
ajf.350d

macrumors regular
Nov 23, 2010
143
79
Worcestershire, UK
Deleted my LastPass account at the beginning of the year and moved to Keychain and Bitwarden, as I use Windows occasionally.
Makes me wonder if this is someone internal, though?

I also blame, to a degree, the number of passwords people need to keep these days.
Why do I need to create an account on every website just to buy any random thing on the internet?
Banks are getting bad as well. I have 4 different pieces of info I need to keep safe for various different logins, for ONE account!
All this tends to drive the use of password safes in my mind, which makes them bigger targets.
 
  • Like
Reactions: phillytim

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,565
43,547
Deleted my Lastpass account beginning of the year
I think many people are fleeing LastPass, and this latest revelation will continue the negative subscriber slide.
 

robertosh

macrumors 65816
Mar 2, 2011
1,100
920
Switzerland
I self-host a password manager at home, as I didn't trust anyone. In any case, it's also not a perfect solution, so just try to keep your important credentials under 2FA (two-factor authentication) when available.
 

AF_APPLETALK

macrumors 6502a
Nov 12, 2020
606
848
I found out that I still have my OLD LastPass account. Deleting the contents, and then the account.

Bitwarden finally had their first slip-up last year, but they have been solid and are a fraction of the price of LastPass. I find myself slowly migrating back to iCloud Keychain. Passkeys are going to make password managers obsolete eventually. Matter of time.

I want to add that this is as embarrassing for Plex as it is for LastPass. They didn't specify where the Plex server was running, though. He wasn't running it on the same computer he was working off of, I hope?!
 

BellSystem

macrumors 6502
Mar 17, 2022
454
1,039
Boston, MA
In all honesty I think using Google is probably not a good idea.

I use Bitwarden. It's open source, so there are many eyes looking for vulnerabilities. End-to-end encryption, and if you so choose, you can self-host the vault (or whatever term they use).
LOL. Just because it's open source doesn't mean it's secure. The "many eyes" argument is weak because most of the eyes have no idea what they are looking at. It is in nobody's best interest to keep it secure because nobody is paid to do that. You are making the assumption that everyone involved is a security expert, and that is a risky assumption. Security is more than understanding code. You as the non-programmer have zero ways to be assured anything open source is secure. Then if there was a problem with the code…who is going to fix it and when? You? Me? Who? What's the time frame? Who's testing it? I'm sure Google will be quicker to resolve a security issue than a bunch of internet randos.
I think companies like Apple and Google that offer password management as an ancillary service are generally weaker because it's not their main focus
This is another weak argument. You assume they will be lax with security because it's not their main focus. The reality is they have a vested interest to keep their entire infrastructure secure. This product has to be reviewed and kept secure to protect their more core assets. They also probably have more people involved than some random people on the internet.

You and everyone else really need to dump the idea that open source = more secure because "everyone is looking at the code". You don't know who is looking at the code and when. You don't know the level of competence of the people involved or who is involved. It is nobody's job to ensure that Bitwarden is secure. Am I saying it's not…no. But you are running under a false sense of security.

I don’t care who uses what and why. But you shouldn’t trick yourself into thinking open source = security. Nor should you make grand assumptions about a company’s focus on security because of your opinion.
 

KaliYoni

macrumors 68000
Feb 19, 2016
1,729
3,808
I'd say that Apple is better than Google on privacy but the two companies are at the same level for security. Both have ample resources available for protecting data. If there is a meaningful security difference, I'd say GOOG might have an advantage over AAPL because of AAPL's secretive and "insanely" compartmentalized internal culture and organization.

Small companies, in contrast, carry privacy and security risks of their own. Some important risks are extensive outsourcing of hosting and coding, small and often stretched-to-the-max engineering teams, and how user information is handled if a company is involved in a merger, acquisition, or, often worst from a user perspective, bought by a private equity firm.

Personally, I would be comfortable storing non-critical, non-highly confidential website passwords in Chrome's password manager if I used Chrome. But anything I want to keep closely held is kept out of the cloud and is kept away from applications and log-in services made by GOOG, Meta, and other surveillance economy companies as much as possible.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,052
1,330
What is scary about this one is that the hackers targeted a high-level employee that had access, and installed keyloggers onto their work laptop. So it's less about weak systems and more about human engineering (if you want to call it that)

And, that high level employee was allowed to install personal software on their work machine. That machine should have been locked down.
 

KaliYoni

macrumors 68000
Feb 19, 2016
1,729
3,808
Just because it’s open source doesn’t mean it’s secure...

Yes. For example:

----------
ETA: another vulnerability of the open source model is that low-level, "boring" functions do not attract much attention or updates from coders. Plus there are no clear lines of responsibility or accountability. For example, if I recall correctly (I can't search for the specifics right now), there was a web-wide security problem that escaped detection for years because it was tied to a flaw in a time-of-day lookup routine that nobody had any interest in reviewing...including the person who originally wrote the code.
 

Danfango

macrumors 65816
Jan 4, 2022
1,294
5,777
London, UK
I work in fintech. If this was us we'd be fined millions.

I suspect LastPass will get away with it and attract many customers with crappy YouTube sponsorships and advertising.
 

KaliYoni

macrumors 68000
Feb 19, 2016
1,729
3,808
I work in fintech. If this was us we'd be fined millions.

I suspect LastPass will get away with it and attract many customers with crappy YouTube sponsorships and advertising.

Just want to add that only fintech firms subject to compliance and regulatory supervision would be fined millions...frontier stuff, such as cryptocurrencies, and what I call Loophole Fintech (for example, payday lending and quasi-banks that operate as money transfer services) use a better-to-ask-for-forgiveness-than-ask-for-permission strategy that relies on loose regulation run by local governments or on the complete absence of regulation.
 

Danfango

macrumors 65816
Jan 4, 2022
1,294
5,777
London, UK
Just want to add that only fintech firms subject to compliance and regulatory supervision would be fined millions...frontier stuff, such as cryptocurrencies, and what I call Loophole Fintech (for example, payday lending and quasi-banks that operate as money transfer services) use a better-to-ask-for-forgiveness-than-ask-for-permission strategy that relies on loose regulation run by local governments or on the complete absence of regulation.

Correct-ish. I work in a regulated fintech.

But it depends on the regulatory area you're in. For example even basic retail or facilitation, which is not regulated, can be fined big money: https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf
 
  • Like
Reactions: KaliYoni

gregmac19

macrumors regular
Jul 28, 2016
199
146
Why? Any specific reason? Or is it just ”evil corporation”?
I’d call any company willing to censor for the repressive authoritarian Chinese regime an “evil corporation.” For many reasons, I don’t trust Google, and out of principle try not to use any of their products.

I use Codebook as it appears to me that Zetetic knows what they are doing, and I prefer to support small firms over large corporations.
 

Mebsat

macrumors regular
May 19, 2003
215
367
Florida
LOL. Just because it’s open source doesn’t mean it’s secure. The “many eyes” argument is weak because most of the eyes have no idea what they are looking at. It is in nobody’s best interest keep it secure because nobody is paid to do that. You are making the assumption that everyone involved is a security expert and that is a risky assumption. Security is more than understanding code. You as the non-programmer have zero ways to be assured anything open source is secure. Then if there was a problem with the code…who is going to fix it and when? You? Me? Who? What’s the time frame? Who’s testing it? I’m sure Google will be quicker to resolve a security issue than a bunch of internet randos.

This is another weak argument. You assume they will be lax with security because it’s not their main focus. The reality is they have a vested interest to keep their entire infrastructure secure. This product has be reviewed and kept secure to protect their more core assets. They also probably have more people involved than some random people on the internet.

You and everyone else really need to dump the idea that open source = more secure because “everyone is looking at the code”. You don’t know who is looking at the code and when. You don’t know the level of competence of the people involved or who is involved. It is nobody’s job to insure that bitwarden is secure. Am I saying it’s not…no. But you are running under a false sense of security.

I don’t care who uses what and why. But you shouldn’t trick yourself into thinking open source = security. Nor should you make grand assumptions about a company’s focus on security because of your opinion.
I agree with your arguments against trusting something just because it's open source, but they are straw man arguments.

Bitwarden is a commercial enterprise that open-sources its code. One reason for this is to show there are no hidden endpoints and also to encourage the community to search for vulnerabilities.

But it's not like they don't have engineers who are working on the product. It is, in fact, many people's job to ensure BitWarden is secure. Their actual job. You could even be one of them:

Some of us like the code we use to manage our passwords to be reviewable. That doesn't mean we use it solely because it is an open source project. That is a bonus.
 

BellSystem

macrumors 6502
Mar 17, 2022
454
1,039
Boston, MA
I agree with your arguments against trusting something just because it's open source, but they are straw man arguments.

BitWarden is a commercial enterprise that open sources its code. One reason for this is to show there are no hidden endpoints and also to encourage the community to search for vulnerabilities.

But it's not like they don't have engineers who are working on the product. It is, in fact, many people's job to ensure BitWarden is secure. Their actual job. You could even be one of them:

Some of us like the code we use to manage our passwords to be reviewable. That doesn't mean we use it solely because it is an open source project. That is a bonus.
If they are a commercial enterprise, then that was the argument OP should make. Not "it's open source, so it's more secure than Google". But then one could argue so was LastPass…and it's a circular argument, lol. Moral of the story…assume nothing is 100% safe and plan accordingly.
 

Lioness~

macrumors 68040
Apr 26, 2017
3,023
3,751
Sweden
I have been using 1Password since 2013. I thought about switching to LastPass a couple times. Glad I didn’t.
Long-time 1P user too, but I was not happy when they went subscription. But given the lower cost of it for the first four years, I am OK with it for now. I would much rather be safe than sorry.
See how much Apple's own service has evolved at the time when 1P wants to almost double the cost of the subscription for me?
 

Lihp8270

macrumors 65816
Dec 31, 2016
1,119
1,588
I have become less confident with Apple Keychain since reading about the iPhone vulnerabilities.


"To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain."

It seems that the more secure approach is to use a password manager that has a different passcode than the one that accesses the iPhone, and to not store sensitive info in Apple Keychain on the iPhone.
Tbf. That is true of all password managers.

They’re convenient but if somebody knows the master they know everything.

Everybody has to find what their level of acceptable risk vs convenience is.
 
  • Like
Reactions: G5isAlive

Ethosik

Contributor
Oct 21, 2009
7,820
6,724
Tbf. That is true of all password managers.

They’re convenient but if somebody knows the master they know everything.

Everybody has to find what their level of acceptable risk vs convenience is.
That’s why I like 1Password. You also need a secret key along with your password.
 
  • Like
Reactions: Jason216
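To make the "secret key along with your password" point concrete, here is an added example that is not code from the thread or from 1Password (it does not reproduce 1Password's actual key-derivation scheme): a simplified two-secret key derivation in Python using only the standard library. The salt, secret key, wordlist and iteration count are constructed for the demo. It shows that an attacker who stole the vault can recover a password-only key by offline guessing, gets nowhere against the two-secret key without the device-side secret, and is back to plain password guessing once the secret key is also taken (for example via the keylogger route described earlier in the thread).

```python
import hashlib
import hmac

# Demo parameters. These are assumptions for the illustration, not 1Password's
# real settings: the iteration count is kept low so the demo runs quickly.
PBKDF2_ITERATIONS = 50_000
KEY_LEN = 32


def derive_password_key(password: str, salt: bytes) -> bytes:
    """Vault key derived from the master password alone.

    This is the single-secret model: anyone holding the vault can guess
    passwords offline and check each guess, limited only by the KDF cost.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def derive_two_secret_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Vault key that mixes the stretched password with a second, high-entropy
    secret that lives only on enrolled devices (a simplified illustration of
    the secret-key idea, not 1Password's actual construction).

    Without secret_key an attacker cannot even compute candidate keys, so a
    stolen vault plus a good wordlist is not enough.
    """
    stretched = derive_password_key(password, salt)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def make_verifier(key: bytes) -> bytes:
    """Stand-in for the key-check value stored beside an encrypted vault,
    which is what an offline attacker tests each guess against."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def offline_guess(verifier: bytes, salt: bytes, wordlist, secret_key=None):
    """Simulate an attacker who has the stolen vault (salt + verifier) and a
    wordlist. secret_key=None means they do not have the device secret."""
    for guess in wordlist:
        if secret_key is None:
            candidate = derive_password_key(guess, salt)
        else:
            candidate = derive_two_secret_key(guess, secret_key, salt)
        if hmac.compare_digest(make_verifier(candidate), verifier):
            return guess
    return None


def demo():
    """Returns (pw_only_result, two_secret_without_sk, two_secret_with_sk)."""
    # Constructed inputs so the run is deterministic; a real salt and secret
    # key would come from a CSPRNG.
    salt = b"constructed-demo-salt"
    secret_key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    master = "correct horse battery staple"
    # A tiny wordlist that happens to contain the master password, standing in
    # for a large cracking dictionary.
    wordlist = ["password123", "letmein", master, "qwerty"]

    verifier_pw_only = make_verifier(derive_password_key(master, salt))
    verifier_two_secret = make_verifier(derive_two_secret_key(master, secret_key, salt))

    # 1. Password-only vault: the wordlist attack recovers the master password.
    found_pw_only = offline_guess(verifier_pw_only, salt, wordlist)
    # 2. Two-secret vault, attacker lacks the secret key: every guess fails.
    found_no_sk = offline_guess(verifier_two_secret, salt, wordlist)
    # 3. Attacker also took the secret key (e.g. full device compromise):
    #    back to guessing the password.
    found_with_sk = offline_guess(verifier_two_secret, salt, wordlist, secret_key)
    return found_pw_only, found_no_sk, found_with_sk


if __name__ == "__main__":
    print(demo())
```

The design point is that the second secret is never typed, never sent to the server, and has enough entropy that it cannot be guessed; it protects against a breach of the provider's storage, not against compromise of a device that already holds it, which is why a keylogger on an enrolled machine still wins.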

mailbuoy

macrumors regular
Jan 16, 2014
105
55
Davidsonville, MD
Tbf. That is true of all password managers.

They’re convenient but if somebody knows the master they know everything.

Everybody has to find what their level of acceptable risk vs convenience is.
There is a significant difference. If a thief has access inside your iPhone he has access to Keychain and all that is in it. If you use a different password manager (with a passcode different from the iPhone passcode) the thief does not have access to your secure data.
 
  • Like
Reactions: Brian33

MisterSavage

macrumors 601
Nov 10, 2018
4,651
5,495
Oh I know, but open source has more opportunities for many varied and skilled people to find stuff; it's no guarantee, but many security experts tend to think open access to how security applications work can only strengthen them

Agreed. Plus, an X11 server's sole function isn't to secure your passwords.

LOL. Just because it’s open source doesn’t mean it’s secure. The “many eyes” argument is weak because most of the eyes have no idea what they are looking at. It is in nobody’s best interest keep it secure because nobody is paid to do that. You are making the assumption that everyone involved is a security expert and that is a risky assumption. Security is more than understanding code. You as the non-programmer have zero ways to be assured anything open source is secure. Then if there was a problem with the code…who is going to fix it and when? You? Me? Who? What’s the time frame? Who’s testing it? I’m sure Google will be quicker to resolve a security issue than a bunch of internet randos.
You do realize that those randos contribute new features to Bitwarden? You see it happening all the time on the Github repository and Bitwarden community forums. Also, you really think if the community alerts the team to a security issue that BW will put it on the community to fix it rapidly?
 
  • Like
Reactions: maflynn