Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

maflynn

macrumors Haswell
Original poster
May 3, 2009
71,210
40,046
LastPass users: Your info and vault data is now in hackers’ hands

Password manager says breach it disclosed in August was much worse than thought.

The hits keep on coming for lastpass. The August hacking was worse then previously reported
Notice of Recent Security Incident

I've said this on a prior to the August hacking, in that LastPass' track record is so poor that it would be incredibly foolish to keep your data with them. They downplayed the issue in August and September but it looks like these "bad actors" have people's encrypted and unencrypted data.
 

russell_314

macrumors 603
Feb 10, 2019
5,247
7,464
USA
LastPass users: Your info and vault data is now in hackers’ hands



The hits keep on coming for lastpass. The August hacking was worse then previously reported
Notice of Recent Security Incident

I've said this on a prior to the August hacking, in that LastPass' track record is so poor that it would be incredibly foolish to keep your data with them. They downplayed the issue in August and September but it looks like these "bad actors" have people's encrypted and unencrypted data.
That's scary! I would never use LastPass after they had multiple data breaches and how they handled them. I've always worried a little about password managers because you're keeping all of your eggs in one basket. I use 1Password but I still worry a little bit.
 
  • Like
Reactions: PhoenixDown

AndyMacAndMic

macrumors 6502a
May 25, 2017
994
1,512
Western Europe
LastPass users: Your info and vault data is now in hackers’ hands



The hits keep on coming for lastpass. The August hacking was worse then previously reported
Notice of Recent Security Incident

I've said this on a prior to the August hacking, in that LastPass' track record is so poor that it would be incredibly foolish to keep your data with them. They downplayed the issue in August and September but it looks like these "bad actors" have people's encrypted and unencrypted data.

It never occurred to me that giving all your personal log in information to a big company getting targeted by all the hackers in the world all the time, because the whole world knows all log in info is kept there, is a risky thing to do!
 

ginkobiloba

macrumors 6502a
Jul 2, 2007
596
1,619
Paris
And that’s why i won’t use 1password‘s cloud service, even though they’re doing everything they can to force stand-alone users to move to it ( and it’s subscription model). I’m already looking for alternatives.
 
  • Like
Reactions: msackey and Blaine

maflynn

macrumors Haswell
Original poster
May 3, 2009
71,210
40,046
1password‘s cloud service,
Cloud based solutions, regardless of who you go to carry a measure of risk. I use bitwarden and my details are on the cloud but they audit their systems, the software is open source and if push comes to shove, you can self host. I have a measure of confidence. If I host on my own server, is that any safer? Apple's iCloud with their keychain offers a measure of confidence. I also have a measure of confidence with 1Password.

My problem with last pass is that this isn't the first time its happened. They seem to continually downplay the issues, but it keeps happening.
 

ericwn

macrumors G4
Apr 24, 2016
11,223
9,466
And that’s why i won’t use 1password‘s cloud service, even though they’re doing everything they can to force stand-alone users to move to it ( and its subscription model). I’m already looking for alternatives.
1Password data is however encrypted with two keys that only the end user knows so wether or not their data center is breached is not necessarily a problem.
 
  • Like
Reactions: kitKAC and chabig

circatee

macrumors 68020
Jul 18, 2020
2,127
1,479
Well, am certainly glad that I switched to 1Password, from LastPass, when I did.
 

Webcat86

macrumors regular
Jun 7, 2022
200
63
As I understand it, 1Password has a much stronger system.

And LastPass is also light years behind in terms of UX and UI.
 

southerndoc

Contributor
May 15, 2006
1,744
472
USA
Cloud based solutions, regardless of who you go to carry a measure of risk. I use bitwarden and my details are on the cloud but they audit their systems, the software is open source and if push comes to shove, you can self host. I have a measure of confidence. If I host on my own server, is that any safer? Apple's iCloud with their keychain offers a measure of confidence. I also have a measure of confidence with 1Password.

My problem with last pass is that this isn't the first time its happened. They seem to continually downplay the issues, but it keeps happening.
Open source doesn't in itself make things more secure. If anything, it allows users to look through source code to find vulnerabilities.

