my Windows computer (which basically exists to run Microsoft Flight Simulator), I just manually retype passwords from my iPad.


There's a Windows app for iCloud to show passwords, but it's very basic.


I tried this app, I thought it was very elementary and a very sub-par experience for myself as the user. I would not recommend.


For Google Chrome only.


I use a mix of Keychain and MacPass (keepass compatible). I will add something to MacPass, then sign in with it and let Keychain remember it. Notes however:

1. I do not use the MFA capability of Keychain at all. Putting your MFA, username and password in the same store is fucking stupid. I have a hardware TOTP token. Backup codes for that are however kept in Keepass.

2. I keep an offline backup of everything. Never trust a cloud backup!

3. All vendors are ephemeral, regardless of their size. Everything I have I have a carefully planned exit plan for.

As other people have pointed out, your keychain is on disk, but if you lose the Mac and find out your MFA codes don't work or something (this does happen) then you're SOL. Keep a backup.


I'm not sure about apple's cloud stuff, but the keychain is actually just a file on your system. It is password protected, but it is just your login/sudo password (depending on which file it is).

I just had my keychain corrupt last night while I was testing the SecItemAdd API. So keep that in mind, maybe make backups. I was pretty shocked that you can corrupt the keychain using just the API; the entire security process started to lock up too. I had to (manually!) delete the entire keychain and start from scratch. Luckily I don't rely on it much.

It is worth noting that after you back it up to a remote location, it may not be a very secure concept anymore.


Keychain is perfectly fine if you're all in on Apple stuff. I am, so I could start using it today. A downside is that it doesn't have much in the way of a dedicated UI, especially on iPad/iPhone. Compare the 1Password app to Settings > Passwords on a phone. Keychain also only handles passwords, and not TOTP, notes, software licenses, etc.


You can export your keychain and import into other password managers, if you have access to a Mac. I doubt this can be automated, though, and passkeys will need another solution.


What happens to the serial security recidivists? Where are the regulators? LastPass has had security incident after security incident, how are they still allowed to operate?


I think at this point, they need to get purchased by Experian, so they can combine into such an ugly mess of problems, that identity laws get overhauled.


They failed to secure sensitive user credentials, that must’ve broken some law.

Also, people can store notes on lastpass, did those get leaked too?


Yes

"that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

https://blog.lastpass.com/2022/12/notice-of-recent-security-...


I would not be surprised if such sensitive details could ruin someone's life, and that is now in the hands of a bad actor.


Would this sort of thing fall under GDPR?


And probably CCPA in that case?


What regulation? Nobody will ever prosecute them.


In the comments on Reddit someone linked to a podcast where they broke down what this really means in terms of how "secure" your leaked encrypted vault is.

The TL;DR is even with 100k+ iterations of PBKDF2 an attacker can crack a password with 40 bits of entropy in about 71 days if they had access to 200 modern GPUs. For comparison if there were only 1 iteration instead of 100k the same type of password could be cracked in 61 seconds.

50 bits of entropy changes things a bit. Now it takes 1 year instead of 71 days but if you're a high value target they can just ramp up the number of GPUs to reduce the time.

The difference between 40 and 50 bits of entropy for a password looks like this:

    40 bits: !climb33
    50 bits: ClimbS1@
    40 bits: any 9 lower case letters
    50 bits: any 11 lower case letters
The takeaway I got is you're probably ok if you have a really good password (150+ bits) with 100k+ iterations but if I were using Lastpass personally (which I'm not) I would absolutely re-roll everything and never use the product again. I personally use a command line tool called `pass` which stores everything locally. This story interests me though because I am mildly involved with someone who is using Lastpass and I suggested they re-roll everything. I'm happy to see someone did the math, it's the exact information I wanted to know.

The podcast show notes are on page 6 which has more numbers and practical examples: https://www.grc.com/sn/SN-905-Notes.pdf


I think this misrepresents password entropy. For example forcing a capital letter mostly results in lusers capitalising the first letter (and losing about 1 bit versus having the choice of case for every character). Requiring "special characters" further decreases the entropy (certainly in theory, and I assume in practice).


I used https://www.omnicalculator.com/other/password-entropy to calculate it by the way. I threw out a few examples but you're right, it does come down to individuals knowing what to do or not. Those aren't meant to be good examples of passwords to use in practice.


For the record, it's pretty easy to do this by hand. The calculator assumes the attacker knows how many of each kind of character there is, which is a weird assumption so I'll not use that. Anyway you can take the base-2 log of the number of possibilities, or more easily add the entropies of each character (if they're not related). If you take e.g. the 64 symbols of Base64 as your allowed space you get: n*log_2(64)= 6n bits of entropy for an n-character password.


Given that most brute forcing is probably going to be done with wordlists and various permutations, I found this site to be interesting for estimating real password strength: https://lowe.github.io/tryzxcvbn/


`pass` is lovely, but don't you need your passwords on your phone when you're out-and-about?


There are apps for mobile devices, some sync with a GitHub repository (which you should make private): https://www.passwordstore.org/#:~:text=password%20(OTP)%20to...

The contents of the GitHub repo are of course encrypted with your own key, which you need to manually sync to your other devices.


The Android app for pass, and the required gpg app, are pretty clunky and not very friendly to work with (and the Windows desktop experience is not great either).

After some time with pass, I switched to a more integrated solution, with KeePassXC on desktops and Keepass2Android on mobile, with sync via OneDrive.


Pass has clients on iOS and Android, but there was some blocker with my GPG key on YubiKey last time I tried.

Ended up on Bitwarden (Vaultwarden in my closet really) instead for web passwords. Admin passwords stayed in pass because I want to be sure I have them. Git is local to the device even if the server burns down.


You can rsync the whole directory of passwords elsewhere and then connect there from your phone using SSH. If you're handy with `pass` you probably have an SSH client on your phone anyway (I use Prompt on iOS). Some people might think you're weird for using SSH from your phone though, fair warning.


> The TL;DR is even with 100k+ iterations of PBKDF2 an attacker can crack a password with 40 bits of entropy in about 71 days if they had access to 200 modern GPUs

...

> 50 bits of entropy changes things a bit. Now it takes 1 year instead of 71 days

I don't understand this. Going from 40 bits to 50 bits increases the size of the search space by a factor of 1024. Why does it only increase the search time by a factor of 5?


That's a good question to ask the podcast host (the source of those numbers).

On the reference page I linked it mentions:

> Having 40 bits of entropy is approximately 1,000 times weaker than 50 bits since bit strength scales exponentially. In other words, random bits are worth a lot because each additional truly random bit, on average, doubles the time required to crack.

71 days vs 365 days is about a 5x multiple. I'm not sure how all of that ties together.
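As an added example (not from the podcast, the entropy calculator, or any commenter), the following Python puts the arithmetic these comments are doing into functions: the entropy of a random password from its length and alphabet (the `n*log_2(64)` calculation above), the expected cracking time as a function of entropy bits, PBKDF2 iteration count and attacker throughput, and the iteration count needed to hold a password of a given strength above a target cracking time. The per-GPU throughput constant is a constructed placeholder to be replaced with a real hashcat benchmark, and the key-derivation helper assumes PBKDF2-HMAC-SHA256 salted with the lowercased account e-mail, which is an assumption for illustration and not something the thread states.

```python
import hashlib
import math
import time

# Constructed placeholder: PBKDF2-HMAC-SHA256 rounds one GPU computes per second.
# Replace with your own `hashcat -b -m 10900` figure; the model scales linearly in it.
ASSUMED_ROUNDS_PER_GPU_PER_SEC = 5.0e9


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def guesses_per_second(gpus: int, iterations: int,
                       rounds_per_gpu: float = ASSUMED_ROUNDS_PER_GPU_PER_SEC) -> float:
    """Whole-cluster guess rate: every guess costs `iterations` PBKDF2 rounds."""
    return gpus * rounds_per_gpu / iterations


def expected_crack_seconds(bits: float, iterations: int, gpus: int,
                           rounds_per_gpu: float = ASSUMED_ROUNDS_PER_GPU_PER_SEC) -> float:
    """Expected time to hit a password of `bits` entropy: on average half the 2**bits space is searched."""
    expected_guesses = 2.0 ** (bits - 1)
    return expected_guesses / guesses_per_second(gpus, iterations, rounds_per_gpu)


def time_ratio(bits_from: float, bits_to: float) -> float:
    """Factor by which expected crack time grows between two entropy levels (1024 for 40 -> 50)."""
    return 2.0 ** (bits_to - bits_from)


def iterations_for_target(bits: float, target_seconds: float, gpus: int,
                          rounds_per_gpu: float = ASSUMED_ROUNDS_PER_GPU_PER_SEC) -> int:
    """Smallest PBKDF2 iteration count that keeps the expected crack time at or above `target_seconds`."""
    expected_guesses = 2.0 ** (bits - 1)
    return math.ceil(target_seconds * gpus * rounds_per_gpu / expected_guesses)


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of the master password salted with the lowercased e-mail.
    Assumption for illustration only; the thread states just the iteration counts.
    An attacker pays this call once per guess, which is why iterations matter."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), iterations, 32)


def cpu_rounds_per_second(iterations: int = 20_000) -> float:
    """Measure how many PBKDF2 rounds one core of this machine does per second,
    for comparison against the GPU assumption above."""
    start = time.perf_counter()
    derive_vault_key("benchmark-only", "bench@example.com", iterations)
    return iterations / (time.perf_counter() - start)


def scenarios(gpus: int = 200) -> dict:
    """Expected crack time in days for the password classes discussed in the thread."""
    day = 86_400
    return {
        "40 bits, 1 iteration": expected_crack_seconds(40, 1, gpus) / day,
        "40 bits, 100k iterations": expected_crack_seconds(40, 100_000, gpus) / day,
        "50 bits, 100k iterations": expected_crack_seconds(50, 100_000, gpus) / day,
        "9 lowercase letters, 100k": expected_crack_seconds(entropy_bits(9, 26), 100_000, gpus) / day,
        "11 lowercase letters, 100k": expected_crack_seconds(entropy_bits(11, 26), 100_000, gpus) / day,
    }


if __name__ == "__main__":
    for label, days in scenarios().items():
        print(f"{label:>28}: {days:14.6f} days")
    print("iterations to hold 40 bits above one year against 200 GPUs:",
          iterations_for_target(40, 365 * 86_400, 200))
    print("this CPU core: %.3g PBKDF2 rounds/s" % cpu_rounds_per_second())
```

Because the expected time is 2^(bits-1) divided by the guess rate, adding ten bits multiplies it by exactly 1024 at any fixed iteration and GPU count, and raising iterations from 1 to 100,000 multiplies it by exactly 100,000; the two factors are independent, so the model is a quick sanity check for any published figure once you plug in a measured throughput.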


Has this soured the concept of a password manager? Instead of many different accounts and passwords you also add one more account that gives you access to everything. Backdooring yourself.

People will say you have to use one because you might reuse a password. If a hacker gets hold of it they will have access to other accounts. Hopefully many use different emails and/or passwords, but even if they don't, an attacker doesn't have a list of websites this works on and will try to log in to major sites, which usually alert the user. If your LastPass account has been hacked they know all sites, large and small, and will have an easier time stealing info/money from smaller sites with lower protections, and can blackmail you because you saved your pornhub account (with a privacy email address) in LastPass.

People are going back 5 years trying to get information from a company they have no relationship with. This company kept your passwords after you left. Once you give them to LastPass they are no longer secured even if you decide to leave... 10 years later, coming in through that backdoor you left open.


GoTo considered harmful


This is amazing.


We’re finished with LastPass. We are actively moving employees away from it and will never touch their products again.


Good advice I was given a long time ago and have since followed:

When you need to admit a mistake or apologize, get it all out and be truthful about it. Effectively get it over and done with.

People do appreciate honesty, but will strike back with retaliation if they find out you only appeared honest. Telling a half truth is no better than lying.


"If you have to eat crow, best to do so while it is warm."


As a KeePass user, I could not be happier.

Contrary to popular belief, keeping a file synchronized is not difficult.

This "breach" is just as good as assuming Google or Apple or Bitwarden or any other cloud password manager is broken, because they all work the same way: "we promise to keep it secure". This is different from storing a KeePass file on the same Google cloud, because an attacker has to break into your cloud login first, then hope to find your KeePass file, then try to break that file.

As opposed to breaking into your Google account and seeing the passwords, or breaking into Bitwarden or 1Password or something else.

If someone has the 1Password logins of 10 people, there is good reason to assume there will be passwords stored.


I was a long time keepass user but moved to Bitwarden. My problem with keepass is the low quality and often poorly supported closed source clients that you get on mobile.


I don't know about you, but I have been using KeePassDroid and another client from F-Droid for years now..... maybe this was because, as you said, "low quality and often poorly supported closed source clients"...


Strongbox works great for me on iOS and macOS.


Me too. Yes I paid for it. Yes it works extremely well.


The occasional times I haven't been able to log into my bank because I was on a computer that didn't have my kdbx file, or the small worry I have of keeping it up to date in multiple places while transitioning my main system, are no bother compared to the constant worry that someone might have my logins because of some security breach. That said, I just give Apple everything when on that ecosystem. ¯\_ (ツ)_/¯


Keepass2Android is excellent if you have an Android phone. You can use that with Syncthing to synchronise files, and InputStick to emulate a keyboard over Bluetooth if you're using a non-personal computer.


I've had good luck with KeepassXC. For an android client I use KeepassDX


Maybe overkill, but I use Cryptomator, which encrypts the files; the files are synchronized with Nextcloud at a remote location, but I suppose you can use whatever software you want. Inside that there is a https://keepassxc.org/ database. It works on a phone too: Cryptomator opens the vault with a fingerprint, KeePassXC opens with a fingerprint. Well, not the quickest way, but it will do. I still have some useless passwords in Chrome, but only for unimportant stuff.


I use KeePassXC too, and Dropbox for database sync. Probably not very secure, but I store the root password only in my head, and the secret key offline. Never used a mobile client though, not sure if they can be trusted.


Can someone explain it to me like I am 5 years old. Why would I take all my passwords, centralize them and place them onto a 3rd party site? Why is this security best practice?


Because using a password manager as intended solves several well-known and very common password-related attacks like credential stuffing.

A password manager makes it possible for the average person to have high length, completely random passwords for each and every site, and to have them available on all of their devices.

That makes it a lot less likely that people will do bad things like re-using passwords, having short passwords, or writing them down.

My LastPass account would have been in the breach, but as my vault was protected with 151,000 iterations and a very long password, it'd take an attacker a long time to be able to get to my Hacker News password, which they'd find was 50 random characters long and looked something like jtES^cqhPj3@&rgPW5#frmDpf#^gGyf3eRoPH#fUZWJQGNFJvW

They'd also find that I've since changed it!


It's a recommended practice (I hate the term "best", everything depends).

Why? Quite easy actually - having random passwords is better than reusing the same everywhere. Random passwords are impossible to remember by a regular human, hence you need a password manager. Using a local file as a password manager poses a usability/availability risk (you have to sync it yourself, you have to back it up yourself, you have to make it available on all devices without putting it at risk, you have to secure it, etc.), hence cloud-based password managers are better for the average person, especially coupled with MFA for critical accounts (banks, email, etc.). If you're a highly technical or highly security conscious person, or under threat, the equation changes of course, but the recommendation for a cloud-based password manager isn't meant to apply to everyone, just most people.


You have to consider what the security landscape looked like when LastPass got going in 2008. The common practice for non-technical people was (or still is) to reuse the same password everywhere. A password that's really easy to remember like "p@$$word".

In this context, the common alternative to LastPass isn't best practice, it's worst practice.


You can publicly post an encrypted password file and dare hackers to break it, assuming your password is >80bits of entropy. All this worry about cloud storage and web access is due to ignorance about encryption.


It's not a security best practice, but a security "good enough".


It's not.


There is only one rational course of action: (1) export and delete your LastPass account, (2) import to a new password manager, in my case Bitwarden, (3) change all your passwords.


I use them too, but password managers feel like they’re building atop a poor foundation. I’d like if we could go further in the direction of site login using a big, well-known identity provider (sure, let there be some independent one if you don’t want to trust Google or Facebook). Failing that, this incident does show the virtue of the old-fashioned method of writing down the passwords and keeping them somewhere safe.


What product supports Cross Platform (minimum of Windows, Mac, iOS) that is easy to setup for non-technical people?


Surprisingly, Apple's built-in password manager. They have a Chrome extension for Windows (but not for macOS Chrome, unfortunately).


Just make sure people with password access update their iPhone passwords to be strong. With Face ID, this shouldn't cause too much inconvenience.


1password. In addition to above, it has Linux support & browser extensions


from a position of ignorance, why/how is 1password better?


From the top of the reddit post:

>"For those that may not have seen it, since instead of a new post they “updated” the one from November…Looks like it’s even worse than they first let on"

Can anyone say if they notified their customers that they had updated the original post?


Wow! This should definitely not be downplayed, they have lost users' trust for good.


If I have 2FA set up, would I still need to change the passwords (despite the leak)?


MFA means that you're not immediately exploitable. It doesn't mean that you can't be phished — and remember that someone with your LastPass vault can make some pretty convincing targeted phishing messages — if your 2FA is anything other than a FIDO2/WebAuthn key. This has become routine and there are toolkits for attackers to make it easier so it's definitely not an emergency but not something you want to slack on.

It also doesn't doesn't help if there's any way around the MFA process. For example, could the attacker convince a minimum-wage support person / chatbot that you need to reset your MFA? Many companies skimp mercilessly on support costs and that makes this easier than it should be. I've even seen sites where your MFA can be reset using an email challenge!


2FA bypass bugs on websites are common, e.g. this PayPal bypass that stemmed from them allowing their own app through without 2FA, since their app didn't support 2FA at the time:

https://duo.com/blog/duo-security-researchers-uncover-bypass...


If everyone knows the password, then it's really just 1FA at that point. If you want it to remain 2FA, then yes, you would need to have a new password.


My personal password policy is. Never store passwords in PW-managers to important things that can be accessed without MFA. Especially not work related things.

I have not figured out where to store those backup codes though.


Is there a reason why I shouldn't just store my passwords in Firefox?


Firefox and other browsers are just not very good at password management. It does seem like a feature that should be built in to the browser.


I'm confused and not trying to be argumentative, but if I enter my passwords into my browser anyway, why not store them there?


According to https://layoffs.fyi a company named “GoTo Group” based in Indonesia recently laid off 1200 employees, however they appear to have no obvious relation to “GoTo Company” which owns LastPass.

Under the circumstances, a staffing shakeup in the CISO office sometimes occurs in companies after this kind of accident.

Does anyone know what the situation is like inside LastPass headquarters?

After a previous LP incident I noticed a number of senior security officer positions advertised on the LastPass Careers site.


That "GoTo Group" was formed when Gojek and Tokopedia merged [1] and isn't related to LastPass.

[1] https://en.wikipedia.org/wiki/GoTo_(Indonesian_company)


A reddit thread about another company. Can anyone link me to where the LastPass announcement changed?



I use KeepassXC with password + yubikey challenge response. My mental model is that this encrypts my database using my password combined with the yubikey response. With this configuration- it appears that I should be able to put my database anywhere in the open.

Which leads me to my point: If the password manager is properly used then why do we care if the encrypted databases were leaked?


Not all the contents of the databases were encrypted.


Keepass encrypts the whole database. There are no unencrypted parts, in contrast to some other password managers.
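To make the distinction above concrete, here is an added Python example (not LastPass, KeePass or any commenter's code) that looks at a leaked vault the way an attacker without the master password would. The record layout and every URL in it are constructed for this illustration, and the encrypted fields are stand-in blobs; the keyword lists are likewise constructed. The point it shows is that with URLs in the clear, as the notice quoted earlier in the thread describes, the attacker can already enumerate and rank targets and tie the vault to an employer before cracking anything, which a format that encrypts the whole database denies them.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample dump. Only `url` is readable; the other fields stand in for
# ciphertext the attacker must crack the master password to open.
SAMPLE_VAULT = [
    {"url": "https://online.examplebank.com/login", "username": "<enc>", "password": "<enc>", "notes": "<enc>"},
    {"url": "https://online.examplebank.com/transfer", "username": "<enc>", "password": "<enc>", "notes": "<enc>"},
    {"url": "https://mail.example.org/", "username": "<enc>", "password": "<enc>", "notes": "<enc>"},
    {"url": "https://hr.example-corp.com/payroll", "username": "<enc>", "password": "<enc>", "notes": "<enc>"},
    {"url": "https://vpn.example-corp.com/", "username": "<enc>", "password": "<enc>", "notes": "<enc>"},
    {"url": "https://forum.example.io/", "username": "<enc>", "password": "<enc>", "notes": "<enc>"},
    {"url": "https://adult.example.xxx/account", "username": "<enc>", "password": "<enc>", "notes": "<enc>"},
    {"url": "not a url", "username": "<enc>", "password": "<enc>", "notes": "<enc>"},
    {"url": "https://shop.example.net/", "username": "<enc>", "password": "<enc>", "notes": "<enc>"},
]

# Constructed hostname keyword -> category map; a real attacker uses a much larger one.
CATEGORY_KEYWORDS = {
    "finance": ("bank", "payroll", "invest", "broker", "pay"),
    "identity": ("mail", "okta", "sso", "id."),
    "employer": ("vpn", "hr.", "corp", "intranet"),
    "private": ("adult", "dating", "health"),
}
PRIORITY = ["finance", "identity", "employer", "private", "other"]


def host_of(url: str):
    """Hostname of an http(s) URL, or None for anything that does not parse as one."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname
    return None


def categorize(host: str) -> str:
    """First matching category in PRIORITY order, so a bank with 'id.' still counts as finance."""
    for category in PRIORITY[:-1]:
        if any(keyword in host for keyword in CATEGORY_KEYWORDS[category]):
            return category
    return "other"


def exposed_hosts(records) -> list:
    """Unique hostnames readable without any key, in vault order."""
    seen = []
    for record in records:
        host = host_of(record.get("url", ""))
        if host and host not in seen:
            seen.append(host)
    return seen


def triage(records) -> list:
    """Hosts grouped by category, highest value first: the attacker's worklist
    before a single password has been cracked."""
    buckets = defaultdict(list)
    for host in exposed_hosts(records):
        buckets[categorize(host)].append(host)
    return [(category, buckets[category]) for category in PRIORITY if buckets[category]]


def employer_domains(records) -> set:
    """Parent domains of hosts flagged as employer infrastructure: the vault links
    the user to an organisation even though nothing has been decrypted."""
    return {host.split(".", 1)[1] for host in exposed_hosts(records)
            if categorize(host) == "employer" and "." in host}


if __name__ == "__main__":
    for category, hosts in triage(SAMPLE_VAULT):
        print(f"{category:>9}: {', '.join(hosts)}")
    print("employer:", ", ".join(sorted(employer_domains(SAMPLE_VAULT))))
```

Run against a KeePass database the same code gets nothing, because the file is ciphertext from the first byte of the body to the last; that is the practical meaning of "no unencrypted parts" for someone holding a stolen backup.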


If I closed my LastPass account a year ago (migrated to a different password manager), am I in trouble?


I’ve been sitting on what I think might be the last straw to break the proverbial camel’s back, but I didn’t think readers had any more bandwidth to hear more about this breach. I have my reasons to believe there’s a good chance LP knows of a means by which the master keys of some users may have been compromised long before this incident.


[...sound of offline password managers' users munching on popcorn intensifies...]


Moved everything important off LastPass a while back; still using it for convenience for passwords/accounts that I don't care that much about, but using KeePass offline for anything of consequence. Not really ready to trust Bitwarden.


A question for those "starting to migrate away". Why bother changing passwords that you then put back into LastPass?

Change the passwords yes, all of them, but if you're going to put the new ones back in to be re-exported by your adversary you may as well save yourself the time and stay with the already breached ones.


I asked the tech lead at a past job if he'd have been willing to resign over his decision to store our keys in the "cloud", using LastPass. He never responded.


It sure sounds like they're doomed.


So glad I switched to KeepassXC


What idiot transfers all their passwords to a small private company?


I use iCloud keychain - has there been any reason to suspect this is an idiotic move, especially when coupled with twofactor auth on important sites?

Really important stuff is of course handled in other ways..


One word of caution - do you realise that anyone with your iPhone + PIN code can access all those passwords?

All you have to do is go to settings > passwords and enter the pin and there they all are.

So if you use this, have a really good iPhone PIN!


With FaceID you can set a complex iPhone password with little loss of convenience. I have a complex iPhone password, use iCloud Keychain, and have few issues.


That's absolutely insane. I use Face ID plus a pass though.


> have a really good iPhone pin

iPhone PIN ? Say what now ?

Only fools use PINs.

iPhones have supported keyboard entry for passwords for a very very very very long time now. And more recently, TouchID and FaceID, of course.

You can also configure iOS to erase after n incorrect entries.

At this point in time, you get what you deserve if you still use numeric PINs.


Yeah, I meant password; that was exactly the point I was making...


What idiot transfers all their passwords to any private company?


What idiot keeps all their money in a bank instead of securing it themselves?

Sometimes it’s preferable to pay the professionals, especially if you’re not an expert. I’ve recommended LastPass to my grandparents for years because it’s better than using their grandkids’ names as passwords everywhere.


Do password managers have FDIC coverage? Banks do. Big difference.


Sucks that LastPass has these significant problems. From purely a product perspective it's pretty good. I used it for years quite happily as it kept myself and wife in sync with all of our accounts/passwords across all of our devices and browsers. LastPass is one of only a handful of products that truly works on virtually all platforms and browsers. Windows and Mac, home and corporate devices, mobile, you name it.


> LastPass is one of only a handful of products that truly works

“Truly works” except for the one critical feature that is the sole reason people use it. It does not keep your passwords safe.

Doesn’t matter how nice their Windows app is, or how smooth the animations on iOS are, or how well it’s browser plugins work.

It fails at its only real task, safely storing your credentials.


1Password works everywhere too, and it works much better than LastPass from everything I've heard and seen.

1Password also actually encrypts your entire vault, and it uses a strong, generated secret key in addition to your password, so even if a user does not use a strong password, their vault would still be very hard to crack.


The new add-on for Firefox doesn't just work; instead it is unable to match the current URL to entries. You have to switch off the "Advanced autofill", which is automatically turned back on nearly every day. The Android autofill doesn't "just work" either, but that may be Android's fault.



