LastPass Data Breach - Password Security 101
- Published: 26 Dec 2022
- In this episode of CyberTalk, I discuss the latest LastPass data breach (December 2022) and outline a failsafe password management policy for you, your family, and/or your business.
The following is a set of password security and management guidelines you should follow:
1. Generate secure, random, and complex passwords.
2. Use a new and unique password for every account.
3. Store your passwords with an offline password management database/vault like KeePass.
4. Take regular backups of your password database/vault and store them in a secure location (preferably only known to you).
5. Regularly change your passwords.
6. Develop a password handover contingency plan in the event of your death or incapacitation.
7. Remember, online platforms and solutions can go out of business or may not necessarily practice what they preach.
8. Regularly check websites like haveibeenpwned.com to check if your email was part of a data breach.
9. Finally, take control of your own security, know where you stand, and understand the risks involved in giving someone or a company your valuable personal information.
Have You Been Pwned?: haveibeenpwned.com/
KeePass: keepass.info/
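An added example, not from the video or the HackerSploit channel, showing in Python what guidelines 1 and 2 ask for in practice: passwords drawn from the operating system's CSPRNG, the entropy such a password carries, and a reuse check over a password-manager export. The function names, the alphabet and the sample vault are this example's own assumptions; the vault entries are constructed and are not real credentials.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Alphabet for generated passwords: 52 letters + 10 digits + 32 punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet`.

    `secrets` uses the OS CSPRNG. Do not use `random` here: its Mersenne
    Twister state can be recovered from its output, so its passwords are
    predictable.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: each position adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Return every password that appears under more than one account.

    `vault` maps an account label to its password, the shape of a plain-text
    export from any password manager. A non-empty result means guideline 2
    (one unique password per account) is violated for those accounts.
    """
    accounts_by_password: Dict[str, List[str]] = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)
    return {pw: accts for pw, accts in accounts_by_password.items() if len(accts) > 1}


# Constructed sample vault for demonstration only; these are not real credentials.
SAMPLE_VAULT = {
    "mail.example": "Winter2022!",
    "shop.example": "Winter2022!",  # same password as the mail account: reuse
    "bank.example": "q4$Lm!7zRd0#Vb2&Ye9",
}


def main() -> None:
    pw = generate_password(24)
    print(f"generated: {pw}")
    print(f"entropy  : {entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    for password, accounts in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"reused   : {password!r} on {', '.join(accounts)}")


if __name__ == "__main__":
    main()
```

A 24-character password over the 94-symbol alphabet carries about 157 bits of entropy, far beyond what offline guessing can cover; the reuse check is the part worth running against a real export, since a reused password turns one breach into several account takeovers.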
//PLATFORMS
BLOG ►► bit.ly/3qjvSjK
FORUM ►► bit.ly/39r2kcY
ACADEMY ►► bit.ly/39CuORr
//SOCIAL NETWORKS
TWITTER ►► bit.ly/3sNKXfq
DISCORD ►► bit.ly/3hkIDsK
INSTAGRAM ►► bit.ly/3sP1Syh
LINKEDIN ►► bit.ly/360qwlN
PATREON ►► bit.ly/365iDLK
MERCHANDISE ►► bit.ly/3c2jDEn
//BOOKS
Privilege Escalation Techniques ►► amzn.to/3ylCl33
Docker Security Essentials (FREE) ►► bit.ly/3pDcFuA
//SUPPORT THE CHANNEL
NordVPN Affiliate Link (73% Off) ►► bit.ly/3DEPbu5
Get $100 In Free Linode Credit ►► bit.ly/39mrvRM
Get started with Intigriti: go.intigriti.com/hackersploit
//CYBERTALK PODCAST
Spotify ►► spoti.fi/3lP65jv
Apple Podcasts ►► apple.co/3GsIPQo
//WE VALUE YOUR FEEDBACK
We hope you enjoyed the video and found value in the content. We value your feedback. If you have any questions or suggestions, feel free to post them in the comments section or contact us directly via our social platforms.
//THANK YOU!
Thanks for watching!
-----------------------------------------------------------------------------------
#cybersecurity #databreach #lastpass
The point of a password manager is to be able to use strong, unique passwords for the hundreds of sites you visit. And if you are like the typical user, you will be accessing those sites from multiple devices including phones, work computers, home computers, tablets, etc. The only way to use a password manager like KeePass across all those devices is storing your vault in the cloud or on your own server. And then you are back to the same problem: your data is centralized and open to hacking. Except that you likely won't even know about it if it is hacked. The other alternative is to only keep the vault on one machine, but this will lead to the original problem where people will memorize weak, non-unique passwords. So there must be a compromise. I think it is more secure to use an online password manager even with its problems. Probably using LastPass, even with its unforgivable flaws, is far more secure than going back to weak passwords.
I’ve been using LastPass purely for the convenience. Time to make a change. Thanks for a great post, never too old to learn😊
Password managers removing local/native clients, and syncing them, has been their worst decision ever. By storing passwords in their system they’ve massively increased risk and they’ve proven they’re incompetent at doing the ONE thing they’re paid for.
They are trying to print money by pushing their “that’s why we have to be subscription based”, or at least that’s what I’m getting from a lot of these programs. Not just password managers. Biggest example here being Adobe.
I really appreciate the work you are doing right now
Awesome documentation and tools to share. Great work!!! Thank you for taking the time to share this knowledge 🙏
glad to see you back again ...
Wealth of honest information. Thank you.
I've been waiting for this to happen. It's a hacker's paradise: a website that stores the passwords to every single site its users have visited and made an account on. I'm surprised this hasn't happened sooner.
Love how you show an independent version!
Started using LastPass when I heard about password managers 2-3 years back, then switched to Bitwarden.
But after this long video I think KeePass is the way to go.
Yeah, a little cumbersome, but worth it for my own security.
You can always look into hosting your bitwarden locally or on your own server, if you want as well. That's what I have been working on.
@@RuxUnderscore Since I am already using bitwarden, will try that too.
Thank you for your suggestion buddy 😊😊
Cool! Downloaded the portable version, seems simple enough, but look at all those plugins!
Good stuff, as I explain to my clients you have to think of convenience and security as opposite sides of a see-saw. If something is extremely convenient then security is most likely at risk and high-level security is usually quite inconvenient to the average person.
I remember McAfee used to offer an offline password manager, not sure if they still do.
Wow, brilliant impartial advice, thank you.
Thanks for this video and contributing to this important topic.
I do have a few points to make:
- the overall message is rather confusing and leaves a feeling of distrust in cloud services like password managers
- so-called normal users prefer simplicity and convenience over security, and KeePass will not find broader adoption within that audience, especially considering the vast majority use mobile smart devices
- many companies have adopted a cloud-first/mobile-first approach and mandate specific password managers; some are adopting passwordless solutions
- last but not least, the security community should verify LastPass's zero-trust architecture, which should give individual users assurance of the security of their personal keys
Same sentiments about this video. It is not the right message.
Excellent! 😎
Password managers are still the way to go for 99% of people, + 2FA of course.
I really appreciate your teachings, but I have a question: how can one securely protect a flash drive after putting an encrypted password database on it?
I knew this would eventually happen. That’s why I never considered using LastPass.
That's why I'm old school and keep my most important passwords in a notebook. Nothing is 100% in this world, not even remotely close to 100%.
@@user-zg2bx4oz2p still better than someone else getting their hands on it.
Can someone please clarify why it is such a bad idea to store an ENCRYPTED password database on a cloud? Again I emphasize ENCRYPTED (with something strong like AES-256, where a strong (master) passphrase is stored only in your head).
The vibe I got from this video is that by doing so you are somehow trusting the cloud service provider, but provided that you encrypt the file yourself with some open source software like KeePassXC or GNU Privacy Guard (GPG) and only then upload it to the cloud, I don't see how that's trusting the cloud service provider. Heck, even if they leak it, the file is completely useless without the decryption passphrase which only I know.
My master password is a combination of a word I know + a complex static password generated by my yubikeys (programmed the same in all of them). What is your opinion on this approach? Would you consider the use of the yubikeys for this purpose unsafe?
Sounds kinda like double binding passwords using 2 separate managers/2fa
Can you do a breakdown on the Haver cyber attack?
I found a PM called Enpass. It’s local with an option to sync to a 3rd party cloud service that you host or choose. It also has a browser extension for convenience. Has anyone used it before, or do they recommend something else? Let me know.
I'm a long-time LastPass user, and it's been good for me in that my wife and I have phones and browsers that can all use it, so I need a solution that is convenient or else she will just go back to using the same passwords for everything, and it took forever to get her using LastPass consistently. Is Bitwarden a good alternative, or is there something else I can use?
Sir, please can you make a video on cobalt strike 🙏
Use KeePassXC; it is the updated, improved version of the normal KeePass.
I've never used a password manager. But I do save them on my local computer, encrypted and hidden (possible to access if someone gains access to my PC or wifi network). But then, even if that is somehow found, it gives only passwords; there are no usernames or which website a password belongs to. That information is linked in an email provider, and only I can map the passwords to the user and website. The most important websites have 2FA with my mobile. I have the same password with thousands of websites, but all those thousands of websites don't have any sensitive data, and I don't mind them being hacked. And yeah, I saw that password in so many breaches. It's fun to look at. Anyone can log in to any of those accounts, but none has any personal information that links to me. One main thing is I am not an important person/person of interest for hackers. If that were the case, they would be watching all my actions to identify a single piece of misinformation or an accidental drop of information to link and find information about me. Stay away from the internet if you want something to be secure.
Waiting for the web app pentesting videos.
Same
13:40 I think they use services such as darkowl or haveibeenpwned to check your email addresses dumped in breaches.
It's actually useful, and it did prompt me when one of my accounts was involved in a data breach dump.
I'm guessing it's an automated process.
Yep, it's pretty simple to automate a script to try password and email combos. I recommend everyone to subscribe to HIBP so they're notified when a breach occurs.
I stopped using LastPass a while back; Bitwarden is so much better.
Yeah 100%
Self-hosting KeePass is a bad idea for 99% of users. You think that is safer for common non-tech users than using Bitwarden? Eventually the inconvenience will push them to reusing passwords or using bad passwords. Even if a service like Bitwarden gets hacked, it's not like they have a quantum computer that breaks all the encrypted vaults. It's more plausible that your house burns down or a lightning strike ruins your computer and backups of your local self-hosted solution.
Not to mention the possibility that it's far more likely that your computer gets hacked than some service like Bitwarden/LastPass… Just use 2FA or Yubico keys for those 5 REALLY IMPORTANT accounts that would spell problems if compromised.
I got upset now, because I didn't put subtitles on this video, because I follow your channel here in Brazil!!!! 🇧🇷
We are working on adding subtitles to our videos; as you know, it can be quite lengthy and complex for longer videos.
Bro I just installed it and set up some accounts
If LastPass doesn't know your password and your vault is encrypted with your password, how, when resetting a forgotten password, do they then access/decrypt and re-encrypt your 'vault' using your new password?
You can't reset the master password. If you forget it and don't have a recovery One Time Password, you lose access to your vault.
@@TwskiTV ah ok thanks… makes sense. Just wondering how it might work in the corporate world too. Must be some additional keys in there too, as you can reset passwords etc. for normal user accounts.
Too cumbersome. I’ve tried to get normal users to use KeePass, but they never stick with it because it isn’t convenient
Try KeePassXC.
Can you recommend the best authentication app?
I think generally, password managers are just a pain in the long run. Some research I did earlier this month shows that KeePass has been abused to dump passwords several times using the tool Poshkpbrute.
I think, like you said, using removable storage might help though.
Yeah, my KeePass vault password is 37 characters long. Good luck cracking it with cracking software.
@@neuideas I'm using it; are you saying it is safe enough? It doesn't have access to the internet though.
@@RadiantEchoes KeePass is very secure if you have control of the vault and have a strong password. You can also, upon vault creation, insist on cranking up the hashing iterations, making brute-forcing even the simplest passwords very time consuming.
I withdraw my comment, I did look it up, but I wanted to address the poster below rather than deleting my comment. I did have a misunderstanding of zero knowledge, but instead of trying to explain it, you pulled a Linux answer and basically said to read the documentation. I dislike those kinds of answers, and that is what scares a lot of new users away from Linux.
This channel has excellent videos, but the presentation is very weak. I watched a lot of videos on this channel. Subject-wise very good, but explaining the topic is very poor. Those who want to watch your videos are all learners; you have to explain the topic clearly, in an easily understandable way.
Thanks bro, I've already moved to the blue one. Thanks to the hilarious +62 folks, lol.
Please make a video on Active Directory,
especially AD enumeration and attacking AD auth technology.
ruclips.net/p/PLBf0hzazHTGPTPemna-KfS9zEx5TL6MGg
Is there an Arabic translation of your videos??
😂😂😂😂
@@tiom28x 😒😒
@@user-fi5qj5ce6q 😂😂😂😂
I never used lastpass 😊
Me too
Haha
smh
Never trusted password managers. Why put a target on your head? Everything can be hacked anyways.
So you just use the same password everywhere?
I still trust them
"Everything can be hacked anyways" is an unproductive outlook and simply isn’t true.
Okay so what's your solution? How do you remember hundreds of strong, unique passwords?
For everyone interested in these topics, DO NOT TRUST IN PASSWORD MANAGERS!!! gattdammit... I've been saying this since 2008: new technology, new vulnerabilities. Memorize your passwords, get your xit together! Train your people how to create complex passwords!
And then where do you save it? Hahaha, memorizing 100s of passwords in your brain's short-term memory, good luck.
I've got like 500+ passwords in LP; how do I remember all those and make sure all are unique? 🫠
Let's be real here. If the cloud were not a safe place, then businesses would not be in the cloud. Do we know how cloud providers protect your resources? So to say don't use clouds is being an alarmist. Rather than that, tell people to practice defense in depth instead.
I use keepassxc
The above name was able to fix mine.
You can subscribe to HaveIBeenPwned for free and get an email if you were in a breach so you don't need to check it regularly