LastPass will probably up its game. I'm sure a lot of people will cancel their subscriptions over this. Fewer subscribers and beefing up their security will make it even more secure. The likelihood of a threat actor getting usernames and passwords without the master password is pretty remote. A brute force attack on 256-bit AES would take >1 billion billion years with most supercomputers. Is it possible? Yes, anything is possible. Is it likely? Highly unlikely that they will get raw data. Despite this, I changed ALL of my website passwords after resetting my master password and upping my PBKDF2 to 310,000 as recommended by OWASP.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
71,210
40,046
Open source doesn't in itself make things more secure. If anything, it allows users to look through source code to find vulnerabilities.
I'm of the opinion is that more eyes on the source code, allow the closure of those vulnerability. The conventional wisdom in the security sector is secretive policies are more risky then peer review policies.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
71,210
40,046
Well, am certainly glad that I switched to 1Password, from LastPass, when I did.
While the latest upgrade, and changes that Agilebits made has turned off some users. I think 1PAssword is a solid product and the risk is lower then LastPass. I will say like BitWarden the risk is still there but if companies do their due diligence and make security their priority unlike what lastpass has been doing, then I think its an acceptable risk

For current and prior lastpass users - I think its in their best interest to start changing their passwords, particularly for their credit cards and banks. Just to be safe.
 
  • Like
Reactions: VineRider

KaliYoni

macrumors 65816
Feb 19, 2016
1,122
2,502
For anybody interested, this is another good overview of this latest breach plus some suggested actions:
 
  • Like
Reactions: VineRider

msackey

macrumors 65816
Oct 8, 2020
1,142
1,184
1Password data is however encrypted with two keys that only the end user knows so wether or not their data center is breached is not necessarily a problem.

I’m a 1Password user so it surprised me to hear that the data is encrypted by two keys. I only have one. Or am I not understanding? Or is what you say only applicable to those who use 1Password’s cloud server?

I use 1Password7 and my vault is not on 1Password servers but on other cloud servers.
 

VineRider

macrumors 65816
May 24, 2018
1,169
949
For anybody interested, this is another good overview of this latest breach plus some suggested actions:
Good article. Thanks for sharing this….
 

VineRider

macrumors 65816
May 24, 2018
1,169
949
I’m a 1Password user so it surprised me to hear that the data is encrypted by two keys. I only have one. Or am I not understanding? Or is what you say only applicable to those who use 1Password’s cloud server?

I use 1Password7 and my vault is not on 1Password servers but on other cloud servers.
Do you have a secret key in addition to your master password? Those are used to create the encryption keys.
 
  • Like
Reactions: ericwn

ericwn

macrumors G4
Apr 24, 2016
11,223
9,466
I’m a 1Password user so it surprised me to hear that the data is encrypted by two keys. I only have one. Or am I not understanding? Or is what you say only applicable to those who use 1Password’s cloud server?

I use 1Password7 and my vault is not on 1Password servers but on other cloud servers.
Not sure how their legacy systems work but any user with a cloud subscription has their data secured by their account pw and their unique secret key.
 

msackey

macrumors 65816
Oct 8, 2020
1,142
1,184
In addition, you can enable 2-factor authentication with 1Password to make it even more secure...

Yeah that sounds like those who use the 1Password cloud service, which is practically anyone who has a subscription. I don’t have one. I have a one time license for up to 1Password 7.x
 

Fishrrman

macrumors Penryn
Feb 20, 2009
25,817
10,668
I've never used a software "app" to control passwords.

Instead, I created a simple database (using the free "iData").
Currently at over 130 entries.

On my MacBook Pro, I created a small encrypted disk image that requires a password to open.
I store my password database in the disk image.

When I need to check a password (and it seems that as I get older, I'm checking it a LOT), I just mount the disk image with the password. Then "it's all there".

When done, just dismount the disk image again.
 
  • Like
Reactions: rhett7660

Nozuka

macrumors 68040
Jul 3, 2012
3,195
5,285
I don't mind using a cloud password manager for convenience, since most of the logins are just not important to me, just a necessity.
And the few that are important are all MFA protected. (just don't store 1 time keys with that same provider ;) )
But that is obviously a decision everyone has to make for themselves.


I've always wanted to try out 1password, but was always too lazy, because when you switch provider you should also change all the important passwords afterwards, since your data will likely still remain at the other provider, even if you delete your account. It is very unlikely that you will also get removed from their backups, for example.

But after this hack, i would have changed the passwords anyway, so this was a perfect opportunity.
And i have to say: thank god it happened! 1password integration on both iOS and MacOS is so much better.

Migration was also very easy... just export on LastPass and import on 1password.
 

Fishrrman

macrumors Penryn
Feb 20, 2009
25,817
10,668
HDFan asked:
"How do you get your passwords on an iPhone, iPad?"

I don't own any iOS devices.
In fact, I'm one of the few people you'll ever meet who has never owned a smartphone of any kind, and never will.
Look at the avatar, that should tell you about me...
 
Last edited:
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.