Submitted by BasedSweet t3_10z1kx5 in technology
Comments
ivanoski-007 t1_j82pdby wrote
Why not google password manager
teh_maxh t1_j82rm5m wrote
It's missing a lot of features. Until recently, it didn't even support on-device encryption.
ivanoski-007 t1_j83tolj wrote
>It's missing a lot of features.
Like what, what more do you need that google password manager doesn't have?
teh_maxh t1_j855u75 wrote
Its records can only include a single domain, username, and password, and only the password can be changed.
ivanoski-007 t1_j85eoax wrote
So?
teh_maxh t1_j86387i wrote
A website and an app, as far as Google password manager cares, are two completely separate passwords. It also interacts poorly with subdomains.
GigaChartock t1_j85rwhy wrote
Can't use it without a URL, so I can't use it to remember SSH key phrases, generator doesn't do passphrases, locked into the google ecosystem, and no app separate from chrome.
MC_chrome t1_j83th40 wrote
Google’s main focus isn’t password management, for one
ivanoski-007 t1_j83tskm wrote
But it does it better than most
MC_chrome t1_j83tzxo wrote
No, not really. If you were to take a peek at Bitwarden or 1Password (especially 1Password), you would realize what a joke Microsoft/Google/Apple’s password managers are.
To begin, you can’t use Google’s password manager outside of the Chrome browser because the service lacks its own app.
ivanoski-007 t1_j83ufx3 wrote
People... Don't use chrome? Shocking
fusterclux t1_j85vre1 wrote
have you ever signed into an app on your phone? other password managers have shortcuts to make this faster. even FaceID to auto-input your password on sites/apps that don’t have FaceID
[deleted] t1_j8867oy wrote
[deleted]
Siberian473 t1_j886oxo wrote
Despite a lot of dislikes that your comment got I also do believe that Google password manager or Apple Keychain (for those who are all in on Apple ecosystem) are better and safer solutions.
Like where is your data more safe: at Google and Apple or at some random small startup with five employees total?
[deleted] t1_j82r8h1 wrote
[removed]
ADroopyMango t1_j82r8m1 wrote
you could also just write some down, can't hack paper
edit: seriously, think about it. why would you want to put ALL of your passwords into the hands of ONE vendor or company? it makes no sense. those services are so worthwhile to hack, it's almost certain they will be targeted. the company may even get hacked and not disclose anything about it to cover their own ass.
just think twice before trusting a random company with the keys to your life. anything you can say about how "secure" 1Password or BitWarden is was probably said about LastPass.
Bitwarden password vaults targeted in Google ads phishing attack
rastilin t1_j82y9fk wrote
I don't get the anger against paper. Do people think that there's someone going through their drawers and all the notebooks in them? If someone's in your house and reading all your notes you already have a much bigger problem than them getting into some random site.
Dominicus1165 t1_j83syqq wrote
I have around 150-200 passwords. Writing them all down is lots of work. But not only that. Maybe I need them somewhere else. Like on my phone on the go. So I need to take all my passwords with me.
And that paper can be stolen or lost easily. Like in a restaurant when going to the toilet or in a club.
Super insecure
[deleted] t1_j846asy wrote
[deleted]
[deleted] t1_j846dle wrote
[deleted]
ADroopyMango t1_j846964 wrote
a piece of paper is much more secure than a database. physical access will literally always take more effort than if I can just steal your shit from the comfort of my own home.
you're talking about trading security for convenience. and you can do that as long as you use some common sense.
for example, you could write down your most sensitive passwords (bank etc.) and do your best to commit those to memory if you're "at the club" as opposed to your ESPN account or whatever where the hack to life impact ratio is minimal. store those in your password manager all you want.
there is no easy way to have 200 passwords lol. it's like having 200 keys on a keychain.
SlowMotionPanic t1_j85cc8d wrote
> a piece of paper is much more secure than a database.
Hard disagree. Just require authentication with something like a Yubikey for the best of both worlds. People can take vaults all they want, but they are never getting in it without both the master password and a Yubikey and a biometric component if also enabled.
Unless they kidnap you, in which case you have bigger problems on your hand.
Or one is talking about seed phrases for crypto wallets, in which case they better stamp it into metal and hide it well.
Paper burns and you’ll be locked out for a good long time if not forever. Yubikeys can have a duplicate kept in a safe deposit box. Can’t do that with a paper book in active use.
[deleted] t1_j844jgu wrote
Because it's a dumb way to go about it and a waste of time. Are you going to be writing down all of your passwords by hand? Manually updating it as you change them? Getting the paper out of the drawer every time you need to log in? What if you need to log in on your phone when you're away from home?
None of these hacks result in your password being usable. The data these hackers get is a non-sensical string that they can't do anything with. I still wouldn't stick with LastPass. It's clear they give zero shits about internal security at this point. But saying that paper is an equal substitute to a password manager is just wrong.
ADroopyMango t1_j848ne3 wrote
ok, you're just talking about trading convenience for security. you're saying it's a waste of time aka inconvenient. that doesn't mean the paper method is less secure.
nobody said anything about an "equal substitute." there are obvious tradeoffs.
ecksfiftyone t1_j85xkhj wrote
Because you're missing the whole point. Password managers are there so you can generate a password like G&li/PdsZH-)73m?Df78:+pJS*(9dD79. You don't have to remember it and the password manager "should" be secure and encrypted. The Password manager will auto fill in the password across your devices so you don't need to dig out your notebook and type that thing in. You also wouldn't be able to log into your bank account app, or other apps or websites from your phone if your password isn't saved unless you always carry that paper with you.
Then, there is the sharing part. I share passwords for sites with members of my family. I have to share thousands of passwords with members of my team at work. A shared vault that's encrypted and secure works great for that.
Paper is great for my mother. 1 computer in her house, doesn't use her smartphone for anything smart. Wouldn't need those passwords away from home. Doesn't need to share. She actually uses an address book with the little alphabetical tabs. If she needs her google password, she flips to G.
MaximaFuryRigor t1_j82sa3a wrote
Ah yes, the old sticky note on the monitor solution.
[deleted] t1_j83ttko wrote
[deleted]
SlowMotionPanic t1_j85b8os wrote
The BitWarden example isn’t even comparable. It is 100% user error to use an unknown login portal based off an explicit paid advertisement result in Google.
A paper password book user would fall for the same scam but for whichever targeted sites. They are, in fact, more likely to get scammed because they lack an app like BitWarden which can identify and fill the actual portals thus removing the potential for error.
Password managers with a Yubikey are probably the strongest option for most people honestly.
Admetus t1_j83ft2i wrote
To be honest, not even paper. I would place a website and password clue in a text file. I'm not talking something simple like animal+49 = giraffe49, I'm talking about a clue where you already remember a whole bunch of passwords, you just need to know which one you used for that specific site so that you don't have to annoyingly try them all or get locked out.
Dominicus1165 t1_j83t3hj wrote
Oh yes. A list of 150 passwords.
And still super insecure. A good hacking tool would need like 0.0001 seconds to check them all. With 4GHz and 6 cores (24 million tries per second), this is an easy task.
Admetus t1_j84dpa7 wrote
Nah, a reference to each password completely internal to your head. Even if it's something like 'password 1, password 2, etc.' There's zero correlation between the passwords and what I stated.
Dominicus1165 t1_j84vfnr wrote
But again. With 150 services it’s quite hard to remember even with reference. And I look it up again. I have exactly 241 passwords in my manager.
They each need to be secure and not dependent on each other.
altodor t1_j86hz7f wrote
This sounds like a very complicated Caesar cipher mixed with password reuse to me.
AwakenGreywolf t1_j81im72 wrote
How exactly!? Aren't they always boasting about "top of the line encryption this and encryption that"?
jmpalermo t1_j81z2rv wrote
The data stolen was encrypted. LastPass doesn’t ever have unencrypted passwords. However, the encryption is only as strong as your master password.
PMs_You_Stuff t1_j82uslf wrote
So, my 16+ digit alpha numeric password is safe?
jmpalermo t1_j82v4yx wrote
If that is your master password, yes. If that was a stored password and your master password was “Password1!” like mine was, then you need to rotate all the stored passwords.
steven4297 t1_j85u4zv wrote
I use a simple phrase and convert it using base64encode.org
So say I type "I love pizza!"
It returns "SSBsb3ZlIHBpenphIQ=="
Best way I've found to make passwords
jmpalermo t1_j85w796 wrote
Just a phrase itself is a really good password
thirdender t1_j85zxsq wrote
Is it bad that I know exactly which xkcd that is without checking?
cryptosupercar t1_j839wmc wrote
Do a quick check. Every year produces faster processors and gpus
FreeWildbahn t1_j83qro8 wrote
Did you calculate the number of combinations? 62^16 are 4.7 * 10^28 combinations. This will hold for a veeeery long time.
Dominicus1165 t1_j83t9mx wrote
As long as the password is not vulnerable to a rainbow table attack
FreeWildbahn t1_j84wf1x wrote
For a rainbow table attack you need a hash like the passwd file on linux systems. But we are talking about cracking a password safe.
jmpalermo t1_j85whp1 wrote
Any responsible site will salt the password before hashing it which makes rainbow table attacks worthless. Not every site is responsible though…
sopwath t1_j87biaq wrote
That’s not what a rainbow table is. Also, rainbow tables are defeated by salting.
Dominicus1165 t1_j87obtb wrote
Yeah I know. I meant a dictionary attack… with the dictionary provided by the user and only the correct websites to be found.
Toasty27 t1_j881vl9 wrote
Rainbow tables are easily thwarted by salting passwords before hashing. Most systems do this nowadays. Pretty sure LP also does this.
[deleted] t1_j84dyw4 wrote
[deleted]
guatemaleco t1_j84e7xv wrote
16 characters seems low unless it’s a randomly generated password. PBKDF2 iterations would also matter a lot here. The most determining factor is probably how likely of a target are you? Are you likely worth the compute time?
[deleted] t1_j84lawy wrote
[deleted]
belteshazzar_der t1_j85klag wrote
This is incorrect. They stole the password vaults themselves, so if they crack your master password they'll get access to all of your passwords. Doesn't matter if you have 2FA on. This is one of the main reasons why this breach was so bad.
guatemaleco t1_j8gt399 wrote
Yea, 2FA is not used in encryption at all. It's only part of authentication to retrieve the encrypted vault. Since the vaults were already stolen, 2FA is meaningless here.
nlgenesis t1_j83tdn5 wrote
If you read the article, you will read that, while the passwords were encrypted, a lot of other stolen data (usernames, websites, other data) was stored unencrypted.
[deleted] t1_j84dgai wrote
[deleted]
guatemaleco t1_j84dahy wrote
Usernames WERE encrypted.
spsteve t1_j85qm3y wrote
I have heard both options from reputable sources. Normally I would trust the company statements, but given their handling of this I trust NOTHING that touched them.
schussboomer t1_j86n943 wrote
username, password, and password notes are encrypted. The website URL is only hex encoded so it might as well have been in plain text. In other words, hackers know which websites you have passwords for (so beware of phishing attacks) but if you have a strong enough master password, they are still probably trying to crack your vault. You can see for yourself what is encrypted by downloading your encrypted vault - this was a good article which helped me figure that out: https://palant.info/2022/12/24/what-data-does-lastpass-encrypt/
At any rate, going forward, 1password seems to be a better choice because of the additional secret key required to unlock the vault.
In the end, there is no substitute for a good, strong master password.
ISLITASHEET t1_j86o22x wrote
The same vault that is stored server side should be what is available locally. Older vaults may be different, so your mileage may vary.
I know that I examined my local vault and fields that were associated with a credential were encrypted, but names and URLs were not. Some URLs were stored with a token in them. Regardless of that fact, I cycled all of my credentials as I migrated to another provider.
spsteve t1_j875o99 wrote
As I understand it a lot depends on when you started using the service, including the number of rounds used on the master password.
guatemaleco t1_j89nwz6 wrote
I wasn't basing that on statements from LastPass. I just presented on this at work and as part of preparing the presentation, we analyzed LastPass, Bitwarden and 1Password vaults as they are synced to their respective services. Palant's blog was certainly one of the sources we used in putting together the analysis.
Some interesting takeaways are that Shared Folders and Federated authentication offered some additional security. 2FA is completely meaningless in this situation as nothing from 2FA is used as part of the encryption key derivation.
As you also mentioned, age of the account made some differences (though not in username encrypted or not). Default iterations being a big one, and AES-CBC vs AES-ECB, which would certainly make usernames more easily determined.
mrDragon616 t1_j85fdig wrote
Wouldn't that be the same as a hashed password? Or wouldn't it be better if everything was hashed as opposed to it being encrypted by its master password?
jmpalermo t1_j85g5cn wrote
Hashed passwords are only useful for verifying somebody has the password. So if you are a website, you store only a users password hash, then when they try to sign in, you hash the password they’re logging in with to verify it matches.
You can’t reverse a hash back into the original password though.
So for you to be able to retrieve your passwords from LastPass, the password must be stored, not just the hash.
mrDragon616 t1_j85i8aq wrote
Oh ok that makes sense. Thank you!
blackenedEDGE t1_j870qic wrote
While true, LastPass derives the encryption key from your master password using an algorithm called PBKDF2. There are guidelines for how many iterations of the PBKDF2 you're supposed to use--on the client side, server-side iterations are mostly irrelevant in regards to overall security. LastPass failed to follow these guidelines and failed to guarantee those who had vaults prior to each increase in the recommended iterations--or at least whenever LastPass actually increased the number by default for new vaults--were encouraged to login asap and re-encrypt their vault with a key using the new default number of iterations to derive the key from their master password.
The current guidelines--which LastPass was informed of by OWASP--are to use at least 600,000 iterations. Only after being breached did they increase it...but only to the previous recommended number, 310,000. However, as of the breach that saw vault backups stolen, there were still some vaults that had less than 310K, even as low as 1 for a few people who've been customers for a long time.
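A small model of the points raised above (the hash-versus-encryption distinction jmpalermo describes, the PBKDF2 iteration counts, and the earlier remark that 2FA never enters key derivation), written here as an added example and not LastPass's or any vendor's code. The e-mail address, master password and the 24 million guesses per second budget are constructed assumptions; the key and verifier layout is a simplified illustration, not a claim about any product's exact scheme.

```python
import hashlib
import hmac
import math
import time

# Constructed sample account; not from any real vault or breach.
EMAIL = "alice@example.com"
MASTER_PASSWORD = "correct horse battery staple"

# Iteration counts mentioned in the thread: a legacy vault left at 1,
# the value LastPass moved to after the breach, and the OWASP recommendation.
ITERATION_PROFILES = {"legacy": 1, "post-breach": 310_000, "owasp": 600_000}


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the vault encryption key with PBKDF2-HMAC-SHA256.

    Inputs are the master password, the account e-mail as salt, and the
    iteration count. Nothing from a second factor (TOTP code, hardware key)
    enters here, so 2FA does not protect a vault file that has already been
    copied; only the master password and the iteration count do.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def login_verifier(vault_key: bytes, master_password: str) -> bytes:
    """Value a server could store for authentication only (assumed layout).

    One extra PBKDF2 round over the key, salted with the master password.
    It lets the server confirm a login, but unlike the key it cannot be
    turned back into the vault contents: a hash verifies, it does not decrypt.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def check_login(stored_verifier: bytes, master_password: str, email: str, iterations: int) -> bool:
    """Server-side login check against the stored verifier (constant-time compare)."""
    candidate = login_verifier(derive_vault_key(master_password, email, iterations), master_password)
    return hmac.compare_digest(stored_verifier, candidate)


def seconds_per_derivation(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one key derivation on this machine (best of N runs)."""
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("benchmark-only-guess", EMAIL, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def guess_rate_at(iterations: int, rate_at_one_iteration: float) -> float:
    """Scale a guessing rate measured at 1 iteration to another count.

    PBKDF2 cost is linear in iterations, so every extra iteration divides an
    offline guessing rate against a stolen vault by the same factor.
    """
    return rate_at_one_iteration / iterations


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of a given charset and length."""
    keyspace = charset_size ** length
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    key = derive_vault_key(MASTER_PASSWORD, EMAIL, ITERATION_PROFILES["owasp"])
    verifier = login_verifier(key, MASTER_PASSWORD)
    assert check_login(verifier, MASTER_PASSWORD, EMAIL, ITERATION_PROFILES["owasp"])

    # Assumed budget of 24 million single-iteration guesses per second
    # (the figure quoted in the thread, used here as a constructed assumption).
    BUDGET = 24e6
    for name, iters in ITERATION_PROFILES.items():
        rate = guess_rate_at(iters, BUDGET)
        print(f"{name:>11}: {iters:>7} iterations -> ~{rate:,.0f} guesses/s, "
              f"{seconds_per_derivation(iters) * 1000:.1f} ms per derivation here")
    # A random 16-character alphanumeric master password (62 symbols) is out of
    # reach even at 1 iteration; a short human-chosen one is what iterations rescue.
    print(f"62^16 at {BUDGET:,.0f} guesses/s: {years_to_exhaust(62, 16, BUDGET):.2e} years")
    for name, iters in ITERATION_PROFILES.items():
        days = years_to_exhaust(26, 8, guess_rate_at(iters, BUDGET)) * 365.25
        print(f"26^8 at {name}: {days:.2f} days")
```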
SatisfactionAny20 t1_j878cc0 wrote
It's not as straightforward as that, as it turns out, LastPass doesn't encrypt everything. The hackers managed to steal customers' unencrypted email addresses, and the list of websites that the customer has passwords for. Maybe even billing addresses.
LeoBeMe t1_j86nav6 wrote
The vault backups are what was breached, which is even worse
EntertainerOrk t1_j83vbsq wrote
Terrific, so instead of having to crack a dozen different passwords for your different accounts, they have to crack one and they got them all. The modern equivalent of using the same password for every account. Top notch, guys.
Distracted-Tinkerer t1_j84zxwy wrote
This is why you use a strong master password. Tip: 25+ character passphrase with at least one capital letter, number and special char is S-tier. Also pretty easy to remember.
HanaBothWays t1_j8274cb wrote
LastPass does boast about that and it used to be true but they’ve been slacking off since the original founder sold the company. They are not keeping up with best practices that other password management services do (like encrypting most of their metadata).
AyrA_ch t1_j83ghj7 wrote
Any online service you use is vulnerable to your password being stolen. In this case they just got the encrypted database, but with those remote services you usually run a browser extension. They're updated automatically, so you as a user would not even know if someone manages to smuggle password stealing code in there. The best password manager is one that is run on your local device only. If you use a good master password, you don't have to be concerned about your password database being synced over untrusted cloud storage providers.
End to end encrypted providers do exist though.
The people that stole the databases are not after anyone's password specifically. They're running a huge password list against them and take what they can. Data breaches usually work like this.
autotldr t1_j80xbun wrote
This is the best tl;dr I could make, original reduced by 85%. (I'm a bot)
> A hacker stole a file from password manager LastPass that contained the passwords of 30 million users and 85,000 companies.
> As long as customers had a good master password, their passwords were safe, the company said.
> Unlike what many users thought, their personal password vault was not a fully encrypted folder but a text document with a few encrypted fields, according to FTM. FTM also pointed out that by still claiming that the passwords are safe if people used a good master password, LastPass is shifting the responsibility to its users.
zevelj t1_j82ocr1 wrote
Does anyone know if what are called "Secure Notes" stored in Lastpass vault are safe/encrypted? Or saved credit cards?
Deckma t1_j86uae9 wrote
Yes secure notes and the notes attached to passwords were encrypted.
rlaxton t1_j83gpkh wrote
Everything in the vault is encrypted using your master password as far as I know.
zevelj t1_j83styi wrote
They say that URLs for sites stored is not encrypted, but passwords are. So just wondering what else isn't
gurenkagurenda t1_j83s6ne wrote
Well, all the directly sensitive content. LastPass has always been bad about storing metadata in the clear. It doesn’t make it easier for an attacker to get your password, but it does let them narrow down who to try to attack.
spsteve t1_j85swbk wrote
It does if a site did something stupid and included something useful in the url that lp has stored.
Edit: it also makes phishing much easier. That Metadata can be used like this:
You have an MS account and an Adobe account. I know because I have your metadata. I send you a sophisticated phish saying that Adobe is now offering to link to your MS account for single sign in. Just enter your Adobe and MS ids on this form...
It might not hit you but it would get a lot of users.
Deckma t1_j86v4s8 wrote
That's what they wanted us to believe. Unfortunately that's not true.
You can see the vault structure of popular password managers here: https://i.imgur.com/QAvoPmb.jpg
URLs were not encrypted in LastPass. And almost all the metadata and field names were not encrypted.
andrewhy t1_j839gc8 wrote
Maybe passwords are a terrible way of authenticating users, and we need to move towards something else. Even two-factor authentication is an improvement. I dunno about you, but I have more passwords than I can keep track of, and the alternatives to using a password manager are much worse, such as reusing passwords. A single compromised username/password that is reused elsewhere can lead to you being hacked.
newprince t1_j85lkpw wrote
There are actual protocols that attempt to do away with most passwords, such as OpenID. The problem though becomes adoption. It is very easy to rely on the classic Web 2.0 login/password implementation
Deckma t1_j86vijy wrote
Passkeys are something a few vendors are getting behind.
Chilio95 t1_j86dchq wrote
Dammit LastPass! >:( now I have to switch. What's a really good password manager? Anyone have any recommendations?
t0ny7 t1_j89ti58 wrote
I've been very happy with bitwarden.
gr1mzly t1_j88opeg wrote
1password is great. Exported from lp to 1pw and been a nice transition
canyonero7 t1_j87n0me wrote
Longtime LastPass user. I've switched to using the password function in Microsoft Authenticator, which I was already using for MFA. HUGE PITA - I had over 200 passwords on LastPass. But I'm done with them.
Jsharp5680 t1_j86z0cl wrote
Fuck these mother fucking pieces of shit and the horse they rode in on.
That's how I feel about LastPass. Fucking absolute failure at the one thing they were supposed to get right.
Sad irony about this... I stopped using LP for my family about 2.5 years ago and migrated to a self hosted Bitwarden instance. I kept my free LP account as a "just in case" something goes wrong with self-hosting.
Fast forward to now. Self-hosting Bitwarden has been simplistic, easy to secure and 100% reliable.
Now I'm finding myself going through all of my more sensitive secrets in LP, rotating encryption keys I backed up there, passwords and the like. Major pain in the ass (some of the services used / encryption keys require a full reset and reconfigure - things like off site backups - so, resetting and reconfiguring backup jobs).
Then I have to go take care of my wife's secrets (less sensitive things).
But yeah, for the less technical savvy folks using LP, much more of a nightmare.
[deleted] t1_j80xqol wrote
[deleted]
HanaBothWays t1_j81a7ks wrote
The ones about which sites you have accounts on are unencrypted. Most other password managers encrypt this information.
Diknak t1_j83ysll wrote
This is why I like Enpass. Your passwords aren't on a server with a vault of everyone else's passwords. It's much less centralized.
Deckma t1_j86vpi9 wrote
And enpass supports keyfiles which is an awesome 2nd factor.
emaij t1_j84stgy wrote
Where is Karim Toubba, CEO of last pass? Has not uttered a word about this complete failure. I would place this kind of negligence or recklessness on par with the Catholic church catastrophe. Why is the CEO not taking some responsibility for this?
newprince t1_j85ksr5 wrote
Although I am relatively safe, I am unsubscribing from LastPass completely. They lied.
Moving to Bitwarden
WINSEVN t1_j863j9y wrote
I think this makes 3 or 4 breaches in the last 10 or so years.
56kul t1_j86f24k wrote
It’s stuff like this that makes me wonder if I should pull from my password manager.
I’m subscribed to Dashlane and as of now, their records are clean, but this is worrying.
Breklin76 t1_j86p8q7 wrote
They had a breach a while back, too. I switched to LastPass! 😂😂😂
56kul t1_j86w8wf wrote
They did? I tried to look up if they had any history of breaches and everything says they’ve never had one…
DashlaneCaden t1_j8e1fro wrote
Correct - we have never had a security breach (we even confidently state it front & center on our website). I'll never say it's impossible, but we are confident we deploy the highest level of security practices possible to ensure a breach will not happen.
Breklin76 t1_j8e9clo wrote
I stand corrected. I thought they did a couple of years ago. That’s good to know. I might return as a customer.
56kul t1_j8eapiz wrote
Do you work for Dashlane, by any chance? Because you’re speaking in first person.
DashlaneCaden t1_j8eatvh wrote
Yep ! I'm an engineer on our web app / extension.
56kul t1_j8eb97o wrote
Ah, alright.
So may I ask why Dashlane isn’t on Firefox’s extension store? Since you’re specifically working on the extension.
I know it’s not really the place to ask about it, but I tried looking it up and found a Reddit post from over a year ago.
DashlaneCaden t1_j8ecrbu wrote
Absolutely!
So I cannot speak to why we went the route of hosting the extension ourselves rather than listing via the Firefox add-on store in the first place, but I can say it's on our roadmap to explore listing this year. I'm not on the team that handles our store automation & deployment processes, but from my understanding there is some work needed making the migration still & it's slated this year (with no specific date planned yet).
Our hosted version will still receive automatic updates, we're just missing out on the marketing / discoverability that the add-on store provides.
56kul t1_j8ed5jp wrote
Well, I just hope it’ll be resolved soon.
I definitely trust that your self-hosted extension is safe, but I'm not a fan of using such extensions. I just like the peace of mind of using one directly from the store.
DashlaneCaden t1_j8ee111 wrote
Ah yes & just to clarify, our extension still has to go through the signing & review process at Mozilla, including submitting source code occasionally for them to reproduce builds & validate + approve our extension. We just opted to distribute it ourselves rather than in the add-on store originally.
56kul t1_j8ee8gg wrote
Wait, if you still need to verify it through Mozilla, doesn’t it mean that you’re already clear to host it through the add-on store?
DashlaneCaden t1_j8eeenv wrote
I believe the biggest hurdle is how to migrate users best from our hosted extension to the add-on store version, so we can avoid having to deploy & maintain the distribution of both versions. Moving from an unlisted extension -> listed is not as seamless as you'd expect, as it would technically be a new / separate extension on the add-on store.
DashlaneCaden t1_j8e18yu wrote
Dashlane has never had a security breach
williamogle t1_j86ge4y wrote
I think I am just going to have to host my own password manager… it's the only way I can think of to avoid it being lumped in together with a large collection of other people's valuable information
[deleted] t1_j86niyc wrote
[deleted]
Jsharp5680 t1_j86znhp wrote
Look at Vaultwarden (Bitwarden written in Rust). I've been self hosting for almost 3 years. It's the bee's knees!
Breklin76 t1_j86pcj3 wrote
Apple’s Keychain is looking better and better, now that they have password support for Windows iCloud app.
sopwath t1_j87c340 wrote
Half the people posting here need to go read Cryptography by Keith Martin. An easy to read book that explains, among other things, that encryption and hashing are not the same thing.
wonderfulworld99 t1_j80wrcz wrote
LastPass won't last, everyone will give it a pass. Self fulfilling prophecy name.
Danzzo36 t1_j852u58 wrote
Can't steal from my notebook
FatedMoody t1_j85bb7t wrote
But you could lose it or it could be destroyed
spsteve t1_j85ucgx wrote
And last pass could have an outage or go bankrupt. Lots of arguments on your side, but you picked two bad ones.
FatedMoody t1_j85v4b5 wrote
From what I understand this isn’t an issue. LastPass stores a copy on each computer/phone
spsteve t1_j85wswg wrote
And the tools to decrypt that are where?
FatedMoody t1_j85x33y wrote
Huh? There is no need to decrypt, you just unlock with your password. I can use LastPass without being online. Have you ever used LastPass?
spsteve t1_j85xrlg wrote
I have used it. I have never tried to use it in an offline state. I asked a question. Forgive me for asking a question. So sorry I don't know everything like you obviously do.
Edit: but since you are so knowledgeable, let's say I updated a bunch of passwords on my office device and haven't used LastPass at home for a few days. When does LastPass sync its database to "every device" as you said?
FatedMoody t1_j85xxpt wrote
you’re the one that called my argument bad without even knowing details how LastPass works and now you’re calling me the know it all? Lol
spsteve t1_j85ykwi wrote
"And the tools to decrypt it are where?" is what I asked you. After stating lastpass can go down. You could have corrected me without the attitude but no. The big bad keyboard warrior has to talk down to people about something. And my follow-up question?
FatedMoody t1_j85zcsf wrote
Hey, I already replied the first time without attitude even though you called my arguments bad without even understanding how LastPass works. Do you now see how LastPass going bankrupt or offline isn't that big a deal as opposed to losing a piece of paper with all your passwords and no backup?
Now as for your follow up question. Yes if you updated a bunch of passwords at your office and LastPass goes down other devices won’t get the updates. However this shouldn’t be that big an issue since the work computer should have those changes you made locally
spsteve t1_j869c9r wrote
Next question; what happens if someone breaches last pass and destroys the vaults and nukes the backups (and given they've been so heavily breached, and I have 0 confidence in them corporately to store safe backups) then what.
My initial point was, there are lots of good reasons to argue against paper vs password manager, but loss isn't one of them. Anything can be lost, and with these companies getting breached at this level (including some having backups deleted) I don't think THAT is the argument to use.
Finally, I am genuinely curious; when have you used lastpass in an offline state? Like why??? LOL If your network is down, what are you signing into you don't have memorized?
FatedMoody t1_j877bdj wrote
> what happens if someone breaches last pass and destroys the vaults and nukes the backups (and given they've been so heavily breached, and I have 0 confidence in them corporately to store safe backups) then what.
I don't see this any different than your previous scenario. All your devices should have local copies. Sure, they may be a bit out of date but for the most part you should have most of your credentials
>My initial point was, there are lots of good reasons to argue against paper vs password manager, but loss isn't one of them
Well then we disagree. In my mind one of the major features of LastPass is redundancy and they are more likely to be much better at it than I am, and worst case I have copies on my devices. Truly losing a password can be extremely devastating, case in point (though an extreme example):
https://www.bbc.com/news/technology-55645408
>LOL If your network is down, what are you signing into you don't have memorized?
Imagine a laptop you don't use often being locked and you're on a plane with your phone in airplane mode...
spsteve t1_j878g8s wrote
What I meant by destroy the vaults is corrupt them. Then your devices sync the corrupted one. Done.
As for the use case, fair enough. I don't know I've ever had that issue as my physical devices all have passwords I remember and their passwords never leave my brain. If my physicals get compromised it is game over for everything else as far as I am concerned.
FatedMoody t1_j879aee wrote
Sure ok, if there is a massive breach and that corrupts all your passwords and destroys backups but still allows it to sync with every device you have, destroying those copies, and those devices also don't have backups, then yes you might be in trouble. No solution is absolutely foolproof. However what's more likely, the scenario described here or someone accidentally throwing away their password list or it being lost in some home accident? That's literally a single point of failure
spsteve t1_j87aknf wrote
Normally I would agree with you, but given the level of breach suffered here AND the ABSOLUTE lack of transparency by the company, I wouldn't rule it out as an unreasonable concern.
With all the government-supported bad actors in the world today the threat landscape has changed. State-sponsored hacks designed to cause economic damage are becoming more and more commonplace. Sites like this are huge targets.
For the home user this is a difficult game but for the enterprise a well designed self-hosted solution (bitwarden for example) is the way to go right now IMHO.
Any of the big "public" cloud options are just too juicy a target. It is fairly trivial to set up your own reasonably redundant manager now if you're a company. The real issue is for the home user going forward. (But most home users have such a horrible security posture I suppose it doesn't matter either.)
PBX1984 t1_j85k3g4 wrote
Yeah, they got hacked over the summer, idk why it's just coming back up now
spsteve t1_j85ukb6 wrote
Because the story keeps changing. First it was September. Then right before Christmas they dropped news about how bad it was. Now it was apparently earlier. A company whose job is based entirely on being trustworthy has been anything but open and transparent.
ThrowawayNo4910 t1_j81313l wrote
Well that's awkward.
nudifyme69 t1_j82p8t8 wrote
Building ourselves a simple password manager is safer. Like, ask ChatGPT how to build ...
AGriggs191 t1_j82ntlx wrote
There's a good reason I don't use a password manager. I don't trust anyone.
EntertainerOrk t1_j83v4nc wrote
I get downvoted every time I clown on these password companies. Handle your damn passwords yourself. Put them in your browser, hell, even write them on your hard drive. No one's gonna find them there. If someone has your computer, it's game over for you anyway; at that point nothing matters anymore. Maybe LastPass should use a better password on their datacenter or something. Weird how I don't get hacked, yet every couple of months I hear another story like this of a big password-vault-type application company being hacked.
[deleted] t1_j823t1p wrote
[deleted]
semje t1_j83g239 wrote
Just curious, what would you have used instead?
CervantesX t1_j812mgs wrote
Shockingly, putting millions of passwords into the same place didn't turn out to be a brilliant idea.
SomethingMatter t1_j81ugyu wrote
You have two options:
- Put your passwords in a password manager - this can be local only
- Remember all of your passwords
The second one means that you will either have duplicate passwords or a system in place where a person who knows one password can figure out the others. The only real option is a password manager. No password manager worth anything will be able to get hold of your passwords without you first entering your master password, so the trick is to keep a good master password and you should be fine.
spsteve t1_j85ta1m wrote
Local is the big part here. Password manager sites just are too big a target.
CervantesX t1_j88dm1i wrote
Don't make it sound like it's that hard to make a site-unique password scheme. And all it takes is buying a domain name, and you can have unique site-specific login emails as well. Even if one of the sites gets hacked and your L/P are in plaintext, it would take an actual person intentionally targeting just you to even have a hope of noticing your scheme, let alone figuring it out. Sprinkle in some 2FA and there's no way anyone is finding another accessible account before that site auto locks for bad logins, and/or you notice all the notifications thereof.
Or you can put your entire life worth of passwords into the hands of a company dedicated to making as much profit for as little work as possible, and hope it works out for you.
Infinite-Eggs t1_j82e716 wrote
Your PC will always be a single point of failure. At least a password manager tries to secure the data even when it's sitting in your RAM, and has features to try and thwart keyloggers. This buys you time to change your passwords.
Manually typing your passwords or copy/pasting via the clipboard is the least secure method by far and is the main method keyloggers plan on exploiting.
Shaila_boof t1_j81gqoa wrote
I save all my passwords in the browser password-saving thing, is that bad?
NiftyNumber t1_j81n0vi wrote
Information is encrypted before sending to Google (I am assuming you are using Chrome), so even Google doesn't know your passwords. Therefore, generally pretty safe.
teh_maxh t1_j82rr2e wrote
> Information is encrypted before sending to Google (I am assuming you are using Chrome),
That's a new feature (only since June 2022), and AFAIK isn't automatically enabled.
Fickle-Razzmatazz827 t1_j85kajk wrote
Definitely not. It's been used way longer. No one has sent plaintext passwords since the late 2000s unless it's an amateur-made website.
teh_maxh t1_j864onn wrote
I guess Google is made by amateurs, since on-device encryption was introduced just last year.
Fickle-Razzmatazz827 t1_j8729eg wrote
Completely different thing; this encrypts using your device and you need to enter your password to decrypt it. The password is still not being sent to Google as plain text and never has been.
teh_maxh t1_j87uadc wrote
Are you really arguing that "well, technically it's sent via TLS" is actually adequate for a password manager?
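An added example, not code from this thread or from any of the products named in it, to make concrete the two points argued above: that a vault should be unreadable without the master password (SomethingMatter's comment), and the difference between "encrypted on the device before it is sent" and "sent to the server over TLS" (the Chrome subthread). It is a local-only vault in Go that derives a key from the master password with PBKDF2-HMAC-SHA256 (written out over the standard library; a real vault would use a memory-hard KDF such as Argon2id or scrypt) and seals the records with AES-256-GCM. The record layout, function names, sample entry and iteration count are this example's own assumptions, not any real product's format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"log"
)

// Entry is one vault record (this example's own schema, not a real product's).
type Entry struct {
	Site     string `json:"site"`
	Username string `json:"username"`
	Password string `json:"password"`
}

// SealedVault is everything that leaves the device and that a sync server
// would store. The master password is never part of it.
type SealedVault struct {
	Salt       []byte `json:"salt"`
	Iterations int    `json:"iterations"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"` // AES-256-GCM output, auth tag included
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out so the
// example needs only the standard library. Argon2id or scrypt is the
// production choice; the structure of the vault is the same either way.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var idx [4]byte
	for i := 1; i <= numBlocks; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i)) // U1 = PRF(P, S || INT(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		block := append([]byte(nil), u...)
		for j := 1; j < iterations; j++ { // Uj = PRF(P, U(j-1)); Ti = U1 xor ... xor Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range block {
				block[k] ^= u[k]
			}
		}
		out = append(out, block...)
	}
	return out[:keyLen]
}

func aeadFor(master string, salt []byte, iterations int) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal derives the vault key from the master password on the device and
// encrypts the entries; only the returned SealedVault needs to be synced.
func Seal(master string, entries []Entry, iterations int) (*SealedVault, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(master, salt, iterations)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	return &SealedVault{Salt: salt, Iterations: iterations, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open reverses Seal. A wrong master password or any modification of the
// stored blob fails GCM's tag check, so no decrypted bytes are returned.
func Open(master string, v *SealedVault) ([]Entry, error) {
	gcm, err := aeadFor(master, v.Salt, v.Iterations)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, v.Nonce, v.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("vault: wrong master password or corrupted data: %w", err)
	}
	var entries []Entry
	if err := json.Unmarshal(plain, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

// ServerSees is the blob a sync server stores when encryption happens on the
// device; TransportOnlyPayload is what it receives when the client relies on
// TLS alone, i.e. the records exactly as the server can read them after TLS
// terminates. ContainsSecret makes the difference checkable.
func ServerSees(v *SealedVault) ([]byte, error)        { return json.Marshal(v) }
func TransportOnlyPayload(entries []Entry) ([]byte, error) { return json.Marshal(entries) }
func ContainsSecret(blob []byte, secret string) bool   { return bytes.Contains(blob, []byte(secret)) }

func main() {
	// Constructed sample record, not real credentials.
	entries := []Entry{{Site: "example.com", Username: "alice", Password: "correct horse battery staple"}}
	v, err := Seal("my master passphrase", entries, 600000)
	if err != nil {
		log.Fatal(err)
	}
	blob, _ := ServerSees(v)
	fmt.Printf("server stores %d bytes; password visible: %v\n", len(blob), ContainsSecret(blob, entries[0].Password))
	if _, err := Open("wrong master", v); err != nil {
		fmt.Println("wrong master password:", err)
	}
}
```

The point to notice is where the key comes from: the server holds salt, nonce and ciphertext, but the key exists only on a device where the master password was typed, so a breach of the stored vaults yields a brute-force problem bounded by the KDF cost, not readable records. The GCM tag also covers the scenario raised earlier in the thread of a corrupted vault being synced down: a tampered blob fails to open rather than silently replacing good entries.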
[deleted] t1_j81ppwp wrote
[removed]
SomethingMatter t1_j81tph3 wrote
It's not the best. Depending on how things are set up, anyone getting access to your PC can log onto any of the sites that you log into. You are also tied to the browser, e.g. want to use an iPhone and Chrome? Tough. There are free options for password managers.
MrPissedHimself t1_j81v48q wrote
I think if they're saved, they can head to saved passwords and click a button to see them in clear text. Might have changed now, but I remember doing that on a publicly used computer a few years back.
HanaBothWays t1_j826yvl wrote
It’s probably not bad and it’s better than nothing, but it’s less portable than a good password manager.
Infinite-Eggs t1_j82eqo9 wrote
It's better than typing them manually. The main point is that all your passwords should be complex and unique. That should help you in 99% of cases.
CervantesX t1_j88dpai wrote
It's not ideal, but it's common. Best practice is to at least not save your hyper-sensitive logins like bank passwords.
HanaBothWays t1_j80uzv6 wrote
Move yourself to BitWarden or 1Password or something, these folks don’t have what it takes to keep up a good password management service now that they’re owned by a hedge fund.