LastPass says hackers stole customers’ password vaults
- Thread starter SpacemanSpiff
- Start date
I would of never expected anyone to bother to hack into a site full of rich customer passwords and secret. Who knew this would happen?
I've never understood why anybody would want to send any sensitive or personal information to the cloud.
Mike A.
Known around here
- May 6, 2017
- 4,170
- 6,992
Yet another thing that I don't trust in the cloud.
I do use a local password manager but I don't put full info even in that. I use partials with coded hints to myself to fill in the rest.
I do use a local password manager but I don't put full info even in that. I use partials with coded hints to myself to fill in the rest.
I make it a rule that critical login information has to be done manually with 2-factor authorization: banking, paypal, ebay...anything with credit card info.
However, general logins such as to IPCT are remembered by Google. Though I am a IPCT+ member (hay...gotta support these fine folks here somehow other than my witty banter), the actual purchase of upgrade acct is done via paypal.
However, general logins such as to IPCT are remembered by Google. Though I am a IPCT+ member (hay...gotta support these fine folks here somehow other than my witty banter), the actual purchase of upgrade acct is done via paypal.
Article said the hackers still need to brute force your master password to gain access to your passwords. I for one have a very long random master password with numbers letters symbols etc. They would move one to someone elses password before getting into mine.
I watched a video of a guy brute forcing WiFi passowords. I am no IT security specialist so unsure if what was said in video is true or not. But the video guy said to use some "Z's" and "9's" in passwords as that will take years to crack, since most if not all brute force scripts/programs start at A and 1.
Using multi-factor auth helps reduce the risk as well. They would need not only your password but the next token to get into your data.
BORIStheBLADE
Getting comfortable
I've been using a local password app for years. I've been wanting to try a new one but all of them seem to sync to a cloud.
Lastpass used to have a local version where you could download your vault from the cloud and work with it locally. Too bad they got rid of it.
Mike A.
Known around here
- May 6, 2017
- 4,170
- 6,992
I use KeePassium. All local and can save encrypted backups.
I used 2fa as well for ipct.
I use it for anything that has it available.
If you really want to have a secure password make it a "Double Blind Password". When you use a DBP neither you nor the password manager app know the full password. You create a strong password that is stored in the password manager and then you add a unique identifier that only you know.
You split your password into 2 parts - one which is stored in the password manager, and the other which is stored in your head, If your password manager is hack/stolen or compromised due to a security breach they will not have a working password
Example ...
Generated password ... L%^&m$^aSurYH:*\6Vr6'T
Blind ... DefCon
Actuall PW needed to access site ... L%^&m$^aSurYH:*\6Vr6'TDefCon
The password manager inputs the generated password then you type in the blind. You use the same "Blind" PW for every site and you never store it in the PW manager or write it down. I have several elderly clients that can not/will not learn to use a PW manager and write down all their passwords. I got them to use the DBP method, they still write down their passwords just not the "blind" they memorize.
You split your password into 2 parts - one which is stored in the password manager, and the other which is stored in your head, If your password manager is hack/stolen or compromised due to a security breach they will not have a working password
Example ...
Generated password ... L%^&m$^aSurYH:*\6Vr6'T
Blind ... DefCon
Actuall PW needed to access site ... L%^&m$^aSurYH:*\6Vr6'TDefCon
The password manager inputs the generated password then you type in the blind. You use the same "Blind" PW for every site and you never store it in the PW manager or write it down. I have several elderly clients that can not/will not learn to use a PW manager and write down all their passwords. I got them to use the DBP method, they still write down their passwords just not the "blind" they memorize.
CCTVCam
Known around here
- Sep 25, 2017
- 2,834
- 3,712
I prefer to store mine in Excel on my own pc and never ever keep financial or banking passwords on a my pc. I keep those offline, in a physical form and encrypted in a way only I can decode. Yes some might say a PC is equally vulnerable. But apart from the fact my pc is likely to be of little interest to a hacker, I'm just one of trillions of private pc's on the net, even if they can find me, I have the usual hiding techniques active to make me unsearcheable, I'm also behind 2 firewalls - a low level commercial Modem with Firewall and then a separate Router Firewall. Add into that the fact my pc is switched off when not in use and the chances of me being hacked for PW's is very very slight. Even if they do get in, there are no financials. Something to be said for keeping you oiwn passwords in a list.
With all that said, I am looking at other solutions now. This last breach pushed me over the edge I guess. It just seems indicative of LP growing complacent over the years. This was like breach #3 actual in total from what I recall and even though I use MFA and a really strong master password (which I changed yet again) I don't like the fact that a lot of the metadata included in the vaults that were stolen were in fact not encrypted. So the assumption is, they do have my name email address, URLs etc. and for me, it's the straw breaking the proverbial camel's back.
Smilingreen
Known around here
I store my passwords on the inside of the cookie jar in the pantry. When I need a password, it gives me a good excuse to grab a cookie while I got the lid opened...........such genius.....
BORIStheBLADE
Getting comfortable
Smilingreen
Known around here
I never have grasped the concept of why you would want to put valuable or irreplaceable data, out on a remote server, in gawd knows what country, for gawd knows who to have access to it. Home built NAS out of an old PC with some WD RED drives in it has been my data storage for years. It doesn't have access to the internet. Has worked flawlessly and no one knows what it is just by looking at it.
BORIStheBLADE
Getting comfortable
I use the program called SafeinCloud. Password Manager SafeInCloud for Android, iOS, Windows, and Mac It puts a encrypted database on my google drive then I sync my laptop and devices to it. You can also host the file on your own server at home, but I've never done it. I've been looking for another program like it, but haven't found anything that works so easily.