So, your point about the 1Password weakness has been raised on the 1Password forums. A member of their security team did respond. Basically they said "Trust Apple".

https://1password.community/discussion/comment/590911#Comment_590911




Yeah, that's something that 1Password post did suggest. I've decided to leave mine on, but only because I do have a number of carefully secured devices that are consulted whenever unrecognized access to my iCloud account is attempted.



Good point. The forum post made that point "If an attacker managed to breach iCloud and acquire your Secret Key, they would still need a copy of your encrypted data itself, as well as your Master Password in order to decrypt it."

But, 1Password is no longer as rock solid as I thought, unless I turn off iCloud keychain.
I figured this out when I restored an iPhone once. I was also told I needed keychain for HomeKit, but all is fine.

Now with iCloud, a person would need your Apple ID password, the Apple 2FA, your master password for 1Password and then 2FA again (if you have it set up for 1Password). So, it would be a lot to go through to get to your passwords on 1Password.
 
How can you confirm that the built-in password manager is more secure? Please provide links to third party audits and security documents that compare iCloud to other password managers.

Also, just to be clear, the LastPass hack was against their customer database. Even if the hackers got a hold of password data, it is encrypted.

This is the equivalent of saying "Even if burglars got the address to my house, they can't get in because the doors are locked."

The issue here is that they shouldn't even be getting to anyone's vaults to begin with, and even if they did get to your vault, the fact that they have your vault should have you presuming that your data is compromised. You don't wait until they have your passwords before you panic. If they have your vault, you should already be doing everything you can to protect yourself, and not rely on their encryption. Who is to say that those that have your vault don't already have the means (or will figure out the means) to hack that encryption? You can't assume that they don't, which is the problem.

BL.
 
This is the equivalent of saying "Even if burglars got the address to my house, they can't get in because the doors are locked."

Which is kinda true if your doors and windows are designed to be burglar-proof. It might require an unreasonably long time for burglars to defeat them, which is exactly how encryption works.

The issue here is that they shouldn't even be getting to anyone's vaults to begin with, and even if they did get to your vault, the fact that they have your vault should have you presuming that your data is compromised.

If you cannot assume the encryption is secure you should not use a cloud-based password manager service in the first place since you cannot assume a hostile entity is unable to intercept and decrypt the vault information as it's transmitted from your device to the cloud server.

What you can assume is that an attacker can now more easily try to brute-force the encryption, but this still might require a long or even still unreasonable time to crack.

There is a chance that the encryption itself turns out to be breakable, but this should not be the assumption for well researched encryption technology currently understood to be secure.
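The two posts above make the same layered argument from opposite sides: whoever steals the encrypted vault still has to recover the Master Password offline, and a Secret Key that never touches the server turns a dictionary attack on a weak password into an attack on 128 random bits. The block below is an added illustration written for this page; it is not 1Password's code and does not reproduce its actual key-derivation design (the PBKDF2 iteration count, the XOR mixing of the two derived keys, the HMAC key-check value, the salt, the Secret Key and the wordlist are all constructed for the demo).

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed demo parameters (not 1Password's real parameters or design).
KDF_ITERATIONS = 10_000            # kept low so the demo runs in seconds
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")        # constructed; normally random per vault
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit device-held secret
MASTER_PASSWORD = "sunshine2023"   # deliberately weak, and present in the wordlist below

# Constructed attacker wordlist; a real one would be millions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou",
            "sunshine", "sunshine1", "sunshine2023", "dragon", "monkey"]


def derive_vault_key(password: str, salt: bytes, secret_key: Optional[bytes]) -> bytes:
    """Derive a 256-bit vault key. With secret_key=None the key depends only on
    the password, which is what an attacker holding the encrypted vault can
    brute-force offline. With a secret key, a second key is derived from it and
    XORed in, so a guess must be right about both inputs at once."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 KDF_ITERATIONS, dklen=32)
    if secret_key is None:
        return pw_key
    # HMAC as a simple KDF for the high-entropy secret: 128 random bits need
    # no stretching because they cannot be dictionary-attacked.
    sk_key = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def key_check_value(vault_key: bytes) -> bytes:
    """Stored next to the ciphertext so a client can tell a right key from a
    wrong one; it plays the role of the authentication tag on the vault."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def offline_attack(salt: bytes, kcv: bytes, wordlist: List[str],
                   secret_key: Optional[bytes]) -> Optional[str]:
    """What the attacker does with a stolen vault: try each candidate password,
    derive the key exactly as the client would, and compare against the stored
    check value. Returns the recovered password, or None if no guess matched."""
    for guess in wordlist:
        candidate = derive_vault_key(guess, salt, secret_key)
        if hmac.compare_digest(key_check_value(candidate), kcv):
            return guess
    return None


def crack_time_seconds(guess_space: float, kdf_iterations: int,
                       hashes_per_second: float) -> float:
    """Worst-case time to exhaust a guess space when each guess costs
    kdf_iterations hash calls and the attacker computes hashes_per_second."""
    return guess_space * kdf_iterations / hashes_per_second


def demo() -> dict:
    """Run both scenarios against the same stolen vault and return the results."""
    kcv_password_only = key_check_value(derive_vault_key(MASTER_PASSWORD, SALT, None))
    kcv_with_secret = key_check_value(derive_vault_key(MASTER_PASSWORD, SALT, SECRET_KEY))
    return {
        # Password-only KDF: the weak password falls to a short wordlist.
        "password_only": offline_attack(SALT, kcv_password_only, WORDLIST, None),
        # Key also depends on a secret the attacker never saw: the same wordlist fails.
        "secret_key_unknown": offline_attack(SALT, kcv_with_secret, WORDLIST, None),
        # Attacker who also stole the secret key is back to attacking the password.
        "secret_key_known": offline_attack(SALT, kcv_with_secret, WORDLIST, SECRET_KEY),
        # Exhausting 2^128 secrets at a constructed 10^12 guesses/s, one hash each: still astronomical.
        "years_to_exhaust_128bit": crack_time_seconds(2 ** 128, 1, 1e12) / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The third scenario is the one the post's iCloud question is really about: once the Secret Key is also in the attacker's hands, the whole defence collapses back onto the Master Password and the KDF cost, which is why where that key is synced matters.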
 
Care to share that shortcut???

I have one but it fails for me.

I just use this link opening command:

 
Do you find you often need to comment on products you don’t use?
I am just providing a public service by publicly acknowledging and supporting the viewpoint that people might have if they are reading this that maybe they should just use iCloud for free.
 
I am just providing a public service by publicly acknowledging and supporting the viewpoint that people might have if they are reading this that maybe they should just use iCloud for free.
Well researched and well elaborated then!
 
I am just providing a public service by publicly acknowledging and supporting the viewpoint that people might have if they are reading this that maybe they should just use iCloud for free.

Other password managers can also have a free tier: e.g. Bitwarden has a free tier with all features a typical private user needs.

The big advantage of iCloud is its out-of-the-box integration with Apple products. Its drawback is of course the other side of the medal: lack of integration with non-Apple products.
 
Other password managers can also have a free tier: e.g. Bitwarden has a free tier with all features a typical private user needs.

The big advantage of iCloud is its out-of-the-box integration with Apple products. Its drawback is of course the other side of the medal: lack of integration with non-Apple products.
A girl I work with, her daughter got locked out of her Apple ID... and she’s now locked out of her passwords also.
 
This is why I use BitWarden for years. :cool:

I’ve also switched to Bitwarden when LastPass killed the free tier.

I can’t remember if I deleted the account or just exported the passwords - I hope that this breach doesn’t compromise my security.
 
People should just move to Bitwarden.

The reason I haven't is because
  1. I don't want my passwords or any other sensitive data stored in the cloud. That effectively reproduces the same situation that LastPass just got hacked from, twice.
  2. While I am a Linux sysadmin, I am done with maintaining my own Linux server at home along with its own Docker container to run my own server. If I happen to be out somewhere and want or need to sync my passwords, that would mean exposing that server to the Internet, which goes back to recreating the same problem LastPass has.
I prefer having standalone clients and standalone vaults so that someone has to physically be in possession of my device to even have a chance at getting to my vault. If they don't have that, then I'm secure in my possessions, as well as my Constitutionally-protected 4th Amendment right.

Cloud-based SaaS providers can not offer that.

BL.
 
No, it’s much safer to use the same password everywhere.
Maybe it is (lol).

Jokes aside, it's much safer to NOT give away your passwordS to cloud companies. There ARE multiplatform password managers around that can work locally on computers and there ARE sync methods that can work on LAN.
 
Maybe it is (lol).

Jokes aside, it's much safer to NOT give away your passwordS to cloud companies. There ARE multiplatform password managers around that can work locally on computers and there ARE sync methods that can work on LAN.
I’m not really concerned about cloud storage if I and only I hold the only two keys to decrypt the data.
 
The reason I haven't is because
  1. I don't want my passwords or any other sensitive data stored in the cloud. That effectively reproduces the same situation that LastPass just got hacked from, twice.
  2. While I am a Linux sysadmin, I am done with maintaining my own Linux server at home along with its own Docker container to run my own server. If I happen to be out somewhere and want or need to sync my passwords, that would mean exposing that server to the Internet, which goes back to recreating the same problem LastPass has.
I prefer having standalone clients and standalone vaults so that someone has to physically be in possession of my device to even have a chance at getting to my vault. If they don't have that, then I'm secure in my possessions, as well as my Constitutionally-protected 4th Amendment right.

Cloud-based SaaS providers can not offer that.

BL.
I generally agree, but regarding the 2nd reason, there is no need to expose your own server for syncing. Passwords are personal and there is no need to access them simultaneously from different places and they are not supposed to change every day either. You can keep the dbs locally on every device and sync only when you return home.
 
Maybe it is (lol).

Jokes aside, it's much safer to NOT give away your passwordS to cloud companies. There ARE multiplatform password managers around that can work locally on computers and there ARE sync methods that can work on LAN.
You know what is safer? Disconnecting your computer from the Internet. But, I assume that is not convenient.

I am much less likely to get in a car accident if I stay at home every day. But, we always must weigh safety versus productivity. Having my data in the cloud allows me to access my data anywhere I want and not worry that I won't have the data when I need it.

Also, I don't just put my data in the cloud, I have read the security document that 1Password publishes and understand their security design. Everyone's risk tolerance is different, so maybe you aren't comfortable. That's fine.

But, how do you know that someone has installed a trojan on your computer to read your password data? Are you sure? What about your NAS, if you store your data there? Are you sure there isn't an undiscovered flaw that is exposing the local data to the internet?
 
I generally agree, but regarding the 2nd reason, there is no need to expose your own server for syncing. Passwords are personal and there is no need to access them simultaneously from different places and they are not supposed to change every day either. You can keep the dbs locally on every device and sync only when you return home.
That is a pretty absolute statement. I would suggest that you don't know EVERYONE's situation and limit your statements to what applies to you.
 
That is a pretty absolute statement. I would suggest that you don't know EVERYONE's situation and limit your statements to what applies to you.
Please provide some real-world examples before you blame others for absolutism.
 
Please provide some real-world examples before you blame others for absolutism.
Sure,

  • I am at work and I have changed my work account password. But, my iPhone still has my old password to access my email. Because my password is sync'd between my computer and my phone, I can quickly and easily update my email password on my phone. (Sure, the alternative is to type my password by reading it from my computer screen, but, as I take security seriously, typing a 15 random character password is a PITA.)
  • I change my password to my favorite streaming service, and I want to make sure my son, who lives 1500 miles away, can login. I guess I could call him and read it over the phone. But it sure is easier to have my son just open his copy of the password manager and use the new password.
  • I have a local administrator account on the computers I manage. The password is rotated every 30 days, or whenever we are concerned the password has been compromised. Update the password, save it in our secure vault, and make sure that only those who are authorized to see the password have access. Updates are immediate.
 
You know what is safer? Disconnecting your computer from the Internet. But, I assume that is not convenient.

I am much less likely to get in a car accident if I stay at home every day. But, we always must weigh safety versus productivity. Having my data in the cloud allows me to access my data anywhere I want and not worry that I won't have the data when I need it.

Also, I don't just put my data in the cloud, I have read the security document that 1Password publishes and understand their security design. Everyone's risk tolerance is different, so maybe you aren't comfortable. That's fine.

But, how do you know that someone has installed a trojan on your computer to read your password data? Are you sure? What about your NAS, if you store your data there? Are you sure there isn't an undiscovered flaw that is exposing the local data to the internet?
If you trust WAN more than you trust LAN then the game is lost.

Maybe you do trust the bank for your money because there are no options. I like to believe that for passwords managing and data syncing there are. I know that it is not practical to carry all your data on every device in case you might need it sometimes. If you constantly need to access a great amount of specific private and confidential data from different devices and locations then you might need to reconsider some of your daily life/work routines.
 
If you trust WAN more than you trust LAN then the game is lost.
Where did I say that? Wait, I never said that! Please read my posts again.

You know what is more secure than a LAN? An air-gapped computer. You know what is even more secure? A college ruled notebook with all my passwords written down and stored in a locked safe in my house.

Security and convenience is always a balancing act. We all have a certain level of risk tolerance; obviously yours is higher than mine. But, again, because I choose to educate myself, I am confident that the difference between your security and mine is small enough (FOR ME) to accept the added risks.
Maybe you do trust the bank for your money because there are no options. I like to believe that for passwords managing and data syncing there are. I know that it is not practical to carry all your data on every device in case you might need it sometimes. If you constantly need to access a great amount of specific private and confidential data from different devices and locations then you might need to reconsider some of your daily life/work routines.
Since you don't know anything about me, I don't think you are in a position to judge my life routines.
 
I am at work and I have changed my work account password. But, my iPhone still has my old password to access my email. Because my password is sync'd between my computer and my phone, I can quickly and easily update my email password on my phone. (Sure, the alternative is to type my password by reading it from my computer screen, but, as I take security seriously, typing a 15 random character password is a PITA.)

You don't always need a server to do the syncing. For local password managers it might be as simple as sending the updated password db file to your other device (and no, sending does not exclusively mean Internet or Bluetooth).

I change my password to my favorite streaming service, and I want to make sure my son, who lives 1500 miles away, can login. I guess I could call him and read it over the phone. But it sure is easier to have my son just open his copy of the password manager and use the new password.

I could go with "A secret that is known by two people is no longer a secret" but I won't. Is there a reason you needed to change your password? (don't tell me that you forgot it ;)). Anyway, password sharing and viewing from different locations was supposed to be illegal for many services (which I hated as I was often on the move, visiting different countries), then many companies came up with family plans etc.

I have a local administrator account on the computers I manage. The password is rotated every 30 days, or whenever we are concerned the password has been compromised. Update the password, save it in our secure vault, and make sure that only those who are authorized to see the password have access. Updates are immediate.
I do not see why the secure vault needs to be on the cloud?
 
You know what is more secure than a LAN? An air-gapped computer. You know what is even more secure? A college ruled notebook with all my passwords written down and stored in a locked safe in my house.
Don't try to tin-foil me.
 