
ajf.350d

macrumors regular
Nov 23, 2010
143
79
Worcestershire, UK
Would you mind me asking - why aren't you all-in on Keychain OR Bitwarden? @ajf.350d

iCloud for Windows lets you access Keychain passwords while in a Windows web browser.

How do you segregate the use of Keychain and Bitwarden?
Fair point, I probably ought to.
I couldn’t get iCloud passwords to work within the Windows app, and after various searches I’m not the only one.
So I had to switch to BitWarden for that part.
I’d already moved most stuff into Keychain though and it does work smoother with Apple, which is what I mainly use, so decided to just stick with the two.
I rarely add new accounts that need to be in both so, so far, it has worked OK.

Not ideal, but not unworkable for me at the moment.
If I had to use Windows again more often I would probably move everything into BitWarden though.

SalisburySam

macrumors 6502a
May 19, 2019
798
675
Salisbury, North Carolina
I don't think I've had enough coffee this morning. You're saying version 7 is not subscription but you pay 34 dollars a year? I'm confused, that sounds awfully like a subscription.
Well, when you look at it like that… Yeah, could be called a subscription but it’s more like the historical process of requiring a payment for an upgrade to a new release vs. an update to a dot release. But OK, I like your thinking better.

KaliYoni

macrumors 68000
Feb 19, 2016
1,726
3,804
Revelations about LastPass keep getting worse and worse. Some choice quotes from a recent article on Krebs on Security:

a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults [...] the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments.

while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials that would satisfy the 12-character minimum.

Palant believes LastPass also failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years.

for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000 [...] Palant said the 2018 change was in response to a security bug report he filed about some users having dangerously low iterations in their LastPass settings.

“Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration,” Palant wrote. “My test account is still at 5,000 iterations, as are the accounts of many other users who checked their LastPass settings. LastPass would know how many users are affected, but they aren’t telling that. In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.”
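The iteration-count history quoted above is the whole security story: PBKDF2 cost is linear in the iteration count, so a vault left at 5,000 iterations lets whoever holds a stolen copy test 120 master-password guesses for the price of one against a vault at the current 600,000. The Python below is an added example, not LastPass code or anything from the Krebs article; the use of PBKDF2-HMAC-SHA256 with the account e-mail as salt is an assumption that mirrors common password-manager practice, and the sample password and salt are constructed.

```python
import hashlib
import time

# Defaults for new LastPass accounts, as quoted in the thread (Krebs/Palant).
LASTPASS_DEFAULTS = {
    "early (pre-2013)": 500,
    "2013": 5_000,
    "Feb 2018": 100_100,
    "current": 600_000,
}
CURRENT_DEFAULT = LASTPASS_DEFAULTS["current"]


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Assumption: algorithm and e-mail-as-salt mirror typical password-manager
    designs; this is not LastPass's exact scheme.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt.encode("utf-8"),
        iterations, dklen=32,
    )


def audit_iterations(iterations: int, current_default: int = CURRENT_DEFAULT) -> dict:
    """Flag an account whose stored iteration count lags the current default.

    PBKDF2 work grows linearly with iterations, so a vault stretched N times
    can be guessed against current_default / N times faster than an up-to-date
    one; that factor is what a migration audit should surface.
    """
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return {
        "iterations": iterations,
        "below_default": iterations < current_default,
        "guess_speedup": current_default / iterations,
    }


def measure_speedup(low: int, high: int, password: str = "correct horse battery",
                    salt: str = "user@example.com") -> float:
    """Measure the real wall-clock ratio between two iteration settings (constructed inputs)."""
    t0 = time.perf_counter()
    derive_vault_key(password, salt, low)
    t1 = time.perf_counter()
    derive_vault_key(password, salt, high)
    t2 = time.perf_counter()
    return (t2 - t1) / (t1 - t0)


if __name__ == "__main__":
    for era, n in LASTPASS_DEFAULTS.items():
        a = audit_iterations(n)
        print(f"{era:>17}: {n:>8} iterations -> {a['guess_speedup']:.0f}x cheaper per guess")
    print(f"measured 5,000 vs 600,000: {measure_speedup(5_000, 600_000):.0f}x")
```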


 

laptech

macrumors 68040
Apr 26, 2013
3,582
3,986
Earth
Revelations about LastPass keep getting worse and worse. Some choice quotes from a recent article on Krebs on Security:

a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults [...] the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments.

while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials that would satisfy the 12-character minimum.

Palant believes LastPass also failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years.

for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000 [...] Palant said the 2018 change was in response to a security bug report he filed about some users having dangerously low iterations in their LastPass settings.

“Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration,” Palant wrote. “My test account is still at 5,000 iterations, as are the accounts of many other users who checked their LastPass settings. LastPass would know how many users are affected, but they aren’t telling that. In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.”


I sense lawsuits coming from LastPass customers who have had their crypto accounts hacked and the currency stolen.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,533
43,476
I sense an impending bankruptcy.
Nah, there's already a class action lawsuit and it will be settled at a dollar amount that will hurt but not kill LastPass, and it will only benefit the lawyers.
 

Lioness~

macrumors 68030
Apr 26, 2017
2,978
3,717
Mars
Sure 1Password is subscription, but subscriptions are part of life now. We have to accept it, and choose what is worthwhile for us.

Security is super important, and it’s a great app, and worth it for me. Think it was on some discount a few yrs as well.
I have a bunch of subscriptions, and when I end one usually another one starts.
When I ditched Apple Music that I found overpriced for me, I started YouTube which is way more worth it in my opinion.
 

gregmac19

macrumors regular
Jul 28, 2016
198
146
Sure 1Password is subscription, but subscriptions are part of life now. We have to accept it, and choose what is worthwhile for us.
You don't need a subscription to have a secure password manager solution. I use Codebook, which does not offer subscriptions, and keep my password vault only on my computer and offline backups. This setup is at least as secure as anything else.

And I don’t feel I have to accept that software subscriptions are “part of life.” The only thing I have a subscription for is my secure email account.

chrono1081

macrumors G3
Jan 26, 2008
8,463
4,184
Isla Nublar
I have become less confident with Apple Keychain since reading about the iPhone vulnerabilities.


"To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain."

It seems that the more secure approach is to use a password manager that has a different passcode than the one that accesses the iPhone, and to not store sensitive info in Apple Keychain on the iPhone.

It doesn't mean you shouldn't trust it. If someone has your password for anything, yes, they can do damage. This is why you use stuff like FaceID (where you actively have to look at your phone to unlock it) in a public place and mind your surroundings, and also set a password with more complexity.

Not trusting Keychain because someone watched you type your password on your phone and stole it is akin to not trusting ATMs because someone watched you type your PIN in and stole your card.
 

Lioness~

macrumors 68030
Apr 26, 2017
2,978
3,717
Mars
You don't need a subscription to have a secure password manager solution. I use Codebook, which does not offer subscriptions, and keep my password vault only on my computer and offline backups. This setup is at least as secure as anything else.

And I don’t feel I have to accept that software subscriptions are “part of life.” The only thing I have a subscription for is my secure email account.

Each to their own - what saves time and is secure for me is worth money too 😉
Having an app that I can trust, that provides what I pay for, and whose makers are dedicated to their work is definitely worth it to me.

mailbuoy

macrumors regular
Jan 16, 2014
105
55
Davidsonville, MD
It doesn't mean you shouldn't trust it. If someone has your password for anything, yes, they can do damage. This is why you use stuff like FaceID (where you actively have to look at your phone to unlock it) in a public place and mind your surroundings, and also set a password with more complexity.

Not trusting Keychain because someone watched you type your password on your phone and stole it is akin to not trusting ATMs because someone watched you type your PIN in and stole your card.
I don't disagree that the risk of losing your iPhone and its PIN/passcode is controllable. However, in the worst case scenario, your iPhone plus your phone PIN/passcode can lead to being locked out of your phone, your iCloud account and every account for which you have a password in Keychain; potentially it could lead to identity theft depending on what info you have in your phone.

In your ATM example the risk is limited - most likely nothing, if you report the card's compromise to your bank.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,533
43,476
Isn't that true of all class action suits? Class members get a pittance and the lawyers cash in.
Yes, that's my point. Most class action suits do very little to make the injured party whole again.
 

SalisburySam

macrumors 6502a
May 19, 2019
798
675
Salisbury, North Carolina
To actually be made whole, an injured party must skip the class action and sue directly, win, and then be granted enough compensation to overcome the perceived loss, and have the ability to actually collect. And do it again should the defendant appeal. And possibly again. While all this goes on, the injured is also likely paying their lawyer(s) out of pocket as otherwise they’re doing a lot of work for free. And this could easily take years. Given this, the class action is attractive.

Class action suits serve two purposes: changing defendant behavior by making it very expensive for a company to continue that behavior, and ensuring great wealth for the lawyer team should they win. There is little-to-no benefit for any injured individual beyond a token “thanks for playing” and MAYBE a tiny (think well under $100) cash settlement. Members of the class (the victims) aggregate themselves because there is no downside, a very tiny upside, they don’t have to do anything, they don’t have to pay lawyers, and they MIGHT be able to altruistically alter a market-offending behavior.
 

370zulu

macrumors 6502
Nov 4, 2014
344
293
Each to their own - what saves time and is secure for me is worth money too 😉
Having an app that I can trust, that provides what I pay for, and whose makers are dedicated to their work is definitely worth it to me.
Absolutely true!

Bitwarden Premium sub with YubiKeys here. Very inexpensive overall. Gives me peace of mind.