LastPass master password security?

Lsbcal

If I enter my master password while on an insecure network is it seen by a snooper?

I would think that it is not transmitted and just local to my device.
 
I use LastPass. Do you mean an unsecured network like a hotel room or Starbucks? I only sign in when I know the network is secure. Isn't it encrypted? LastPass had some hacking issues but because of that, I think it makes them more secure.
 
Can't say for sure, but I'd guess it would be about as secure as entering a password or typing anything else in a hotel with no password for the wifi connection.

Probably most people nearby aren't snooping, but someone who knows how to snoop may be able to see what you are typing.

As I said, just a guess.
 
I turn off wifi and use my cell connection if/when I use passwords period.
 
My understanding is the Lock symbol next to the URL is supposed to mean the login is secure - if anyone knows differently, please let us know
 
Wouldn't they use SSL? I assume it would be safe.

I use an app which keeps the passwords local and encrypted, so I don't worry about it.
 
I use a VPN app when I am using unsecured wifi. This includes places like Starbucks - especially if I can't get cell service.
 
At hotels when possible I use my travel router. That way even if the hotel wifi has no password, the access is via my router's password.
 
My understanding is the Lock symbol next to the URL is supposed to mean the login is secure - if anyone knows differently, please let us know

According to the FTC, this is correct.

https://consumer.ftc.gov/articles/are-public-wi-fi-networks-safe-what-you-need-know

A recent article in the Washington Post says the same thing (probably behind a paywall)

https://www.washingtonpost.com/technology/2022/09/26/public-wifi-privacy/

To see what potential hackers could see on a shared network, we invited professionals from cybersecurity company Avast to “compromise” my home network (all with my consent). We logged onto the same network at the same time, just like we would at a coffee shop, to see how much data a bad actor with a few free tools could learn about an unassuming WiFi user.

What we found might be a relief for the coffee shop crowd.

After a few minutes clicking around my finance, work, streaming and social media accounts, Avast’s team could see the sites I’d visited (though not what I’d done there), the time of day and the specific device I used (in this case, a MacBook Pro). It’s not nothing, but it wouldn’t do hackers much good if they were looking to rip me off.

But:

Still, for the rest of us, public WiFi networks aren’t totally threat-free. Mom-and-pop shops are unlikely to keep up with necessary WiFi maintenance such as firmware updates and strong passwords…
 
I pretty much just use my cellphone data connection (via hotspot) whenever I’m away from home.
 
My understanding is the Lock symbol next to the URL is supposed to mean the login is secure - if anyone knows differently, please let us know

+1
It means that the site is an https:// site, using encryption between your browser and the site.
In general it means it's secure.

A sniffer will know which sites you went to, i.e. a bank or brokerage, as the encryption can only be done after you have connected.
 
I only have 3G cellular in Death Valley plus unsecured wifi. Hence the query. Apparently I can make calls but no cellular data.

LastPass app on my cell phone I am guessing does not transmit the master password over the network. But not sure about that one.

BTW it’s beautiful around here.
 
I talked to LastPass support. I did not get a direct reply to my question but they said that since I had multifactor authentication set up, I should be protected should someone get the master password.
 
Thanks for that link DayDreaming. There is more detail in it than I have seen before.
 
Krebs On Security has reported that the bad guys who exfiltrated encrypted user databases from LastPass in November of 2022 may have started cracking some of the passwords.

https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.
Bax said the only obvious commonality between the victims who agreed to be interviewed was that they had stored the seed phrases for their cryptocurrency wallets in LastPass.

IMO, if you used LastPass as your password manager any time in 2022 or earlier you should at the very least change your passwords on every financial account you have if you have not done so since the breach in November of 2022. Also, if you have not activated 2FA (two-factor authentication) on accounts where it is available, do so ASAP. And change the password on any email account you use with these financial institutions.
 
In reading this article it seems the research done has found that any accounts that were breached were those of users who are involved with trading cryptocurrencies.

"Bax told KrebsOnSecurity. “I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”" The emphasis in this quote is mine.
 
I switched from LastPass to 1Password a couple of years ago. I would never type my master password on a public network.

I pretty much just use my cellphone data connection (via hotspot) whenever I’m away from home.

This is what we do. I think those hotel Wi-Fi networks or the ones at doctors, etc. are not very secure. So, I do not use them. I can use my phone as a mobile hotspot and so use that cellular connection any time I am not at home. Works fine.
 