This is unbelievably bad. The "threat actor" (and anyone else the info is shared with on the hacker forums) now has copies of:
- Customer Names
- Company Names
- Email Address
- Billing Address
- Telephone Numbers
- IP addresses (from where customers accessed the service)
- Website URLs saved in LastPass vaults (LastPass doesn't encrypt the website URLs)
- Encrypted vaults
That is a massive privacy violation and puts every customer at risk for massive automated phishing, blackmail, and doxing. They marketed the whole vault as being encrypted in their Zero Knowledge architecture(TM).
And LastPass probably knew since AUGUST and tells us the day before Christmas. Note the obfuscating, dense language in the blog notice. Specifically "unencrypted fields such as website URLs", implying other vault fields could have been unencrypted but they can't/won't say.
LastPass will not survive the pending customer exodus and class action lawsuits.
Seems like instead of spending Christmas with my family, I will spend it changing passwords for 100s of accounts.
I see it being called "The Friday Afternoon Dump" here [1]. The PR and marketing term for finding best timing is "press release timing".
Weekends are a prime candidate because press and journalists are off, but social media thrives on weekends. Friday afternoon is the sweet spot if you want to avoid press and social media virality.
> LastPass will not survive the pending customer exodus and class action lawsuits.
Literally nothing will happen. Mark my words.
Don't know where you are getting this fantasy of the company not surviving, and class action lawsuits. Every similar example in the last 10-15 years that I remember was the same (people forgot after a week and nothing happened).
>Seems like instead of spending Christmas with my family, I will spend it changing passwords for 100s of accounts.
Why didn't you just use decent passwords in the first place? You were using a password manager, what's the fucking point if your password is still "kittens1"?
Only the encrypted randomized passwords were leaked. Unless you knowingly used a bad password for your cloud-based password manager, you're fine.
If you did use a bad password for the cloud based password manager, you're the walnut. The whole sales pitch is that lastpass can't fuck you as long as you have a reasonable password protecting your vault.
Your encrypted data is compromised, it is in the hands of an attacker who really wants to decrypt it. You're pinning all of your digital security on encryption holding against an active attacker. What if there is an undiscovered or undisclosed vulnerability in the encryption? What if last pass isn't using encryption as secure as they claimed? What if the attacker just gets really lucky and your password is in the first thousand bruteforce attempts?
Same rationale applies when a random website gets hacked and leaks their password database. Yes, your password is salted and hashed, and hypothetically unrecoverable. But you change your password anyway.
You have the option to guarantee your accounts are secure, or do nothing and hope it will be fine.
There's a lot of situations where your vault might be decrypted. Sure, they're all pretty unlikely, but the risk is not zero. Changing your passwords does make that risk zero.
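The comment above reasons about a stolen, still-encrypted vault: once the attacker has the blob, every guess at the master password is tested offline, the cost per guess is the KDF, and a master password that sits near the top of a cracking list falls within the first few guesses. The block below is an added example, not code from the thread or from LastPass; it constructs a toy vault check value (PBKDF2-HMAC-SHA256 plus an HMAC over a fixed label, an assumption standing in for the real vault format) and runs a small constructed wordlist against it, then estimates the expected cracking time for a random password of a given entropy at an assumed hash rate.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Toy vault format, constructed for this example (not LastPass's real format):
# key = PBKDF2-HMAC-SHA256(master_password, salt, iterations), and the only
# thing an attacker needs to test a guess is the stored check value
# HMAC-SHA256(key, b"vault-check"). A real vault also carries the ciphertext,
# but testing a guess costs the same either way: one full KDF run per candidate.
CHECK_LABEL = b"vault-check"


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Password-based key derivation; the iteration count is the attacker's cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_vault(master_password: str, iterations: int) -> dict:
    """Build the stolen-vault view: everything in the returned dict is what the attacker holds."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def try_guess(vault: dict, guess: str) -> bool:
    """Offline test of one candidate master password; no server is involved, so no lockout."""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    candidate = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, vault["check"])


def dictionary_attack(vault: dict, candidates: Iterable[str], max_guesses: int) -> Optional[Tuple[str, int]]:
    """Try candidates in order; return (password, guess_number) or None if the budget runs out."""
    for n, guess in enumerate(candidates, start=1):
        if n > max_guesses:
            return None
        if try_guess(vault, guess):
            return guess, n
    return None


def expected_crack_seconds(entropy_bits: float, iterations: int, kdf_iterations_per_second: float) -> float:
    """Average time to find a uniformly random password of the given entropy (half the keyspace)."""
    guesses = 2.0 ** (entropy_bits - 1)
    return guesses * iterations / kdf_iterations_per_second


# Constructed wordlist standing in for the top of a real cracking list.
COMMON_PASSWORDS = ["123456", "password", "kittens1", "qwerty", "letmein", "iloveyou"]

if __name__ == "__main__":
    weak = make_vault("kittens1", iterations=100_000)
    print(dictionary_attack(weak, COMMON_PASSWORDS, max_guesses=1000))
    strong = make_vault("correct-horse-battery-staple-7Qx", iterations=100_000)
    print(dictionary_attack(strong, COMMON_PASSWORDS, max_guesses=1000))
    # Assumed attacker rate, for illustration only: 1e9 PBKDF2 iterations per second.
    print(expected_crack_seconds(entropy_bits=20, iterations=100_000, kdf_iterations_per_second=1e9))
    print(expected_crack_seconds(entropy_bits=80, iterations=100_000, kdf_iterations_per_second=1e9))
```

The two knobs the defender controls are visible in `expected_crack_seconds`: the iteration count multiplies the attacker's cost linearly, while each extra bit of master-password entropy doubles it, which is why a low iteration count is survivable only behind a genuinely random master password.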
You're already fucked. LastPass lied in their sales pitch, and they released a bunch of your data unencrypted. Having absolute trust in their encryption as your sole layer of security at this point is incredibly reckless and stupid. You don't know that your master password isn't uncompromisable, you're trusting the company's sales pitch, and they've already lied to you. There is no reason at all to assume your vault will be secure forever.
> What if last pass isn't using encryption as secure as they claimed? What if the attacker just gets really lucky and your password is in the first thousand bruteforce attempts?
This is why you always do your own encryption on an offline computer using trusted tools like VeraCrypt. Relying on cloud storage to encrypt is doomed to fail eventually.
> Your encrypted data is compromised, it is in the hands of an attacker who really wants to decrypt it. You're pinning all of your digital security on encryption holding against an active attacker.
Well, yeah. Just like you leak your encrypted password to the internet every single time you log into a website.
>What if there is an undiscovered or undisclosed vulnerability in the encryption?
lmao, if aes-256-cbc is broken then LastPass is probably the least of anyone's concerns. This happens to also be one of the more difficult AES modes to screw up.
>What if last pass isn't using encryption as secure as they claimed?
Shit, if that was a real concern you would have to be a complete idiot to use LastPass in the first place.
What proof do you have that last pass uses that encryption scheme? Is there any evidence to suggest that it meets rigorous standards?
Remember that last pass has just been caught lying about their security, and you can't trust what they say.
Calling other people idiots just makes you look like an uninformed asshole, so stop that. You're wrong, and you're trying to justify yourself rather than just back down.
Changing passwords in the face of a breach like this is standard practice and is the only logical step forward. You cannot trust last pass security from this point forward. Whether or not you should have trusted them in the first place is irrelevant in the extreme.
Last pass users should change their passwords, period. Telling those users that they're idiots who shouldn't have trusted them to begin with makes you look foolish and toxic.
>Shit, if that was a real concern you would have to be a complete idiot to use LastPass in the first place.
What are you even talking about? Of course it's a real concern. That exact kind of thing happens constantly. And of course, the nature of the concern here involves us not knowing that LastPass was fucking up. LastPass might not even know. It's not like companies regularly announce in public, "hey, customers! We're actually massive fuckups, we know it, we haven't fixed it, and we just thought you'd like to know!"
One has to wonder what would prompt someone to issue such a violent, random, unhinged threat, in response to a simple question.
You're clearly here propping up LastPass, you don't seem to have a particularly strong argument, as noted by many, you have no substantial history of doing anything constructive on the site, and now you're threatening SWATting me?
I have a better idea: stop the childish, dangerous, violent, criminal threats, and just answer my question, instead.
Do you feel big and powerful issuing threats from behind a cloak of anonymity? Go for it.
Obviously the GP comment was worse, but you also have been breaking the site guidelines repeatedly lately, and not that long after we banned you following countless warnings over many years (https://news.ycombinator.com/item?id=33153801). I was willing to give you another chance, but since it hasn't worked, I think we have to ban you again.
You came looking for a fight, don't act so surprised when you get one.
Go verbally attack random people on the street, see if you don't come home with a bloody nose.
If your comment hadn't been so obviously in bad faith, you'd have received a different response. A 7-month-old account that has only mentioned LastPass within the past 24 hours was obviously not created to systematically defend LastPass.
In fact, the account you were replying to hadn't even been "knocking down any criticisms of LastPass" as you accuse. There's not a single comment made by "rosnd" you could reasonably describe as defending LastPass.
Thanks, smartass. This wouldn't have been a problem to this degree if their product matched up to their promise and the whole vault was actually encrypted.
I willingly accepted the dox risk of personally identifiable data because they were transparent they maintained this and hence this would leak. I would never have used their service if I knew website URLs were unencrypted.
Don't trust people you don't know with your secrets...why do you even think they encrypt anything (trust?), in the real world you would never be that ignorant right?
If you’re being so cocky, I’m sure you would never type your secrets into any piece of software that auto-updates, right? After all, you’re trusting someone else not to release a software update that leaks your secrets. And I’m sure you do a full audit of the Chrome source code every time a new version is released. And for your locally hosted password manager software too, right?
>I’m sure you would never type your secrets into any piece of software that auto-updates, right?
Never all of them, with notes, urls and other stuff....what has auto-update to do with it?
I don't save my passwords in a password-cloud-service....is that really so hard to understand why it is a bad idea if you do that? Well here you have it why it's a bad idea.
Any software running on your PC can gain access to any online account on your PC. If you have auto-updates enabled, a malicious update could be pushed to your PC at any time to compromise you and tens of millions of other users, even with something as ubiquitous as uBlock Origin.
At some point you have to trust someone unless you wish to live off the grid, that's just an unfortunate reality.
My argument is that a chain is only as strong as the weakest link in the chain.
After all, what's the alternative?
- Remembering all of your (strong, unique) passwords?
Impossible.
- Using a single password, or a system for deriving "unique" passwords to make them easy to memorize?
More insecure than a cloud-based password manager. People forget and get injured.
- Using an offline password manager such as KeePass?
Doable, but you trade one set of concerns for another. How many NPM packages have been compromised, stealing data from developer machines? How many people get knowingly, or unknowingly infected? Are you certain that the likelihood of your own machine getting compromised is lower than that of e.g. Bitwarden? Furthermore, if you use something like DropBox to sync your "offline" vault across devices, you're once again trusting someone else to keep the vault safe.
Your risk of a targeted attack might be lower with offline storage, but your risk of an automated attack is significantly increased, because most people don't know how to properly secure their $5 VPS or Raspberry Pi that they're using to self-host their password manager.
You claimed that using any cloud-based password manager is a bad idea, I disagree.
Password managers are not made equal so it's important to do some research and pick one that undergoes extensive security audits, is preferably open source and use a strong passphrase to secure it.
A password manager that fits these criteria will produce a vault file that would take hundreds of years to crack, even if their servers get breached and all data is stolen. This was notably not the case with LastPass. It was neither properly implemented, nor (properly) audited, nor open source.
Use keepass and don't upload your password in cleartext to someone who just tells you they are encrypted.
Trusting someone else with your passwords is 99% the weakest link.
>Your risk of a targeted attack might be lower with offline storage,
We don't talk about targeted attacks, but a breach of every user who uses the service. Are you from marketing? Because you really try to justify that uploading your passwords to a 3rd party with proprietary software is a good thing, are you absolutely out of your mind??
If you had told anyone in the year 2000 to upload all your passwords to a service, in clear-text, but one that tells you it's absolutely safe and everything gets encrypted, you would have been laughed out of the room, so you should be today.
>to self-host their password manager.
Gosh, are we really that far from commonsense that we think we have to host a personal password manager??? It's an encrypted file basta. It's like unix never existed and now we need an oracle database and php to "host" our 20 passwords...bravo. Hey why not install github-enterprise so we can use git?
Feel free to respond if you're willing to address any of my points in good faith. I've made it abundantly clear I only believe in audited, well behaving and open source solutions. I'm not advocating for sending your passwords off to an unknown entity in clear text.
My point about self-hosting password managers was aimed at a relatively common (but in my opinion, unwise) advice for people to just host their own instances of vaultwarden[1], but it also applies to file-based storage such as KeePass.
When you're using a password, you're entrusting that password to:
- Your web browser (which you're entrusting with a WHOLE LOAD of things by the way)
- Your operating system (Same same)
- A crapload of software that runs locally, depending on which OS you're running
- That security camera behind you in the Starbucks you're working from
- That guy sitting next to you in the metro looking at your phone. Surely you're using a privacy screen, I hope?
- Whoever manufactured your computer's hardware
- Whichever god you're praying to if any. Hopefully your password isn't naughty.
Hey, you know, just... don't be a smartass with people. opsec is extremely difficult, and there's always a thing to find to victim-blame. I mean, fuck, Lastpass didn't have great reputation in the first place (they fucked up several times in the past) and people should be using bitwarden/1password/keepassxc, not LP. That is STILL NOT A REASON to victim-blame.
You could simply apologize to the GP instead of tripling down on snark, here and in sibling comments. Whatever happens makes no difference to me personally, it's more about making HN a nicer place.
>You could simply apologize to the GP instead of tripling down on snark
No, why? It's wrong to give your password to a 3rd party, you can't be a victim if you jump off a cliff all by yourself...so no victim-blaming here...the victims could be the (theoretical) customers of him.
And btw i never called him "smartass"....so i would say if anything the "apologize"-thing is on the other side, but no feelings hurt ;)
Oh and you used that word too...so much for a nicer HN and victim-blaming ;)
Of course, lesson learned, I chose convenience over common sense. Self-hosted, encrypted passwords it is from now on. LastPass is luckily(?) the only counterparty I ever trusted to this degree except for maybe my banks.
(Great, after I fix this password mess, I will have to start looking into trustless banking)
Some geeks with some kinds of internet connections could set up their own server to sync passwords. But what does literally everyone else do? Re-use the same password everywhere?
Most people who use a password manager need to sync their passwords between devices. I need to be able to log in to things on my laptop, my desktop, my tablet and my phone. And I need to be able to save a new password into the password manager from any of those devices.
Now I personally could sync those passwords in my own self-hosted Nextcloud instance that's hosted in my house from a raspberry pi. But most people don't know how to, or don't want to invest the time into, administrating their own file syncing service on their own hardware. Others don't have an Internet connection which makes it possible to host stuff.
i have been a hardened user of keepass and it is strange to find people who "HATE" the idea of keepass over anything online, bitwarden or lastpass or 1password or whatever BS "zero knowledge backup" or other nonsense. you dont need to have LIVE SYNCING for your passwords.
i have a keepass on my laptop and its copy on my phone. if occasionally i have to update anything, i do that and copy the file to the other place. say i update on the phone so next time i just share the file to the laptop and i am synced.
this "janky" method has worked for over 5-7 years now without any problems so i don't understand why anyone wants to "keep live sync" enabled for such things and have to pay someone for the privilege and then have to wait for them to get hacked. nonsense
Why don't I want live syncing between my phone and my laptop? I use my phone quite a lot despite my laptop being within an arm length or two. Having new passwords accessible between them seems like an obviously useful thing.
good for you. are you worried a threat actor would hack your dropbox and steal your keepass file and break your password? probably but that would mean keepass has been broken, something that hasn't been the case so what's the problem?
I get downvoted every time this comes up but meanwhile y'all are upthread arguing over the finer points of keeping your digital list of passwords in the cloud or on a local drive. I thought minimizing attack surface was the name of the game?
My passwords are all unique and contain plenty of entropy and memorizing them was not actually very hard. I also memorize various phone numbers, email addresses, important dates, etc.
Maybe google has wrecked your brains, but I suspect this technique is more accessible than you think. Or are you arguing that it's less secure?
As someone who started out at a help desk, this method definitely doesn't work for people for some unfixable reasons:
- people forget
- you can't remember dozens of passwords without a system, and having a system is bad, and almost everyone has dozens of passwords
- this still doesn't help you when a provider (like your ISP or credit card company) is hacked, and since you're probably using some kind of system or the same password in lots of places for ease of memorization, you're hugely at risk
These discussions basically end up speedrunning to "everything is a magic link email" a la Slack (once you filter out the mob pushing their fave password manager), which more and more services are moving to. It's nice because:
- you don't store passwords
- you have no password recovery flow (or, you could also say you only have password recovery flow, but your users never actually set a password)
- your users can't forget their passwords
- it's pretty much just as secure as your email, which is probably gmail, which is fine
I think you get downvoted because your method isn't broadly applicable. I don't doubt it works for you--and I'll side note that I'm old enough to remember actually remembering things like phone numbers and what-not--and that we could all probably use some practice remembering. I'll also say that it's probably the case that most "accounts" are just to harvest your email address to spam you or track you and sell your info to marketers, so a system with some built in back pressure on adding an account is useful in that sense. But if we geek ambassadors go out there and tell people "just remember dozens of passwords or you're asking to be hacked" we're inviting them to spend a lot of time with customer service and in forgot password flows.
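The magic-link flow the comment above describes (no stored passwords, no separate recovery flow, security bounded by the user's mailbox) only delivers that if the link itself is handled carefully: a high-entropy token, a short lifetime, single use, and only a hash of the token at rest so a leaked pending-login table cannot be replayed. The block below is an added example, not code from the thread or from Slack or any other service; the base URL, the 15-minute lifetime and the in-memory table are assumptions chosen for the demonstration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a link is valid for 15 minutes


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issue and redeem single-use, time-limited login links.

    Only the SHA-256 of each token is stored, so a leaked pending-login table
    cannot be turned into working links; the raw token exists only in the e-mail.
    """

    def __init__(self, base_url: str = "https://app.example.invalid/login",
                 now: Callable[[], float] = time.time):
        self._base_url = base_url   # assumption: hypothetical URL
        self._now = now             # injectable clock so expiry can be exercised in tests
        self._pending: Dict[bytes, PendingLogin] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email: str) -> str:
        """Create a fresh 256-bit token and return the link to be e-mailed to the user."""
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = PendingLogin(email, self._now() + TOKEN_TTL_SECONDS)
        return f"{self._base_url}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the e-mail the token authenticates, or None if unknown, expired or already used."""
        record = self._pending.get(self._hash(token))
        if record is None or record.used or self._now() > record.expires_at:
            return None
        record.used = True  # single use: forwarding or replaying the same link fails
        return record.email


def token_from_link(link: str) -> str:
    """Extract the token query parameter (the only parameter this example puts in the link)."""
    return link.rsplit("token=", 1)[1]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("alice@example.invalid")
    tok = token_from_link(link)
    print(svc.redeem(tok))               # the e-mail: login succeeds once
    print(svc.redeem(tok))               # None: the link has been consumed
    print(svc.redeem("not-a-real-token"))  # None: unknown token
```

Looking the record up by the hash of the presented token is what makes a database read-only compromise harmless, and the injected clock is there so the expiry branch can be tested without sleeping.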
Your assertion that you need a "system" to remember multiple passwords is simply false. In fact, I generate passwords with a random generator I wrote in python, just like any software "solution".
You did touch on one of my secrets, I don't maintain hundreds of superfluous "accounts". I'm not going to count them, but I suspect I'm at around 30. If I don't log into a service for a long time then I just go ahead and transition that to "never" in which case it doesn't matter if I remember the password or not since it's clear I don't need that account anyway.
I also use unique logins and emails with each service which I guess is even more to remember.
For throwaway accounts and things that really don't matter I use an easier to guess (and crack) leetspeak pw and/or a post-it note.
I suspect people who are not techies have even fewer accounts to remember so this may actually work for many (though I agree, not all) of them. Probably more than you give credit. In fact I assume that most non-techies are simply keeping credentials in their memory in which case the best advice is probably just to remind them to use unique ones, at least for their email and their bank...
I've also worked help desk and no one ever called to report that everything was hunky dory.
Anyway, I appreciate you taking the time to address the issue rather than just leaving another drive-by downvote.
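The commenter above mentions generating passwords with a random generator written in Python. The block below is an added example in that spirit, not the commenter's own generator; it shows the one property such a script must have (a CSPRNG, via `secrets`, rather than `random`) and computes the entropy of what it produces, for both character passwords and word-based passphrases. The word list is a constructed stand-in for a real one of several thousand words.

```python
import math
import secrets
import string

# secrets draws from the OS CSPRNG; random is a Mersenne Twister whose state
# can be recovered from its output, so it must never be used for credentials.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random string over the distinct symbols of `alphabet`."""
    symbols = "".join(dict.fromkeys(alphabet))  # dedupe so no symbol is over-weighted
    if length < 1 or len(symbols) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(symbols) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


# Constructed word list; a real passphrase list has thousands of words
# (7776 words gives about 12.9 bits per word).
WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "glacier", "harbor",
         "ivory", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pebble"]


def passphrase(n_words: int = 6, words=WORDS, separator: str = "-") -> str:
    """Word-based passphrase; entropy is n_words * log2(len(words)), not the character count."""
    if n_words < 1 or len(set(words)) < 2:
        raise ValueError("need n_words >= 1 and at least two distinct words")
    return separator.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    pw = random_password(20)
    print(pw, round(entropy_bits(20, len(PRINTABLE)), 1), "bits")
    pp = passphrase(6)
    print(pp, round(entropy_bits(6, len(WORDS)), 1), "bits (tiny list)")
    print(round(entropy_bits(6, 7776), 1), "bits with a 7776-word list")
```

The entropy figure is the number a brute-force cost estimate needs; a 20-character password over 94 symbols is about 131 bits, and six words from a 7776-word list about 77.5 bits, which is why passphrases need a large list rather than a long separator.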
Yeah I mean, there may be a goldilocks zone of sophisticated enough to remember 30 random strings of text but not sophisticated enough to need to remember 300 random strings of text, and yeah if it works for you that's awesome (I keep thinking I'll try and get my memory back to where it was when I was in college, but I keep forgetting to do it!! :P)
And yeah I think the big bad we're working against is people using the same password (or a password with some very small variations that's super easy to guess from a variant) across all their services. I'm sure almost everyone does this, I even know sophisticated engineers who do it, I also do it for accounts I don't care about. "Use a password manager browser extension" is the easiest thing for us former help deskers to tell people, and as long as that person didn't choose LastPass (which you should never have chosen, how many breaches will it take) they'll be in great shape.
Maybe not every month, but having hundreds of unique accounts is quite trivial to do. For example I manage dozens of accounts for friends and family for a variety of reasons. The fact that I don’t log into these accounts every month makes it even harder to remember them.
“Just have less accounts so you can remember your passwords!” is not real advice
I'll warrant that if you have hundreds of accounts you rarely log in to then it may behoove you to record them somewhere. However in this case I'm not sure a password vault is superior to just keeping them on an encrypted volume on a thumb drive. And I'd still argue its best to keep these rarely-used credentials siloed from your day-to-day passwords, especially if they're being held in trust for someone else (really each client should have their own silo).
That’s a good point about siloed credentials, I honestly never thought about that.
However I’d say given that the password vault is open-source and can be self-hosted (like Bitwarden) there are many reasons to use it over an encrypted flash drive. It can be automatically backed up easily, is supported on every device (including mobile) via a web browser. It also includes useful tools like a configurable password generator, versioning, and auto fill. For the average person that is much better than an encrypted flash drive volume, which IME are platform locked (LUKS doesn’t work on Windows, Bitlocker doesn’t work on Linux), are much less convenient, and are much more fragile.
Of course, use whatever works best for you, I don’t know your situation.
Not the person you're responding to, but: My keepass database has over 250 entries over the last decade. There's no way I could remember a unique password for each entry.
If you could explain how "monthly" is relevant to the discussion, that'd be great.
I’m a happy user of 1Password for Families, which I only mention since it means >1 person is storing in our vaults (and 1P isn’t as vulnerable to “my backup has unencrypted URLs stored in it” — one of my main issues with LastPass’ latest breach).
Like you we have TONS of credentials (and other supported items), around 2800 vault items in total, some of which we definitely only use once a year, others we use multiple times per day. Probably started using a password manager and some technique to share some vaults around 2010, so also a decade.
The number of people reporting needing access to multiple hundreds or more of required credentials is blowing my mind. If this is the reality of how people are using the internet these days then we desperately need a better cross-platform solution to identity management and authentication than can ever be offered by passwords. These vault programs are sounding more like a horrendous bandaid than the mere unnecessary convenience I viewed them as.
If you need to share passwords amongst multiple people I guess I can see some of the appeal of these networked vaults, but it strikes me that even this is a drastically subpar situation that ought to be handled on a deeper architectural level (like with sub-accounts and ACLs).
What's absolutely insane to ME is how consistently your responses seem to ignore that other people have different use cases for passwords. Nobody cares if something seems "insane" to you. It may surprise you to discover that services like these exist, perhaps, because people interact with passwords in a different way than your "I only keep passwords that I use monthly" brain database paradigm.
You can't seriously be telling me that managing 2800 secrets for a single "family" isn't evidence of a broken system. Unless GP is doing IT for the actual mafia I stand by my assertion that this is nuts and we ought to consider whether there's a better paradigm we could be pursuing.
To whoever is reading this: I am not doing IT for the Mafia. ;)
I mean, this is all apples and oranges, but if you could, examine your browser history across all devices as a household going back let's say 10 years. Lots of sites, right? How many did you ever create an account on for whatever reason? Are those all in your vault today? They essentially are for us. To the very best of my knowledge (and there's functionality in 1Password to analyze this, obviously anything not in vaults is invisible to it however) we have no duplicated passwords, anywhere on the internet.
To give some examples of how we do use 1Password, in terms of "Online Shopping" (just one of our shared vaults) that has 100's of credentials for everything from Amazon through Walmart and covering whatever we buy online from groceries to ammunition. Tons of more specialist or niche suppliers like Christmas Designers also make you 'Create Account' to have order histories and to be able to track shipments - this one in particular is a great place for garland, lighting and other holiday items, tis the season!
1Password also stores all our rewards programs (i.e. Store Cards, Airline, Hotels). I'd guess we are signed up with 40-50 merchants for some kind of "Rewards" (i.e. Fred Meyer or QFC, and where the ROI for signing up for their program is some items will be $2.49 instead of $4.49 on offer). I have traveled a lot for business and so can't always fly one carrier alliance or stay entirely within one hotel chain, so I guess that's another ~20 (airlines) and ~20 (hotel chains) for you.
I'm not going to memorize software licenses (serial numbers or license files for e.g., Bartender for macOS), nor other access tokens (i.e. SSH Keys, API Tokens) to various geekery.
Two other things which end up helping a lot, one of which adds lots of vault items: the integration story with Privacy [1] and Fastmail [2]. We've used and loved Privacy for a long time, and this integration stores the unique per-merchant credit card details in a vault. With Fastmail you can create 'Masked Emails' so you've got a unique email for each place you signed up. We've easily rotated both card details and emails on accounts when we find out someone was compromised, and with these integrations we're only rotating that site, not potentially 100+ sites using say the same Chase Sapphire card.
So, your own approach may vary, and I see from other comments that you memorize all your accounts (?) and commented on the frequency of access ("monthly") being relevant to you, so I'd assume frequency/recency plays a part, and you duplicate credentials for less important sites or rely on 'Forgot Password' functionality for less used sites? How do you deal with accounts you didn't need in the last 60 days? In any case, 1Password works amazingly for us, and quite a large number of our friends too, although anecdotally they've usually got 100's not 1000's of items in vaults. :)
"sub-accounts and ACLs" sounds just as awful to me, if not worse, quite honestly. Imagine managing an "Account" at each of 100's of online merchants and other sites like Netflix, where each has >= 1 "User", and "ACLs" (permissions).
I am entirely happy for my family to just have access to the Amazon or Netflix email addresses (logins) and passwords without any of that overhead.
Monthly is just a simple test to see if you're actually using these accounts. I'd say start by reconsidering if you need these accounts at all and if you decide you do, go ahead and keep them in a software vault. But I still recommend keeping the ones you use once a month or more in your head. It will be more secure (and possibly more convenient) and if you are using them this frequently it will also be easy to remember them. I'd also posit that these frequently-accessed accounts are likely to be your most important ones, deserving of a little extra security.
Glad that method works out for you. Fortunately for the rest of the world, technology has progressed far enough that Password Storage is a solved problem.
I think it's very typical of HN users to think of the average person as tech-savvy enough to do what you're doing, but they aren't. People are fallible, people forget things, people lose things. Some people would rather entrust a reputable service to handle the very menial task of managing their passwords for them, rather than go through the hassle of doing it themselves.
Not only do these services provide better convenience, they make you more secure! Many people reuse the same password, so when a site gets "owned", any site using that same password is now compromised as well. Some of these services will even automatically tell you when a site gets "owned" and offer to change that password for you retroactively.
Now, if you want to go ahead and use a local only method, be my guest. But please, don't ever suggest to anyone else that they should do the same, that's just bad security advice! By the way, getting hacked in the password manager does not mean all your passwords leaked. It just means some extra metadata about you may get discovered, which I'd argue is a reasonable trade-off.
There is no universe in which having a local encrypted key vault that is not online and not synced to the cloud is less secure than having a cloud synched version of the same thing.
There is literally no way that can possibly be less secure.
So if your argument is that the convenience of it makes it more secure … I dont know to say except:
you’re wrong.
> Not only do these services provide better convenience, they make you more secure!
Nope.
> By the way, getting hacked in the password manager does not mean all your passwords leaked.
Nope. That’s not what it means. It means your encrypted vault was leaked, which includes your passwords, if they bother to crack it.
> which I'd argue is a reasonable trade-off.
Well, at least it’s fair to say you saved that as an opinion; fair. Other people probably agree that the security risk of using an online password vault is worth the convenience of using it.
Fair.
…but, fundamentally less secure.
Anyone who chooses to manage their own passwords, offline, is choosing a more secure, less convenient alternative.
I think that’s fair too; and, given number of hacks to lastpass, okta, etc… not, perhaps, terrible advice.
You could get robbed of your physical key. Simpler than an actual burglar. However, they could not even do an autopsy of your brain to recover your cloud keys.
I don't feel too strongly about this, just replying since you were being an absolutist.
If they can rob you they can also use the $5 wrench attack to force you to give up your cloud password manager master password. So even in that case having a local vault is at least as secure as a cloud vault.
>I think it's very typical of HN users to think of the average person as tech-savvy enough to do what you're doing, but they aren't. People are fallible, people forget things, people lose things.
This should be taught in schools if that is your concern. What I am doing with the "manual sync" for files is because I have 2 machines I want to get my passwords on. There is a HUGE population who only have a phone. For them, keepassdroid or some other keepass app is the only thing that they should ever need or use. I know because I have set up the files for my family members; they only have their phones at hand and the file has served them well for years without any problem.
Now they "whatsapp or email" the file to themselves or to me if they have to change their phone and get it back in a matter of minutes. This is not as big of a deal that you need to have an online-tied system and be a techie otherwise.
If I only had a phone, I would definitely want live sync, so I had a chance of recovery if my phone was gone. Keepass isn't even something I'd consider.
I'm not sure what you're referring to that should be taught in schools. The problem of forgetting things is often "human error" not "pilot error", a random packet loss of the mind rather than lack of skill.
There are strategies to mitigate it, like always leaving the house with the same set of items and never changing it up, and avoiding situations where you rely on memory, but live sync is going to prevent a lot of mistakes.
The threat model of storing passwords in an encrypted file with live sync is gonna be smaller than only keeping it in one device. Yeah you are at more risk of getting pwnd but at almost no risk of losing your passwords. Your phone dies and you lose everything. And if you send your passfile through a convenient service like whatsapp or telegram you risk your data also getting leaked through them without the benefit of live sync.
But doing password saving and live sync through a third party service is pretty crazy to me. Why not split the threat? One program to store your passwords and one service to sync them. I use keepass2android and keepassxc with my own file sync server as sync method. If you don't want your own server you can use a multitude of third party ones.
What should be taught in school is to store your passwords in a secure way just like any other important real life skills like doing your taxes, basic eating and physical health, etc.
The trouble is losing a phone is probably just as common or more common than getting hacked, and keepass sync is purely manual.
I suspect the most secure way to store passwords is in your Google account, because they have a far higher budget than almost anyone else. They will spy on you, but they also keep random hackers out.
I use BitWarden (with gmail as the 2FA) instead because I wanted the ability to try different browsers, and I like being able to store other bits of critical info in my vault.
You generally can't get hacked on anything important unless you already lost your phone, even if they have your password, because of 2FA.
You also don't lose your account if you lose your phone if you use SMS 2FA like most people do even though it's not perfectly secure, because your cell carrier can recover your number.
I wonder if these risks are also with a service like 1Password. How can you know if they are in fact, actually encrypting every single detail associated with the login? It’s not like we can view the servers ourselves.
1Password also uses a secret key in addition to your master password to encrypt your data. You enter the secret key when setting up the account on a new device.
So a hacker would have to get hold of the encrypted data, together with the secret key for each account. The secret key isn't stored by 1Password, requiring the hacker to brute force it. However, each key provides 128 bits of entropy, which makes it infeasible to brute force with current technology.
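The two-secret scheme described in the comment above, as an added illustration (this is not 1Password's code; the PBKDF2 parameters, the XOR mixing step and the sample password are assumptions for the demo). The point it shows is that a leaked vault plus a correctly guessed master password still leaves the attacker facing the 128-bit secret key, while a user who does hold the secret key is still only as safe as their password:

```python
"""Two-secret key derivation: the vault key depends on both the user's master
password and a random 128-bit secret key that the service never stores.
Added illustration, not 1Password's implementation; parameters are demo
assumptions."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 20_000  # assumption: kept low so the demo runs quickly
KEY_LEN = 32                # 256-bit vault key
SECRET_KEY_LEN = 16         # 128 bits of entropy, as stated in the comment


def generate_secret_key() -> bytes:
    """Random secret created once at enrolment and held only on the user's
    devices (e.g. printed on a recovery sheet), never on the server."""
    return secrets.token_bytes(SECRET_KEY_LEN)


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """vault_key = slow_hash(password, salt) XOR PRF(secret_key, salt).

    Either input alone is useless: a stolen vault plus the right password
    still leaves 2**128 possibilities for the secret-key half."""
    pw_half = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, PBKDF2_ITERATIONS, KEY_LEN)
    sk_half = hmac.new(salt, secret_key, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_half, sk_half))


def offline_guess(salt: bytes, key_check: bytes, candidates, secret_key=None):
    """Simulate an attacker who holds a leaked salt and some value that lets
    them test a candidate vault key (key_check).

    With secret_key=None the attacker has no secret and can only try a fixed
    guess (all zeros), so every password candidate fails even when the
    password itself is right. Given the secret key, a weak password falls to
    a tiny dictionary, which is why the password still matters."""
    guessed_secret = secret_key if secret_key is not None else bytes(SECRET_KEY_LEN)
    for pw in candidates:
        if hmac.compare_digest(derive_vault_key(pw, guessed_secret, salt), key_check):
            return pw
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed sample; real salts are random per account
    sk = generate_secret_key()
    key = derive_vault_key("kittens1", sk, salt)   # deliberately weak demo password
    print("without secret key:", offline_guess(salt, key, ["password", "kittens1"]))
    print("with secret key:   ", offline_guess(salt, key, ["password", "kittens1"], sk))
```

The defensive takeaway matches the thread: the secret key protects against an offline attack on a stolen vault, not against a device that already holds the secret key, so the master password still has to be strong.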
But the issue in this thread is less about how the encryption is done compared to the amount of data that is actually encrypted. I wonder if 1Password encrypts everything, in addition to passwords.
My understanding is that they do, but there are some caveats. For example the feature that tells you if 2fa is available for a website presumably requires sending an HTTP request to 1Password servers including the domain of the website.
Although it's possible they implement this with a local bloom filter or something. I'm just speculating. And either way, those requests would only end up stored in some server logs somewhere, rather than in a database row directly linked to your vault.
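The local Bloom filter idea speculated about above, as an added example (not 1Password's implementation; the domain list, capacity and error rate are constructed for the demo). The server publishes one filter that is identical for every user, and the client answers "does this site offer 2FA?" entirely offline, so the domains in a vault never appear in anyone's server logs:

```python
"""Locally shipped Bloom filter for "does this site offer 2FA?" lookups.
Added example; not 1Password's code. The site list is constructed."""
import hashlib
import math
from typing import Optional

# Constructed sample of a curated "sites that support 2FA" list.
KNOWN_2FA_SITES = ["example.com", "bank.example.org", "mail.example.net"]
CAPACITY = 1000      # expected number of domains the filter is sized for
ERROR_RATE = 0.01    # target false-positive rate at full capacity


class BloomFilter:
    """Fixed-size bit array with k hash positions per item. Answers are
    'definitely not' or 'probably yes'; the items themselves are never stored,
    so the filter bytes reveal nothing about any particular domain."""

    def __init__(self, capacity: int, error_rate: float = 0.01,
                 bits: Optional[bytearray] = None):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hashes
        self.size = math.ceil(-capacity * math.log(error_rate) / (math.log(2) ** 2))
        self.hashes = max(1, round(self.size / capacity * math.log(2)))
        self.bits = bits if bits is not None else bytearray((self.size + 7) // 8)

    def _positions(self, item: str):
        # Kirsch-Mitzenmacher double hashing: k positions from one SHA-256 digest
        d = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.size for i in range(self.hashes)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def to_bytes(self) -> bytes:
        return bytes(self.bits)


def canonical_domain(domain: str) -> str:
    """Normalise so the client and server hash the same string."""
    return domain.strip().lower().rstrip(".")


def build_2fa_filter(domains, capacity: int = CAPACITY, error_rate: float = ERROR_RATE) -> bytes:
    """Server side: build the filter once from the curated list and publish
    the bytes to every client. Fetching it is the same request for everyone."""
    bf = BloomFilter(capacity, error_rate)
    for d in domains:
        bf.add(canonical_domain(d))
    return bf.to_bytes()


def supports_2fa(filter_bytes: bytes, domain: str,
                 capacity: int = CAPACITY, error_rate: float = ERROR_RATE) -> bool:
    """Client side: check a vault entry's domain without any network request.
    True means 'probably' (false positives are possible); False is definite."""
    bf = BloomFilter(capacity, error_rate, bytearray(filter_bytes))
    return canonical_domain(domain) in bf


if __name__ == "__main__":
    published = build_2fa_filter(KNOWN_2FA_SITES)
    print(len(published), "bytes shipped to clients")
    for site in ["example.com", "nothing.example"]:
        print(site, "->", supports_2fa(published, site))
```

The caveat a practitioner cares about is the asymmetry of the answers: a "no" is exact, a "yes" is probabilistic, which is acceptable for a hint in the UI but not for anything security-critical. The capacity and error rate must be shipped alongside the bytes (or fixed in the client), since they determine the bit-array size and hash count.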
BitWarden and other self-hostable open source solutions do allow you to verify everything is encrypted, though you have to self-host to truly verify it (since it's always possible the official hosting service runs different software).
After they've already been shown to have been dishonest previously, and after they chose to make an additional disclosure on the last working day (for most) before Christmas, I think you have to assume your data is at risk, and act accordingly. I certainly would.
Do you trust them to tell the truth about whether all your data was reliably, securely, and permanently deleted? Can they tell you when and how?
You’re right, I’m assuming my account was breached and I’m resetting my passwords. I already started noticing hack attempts (e.g. reset password attempts) this week, so that indicates it’s likely to have been breached.
I used lastpass reluctantly, knowing the risk but also knowing it was better than re-using passwords.
What a fun way to spend the Christmas holiday, resetting passwords.