The only password managers I trust are Apple Keychain and the Google chrome password manager.

Do I trust either with my personal privacy? No.

But I do trust them with security.

Apple keychain is still the biggest thing keeping me locked in to iOS devices.
 
The only password managers I trust are Apple Keychain and the Google chrome password manager.
In all honesty I think using google is probably not a good idea.

I use Bitwarden. It's open source, so there are many eyes looking for vulnerabilities. End-to-end encryption, and if you so choose, you can self-host the vault (or whatever term they use).

In this day and age, a password manager is the right way to go, but you need to use one that has a proven track record. LastPass' track record is proven - proven to be hackable, and they continue to have non-authorized access into their systems.

I think companies like Apple and Google that offer password management as an ancillary service are generally weaker because it's not their main focus - more so for Google simply because their whole business model is collecting and selling your data to the highest bidder.
 
What is scary about this one is that the hackers targeted a high-level employee that had access, and installed keyloggers onto their work laptop. So it's less about weak systems and more about human engineering (if you want to call it that).
 
The only password managers I trust are Apple Keychain

Apple keychain is still the biggest thing keeping me locked in to iOS devices.
I have become less confident with Apple Keychain since reading about the iPhone vulnerabilities.


"To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain."

It seems that the more secure approach is to use a password manager that has a different passcode than the one that accesses the iPhone, and to not store sensitive info in Apple Keychain on the iPhone.
 
It was a sophisticated specific direct attack on a very specific employee within the company, information of which was probably obtained from the first hack of the company. The hack compromising streaming service Plex implies to me that the hacker knew the employee used Plex and thus inserted malware into Plex that would end up on the employee's computer. How would the employee know that Plex had been compromised? The only thing I can fault the company or the employee on is what happened to security on the employee's computer? Why was a computer used to access company systems and other secure areas being used for potentially personal use (using Plex)? Did the employee use their own personal computer to log in to the company's secure areas and if so why? Surely the first hack should have put a number of security protocols and procedures in place. If not, why not?

As Plex was being used I am sensing that the employee was using Plex (watching something) whilst doing company work (logged into company account). If so this should have never been allowed to happen because of the high access level and security level the employee had within the company. It was a huge security flaw which will now probably cost the company a lot.
 
Major ITSEC fail by both employer and employee.

1. Was this a company issued computer? If so, why was the employee using it for personal use to access Plex?
2. Employee likely had a public-facing Plex server.

Regardless, sounds like grounds for immediate dismissal.
 
Why? Any specific reason? Or is it just "evil corporation"?
Why? Simply because they make much of their money by selling user data. I'd rather use a company whose focus is user privacy and security than a company whose business model is collecting and selling user data. I don't feel that they would take enough precautions to protect my passwords, especially when user privacy is the opposite of their priorities.
 
KeePass keeps my passwords in a locally encrypted file which is easy to store in (and synchronize from) a place to which only I have access. If you store your data on other people's computers, you probably should not worry too much about other people looking into your data - after all, this is exactly what will happen.
 
Just to put this point into relation: The X11 server, obviously Open Source, had had a security vulnerability for 23 years.
Oh I know, but open source has more opportunities for many varied and skilled people to find stuff - it's no guarantee, but many security experts tend to think open access to how security applications work can only strengthen them.
 
Why? Simply because they make much of their money by selling user data. I'd rather use a company whose focus is user privacy and security than a company whose business model is collecting and selling user data. I don't feel that they would take enough precautions to protect my passwords, especially when user privacy is the opposite of their priorities.
Feel free! But that doesn't mean Google's password manager isn't secure if you use on-device encryption. Then Google can't access any of the information. But I suppose you don't trust that.
 
iCloud Keychain is a really convenient solution IMO, and it's worked extremely well for me.

Though I guess if you want to be really secure from any malicious online activity, you can just write your passwords on a paper notebook or something. It'll be 100% secure from even the most skilled hackers, but not from, say, accidentally spilling your coffee onto paper. 😅
 
Why? Simply because they make much of their money by selling user data. I'd rather use a company whose focus is user privacy and security than a company whose business model is collecting and selling user data. I don't feel that they would take enough precautions to protect my passwords, especially when user privacy is the opposite of their priorities.
The two things are unrelated. They sell what they are allowed to sell, doesn’t mean they can’t protect what they need to protect if it benefits their business. It’s a large company.
 
I'm entitled to my opinion (as you are yours), and I personally don't think it's a good idea. We all have to make decisions that work best for each of us, and one size doesn't fit all.
Yes, of course, but there is a difference in "I don't trust them" and "they have flaw X in their solution". That's why I asked.
 
Any company promising security will NOT keep the keys, that should be something ONLY YOU KNOW. It should all be end-to-end encrypted, not stored in an Amazon account that any yahoo corporate stooge could lose control over after a drunken night at a Marriott.
 
What is scary about this one is that the hackers targeted a high-level employee that had access, and installed keyloggers onto their work laptop. So it's less about weak systems and more about human engineering (if you want to call it that).
This happens even at Apple and Google, no one is safe from social engineered hacking. There are also internal rogue actors who will take a pay cut to “leak” stuff, much of which is difficult to prove in a court.

I wouldn’t put Apple above Google however, Apple have not only had many security exploits, they had ones Google advised them to fix but didn’t want to in a quick manner so Google leaked them to force Apple to fix them - Google has been quite vocal about Apple's lacking. I’d say Google probably take it more seriously than most because they sell user data :).

For completeness, the only Google product I use is the Nest, so no way biased towards any particular company.
 