Lastpass customer vaults taken in last attack.

@nlinecomputers Considering how many online password keepers get hacked, breached and whatever, I'll stay with my risky ways.
I use a text file too.
Considering the fact that I've never had a virus, don't install garbage software, don't use Google or Microsoft accounts or any social media except Signal and Steam and in over 20 years have never had a security problem, I think my .txt with random letters, numbers and symbols is fine.

Lastpass, with all their "regular end user who has no security training is more secure than a company specialized in security is laughable", got hacked... I didn't.
You can keep your passwords wherever you like -Lastpass, first pass, second pass whatever...I'll pass.
 
Lastpass, with all their "regular end user who has no security training is more secure than a company specialized in security is laughable", got hacked... I didn't.

Yes, and you are not nearly as likely to.

What you're saying is the logical analog to, "I've never been mugged, but all those banks have been robbed." There's a good reason for that, and the biggest one being that you, the individual, are a very low value target.

Effort is expended where it might, note - might, result in a significant payoff.

And all of the above is not an attempt to make you, or anyone else, change whatever practices they choose. But it is a reality check and accurate risk analysis.

I'll gladly hand my password safe to anyone who wants it. They're not going to decrypt it with current technology.
 
I use and resell LastPass. It's solid. This is what encryption is for. They can't do **** with it unless they have the master password. Change it to something new and you are golden. I've looked into Bitwarden prior to this and it's cumbersome, especially the fill process... eesh. But ya. Not worried about it.
 
Change it to something new and you are golden.
No, that's not the case here. The hackers have a copy of your vault. It's sitting on their computer, not a Lastpass server. Changing the master password will re-encrypt ONLY ON THE LASTPASS SERVER. It doesn't change what is required to decrypt the disconnected blob in possession of the hacker.
 
If you don't want to risk using an online service, that's okay. I get that. Not encrypting anything on your personal PC is stupid. "I've never got a virus. I'm not worried. I don't visit questionable sites." Really? You're visiting one now. There's no certainty that a forum can keep bad guys out. Zero-day attacks happen. Your antivirus is only as good as its latest definition file.

You encrypt key files on your devices just in case your defenses fail.

I speak from personal experience. I one time opened an infected phishing email. Why did I open it? A moment of simple inattention. My AV program Bitdefender didn't flag the embedded file. Only on activity did it shut it down. So I had damaged system files and got to submit a new virus to Bitdefender.

Lastpass' defenses failed. But if you have a good master password the bad guys are not going to get your passwords. It's not about where the file is stored, it's about how it's encrypted. At the very least do what @Diggs is doing: an encrypted Word file.
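The point made above about the stolen blob, as an added example that is not part of the original thread and not LastPass code: a toy vault service that derives a key from the master password with PBKDF2 (the 100,100 round count is the figure quoted later in this thread, used here only as a realistic cost), stores one encrypted blob per user, and "rotates" the master password the only way a server can, by re-encrypting its own copy. The cipher is an HMAC-SHA256 counter-mode stand-in with an authentication tag so that a wrong key is detected; it is not the AES-CBC a real vault uses. The vault contents are a constructed sample.

```python
import hashlib
import hmac
import os

# Round count the thread quotes for LastPass; used here only as a realistic KDF cost.
ITERATIONS = 100_100


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Master password + per-vault salt -> 256-bit vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the AES cipher a real vault uses.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag lets decrypt_vault() reject a wrong key."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the key does not match the blob."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class VaultServer:
    """What the service stores for one user: a salt and an encrypted blob."""

    def __init__(self, master_password: str, vault_plaintext: bytes):
        self.salt = os.urandom(16)
        self.blob = encrypt_vault(derive_key(master_password, self.salt), vault_plaintext)

    def change_master_password(self, old: str, new: str) -> None:
        # Rotation = decrypt with the old key, re-encrypt with the new one, overwrite the
        # copy the server holds. A copy already exfiltrated is untouched by this.
        data = decrypt_vault(derive_key(old, self.salt), self.blob)
        if data is None:
            raise ValueError("current master password is wrong")
        self.salt = os.urandom(16)
        self.blob = encrypt_vault(derive_key(new, self.salt), data)


def simulate_breach_then_rotation() -> dict:
    vault = b"example.com: hunter2\nbank.example: S3cret!"  # constructed sample vault contents
    server = VaultServer("old master", vault)

    stolen_salt, stolen_blob = server.salt, server.blob  # attacker copies the server's data
    server.change_master_password("old master", "new master")  # user reacts to the breach

    def opens(password: str, salt: bytes, blob: bytes) -> bool:
        return decrypt_vault(derive_key(password, salt), blob) == vault

    return {
        "server_copy_opens_with_new": opens("new master", server.salt, server.blob),
        "server_copy_opens_with_old": opens("old master", server.salt, server.blob),
        "stolen_copy_opens_with_old": opens("old master", stolen_salt, stolen_blob),
        "stolen_copy_opens_with_new": opens("new master", stolen_salt, stolen_blob),
    }


if __name__ == "__main__":
    for outcome, result in simulate_breach_then_rotation().items():
        print(f"{outcome}: {result}")
```

The stolen copy keeps opening with the old master password no matter what the server does afterwards, which is why the only change that actually helps is to the secrets inside the vault (the site passwords), not the lock on the copy the attacker already holds.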
 
What do you all think of Bitwarden?
I'm currently using Bitwarden. I stopped using Lastpass about 4 years ago when they had some issue with my account and I was unable to access my vault and they couldn't fix it. I moved to Dashlane at the time because Bitwarden didn't have an Android app. They do now, so I moved earlier this year to them.

For security reasons open source really is the only way to go. You have multiple eyes both inside and outside of the organization looking at your code. They have independent 3rd party audits and reasonable prices, including a free version. You also can host the stack yourself and not use any third party services if that suits you.

I think it is the best online option out there.
 
I love my Bitwarden. Bitwarden uses 256-bit AES-CBC on the vaults, and it's 100% of the vault I might add; this is the same stuff the US government uses for Top Secret data. The vulnerabilities with AES-CBC do not compromise confidentiality, but instead integrity. You mathematically have better odds of the vault being corrupted during use than someone actually gaining access.

The best quantum computer available would take 2.29*10^32 years to break AES. The universe is only about 1.38×10^10 years old. So given present technology breaking AES would require 200 times more time than the universe has existed. That's mathematically unbreakable, even if you had a botnet the size of every machine on the planet.
 
No, that's not the case here. The hackers have a copy of your vault. It's sitting on their computer, not a Lastpass server. Changing the master password will re-encrypt ONLY ON THE LASTPASS SERVER. It doesn't change what is required to decrypt the disconnected blob in possession of the hacker.
This is correct, and it means that all passwords stored on the afflicted vaults need changing too, just in case. The encryption will buy the time required to do this, it just needs doing.
 
I love my Bitwarden. Bitwarden uses 256-bit AES-CBC on the vaults, and it's 100% of the vault I might add; this is the same stuff the US government uses for Top Secret data. The vulnerabilities with AES-CBC do not compromise confidentiality, but instead integrity. You mathematically have better odds of the vault being corrupted during use than someone actually gaining access.

The best quantum computer available would take 2.29*10^32 years to break AES. The universe is only about 1.38×10^10 years old. So given present technology breaking AES would require 200 times more time than the universe has existed. That's mathematically unbreakable, even if you had a botnet the size of every machine on the planet.
Lastpass uses the same technology, so as long as you picked a unique and strong enough password your blob isn't going to be decrypted. Lastpass didn't encrypt all the data in its possession and they didn't do enough to beef up security after the initial breach. Either they only got breached once and it has taken them this long to figure out what happened (unacceptable), or they failed to rotate all credentials and allowed the bad guys back in (also unacceptable).

I moved to Bitwarden some time ago and glad I did. Lastpass is not the company that they were when founded. As usual some VC buys them out and makes cuts killing the product.
 
This is correct, and it means that all passwords stored on the afflicted vaults need changing too, just in case. The encryption will buy the time required to do this, it just needs doing.

Sorry, but if the vault password was sufficiently secure to begin with, this is really gross overkill.

The probability of any access to a password vault that has a 10-character or greater password on it is, effectively, zero.

There's no point in using a password manager if:

1. Your master password is 1234, or anything similar.
2. Theft of the vault means changing possibly hundreds of passwords.

The whole point of a strong password and encryption is to avoid access if the vault itself is stolen. Changing every password contained in a stolen vault that has a password such as 1267Milicent2& (which would take approximately 200 million years of brute force to crack) is akin to using a sledge hammer to crack a peanut. It's just not necessary.
 
@britechguy @nlinecomputers both of you are missing a critical point here.

The password has nothing to do with the encryption. The password is used to generate a key that is used to unlock the encryption. The key generation process is yet another layer of math that presumably the attackers do not have. Now, in this case perhaps they do. But that key generation system should mean that encrypted blobs must be decrypted with the key itself, and that's 256-bit long.

Good... luck...

However, if you feel your human-typed, still-short-enough-to-not-drive-you-mad password is strong enough, you're not. Not when you can steal access to half the Azure and Amazon fabrics to crack it. So yeah, you change all the passwords in the vault, because the password on the vault, assuming the key generation process has also been compromised, will not keep the attackers out for more than a few months. 14 characters of entropy that's also easily typed in simply will not withstand the assault much longer.
 
@Sky-Knight They're going after the easy targets. They're not going to devote much time to cracking each vault because they don't need to. It's all about maximizing the number of cracked vaults for how much time is spent. If they can crack 1% of the vaults by spending 2 hours or less on each one, that makes more sense than spending 100 days on each vault to crack the bottom 5%.
 
@Sky-Knight

I'm not willing to assume that the encryption can be broken. Neither does anyone in the security business seem to be willing to assume that, either. That's enough, way more than enough, for me to sleep easy.

Again, it comes down to an accurate risk analysis, and about the only risk is weak passwords on the vaults themselves, and one must have those passwords to decrypt them.

Let's not even get into how often these sorts of breaches are for "bragging rights" among a certain small group. If you were after high-value targets stealing some random collection of password vault files from who knows who is certainly not the approach to take.
 
@britechguy @nlinecomputers both of you are missing a critical point here.

The password has nothing to do with the encryption. The password is used to generate a key that is used to unlock the encryption. The key generation process is yet another layer of math that presumably the attackers do not have. Now, in this case perhaps they do. But that key generation system should mean that encrypted blobs must be decrypted with the key itself, and that's 256-bit long.

Good... luck...

However, if you feel your human-typed, still-short-enough-to-not-drive-you-mad password is strong enough, you're not. Not when you can steal access to half the Azure and Amazon fabrics to crack it. So yeah, you change all the passwords in the vault, because the password on the vault, assuming the key generation process has also been compromised, will not keep the attackers out for more than a few months. 14 characters of entropy that's also easily typed in simply will not withstand the assault much longer.
Depends if the salts were taken as well. They also need to know the exact number of rounds used. LP says they use 100,100, but I would bet that each vault has a random slight variation on that: 100,083 for one, 100,113 for the next, and so on.

Online services are expensive. Buying out 20 or so VMs to crack a blob is going to cost $1000 per day. Can't see hackers doing that. Using crypto mining has hardware upfront costs and electric costs. If encrypted blobs were that easy to crack there'd be no point.
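The disagreement in the last few posts (whether a 10- or 14-character master password, salts and a round count of 100,100 keep an offline attacker out) comes down to arithmetic, so here is an added example, not part of the original thread and not LastPass code, that makes the cost model explicit. It derives keys with PBKDF2-HMAC-SHA256 at the round count quoted above, runs a small dictionary attack against one constructed vault key, measures how many guesses one CPU core of the machine running it manages per second, and turns a hypothetical attacker rate (one million guesses per second, an assumption, not a figure from the thread) into expected crack times for a few password shapes. The "Summer2022!" master password and the wordlist are constructed for the demo.

```python
import hashlib
import os
import time

ITERATIONS = 100_100  # round count the thread quotes for LastPass
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One guess = one PBKDF2-HMAC-SHA256 run; the iteration count is the attacker's cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def measure_guess_rate(seconds: float = 0.5, iterations: int = ITERATIONS) -> float:
    """Guesses per second on one CPU core of this machine (a GPU rig does far more)."""
    salt = os.urandom(16)
    n = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_key(f"guess{n}", salt, iterations)
        n += 1
    return n / (time.perf_counter() - start)


def expected_crack_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time for a uniformly random password: on average half the keyspace is searched."""
    return (alphabet_size ** length) / 2 / guesses_per_second / SECONDS_PER_YEAR


def dictionary_attack(target_key: bytes, salt: bytes, wordlist, iterations: int = ITERATIONS):
    """Offline attack on one stolen vault: try candidates until the derived key matches.
    Returns (password, guesses_used) or (None, guesses_used)."""
    for n, candidate in enumerate(wordlist, 1):
        if derive_key(candidate, salt, iterations) == target_key:
            return candidate, n
    return None, len(wordlist)


def demo() -> dict:
    # Constructed sample: one vault whose master password follows a common pattern.
    salt = os.urandom(16)
    target = derive_key("Summer2022!", salt)
    wordlist = ["password", "Password1", "Summer2022!", "letmein", "Winter2022!"]
    found, guesses = dictionary_attack(target, salt, wordlist)

    # A second vault with the same master password but its own salt: the work above
    # cannot be reused, each vault costs the attacker a fresh run over the wordlist.
    other_salt = os.urandom(16)
    reusable = derive_key("Summer2022!", other_salt) == target

    attacker_rate = 1e6  # hypothetical GPU-rig rate against 100,100 rounds; an assumption
    return {
        "cracked": found,
        "guesses_used": guesses,
        "work_reusable_across_salts": reusable,
        "local_guesses_per_second": round(measure_guess_rate()),
        "years_8_lowercase": expected_crack_years(26, 8, attacker_rate),
        "years_10_printable": expected_crack_years(95, 10, attacker_rate),
        "years_14_printable": expected_crack_years(95, 14, attacker_rate),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things fall out of running it. A master password that is on a wordlist is found after a handful of guesses regardless of the round count, so the iteration count only multiplies the cost of each guess; it is the entropy of the password that decides how many guesses are needed. And because every vault carries its own salt, cracking effort does not transfer from one stolen vault to the next, which is what makes the "spend two hours per vault on the easy ones" economics described earlier in the thread the realistic attacker behaviour.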
 
However, if you feel your human-typed, still-short-enough-to-not-drive-you-mad password is strong enough, you're not.

I'm not what?

The fact that multiple password strength sites give figures from centuries to hundreds of centuries is more definitive than your opinion, by far.

I have no idea what your beliefs are based upon. I know what mine are.
 