LastPass Hack: The CRUCIAL Problem No One Is Talking About

How would you consider BW to be superior? I use the LastPass Family subscription but with an over 20 character master PW. Would be interested to know if other options might be better and or cheaper.

@@jeepfanatik1304 Depends which paid services you need. I'm using BitWarden for free and it does everything LastPass used to do before they removed the option for free accounts across multiple devices. The company also seems a whole lot less shady in general, which is nice.

@@jeepfanatik1304 I'm not in infosec but I know enough to be dangerous... BW is arguably "superior" as a product since it is open source and has been independently audited. But BW is also faster performing and its default settings give you a stronger starting point. We LP refugees with long MPs are likely fine against brute force, but I went through and changed all 500+ passwords anyway... which sucks. This did allow me to increase the security at each site (add new MFA or use generated passphrases for site "security questions" answers) and remove sites that no longer exist or are not needed. It is laborious to do but seems worth it in the long run.

Bitwarden is only superior if you are self hosting. If you don't have the means to self host it, then 1Password would be best.

Same, I moved myself and my clients away from LP to BW after their 1st hack.

I feel this tweet in my soul. It's so hard to get started!

@@ShannonMorse YEP

@@ShannonMorse Agreed... but I would argue it might even be harder to SWITCH!?!?!?!?! I run Lastpass with a long (23?) master... now I gotta change?

Google switch from LastPass to bitwarden, super easy with export / import. Steve Gibson (IT guru) talks about how easy this is in his podcast.

@@pauldamian2988 super easy to switch to bitwarden. Export your LastPass file and import it, boom. Took me like 10 minutes. It has much better field support, and auto fill on Android and web support, too. Works a bit better overall I've found

This is one of the big factors that has lead me to dump LastPass. I paid LastPass, because they seemed to be making good decisions about security. I wanted to not have to be a fulltime security person. I wanted to farm that out to LastPass. At the time I did this, about a decade ago, LastPass seemed to be doing a great job. The issue, is that LastPass appears to have gotten lazy. They filed to increase the PBKDF2 hash iterations... actually they did so for new customers... but not those of us who had been singing their praises and been longtime customers! This tells me the problem is not really the hackers, it is that I no longer trust LastPass to make good decisions about my Vault and what is secure. Add to that the info that URL's were not encrypted, even though all LastPass marketing talks about how customer vaults are encrypted, never seeming to mention that important data like URL's is not... Yeah, Bye Bye LastPass. They've made business decisions that are not in the favor of my account being secure, so I am making a business decision that will not be in favor of their business goals. I'm gone, Won't be seeing you even again LastPass. You've shown how quickly you decide to do what is easy rather than what is best! Why would I continue with a password management company that has proven I cannot trust them!

And this is the reason that I’m considering moving after being a customer for over a decade. They need to have done a better job of communicating those updated security settings to their users when they changed their best practices. Like, if I have two sites using the same password in my vault, it’ll yell at me every time I open my browser and click to fill a password, but not once did that same popup mechanism ever tell me that, “hey, you’re using an outdated security setting for your vault, and if you don’t udpate it to the modern recommended setting, you’re putting the security of your entire vault at risk.”
Everything else I can forgive because they can happen to any organization, but that one was a seriously dropped ball.

If 5000 used to be adequate but not now, how long before 100K+ won't be adequate? 5 years? 2 years? Lastpass''s dodge about 'generally available cracking tools' -- that's generally available now. What will be 'generally available' in two years? Time flies.

@@bassmaiasa1312 Since OWASP is already recommending 310,000 iterations, what LastPass is doing right now is inadequate. LastPass is not keeping up. That LastPass was not actively alerting users who had iterations set below 100,000 is pure ineptitude on LastPass.

@@bassmaiasa1312 100k is no longer considered adequate, OWASP recently changed the recommendation from 310k to 600k PBKDF2 iterations. But encryption in general is a rat race, we encrypt things to be currently unbreakable but computers in the future may be able to break it with ease. Thus what you're really doing with encryption is buying time that when an adversary finally breaks into the vault, the treasure within is no longer useful.

Everywhere should use them, and free. Obscured a security product makes you pay to be the most secure

Wow cool idea!

The same 3 characters (e.g. 123) for every password or different?

Lastpass does have the OPT/recover in case you forget your Master Password.. Call me a goof, but the first thing i do when setting up plugin, is turning OFF these things..
I manage my *own* security.. (... which could become a problem in later years)

The backups were from September 22nd 2022 as a LP user mentioned on another podcast . The LP user asked LP and that is what they told him.

@@GregM which podcast?

​@@GregM Yeah, but who can trust the LP employee to know or tell the absolute truth.

And some are active for years. It's far better to be vigilant than sorry

@@TheErador Sockets yes, sessions no (at least none I have ever come across, feel free to give an example), they will be terminated either client side or server side (whichever activates first). Idle sessions not closed are more like placeholders, they are deactivated when referenced again and a new active session is created.

Right! And they have to download your database, which is stored locally.

