LastPass Shares Details of Connected Security Breaches

No argument there. I was replying (somewhat tongue-in-cheek) to what I perceived as a claim that all Americans were high-enough value targets to justify the time and expense required to force-decrypt their stolen LastPass data. Clearly, all the unencrypted data will likely be put to nefarious ends, including spamming the email addresses.

Yes, no need to brute force anything to entice a bank or other organization to change your password (“I forgot it, thank you.”) and access your account without your knowledge.

My favorite story about hacking a bank account is an anecdote I read online. The commenter said:

My wife did not trust online banking to be secure, so she did not set up online access to her account. Unfortunately someone at the bank noticed and set it up for her. That person then emptied her account. (This is a failure of banking process controls.)
When the bank investigated the event, they discovered what had happened and made good on the loss. (No guarantee that they would do that without litigation!)

The point is that when someone knows something about you, for example, your email address, your phone number, etc., your identity may be compromised in some way, and your password security may be insufficient. (There aren’t that many banks to try with your identity!)
You might want to use separate and not your best-known email addresses for important sites, and so forth. Phone numbers are often used for 2FA, which makes them a target, too.

Passkeys will be much better than passwords.


Yup, for most folks, their email address is 50% of their log-in credentials. No need to make it easy for crooks. That is why I have a unique address for every account via IronVest (formerly Abine Blur). Now Apple is offering them too. But some short-sighted websites, like National Geographic and id.me (even from their client, Apple), won’t accept obscured addresses. Just as some banks (PNC) don’t implement time-based one-time passcodes (TOTPs); they’re begging for trouble!

My employer gave us LastPass because the cost to license (Edu license) 1Password was double. It was recommended that “we”, the IT of departments, put our admin passwords on LP so that if “we” left our positions, they could be migrated, etc. Rationally, I feel, if one of “we” left a position, a drawn-out but compensated assignment would be to reset each machine admin password “anyway” as policy. So, I used LP for just any testing, certification or other related sites that wouldn’t compromise my use. Personally, I use 1Password, but not the latest version, since AgileBits went to a subscription-only model.
One thing: I never received an email or notice from LastPass or my employer on this latest issue.
I’ll just get some “here’s 6 months of ID protections” emails though…blah blah

Today a post from PeterG_1P of 1Password confirms that they encrypt everything:
https://1password.community/discussion/136336/is-1password-preparing-a-report-on-lessons-from-the-lastpass-breach#latest

[Edit: Just for the record, the post was actually yesterday, Dec. 29, 2022.]


There is a ton of talk in many forums about people switching away from LastPass. What are they switching to? The top 2 that I have heard are 1Password and Bitwarden. I’m going to mention Enpass.

I have used 1Password for over 10 years. It’s been really wonderful and (until recently) I’ve recommended it thousands of times. OTOH I’m still using 1P v6 because I use & need some of the secure features that 1P has eliminated in v8. Such as using multiple cloud services to share multiple secure vaults with multiple people. To each their own. I am strongly opposed to any password manager that requires you to store your data on their cloud server as 1P now does.

Bitwarden is open source and there is a free version that can sync and has Mac, Windows, Linux, iOS & Android apps. Many people will do better with the paid version though. But Bitwarden requires your data to be hosted in their cloud. Well, almost. Bitwarden offers a self-hosting, self-installed server for Linux & Windows, but it is very non-trivial to set that up. Definitely not a drag & drop Mac-style install. So realistically, if you’re using Bitwarden then your data will be in their cloud server.

For those of us who are squeamish about trusting any password manager which requires built-in cloud storage, I have only seen one viable password manager since 1Password v6. (1P v8 & up does not allow you to not use their 1P cloud.)

Enpass.io is a password manager that does not require a cloud server. You can very securely do WiFi sync that never leaves your local area. It does however also support (but not require) your choice of cloud service, including Dropbox, iCloud, Google, etc. I’m not an expert on this app, but in a few days of trying it out, it looks pretty good. Clearly they have seen and used other password managers & learned from that. If you’ve been using 1Password, you’ll feel mostly at home, sort of like moving to a different apartment in the same neighborhood.

Of note, Enpass has a “pay once” model, as well as a subscription. Your choice. Your secret data is never on their servers. Enpass also has browser plugins, mobile iOS & Android apps, etc.

BTW: I’m not a paid shill and have barely used Enpass, but ever since AgileBits ended the option of locally stored 1Password data, I have been looking for another secure home for my private data.
As an IT professional, I have responsibility for several thousand passwords, and I never ever want to be responsible for a data breach. Perhaps my criteria for security are different.


I’ve used LastPass since sometime in the early 'aughts, and currently have it installed on multiple Macs/devices. The TidBITS article was much clearer about practical implications of the breach(es), and what to do first. I now have 3 questions. Does anyone have more input?

  1. My PW iterations were set to 5000, so I tried updating to 100100 as per LP’s instructions. BUT the update process failed after about 5 minutes, just saying it “couldn’t complete; try again later”. Suggestions, anyone? Are their servers overloaded? Or is this something trickier?

  2. Assuming the iterations-updating process works for the machine I’m on, do I then need to quit and restart LP on the machines I didn’t use to update the iterations? Or, maybe, do I need to do that first, before doing the update process?

  3. Does anyone have additional info on whether the “Notes” section of the password entries (NOT the “Secure Notes” entries) is encrypted?

Thanks…

LastPass has not responded to my questions asking what is encrypted.

Nevertheless, this post lends credence to the belief that the notes portion of a Password Item is encrypted; scroll down to the section titled “Structures of some types of composite data blocks.”

Dave…Enpass is currently the leader for me if/when 1Password v7 quits working. I like the Dropbox sync and dislike the subscription requirement…plus I want the ability to make my own backups. The security with Bitwarden is probably a little better with the fingerprint phrase and the re-encryption on their servers of the vault already encrypted on your device…but with 100,000 rounds of encryption, then as long as one has a long password on both Enpass and Dropbox it’s really good enough…as Enpass only uses the cloud for sync and decryption is only on device.

My wider family say this to me: “they are not interested in little old me and won’t spend the time”. While the value of your data may not be great, I know some of theirs is.

One response is that they (the thieves or the people they sold your data to) don’t spend the time, they just throw your data at bots and get on and do other stuff. If the bots turn up something interesting, even mildly profitable…woohoo!

Rob

This is why I have never used a password manager.

Absolutely correct. Which is why it’s important to know how they’ve encrypted your data and who holds the key.

If the service provider doesn’t have the key and it is known to be strong (long bit-length and either randomly-generated or generated from a strong passphrase), then any attack will require brute-force, which will take too much time for them to bother with.

Bots or not, they won’t want to spend a long time (probably not even on the order of hours) trying to crack a strong key when they could instead spend that time attacking hundreds of other accounts, some of which will have a weak key that they can quickly crack.

It’s like the old joke. I don’t need to be faster than the lion. I only need to be faster than you.

Granted. But I was specifically referring to the effort/cost to force-decrypt my data. Of course the bad guys have “bots” to do this, but my point is that a big enough “bot” to do the job would cost many orders of magnitude more money than the perps could reasonably expect to recoup from me, and it would still take more time to complete than they could reasonably expect to live.

As mentioned on another thread, I’ve been trialing Enpass for about a week now. So far, I like it. I’m using the iCloud sync option, and once I got the vault locking interval down to something that works for me, it’s only slightly annoying (but much more so than LastPass) when you need to unlock. To their credit (and another differentiator from LP), they default to locking the vault very quickly, and you need to dial that back to the level that makes sense for you. So far, +1 for Enpass.


That’s troubling. Just try again, perhaps from another device, and see what happens. I was set to 100,100, but for giggles, I tried changing it to 333,000. That succeeded, but a day later when I went in, I was dismayed to see it was set to 333 instead. I changed it again to 200,000, and confirmed after the fact that that stuck.

I think you will need to log in again on each device, which will do the update. I can’t quite say for sure because I’ve been doing a bunch of things, but I definitely had to fuss with LastPass on multiple devices.

LastPass PR hasn’t replied to me about that either.

LastPass says nothing about having to change the PBKDF2 iterations on each device.

As I understand it, every encrypted portion of the Vault must be re-encrypted when the number of iterations is changed. And obviously, the resulting Vault is then incompatible with every copy of the previous Vault. So, those old copies of the Vault must be replaced with the new one.

I’d guess—but have not verified—that simply logging out of a device and then logging back in would replace the old Vault with the new one (downloaded from LastPass’ server). If so, then there is no reason to change the number of iterations on each device. You just have to log out of each device and log back in to synchronize the Vaults on all your devices (with one re-encrypted with the new number of iterations).

As I understand how LastPass uses PBKDF2, increasing the number of iterations has no effect on the stolen Vault.

Yes, but if you are going to continue using LastPass, it’s an important thing to change ASAP.

Yep, that’s my understanding as well. I don’t think there was any suggestion that you’d need to change the setting on every device—it’s an account setting, not a device setting.
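A worked illustration of the two points made in the posts above (changing the iteration count re-encrypts the vault under a fresh key, and doing so does nothing for a copy that was already stolen). This is an added example, not code from the thread or from LastPass. It assumes a vault key derived with PBKDF2-HMAC-SHA256 from the master password with the lowercased e-mail as salt, and it uses a key-check value as a stand-in for the encrypted vault, since an attacker's cost per guess is the PBKDF2 work either way. The wordlist, the account and the passwords are constructed for the demo.

```python
import hashlib
import hmac

# Constructed dictionary standing in for an attacker's wordlist (not real data).
WORDLIST = ["password", "123456", "letmein", "qwerty", "correct horse", "Tr0ub4dor&3"]


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Assumed scheme: PBKDF2-HMAC-SHA256, e-mail as salt, 256-bit output."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def key_check_value(vault_key: bytes) -> bytes:
    """Stand-in for the ciphertext: a value a guessed key can be tested against.
    A real attacker would instead try to decrypt a vault field with the guess."""
    return hashlib.sha256(b"kcv|" + vault_key).digest()


def make_vault(master_password: str, email: str, iterations: int) -> dict:
    """What a backup of the vault contains: the salt (e-mail) and the
    iteration count are stored in the clear; only the KCV depends on the key."""
    key = derive_vault_key(master_password, email, iterations)
    return {"email": email, "iterations": iterations, "kcv": key_check_value(key)}


def reencrypt(master_password: str, vault: dict, new_iterations: int) -> dict:
    """Raising the count rebuilds the vault under a new key. It returns a new
    record; the old record (and any copy of it) is left exactly as it was."""
    return make_vault(master_password, vault["email"], new_iterations)


def crack(vault: dict, wordlist: list[str]) -> tuple:
    """Offline dictionary attack on a copy of the vault. Each guess costs
    vault['iterations'] HMAC evaluations, read straight from the copy.
    Returns (recovered password or None, total PBKDF2 rounds spent)."""
    rounds_spent = 0
    for guess in wordlist:
        rounds_spent += vault["iterations"]
        candidate = key_check_value(derive_vault_key(guess, vault["email"], vault["iterations"]))
        if hmac.compare_digest(candidate, vault["kcv"]):
            return guess, rounds_spent
    return None, rounds_spent


def demo() -> dict:
    """Stolen copy at 5,000 iterations; the user then moves to 100,100."""
    email = "alice@example.com"          # constructed
    weak_password = "correct horse"      # constructed; deliberately in WORDLIST
    stolen = make_vault(weak_password, email, 5000)       # the exfiltrated backup
    current = reencrypt(weak_password, stolen, 100100)    # the vault after the change

    found_old, cost_old = crack(stolen, WORDLIST)
    found_new, cost_new = crack(current, WORDLIST)
    return {
        "stolen_iterations": stolen["iterations"],   # still 5000: the copy did not change
        "keys_differ": stolen["kcv"] != current["kcv"],
        "cracked_stolen": found_old,                 # recovered at the old, cheap cost
        "cracked_current": found_new,                # same password, ~20x the work
        "cost_ratio": cost_new / cost_old,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The takeaway for the thread: the iteration count protects whichever copy was encrypted with it, so raising it hardens the vault going forward (and re-syncing each device just replaces its old copy with the re-encrypted one), but the only remedy for the copy already in the attacker's hands is a master password strong enough that the attack at the old count is impractical, plus rotating the secrets stored inside it.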

I use the older, less common, but functional PasswordWallet app. My only frustration with it is that syncing between devices doesn’t stay up-to-date automatically. So sometimes I’m on my iPhone and need to manually do a sync to get the latest password. But it works, and it’s not subscription based. Aren’t the others subscription based now?