Skip to main content

So is it safe to use online password stores? 

 

What is your opinion?

 

Lastpass announcement

 

https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/

Everything that is reachable over the network is attackable….


Everything that is reachable over the network is attackable….

for sure but do you believe their claim in the announcement about the zero.. blah blah?


Forgot to post this yesterday. Seems like their customer data isn't affected and if they've done it right like they claim, there's nothing an attacker could do. But still it's the 4th or 5th incident, which is too much in my opinion.

 


Absolutely safe. Even it was breached, passwords are encrypted AES-256 before sending to their servers. Without knowing the master key used to encrypt them, used by each users, there’s no issue.

BUT.

As @regnor says, this is the fourth/fifth time that something like this happens to LastPass, and that’s not a good things to their reputation...


Everything that is reachable over the network is attackable….

for sure but do you believe their claim in the announcement about the zero.. blah blah?

I think it’s good that they communicate the issue transparently.

But this could be a problem, depending what the background is:
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”
Is the same weakness used as in August? Did they use customer password obtained in August and the customer did not change their passwords?

 

And regarding the Zero Knowledge… Seems that all password are AES-256 encrypted on your machine before they are sent to the LastPass Server. So, they should not know any of your saved passwords….


Forgot to post this yesterday. Seems like their customer data isn't affected and if they've done it right like they claim, there's nothing an attacker could do. But still it's the 4th or 5th incident, which is too much in my opinion.

 

This is the scary part that they keep trying to get in there.  I have LastPass but mainly use Dashlane instead for my password management and always keep things secure with randomized 40-character passwords, etc.  Also, MFA when available is always turned on.  I believe LastPass does that too.

They do seem to be secure based on their model, but you never know right nowadays.


Maybe guys give a try to Bitwarden or 1Password!

The paid version.


Maybe guys give a try to Bitwarden or 1Password!

The paid version.

I have 1Password as well and tried Bitwarden.  The Dashlane I have is the paid version.


Like @marcofabbri mentioned, it is safe based on the protective measures in place. This is one reason why some firms do not use the cloud till date, they feel it is not safe. Organisation concerns and data residency are some of the reasons some organizations are being skeptical. 
 

To avoid this concern, just setup your own password manager (I think I have done this in the past for two companies using ManageEngine Password Manage, and Pleasant Password Manager)!


Note: Any company can be targeted. Twilio, Zoom, Twitter, Microsoft, Cisco etc have all been targeted numerous times, Another simple solution is KEYPASS!


Everything that is reachable over the network is attackable….

for sure but do you believe their claim in the announcement about the zero.. blah blah?

I think it’s good that they communicate the issue transparently.

But this could be a problem, depending what the background is:
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”
Is the same weakness used as in August? Did they use customer password obtained in August and the customer did not change their passwords?

 

And regarding the Zero Knowledge… Seems that all password are AES-256 encrypted on your machine before they are sent to the LastPass Server. So, they should not know any of your saved passwords….

I love the fact that the spoke up, else they will end up like Uber's former CSO Joseph Sullivan 🙂 Maybe they could increase their security) 


Note: Any company can be targeted. Twilio, Zoom, Twitter, Microsoft, Cisco etc have all been targeted numerous times, Another simple solution is KEYPASS!

Fun fact: Apple employees adopted while ago 1Password.


well it say so as i say AES-256 but not sure attackers now a days more smart and intelligent .. 


Nono mate, it’s purely mathematical :)

Using 256 and super strong password is safe, even with rainbowtables.


Hopefully the attackers have not managed to modify the part that handles the Master Password mechanism. From the announcement it does not seem like it. 


I like keeping my passwords separated, personal and professional use.
For the personal ones, I use apple password ring, so everything works and shares ok.

For personal critical passwords, like bank, I still using brain, no stored anywhere.

For the work ones, we use a net solution, Passbolt, implemented on-prem, and as a backup, local keepass installation importing the backups from Passbolt periodically, just in case the infrastructure is affected by any threat.

I think it´s very cool to store and use password vaults to make our life easier, but always have a plan b if something goes wrong, and be prepared if you get hit, to move as quick as possible with a fix!

cheers.


An update from LastPass. It does look quite bad. 

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/


An update from LastPass. It does look quite bad. 

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Very bad. Won't be using them again for passwords.


Hard to see how they can survive this but.. you never know


There's an update regarding the breach. While it doesn't mention Lastpass, I thought it would still be interesting to read.

Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.

https://www.goto.com/de/blog/our-response-to-a-recent-security-incident


Comment