LastPass Breach Is Worse Than They Want You To Believe

In December 2022, LastPass experienced a security breach. The breach compromised the personal data of millions of users, including names, email addresses, and encrypted passwords. Fortunately, the attackers did not gain access to the master passwords of any LastPass customers. Join the Technado team as they explain everything you need to know about the LastPass breach.
Reference articles:
- Notice of Recent Security Incident (The LastPass Blog): blog.lastpass.com/2022/12/not...
- LastPass users: Your info and password vault data are now in hackers’ hands: arstechnica.com/information-t...
- Yikes! Hackers Had Access to LastPass Users' Password Vaults: gizmodo.com/hackers-lastpass-...
- What’s in a PR statement: LastPass breach explained: palant.info/2022/12/26/whats-...
Buy Technado swag and submit listener mail at: www.technado.com/
Technado is a weekly tech podcast where Don Pezet, Peter VanRysdam, and Daniel Lowrie cover a whirlwind of tech from interviews with industry experts and up-and-coming companies to commentary on the week's news in the world of security, vendor certifications, networking, and just about anything IT related. New episodes are released every Thursday!
#lastpassbreach #lastpass #lastpassbreachexplained

Comments: 180

  • @jamesm1845
    @jamesm1845 A year ago

    Lastpass needs to go out of business. They chose to not responsibly handle the data they had been trusted with. I hope they have legal consequences for it. Again, they chose to not be responsible with customers' data.

  • @hammerheadcorvette4
    @hammerheadcorvette4 A year ago

    They've been suspect since 2018. I honestly can't even trust people who recommend it. It comes off as out of touch to me.

  • @vctrsigma
    @vctrsigma A year ago

    Not that this would be consistent with how they have behaved so far, but hopefully they act responsibly and give ample notice such that they don't lock people out unexpectedly. I can't imagine everyone has multiple backups or local copies of their vaults or is familiar with how to use the offline login mode.

  • @p_louis
    @p_louis A year ago

    I also moved to 1Password after this last fiasco. The great thing about 1Password is that they make you generate a second key that's random on top of your master password. This second key works with your master password so it's strong by default. You don't have to enter in this secondary key every time, you just keep it somewhere safe for when you need to rebuild your local copy.

  • @mikemcaulay9507
    @mikemcaulay9507 A year ago

    I still use their old “offline” version and manage distribution of the vault myself. I just can’t get past how big and juicy a target a password company is. I’ve been programming for about 30 years now, and if there’s one thing I’m certain of, it's that people screw up. If it’s got to be somebody, I’d rather it be me. :D

  • @Tech-geeky
    @Tech-geeky A year ago

    How secure is secure? Extra features are good, but I usually find they just "get in the way". When you quickly want to do something and you're blocked... when you do it again, it becomes more irritating every time, to the extent that you turn it "off". My Master Password is enough... as long as I don't lose it. As a strict "my own" use, the first thing I did with Lastpass when I set it up years ago was to "disable" One-Time Password and Recovery Key. I handle my own security, and yeah, I limit myself to (1 way in, 1 way out), but I like that better. I may be on the element of disaster.... 😆 but I'll deal with that when and if it comes.

  • @johnscott6072
    @johnscott6072 A year ago

    Writing down your passwords on sticky notes doesn't seem so bad now.

  • @75jvs
    @75jvs A year ago

    Literally my answer when someone tried to convince me to use Lastpass lmao 🤣

  • @ryankitching5936
    @ryankitching5936 A year ago

    Bro...I hear you !

  • @requiemforameme1
    @requiemforameme1 A year ago

    It's not me being lazy to clean. It's password entropy.

  • @Tech-geeky
    @Tech-geeky A year ago

    😆 it could be when you lose it.

  • @ppporch
    @ppporch A year ago

    I too used to be a Lastpass user, but the way they handled letting the public know about this was very poor.

  • @UToobSteak
    @UToobSteak A year ago

    I agree. When they said customer info was safe, I gave them the benefit of the doubt. Since it has come out otherwise, I exported my vault to Bitwarden and deleted my Lastpass, even though my master password was 21 characters (capitals, lower case, numbers, and symbols).

  • @msromike123
    @msromike123 A year ago

    My data has already been compromised; I started getting unauthorized ACH from my bank over the past weekend.

  • @DCxALBRECHT
    @DCxALBRECHT A year ago

    We are in the process of getting pricing for one of our mid-size business clients; glad I got caught up on what all is going on through this video. The PR stunt was very shady on LastPass' part with the holidays.

  • @vctrsigma
    @vctrsigma A year ago

    Not that I want to give them the benefit of the doubt, but the delay from announcement to report was similar to their past breaches (approx 6 weeks I think) and doesn't seem specifically timed. Their lack of transparency with the user impact details is terrible though.

  • @ShaunRust
    @ShaunRust A year ago

    @ITProTV great discussion. One thing that I have not seen mentioned in the comments or covered in the discussion is the LastPass feature which is enabled by default, "Revert Master Password". This allows you to revert changes to your master password that were made in the last 30 days. I wonder if this data was also stolen?

  • @TheDTAnderson
    @TheDTAnderson A year ago

    Thanks for the information!

  • @chaotic_coder
    @chaotic_coder A year ago

    This should be absolutely prosecuted. How is this not a complete violation and gross negligence? I should have dumped them after they were bought.

  • @christianbarnay2499
    @christianbarnay2499 A year ago

    I agree this should be prosecuted because it is a major violation of safety. But this event also revealed that bad practices are way older than the buy. Low iteration counts, never informing the users that standard recommendations have increased and that they should strengthen their master password. All we discover today is that they provided bad security from day one while pretending they were always at a higher level than they actually were. The PR stunt didn't start just now. Only its discovery is recent.

  • @requiemforameme1
    @requiemforameme1 A year ago

    The engineers over there must've had the dream job. I'd love to completely ignore every RFC and widescale update like TLS for the last five years. Like... what did they even do other than buy more storage space and hire more UI/UX folks? It sounds like the CTO should've grown a pair, as even a pair was more hashing iterations per user at launch...

  • @vctrsigma
    @vctrsigma A year ago

    @@christianbarnay2499 iteration counts are a moving target; there were definitely times that they were meeting expectations. But there is no excuse for them not keeping their minimum count current with best practices and proactively forcing adoption of those by users over time (at least client side whenever they re-authenticate). They absolutely failed to be good stewards of securing their customers' vault data.

  • @Tech-geeky
    @Tech-geeky A year ago

    They should. These vaults these days are stored in Amazon S3, or other, but are all U.S. Lastpass HQ is in the U.S., so the laws could do it. Bitwarden is no different. I guess being 'offshore' would be 'more secure' as laws permit (and raise potentially other issues....), or technically and physically not possible? I dunno. But it's easier to 'just change password managers and forget' :P Accountability these days means "absolutely nothing" when it comes to online. In the real world, we would understand that. It's not even like Lastpass would 'run'. They already publicly showed it was a breach and accepted the consequences.

  • @cbeserra
    @cbeserra A year ago

    Great content, exactly what I needed to know!

  • @anorax001
    @anorax001 A year ago

    I ran my 12-character random LastPass master password which had 100100 iterations on my RTX4090 using one of the better open source password crackers and it cracked my LastPass password at the 63 hour mark. Complex master passwords are useless if the password vault gets stolen.

  • @adamcbuckley
    @adamcbuckley A year ago

    Which password cracker did you use?

  • @exidrial431
    @exidrial431 A year ago

    Cool story, bro

  • @Bob-uz4ov
    @Bob-uz4ov A year ago

    Lastpass reported that the number of iterations is 100,100. But older accounts show only 5,000 and some report theirs defaulting to 1. The iterations don't change even after changing the master password. That needs to manually be changed.

  • @artistryartistry7239
    @artistryartistry7239 A year ago

    "The real story here is how these guys are living millions of years." I nearly choked on my tea with laughter. Lots of other funny comments by all you guys as well. Thank you guys for being entertaining and funny enough to take the edge off this horrible story. Most entertaining IT show -- hands down. The rest bore me to tears. One of em even thinks loudly slurping coffee while appearing to be on a sugar high is entertaining.

  • @ScottPlude
    @ScottPlude A year ago

    There are a lot of channels trying to get my attention and time. You just got mine!

  • @patthompson1253
    @patthompson1253 A year ago

    Awesome video. Thanks for breaking this down. I'm off to move this evening - pour a glass of wine and start in.

  • @Joe-Dead
    @Joe-Dead A year ago

    "unless you live under a rock" or dgaf and never used password storage apps. never even heard of last pass and gave up on password apps back in the ICQ days...breaches and general security issues such as this one continues to prove that choice correct.

  • @EricS-uf9mv
    @EricS-uf9mv A year ago

    Hey @ITProTV, I don't know if you guys ever read comments but if you do... REGARDING REGENERATING OTP keys, here's another 'gotcha' you ALSO need to consider. As I've been going through the process of changing all my PWs and OTP secret keys, I've discovered ANOTHER vector for attacking your accts... Emergency Backup Codes, Acct Recovery Codes, and Application Specific Passwords (I save these values in the "Notes" field of my PW manager... so they're potentially compromised too). So in regards to this... when you enable OTP, most sites will give you a list of emergency 1-time use backup codes. Generally if you regenerate your master OTP seed key, this also has the effect of invalidating all previous Emergency Backup Codes. But this isn't always the case with "Acct Recovery Codes"! It depends on the service! ProtonMail is a good example of this.... Gmail is a good example of this... they issue OTP Backup Codes & Acct Recovery Codes separately. Bitwarden is also a good example of this!! When you disable & then re-enable OTP in Bitwarden, IT DOES NOT INVALIDATE the already created "Acct Recovery Code". The ONLY WAY to get a new Recovery Code from Bitwarden is to physically use the code by going through the actual recovery process! Just deactivating & reactivating OTP will not change the existing Recovery Code value. (See: bitwarden.com/help/two-step-recovery-code/ ). And don't forget to re-generate your App Specific PWs if you're using 3rd party clients like Thunderbird or you have an old Xbox 360 that doesn't understand modern 2FA.

  • @alanb76
    @alanb76 A year ago

    Just for more information on this topic - I just checked my email and found the 2018 email from Lastpass regarding the changes they made at that time. Below is the email text they sent me. So they did change the iteration count automatically on my account. Apparently many haven't researched this because it is widely misreported. I still have the emails. "Recent Upgrade We are notifying you of a routine security upgrade we recently made to all LastPass accounts. Specifically, we increased the default PBKDF2 iterations to 100,100. PBKDF2 is used to protect your master password in the unlikely event of a brute-force attack. We periodically make security upgrades, such as increasing PBKDF2 iterations, to ensure we're providing the best security for users. The update happened automatically upon login to your LastPass account. Because the upgrade requires a re-encryption of the vault, LastPass records the event as a password change in your account history, as seen below, though no master password changes have been made. Note that you will be required to log-in again on other devices where you use LastPass. Time of Change 2018-12-28 12:10:08" But I agree, it is time to move on; the new owners of Lastpass have mismanaged the company and caused it to be unsuccessful in its core business.

  • @vctrsigma
    @vctrsigma A year ago

    I recall that message, and took the opportunity to pick an even higher value for myself. But it definitely didn't get applied universally as they claimed. Which is a huge fail on their part, no matter the reason. I have seen second hand reports (not unlike this person) of people with much lower iteration values, and personally know someone that checked and theirs was only at 500. Iteration count is something the attackers will certainly have in the clear and can target those master passwords with the least protection.

  • @CF542
    @CF542 A year ago

    I finally have had enough and completely closed my LastPass account and deleted all data. I had moved on some time ago after the last breach but had left the vault there just in case. I had already changed many of my passwords in the meantime. I knew deep down after LastPass had been purchased that it would likely go downhill.

  • @mikereese15
    @mikereese15 A year ago

    SMH, FML and I'm SOL with last pass. And every other abbreviation the kids use. Horrible company ethics being shown by them. I'm out. Appreciate you sharing what to do and the alternate options.

  • @aaronsatterwhite8721
    @aaronsatterwhite8721 A year ago

    Was a Lastpass user for 8 years, but no more. This was a complete mishandle on their part and a lack of protecting their customers. I guess free accounts come with costs (probably the only reason why passwords were encrypted and not usernames and URLs: selling your data). Using Bitwarden now. Currently using their cloud service but potentially going to host my own personal instance.

  • @AndySomething
    @AndySomething A year ago

    I didn't realise there was an easy way to move data from one password manager to another. I've just spent 3 full days manually transferring accounts (and changing passwords) over from Lastpass to Bitwarden lol I've been a Lastpass user for near a decade and spent most of that time as a premium user. Really happy with Bitwarden though; they seem to offer more features even with the free version.

  • @InquisiitorWH44K
    @InquisiitorWH44K A year ago

    Yeah, I've used LastPass for years. Moved on to another. Export was easy as was the Import. Emptied out my LastPass vault, and have almost finished changing the 80 or so passwords I had stored in LastPass. Most important to least. Pain in the butt but I needed to change a bunch of my passwords as they haven't been changed in a while.

  • @glennhanna244
    @glennhanna244 A year ago

    I've been happy since moving from Lastpass to Bitwarden a few years ago, when Lastpass wanted to charge to access my passwords from a mobile device. Bitwarden's free edition does everything I need it to do, and I can use it on both PC and mobile. The only drawback is that there is an extra step or two to fill in name and PW fields that Lastpass didn't have to do. I think I was able to transfer passwords from LP to BW easily... I have thousands of accounts; I wasn't going to even attempt doing one at a time.

  • @Bradiant
    @Bradiant A year ago

    A txt file on your desktop and a note in your phone is 100x more secure than hosting your passwords on likely several servers across the globe where vulnerabilities aren't patched in real time, since they can't just take the site down for a day to update after it's found out. They just keep it all up, vulnerable, and hope for a quick fix.

  • @theepicduck6922
    @theepicduck6922 A year ago

    @Brad I'd try encrypting it if it's really important however otherwise if someone has access you've got bigger problems than people accessing your niche game site log-in.

  • @alwayzurboy
    @alwayzurboy A year ago

    Since the breach I've been getting phished on my Gmail and Live accounts pretty damn hard. Hundreds of emails a day. I'm done with LastPass.

  • @starbuk138
    @starbuk138 A year ago

    Just a couple of quick points... 1) The username field *is* encrypted. So that's something, but still not great, and your comments about phishing still very much apply. 2) Lastpass have confirmed (to customers who send in a support request) that the data was stolen on Sept 22, 2022. This was all customer vaults. Hope that helps!

  • @joen0411
    @joen0411 A year ago

    One of the reports I can run as admin is login activity, the report includes url and username to the site a user logs onto. If username info is encrypted, how can this info be in the report? Lastpass has that data stored somewhere that is not encrypted.

  • @An.Individual
    @An.Individual A year ago

    But what are the dates on the stolen backups?

  • @vctrsigma
    @vctrsigma A year ago

    The stolen vault data was backups, which could have been from months or years ago depending on how they handle them. It could have been anything from the day before to all their regular backups across all time.

  • @jimcyip
    @jimcyip A year ago

    I have been a long time user of Lastpass and this has me worried. Not all my passwords are strong, some are weak for useless sites I don't really care about. But with the stolen vault and unencrypted data, does this mean the hacker could easily figure out my Master Key when they brute force into the sites with weak passwords? And then with the Master Key unlock everything else.

  • @gwine9087
    @gwine9087 A year ago

    A breach in a "security" program should put them out of business. Why should anyone use LastPass now?

  • @charlesrichardson8635
    @charlesrichardson8635 A year ago

    When I was in a financial company we would install a separate line for their business-only computer. They could not connect any other computer to that router, and that router only connected to our site. We knew if that was violated, and we fired people for that. That was years ago. WTF, Lastpass.

  • @rjc4370
    @rjc4370 A year ago

    We use Keeper Security for our password vault. They are pretty hardened and encrypt each record on top of the vault.

  • @MiteshSura
    @MiteshSura A year ago

    I switched to Bitwarden as well. Easy peasy. And updated all my passwords. Pain in the butt. Silver lining in all this … I moved to the Brave browser too. No more Chrome or Edge for me.

  • @rafabonacci4268
    @rafabonacci4268 A year ago

    Good to know.

  • @Largo-cy3rg
    @Largo-cy3rg A year ago

    Hi, great show, and I feel I have a much better understanding of the whole situation 👍 One question: I am not really sure how the number of iterations and the length of the master password influence each other. My LastPass password is a total mix of letters, numbers and special characters and 15 characters long. Everywhere you look they‘d say that my vault should be pretty secure; however, as a long-time LastPass user of course I also have those 5,000 iterations. Should my vault still be pretty safe (for now) thanks to the 15-character-long master password, or is it also weakened too much because of the only 5,000 iterations? Thanks!

  • @fearless6947
    @fearless6947 A year ago

    @Jo Blow you didn't answer his question

  • @Lcvds
    @Lcvds A year ago

    @Itprotv... What about LastPass customers who have strong 12-character passwords and two-factor authentication for a master password? Do customers with this type of setup need to reset everything and leave LastPass as well????

  • @mapryan
    @mapryan A year ago

    I get that the Notes field is encrypted, but what about other fields in the records? For example, if you "Add Payment Card", you get prompted to enter "Name on Card", "Type", "Number", "Security Code", etc, etc. Are they all considered Notes? Lastpass had lots of different types of items and it's really unclear which fields in these other records were encrypted

  • @haiderandazola6772
    @haiderandazola6772 A year ago

    Does OnePassword encrypt everything on their platform? I switched to them after the LastPass breach but never considered that only certain things can be encrypted.

  • @RussMichaels
    @RussMichaels A year ago

    So odd they only encrypt the password and notes fields; this also means your credit card and bank account details are not encrypted either.

  • @StephanWissel
    @StephanWissel A year ago

    Do we have insights if Lastpass Authenticator is affected too? How is it protected and should we update all 2FA enrolments

  • @remektekmedia6641
    @remektekmedia6641 A year ago

    You got my subscription after watching this. Bad news is that I have 1,177 passwords in Lastpass! Ouch. I am moving back to RoboForm for now and also bought a YubiKey 5 hardware security key and am going through my high value logins changing every password and setting up either a hardware key or TOTP as 2FA security.

  • @Kozi03
    @Kozi03 A year ago

    Great video to inform me of what actually happened, thank you. So pissed it's a paid service and have screwed us with this breach. Question is what is even stopping this happening on BitWarden or any other one if I move there?

  • @BayuAH
    @BayuAH A year ago

    If you get phished the first time you are unlucky, but if you get phished the second time, shame on you!

  • @tincanboat
    @tincanboat A year ago

    I have been using LP for years. I cannot log in to my account because every time I log in they stop me and send me an email saying somebody using my password has been stopped; it's me.

  • @MikeBZarlof
    @MikeBZarlof A year ago

    There is a Git script that someone made available long before this happened that you can use to try to write a program to brute-force decrypt a vault. I used the Git script without a password on my vault to see that the password card's Notes column was encrypted. They were not very good about telling us what was encrypted.

  • @EmbeddedSorcery
    @EmbeddedSorcery A year ago

    After listening to Security Now. I did the javascript thing to pull my vault down on an old LastPass account I don't use. I put a fake Google entry in it. Then I de-obfuscated anything hex with some python.... Nowhere in there appears to be the username field. All other fields are gibberish that start with "!", presumably from the CBC encryption right? So I'm not sure it is accurate to say the attacker has all our usernames. Am I missing something? I've only found URLs and domains that were plain text. I'd rather have the whole thing encrypted like in Bitwarden, but still...

  • @glen4cindy
    @glen4cindy A year ago

    My iterations were set to 5000!!! I've been a LastPass Premium user since it was $12 per year. I've already stopped using them, but that's too late now. LastPass should really tell us more information.

  • @xRage85
    @xRage85 A year ago

    Thank you for the video gentlemen! One question I am curious about is the MFA. My LastPass account has MFA enabled using the Microsoft Authenticator. If they were to guess my master password somehow, would they still need my authenticator to get into my vault in the copy they obtained?

  • @codex3191
    @codex3191 A year ago

    No. MFA is irrelevant as they have your vault.

  • @bigjonradio
    @bigjonradio A year ago

    @@codex3191 yep. specifically the database. I've read a number of places that MFA will unfortunately not help in this scenario.

  • @kenkobra
    @kenkobra A year ago

    What is your take on RoboForm password manager?

  • @cybersoil100
    @cybersoil100 A year ago

    I used LastPass Pro for over 10 years and was very happy with it. After this breach I switched to Bitwarden and am now happy with that. I will never go back.

  • @pepeshopping
    @pepeshopping A year ago

    Famous last words of people that pretend to know, but really don’t: “I was under the impression…”. DONT BE! Ensure you truly know it!

  • @JosephGetchel
    @JosephGetchel A year ago

    Wow! I just tried to remove my credit card information from their website, and found it to be not possible. I will cancel their service as soon as I have recovered all my data and set up another password manager. And I found that the iteration count (I have been a paid subscriber since 2016, and a free user for a few years before that) was set to 5000.

  • @PnPModular
    @PnPModular A year ago

    What about the "Master Password Reminder"? Is that encrypted?

  • @alanleea1644
    @alanleea1644 A year ago

    I am a little confused about a couple of your side comments. You mention the source code has been stolen allowing the attackers to use brute force against the vault and it would allow them to spoof the site. All good so far. Then one of you mentioned moving to bitwarden, which is open source. Surely open source gives hackers the same advantage as stolen source code. Do I misunderstand open source?

  • @BobfromSydney
    @BobfromSydney A year ago

    They got breached twice through the same social engineering channel. I know people say there's no point shutting the barn door after the horse has bolted, but not getting management to have a serious talk with their employees is just stupid.

  • @mikemcaulay9507
    @mikemcaulay9507 A year ago

    I’ve always felt incredibly uncomfortable with any password service saving my passwords to their servers. I bought a lifetime license from 1Password ages ago and I haven’t upgraded to their newer (online) client. I manage distribution of my fully encrypted vault myself to at least try to avoid the problem that comes with creating a stockpile of millions of users passwords together. I also don’t enable the browser plugins. Yes, it’s kind of a pain, but I don’t end up with urls being associated with my credentials. I also have two vaults. One that I’m willing to use other online storage services to share my passwords across my numerous devices. But then there is the serious stuff. That vault never gets backed up online. I have it on external storage which I only access directly from there. I don’t copy it to my local drive. 1Password makes it pretty easy to point to different locations for your vaults so I don’t find it too onerous. When it comes to password security, a bit of paranoia seems warranted. I also have a hard and fast rule to never click links in emails. If there is an offer, for example, I always go out to that company’s website directly. I’ve seen too many people have major issues over the years and it’s left me more than a little paranoid. Hehe …

  • @stancartmankenny
    @stancartmankenny A year ago

    According to lastpass's press release, usernames are encrypted. Is that not correct?

  • @mrpcakes
    @mrpcakes A year ago

    Been a customer for over 7 years. Jumped ship yesterday; can't believe they are still charging this much with these issues. Reset 30 OTPs using a YubiKey... huge pain to set it up on 2 keys but worth it.

  • @llook
    @llook A year ago

    Oh. So I need to go elsewhere for a password manager. Changed the passwords for my most important accounts but changed those using lastpass; not sure if I should've now. Hadn't given a thought to the authenticator maybe being a bit iffy. So after watching this (and reading and watching other stuff before I got here), go with a different password manager and change all passwords. Was hoping to avoid all that but seems like, nope!

  • @Laszlo34
    @Laszlo34 A year ago

    Wait...PEOPLE PUT THEIR PASSWORDS IN SOFTWARE THAT IS NETWORK AWARE?!? AND ACTUALLY INTENTIONALLY PUT THEIR PASSWORDS ON OTHER PEOPLES' COMPUTERS?!?!? What did you _think_ was going to happen??

  • @An.Individual
    @An.Individual A year ago

    New company name is LostPass.

  • @JimEdds
    @JimEdds A year ago

    I know one last pass account set to 500 and another at 10,000 iterations. Shame on them for not bumping up the early users. We have left LP and will never look back.

  • @joeyhornyak8349
    @joeyhornyak8349 A year ago

    Considering the price of $51 CAD/year Lastpass now charges, I expected better security and total encryption of my vault. Have now removed auto renew and will be going to Bitwarden, and will gladly pay the $10 USD/year for the extra features even if they offer a free version. In the end I'm still a winner.

  • @fredseekingbibleturth
    @fredseekingbibleturth A year ago

    I deleted my Lastpass account and switched to Bitwarden a month ago due to this. So I cannot go back and check the advanced settings you mentioned. However, I did look for reset in the exported data and I found 3, and one was a bank that I use. Thankfully it had expired and no longer works. The other 2 are not important. Also I spent several days trying to change all my passwords that were in the vault, starting with all the banks that I use. I had over 300 passwords. I found some sites that make it very difficult to change passwords. Also I like that Bitwarden has more features and it's cheaper. Also I could never get Yubico to work with Lastpass and it works just fine with Bitwarden.

  • @HiltonT69
    @HiltonT69 A year ago

    LastPass - we don't know who Last has access to your Passwords...

  • @tha9110
    @tha9110 A year ago

    Is it safe to move from LastPass to other companies? I mean, since LastPass learned their lesson the hard way and made some changes to make their product more secure, I feel if I move to a new password manager company then they might get the same breach and won't be ready for it... idk, I would like to get some thoughts on this from others. Thanks

  • @christopherlawley1842
    @christopherlawley1842 A year ago

    I've been using 1password for some years. You can import p/w from Last Pass but as the chaps say here, you should change them. I imagine other systems will do the same

  • @Gersberms
    @Gersberms A year ago

    That right there is *exactly* why I don't trust third parties with my password information. Since 2008 I've been using Password Safe (Bruce Schneier was famously involved in its creation) and I haven't lost a password since. The trouble is to maintain a consistent database across computers, but really, that's my only issue with that. I carry a USB stick around with a copy, and on most machines my database is used in read-only mode. Some scripts to copy the DB back and forth, and that's how I have been using it for years now.

  • @Tech-geeky
    @Tech-geeky A year ago

    I guess more people must trust technology nowadays... If they were like me and thought "trust comes first, and if you trust, you are also hoping everything is minimized in an attack," then everyone would be out of business 😆 (not the best view), but for me, "trust" or "not trusting" always takes priority. It works for me because I'm the only one info can come from. If I don't tell companies, they can beg all they like, and I'll still say "no"... So in a way, I feel that is better, but as 'unique'. You trust/share, you pay the consequences if something happens. These days, this only increases, never decreases. And to me, it's the exact opposite of what privacy and security should be. No one will educate themselves, so we all must get others to store it for us. Convenience, syncing, and trust are the spearhead in all of this. I choose neither one, unless I want to personally.

  • @markentwistle2158
    @markentwistle2158 1 year ago

    To correct some misinformation here… while it is true Site URLs for your LastPass entries are stored by LastPass in the clear, other data elements for LastPass entries are encrypted in the vault, such as Usernames, passwords, site/item names, notes, and other fields.

  • @joen0411
    @joen0411 1 year ago

    One of the reports I can run as admin is login activity; the report includes the URL and username of the site a user logs onto. If username info is encrypted, how can this info be in the report? LastPass has that data stored somewhere that is not encrypted.

  • @juancho420
    @juancho420 1 year ago

    That was my weekend. Resetting all my passwords 🤦‍♂️

  • @RussMichaels
    @RussMichaels 1 year ago

    I have contacted LastPass and asked them to cancel my subscription, but they are refusing to reply.

  • @davethompson3226
    @davethompson3226 1 year ago

    What about 2FA on the LastPass vault? Duo, Yubikey, etc… does this impact the ability to brute force the vault? I haven’t seen anything on this topic.

  • @ericfielding2540
    @ericfielding2540 1 year ago

    I don’t think the 2FA gives any extra protection if the hackers have your vault and the LastPass source. The 2FA only applies when you open your vault in the app.

  • @requiemforameme1
    @requiemforameme1 1 year ago

    The most insane fact to me is that they held end user data in essentially plaintext. I've worked as an engineer for monopoly-level enterprise software companies, and even our monthly transactional log access for a dying B2B product with *no* end-user data was more protected and hashed than this. Like, this could be a super softball interview question for any SWE I've interviewed (and there were tons of bad ones)... "Should you hash end-user data in your SoR for a B2C service?" It's not even a fucking question... JFC.

  • @TheBigBlueMarble
    @TheBigBlueMarble 1 year ago

    The bottom line...the breach does not directly give the hackers access to your passwords.

  • @PaperRaines
    @PaperRaines 1 year ago

    Back when I had to decide on a password manager years ago I legit looked at LastPass and was skittish about them; this validates my choice of Dashlane for sure. No issues or breaches, quick and fast, I've always recommended them to everybody.

  • @rogergeyer9851
    @rogergeyer9851 1 year ago

    Eduardo: And how do you know you weren't just lucky, or that they have been honest about any breaches?

  • @jmd1980
    @jmd1980 1 year ago

    Man Bitwarden must be getting slammed with business right now. Who's guessing hackers are already targeting them next?

  • @rb3n01t88
    @rb3n01t88 1 year ago

    I think I already know the answer, which is "ah crap, my vault is still susceptible." If I use a 2FA h/w key during logon with my master p/w, is my vault still susceptible or is it protected?

  • @jmd1980
    @jmd1980 1 year ago

    They won't be able to access the vault even if they guess your master pass, which, if it's unique and strong, would be near impossible anyway (I guess those are 2 big ifs though). Seems like what you need to worry about more is them now trying to brute force any important accounts they now know you have. So again, if those passwords are each unique and strong, and you're using MFA, then you're OK. In the end people should be following the basic recommended security practices, which is why you have a password manager in the first place. So if you were doing that then I'm not worried.

  • @aaron6841
    @aaron6841 1 year ago

    It's scary how misinterpreted some of the presenters of this show are. Using anything less than 12 characters is ridiculous, especially with the low iterations LastPass used.

  • @VybzKartelClassics
    @VybzKartelClassics 1 year ago

    I use LastPass and never knew this 😢

  • @DanBlake3rd
    @DanBlake3rd 1 year ago

    I wish that they would have discussed MFA and if that helps with this breach.

  • @brokenjac
    @brokenjac 1 year ago

    MFA is used during account login. It wouldn't factor in here because the hackers aren't having to log in to get to your vault. They already possess the actual encrypted vault. They can just read everything in your vault once they crack the master password that decrypts it.
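The point in this comment, that a second factor gates the login but never enters the key that decrypts a stolen vault, and the thread's remarks about iteration counts and 12-character master passwords, can be made concrete with a small cost model. This is an added illustration, not code from the episode or from LastPass: it mirrors the publicly described scheme (PBKDF2-HMAC-SHA256 with the account e-mail as salt) and uses constructed iteration counts and a constructed attacker hash rate.

```python
import hashlib

# Constructed iteration counts for illustration; LastPass's real defaults
# changed over time and are only known from its public statements.
ITERATIONS_LOW = 5_000
ITERATIONS_LATER_DEFAULT = 100_100

def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 keyed by the master password, salted with the
    normalised account e-mail (assumed scheme, not LastPass's code).
    No MFA value is an input here: whoever holds the encrypted vault
    needs nothing but master-password guesses to try to decrypt it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations, dklen=32)

def expected_guesses(length: int, alphabet_size: int) -> int:
    """Average guesses needed to hit a uniformly random password."""
    return alphabet_size ** length // 2

def expected_years(length: int, alphabet_size: int, iterations: int,
                   hmac_per_second: float) -> float:
    """Expected offline-guessing time: each guess costs `iterations` HMAC
    evaluations; `hmac_per_second` is the attacker's aggregate rate
    (a constructed figure, used only to compare settings)."""
    seconds = expected_guesses(length, alphabet_size) * iterations / hmac_per_second
    return seconds / (365.25 * 24 * 3600)

def iteration_cost_ratio(old: int, new: int) -> float:
    """Factor by which every guess slows down when iterations rise."""
    return new / old

if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", "user@example.com",
                           ITERATIONS_LATER_DEFAULT)
    print("vault key:", key.hex())
    # Printable-ASCII alphabet (95 symbols); compare length against iterations.
    for length in (8, 12, 16):
        for it in (ITERATIONS_LOW, ITERATIONS_LATER_DEFAULT, 600_000):
            yrs = expected_years(length, 95, it, 1e12)
            print(f"{length:2d} chars, {it:>7,} iterations: {yrs:.3g} years")
```

The table it prints shows that raising iterations from 5,000 to 100,100 buys a constant factor of about 20, whereas each extra random character multiplies the work by the alphabet size, which is why password length dominates.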

  • @tomaski.
    @tomaski. 1 year ago

    Ummm, about that @4:46 "I have a master password and LastPass never sees it": how come then that I, being super admin in our enterprise account, can delete a user and have their vault contents transferred over to another account (unencrypted, obviously)?

  • @serifpersia
    @serifpersia 1 year ago

    Just switched to Bitwarden, quick import. Now to change all passwords and I'm good, hopefully. But you are still affected. I think I already have some phishing emails in my inbox lol, didn't know that LastPass was the cause of that lol. Anyone know how to remedy this other than creating a new mail?

  • @markarca6360
    @markarca6360 1 year ago

    Probably time to find another password manager? Yes, I am moving to Bitwarden!

  • @micleh
    @micleh 1 year ago

    17:28 “They didn't go back and correct anybody who already had a password [with fewer than 12 characters]”. Correct me if I'm wrong, but how can you infer the length of your password from the hash (of your password)?

  • @ericfielding2540
    @ericfielding2540 1 year ago

    The LastPass app has to know how long your password is. It could tell you to update it.

  • @createcoms
    @createcoms 1 year ago

    My lastpass master password is 63 characters of all-charset gibberish. How long is that taking to brute force? Oh and I changed it anyways in response to this.

  • @stevefreier2156
    @stevefreier2156 1 year ago

    Last year I lost my Master Password for my LastPass account. I could not retrieve it! Tried many times! Then on Jan 3rd 2023 I was dinged on my credit card for this year! They provide NO WAY to unsubscribe or reverse the charge of $36! The only way for me to get out of this situation was to ask my credit card company for a refund. I am DONE with LastPass!

  • @OldePhart
    @OldePhart 1 year ago

    Got bought by a VC and went bad right after that. Seems to be a pattern when these companies sell out.

  • @Sonex1542
    @Sonex1542 1 year ago

    I bet the entire encryption was for Phase 2 of the project. The infamous never happening Phase 2 because funds ran out.

  • @freddyfulcrum
    @freddyfulcrum 1 year ago

    If you reset your master password now, is LastPass now encrypting everything in your vault, including URLs etc.? Have they made this change?

  • @An.Individual
    @An.Individual 1 year ago

    No, they are not. Also, we don't know why.

  • @markentwistle2158
    @markentwistle2158 1 year ago

    As far as I understand it, only the URLs are stored in the clear. All other fields for LastPass entries (e.g. site name, username, notes, etc.) are encrypted in the vault.

  • @bigjonradio
    @bigjonradio 1 year ago

    @@An.Individual LastPass have gone massively radio silent. Also, if you take a look at their forum there are pretty infrequent responses from the LP guys. Even some chatter that the LP support team are contradicting the PR statement.

  • @nealoglesby1059
    @nealoglesby1059 1 year ago

    So do they have access to users' hashed passwords? This makes them subject to a birthday hack.

  • @hammerheadcorvette4
    @hammerheadcorvette4 1 year ago

    3:07 Anyone taking LastPass seriously has absolutely given them a pass since the big issues they had since 2018. Bitwarden or KeePass is the absolute way to go.

  • @MarkRushow
    @MarkRushow 1 year ago

    The guy in the middle could totally play Freddy Krueger.

  • @christianbarnay2499
    @christianbarnay2499 1 year ago

    Security rule number 1. Your passwords are yours only. Never ever put them in the hands of someone else. Either in clear or in whatever obfuscated or encrypted form. You can use a password manager. But all copies of your vault should be only accessible to you. No copies on an external server controlled by an external entity.

  • @markh7484
    @markh7484 1 year ago

    @ITProTV Not making any excuses AT ALL for LP. However, just to point out, customers' login user names ARE encrypted. You keep saying hackers will know your user names. This is not true.

  • @jpthsd
    @jpthsd 1 year ago

    They should have testified before the gov! This is BSSS!

  • @reefhound9902
    @reefhound9902 1 year ago

    People like to reassure themselves by saying it would take millions of years to crack a password. Maybe for one computer. What if you have millions of computers working on it for a year? Hmmmm....

  • @Joemama-km9np
    @Joemama-km9np 1 year ago

    Just came across you guys... ahhh, breath of fresh air. When I go to my bro's house it's ESPN on 24/7. Y'all are the nerd equivalent of ESPN.

  • @OwenPrescott
    @OwenPrescott 1 year ago

    I know this is dubious logic at best, but you have to assume LP will learn from this mistake. Other services will potentially have their own flaws that are yet to be exploited?

  • @robiseppi
    @robiseppi 1 year ago

    They want to blame customers, and 2 of their employees were duped. What kind of security company is this?

  • @app103
    @app103 1 year ago

    A data breach wasn't the thought in the front of my mind when I initially made the decision to never ever use ANY online password manager service, such as LastPass. My thoughts were along the lines of catastrophic data loss, like what happened with ma.gnolia, or discontinuance of services, as has happened with so many other online services. Because I don't want to end up high & dry without my passwords, because some fool company doesn't know what they are doing, I have stuck with KeePass for all this time, and I feel that I made the right decision, many times over, for many reasons, including security. KeePass really does keep your ass safe. (as long as you make it a habit to keep your data properly and securely backed up)

  • @Super-360
    @Super-360 1 year ago

    Yep, just switched from using Chrome and Firefox to store all my passwords, for as long as I can remember, to KeePassXC for added security. After all this online hacking stuff, an offline password manager is the way to go. I set up Syncthing and Google Drive to sync my kdbx file across my PC, phone and tablet with no issues whatsoever, and the advantages KeePassXC has over browsers are simply amazing to me.

  • @timmyjohns222
    @timmyjohns222 1 year ago

    Wouldn't trust anybody but myself to secure my passwords! This is just another case of convenience and laziness over real security! Plus, you don't need to sign up to everything you see!

  • @abieSilva
    @abieSilva 1 year ago

    Synology has a similar solution now; anyone using it and care to share their opinion about it? Thanks.

  • @BeSeeP
    @BeSeeP 1 year ago

    Partial encryption removes zero knowledge and zero trust.

  • @cokezero1
    @cokezero1 1 year ago

    One of my LastPass accounts was set to 10,000 iterations 😔😔😭😭😭😭😭😭

  • @kattz753
    @kattz753 1 year ago

    I dumped these guys for Bitwarden a couple of years ago. I was annoyed. I had to frequently uninstall/reinstall the program because I couldn't access my vault. To me, that says poor coding, and poor coding allows breaches. Bitwarden is absolutely awesome and no more near heart attacks. I am not at all surprised that this happened. I'm only surprised that it took this long.