LastPass password manager hacked-

"The company doesn't believe any passwords were taken as part of the breach and users shouldn't have to take action to secure their accounts, according to a blog post on Thursday."
Just to be on the safe side I would change my password...
 
I keep a list of my passwords for various sites in a secure physical location here, not on some cloud based server which can be hacked.
 
I like Safe In Cloud. It syncs to all my devices, but they don't keep any of my data on their servers. Instead, my data is stored in my Google drive as an encrypted file, and it gets decrypted only on my local devices.
 
Hilarious. I stopped using LastPass in 2010 the 2nd major time it was hacked. It proceeded to be breached at least 5 more times since then. When will people learn this company is not doing much to protect your passwords?

Their Wiki page has a whole section devoted to security breaches - https://en.wikipedia.org/wiki/LastPass

STOP USING LAST PASS.
 
While the number of hacks of LastPass is a concern (and of course they will be a target for hackers), they operate on a "trust no one" model. This means that even LastPass does not hold any of your passwords, including your master p/w.

This is good and bad. The bad is that if you forget your master password, even LastPass can't retrieve it. Unless you created some onetime passwords, which LastPass recommends, you are SOL and your password store will be unrecoverable.

The good is a case like this - hackers don't have access to your master password through LastPass, let alone your own passwords stored within.

I have no affiliation with LastPass other than being a user. Frankly, while password managers are the best way of maintaining unique and random passwords for everything, they all could be a target of a hack. The fact that LastPass uses a trust no one model adds to its security for me. There are probably others doing the same, but none of them are 100% immune to clever hackers finding a way in.

caz
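The post above describes the "trust no one" model: the service never holds the master password, so a breach of its servers yields only material that cannot be turned back into the vault contents. The following is an added illustration of that design, not LastPass's or Bitwarden's own code; it uses only the Python standard library, with PBKDF2-HMAC-SHA256 for key stretching and a toy encrypt-then-MAC construction (HMAC-SHA256 counter keystream plus an HMAC tag) standing in for a real AEAD such as AES-GCM. The iteration counts, the `Server` class and the sample vault are assumptions made for this example.

```python
"""Zero-knowledge vault sketch: the server stores only a hash of a login
credential plus an encrypted blob; decryption happens on the client."""
import hashlib
import hmac
import json
import secrets

ITERATIONS = 600_000   # assumed client-side KDF cost; real services tune this
KEY_LEN = 32


def derive_keys(master_password: str, email: str):
    """Derive two independent secrets from the master password.

    master_key never leaves the device; it protects the vault.
    auth_hash is what the client sends to log in. It is derived *from*
    master_key through a one-way function, so holding it does not give
    the server (or a thief of its database) the master_key back.
    """
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS, KEY_LEN)
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1, KEY_LEN)
    return master_key, auth_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (illustrative only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(master_key: bytes):
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(master_key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC on the client. Output: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master_key)
    plaintext = json.dumps(vault).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(master_key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong master password or a tampered blob fails here."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


class Server:
    """Assumed service side: holds a salted hash of auth_hash and the blob, nothing else."""

    def __init__(self):
        self.records = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 100_000)
        self.records[email] = {"salt": salt, "auth": stored, "blob": blob}

    def login(self, email: str, auth_hash: bytes):
        rec = self.records.get(email)
        if rec is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], 100_000)
        return rec["blob"] if hmac.compare_digest(check, rec["auth"]) else None

    def dump(self) -> dict:
        """Simulate a breach: everything an attacker could copy from the server."""
        return dict(self.records)


def demo():
    """Returns (roundtrip_ok, breach_exposes_master_key, wrong_password_fails)."""
    server = Server()
    email = "rider@example.com"                       # constructed sample account
    master_key, auth_hash = derive_keys("correct horse battery staple", email)
    vault = {"forum.example": "constructed-sample-password"}
    server.register(email, auth_hash, encrypt_vault(master_key, vault))
    blob = server.login(email, auth_hash)             # normal login, decrypt locally
    recovered = decrypt_vault(master_key, blob)
    leaked = server.dump()[email]                     # what a server breach yields
    exposes_key = master_key == leaked["auth"] or master_key in leaked["blob"]
    wrong_key, _ = derive_keys("wrong password", email)
    try:
        decrypt_vault(wrong_key, blob)
        wrong_fails = False
    except ValueError:
        wrong_fails = True
    return recovered == vault, exposes_key, wrong_fails
```

Two points of the post show up directly in the code: the dumped server records contain the blob and a hash, but neither the master password nor `master_key`, and `decrypt_vault` with a different password fails the tag check rather than returning garbage, which is exactly why a forgotten master password leaves the store unrecoverable.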
 
Quote Originally Posted by caz

While the number of hacks of LastPass is a concern (and of course they will be a target for hackers), they operate on a "trust no one" model. This means that even LastPass does not hold any of your passwords, including your master p/w.

I'm of the mindset that the only way my pwds get hacked is if someone breaks into my house. Unlikely at best it's broken into, even more unlikely they'd be able to unlock the safe, even more unlikely they'd find the list under the carpet of one of the shelves.

I trust no one with my passwords/account logins.
 
Quote Originally Posted by caz

While the number of hacks of LastPass is a concern (and of course they will be a target for hackers), they operate on a "trust no one" model. This means that even LastPass does not hold any of your passwords, including your master p/w.


I’ll approach this in a different way. While no method is 100% secure, there are other password companies out there that don’t get hacked every 12 months. That was my point.
 
Note: the following is only for computer geeks like me. All others ignore as it will sound like gibberish.

About six months ago I investigated how to host my own secure password manager free of any monthly charges and with minimum investment in hardware and have been very happy with the results. This project would only be for those who are computer literate with some proficiency with Docker and Linux and some hardware skills as well.

I had already learned how to set up a Raspberry Pi with Docker in order to run my own Unbound DNS server (forwarding to Cloudflare) and a PiHole network-wide ad blocker. At the time I chose to use the Pi Zero 2 W (wireless only) because Pi supplies were quite limited due to supply chain issues. They have since recovered, so many of the other models are now available, and the new 5 was just announced.

PiHole does a great job of blocking most ads on every device on your local network when set up in conjunction with your router/DHCP server. Besides the benefit of not being bothered with pesky advertising, and thus not being tracked, web pages also load faster since those graphics/videos don't load. Running your own Unbound DNS server with local cache also speeds up your DNS queries.

Most of this project is outlined at the following links and is a combination of the two. Build your secure Pi first but do not install PiHole. Then install Docker and Portainer to help manage Docker containers. Then install the Unbound and PiHole containers and configure them.

https://thesmashy.medium.com/building-a-pihole-for-privacy-and-performance-f762dbcb66e5

https://homenetworkguy.com/how-to/install-pihole-on-raspberry-pi-with-docker-and-portainer/

Since I already had this infrastructure running it wasn’t too difficult to add the Vaultwarden container to my Pi which is where you host your own secure password manager. I chose it because it supports the use of YubiKey hardware devices and makes use of the popular free Bitwarden clients on all your devices that need password provided access (Windows, most browsers, Android and iOS). When outside your private home network you connect via VPN to your router (I prefer ASUS running Merlin firmware) to access your password vault. All communication is heavily encrypted and is as safe as it gets and only in your possession. The following links were helpful.

https://medium.com/codex/complete-self-hosted-bitwarden-for-raspberry-pi-24b59c3b02df

https://github.com/dani-garcia/vaultwarden

If you enjoy a challenge with very beneficial results at a very low price point you might want to consider something similar.
 
Apple password manager for me. Works great. OS native.

Yep if you only have that ecosystem to support and don’t need any of the advanced features (password sharing with the wife for example) that a rich password manager offers it can satisfy your needs.

I have resisted getting locked into one ecosystem especially since my IT career dictated that I would need to support all of them. Thus I have an Android phone, iPadOS tablet, Windows and Linux desktops and laptops.
 
Quote Originally Posted by brownie0486

I keep a list of my passwords for various sites in a secure physical location here, not on some cloud based server which can be hacked.

Likewise. :thumb

That is exactly what this solution does for you. Likewise it gives you access to it from anywhere in the world.

I also encourage you to have a backup in a separate secure location in case of fire or other disaster.
 
I ran across this guy’s explanation of password manager vaults and he does a very good job of covering all the bases in easy to understand language. If you still practice dangerous password habits I encourage you to give it a read.

https://noseynick.net/vault.html
 
Nice that members are keeping up with this. :thumb

A recent announcement of the most common passwords was:

Top 10 Most Common Passwords 2023 (Is Yours on the List?)

Password
123456
123456789
12345678
1234567
Password1
12345
1234567890
1234
Qwerty123

Best to avoid, methinks.

Be careful out there. ;)

OM
 
The iOS password manager is pretty decent. The ability to require biometrics to gain access is a pretty solid step up from having to recall a master password. I played with LastPass, but the MacOS password vault is pretty well integrated into the OS. I like that if you have old passwords, it'll tell you that they're either easy to hack or have appeared in a data leak. That's gold.
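The last two posts touch on the two checks a password manager runs against stored entries: membership in a common-password list like the one pasted earlier in the thread, and appearance in a known data leak. The block below is an added example, not Apple's or any vendor's code, showing both checks offline. The leak check follows the k-anonymity range-query pattern used by the Have I Been Pwned "Pwned Passwords" API (the client sends only the first five hex characters of the password's SHA-1 hash and matches the returned suffixes locally); here the "server" side is a constructed in-memory table, so the password never leaves the process and nothing goes over the network. `LEAKED_DB`, its counts and the `audit` thresholds are made up for this example.

```python
"""Offline audit of a stored password: common-list check plus a
k-anonymity style leak lookup that never transmits the password."""
import hashlib
from typing import Dict, List

# The list pasted earlier in the thread, lower-cased for comparison.
COMMON_PASSWORDS = {"password", "123456", "123456789", "12345678", "1234567",
                    "password1", "12345", "1234567890", "1234", "qwerty123"}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API works with."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed stand-in for a breach corpus: full SHA-1 hash -> times seen.
LEAKED_DB: Dict[str, int] = {sha1_hex(p): n for p, n in [
    ("password", 9_000_000),
    ("123456", 30_000_000),
    ("letmein", 250_000),
    ("constructed-sample-password", 3),
]}


def range_query(prefix5: str) -> List[str]:
    """Server side of the lookup: every leaked hash sharing the 5-char prefix,
    as 'SUFFIX:COUNT' lines. The server never learns which suffix the client
    actually holds, which is the k-anonymity property."""
    return [f"{h[5:]}:{n}" for h, n in LEAKED_DB.items() if h.startswith(prefix5)]


def leak_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit(password: str) -> Dict[str, object]:
    """Findings a manager would surface next to a stored entry."""
    findings: Dict[str, object] = {
        "common": password.lower() in COMMON_PASSWORDS,
        "leaked_count": leak_count(password),
        "short": len(password) < 12,          # assumed length threshold
    }
    findings["action"] = ("change now"
                          if findings["common"] or findings["leaked_count"]
                          else "ok")
    return findings


if __name__ == "__main__":
    for pw in ("123456", "Qwerty123", "letmein", "xK9#vQ2mPz8!wL4r"):
        print(pw, audit(pw))
```

Against the real service the only change is that `range_query` becomes an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix5>`; the local hashing, prefix truncation and suffix comparison stay exactly as written, which is what lets a manager flag leaked entries without disclosing them.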
 