Lastpass customer vaults taken in last attack.

Thanks for posting that @nlinecomputers. Steve Gibson is the reason I went with LastPass years ago. He's smart and ultra-paranoid, and when he recommended LP back in the day it was quite an endorsement.
 
Clients: What do you use for passwords
Me: Notepad

The end.
It reminds me of the way a client of mine manages his passwords.
1) he chooses a master password, let's say 12345
2) for each website, he will create a password which includes the master password.
e.g. for Technibble, it may be tech12345aa$$
3) he writes it down in his notepad this way: Technibble: tech*aa$$

This way, he only needs to memorize the master password and the fact that "*" means the master password...
 
I just switched to BitWarden the other week from LP. Changed all "critical" site passwords just to save my ass. But yeah, this works a lot better, especially cross-platform with macOS and Windows since I use both.
 
> This way, he only needs to memorize the master password and the fact that "*" means the master password...

An almost exact reiteration of my frequently posted The Portmanteau Method of Creating Passwords.

And if you're smart about what you use, you get passwords that would take forever to break with currently available methods (all of 'em). It is easy to use "a system" to create passwords that are really memorable to you, the individual, and insanely strong at the same time.
 
> It reminds me of the way a client of mine manages his passwords.
> 1) he chooses a master password, let's say 12345
> 2) for each website, he will create a password which includes the master password.
> e.g. for Technibble, it may be tech12345aa$$
> 3) he writes it down in his notepad this way: Technibble: tech*aa$$
>
> This way, he only needs to memorize the master password and the fact that "*" means the master password...

tech*aa$$ takes 13 hours to defeat. Have fun with those bad habits! The longer one of tech12345aa$$ is 5 whole days.

If you want passwords that take time to break, you must have them at least 17 characters long. Passwords are just bad... we all need to stop using them. As GPU tech advances they keep needing to be LONGER! We've long since blown past the age of being able to be sane with passwords. The only way one can do it now is using a manager, and memorizing one stupid long password to use for it. Anything less is just not good enough, I'm sorry.

@McFarland IT Welcome to team Bitwarden! They've worked really well for me for years.
 
I learned a trick on TikTok, I love it.

3 security questions. Pick 3:

What is the name of the town you were born in?
town

Your mother's maiden name?
maiden

Your TV show?
tv

😂
 
> 5 whole days.

Which is way, way, way longer than anyone is going to spend on any random password safe that likely contains nothing of use.

If you honestly believe that those who stole the recent batch of password vaults are going to dedicate the time needed to get into all of them, I have some oceanfront property in Omaha for you to look at. [Lengths of 12 and 13, respectively.]

My password for my Microsoft Account would take 14 days to crack according to the Bitwarden site. The one on my password vault, which is easier to guess, in my personal opinion, is estimated to take 2 years. [Lengths of 12 and 13 characters, respectively.]

The death of the password has been predicted for decades now. Like Twain's death, those reports have been greatly exaggerated.
 
Interesting. Been immersed in this subject today. I had been looking at entropy calculators and then played with this. I made a password with just numbers, but 21 digits, actually it was just three 7 digit phone numbers. Bitwarden said it would take centuries to crack. The entropy calculator at https://timcutting.co.uk/tools/password-entropy said "That'll do nicely!"
 
The problem with these password strength tools is that they are unrealistic. They can't really take into account salting of hashes or the rounds of hashing, the re-encrypting of the hash 100,000 or more times. This makes your password a lot stronger.

They are also unrealistic as they assume only one processor is going to attack the blob. Rob's @Sky-Knight point is that botnets or mining rigs are going to be leveraged en masse to attack your blob. This greatly reduces the time needed to crack them.
 
> They are also unrealistic as they assume only one processor is going to attack the blob. Rob's @Sky-Knight point is that botnets or mining rigs are going to be leveraged en masse to attack your blob. This greatly reduces the time needed to crack them.

And, yet, there are not (yet) any reports of widespread successful cracking of these passwords/password vaults.

Most cyber crime, except for the very strategically targeted at very high-value targets, is the equivalent of "smash and grab." It's also very often about bragging rights among those who do this for fun rather than with any intent about using what's gotten.

I've personally been a part of two of the biggest data breaches in US history - Anthem and Equifax. With identity theft monitoring in place since very shortly after both, none of my information has ever shown up anywhere. The shelf-life of the stolen data as useful for anything was very short indeed, and that's when it was "right there for the thief to look at."

When I hear of all those LastPass vaults having been cracked, then I'll worry. I'm not losing sleep over it until then, and I doubt that I'll ever have any reason to worry.

Smash and grab isn't done for intense effort after the fact. And most of those vaults would have very low value if even only the passwords for banking and things like credit cards were to be changed. And anyone who's had one of these stolen should have done that for their actual high-value accounts anyway.
 
It's gonna take a long while. The bad guys got the blobs. I assume that they didn't get hash files. In a hash attack you punch in a password, compute the hash and compare it to the stolen hash. If they match then you know you have the correct password. This situation has to attempt to fully decode the blob. To automate this they will have to build something that can parse the results automatically each time they attempt it and decide that they have valid data and not gibberish.
 
> It's gonna take a long while.

And any "high-value" information contained in them will have been changed long, long, long before they succeed. And it's also equally likely that nothing will happen, because if they can't get it quick, it's of almost no use.

If cyber-thieves cannot extract something of value very promptly, they move along to something else that's likely to yield results in the very short term. Cyber-crime, even including identity theft, has never been "a long game."

History bears this out again, and again, and again.
 
> And any "high-value" information contained in them will have been changed long, long, long before they succeed. And it's also equally likely that nothing will happen, because if they can't get it quick, it's of almost no use.
>
> If cyber-thieves cannot extract something of value very promptly, they move along to something else that's likely to yield results in the very short term. Cyber-crime, even including identity theft, has never been "a long game."
>
> History bears this out again, and again, and again.

Exactly. This is WHY encryption, while not perfect, is, in almost all cases, including this clusterfrak of a hack, good enough.
 
@nlinecomputers

Knowing what's sufficient is how accurate risk assessments are made. Focus should be on the probable, not the remotely (often very, very remotely) possible when deciding level of risk and plans of action in light of actual risk.

Risk on this hack is, from a practical standpoint, very low indeed. Minimal actions are required to ensure one's safety, and in most cases I suspect that no action would be sufficient, but since changing passwords for high-value things like banking, credit cards, etc., is so easy, it should just be done. But changing all passwords, no.
 
> Which is way, way, way longer than anyone is going to spend on any random password safe that likely contains nothing of use.
>
> If you honestly believe that those who stole the recent batch of password vaults are going to dedicate the time needed to get into all of them, I have some oceanfront property in Omaha for you to look at. [Lengths of 12 and 13, respectively.]
>
> My password for my Microsoft Account would take 14 days to crack according to the Bitwarden site. The one on my password vault, which is easier to guess, in my personal opinion, is estimated to take 2 years. [Lengths of 12 and 13 characters, respectively.]
>
> The death of the password has been predicted for decades now. Like Twain's death, those reports have been greatly exaggerated.


The problem is you're not looking forward. You're staring at your feet. It's too late to bring this issue up once it happens.

Microsoft, Amazon, and Google ALL have machine learning systems getting faster, cheaper, and easier to use by the day. ChatGPT keeps getting into the news because of the human things you can ask it, and the detailed and extremely rapid responses you get back. Though, at times inaccurate... but most of the time it works perfectly and that's good enough.

What does that mean? It means data mining technologies used by huge tech providers are now easily and readily available to normal people. This means huge distributed, trusted, and decentralized systems can be tasked with working on those LastPass vaults, or whatever else anyone can come up with to have them work on. They only need to be right 1% of the time to do BILLIONS in damage, and since the process is fully automated (which it already is), it's only a matter of time before any individual person gets hit.

Passwords are no longer a viable means of authentication. Something you know simply cannot be complex enough, and something you are is too easily compelled, so we're left with something you have.

And that is not Fort Knox, it's a regular dead bolt on the front door level security now.

And the most damning part? Capitalism is fueling this. Stopping it is like trying to stop the expansion of freedom itself, which doesn't go in great places historically. Money, Motive, and Opportunity is now in the hands of the lowest common denominator. Buckle... up...

In the meantime, if you use a password manager lengthen that master password to buy yourself more time. Lastpass's primary mistake was not enforcing proper password use on their clients. Bitwarden doesn't either! And the goalpost keeps moving.
 
> The problem is you're not looking forward. You're staring at your feet. It's too late to bring this issue up once it happens.
>
> Microsoft, Amazon, and Google ALL have machine learning systems getting faster, cheaper, and easier to use by the day. ChatGPT keeps getting into the news because of the human things you can ask it, and the detailed and extremely rapid responses you get back. Though, at times inaccurate... but most of the time it works perfectly and that's good enough.
>
> What does that mean? It means data mining technologies used by huge tech providers are now easily and readily available to normal people. This means huge distributed, trusted, and decentralized systems can be tasked with working on those LastPass vaults, or whatever else anyone can come up with to have them work on. They only need to be right 1% of the time to do BILLIONS in damage, and since the process is fully automated (which it already is), it's only a matter of time before any individual person gets hit.
>
> Passwords are no longer a viable means of authentication. Something you know simply cannot be complex enough, and something you are is too easily compelled, so we're left with something you have.
>
> And that is not Fort Knox, it's a regular dead bolt on the front door level security now.
>
> And the most damning part? Capitalism is fueling this. Stopping it is like trying to stop the expansion of freedom itself, which doesn't go in great places historically. Money, Motive, and Opportunity is now in the hands of the lowest common denominator. Buckle... up...
>
> In the meantime, if you use a password manager lengthen that master password to buy yourself more time. Lastpass's primary mistake was not enforcing proper password use on their clients. Bitwarden doesn't either! And the goalpost keeps moving.

I'm not convinced that we have reached the point of being able to affordably leverage enough CPUs to crack these passwords in a realistic amount of time. If that is the case then NO online password storage is safe, because they all can be hacked and stolen. If 50 bits of entropy isn't enough then we are all probably screwed. I don't think we are at that point yet.
 
> Passwords are no longer a viable means of authentication. Something you know simply cannot be complex enough, and something you are is too easily compelled, so we're left with something you have.
And that can't be applied to any stolen blob. Everything is password only at the root.
 
> I'm not convinced that we have reached the point of being able to affordably leverage enough CPUs to crack these passwords in a realistic amount of time. If that is the case then NO online password storage is safe, because they all can be hacked and stolen. If 50 bits of entropy isn't enough then we are all probably screwed. I don't think we are at that point yet.
Not CPUs... GPUs. A 3090 alone can beat a 7 character password in 15min. Let that sink in a bit... Machine Learning is kicking our collective butts on this one. (Many of the stolen lastpass vaults were encrypted with these crap passwords too!)

50 characters is plenty for protection (for now), but insane for users because they have to type that monster in every time they want to use it. Or, they weaken security via PIN or biometric use for unlocks. Though that's still a preferable alternative, because the baseline encryption gets the required entropy.

I defer to Bitwarden's docs on this, because they're quite good: https://bitwarden.com/blog/picking-the-right-password-for-your-password-manager/

Also, those three word passphrases... they're one of the few ways to get the length you need without it being a memory problem. And people with stronger memories could probably do that alone on everything and not need a manager. I'm not so lucky.

But I too do not worry about strongly encrypted vaults, they'll be locked for decades at least and the data will be long stale by the time they're unlocked. Of course, we're only 1 undiscovered vulnerability in AES away from that changing. But it's easier to update an encryption algorithm in an app than it is to replace all those passwords. Which only brings more value to the vault as a service idea, assuming the company managing it is keeping up. Lastpass didn't, we'll see if Bitwarden does over the long haul.
 
What am I missing? Is there anything anywhere anymore that doesn't lock the account after 3-5 bad password tries? You can't hammer a server with millions of tries for 5 days. Those days are long gone, I thought.
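As an added example (not code from this thread, from LastPass, or from Bitwarden), the Python script below puts three points made earlier into something runnable: the post about strength meters ignoring salting and KDF rounds, the post about an attacker having to decode the blob and tell real data from gibberish, and the question just above about lockouts. It builds a toy blob whose key comes from PBKDF2-HMAC-SHA256, runs an offline dictionary attack that can only recognise a correct guess by whether the decryption parses as the expected JSON, and projects the time to exhaust a 50-bit keyspace as attacking devices are added. The iteration count `ITERATIONS`, the SHA-256 counter-mode toy cipher, the 1e5 guesses-per-second-per-device rate, the sample vault and the helper names (`seal`, `try_open`, `dictionary_attack`, `seconds_to_exhaust`) are all assumptions for illustration; the toy cipher is not how any real vault encrypts data and must not be reused. Nothing in the guessing loop talks to a server, which is why account lockouts do not apply to a stolen blob.

```python
# Added example, not code from the thread or from any password manager.
# Builds a toy password-protected blob, runs an offline dictionary attack
# against it, and projects attack time from the measured cost of one guess.
import hashlib
import json
import os
import time

ITERATIONS = 100_000  # assumed KDF work factor; real products set their own


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> 32-byte key via PBKDF2-HMAC-SHA256. The iteration count is
    the cost every single guess must pay, which web strength meters ignore."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode XORed over the data. A
    stand-in so the example needs only the standard library; NOT a real cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(password: str, vault: dict, iterations: int = ITERATIONS) -> dict:
    """Encrypt a vault (a JSON object) under a password-derived key."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    plaintext = json.dumps(vault).encode("utf-8")
    return {"salt": salt, "iterations": iterations, "ct": _xor_keystream(key, plaintext)}


def try_open(blob: dict, candidate: str):
    """Return the vault if `candidate` is the password, else None.
    There is no stored hash to compare against: the only oracle is whether
    the decrypted bytes parse as the structure a vault is expected to have."""
    key = derive_key(candidate, blob["salt"], blob["iterations"])
    plaintext = _xor_keystream(key, blob["ct"])
    try:
        data = json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return data if isinstance(data, dict) and "entries" in data else None


def dictionary_attack(blob: dict, wordlist):
    """Offline guessing loop. No server is involved, so no lockout applies.
    Returns (password, guesses_made) or (None, guesses_made)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if try_open(blob, word) is not None:
            return word, guesses
    return None, guesses


def seconds_per_guess(blob: dict, samples: int = 3) -> float:
    """Cost of one guess in this process on one CPU core. A GPU cracker does
    the same PBKDF2 work far faster, so treat this as an upper bound."""
    start = time.perf_counter()
    for i in range(samples):
        try_open(blob, f"wrong-guess-{i}")
    return (time.perf_counter() - start) / samples


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float, devices: int = 1) -> float:
    """Worst-case time to try the whole keyspace with `devices` in parallel."""
    return 2.0 ** entropy_bits / (guesses_per_second * devices)


if __name__ == "__main__":
    # Constructed sample vault and a tiny wordlist built from the "master
    # token wrapped per site" scheme discussed in the thread.
    vault = {"entries": [{"site": "example.test", "user": "alice", "pw": "hunter2"}]}
    blob = seal("tech12345aa$$", vault)
    found, n = dictionary_attack(blob, ["12345", "tech12345", "tech12345aa$$"])
    print(f"recovered {found!r} after {n} guesses")
    cost = seconds_per_guess(blob)
    print(f"{cost * 1000:.1f} ms per guess at {ITERATIONS} iterations on one core")
    # Assumed rate, not a benchmark: 1e5 guesses/s per device against 50 bits.
    for devices in (1, 1000):
        years = seconds_to_exhaust(50, 1e5, devices) / (365 * 86400)
        print(f"50 bits at 1e5 guess/s x {devices} devices: ~{years:.1f} years worst case")
```

Run it directly to see the password recovered from the constructed wordlist, the measured per-guess cost, and how the 50-bit projection shrinks by exactly the number of devices thrown at it. The model deliberately ignores the GPU speed-up and any structure in real passwords; its purpose is to show that once the blob is in the attacker's hands, guess cost (KDF rounds) and attacker parallelism are the only two numbers that matter, and a login lockout is not one of them.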
 