We all keep hoping along from one lily-pad to another like a bloody frog in a swamp, export/importing as we go..That's fun.... anyway.

You do know there are old people with difficulty remembering their names, let alone passwords? Writing it down in that 3 ring binder beside your computer with the label PASSSWORDS, is safe until you're robbed like my in-laws. Then you've handed them the keys to the kingdom.

That wouldn't help as much as you think. The longer the password the difficulty increases exponentially. A 10 character password would take a few years to brute force. 12 characters 30K years. They could toss the entire computing power of the world at a vault secured with 13 characters. They would all be dead before even putting a dent in the possible combinations.

Great choice 😊

You should still double check your passwords. Even if you deleted your LP account, considering everything we've seen I wouldn't be surprised if it turns out LP have a very lax attitude regarding GDPR / Data Protection for backups.

@@cinnamon4183 excellent idea

So Microsoft uses their auth app instead of a password right? What happens if you lose your phone? How are you going to re-authenticate on a new device?

@@michaell1603 you have more than just the Auth app configured. I use three methods for account access

Then use a open source local password manager like Keepass and have absolute control over your vault.

@@AJ-po6up fair point. I've been considering it.

There are local only password managers. That would solve your problem there. Bit warden has that ability I believe, but also KeePass

keepass or other local hosted ones work just never loose the database

All that being good, but doi you really think people will be anymore safer if they hear from a CEO? Its done, and no amount of hearing from an expert is gonna change that, because they can't.
No amount of "sorry stories" from a CEO is gonna get back whats now public... And you only get [1] chance. By definition, users make THAT happen when we *decide* to engage in cloud services for convenience. That's why I will always say "no matter who people try and blame, it still always comes back to the user"
I'm not saying they asked for this to happen, but its not like they thought about it either.

Yup!!! I noticed that too

🫢🫢🫢

That is a big problem. The only thing worse I could imagine is having the password database stolen and in the hands of bad actors.

Hey there! What do you mean by the hardware keys are dependent on the OS?

@@flynntsang Hardware keys are physical and require a physical receptor to identify and validate, they can cause compatibility issues if the software being authenticated is multi-OS and multi-device. For example, if you use a password manager that requires 2FA on multiple devices, such as Windows, Mac, Linux, Android, and iPhone, it may not be easy to register one hardware key for all devices. And what happens when you upgrade your devices in the future? Will they always be compatible with your current hardware key?
On the other hand, an authentication software key is just data that can be used for any and all human inputs. Additionally, you can write down the key on paper and delete the app for increased security, only adding it when you need to use it.
I'm not saying that hardware keys aren't useful, I have one myself. However, I think it's important to consider the downsides before making a decision, as it's more of a situational choice.

​@@flynntsang For an OS to do anything it requires a driver to translate the messages the device is sending. There is no universal 2FA key that is recognized by every OS. There is also not even a universal 2FA key standard established on the internet. For example FIDO2 has a lot of promise... but hardly anyone uses the standard. The few sites that do have 2FA use OTP, which is very outdated and insecure at this point.

😯

I have a lot of close friends who are in the same boat.

This is a big issue for businesses, other competitors in the password manager market should focus on the migration from LastPass and make it as easy as possible, while maintaining the same policies and settings from LastPass.

😆 opps... that's a bad boss. There's still noting wrong but we all egt scared the moment someone has a proprietary source code.
I think the biggest thing is users just have to start accepting breaches will always happen, no matter how great of a security model we have... There is such a thing as "security is good enough for the individual"

People complain when something gets taken down "as is", accidentally or deliberate, and you want then to wait longer? Good luck to you sir... Everything is a balance, unfortunately.

@@Tech-geeky most people don't have a clue re modern digital security and how to keep themselves safe. Like a parent, you sometimes need to do what is best for them, and ignore their dislikes.
Also, it's not like every 10th app is going to suddenly get taken away. It's probably 1 in every 1k apps.

Yup lol 👍

Not just password managers. The whole tech industry is basically an organized cybercrime family.

Password manager companies could never afford the insurance to back that liability!

@@andyburns wow, so true! ... Things that make you go, "hmmm..."

Hope you enjoyed it!

It is a world of hurt and pain. I had a few techniques to minimize dupes when exporting from various pw managers to 1Password, like using spreadsheet text functions to extract domain names in URLs and then sorting by the domain name to find dupes. That way I had fewer to import. But the actual process is painful, painful, painful. My only tip is in 1Password you can create different vaults. As you verify a password, move it to a "clean" vault.

oh. indeed, pain it is. i created folders in keepass to do the same thing you mentioned.

I fell asleep I'll add it in this morning 😅

@@ShannonMorse no probs. I don't blame you. Great video though. Re last pass, we use it in our business but looking to move to something else. We do understand however that our data is safe because we are federated. Would you agree?

KeePassXC is one of the best local PW managers.

SplashID… been around forever and can be completely non-cloud. Very basic but if you want all the “features” you have to deal with this risk.

For most people it's really overkill to not use a cloud service, provided it's like Bitwarden that only store encrypted data and that your master password is complex (at least 14 random characters including symbols). A local only solution is potentially more secure but it's also waaaay more difficult to manage.

