LastPass says hackers stole customers’ password vaults

CCTVCam

Known around here
Joined
Sep 25, 2017
Messages
2,674
Reaction score
3,504
Just make a list in Excel like I do:

3 columns:

Site Name - Email Address - PW

If there are other fields such as UN required or some extra password, just put them in a spare cell to the right hand side. Sort them alphabetically every time you add a new one and logging into a site is as simple as opening the Excel file, looking at the site name, then entering the credentials. The file is entirely under your control. I have mine open as it's behind the said 2 firewalls, but if you want it more secure, you could PW or encrypt it on your drive. Ultimately, as I mentioned above, I never store my ISP details in the same file (separate Word file with those in, as also some text) and never store financial passwords or login details on my PC at all. Just name the file something like SPWS (site passwords or similar) so it's not obvious as well. "Passwords" is too easily spotted or searched by bots.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
What are you using right now?
I moved everything over to Bitwarden. It's open source and you have the option to host the vault yourself. The feature functionality is very close to lastpass so it was an easy transition.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
Just make a list in Excel like I do:

3 columns:

Site Name - Email Address - PW

If there are other fields such as UN required or some extra password, just put them in a spare cell to the right hand side. Sort them alphabetically every time you add a new one and logging into a site is as simple as opening the Excel file, looking at the site name, then entering the credentials. The file is entirely under your control. I have mine open as it's behind the said 2 firewalls, but if you want it more secure, you could PW or encrypt it on your drive. Ultimately, as I mentioned above, I never store my ISP details in the same file (separate Word file with those in, as also some text) and never store financial passwords or login details on my PC at all. Just name the file something like SPWS (site passwords or similar) so it's not obvious as well. "Passwords" is too easily spotted or searched by bots.
That won't work on my phone :)
 

c hris527

Known around here
Joined
Oct 12, 2015
Messages
1,795
Reaction score
2,094
Location
NY
Hahaha, talk about in your face, hacking a password company. Things like that have a big red bullseye on them anyway. Good luck brute-forcing the encryption; in some cases, depending on the encryption, it might take years to do that. I think we all know the cloud is not safe by now anyway. I have dental office clients who use the cloud for imaging and charting and even X-rays. When their 3rd-party cloud server got hacked, they lost 3 days in multiple offices; they could not even take X-rays for routine checkups, let alone any type of drilling or fixing. Their production losses were over 6 figures, so I was told.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
Hahaha, talk about in your face, hacking a password company. Things like that have a big red bullseye on them anyway. Good luck brute-forcing the encryption; in some cases, depending on the encryption, it might take years to do that. I think we all know the cloud is not safe by now anyway. I have dental office clients who use the cloud for imaging and charting and even X-rays. When their 3rd-party cloud server got hacked, they lost 3 days in multiple offices; they could not even take X-rays for routine checkups, let alone any type of drilling or fixing. Their production losses were over 6 figures, so I was told.
Well, the passwords are still pretty protected, especially with MFA. The part that bothers me is all the other non-encrypted data which was also stored in the vault. Not sure why they wouldn't have encrypted all of the data, just the passwords. Probably for speed.
 

c hris527

Known around here
Joined
Oct 12, 2015
Messages
1,795
Reaction score
2,094
Location
NY
Well, the passwords are still pretty protected, especially with MFA. The part that bothers me is all the other non-encrypted data which was also stored in the vault. Not sure why they wouldn't have encrypted all of the data, just the passwords. Probably for speed.
Yeah, who knows why they do what they do; encryption does play a role in accusation time for sure. Good to see you around here Mike, happy new year.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
Yeah, who knows why they do what they do; encryption does play a role in accusation time for sure. Good to see you around here Mike, happy new year.
Thanks - same to you and yours :)
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,306
Reaction score
3,292
Location
United Kingdom
I moved everything over to Bitwarden. It's open source and you have the option to host the vault yourself. The feature functionality is very close to lastpass so it was an easy transition.
Did the same myself when Lastpass announced they added restrictions to their free service.

To the people who say use a spreadsheet what do you do when you need a password whilst out and about? VPN access back to your home network I understand but even Lastpass claim to not know your actual master password for your vault. I suppose it comes down to if that statement can be trusted?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,940
Reaction score
48,652
Location
USA
Did the same myself when Lastpass announced they added restrictions to their free service.

To the people who say use a spreadsheet what do you do when you need a password whilst out and about? VPN access back to your home network I understand but even Lastpass claim to not know your actual master password for your vault. I suppose it comes down to if that statement can be trusted?
That is what the "I forgot my password" feature is for :lmao:
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
I think if LastPass had done things 100% right, this wouldn’t be an issue given the encryption in use today. The fact they don’t encrypt certain metadata contained within the vault, combined with their lack of due diligence to secure their development environment adds up to good old incompetence.


Sent from my iPhone using Tapatalk
 

cyberwolf_uk

Getting comfortable
Joined
Sep 27, 2014
Messages
609
Reaction score
717
From my understanding, they have everyone's encrypted vaults (so changing passwords on LastPass or saying "I have MFA switched on" means sh1t..); they have your vault so don't need to worry about MFA.
Now the only thing they are missing is your master vault password to unlock your vault. If, like me, your vault password is 30 random letters, numbers and symbols, then I would put some good money on them not hacking that (I could be wrong but doubt it).
But if your master password is password123456, then I guess they are already running brute-force password-cracking software on all the vaults they have and yours will be cracked pretty soon.

My advice is, as standard, to make sure MFA / 2FA is enabled on all your accounts that have it as an option (should have been there before), change all your passwords for all your entries stored in LastPass and then move to the next password manager (if you need one).
Also force a logout of all devices if the website allows you to.
For me LP have f*cked up here by not disclosing the information in a timely manner, plus they have now been hacked about 3 times to my knowledge. My suggestion would be Bitwarden (for safe hosting features and being an open source product).
As all my passwords are a minimum of 15+ random letters, numbers and symbols, I for one need a password manager, as I just couldn't, or wouldn't ever, remember those random passwords.
Yes, in an ideal world I would like a notebook with every password written in there, locked in a safe, with an identical solution stored off site, but that isn't going to happen and I would soon get sick of typing in these random passwords every time I need to access something.

I guess everyone has to do what is best for them. Mine is password manager with MFA / 2FA / Yubikey
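The post above makes the key point about a stolen vault: with the encrypted blob in hand, the attacker no longer has to go through LastPass, MFA or rate limits, and the only thing standing between them and the contents is the cost of guessing the master password offline. The following is an added example, not code from the post or from LastPass, that models that situation. It assumes a minimal vault layout (a PBKDF2-HMAC-SHA256 key derived from the master password, and an HMAC "verifier" tag stored alongside the salt so a guess can be checked without decrypting anything); the iteration count, the guessing rate and the wordlist are all constructed for the demo.

```python
"""Offline guessing against a stolen, client-side-encrypted vault (added example).

Assumed vault model (not LastPass's real format):
    key      = PBKDF2-HMAC-SHA256(master_password, salt, iterations)
    verifier = HMAC-SHA256(key, b"vault-check")
The stolen blob contains salt, iterations and verifier, so an attacker can
test master-password guesses entirely offline.
"""
import hashlib
import hmac
import os
import secrets
import string
import time

ITERATIONS = 100_100          # assumed for this demo; adjust to the real vault's value
VERIFIER_LABEL = b"vault-check"
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def make_vault(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Build the public part of a vault blob: what a thief would actually hold."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlocks(vault: dict, guess: str) -> bool:
    """True if `guess` derives the key that produced the stored verifier."""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    tag = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(tag, vault["verifier"])


def offline_dictionary_attack(vault: dict, wordlist: list[str]):
    """Try each candidate; return (password, guesses_used) or (None, guesses_used)."""
    for n, guess in enumerate(wordlist, 1):
        if unlocks(vault, guess):
            return guess, n
    return None, len(wordlist)


def expected_guesses(length: int, alphabet_size: int) -> float:
    """Average guesses to hit a uniformly random password: half the keyspace."""
    return (alphabet_size ** length) / 2


def years_to_crack(guesses: float, guesses_per_second: float) -> float:
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def random_master_password(length: int = 30) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed wordlist; a real attacker would use leaked-password lists and rules.
    wordlist = ["123456", "password", "qwerty", "letmein", "password1", "password123456"]

    weak = make_vault("password123456")
    t0 = time.perf_counter()
    found, used = offline_dictionary_attack(weak, wordlist)
    elapsed = time.perf_counter() - t0
    print(f"weak vault: cracked={found!r} after {used} guesses in {elapsed:.2f}s "
          f"({elapsed / used * 1000:.0f} ms per guess on this CPU)")

    strong = make_vault(random_master_password(30))
    found, used = offline_dictionary_attack(strong, wordlist)
    print(f"strong vault: cracked={found!r} after {used} guesses")

    # Assumed rate for a well-funded GPU rig against 100k-iteration PBKDF2-SHA256.
    rate = 1e6
    g = expected_guesses(30, 94)
    print(f"30 random printable chars: ~{g:.1e} expected guesses, "
          f"~{years_to_crack(g, rate):.1e} years at {rate:.0e} guesses/s")
```

The dictionary run is what "running brute force password cracking software on all the vaults" looks like in miniature: every guess is a full PBKDF2 derivation, so the iteration count is what makes each guess expensive, and a password on a common list is found in a handful of guesses regardless. Rotating the master password or enabling MFA after the theft changes nothing about the blob the attacker already has; only the passwords inside it can still be changed, which is why the post recommends rotating every stored credential.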
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,306
Reaction score
3,292
Location
United Kingdom
That is what the "I forgot my password" feature is for :lmao:
Ok for me that would not be workable.

For my most important sites I use a differing password for each with an extra seed extension. Even for forums I tend to use different passwords, well, slightly different.

So for me, even if my Bitwarden data is leaked and my data is held as clear text, then my passwords would not be the complete passwords, so hopefully I'd get some protection and time to allow me to update all the partially compromised passwords.

So for me having to use "I forgot a password" would mean yet another password to think of and remember if I didn't use a password manager.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
From my understanding, they have everyone's encrypted vaults (so changing passwords on LastPass or saying "I have MFA switched on" means sh1t..); they have your vault so don't need to worry about MFA.
Now the only thing they are missing is your master vault password to unlock your vault. If, like me, your vault password is 30 random letters, numbers and symbols, then I would put some good money on them not hacking that (I could be wrong but doubt it).
But if your master password is password123456, then I guess they are already running brute-force password-cracking software on all the vaults they have and yours will be cracked pretty soon.

My advice is, as standard, to make sure MFA / 2FA is enabled on all your accounts that have it as an option (should have been there before), change all your passwords for all your entries stored in LastPass and then move to the next password manager (if you need one).
Also force a logout of all devices if the website allows you to.
For me LP have f*cked up here by not disclosing the information in a timely manner, plus they have now been hacked about 3 times to my knowledge. My suggestion would be Bitwarden (for safe hosting features and being an open source product).
As all my passwords are a minimum of 15+ random letters, numbers and symbols, I for one need a password manager, as I just couldn't, or wouldn't ever, remember those random passwords.
Yes, in an ideal world I would like a notebook with every password written in there, locked in a safe, with an identical solution stored off site, but that isn't going to happen and I would soon get sick of typing in these random passwords every time I need to access something.

I guess everyone has to do what is best for them. Mine is password manager with MFA / 2FA / Yubikey
Just finished the migration of all of my info plus my wife's info over to Bitwarden. It involved a ton of cleanup including changing of most passwords to a long complex password - which is what added so much time to the move.
 

CCTVCam

Known around here
Joined
Sep 25, 2017
Messages
2,674
Reaction score
3,504
Did the same myself when Lastpass announced they added restrictions to their free service.

To the people who say use a spreadsheet what do you do when you need a password whilst out and about? VPN access back to your home network I understand but even Lastpass claim to not know your actual master password for your vault. I suppose it comes down to if that statement can be trusted?
I personally don't log into websites from my phone. I make purchases etc when back home. I do some banking via a secure banking app so am able to remember that data, but that's about it for phones logging into stuff for me.
 

Smilingreen

Known around here
Joined
Sep 17, 2021
Messages
3,603
Reaction score
14,390
Location
Tennessee USA
Did the same myself when Lastpass announced they added restrictions to their free service.

To the people who say use a spreadsheet what do you do when you need a password whilst out and about? VPN access back to your home network I understand but even Lastpass claim to not know your actual master password for your vault. I suppose it comes down to if that statement can be trusted?
If I am out and about, why would I need a password to my home computer system? I don't use apps on my phone; I talk on it on occasion. I got dual 27's on my desktop at home for a reason: old man eyes can't see shit on a phone screen. I have big thumbs and spend 3 times as much time trying to backspace and get the cursor next to the word I fat-thumbed than if I wait till I get home and type the e-mail out on a regular keyboard. Really, there is nothing I need when I am out and about that just can't wait until I get home. Others may experience different mileage.....
 