Use a Password Mgr? Which One? Like It?

NYT article (not free, sorry) about the LastPass debacle. https://www.nytimes.com/2023/01/05/technology/personaltech/lastpass-breach-password-safety.html
Various security experts think that the breach is more significant than LastPass is saying. Even the disclosure of websites linked with each user is significant.

“It is very serious,” said Sinan Eren, an executive at Barracuda, a security firm. “I would consider all those managed passwords compromised.”

The article is behind a paywall. Can you provide a few important quotes to make the point?
 
It's serious in the sense that, while everything that was stolen is encrypted, it will be forever available on the dark net. Quantum computing decryption is coming, so in 10 years or so those encrypted databases might be accessible to patient hackers.
 
Probably not. AES128 and AES256 symmetric are super hard, even with quantum. Other public key systems may be more vulnerable but we are talking many many years not 10.
 
So, you’re saying LastPass is reasonably safe for now? Something else crossed my mind. With Apple products, all are linked to each other. My six digit authorization codes go to three different devices. It’s convenient but can one of them be compromised because of that?
 
Can't say, because it all depends on how they implemented the AES256 and the program in general. I put stuff in the cloud using AES256 on my machine and upload it. Since I know the password is very strong and the program I use is well trusted, I don't worry about it as far as someone breaking the encryption.
 
LastPass apparently beefed up their requirements for the master passwords a few years ago, but I don't know if they applied it to legacy users.

The email, metadata, IP, and billing address were apparently not encrypted, and the concern is that knowing that and the websites that a user frequented could lead to targeted phishing attacks. My first indication that an email is phishing is that it concerns an account with a firm I don't use or it comes in a language I don't speak. :)
 
It's not as if anyone couldn't see this coming from a mile away.
 
That's why I don't use a password manager, something I explained earlier in this thread. They are inevitably hacker magnets.
 
I thought it was a bad idea the first time I ever heard of it. And this is exactly why.
 
I have used 1Password for several years. Works great across multiple platforms. I use it on iOS, Windows, and Chromebook. When I travel you can disable it, and that seems to work well also.
 
Steve Gibson of the Security Now podcast spent virtually all of his podcast this week talking about the LastPass situation.

For those interested, here is the link to the podcast. If you don't want to spend two hours listening to it, I suggest listening to the last 37 minutes where he discusses alternatives to LastPass.

Disclosure: Bitwarden is a sponsor of various shows on the TWiT network that produces Security Now.

How LastPass failed, Steve's next password manager, how to protect yourself
https://twit.tv/shows/security-now/episodes/904?autostart=false

There is also a written transcript but it is not available yet.
 
I do currently use LastPass. From what I’ve read thus far I’m not terribly concerned about the recent hack issue.

However, in keeping an open mind, I’m interested in other alternatives that are viable. What do you use and what features does it provide?

Features of LastPass I love:
- passwords available to me anywhere and anytime. All my passwords for everything. And as we all know, that’s a lot of passwords.
- ability to store non password data in a secure place
- auto fill of passwords on websites

Another totally secure solution (if such a thing exists), providing these features and more, would pique my interest.

I can’t imagine DW & I not having access to all our passwords at a moment’s notice. That would be a non-starter.
 
You might want to investigate the trend towards Passkeys. This is the industry term for passwordless login that is being rolled out this year.

A friend of mine mentioned them to me while I was licking my wounds about the damage the LastPass breach and response has done to me.

Not totally secure, but it does mitigate many of the risks of passwords to the masses. It is also quite convenient. May be the only choice too in the not too distant future.
 
Very promising, but not many places support passkeys yet.
 
... However, in keeping an open mind, I’m interested in other alternatives that are viable. What do you use and what features does it provide? ...
Well, I start with the observation that protecting my passwords against exhaustive attacks is unnecessary. At most sites, only a very limited number of tries are permitted before the account is locked. Further, the vast majority of successful attacks are from phishing, where the victim voluntarily provides his password. Finally, I am not an attractive enough target to justify the cost and time it would take a bad guy to make an individual attack. IMO the popular fashion for complex passwords, upper/lower case, numbers, special characters and minimum lengths is a defense against attacks that will never be made against me.

