The issue isn't trusting a company with passwords, but is instead trusting that your passwords are safe/secure in the cloud. As we've seen multiple times with LastPass and Dashlane, putting one's passwords in the cloud for the sake of convenience is a major risk in itself, because you are not in control of if that service you are putting your trust in can be trusted to keep such sensitive data like your passwords and other PII data secure.

This is where something like the standalone versions of 1Password, Enpass, and the like are better than any cloud SaaS that hosts passwords. By keeping it standalone, your passwords don't leave your possession. You could keep them stored on your own device and sync them between your devices, and be done.

Up until I upgraded to my M1 Pro MBP, I used 1Password 6.x on my MBA, and kept them in sync between that Mac, my iPad, and my iPhone. As 1Password went to SaaS only, and only using subscriptions (read: dropped the standalone versions), plus leaving no upgrade path to 1Password 7 (which is a universal binary, not requiring Intel support), I migrated over to Enpass. I keep my passwords on my Mac, sync my vault between my Mac, iPad, iPhone, and PC, plus back up my vault to my NAS. That way nothing touches the cloud or anything outside of my network. This works doubly so because I keep more than just passwords in that vault: account numbers, PCI info, other PII info, the entire lot.

If others have that same type of data, and are storing that in the cloud, they are putting themselves at even further risk of identity theft because of breaches like this.

EDIT: Another issue from this is that if your data is in the cloud, should the authorities have to investigate you for anything, they don't have to get a warrant to get in possession of your vault. Since the SaaS is a 3rd party to the investigation of you, all that would be needed to get possession of your vault is a subpoena levied against that SaaS, and without your notification. Now, that doesn't mean they get access to the data in your vault, but that they can get your vault. That's a huge issue in itself, where a person would not be safe and secure in their possessions, because the vault wasn't in their possession to begin with (it is in possession of the SaaS company).

BL.
Don't know why all these people are saying the cloud is not secure but your computer is.

Your computer = cloud.

Nobody here has an air-gapped system.

We are all connected to the internet.
= our computer can be hacked.

Besides that, where tf do people back up their passwords?

On their external hard drive?
Good luck with thieves, flood, fire…

On the cloud? Lol.
 
Not much difference? If so, where can I get these features using iCloud:

  • Multiple vaults so I can separate personal from work passwords?
  • Ability to give family members access to certain passwords (like streaming services) while keeping other passwords only to myself
  • Ability to store sensitive documents, along with personal information (Drivers License numbers, SSNs, etc.)
  • Ability to fill MORE than just username and password fields (At aa.com, I have to enter my number and last name to log in.)
  • Ability to recognize when a site uses SSO via Apple, Google, GitHub, etc. and remember that setting so the next time I go to that site it takes me directly to the correct SSO login?
  • Save my SSH keys so I don't have to manually copy them to each computer I use?
If you have basic needs, sure iCloud works. But, the best Password managers do SO much more. People need to stop saying that Apple is "almost the same". They are not even in the same ballpark.
Those are good points but I think you proved what I was saying. Most people are served well enough by iCloud Keychain/Passwords.
 
This is why I never use these 3rd-party services for password storage. It's literally giving the keys to the kingdom away to someone for safekeeping. The aftermath of this hack is profound. Even a compromised email account could result in tremendous financial losses. But bank account names and numbers stolen in such a hack are tremendously disruptive to one's life even if the bank eventually agrees to reimburse for the hacked account, which I'm not exactly sure they are going to do because the hack occurred outside of their systems.

A hack like this should put this company out of business. I don't know who would continue entrusting them with passwords after this.
Hein? Why tf would you give your master password to anybody?
 
Don't know why all these people are saying the cloud is not secure but your computer is.

Your computer = cloud.

My computer is not located in a public SaaS-based cloud, as everyone defines it. My computer is only on my personal network, and my vault never leaves my computer, with the exception of copying it to my own NAS, which is also on my personal network. It is not exposed to the Internet at all.

In fact, everything I am doing is INTRANET, not internet.

Nobody here has an air-gapped system.

We are all connected to the internet.
= our computer can be hacked.

If you have services open that expose your computer to be hacked, yes, it can. But I don't, because of what I do for a living. See below for that.

Besides that, where tf do people back up their passwords?

With my backups, of course, but not on the drive containing the backups. I have specific instructions as to where it is and how to retrieve it. Something others should look into as well, instead of sacrificing safety and security of sensitive data for convenience.

On their external hard drive?
Good luck with thieves, flood, fire…

You are under the assumption that one does not deal with single points of failure.

I'm a Linux sysadmin, and by trade, have to be concerned with that. My vault is not only backed up to my NAS, but I also back up my NAS, and store that in multiple locations. So if something happens that is catastrophic (read: single point of failure), I have avenues to retrieve my backups from offsite, restore them, and I'm back in business. Perhaps you should look into the same.

On the cloud? Lol.

My point stands.

BL.
 
At the end of the day, what services like 1Password sell is convenience.

I have over 200 accounts in said app. Thanks to 1Password, most of them use a different, randomly-generated password. When my work accounts prompt me to change my password, it's a no-brainer to come up with a radically different one from 1Password. While iCloud Keychain does the same thing, I find it annoying that it is not able to meet the criteria (e.g. mix of symbols, numbers etc.) that my work-related websites require. With 1Password, I can have a memorable password for logging in to my work laptop, a 12-letter password meeting 4 different conditions for my work. When I went for my exam marking duties, I had to create a new account as part of marking moving online, so I generated one with 1Password and synced it to my watch so I could refer to it from my wrist every time I needed to log in. I don't need to think of a random hodgepodge of letters and numbers.

Because the reality is that most people don't comply with best practices when it comes to managing passwords because it is simply too much of a hassle. How many people reuse the same password across all their social media accounts, or add a number to their current existing password when it's time to change it to a new one?
 
You kind of forget your phone. It’s online all the time.

You assume that the app is open all the time or transmits my entire vault to some cloud service anywhere.

It is not and does not.

If you are able to do it from offsite, others too.

I do. And I am not the only one who can retrieve where it is located. But that line in the sand is being pushed further back here. You were worried about a single point of failure at one site, now you're worried about the site after that and the site after that.

What I do is back up my vaults to an external disk, and physically store that disk offsite, and in different sites. I pull them back every so often to update the vaults, then put them back offsite again. That way I'm covered; if my Mac crashes, I have my NAS and my PC. If my NAS dies, I rebuild the NAS and back up the vault to it again. The single point of failure would be my house; if something happens to that, I go to my offsite backup, get that disk, and restore my vault from that. IF that particular site has a problem, I go to my secondary site and use that disk.

Absolutely no part of that backup or restore process touches the internet.

BL.
 
I never really understood what makes a password manager more secure when all they need is the master password to access any of your passwords from multiple platforms, instead of "maybe" gaining access to a single platform's password.

I think the hacker needs access to your physical device also. So a password manager is quite secure and makes your life easier.

Never used LastPass, but I think it would be strange if an online hacker would ever get access to users' passwords; maybe they can get email addresses and those kinds of things.
 
People trusting one company with all their passwords is a bad idea.
I use Apple products and I don't use Keychain to store passwords; I think it is too risky.
And I use two-factor authentication wherever possible.
 
Not sure I follow; besides the last point, who doesn't need all the others?
Most people. I don't even use iCloud/Keychain to save passwords; I don't want to save all my passwords with one vendor in a cloud.
 
When it comes to data leaks I am a forgiving person. It's not always preventable; most are caused by people being people. But if the company is hit twice in a few months I would stay away for a long time. Honestly, I'm pretty sure I won't use LastPass products ever again.
 
Even if the hackers got a hold of password data, it is encrypted.
The whole point of a password manager is that it generates random complex passwords for various services and then you access the entire database of your passwords with one encryption key (password) that you enter manually. Most people use a password that they can easily remember. Hence, this one password can usually be guessed by a dictionary attack.

So, if the user database of encrypted passwords has been stolen, the hackers will run an offline dictionary attack against each user and will likely gain access to passwords of over 95% of users.
 
Really good look for a password company. That’s like going on a dating site as Medusa…
 
iCloud Keychain really needs its own standalone manager app, rather than being hidden in the settings app.
iCloud Keychain has had its own app for a long time. It’s called Keychain. It’s on the Mac. If you are a Windows user, then by all means please use a third-party password manager.
 
iCloud Keychain has had its own app for a long time. It’s called Keychain. It’s on the Mac. If you are a Windows user, then by all means please use a third-party password manager.

I am predominantly iPhone, iPad and Windows work laptop at work, with Mac when working at home. Hence I subscribed to 1Password.
 
I used 1Password for years. The introduction of yet another subscription service was the final straw. Since then I've been using the built-in password manager along with secure notes in Notes. I also downloaded a free password generator.

For my very basic needs, it's more than sufficient, and it's essentially 'free'.

Caveat: I’m using a totally Apple setup.
You know, the Keychain app on the Mac has a built-in password generator.
 
I have no regrets about moving from 1Password to a self-hosted Bitwarden solution about 3 years ago. Does the built-in iCloud password manager use 2FA yet? I still think any password manager (allowing unique and complex passwords for all other online accounts) is better than no password manager, but I guess you also need to be careful about which one you use.
 
The whole point of a password manager is that it generates random complex passwords for various services and then you access the entire database of your passwords with one encryption key (password) that you enter manually. Most people use a password that they can easily remember. Hence, this one password can usually be guessed by a dictionary attack.

So, if the user database of encrypted passwords has been stolen, the hackers will run an offline dictionary attack against each user and will likely gain access to passwords of over 95% of users.
I can't speak for other password managers, but 1Password uses TWO pieces of information to encrypt the data. One is my password (which is only in three places: in 1Password, on a piece of paper in my home, and in my mind) and a secret key (two places: a piece of paper and in 1Password).

Even if a hacker were to get a hold of my encrypted blob and I was stupid enough to have an easily guessed password (I don't), the hackers STILL couldn't get my passwords without my secret key. To get the secret key, they would have to have physical access to my house and know where I store it.
 
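An added illustration of the two points above (the offline dictionary attack described earlier in the thread, and the reply's password-plus-secret-key argument). This is not code from 1Password or from any poster: the derivation is a simplified stand-in for a two-secret scheme, not 1Password's actual algorithm, and the rounds, wordlist, salt and secret key are all constructed for the demo.

```python
import hashlib
import hmac

# Deliberately low cost so the demo runs quickly; real vaults use far more rounds.
ROUNDS = 20_000

def derive_vault_key(master_password: str, salt: bytes, secret_key: bytes = b"") -> bytes:
    """Simplified two-secret derivation (an illustration, not 1Password's algorithm):
    stretch the master password with PBKDF2, then, if a secret key is present,
    bind the result to that key so no password-only guess can reproduce it."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ROUNDS)
    if not secret_key:
        return stretched
    return hmac.new(secret_key, stretched, "sha256").digest()

def offline_guess(salt: bytes, key_verifier: bytes, wordlist, secret_key: bytes = b""):
    """Model of what someone holding a stolen vault can do offline: derive a key per
    candidate and compare it to the stored verifier (a stand-in for trial decryption).
    Returns the recovered password, or None if no candidate matches."""
    for candidate in wordlist:
        if hmac.compare_digest(derive_vault_key(candidate, salt, secret_key), key_verifier):
            return candidate
    return None

# Constructed inputs: a tiny wordlist, a fixed salt and a fixed 128-bit secret key.
WORDLIST = ["password", "letmein", "qwerty", "sunshine1", "iloveyou"]
SALT = b"constructed-salt"
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def compare_schemes(weak_password: str = "sunshine1"):
    """Return (guess result without a secret key, guess result with a secret key)."""
    # Scheme 1: the vault key depends on the memorable password alone -> guessable offline.
    verifier_pw_only = derive_vault_key(weak_password, SALT)
    found = offline_guess(SALT, verifier_pw_only, WORDLIST)
    # Scheme 2: same weak password, but the device-held secret key is mixed in.
    # The attacker holds the stolen blob but not the secret key, so no guess matches.
    verifier_two_secret = derive_vault_key(weak_password, SALT, SECRET_KEY)
    not_found = offline_guess(SALT, verifier_two_secret, WORDLIST)
    return found, not_found

if __name__ == "__main__":
    print(compare_schemes())  # ('sunshine1', None)
```

The secret key only helps as long as it never reaches the server: if it is stored alongside the vault, the attacker gets both and is back to guessing the password.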
iCloud Keychain has had its own app for a long time. It’s called Keychain. It’s on the Mac. If you are a Windows user, then by all means please use a third-party password manager.
Keychain is a password manager? Sure, and TextEdit is a word processor. Sure, it works, but only if you need basic functionality.

iCloud Keychain is fine IF you have VERY basic needs and never open any other application than Safari on your Mac. But, for many of us, we need something better.
 