Solved

Looking for comments on this security incident at LastPass


Userlevel 7
Badge +22

So is it safe to use online password stores? 

 

What is your opinion?

 

LastPass announcement

 

https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/


Best answer by Iams3le 3 December 2022, 08:00


19 comments

Userlevel 7
Badge +17

Everything that is reachable over the network is attackable….

Userlevel 7
Badge +22

Everything that is reachable over the network is attackable….

For sure, but do you believe their claim in the announcement about the zero... blah blah?

Userlevel 7
Badge +14

Forgot to post this yesterday. Seems like their customer data isn't affected and if they've done it right like they claim, there's nothing an attacker could do. But still it's the 4th or 5th incident, which is too much in my opinion.

 

Userlevel 7
Badge +13

Absolutely safe. Even if it was breached, passwords are encrypted with AES-256 before being sent to their servers. Without knowing the master key used to encrypt them, used by each user, there’s no issue.

BUT.

As @regnor says, this is the fourth/fifth time that something like this has happened to LastPass, and that’s not a good thing for their reputation...

Userlevel 7
Badge +17

Everything that is reachable over the network is attackable….

For sure, but do you believe their claim in the announcement about the zero... blah blah?

I think it’s good that they communicate the issue transparently.

But this could be a problem, depending on what the background is:
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”
Is the same weakness used as in August? Did they use customer passwords obtained in August, which the customers did not change?

 

And regarding the Zero Knowledge… It seems that all passwords are AES-256 encrypted on your machine before they are sent to the LastPass server. So, they should not know any of your saved passwords….

Userlevel 7
Badge +20

Forgot to post this yesterday. Seems like their customer data isn't affected and if they've done it right like they claim, there's nothing an attacker could do. But still it's the 4th or 5th incident, which is too much in my opinion.

 

This is the scary part that they keep trying to get in there.  I have LastPass but mainly use Dashlane instead for my password management and always keep things secure with randomized 40-character passwords, etc.  Also, MFA when available is always turned on.  I believe LastPass does that too.

They do seem to be secure based on their model, but you never know right nowadays.

Userlevel 7
Badge +13

Maybe give Bitwarden or 1Password a try, guys!

The paid version.

Userlevel 7
Badge +20

Maybe give Bitwarden or 1Password a try, guys!

The paid version.

I have 1Password as well and tried Bitwarden.  The Dashlane I have is the paid version.

Userlevel 7
Badge +9

Like @marcofabbri mentioned, it is safe based on the protective measures in place. This is one reason why some firms do not use the cloud to date; they feel it is not safe. Organisational concerns and data residency are some of the reasons some organizations are skeptical.
 

To avoid this concern, just set up your own password manager (I think I have done this in the past for two companies using ManageEngine Password Manager and Pleasant Password Manager)!


Note: Any company can be targeted. Twilio, Zoom, Twitter, Microsoft, Cisco etc. have all been targeted numerous times. Another simple solution is KeePass!

Userlevel 7
Badge +9

Everything that is reachable over the network is attackable….

For sure, but do you believe their claim in the announcement about the zero... blah blah?

I think it’s good that they communicate the issue transparently.

But this could be a problem, depending on what the background is:
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.”
Is the same weakness used as in August? Did they use customer passwords obtained in August, which the customers did not change?

 

And regarding the Zero Knowledge… It seems that all passwords are AES-256 encrypted on your machine before they are sent to the LastPass server. So, they should not know any of your saved passwords….

I love the fact that they spoke up, else they would end up like Uber's former CSO Joseph Sullivan :-) Maybe they could increase their security.

Userlevel 7
Badge +13

Note: Any company can be targeted. Twilio, Zoom, Twitter, Microsoft, Cisco etc. have all been targeted numerous times. Another simple solution is KeePass!

Fun fact: Apple employees adopted 1Password a while ago.

Userlevel 7
Badge +4

Well, it says so, as I say, AES-256, but I'm not sure; attackers nowadays are smarter and more intelligent...

Userlevel 7
Badge +13

No no mate, it’s purely mathematical :)

Using 256 and a super strong password is safe, even with rainbow tables.

Userlevel 7
Badge +7

Hopefully the attackers have not managed to modify the part that handles the Master Password mechanism. From the announcement it does not seem like it. 

Userlevel 7
Badge +8

I like keeping my passwords separated: personal and professional use.
For the personal ones, I use the Apple password ring, so everything works and shares OK.

For personal critical passwords, like the bank, I still use my brain, not stored anywhere.

For the work ones, we use a net solution, Passbolt, implemented on-prem, and as a backup, a local KeePass installation importing the backups from Passbolt periodically, just in case the infrastructure is affected by any threat.

I think it's very cool to store and use password vaults to make our lives easier, but always have a plan B if something goes wrong, and be prepared, if you get hit, to move as quickly as possible with a fix!

cheers.

Userlevel 7
Badge +7

An update from LastPass. It does look quite bad. 

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Userlevel 7
Badge +20

An update from LastPass. It does look quite bad. 

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Very bad. Won't be using them again for passwords.

Userlevel 7
Badge +22

Hard to see how they can survive this, but... you never know.

Userlevel 7
Badge +14

There's an update regarding the breach. While it doesn't mention Lastpass, I thought it would still be interesting to read.

Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.

https://www.goto.com/de/blog/our-response-to-a-recent-security-incident