Yes, I too have a lot of passwords but very few of them have any importance. For unimportant passwords I use a very simple algorithm involving the site name. For sites that won't accept my simple password I use something more complex and permit my browser to save it. Unimportant sites include forums, weather and news sites, etc. -- places where a bad guy would find no benefit from succeeding in an effort to impersonate me.

So in the end I have well under ten passwords, all financially oriented, that I have to remember and even these are based on an algorithm. Of course, I do not permit browsers to memorize user names or passwords for these sites. I also minimize any traces of these sites on my phone contact list, phone browser bookmarks, and of course never load financial apps on my phone or tablet.

I am far more worried about someone sending a successful phishing expedition email to DW, even though she is very careful. I am careful too, but someday might make a mistake. So I worry a little bit about that too.

The thing that makes any password manager so attractive is that a successful exploit could expose passwords and personal information of literally millions of users. That is a prize worth pursuing and at that point the complexity of those exposed passwords is irrelevant. The question of whether a popular password manager can be trusted has been answered by the LastPass exploit and the revelation that much of each user's information was being stored there as clear text.
 
Thanks OldShooter. Although I frequently value your advice on this forum, I think I'll just disagree on this one. I don't think the breach was significant at LastPass. I've certainly not had any issues arise from it or any other breach. So, I don't have a lack of trust with them... yet.

If I can correctly paraphrase your solution, you basically don’t much care or worry about all your non financial passwords. And you have a self encryption algorithm in your head you use to remember your roughly 10 financial passwords.

That’s just not acceptable to me. I do care about most of my non financial passwords. Just as an example, I don’t particularly want a hacker to obtain access to any of my social media accounts and start posting inappropriate things under my name. Plus, as I get older, I don’t know if I trust myself to remember a self imposed password algorithm. And I sure don’t want to put that on DW.

So, I guess I’m just saying I’ll take the risk with LastPass for now. It might be a mistake but I’m not hearing solutions that offer decent features that are bulletproof. There is risk in everything.

Thanks for replying to me.
 
... So, I guess I’m just saying I’ll take the risk with LastPass for now. It might be a mistake but I’m not hearing solutions that offer decent features that are bulletproof. There is risk in everything. ...
I certainly wouldn't be one to say you're making a mistake. Your tradeoffs are different and lead you to a different approach than mine. I was just answering your question and telling you what I do.
 
I left Lastpass because of their poor business practices. I don’t need to pay a company to be monetized.

But for overall security, I’m not too worried. For sites that I care about, even if someone was to get my password, they wouldn’t be able to login due to 2FA and I’d get notified for an unknown/new login attempt.

It’s a bummer that Lastpass is handling this situation poorly, but I’m not surprised. I feel like they’ve gone downhill ever since they were bought out by a private equity firm. Luckily there are plenty of other options out there.
 
More news regarding LastPass:

https://arstechnica.com/information...yees-home-computer-and-stole-corporate-vault/
LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
The backup data contained both unencrypted data, such as website URLs, as well as website usernames and passwords, secure notes, and form-filled data, which had an additional layer of encryption using 256-bit AES. The new details explain how the threat actor obtained the S3 encryption keys.
 
Ugh. I really have gotten used to LastPass and don't want to switch but looks like it's time.
 
another cautionary tale for password manager users

Posted January 27 2023 on the tomsguide website:

https://www.tomsguide.com/news/hackers-are-using-fake-google-ads-to-steal-bitwarden-password-vaults-how-to-stay-safe

Hackers are once again abusing Google Ads to take unsuspecting users to phishing sites but this time, they have their sights set on Bitwarden and other password managers.

As OldShooter pointed out, password managers by their very nature are an enticing target.

As bank robber Willie Sutton famously pointed out, he robbed banks because "that's where the money is".
 
