LastPass security breach - how to proceed?

OP
fwafwow
WKR
Joined
Apr 8, 2018
Messages
4,959
Password strength calculators are mediocre.
I figured that a difference between 1,000 and some decillion of years had me second guessing all estimates.
A password of 0plm(OKN8ijb&UHV will show as strong on many, but is really incredibly bad. However, if your password was randomly generated, they are probably decent.
I don't doubt the first sentence, but do you mind explaining why? As for the random vs. other options, several sources seemed pretty insistent that length - even if words (but ideally not necessarily easy dictionary search words) only are used - could end up making for a lot of complexity/time for a brute force attack.
Major browsers are not a secure way to store passwords. There may be a browser that is, but it is not any of the common ones.
That was my thought too.
For rabbit holes, you should look into the weakness of USB. Basically, if a USB device has been plugged into any machine that is not secure, it has the potential to compromise everything on your device. USB charging stations can be rigged to exploit devices plugged into them as well. Stuxnet exploited the weakness of USB and was able to destroy an Iranian nuclear enrichment facility, which was more secure than most of us could be if we tried. The weakest link in a secure system is the human.
Great reminder. USBs have been forbidden in my industry for some time, so I was at least aware of the risk, but it's good to remember, especially in charging.
Also, pick up the book Sandworm if you have time.
Inbound!
 

tony

WKR
Joined
Nov 13, 2015
Messages
823
Location
WV
The podcast was a good and bad recommendation. Good in that the guy knows what he's talking about and there is a recent podcast that seems pretty on point (not about LastPass specifically, but on 2FA and password managers generally). It's bad in that it has caused me to open another rabbit hole - whether to use a hardware token or some other separate way to protect my email PW.... Is there a name for being addicted to rabbit holes?
Bazzell is paranoid to a point about privacy and he talks about it all the time in some past podcasts. He turns off his phone a few blocks from his home and puts it in a Faraday bag. He also does consulting concerning domestic violence, and used to be in law enforcement. Recommends the Google phone and a different OS for better security.
Some very interesting information in his casts.
 

Marbles

WKR
Classified Approved
Joined
May 16, 2020
Messages
3,707
Location
AK
I don't doubt the first sentence, but do you mind explaining why? As for the random vs. other options, several sources seemed pretty insistent that length - even if words (but ideally not necessarily easy dictionary search words) only are used - could end up making for a lot of complexity/time for a brute force attack.
Look at your keyboard, start with 0 and run down the first row of letters, now go back to the number 9 and repeat while holding the shift key down, then move to the number 8 and repeat, then to 7 and hold down the shift key.

Rather than being based on words, it is based on a key pattern for memory. A good brute force attack starts with combinations people can easily remember, not at random. This would include character clusters that match to words as well as salted words and a database of known passwords.

A more detailed explanation https://blog.1password.com/not-in-a-million-years/

Sandworm a great book, I hope you enjoy it as much as I did.
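The keyboard-walk point above can be made concrete. The script below is an added example, not code from this thread or from any of the password managers mentioned: it models a US QWERTY keyboard as ten straight columns (1qaz ... 0p;/) plus the down-and-left diagonals the post describes (0plm, 9okn, 8ijb, 7uhv), with or without Shift held, and then tries to split a password into such walks. The naive "95 printable characters to the 16th power" estimate is what most strength meters report; the walk count is what an attacker who enumerates this one pattern family has to try. The layout model and the pool-size arithmetic are simplifications (real cracking rule sets are far richer), so the walk figure is an upper bound on that attacker's effort, not a lower bound.

```python
"""Keyboard-walk decomposition: why 0plm(OKN8ijb&UHV is weak.

Added example, not code from the thread. KEYBOARD is a constructed model
of a US QWERTY layout; walks are built from its straight columns
(1qaz ... 0p;/) and the down-and-left diagonals the post describes
(0plm, 9okn, 8ijb, 7uhv ...). Real crackers use richer pattern sets, so
the guess counts here are an upper bound on what this family costs.
"""
import math
from functools import lru_cache

KEYBOARD = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
# Shift on the number and punctuation keys; letters just become upper case.
SHIFTED = dict(zip("1234567890;,./", "!@#$%^&*():<>?"))
PRINTABLE_ASCII = 95  # alphabet size assumed by the naive "random string" estimate


def shifted(seg: str) -> str:
    """The same key run typed with Shift held down."""
    return "".join(SHIFTED.get(c, c.upper()) for c in seg)


def build_walks() -> frozenset:
    """Every 2..4 key run down a column or diagonal, plain or fully shifted."""
    walks = set()
    for i in range(10):
        straight = "".join(row[i] for row in KEYBOARD)   # e.g. 0p;/
        diagonal = KEYBOARD[0][i] + KEYBOARD[1][i]       # e.g. 0p
        if i >= 1:
            diagonal += KEYBOARD[2][i - 1]               # ... l
        if i >= 3:
            diagonal += KEYBOARD[3][i - 3]               # ... m  -> 0plm
        for run in (straight, diagonal):
            for n in range(2, len(run) + 1):
                walks.add(run[:n])
                walks.add(shifted(run[:n]))
    return frozenset(walks)


WALKS = build_walks()


def decompose(password: str, walks=WALKS):
    """Split password into keyboard walks, or return None if it cannot be."""
    longest = max(len(w) for w in walks)

    @lru_cache(maxsize=None)
    def from_pos(pos):
        if pos == len(password):
            return ()
        # Try the longest candidate segment first, backtrack if the rest fails.
        for n in range(min(longest, len(password) - pos), 1, -1):
            seg = password[pos:pos + n]
            if seg in walks:
                rest = from_pos(pos + n)
                if rest is not None:
                    return (seg,) + rest
        return None

    parts = from_pos(0)
    return list(parts) if parts is not None else None


def strength_estimate(password: str) -> dict:
    """Naive random-string search space versus the keyboard-walk search space."""
    naive_bits = len(password) * math.log2(PRINTABLE_ASCII)
    parts = decompose(password)
    if parts is None:
        return {"walks": None, "naive_bits": naive_bits, "pattern_bits": naive_bits}
    # An attacker enumerating k walks from the pool tries at most len(WALKS)**k.
    pattern_bits = len(parts) * math.log2(len(WALKS))
    return {"walks": parts, "naive_bits": naive_bits, "pattern_bits": pattern_bits}


if __name__ == "__main__":
    for pw in ("0plm(OKN8ijb&UHV", "1qaz2wsx", "Tq7#mV9x"):
        print(pw, strength_estimate(pw))
```

For the post's example the naive estimate is around 105 bits, while the walk model needs roughly 26 bits (four segments from a pool of about ninety walks), which is a few seconds of work against a fast hash. A randomly generated string of the same length does not decompose at all, which is the practical version of the "if it was randomly generated, it is probably decent" rule above.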
 
OP
fwafwow
WKR
Joined
Apr 8, 2018
Messages
4,959
Look at your keyboard, start with 0 and run down the first row of letters, now go back to the number 9 and repeat while holding the shift key down, then move to the number 8 and repeat, then to 7 and hold down the shift key.
Doh!
Rather than being based on words, it is based on a key pattern for memory. A good brute force attack starts with combinations people can easily remember, not at random. This would include character clusters that match to words as well as salted words and a database of known passwords.

A more detailed explanation https://blog.1password.com/not-in-a-million-years/

Sandworm a great book, I hope you enjoy it as much as I did.
 
OP
fwafwow
WKR
Joined
Apr 8, 2018
Messages
4,959
FWIW - I ended up comparing Bitwarden and NordPass. Although BW sounded better on paper to me, it was a bit clunky in operation, so I went with NordPass.
 
Joined
Jan 7, 2023
Messages
57
I've been using BitWarden ever since LastPass changed their pricing model. It encrypts a lot of the data that was leaked by LastPass (it's open-source, so if you know enough about code to read it you can check yourself) and if you really don't trust companies' infrastructure there's a self-host solution.
 
OP
fwafwow
WKR
Joined
Apr 8, 2018
Messages
4,959
I've been using BitWarden ever since LastPass changed their pricing model. It encrypts a lot of the data that was leaked by LastPass (it's open-source, so if you know enough about code to read it you can check yourself) and if you really don't trust companies' infrastructure there's a self-host solution.
I know. But when I compared them side-by-side, the BW extension was not consistent and often didn't pick up changes to my PWs on various sites. I know that the use of an extension might be less safe, but for me, the ease of use offset the tradeoffs.
 

TheCougar

WKR
Joined
Jun 6, 2016
Messages
3,137
Location
Virginia
LastPass had a security breach and the details keep getting worse. For those who use a password manager, what are you doing?

Here are my current thoughts/plans:
  1. Change my Master PW - but this is of limited value
  2. Change the PWs on all of my financial accounts (done)
  3. Changing all of my other PWs - but that is a bit of a pain in the arse (even using LP) - and for non-financial accounts, I'm not quite as worried
Going forward, I'm debating whether to
  1. switch to an alternative for LastPass (Bitwarden and 1Password are mentioned a lot)
  2. switch to one of the above, but use it only for my most sensitive (financial) accounts and keep it off the cloud
  3. switch to multiple PW managers and divide at least the financial access between/among them
  4. go back to paper - and keep a duplicate somewhere - at least for the most important accounts (which is safe, or safer, from hacking but a complete pain)
How is this the first time I’m hearing about this??? Thank you!
FWIW - I ended up comparing Bitwarden and NordPass. Although BW sounded better on paper to me, it was a bit clunky in operation, so I went with NordPass.
is there a way to transfer my passwords from LastPass to Nordpass (or any other)?
 
OP
fwafwow
WKR
Joined
Apr 8, 2018
Messages
4,959
How is this the first time I’m hearing about this??? Thank you!

is there a way to transfer my passwords from LastPass to Nordpass (or any other)?
My pleasure! Yes, I know it's possible with Bitwarden and NordPass, and I expect most others. You export to a CSV file and then import that file. It seemed to work pretty seamlessly for me.
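One caveat on the CSV route: the export is the entire vault in plaintext, so it is worth using that moment to find out which passwords actually need rotating before the file is deleted. The script below is an added example, not code from this thread, LastPass or NordPass. The column header is the LastPass export layout as I know it (url,username,password,totp,extra,name,grouping,fav); check it against your own export. The vault rows are constructed sample data, and the "Finance" and "Email" folder names are an assumption about how someone might have grouped their entries.

```python
"""Audit a LastPass-style CSV export before importing it elsewhere.

Added example, not code from the thread or from either vendor. The header
below is the LastPass export layout as I know it; check it against your
own export. The rows are constructed sample data.
"""
import csv
import io
from collections import defaultdict

SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example,alice,correct horse battery staple,,,Bank,Finance,1
https://broker.example,alice,correct horse battery staple,,,Broker,Finance,0
https://forum.example,alice,0plm(OKN8ijb&UHV,,,Forum,Misc,0
https://shop.example,alice@example.com,0plm(OKN8ijb&UHV,,,Shop,Misc,0
https://mail.example,alice,kq2R!v9wZ#m7Lp4e,,,Mail,Email,1
"""


def load_vault(text: str) -> list:
    """Parse the export; csv handles quoted commas inside notes and passwords."""
    return list(csv.DictReader(io.StringIO(text)))


def reused_groups(entries: list) -> list:
    """Groups of entry names that share one password.

    Only site names are returned, never the secrets, so the result is safe
    to print or paste into a to-do list.
    """
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    return sorted(sorted(names) for names in by_password.values() if len(names) > 1)


def rotation_order(entries: list, priority_folders=("Finance", "Email")) -> list:
    """Entry names in the order to change them after a vault compromise.

    Priority folders first (financial, then the mailbox that can reset
    everything else), reused passwords before unique ones, then by name.
    """
    counts = defaultdict(int)
    for e in entries:
        counts[e["password"]] += 1

    def rank(e):
        folder = e["grouping"]
        folder_rank = (priority_folders.index(folder)
                       if folder in priority_folders else len(priority_folders))
        return (folder_rank, counts[e["password"]] == 1, e["name"])

    return [e["name"] for e in sorted(entries, key=rank)]


if __name__ == "__main__":
    vault = load_vault(SAMPLE_EXPORT)
    print("reused:", reused_groups(vault))
    print("rotate in this order:", rotation_order(vault))
```

Run it against the real export file in place of the constructed string, then delete the export once the import has been verified; a plain delete on an SSD does not reliably erase the blocks, so writing the export to a RAM-backed location (or an encrypted volume) in the first place is the safer habit.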
 

wingmaster

Lil-Rokslider
Joined
Mar 16, 2021
Messages
227
Location
California
The podcast was a good and bad recommendation. Good in that the guy knows what he's talking about and there is a recent podcast that seems pretty on point (not about LastPass specifically, but on 2FA and password managers generally). It's bad in that it has caused me to open another rabbit hole - whether to use a hardware token or some other separate way to protect my email PW.... Is there a name for being addicted to rabbit holes?
Never thought I'd run into Bazzell's name on Rokslide, but I've read all his books, listened to all his podcasts, and implemented all his suggestions over the past 5 years. The answer to your question is yes: A hardware token is a no-brainer, and it is convenient. Plenty of government agencies and big tech companies use it, and to my knowledge they have never been compromised. It is a cinch for me to login to websites that support hardware tokens because all I have to do is touch the key. I add my YubiKeys to every website that supports it. Hot tip: Rokslide added hardware token support last year.

Regarding password managers, I would opt for one that supports hardware tokens, since if anything deserves MFA it's definitely your password manager. I use KeepassXC (also Bazzell's recommendation), it's free and I've never had a problem with it. I know Bitwarden supports it but you need to pay for their premium version. I'm not sure what other password managers support it, but I'd avoid cloud-based password managers if you can avoid it. I believe that's how LastPass was compromised. The only way my password manager would be compromised is if they got my keepass file, had my hardware token, and knew my password. Internet security has come a long way -- if you're getting hacked in 2023, you're doing it wrong.
 

TheCougar

WKR
Joined
Jun 6, 2016
Messages
3,137
Location
Virginia
My pleasure! Yes, I know it's possible with Bitwarden and NordPass, and I expect most others. You export to a CSV file and then import that file. It seemed to work pretty seamlessly for me.
Good to know. The breach is bad enough, but I went back and checked - I haven’t had a notification or email or any disclosures of a breach from them. That’s unconscionable. They are dead to me.
 
OP
fwafwow
WKR
Joined
Apr 8, 2018
Messages
4,959
Never thought I'd run into Bazzell's name on Rokslide, but I've read all his books, listened to all his podcasts, and implemented all his suggestions over the past 5 years. The answer to your question is yes: A hardware token is a no-brainer, and it is convenient. Plenty of government agencies and big tech companies use it, and to my knowledge they have never been compromised. It is a cinch for me to login to websites that support hardware tokens because all I have to do is touch the key. I add my YubiKeys to every website that supports it. Hot tip: Rokslide added hardware token support last year.

Regarding password managers, I would opt for one that supports hardware tokens, since if anything deserves MFA it's definitely your password manager. I use KeepassXC (also Bazzell's recommendation), it's free and I've never had a problem with it. I know Bitwarden supports it but you need to pay for their premium version. I'm not sure what other password managers support it, but I'd avoid cloud-based password managers if you can avoid it. I believe that's how LastPass was compromised. The only way my password manager would be compromised is if they got my keepass file, had my hardware token, and knew my password. Internet security has come a long way -- if you're getting hacked in 2023, you're doing it wrong.
Thx. I looked into the hardware token and decided it was overkill for me. Even Google argued against their own product unless the user is (from memory) a government employee, reporter or other person who is likely to be specifically targeted or otherwise at risk. YMMV
 
OP
fwafwow
WKR
Joined
Apr 8, 2018
Messages
4,959
Thx. I looked into the hardware token and decided it was overkill for me. Even Google argued against their own product unless the user is (from memory) a government employee, reporter or other person who is likely to be specifically targeted or otherwise at risk. YMMV
For those who may be following, or come across this in the future:
  • I changed my mind about the hardware token and I am now using 3 of the YubiKeys (and I started a separate thread on that topic - which I will also update).
  • I'm thinking about using the Google Advanced Protection program, and maybe eventually parting ways (or diverting from) Gmail and other Google products
  • NordPass continues to have a great user experience, but:
    • I'm thinking of taking all of my financial account logins off of NordPass and moving to KeePassXC and maybe Strongbox
    • The NordPass doesn't work very well (as of now) with the YubiKey
  • I've deleted all of my financial apps from my phone
Many thanks for the RS member who has been chiming in from a position of knowledge to this guy who knows nothing in getting me to the above!
 

Marbles

WKR
Classified Approved
Joined
May 16, 2020
Messages
3,707
Location
AK
@fwafwow Well, I have been chewing over using a hard key, and now I blame you for the money I just spent on two Yubikeys.

I've also been debating on changing my VPN service, so I blame you for that money spent too

I ended up staying with my current password manager and antivirus, but because of you I spent time researching and blame you for that as well.

Seriously though, thanks.
 
Joined
Aug 21, 2016
Messages
662
Location
Midwest
I use an algorithm to create unique passwords. The reminder for those passwords is on a password protected file on my computer. Good luck figuring out my passwords.
 
OP
fwafwow
WKR
Joined
Apr 8, 2018
Messages
4,959
@fwafwow Well, I have been chewing over using a hard key, and now I blame you for the money I just spent on two Yubikeys.

I've also been debating on changing my VPN service, so I blame you for that money spent too

I ended up staying with my current password manager and antivirus, but because of you I spent time researching and blame you for that as well.

Seriously though, thanks.
I’m now going to have to look into a VPN, as I rarely use one. And I’m also digging into firewalls. I’m in a rabbit hole of rabbit holes.

Another member is to blame - as he started me down these paths! Whatever you do, do NOT visit this website - https://inteltechniques.com/.
 

Marbles

WKR
Classified Approved
Joined
May 16, 2020
Messages
3,707
Location
AK
I’m now going to have to look into a VPN, as I rarely use one. And I’m also digging into firewalls. I’m in a rabbit hole of rabbit holes.

Another member is to blame - as he started me down these paths! Whatever you do, do NOT visit this website - https://inteltechniques.com/.
My main use of a VPN is when I'm on untrusted networks (though I have used it a few times to see content that was unavailable in my geographic area). I had used PIA (Private Internet Access) for years, but have not been happy with it the past two years as it really slowed the connection down. I just switched to ExpressVPN, which is more than double the price, but in tests only slows a connection by about 2%. It also checks the right boxes on security and jurisdiction.

For antivirus and firewall I stuck with Norton 360. I think Bitdefender is slightly better, but I can consistently find a one year subscription to Norton 360 for $30 vs $99 for Bitdefender Total Security (though Bitdefender's entry offer is $35).

Both of those have VPNs and password managers. Norton's password manager is pretty basic and not worth using. I would consider using Bitdefender's, but they don't have a way to securely share some passwords with my wife and not others, so for me it is not a great option.

If techy or motivated, use OpenBSD as your OS. I had difficulty keeping basic things working on an easier version of Linux and gave up, so never tried Unix and OpenBSD. That was about 10 years ago though; it might be better now.
 