LastPass says hackers stole customers’ password vaults

Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
I make it a rule that critical login information has to be done manually with 2-factor authorization: banking, PayPal, eBay...anything with credit card info.
However, general logins such as to IPCT are remembered by Google. Though I am an IPCT+ member (hey...gotta support these fine folks here somehow other than my witty banter), the actual purchase of upgrade acct is done via PayPal.
 

prsmith777

Article said the hackers still need to brute force your master password to gain access to your passwords. I for one have a very long random master password with numbers, letters, symbols, etc. They would move on to someone else's password before getting into mine.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
> Article said the hackers still need to brute force your master password to gain access to your passwords. I for one have a very long random master password with numbers, letters, symbols, etc. They would move on to someone else's password before getting into mine.

I watched a video of a guy brute forcing WiFi passwords. I am no IT security specialist so unsure if what was said in the video is true or not. But the video guy said to use some "Z's" and "9's" in passwords as that will take years to crack, since most if not all brute force scripts/programs start at A and 1.
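
An added example, not from the post or the video it mentions, that counts where a password falls when every string is tried in a fixed character order, shortest first. The alphabet and its ordering are assumptions; guessing that uses word lists or rules does not follow this order at all.

```python
import string

# Assumption: a naive enumerator tries all 1-character strings, then all
# 2-character strings, and so on, each length in this fixed order
# ('0' is tried first, 'z' last).
ALPHABET = string.digits + string.ascii_lowercase


def guess_rank(password, alphabet=ALPHABET):
    """1-based position of `password` in that enumeration."""
    n = len(alphabet)
    shorter = sum(n ** k for k in range(1, len(password)))
    offset = 0
    for ch in password:
        offset = offset * n + alphabet.index(ch)
    return shorter + offset + 1


def average_rank(length, alphabet=ALPHABET):
    """Expected rank of a uniformly random password of this length."""
    n = len(alphabet)
    shorter = sum(n ** k for k in range(1, length))
    return shorter + (n ** length + 1) / 2


def gain_from_late_characters(length):
    """How much later than an average password the all-'z' one is reached."""
    return guess_rank("z" * length) / average_rank(length)


def gain_from_one_more_character(length):
    """How much later an average password is reached with one extra character."""
    return average_rank(length + 1) / average_rank(length)


if __name__ == "__main__":
    print("all-z vs average, 8 chars:", round(gain_from_late_characters(8), 2))
    print("9 chars vs 8 chars:", round(gain_from_one_more_character(8), 2))
    # The earliest 9-character string comes right after the latest 8-character one.
    print(guess_rank("0" * 9) - guess_rank("z" * 8))
```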
 

mikeynags

> Article said the hackers still need to brute force your master password to gain access to your passwords. I for one have a very long random master password with numbers, letters, symbols, etc. They would move on to someone else's password before getting into mine.

Using multi-factor auth helps reduce the risk as well. They would need not only your password but the next token to get into your data.
 

looktall

> I make it a rule that critical login information has to be done manually with 2-factor authorization: banking, PayPal, eBay...anything with credit card info.
> However, general logins such as to IPCT are remembered by Google. Though I am an IPCT+ member (hey...gotta support these fine folks here somehow other than my witty banter), the actual purchase of upgrade acct is done via PayPal.

I used 2FA as well for IPCT.
I use it for anything that has it available.
 

BobbyArcher

If you really want to have a secure password make it a "Double Blind Password". When you use a DBP neither you nor the password manager app know the full password. You create a strong password that is stored in the password manager and then you add a unique identifier that only you know.

You split your password into 2 parts - one which is stored in the password manager, and the other which is stored in your head. If your password manager is hacked/stolen or compromised due to a security breach they will not have a working password.

Example ...

Generated password ... L%^&m$^aSurYH:*\6Vr6'T
Blind ... DefCon
Actual PW needed to access site ... L%^&m$^aSurYH:*\6Vr6'TDefCon

The password manager inputs the generated password then you type in the blind. You use the same "Blind" PW for every site and you never store it in the PW manager or write it down. I have several elderly clients that can not/will not learn to use a PW manager and write down all their passwords. I got them to use the DBP method, they still write down their passwords just not the "blind" they memorize.
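
The split described in this post, as an added example that is not the poster's code: the vault keeps only the generated half, and a login needs that half plus the memorized blind. The site names and the PBKDF2 verifier standing in for a site's password check are constructed assumptions; `max_bits` gives the upper bound on what remains unknown once the vault half is exposed.

```python
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_stored_part(length=24):
    """Random half that is saved in the password manager."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def verifier(password, salt):
    """Constructed stand-in for a site's password hash (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(vault, site, blind):
    """Save only the generated half; the site is given generated half + blind."""
    vault[site] = generate_stored_part()
    salt = secrets.token_bytes(16)
    return salt, verifier(vault[site] + blind, salt)


def login_ok(attempt, salt, expected):
    return hmac.compare_digest(verifier(attempt, salt), expected)


def max_bits(length, alphabet_size):
    """Upper bound on entropy, reached only if every character is random."""
    return length * math.log2(alphabet_size)


def demo(blind="DefCon"):  # the post's example blind, never written to the vault
    vault, report = {}, {}
    for site in ("forum.example", "shop.example"):  # constructed site names
        salt, expected = enroll(vault, site, blind)
        report[site] = {
            "vault_entry_alone": login_ok(vault[site], salt, expected),
            "vault_entry_plus_blind": login_ok(vault[site] + blind, salt, expected),
        }
    return vault, report


if __name__ == "__main__":
    print(demo()[1])
    # With the vault half known, the blind is the only unknown part.
    print(round(max_bits(24, 94)), "bits at most in the stored half")
    print(round(max_bits(6, 52)), "bits at most in a 6-letter blind")
```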
 

CCTVCam

I prefer to store mine in Excel on my own PC and never ever keep financial or banking passwords on my PC. I keep those offline, in a physical form and encrypted in a way only I can decode. Yes, some might say a PC is equally vulnerable. But apart from the fact my PC is likely to be of little interest to a hacker, I'm just one of trillions of private PCs on the net, even if they can find me, I have the usual hiding techniques active to make me unsearchable, I'm also behind 2 firewalls - a low level commercial Modem with Firewall and then a separate Router Firewall. Add into that the fact my PC is switched off when not in use and the chances of me being hacked for PWs is very very slight. Even if they do get in, there are no financials. Something to be said for keeping your own passwords in a list.
 

mikeynags

With all that said, I am looking at other solutions now. This last breach pushed me over the edge I guess. It just seems indicative of LP growing complacent over the years. This was like breach #3 actual in total from what I recall and even though I use MFA and a really strong master password (which I changed yet again) I don't like the fact that a lot of the metadata included in the vaults that were stolen were in fact not encrypted. So the assumption is, they do have my name, email address, URLs etc. and for me, it's the straw breaking the proverbial camel's back.
 

BORIStheBLADE

> With all that said, I am looking at other solutions now. This last breach pushed me over the edge I guess. It just seems indicative of LP growing complacent over the years. This was like breach #3 actual in total from what I recall and even though I use MFA and a really strong master password (which I changed yet again) I don't like the fact that a lot of the metadata included in the vaults that were stolen were in fact not encrypted. So the assumption is, they do have my name, email address, URLs etc. and for me, it's the straw breaking the proverbial camel's back.

What are you using right now?
 

Smilingreen

I never have grasped the concept of why you would want to put valuable or irreplaceable data, out on a remote server, in gawd knows what country, for gawd knows who to have access to it. Home built NAS out of an old PC with some WD RED drives in it has been my data storage for years. It doesn't have access to the internet. Has worked flawlessly and no one knows what it is just by looking at it.
 

BORIStheBLADE

> I never have grasped the concept of why you would want to put valuable or irreplaceable data, out on a remote server, in gawd knows what country, for gawd knows who to have access to it. Home built NAS out of an old PC with some WD RED drives in it has been my data storage for years. It doesn't have access to the internet. Has worked flawlessly and no one knows what it is just by looking at it.

I use the program called SafeInCloud (Password Manager SafeInCloud for Android, iOS, Windows, and Mac). It puts an encrypted database on my Google Drive, then I sync my laptop and devices to it. You can also host the file on your own server at home, but I've never done it. I've been looking for another program like it, but haven't found anything that works so easily.
 