@@davidriosg I'm okay with the management honestly. I care more about the security than having to keep up with it. I'll look at bitwarden though and see what it is about.

while this would be awesome, i think this would be rather hard, since the process of changing passwords differ a lot between different sites and would be difficult to automate (and of course, only doing it in the password manager would just lock you out of your accounts :P)

I know LastPass gave you the option to choose "change all passwords" and the platform would TRY to do it for you. But it sucked and didn't work well.

Believe it or not, Bitwarden itself will do MFA for you. You just have to add the shared secret to the site like you would a password, and it'll generate codes for you, and even let you copy them like you can the username or password. It's putting all the eggs in one basket, which may or may not be a good idea, but it does do it.

Aegis Authenticator is great if you'd rather not do what Trevor mentioned! I enjoy it because it can do automatic encrypted backups.

@@ken-rx6hb That actually does sound like a darn good feature! I'll have to check it out for the couple of MFA's I'd like to keep outside of Bitwarden

+1 to Aegis, is really good check it out.

I don't believe so. 2FA proects against logging into the LastPass website/services. If hackers have the vault it's just the encryption keeping it safe.

You must be new here 😊 I've talked about LastPass in previous videos! It's a password manager. If you don't know what a password manager is, I would recommend checking out my previous videos where I break down "what is a password manager"

I got it from Hot Topic a while back!

Hello 😊

@@ShannonMorse Hello 😊

Can't have a data breach if all of your data is stored locally. Well you can, but it's a bit more difficult.

Because they are at the Pinnacle of the security environment. Because they are trusted, completely, to be better. Not just better-the best. Better than say a Home Depot. Their one, single, solitary, goal in life is security. Home Depot's goal is to sell screwdrivers. If they mess up on security.... Well that's disappointing but they're a hardware store after all. If the bar for LastPass is nearly as low. Well, it's your data. But last pass is fort knox. They hold the keys to your digital kingdom.

@@joshuapk9808 If the reason to switch from LP is because it is an online password manager, than this has nothing to do with the breach. That's not what the video says.

@@mschwage LastPass, unlike those other solutions that are far less known, is used by millions upon millions of people. The fact that there was just one breach is, honestly, very impressive.
It's not argument against using them. if anything, it's an argument for sticking with them. Because I don't think that it is reasonable to assume that a password manager used by millions of people is only acceptable if there are literally no breaches of security ever. This would be a very unreasonable and unrealistic requirement.
Could they have handled this situation better? Sure. But is it an argument to switch away? I don't think so.
And even what you say about fort knox - this argument has nothing to do with the breach. It's an argument you can make even before any breach. So, again, I ask - why should one switch from LastPass in light of the breach?
And the way I would answer my own question is that there are no reasons to switch away that weren't true before the breach.

@@LouigiVerona Forgive me, I remain less than impressed. But you are correct, there no reasons to switch away after the breach that weren't true before the breach. Which is why, after witnessing one too many data breaches across the tech landscape, years prior to this event, I had the following heart-to-heart with myself: "Yo, self?" "Yeah" "You see this landscape of technologies that are littered with the corpses of breached data security solutions/protocols/methodologies?" "You mean, the ones that were described as Sooper Seekrit Secure? The ones once trusted by millions of people?" "Yeah, those." "I see that landscape, yes." "So... how do you feel about leaving your most absolutely precious secrets in the hands of a company probably not very different from any of them?" "...ehm, not so good, I guess?" "Right, how about we change that, eh mate?" And I did. And I dodged the whole friggin issue.
In this case, I hate being right. And I feel bad for the poor millions that continue to put their faith in LastPass. Especially after the milquetoast response from the company, which should know better. No, my secrets are safer elsewhere, as are yours. But if you and the multitude continue to have faith and trust in that company... well, may God have mercy on your souls and on your various bank, credit, and other assorted personal accounts.
mschwage out. Best of luck to you.

Thanks for bringing that to my attention! Which membership did you join? YT, BuyMeaCoffee or Patreon?

@@ShannonMorse through YT

Hot Topic!

@@ShannonMorse thankyou

You don't have to "keep it in sync". Once it's set up on a website as a backup, it's done. You can then log into said website anytime with any of your yubikeys.

@@ShannonMorse I mean having one Yubikey is a risk. How do keep it backed up and one offsite You loose the key your screwed so thats high risk. Now if you back it up locally you to another key you lower the risk. You are however open to theft, fires etc even if in safe. So you have to keep one offsite.

House keys worry me. What if I'm away from home and I drop it down an open sewer grate? I could make up other scenarios but yes keys are keys like any other key. We've been using them for millennia. Now they just have little copper traces on them, and chips inside. I carry my yubikey on my key ring, along with my house key. I have it in a little leather pouch, lassoed to it so it won't fall out.

@@mschwage so you have just 1? They are tech gear and cable of failing then what.

@@thestreamreader no I have 2, kept at different addresses.

Exactly, how does this not come up in the video?

👏👏👏