I would need proof before I admitted it.
I'm on the same page. Ending a snarky comment with "LOL" suggests much younger.

I think one of your positions is that 1Password is no more secure than iCloud keychain, since 1Password keeps the account key in the keychain. I don't draw that conclusion for two reasons.

1 - The Keychain entry for 1Password's account key (secret key) has the comment:
1Password Touch ID and Apple Watch Unlock Key

Your account key is encrypted by the Secure Enclave and then saved in this item. Learn more about the security of using Touch ID or Apple Watch to unlock 1Password: https://support.1password.com/touch-id-apple-watch-security-mac/

This key is stored in a format that Keychain Access doesn’t understand, so you won’t be able to reveal its password.

This does suggest more security than what is suggested by the simple statement "1Password keeps the account key in Keychain".

2 - 1Password's security hinges on more than just the account key (as @Mr. Heckles reminded me). I picture myself hanging from a cliff's edge with my three arms.

- my baby arm - That's my confidence that 1Password's enterprise practices adequately safeguard my vault.

- my regular arm - That's the security of my well-chosen master password which only exists in my mind.

- my arm on steroids - That's the account key.

The fact that the account key is in my iCloud Keychain does weaken that third arm, but I really can't say by how much.

On the other hand, iCloud's security is based on AppleID and a password. I believe that if you know those two, you can recover your Keychain. It may be that if you don't have any old devices or access to the recovery email or phone number, it would require a call to Apple. But, that seems comparatively weak thanks to social engineering tricks.

Please correct me if someone knows that it is impossible to recover my iCloud account with JUST my AppleID and password.

So, three arms versus one, while hanging from a cliff's edge. And then there's trust in the software. Apple has proven to me time and again that it writes buggy software. I have no evidence that 1Password does. I trust 1Password's competence and reliability in this arena more than I do Apple's. But, that's just my gut talking.
 
On the other hand, iCloud's security is based on AppleID and a password. I believe that if you know those two, you can recover your Keychain
It's not exactly the case. You also have to authorize the iCloud login on a different device via a push notification to your other devices to authorize the login. It's a 2FA that doesn't use SMS - I don't remember if there is a way to bypass the 2FA push notification request. There may be a way to fall back to SMS (I'm not sure about it right now).

iCloud has a native mechanism to distribute the master encryption key among all devices belonging to the same user, whereas 1Password relies on iCloud for this capability. 1Password claims they don't store the master encryption key in their cloud because (and this is the whole point) they store this master encryption key in iCloud keychain, relying on iCloud and its security to carry their weight.
 
Other password managers can also have a free tier: e.g. Bitwarden has a free tier with all features a typical private user needs.

The big advantage of iCloud is its out-of-the-box integration with Apple products. Its drawback is of course the other side of the medal: lack of integration with non-Apple products.
And that disadvantage is something that fortunately I don't need and don't care about.
 
iCloud has a native mechanism to distribute the master encryption key among all devices belonging to the same user, whereas 1Password relies on iCloud for this capability. 1Password claims they don't store the master encryption key in their cloud because (and this is the whole point) they store this master encryption key in iCloud keychain, relying on iCloud and its security to carry their weight.

It doesn't have to be that way with 1Password and it used to not be. They used to ask you to print out the recovery information which could be used to recreate the account key. In fact, I just rebuilt my Windows machine and I set it all up manually using that information.

I submitted a feature request to the 1Password forums asking that storing the key in the Keychain be optional. I'm not sure why they are forcing that.
 
And that disadvantage is something that fortunately I don't need and don't care about.

You can definitely ignore that disadvantage if it's irrelevant for your personal situation, but you cannot ignore it if you want to give others a fair and informative suggestion about which password manager is best for them to use.
 
Apparently you are too young to remember how long LOL has actually been around. LOL

Probably older than you. I was working on Sun workstations in the 80's.

And yeah, I could end that sentence with "LOL", but I'm not really laughing. I tend to not laugh at people or chuckle when I think I'm being clever.
 
Probably older than you. I was working on Sun workstations in the 80's.

And yeah, I could end that sentence with "LOL", but I'm not really laughing. I tend to not laugh at people or chuckle when I think I'm being clever.

I was programming in IBM 360 assembler and Fortran in the 80s.
 
I was programming in IBM 360 assembler and Fortran in the 80s.

Fortran in the 70's for me. I mentioned the 80's because that's when I started reading newsgroups and getting exposure to how people behave online.

OK. You've convinced me you're old. :)
 
Fortran in the 70's for me. I mentioned the 80's because that's when I started reading newsgroups and getting exposure to how people behave online.

OK. You've convinced me you're old. :)

You will all have me bowing in deference if you were one of the computers (read: ladies/mathematicians) who computed Alan Shepard's re-entry angle from his first flight in space that was referenced in Hidden Figures.

😁

BL.
 
You will all have me bowing in deference if you were one of the computers (read: ladies/mathematicians) who computed Alan Shepard's re-entry angle from his first flight in space that was referenced in Hidden Figures.

😁

BL.

LOL

Sorry, I wish. Though, I was a mathematician (in the 80's, not the 60's). I would LOVE to have someone bow to me in deference, but I think I have to do something significant and time is running out. OR...

Do you take PayPal?
 
LastPass has now reported that hackers did get their hands on customer backup vaults. If the hackers are able to guess or brute force the customer vaults, a lot of people are going to be in bad trouble.


 
LastPass has now reported that hackers did get their hands on customer backup vaults. If the hackers are able to guess or brute force the customer vaults, a lot of people are going to be in bad trouble.



And that is the entire problem. The very fact that they have customer vaults is a serious breach and why people should not feel safe or secure in the false belief that because a malicious user has their vault that their data is safe.

BL.
 
And that is the entire problem. The very fact that they have customer vaults is a serious breach and why people should not feel safe or secure in the false belief that because a malicious user has their vault that their data is safe.

BL.
Absolutely correct. This is a horrible situation for a lot of people who are probably not tech savvy to begin with. Your warning should be heeded by all regardless of password manager used.
 
Absolutely correct. This is a horrible situation for a lot of people who are probably not tech savvy to begin with. Your warning should be heeded by all regardless of password manager used.

I could count the times I posted that same warning in this and other threads about this issue and was countered with the "it won't matter because they need to crack my vault to get to my data!"...

Now, those hackers have the vault.

BL.
 
I could count the times I posted that same warning in this and other threads about this issue and was countered with the "it won't matter because they need to crack my vault to get to my data!"...

Now, those hackers have the vault.

BL.
1Password subs are a huge target, in my opinion.

I am not big on lawsuits, but I think LastPass needs to be sued by its users.
 
As I remember, someone said "Those who live in the cloud, will die in the cloud."

Oh, yeah. That was me. Eventually someone is going to take down a major cloud provider and with it the livelihood of tens of thousands of businesses. But heck, it beats the heck out of having your own hardware and having to pay some geek to keep it safe, right? After all, we already have a notice ready to post - "We take our customers' security seriously and are continually working to enhance our..." Ad infinitum BS.
 
Man, that is bad news for those who used LastPass. I can just imagine the target that is on 1Password's online users. Someone will be trying to find a way, I am sure. Imagine having your credit card or other financial details on LastPass when this hack happened. That would be such a headache, just thinking about what you would need to do now. :shudder:

Offline storage is the best place for passwords and any important information.
 