LastPass customer vaults taken in last attack.

nlinecomputers

Not good. But as stated before encryption works. The whole point of encrypting the vaults is to protect against this very scenario.
This. Whoever stole the vaults is going to try to brute force the vaults. So long as you have a sufficiently long master password (mine is over 100 characters), they'll never get access to passwords in your vault. Unfortunately I'm sure many people used stupid passwords like Shadow1!. Their passwords are going to be compromised. I think LastPass only requires like 8 characters minimum for the master passwords. My master password is a paragraph from a book, including the punctuation and a 16 digit number at the end of it. They'll never get in even if they use a dictionary brute force attack due to the punctuation and the 16 digit number. The punctuation includes ."!?' and of course spaces.

@callthatgirl Do you have cloud backup? Does the .txt file with all your passwords get uploaded to the cloud with that backup? If so, I wouldn't feel too safe. Personally, if I were to go the notepad route I'd put the file in the root of the C drive so my cloud backup wouldn't back it up. Then I'd put it on a flash drive (with a fingerprint reader so I could never forget the password) and put it in a safe deposit box in the bank and update it every now and then. I have no idea how I'd handle password management on my phone then, though. I'd have to upload the sucker to the cloud if I wanted to access it from my phone, which would totally defeat the purpose of using a .txt file in the first place. How do you manage it?
 
@nlinecomputers every tech online cringes when I say I use notepad. I'm not worried about a virus getting in my computer, finding my notepad and stealing all my online logins. I have everything backed up, so if my computer had ransomware I could wipe my computer and restore it. My important logins all have 2-step/MFA. So why is everyone worried about notepad?
 
I'm not worried about a virus getting in my computer, finding my notepad and stealing all my online logins. I have everything backed up so if my computer had ransomware,
Because not all ransomware just encrypts the data. Some ransomware ALSO uploads the data to hackers which they use to exploit or blackmail the end user. IT providers are targets because they often have client passwords as well as their own. Even if you don’t keep client passwords you are still a target because hackers don’t know that until they hack you. We cringe for a reason. What you are doing is incredibly risky.
 
@nlinecomputers considering how many online password keepers get hacked, breached and whatever, I'll stay with my risky ways.
KeePass is not online and keeps your passwords encrypted. The idea that a regular end user who has no security training is more secure than a company specialized in security is laughable. Where it’s stored isn’t the problem. The lack of encryption is.
 
My master password is a paragraph from a book, including the punctuation and a 16 digit number at the end of it.

Whatever floats your boat.

From my tutorial on passwords, and information taken from very reliable security-focused sources:
. . . via brute force 8 character passwords take 2 Hours to crack, 9 character passwords take 4 days to crack, 10 character passwords take 8 months to crack. So, as you can see just increasing a password length by a few characters makes a huge difference in how long it would take to crack them via brute force.

Going beyond 10 to 15 characters is really not going to gain you anything whatsoever. And those who stole these vaults are not going to spend 8 months plus trying to brute force master passwords on things of very uncertain value to them.
 
And those who stole these vaults are not going to spend 8 months plus trying to brute force master passwords on things of very uncertain value to them.
No, of course not. But they likely got millions of vaults. They'll probably devote a set amount of time to brute force each vault, like 2 hours or whatever. If they can't crack it by that time, they'll give up because it doesn't make sense to devote more compute resources when they can just move on to something else. But if even 1% of those million vaults used short/easily guessed passwords that can be brute forced in under 2 hours, the attack was worth the time and effort for them. Of course, they'll be trying to brute force many different vaults in parallel.

So, as you can see just increasing a password length by a few characters makes a huge difference in how long it would take to crack them via brute force.
Yeah, and we'll never need hard drives larger than 1GB. Technology continues to advance at a rapid pace. It's foolish to assume that compute power won't increase year over year, which makes it easier for passwords to be guessed with brute force. With quantum computing advancing every day, I doubt even my 100+ character password will be safe in a decade or so. Heck, even AES 256 itself will probably become compromised. It's no big deal to have a longer master password, especially if it's just a paragraph in a book + some characters that you memorize. I just keep a copy of the book on all my devices so I can copy/paste the passage and enter my 16 digit key manually. If someone got access to my computer/files and saw the PDF book they wouldn't think anything of it.
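The arithmetic behind the last few posts (crack time versus password length, a fixed per-vault time budget, and why stretching the master password matters) can be made concrete. The following is an added example, not code from the thread or from LastPass. It assumes the vault key is derived with PBKDF2-HMAC-SHA256 over the master password (the iteration count is a parameter, since real accounts vary), that an attacker verifies a guess by comparing the derived key with one recovered from known plaintext, and it uses a hypothetical guess rate, a constructed salt and a constructed four-word wordlist:

```python
"""Offline attack cost against a stolen encrypted vault (added example).

Assumptions, none taken from the thread: the vault key is
PBKDF2-HMAC-SHA256(master password, salt, iterations); an attacker can
check a guess by comparing the derived key with a known-good one; the
guess rates used below are hypothetical round numbers.
"""
import hashlib
import time

PRINTABLE_ASCII = 95  # letters, digits, punctuation and space


def keyspace(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def expected_seconds(length: int, guesses_per_second: float,
                     alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Mean time to hit a uniformly random password: half the keyspace."""
    return keyspace(length, alphabet_size) / 2 / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    value = seconds
    for name, factor in (("s", 60), ("min", 60), ("h", 24), ("d", 365.25), ("y", None)):
        if factor is None or value < factor:
            return f"{value:,.1f} {name}"
        value /= factor


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password (assumed KDF: PBKDF2-HMAC-SHA256, 32-byte key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)


def mangle(word: str):
    """Tiny cracker rule set: case variants plus a few common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "1!", "2022"):
            yield base + suffix


def crack(target_key: bytes, salt: bytes, iterations: int, wordlist, budget: int):
    """Spend at most `budget` KDF evaluations on one vault.

    Returns (password, guesses_made) on success, or (None, guesses_made) when
    the budget or the wordlist runs out: the per-vault time box from the thread.
    """
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            if guesses >= budget:
                return None, guesses
            guesses += 1
            if derive_vault_key(candidate, salt, iterations) == target_key:
                return candidate, guesses
    return None, guesses


def measured_guess_rate(iterations: int, samples: int = 20) -> float:
    """Single-core guesses per second on this machine at the given iteration count."""
    salt = b"rate-probe-salt!"
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"probe{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Hypothetical rate against an unstretched hash; PBKDF2 divides it by `iterations`.
    FAST_HASH_RATE = 1e10
    iterations = 100_000  # assumed vault setting; real accounts differ
    for length in (8, 9, 10, 15):
        plain = human(expected_seconds(length, FAST_HASH_RATE))
        stretched = human(expected_seconds(length, FAST_HASH_RATE / iterations))
        print(f"{length:2d} chars: {plain:>14} unstretched, {stretched:>14} with PBKDF2")

    salt = b"constructed-salt"  # constructed; a real vault stores its own salt
    wordlist = ["password", "shadow", "dragon", "letmein"]  # constructed wordlist
    demo_iterations = 1_000  # kept small so the demo finishes quickly
    long_master = "It was the best of times, it was the worst of times. 1859121218590416"
    for master in ("Shadow1!", long_master):
        key = derive_vault_key(master, salt, demo_iterations)
        found, n = crack(key, salt, demo_iterations, wordlist, budget=10_000)
        print(f"{master[:20]!r}: {'cracked' if found else 'not cracked'} after {n} guesses")
    print(f"this CPU: {measured_guess_rate(demo_iterations):,.0f} guesses/s "
          f"at {demo_iterations} iterations")
```

Two things the table makes visible that the posts argue over: the iteration count of the KDF buys as much as five extra characters of random password, and a wordlist-plus-rules attack finds "Shadow1!" in a few dozen guesses regardless of its length, while a passphrase outside the wordlist simply exhausts the per-vault budget.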
 


Not good. But as stated before encryption works. The whole point of encrypting the vaults is to protect against this very scenario.
What do you all think of Bitwarden?
 