LastPass Says Source Code Stolen in Data Breach

Discussion in 'other security issues & news' started by guest, Aug 25, 2022.

  1. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,677
    Location:
    USA
    It could have been prevented by having a dedicated work development machine or virtual machine that didn't have the junk on it.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes exactly, if it was a business PC, it would have probably also been secured better. But I was of course talking about people who advise visitors on this forum that AV + safe computing habits is enough to stay safe and that extra protection tools are not needed. Fact of the matter is that many home users are now targets because of the shift to working from home and not all companies will supply work laptops to their employees.

     
    Last edited: Mar 4, 2023
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Interesting, but it might as well have been a zero day, so then patching would not have helped. What would have helped is tools like anti-logger or anti-exploit. I also wonder on which platform this bug was abused, because Plex Media Server does not only run on Windows, but also on macOS.
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,677
    Location:
    USA
    Agreed, I was just quoting you to tie my post to the current conversation.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes I understand, and I also agreed with you that at the end of the day it's LastPass who was to blame. You can't expect all people to secure their home PCs like pros. And most people probably think that Win Defender or XProtect will save them if they ever mess up, while that's clearly not the case, especially with more advanced attacks.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    https://palant.info/2023/09/05/a-year-after-the-disastrous-breach-lastpass-has-not-improved/

    It's a disaster. Everyone who is still using this service should get rid of it as fast as possible, IMO.
     
  7. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,447
    Location:
    "An Apple a Day, Keeps Microsoft Away"
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,677
    Location:
    USA
    So they changed their name then? Usually you do that after the bankruptcy....
     
  9. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,785
    Had used LastPass in the past, not for quite a while, never again, happy with 1password.
    Started checking out Proton Pass, so far I'm liking it, may keep it for a backup.
     
  10. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    612
    Location:
    Cleveland, Ohio USA
    Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

     
    Last edited: Sep 5, 2023
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    BTW, the latest news is that so far at least $35 million was stolen from crypto accounts because of this LastPass hack.

    https://www.coindesk.com/business/2023/10/30/lastpass-hack-victims-lose-44m-in-a-single-day/
     
  12. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,447
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    I'm sure glad I closed / deleted my account at LastPass in September. I've been using the paid version of RoboForm since September after dumping LastPass. I found that RoboForm works better than LastPass anyway. All accounts have new passwords on RoboForm. I don't believe LastPass will be in business too much longer.
     
  13. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I'm using it too and am very happy with it.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes, but the concept of password managers itself has always been strange to me. I mean when your password file is only stored locally it's no big problem, but what if someone logs into your online account by brute forcing your master password?

    I never understood why protecting the master password with 2FA is often not mentioned, or am I missing something? Do you guys use this with RoboForm? And the third link really confused me, some people say that 2FA doesn't protect the password database at all.

    https://www.stickypassword.com/help/protecting-your-data-with-two-factor-authentication-159
    https://help.roboform.com/hc/en-us/...wo-Factor-Authentication-2FA-for-your-account
    https://community.bitwarden.com/t/what-if-an-attacker-knows-the-master-password/30174/9
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,677
    Location:
    USA
    First that would mean that your master password sucked... Second, if one of these services didn't detect a brute force attack and disconnect it then they aren't worthy of any customers. I would think it far more likely they would exploit your local PC and steal the data from you.
     
  16. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,447
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    I got this today in my email account. Looks like I forgot to unsubscribe from their offers after dumping LastPass. I'm unsubscribed now. See how many more emails I get from them now. :)
     
  17. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,677
    Location:
    USA
    I think I got a few random emails from them after unsubscribing but mostly they have stopped.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes, but your master password needs to be something that you can remember easily right? And what are you saying, that you don't think 2FA is necessary to protect your online password database? But this is basically the reason why I never used a cloud based password manager. I'm not that worried about malware stealing my password database from my PC's. They are well protected.
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,677
    Location:
    USA
    No, if you can easily remember it then it will be too easy for someone else to exploit. 2FA is overrated. From what I've seen they are already working on 3FA. Ultimately all anyone needs to do is crack your email password. From there they lock you out and reset all of your other passwords. Your email password should probably be one of your most complex.
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, that's true for passwords but not necessarily for passphrases. I recommend using the diceware method. A passphrase with, say, 7 words is much easier to remember than a password with 14 or 15 ASCII characters and both are about equally strong.

    That's easy to show:

    Let's say that the complete ASCII character set incl. numbers and special characters consists, by rule of thumb, of about 80 characters. On the other hand, the standard diceware list has 7776 words.

    Now let's assume that you choose a passphrase with 7 words from that list: There are obviously 7776⁷ word combinations. Roughly this is equivalent to 7776⁷ ~= (80²)⁷ = 80¹⁴. This means that a passphrase with 7 words is about as strong as a password with about 14 ASCII characters - but much easier to remember.

    And the diceware list only has words with lower case letters. Add some capital letters or one or two numbers - and you'll get an even stronger passphrase.

    EDIT: I also suggest reading this.
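The arithmetic in the post above, worked through in code as an added example (it is not from the original post and not any password manager's code): it computes the entropy of a diceware passphrase against a random ASCII password, shows how a five-dice roll written as digits 1-6 maps to one of the 7776 list entries, and generates a passphrase from such rolls. The 80-character alphabet is the rule of thumb from the post (note that 80² = 6400 is a little below 7776, so seven words come out slightly stronger than 14 characters, at about 90 vs 88.5 bits). The word list is a constructed placeholder so the script runs offline; a real run would load the EFF large wordlist or the original diceware list instead.

```python
"""Diceware passphrase strength versus a random ASCII password (added example)."""
import math
import secrets

WORDLIST_SIZE = 6 ** 5       # 7776: one word per five-dice roll on the standard diceware list
ASCII_ALPHABET = 80          # rule-of-thumb alphabet size from the post (letters, digits, symbols)


def passphrase_bits(words: int, list_size: int = WORDLIST_SIZE) -> float:
    """Entropy in bits of `words` words drawn uniformly at random from a list of list_size."""
    return words * math.log2(list_size)


def password_bits(length: int, alphabet: int = ASCII_ALPHABET) -> float:
    """Entropy in bits of `length` characters drawn uniformly from an alphabet of `alphabet`."""
    return length * math.log2(alphabet)


def equivalent_password_length(words: int, alphabet: int = ASCII_ALPHABET) -> int:
    """Shortest random-ASCII password that is at least as strong as a `words`-word passphrase."""
    return math.ceil(passphrase_bits(words) / math.log2(alphabet))


def roll_to_index(roll: str) -> int:
    """Map a five-dice roll written as digits 1-6 (e.g. '31524') to a 0-based list index.

    Diceware lists are keyed 11111..66666; reading the roll as a base-6 number
    gives exactly the 7776 indexes 0..7775.
    """
    if len(roll) != 5 or any(ch not in "123456" for ch in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    index = 0
    for ch in roll:
        index = index * 6 + (int(ch) - 1)
    return index


def secure_roll() -> str:
    """Simulate five fair dice with the OS CSPRNG (the original method uses physical dice)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def generate_passphrase(wordlist, words: int = 7, roll_fn=secure_roll) -> str:
    """Pick `words` words by dice roll; roll_fn is injectable so the mapping can be tested."""
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError(f"diceware list must have {WORDLIST_SIZE} entries, got {len(wordlist)}")
    return " ".join(wordlist[roll_to_index(roll_fn())] for _ in range(words))


# Constructed stand-in list so the script runs offline: 7776 distinct placeholder tokens.
# A real run would load e.g. the EFF large wordlist (one "ddddd<TAB>word" line per entry).
DEMO_WORDLIST = [f"word{i:04d}" for i in range(WORDLIST_SIZE)]


def strength_report(words: int = 7) -> dict:
    """Compare a `words`-word passphrase with 14- and 15-character random ASCII passwords."""
    return {
        "passphrase_bits": round(passphrase_bits(words), 1),
        "ascii14_bits": round(password_bits(14), 1),
        "ascii15_bits": round(password_bits(15), 1),
        "equivalent_ascii_length": equivalent_password_length(words),
    }


if __name__ == "__main__":
    print(strength_report(7))
    print(generate_passphrase(DEMO_WORDLIST, 7))
```

The entropy figures assume every word (or character) is chosen uniformly at random, which is exactly what the dice guarantee and what a human-chosen "easy to remember" password does not; the comparison says nothing about how fast a given vault's key derivation lets an attacker test each guess.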
     
  21. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,677
    Location:
    USA
    I don't disagree but usually when someone says "easy to remember" that isn't what they had in mind. I know I'm assuming but anyone I know with an "easy to remember" password uses their dog's name or their kid's birthday or something.
     
  22. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    That's certainly true :D
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I don't see how 2FA is overrated, but the problem is the design of authenticators, they don't communicate with the server directly, which means that it's not resistant to phishing. I believe the ultimate security is hardware devices like YubiKey and Google Titan for example. Without physical access to such a device you can't get access to any online account.

    But about password managers, I never understood why they always advertised themselves as super handy and safe because you only need to remember one password. But what they don't tell you is with that one single password, hackers can get access to ALL of your accounts. So yes, 2FA is important.
     