LastPass Hack: The CRUCIAL Problem No One Is Talking About
- Published: 27 Sep 2024
- Sign up for DeleteMe! Use the coupon code SNUBS for 20% off any consumer plans! Linky: www.JoinDelete... * (coupon code automatically applied at checkout)
LastPass admitted to getting hacked a couple of months ago, and we're just now learning more details about what was breached. Password Managers are often targeted in hacks but in my opinion, LastPass is downplaying a crucial problem that can affect users.
My fav password managers for 2023:
25% off 1Password: www.jdoqocy.co... *
30% off Roboform: www.kqzyfj.com... *
Dashlane: www.dashlane.com/
Bitwarden: bitwarden.com/
Keeper: www.keepersecu...
What Is A Password Manager And Should You Trust Them? - • What Is A Password Man...
LINKS:
blog.lastpass....
support.lastpa...
support.lastpa...
www.goto.com/b...
blog.gaborszat...
capec.mitre.or...
cwe.mitre.org/...
FTC: Links marked with * are affiliate links, which means I make a small commission off any sales.
Become a Morse Code Member by checking out the perks linked here:
/ @shannonmorse
SUBSCRIBE! 🌸 www.youtube.com...
TWITTER 🌸 / snubs
Patreon 🌸 / shannonmorse
SUPPORT MY WORK
Patreon 💛 / shannonmorse
Buy Me a Coffee 💛 www.buymeacoff...
Shop 💛 snubsie.com/shop
TeeSpring 💛 teespring.com/...
Coupon Codes 💛 snubsie.com/su...
Tech I Use & Recommend 💛 kit.co/Shannon...
FOLLOW THE SOCIALS THINGS
Twitter 🌸 / snubs
Instagram 🌸 / snubs
RUclips 🌸 www.youtube.com...
Website 🌸 www.shannonrmor...
TECH I USE AND RECOMMEND
My Kits, Builds, and Must Haves ✨ kit.co/Shannon...
My Amazon Influencer Page ✨ www.amazon.com...
MY OTHER SHOWS
ThreatWire 🌙 www.youtube.com...
Sailor Snubs 🌙 www.youtube.co...
GET IN TOUCH
Mail ✈ snubsie.com/co...
Email for Business and Sponsorship Inquiries ✈ Shannon@ShannonRMorse.com
My Media Kit ✈ snubsie.com/wo...
Sponsor This Channel ✈ snubsie.com/sh...
Music from 🎵 Epidemic Sound: www.epidemicso...
😍 FTC DISCLAIMER 😍
Affiliate links listed above allow me to receive a small commission. Any sponsorships for videos are noted in video and listed in descriptions. Any products provided as gifts are listed above. Thank you for your support!
Comment section code of conduct policy:
Constructive feedback is appreciated, but please leave unproductive, divisive and harmful conversation at the door. Hateful comments are not tolerated, and these kinds of messages will be automatically removed. Thank you for making this community a welcoming experience for all viewers :)
snubsie.com/co...
I switched from LastPass to Bitwarden when the hack happened, and actually find BW to be superior. And FWIW, I'm in the infosec business. I'd become anxious about LP after its acquisition by LogMeIn (which didn't have a stellar security record). Wish I'd acted sooner.
How would you consider BW to be superior? I use the LastPass Family subscription but with an over 20 character master PW. Would be interested to know if other options might be better and or cheaper.
@jeepfanatik1304 Depends which paid services you need. I'm using BitWarden for free and it does everything LastPass used to do before they removed the option for free accounts across multiple devices. The company also seems a whole lot less shady in general, which is nice.
@jeepfanatik1304 I'm not in infosec but I know enough to be dangerous... BW is arguably "superior" as a product since it is open source and has been independently audited. But BW is also faster performing and its default settings give you a stronger starting point. We LP refugees with long MPs are likely fine against brute force, but I went through and changed all 500+ passwords anyway... which sucks. This did allow me to increase the security at each site (add new MFA or use generated passphrases for site "security questions" answers) and remove sites that no longer exist or are not needed. It is laborious to do but seems worth it in the long run.
Bitwarden is only superior if you are self hosting. If you don't have the means to self host it, then 1Password would be best.
Same, I moved myself and my clients away from LP to BW after their 1st hack.
An updated password manager video would be awesome. As well as how to make the process of migrating easier. Right now the challenge is momentum - it’s hard to just get started.
I feel this tweet in my soul. It's so hard to get started!
@ShannonMorse YEP
@ShannonMorse Agreed... but I would argue it might even be harder to SWITCH!?!?!?!?! I run LastPass with a long (23?) master... now I gotta change?
Google switch from LastPass to bitwarden, super easy with export / import. Steve Gibson (IT guru) talks about how easy this is in his podcast.
@pauldamian2988 super easy to switch to bitwarden. Export your LastPass file and import it, boom. Took me like 10 minutes. It has much better field support, and auto fill on Android and web support, too. Works a bit better overall I've found
There’s also an additional problem you didn’t mention - LastPass not updating customers’ hash iteration value. They changed the default to 100,000+ iterations, but people who created accounts a decade ago had iteration counts of 5000, or even *1* for early accounts, and LastPass *did not upgrade customer accounts* according to their own security standards. This means these passwords are *way* more brute-forcible. It’s really bad…
This is one of the big factors that has led me to dump LastPass. I paid LastPass, because they seemed to be making good decisions about security. I wanted to not have to be a full-time security person. I wanted to farm that out to LastPass. At the time I did this, about a decade ago, LastPass seemed to be doing a great job. The issue is that LastPass appears to have gotten lazy. They failed to increase the PBKDF2 hash iterations... actually they did so for new customers... but not those of us who had been singing their praises and been longtime customers! This tells me the problem is not really the hackers, it is that I no longer trust LastPass to make good decisions about my Vault and what is secure. Add to that the info that URLs were not encrypted, even though all LastPass marketing talks about how customer vaults are encrypted, never seeming to mention that important data like URLs is not... Yeah, Bye Bye LastPass. They've made business decisions that are not in the favor of my account being secure, so I am making a business decision that will not be in favor of their business goals. I'm gone. Won't be seeing you ever again LastPass. You've shown how quickly you decide to do what is easy rather than what is best! Why would I continue with a password management company that has proven I cannot trust them!
And this is the reason that I'm considering moving after being a customer for over a decade. They need to have done a better job of communicating those updated security settings to their users when they changed their best practices. Like, if I have two sites using the same password in my vault, it'll yell at me every time I open my browser and click to fill a password, but not once did that same popup mechanism ever tell me that, "hey, you're using an outdated security setting for your vault, and if you don't update it to the modern recommended setting, you're putting the security of your entire vault at risk."
Everything else I can forgive because they can happen to any organization, but that one was a seriously dropped ball.
If 5000 used to be adequate but not now, how long before 100K+ won't be adequate? 5 years? 2 years? LastPass's dodge about 'generally available cracking tools' -- that's generally available now. What will be 'generally available' in two years? Time flies.
@bassmaiasa1312 Since OWASP is already recommending 310,000 iterations, what LastPass is doing right now is inadequate. LastPass is not keeping up. That LastPass was not actively alerting users who had iterations set below 100,000 is pure ineptitude on LastPass.
@bassmaiasa1312 100k is no longer considered adequate, OWASP recently changed the recommendation from 310k to 600k PBKDF2 iterations. But encryption in general is a rat race, we encrypt things to be currently unbreakable but computers in the future may be able to break it with ease. Thus what you're really doing with encryption is buying time so that when an adversary finally breaks into the vault, the treasure within is no longer useful.
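The iteration-count discussion above in working code, added here as an illustration (not LastPass's implementation and not code from the video): what PBKDF2 with 1 iteration actually amounts to, the health check a client should have shown users, and how much each raise of the count costs an offline guesser. Assumptions: PBKDF2-HMAC-SHA256 with a 32-byte key (the thread names PBKDF2; the hash choice is ours), the iteration figures quoted in the thread, and constructed sample inputs.

```python
import hashlib
import hmac
import struct
import time

# Figures quoted in the thread: early accounts at 1 iteration, decade-old accounts at 5,000,
# newer defaults at 100,000+, and OWASP now recommending 600,000 for PBKDF2-HMAC-SHA256.
OWASP_PBKDF2_SHA256_MIN = 600_000
LEGACY_COUNTS = {"early account": 1, "decade-old default": 5_000, "newer default (100,000+)": 100_000}


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256 (assumed scheme, illustration only)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def single_hmac(master_password: str, salt: bytes) -> bytes:
    """PBKDF2 with iterations=1 collapses to exactly one HMAC over salt || INT(1).

    A 1-iteration vault therefore has no key stretching at all: each offline guess costs the
    attacker one hash computation, the same price as a plain salted hash.
    """
    return hmac.new(master_password.encode(), salt + struct.pack(">I", 1), hashlib.sha256).digest()


def iteration_status(iterations: int, minimum: int = OWASP_PBKDF2_SHA256_MIN) -> str:
    """Classify a vault's iteration count the way a client-side health check should."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    if iterations < minimum:
        return "below recommended minimum"
    return "ok"


def attacker_slowdown(old_iterations: int, new_iterations: int) -> float:
    """Relative cost per offline guess after raising the count.

    PBKDF2 cost is linear in the iteration count, so 5,000 -> 600,000 makes every guess
    120x more expensive. Nothing else changes: a weak master password stays weak, only
    slower to recover, which is why the thread still recommends changing site passwords.
    """
    return new_iterations / old_iterations


def benchmark(master_password: str, salt: bytes, counts: dict) -> dict:
    """Seconds per derivation on this machine for each count (one call each, so only rough)."""
    timings = {}
    for label, iterations in counts.items():
        start = time.perf_counter()
        derive_vault_key(master_password, salt, iterations)
        timings[label] = time.perf_counter() - start
    return timings


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    pw, salt = "correct horse battery staple", b"user@example.com"
    assert derive_vault_key(pw, salt, 1) == single_hmac(pw, salt)
    counts = dict(LEGACY_COUNTS, **{"OWASP minimum": OWASP_PBKDF2_SHA256_MIN})
    for label, seconds in benchmark(pw, salt, counts).items():
        print(f"{label:>26}: {counts[label]:>8} iterations  {seconds * 1000:8.1f} ms  "
              f"[{iteration_status(counts[label])}]")
```

The timings scale linearly with the count on one core; a cracking rig with many GPUs divides the wall-clock time by its parallelism, which the iteration count cannot fix, only the master password's entropy can.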
Great breakdown. I hadn't considered the Session ID issue in the URL until your video. As much as I loved Lastpass, this breach was the last straw for me.
Hardware 2FA needs to be a universal option.
Everywhere should use them, and free. Obscured a security product makes you pay to be the most secure
My suggestion, no matter where you record your passwords, is to use and store partial passwords, but to have a secret code, e.g., three ending characters you add to every password. And never record that secret code anywhere except maybe on the side of your bottom dresser drawer. That way if your UN/PW is hacked you're safe because the hacker has only a partial password. Also protected if you have a written list.
Wow cool idea!
The same 3 characters (e.g. 123) for every password or different?
LastPass does have the OPT/recover in case you forget your Master Password.. Call me a goof, but the first thing I do when setting up the plugin is turning OFF these things..
I manage my *own* security.. (... which could become a problem in later years)
Great info, Shannon. Thank you!
Thank you for explaining this in detail, I know nothing about security, more of a hardware guy. So this taught me a lot. Session hijack achievement unlocked.
@ShannonMorse Snubs, a critical data point so far not disclosed by LastPass/LogMeIn is the date range for the backup data stolen. This could be critical information for people who deleted their LastPass vault before this latest breach. Depending on when the stolen backup was performed, customers who deleted their LastPass vaults six, twelve, maybe even 24 months before this breach might still be at risk! --bump
The backups were from September 22nd 2022 as a LP user mentioned on another podcast . The LP user asked LP and that is what they told him.
@GregM which podcast?
@GregM Yeah, but who can trust the LP employee to know or tell the absolute truth.
Seems excessive. Those session IDs have expired a long time ago. Hackers can only access 'active' session IDs. A session expires either when logging out, or timing out (set on the servers). A PC restart will kill every active session, or closing all tabs and clearing browser cache, or inactivity. Also avoid using / checking a box that says 'stay logged in', this extends the session timeout to days or weeks before it expires (generally not found on sites with payment portals). Some sites will also dynamically change and update your session ID seamlessly as you browse, you will notice this if you open tabs from the site you are logged in to, and when you go back to the tabs you are met with a login page or it shows you logged out (as guest or whatever), those tabs never updated to the new session ID and have reverted to the default page.
And some are active for years. It's far better to be vigilant than sorry
@TheErador Sockets yes, sessions no (at least none I have ever come across, feel free to give an example), they will be terminated either client side or server side (whichever activates first). Idle sessions not closed are more like placeholders, they are deactivated when referenced again and a new active session is created.
I've been using KeyPass...Yes, it means having a OneDrive/Thumb Drive/DropBox/GoogleDrive etc. to store the PW Database, and yes it leaves a "potential" security hole, but what doesn't??? I used to just carry it on my thumbdrive but my old employer then disabled all access to USB ports for memory storage (intellectual property theft deterrent). Is it perfect? Nope...but I've yet to hear a big "OMG KEYPASS HAS BEEN HACKED" yet.
Right! And they have to download your database, which is stored locally.
We all keep hopping along from one lily-pad to another like a bloody frog in a swamp, export/importing as we go. That's fun... anyway.
Say NO to EVERY password manager!
You do know there are old people with difficulty remembering their names, let alone passwords? Writing it down in that 3 ring binder beside your computer with the label PASSWORDS, is safe until you're robbed like my in-laws. Then you've handed them the keys to the kingdom.
Look at my shocked face that a password company isn't secure... 😐
5:43 now I don't know if you talk about this yet… but another nugget here is LastPass (at least up until the hack happened) did not require strong passwords. I think my old account had like an 8-character password that can be hacked in under a minute.
Again very bad :/
Shannon says leave Last Pass. Done!
I love tripe too! Big thumbs up for that last session info. Going through the log-ins exported from Chrome to 1pass I noticed these weird looking URLs? with a bunch of extra nonsense. I'm deleting those too. Thanks. (I doubt that making a mistake will lock me out of anything important).
Affected users should always presume security hacks on their password manager vendor was worse than initially thought - on principle. Thanks for this useful information.
*_TRUST !!_*
The thing is the fact that they got the backup of the Vault means they can apply multiple different computers to try and crack the thing instead of over a single line
That wouldn't help as much as you think. The longer the password the difficulty increases exponentially. A 10 character password would take a few years to brute force. 12 characters 30K years. They could toss the entire computing power of the world at a vault secured with 13 characters. They would all be dead before even putting a dent in the possible combinations.
I'm glad I moved to Bitwarden before that happened based on your password manager recommended video.
Great choice 😊
You should still double check your passwords. Even if you deleted your LP account, considering everything we've seen I wouldn't be surprised if it turns out LP have a very lax attitude regarding GDPR / Data Protection for backups.
@cinnamon4183 excellent idea
we really need to go passwordless. I like the direction Microsoft has gone with their accounts.
So Microsoft uses their auth app instead of a password right? What happens if you lose your phone? How are you going to re-authenticate on a new device?
@michaell1603 you have more than just the Auth app configured. I use three methods for account access
I was just commenting on Gary's video about how part of the reason I haven't committed to using a password manager is that I'm in a constant state of concern that the password manager service will get hacked.
Then use an open source local password manager like Keepass and have absolute control over your vault.
@AJ-po6up fair point. I've been considering it.
There are local only password managers. That would solve your problem there. Bit warden has that ability I believe, but also KeePass
KeePass or other locally hosted ones work, just never lose the database
Where is the outrage? Reminds me of the Catholic Church scandal. Why are we not hearing from the CEO of last pass? What is the company doing about it? Where is their response?
All that being good, but do you really think people will be any safer if they hear from a CEO? It's done, and no amount of hearing from an expert is gonna change that, because they can't.
No amount of "sorry stories" from a CEO is gonna get back what's now public... And you only get [1] chance. By definition, users make THAT happen when we *decide* to engage in cloud services for convenience. That's why I will always say "no matter who people try and blame, it still always comes back to the user"
I'm not saying they asked for this to happen, but its not like they thought about it either.
When I used the "Analyze Lastpass" powershell script, I noticed that some of my unencrypted URLs were password reset URLs with long reset tokens. 🤦. They didn't seem to work anymore, but that's still really bad. I didn't realize that when I'd do a password reset and the LastPass extension would prompt me "would you like to update the password for this site?" it was also changing the URL and saving the reset token in plain text.
Yup!!! I noticed that too
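The check the two comments above describe, written here as an added example (it is not the "Analyze Lastpass" script the commenter used, nor anything from LastPass): scan a password-manager CSV export for saved URLs whose query string or path carries a session ID or reset token, and compute the stripped URL that should be stored instead. Assumptions: a constructed export with generic name/url/username columns, and heuristic parameter-name and token-shape patterns that err on the side of flagging.

```python
import csv
import io
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Query-parameter names that commonly carry a session identifier or one-time credential.
# Deliberately broad ("key" also matches "monkey"): a false flag costs one look, a miss costs a token.
SENSITIVE_PARAM = re.compile(r"(session|sess|sid|token|reset|otp|code|auth|key|ticket|nonce)", re.I)
# A long, structureless run of URL-safe characters is usually a token whatever it is named.
RANDOM_VALUE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")
# Path-embedded session IDs (servlet-style ";jsessionid=...") never appear as query parameters.
PATH_SESSION = re.compile(r";jsessionid=[^/?#]+", re.I)


def suspicious_params(url: str) -> list:
    """Return the names of URL components that look like a session ID or reset token."""
    parts = urlsplit(url)
    found = []
    if PATH_SESSION.search(parts.path):
        found.append("jsessionid (path)")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_PARAM.search(name) or RANDOM_VALUE.match(value):
            found.append(name)
    return found


def sanitize_url(url: str) -> str:
    """Keep scheme, host and path only: drop query, fragment and any path session ID.

    This is the form worth storing in a vault entry; autofill matches on the host anyway.
    """
    parts = urlsplit(url)
    path = PATH_SESSION.sub("", parts.path) or "/"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def audit_export(csv_text: str) -> list:
    """Walk an export and report every entry whose saved URL carries token-like material."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        params = suspicious_params(row["url"])
        if params:
            findings.append({"name": row["name"], "url": row["url"],
                             "params": params, "clean": sanitize_url(row["url"])})
    return findings


# Constructed sample export, not real data: one clean login, one reset link saved with its
# token after a password change, one servlet-style session URL, one harmless tracking param.
SAMPLE_EXPORT = """name,url,username
Webmail,https://mail.example.com/login,alice
Bank,https://bank.example.com/reset?token=9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c&user=alice,alice
Forum,https://forum.example.com/app;jsessionid=ABC123DEF456/home,bob
Shop,https://shop.example.com/account?ref=newsletter,bob
"""

if __name__ == "__main__":
    for hit in audit_export(SAMPLE_EXPORT):
        print(f"{hit['name']}: flagged {hit['params']}\n  stored: {hit['url']}\n  use:    {hit['clean']}")
```

A flagged entry means the vault (and any backup of it) held a URL that was at least briefly a credential on its own; replace it with the cleaned form and, for reset links, confirm the token is no longer accepted.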
HOLY CRAP! I remember Shannon from watching TWIT before Leo became super annoying (among other things). Thank you for starting your own channel so your voice is heard...
🫢🫢🫢
I use password management software that keeps my passwords on my local computer. I don't think that I am perfectly safe, but I am a small target
That thing about session IDs is a great shout, and I need to check mine. I am not a fan of LP linking the session to the password anyway as it doesn't always recognise. I am one of those people who tries not to save and autofill passwords - in other words I log in anew each time - which can be a pain in the arse but surely that has to be more secure!?
The problem is that you have hundreds of passwords, you have to go through every website and change the password which is a tedious process
That is a big problem. The only thing worse I could imagine is having the password database stolen and in the hands of bad actors.
That t-shirt is amazing, really cool hair match👍😆
In terms of 2FA I don't really like the hardware keys because it depends a little too much on the OS. I prefer the authentication apps on separate devices that are not connected to the internet. It's a bit more universal, and you can still write your key down on a paper and wipe your device and add it back later.
Hey there! What do you mean by the hardware keys are dependent on the OS?
@flynntsang Hardware keys are physical and require a physical receptor to identify and validate, they can cause compatibility issues if the software being authenticated is multi-OS and multi-device. For example, if you use a password manager that requires 2FA on multiple devices, such as Windows, Mac, Linux, Android, and iPhone, it may not be easy to register one hardware key for all devices. And what happens when you upgrade your devices in the future? Will they always be compatible with your current hardware key?
On the other hand, an authentication software key is just data that can be used for any and all human inputs. Additionally, you can write down the key on paper and delete the app for increased security, only adding it when you need to use it.
I'm not saying that hardware keys aren't useful, I have one myself. However, I think it's important to consider the downsides before making a decision, as it's more of a situational choice.
@flynntsang For an OS to do anything it requires a driver to translate the messages the device is sending. There is no universal 2FA key that is recognized by every OS. There is also not even a universal 2FA key standard established on the internet. For example FIDO2 has a lot of promise... but hardly anyone uses the standard. The few sites that do have 2FA use OTP, which is very outdated and insecure at this point.
I guess the session hijacking was the scariest part of this breach. IMHO, I thought that Lastpass could have been more transparent (especially in August when they sent their first notification) about what was taken and the scope of the breach instead of, as you mentioned, letting users know that it was worse than they originally stated in subsequent communications. I previously thought that session hijacking was called browser hijacking. Still, a Web search on that term just returned good but usual advice about running an antivirus, firewall, VPN, and keeping your OS and software up-to-date. I have heard that session hijacking has gotten so sophisticated that hackers will set up a browser to look like your browser to Websites including fake IP addresses from your location.
It's unfortunate - what really sucks is that for my job, I have to use a password manager that the company approves. LastPass is one of them, and I've been using them for almost 2 years! =(
😯
I have a lot of close friends who are in the same boat.
This is a big issue for businesses, other competitors in the password manager market should focus on the migration from LastPass and make it as easy as possible, while maintaining the same policies and settings from LastPass.
😆 oops... that's a bad boss. There's still nothing wrong but we all get scared the moment someone has a proprietary source code.
I think the biggest thing is users just have to start accepting breaches will always happen, no matter how great of a security model we have... There is such a thing as "security is good enough for the individual"
"She KNOWS it's a MultiPass" :) (I just now noticed your "Multi Pass" in the background
Password vaults should never be stored on cloud.
New password manager vid would be great. I'll be moving away from LastPass soon ;)
Great information! You gave me more to think about on this hack.
I just left those fools. They are not doing what's necessary to resolve the problem. They're going to get hacked again. Love the mononoke shirt btw. Forest spirit ftw.
I stopped using LP since the 1st hack years ago....
Honestly, the app stores should start pulling software that has had a breach until a quality external audit has been passed.. it protects clients in many ways...
People complain when something gets taken down "as is", accidentally or deliberately, and you want them to wait longer? Good luck to you sir... Everything is a balance, unfortunately.
@Tech-geeky most people don't have a clue re modern digital security and how to keep themselves safe. Like a parent, you sometimes need to do what is best for them, and ignore their dislikes.
Also, it's not like every 10th app is going to suddenly get taken away. It's probably 1 in every 1k apps.
Wow you got 700 subs in 2 days? Your Subscribers counter is doing its thing !
Yup lol 👍
Excellent video. None of this is going to make sense until password manager companies are reasonably, legally liable for the damages they cause by screw ups like this.
Not just password managers. The whole tech industry is basically an organized cybercrime family.
Password manager companies could never afford the insurance to back that liability!
@andyburns wow, so true! ... Things that make you go, "hmmm..."
I use the hell out of KeepassXC/DX on Linux and Droid.
Thanks, Shannon~
"The source code was leaked"
WHY THE HELL IS SOMETHING THAT HAS TO BE AS SECURE AS A PASSWORD MANAGER CLOSED SOURCE??????
Now I know why I got an explosion of spam using my real name to my non-named email. I also got a text notification to my cell phone that I had spent $360 on an armoire...
Great video!! This is my ultimate issue with cloud password managers… lots of eggs in one basket. I’m not inherently opposed to the idea but I don’t believe in putting too much information in one place or tied to one account.. keep yourself wide. I also don’t save my login info anywhere and use yubikey 2FA for my most secure accounts!
I was looking forward to this one, thanks
Hope you enjoyed it!
What if the password site gets hacked?
Password Savers defeat the purpose of having a password in the first place.
Or self-host PW manager with the likes of KeePass and such
Session hijacking can be greatly reduced by monitoring when the session is and making the date and time part of the session ID.
Switched to locally hosted bitwarden
not a lastpass user, but any recommended way or tips to change 200+ passwords quicker? just curious
It is a world of hurt and pain. I had a few techniques to minimize dupes when exporting from various pw managers to 1Password, like using spreadsheet text functions to extract domain names in URLs and then sorting by the domain name to find dupes. That way I had fewer to import. But the actual process is painful, painful, painful. My only tip is in 1Password you can create different vaults. As you verify a password, move it to a "clean" vault.
oh. indeed, pain it is. i created folders in keepass to do the same thing you mentioned.
This video sounds like a sales pitch for delete me.
I love Princess Mononoke. One of my few remaining DVDs.
Can you link your roundup of password managers?
Awesome video Shannon. Just heads up, you missed the embed for the "Watch this about Yubikeys" etc. Love your content. Have an awesome day.
I fell asleep I'll add it in this morning 😅
@ShannonMorse no probs. I don't blame you. Great video though. Re last pass, we use it in our business but looking to move to something else. We do understand however that our data is safe because we are federated. Would you agree?
How many breaches does this make now, a 100?? 🙄
Talk about the new breach from yesterday
Rainbow list with a Decrypt bot can get in. It's just going to be a matter of time. So yes, change all your passwords you had on LastPass. Once they're in, they're in. They will get your master pass and will unlock all your data.
I can't understand why people opt in to save their passwords on third party entities.
I would love to see a video about local solutions that I could use as to not have to use a cloud service. And as @Esper Wyrenth said if you could show the process of migrating everything that would be great. May would also be a good video idea to show the best ways to secure multiple accounts for different uses, such as having multiple emails for different things or any other good practices that would come along with that.
KeePassXC is one of the best local PW managers.
SplashID… been around forever and can be completely non-cloud. Very basic but if you want all the “features” you have to deal with this risk.
For most people it's really overkill to not use a cloud service, provided it's like Bitwarden that only store encrypted data and that your master password is complex (at least 14 random characters including symbols). A local only solution is potentially more secure but it's also waaaay more difficult to manage.
@davidriosg I'm okay with the management honestly. I care more about the security than having to keep up with it. I'll look at bitwarden though and see what it is about.
How do you switch and take all your information without you without exposure?
I switched from last pass years ago because they wouldn’t let me log in for a whole day
Do any password managers have a way to auto-rotate all your passwords? Then set up a scheduled rotation once a year?
Fwiw sessions almost always expire after a short period of time.. often 20mins.. almost always in less than a couple of days.. not 100% but anyway . I haven't seen lastpass put any querystring part of the url into the vault... Anybody else.?
Yeesh… Such a train wreck 🤦♂️
So I use a 60 character password for LastPass, do you think I'm OK?
I also purposely stripped URLs down to the main domain name as I've had issues with it not auto populating or filling in because the site has changed the sub directories. Either way I'm planning to move and I'm a paying customer.
I’ve always been saying password managers are just a beacon for hackers
LastPass is proprietary, there's no reason to use it as a password manager
I’m not sure why people are on the bitwarden wagon. If they get the encrypted database, we are all still in the same boat - the only thing that stands between the data and the hackers is a password. 1Password solved this issue with having the recovery key. Why are more password managers not using this?
Are there any password managers that auto change your current passwords for each site?
while this would be awesome, i think this would be rather hard, since the process of changing passwords differ a lot between different sites and would be difficult to automate (and of course, only doing it in the password manager would just lock you out of your accounts :P)
I know LastPass gave you the option to choose "change all passwords" and the platform would TRY to do it for you. But it sucked and didn't work well.
I have switched from LastPass to Bitwarden when the first breach was announced. Does anyone have a recommendation on an MFA app that would be a good replacement for LastPass Auth or Authy?
Believe it or not, Bitwarden itself will do MFA for you. You just have to add the shared secret to the site like you would a password, and it'll generate codes for you, and even let you copy them like you can the username or password. It's putting all the eggs in one basket, which may or may not be a good idea, but it does do it.
Aegis Authenticator is great if you'd rather not do what Trevor mentioned! I enjoy it because it can do automatic encrypted backups.
@ken-rx6hb That actually does sound like a darn good feature! I'll have to check it out for the couple of MFAs I'd like to keep outside of Bitwarden
+1 to Aegis, it's really good, check it out.
Could you post a link to the original review please ?
would making your own password server be better at this point ?
What is better password manager or usb key like yubi key?
I use LastPass with 2fa. Wouldn't the 2fa further protect the encrypted data, even if they could brute force the master password?
I don't believe so. 2FA protects against logging into the LastPass website/services. If hackers have the vault it's just the encryption keeping it safe.
Maybe you could start by explaining what last pass is.
You must be new here 😊 I've talked about LastPass in previous videos! It's a password manager. If you don't know what a password manager is, I would recommend checking out my previous videos where I break down "what is a password manager"
Ditched them :P Thanks Shannon !
Great info. Also... I want that shirt
I got it from Hot Topic a while back!
I bet the hacker is a nice person who just learned his skills from some RUclips channel for “education purpose” 🙄
I'm sorry, that's what they call a zero knowledge architecture? lmao
Down with last pass, got rid of my account
SO SOOO many young people I've discussed this with are hostile to the very concept that these sorts of services can be compromised. They are utterly certain they can't be pwned.
Hi I'm from Malaysia to see your video👋🏻🇲🇾😊
Hello 😊
@ShannonMorse Hello 😊
Cool sponsor, bro.
Nice video Shannon
This is good info, but I am not sure why this means you should switch from LastPass to some other software. Just because there is a single data breach, it doesn't mean that it's going to happen again, just like it doesn't mean that other password managers cannot have a data breach in the future. Like, I really don't see a fundamental reason one would have for switching away from any password manager in case of a breach like this. Changing your passwords? Sure. But switching away?
Can't have a data breach if all of your data is stored locally. Well you can, but it's a bit more difficult.
Because they are at the Pinnacle of the security environment. Because they are trusted, completely, to be better. Not just better-the best. Better than say a Home Depot. Their one, single, solitary, goal in life is security. Home Depot's goal is to sell screwdrivers. If they mess up on security.... Well that's disappointing but they're a hardware store after all. If the bar for LastPass is nearly as low. Well, it's your data. But last pass is fort knox. They hold the keys to your digital kingdom.
@joshuapk9808 If the reason to switch from LP is because it is an online password manager, then this has nothing to do with the breach. That's not what the video says.
@mschwage LastPass, unlike those other solutions that are far less known, is used by millions upon millions of people. The fact that there was just one breach is, honestly, very impressive.
It's not argument against using them. if anything, it's an argument for sticking with them. Because I don't think that it is reasonable to assume that a password manager used by millions of people is only acceptable if there are literally no breaches of security ever. This would be a very unreasonable and unrealistic requirement.
Could they have handled this situation better? Sure. But is it an argument to switch away? I don't think so.
And even what you say about Fort Knox - this argument has nothing to do with the breach. It's an argument you can make even before any breach. So, again, I ask - why should one switch from LastPass in light of the breach?
And the way I would answer my own question is that there are no reasons to switch away that weren't true before the breach.
@LouigiVerona Forgive me, I remain less than impressed. But you are correct, there are no reasons to switch away after the breach that weren't true before the breach. Which is why, after witnessing one too many data breaches across the tech landscape, years prior to this event, I had the following heart-to-heart with myself: "Yo, self?" "Yeah" "You see this landscape of technologies that are littered with the corpses of breached data security solutions/protocols/methodologies?" "You mean, the ones that were described as Sooper Seekrit Secure? The ones once trusted by millions of people?" "Yeah, those." "I see that landscape, yes." "So... how do you feel about leaving your most absolutely precious secrets in the hands of a company probably not very different from any of them?" "...ehm, not so good, I guess?" "Right, how about we change that, eh mate?" And I did. And I dodged the whole friggin issue.
In this case, I hate being right. And I feel bad for the poor millions that continue to put their faith in LastPass. Especially after the milquetoast response from the company, which should know better. No, my secrets are safer elsewhere, as are yours. But if you and the multitude continue to have faith and trust in that company... well, may God have mercy on your souls and on your various bank, credit, and other assorted personal accounts.
mschwage out. Best of luck to you.
Foolish people rely on password managers. The intelligent ones make use of mnemonics. Passwords can be a simple function of 4 parameters that are public and that you don't need to memorize, for example.
I stopped using them when they went from free to paid >:(
I'm unable to join the discord from the link provided in the membership tab, invitation is expired :(
Thanks for bringing that to my attention! Which membership did you join? YT, BuyMeaCoffee or Patreon?
@ShannonMorse through YT
IMO that hack was an inside job.
*No evidence?*
where did you get your t-shirt from?
Hot Topic!
@ShannonMorse thank you
Interested, please.
When everyone and their cousin told me to use LastPass... I refused because I don't trust anyone who claims they can keep my password secure behind a password.
Thanks for the video. 73
Yubikeys worry me. Life events happen. You lose a key. OK, you've got a backup in the safe. You're good. What if you have a house fire? Not all devices are safe, even in a safe, from smoke and the pure heat that is created. So now you have to keep a Yubikey off site. But how do you keep it in sync? All these thoughts to ensure I have a way to recover should something drastic happen have prevented me from taking the plunge. Everyone says get a Yubikey. But they don't cover all the what-if scenarios.
You don't have to "keep it in sync". Once it's set up on a website as a backup, it's done. You can then log into said website anytime with any of your yubikeys.
@ShannonMorse I mean having one Yubikey is a risk. How do you keep it backed up and one offsite? You lose the key, you're screwed, so that's high risk. Now if you back it up locally to another key you lower the risk. You are however open to theft, fires etc. even if in a safe. So you have to keep one offsite.
House keys worry me. What if I'm away from home and I drop it down an open sewer grate? I could make up other scenarios but yes keys are keys like any other key. We've been using them for millennia. Now they just have little copper traces on them, and chips inside. I carry my yubikey on my key ring, along with my house key. I have it in a little leather pouch, lassoed to it so it won't fall out.
@mschwage so you have just 1? They are tech gear and capable of failing, then what?
@thestreamreader no I have 2, kept at different addresses.
The first and biggest problem is trusting them to store your passwords. In the cloud. Never.
wtf is this pleb stuff? a pwd vault? imagine trusting a pwd lol
Seems like a bit of a nothing burger to me. The session ID would have to still be active for it to matter at all. So you have to be worrying about someone getting into your account on a website that still has your session active since you created the login. And you have to have created that login before the LastPass breach... in August 2022. Any website that stores the session ID in the query string and keeps it active for over 6 months isn't taking security seriously anyway and this won't be the route taken when someone hacks into that account.
Exactly, how does this not come up in the video?
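The check a vault owner would actually want after the point raised above, as an added example that is not code from the video or from LastPass: scan a password-manager export for saved URLs whose query string (or path) carries a session-like token, so those sessions can be logged out and the stored URLs trimmed. The CSV layout is a constructed stand-in (column names assumed) and the token-name list is a heuristic assumption, not an exhaustive one.

```python
"""Flag saved vault URLs that carry a session-like token (added example)."""
import csv
import io
from urllib.parse import urlsplit, parse_qsl

# Substrings that commonly appear in session/auth parameter names (assumed heuristic list).
SESSION_PARAM_HINTS = ("session", "sessid", "sid", "token", "auth")

# Constructed sample export mimicking "url,username,password,name" columns; not real data.
SAMPLE_EXPORT = """url,username,password,name
https://shop.example.com/account?PHPSESSID=abc123def456,alice,hunter2,shop
https://bank.example.com/login,alice,correcthorse,bank
https://forum.example.com/index.php?topic=42&session_id=zz9plural,alice,pw,forum
https://mail.example.com/inbox;jsessionid=7F3A,alice,pw,mail
"""


def looks_like_session_param(name: str) -> bool:
    """True if a query parameter name matches one of the session-token hints."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_PARAM_HINTS)


def find_session_tokens(url: str) -> list:
    """Return (param, value) pairs in url whose name looks like a session token."""
    parts = urlsplit(url)
    found = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if looks_like_session_param(name):
            found.append((name, value))
    # Java-style ";jsessionid=..." lives in the path, not the query string, so check it too.
    if ";jsessionid=" in parts.path.lower():
        found.append(("jsessionid", parts.path.split(";", 1)[1].split("=", 1)[1]))
    return found


def scan_export(csv_text: str) -> dict:
    """Map each vault entry name to its flagged tokens; clean entries are omitted."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = find_session_tokens(row["url"])
        if hits:
            flagged[row["name"]] = hits
    return flagged


if __name__ == "__main__":
    for entry, hits in scan_export(SAMPLE_EXPORT).items():
        print(f"{entry}: log out active sessions and strip token(s) from saved URL: {hits}")
```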
I dumped LastPass with their last price hike of 30%. Went with Bitwarden and chose to pay $10/yr for all the same features.
👏👏👏