More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists
Bitwarden or keepass ftw
I dumped LastPass for Bitwarden a few years ago. So glad I did.
There’s no such thing as an impenetrable password manager. I keep my most secure passwords in my head, and so should everyone.
Even if the software were perfect, people aren’t. Anyone can be fooled under the right circumstances. It’s better to expose one service than all of them at once.
How would someone steal my password and my physical yubikey for 2fa?
Nearly every victim was a LastPass user.
But every victim was a cryptocurrency user.
I’d be willing to bet that people store their key phrases in the notes section in LastPass which was not encrypted at rest
This is incorrect information. Notes are encrypted, just not their “type”. Unfortunately the most direct source for this is a reddit link, but here it is anyway.
okay thanks for that I was going off of an earlier report
This doesn’t say anything about crypto.
It says everything about the users themselves.
These guys saved their seed phrases to LastPass, not just account passwords. You can’t just change your seeds without moving funds to a new wallet.
The main lesson here is never store your seeds in digital form, ever. Write it down by hand on paper at creation and then take additional efforts to safeguard it.
I wrote my seed information down for my poop coin wallet directly on Charmin double ply and then promptly wiped my ass with it and flushed.
All my apes gone!
Shit coin is far superior than poop coin. All the apes have shit coin. You never lose the password to shit coin, there’s always more shit coin passwords.
How were the wallets cracked? Cracked the master password?
I know Lemmy’s classic “Google bad” but you know what? Google’s password manager and authenticators never lost my passwords, never charged a subscription, didn’t require me to invest money and effort into self hosting, never leaked, never disappeared, and always worked perfectly on any device within seconds of logging into my account.
I’d be worried about losing access to the entirety of your passwords if Google up and decides that one day your account is suspended. There’s been a few reports historically where someone gets their Gmail account suspended for some mistaken reason and all their associated access gets pulled (e.g. from drive, sheets, etc)
That’s what happened to me once due to Bitwarden - it lost all my 2FA codes. It was an absolute pain getting access back to all accounts.
My Google account has been rock solid from the day I created it as a child to today, even though my needs and their services changed dramatically over the years.
Most of the issues with people claiming their accounts got locked up “for some unknown error” are actually hosting and sharing copyrighted material, like creating public Google Drive links to a movie or sharing a game ROM via Gmail.
My Google account has been rock solid from the day I created it as a child
Hopefully you were of legal age to accept the Terms of Service, otherwise it might’ve been an irregular account all this time.
It probably was an irregular account, yes. Not that it ever mattered.
If it was, and you haven’t accepted the ToS as of legal age, then you might want to make a new one.
Google is getting ready to purge inactive accounts starting next year, and it wouldn’t be the first time when a service purged irregular accounts many years after the fact, so… better safe than sorry.
…so far.
For those that don’t mind self-hosting, which can be as easy as just running syncthing or resilio sync on your NAS, I can really recommend keepass.
Me with interest, but no technical knowledge reading your comment:
which can be as easy as
:-)
running syncthing or resilio sync on your NAS
:-(
I didn’t understand any of those words
A NAS is a home storage server, like Synology that you can use to store images, videos and backups, etc on so you can access them from any computer or device in your home. With a couple of clicks, they can easily run applications like Syncthing or Resilio Sync, which are kinda like Dropbox, except you don’t have to pay Dropbox, you’ll just be storing the files on your own service.
If that’s too much to handle, you can still just store your Keepass file in Dropbox, so that it’s available on all your devices. But in the end you’ll still be storing your personal data on someone else’s harddisk.
So in short, is at easy as using a prefab service? No, you’ll have to invest some time, money, and knowledge yourself. But in the end, your data is not gathered in silo together with countless other users, which makes it a lot less attractive for hackers to try and steal it.
edit - nevermind I can’t even format a comment, let alone self host a… Thingie. What the other guy said.
so far
Yeah, that’s true for literally everything.
Your self hosting setup never failed I guess… So far!
Self hosting is less appealing for criminals, though. Especially if the protocol is “vanilla” like ssh.
When you hack LastPass you know what you’ll find, millions of passwords. When you hack a dude ssh you have one chance over one million that there is one dude password wallet.
It doesn’t make financial sense to hack self hosting (unless it’s specific server software)
That’s an average of over 200k each. I’m wondering how they managed to target people with so much money.
Pro Tip: You don’t need to give a private company all of your passwords. That literally defeats the purpose of having passwords.
This. This. This.
I vote for you to be chair person of the board for common sense.
migrated my shit out of lastpass like 10 years ago or whenever it was bought by logmein. douches.
Any obvious holes in keeping a text file on my laptop that I encrypt when not using it? Using ccrypt on linux.
I do not want my passwords - even encrypted - on the cloud or at the mercy of a 3rd party in any fashion.
Why not use KeePass then? It’s entirely local and you don’t have to risk running your own encryption solution.
All it takes is a malicious program accessing your clipboard or running commands to find your password file while your machine is booted and decrypted.
If something happens to your SSD, you lose all access to everything. And SSDs can die without warning, and be un-recoverable.
deleted by creator
The idea is fine. Still trusting lastpass was the bad idea. Others have much better implementations to protector your vault and don’t drop the ball on security time after time.
I mean, they’ve had more than long enough to change passwords.
Nobody is after your password for the Moravian rug weaving forum but in this day and age it’s on you, if you know there’s a breach and you don’t change your banking / crypto passwords.
Cannot change crypto seed phrases (but that can be mitigated). Cannot change addresses, social security numbers etc
After years as a family plan subscriber, I moved my personal (1k+) passwords off of LP after the last – and most egregious – breach. I have quite a bit self hosted in my environment but Proton Pass interests me as I can get my wife and son in it easily as we already have the family plan. Lemmy is loaded with tech savy, so my question is; same devil different form? I’ve tried BW but it wasn’t condusive to the whole familys use (at least not a few years ago).
If it is cloud hosted then there is always a possibility. Programs like keypass run locally and are only in jeopardy once your system is compromised. The issue with keypass is implementing it for multiple users is probably a chore (never looked into it).
All that promotion/awards tagging as best password manager for nothing. Glad I picked up KeyPassXC and KeyPassDX and sync between my phone and PC with gdrive
At first I was confused about why this was being downvoted, but then I noticed the “gdrive”. You’re using a different cloud to avoid this specific cloud.
I know google sucks but it’s easier to sync across and I have separate key file locally on both devices… 🤷
So what makes lastpass untrustworthy and do we think competitors like 1pass are any different?
Is there any reason to use a password manager over just an excel spreadsheet?
The only password manager I trust to connect to the internet is the Firefox manager, Keypass for the important stuff.
