PSA - LastPass breach!

samsoes
Posts: 2802
Joined: Tue Mar 05, 2013 8:12 am
Location: Northeast Rat Race

Post by samsoes »

Passing this along as a PSA. Received it shortly before 9 p.m. EDT this evening.

Dear valued customer,

We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.

In response, we immediately initiated an investigation, deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.

Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We will continue to update our customers with the transparency they deserve.

We have set up a blog post dedicated to providing more information on this incident: https://blog.lastpass.com/2022/08/notic ... -incident/

We thank you for your patience as we work expeditiously to complete our investigation and regret any concerns this may have caused you.

Sincerely,
The Team at LastPass

I guess it's time to change my master password. (I am a Premium LP customer using Yubikey as my 2FA.) Any recommendations as to other actions LP customers should take?
"Happiness Is Not My Companion" - Gen. Gouverneur K. Warren. | (Avatar is the statue of Gen. Warren atop Little Round Top @ Gettysburg National Military Park.)
CFM300
Posts: 2541
Joined: Sat Oct 27, 2007 5:13 am

Re: PSA - LastPass breach!

Post by CFM300 »

samsoes wrote: Thu Aug 25, 2022 8:46 pm Any recommendations as to other actions LP customers should take?
From the FAQ that is linked in your original post:

"At this time, we don’t recommend any action on behalf of our users or administrators."

FAQs

1. Has my Master password or the Master Password of my users been compromised?

No. This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password. You can read about the technical implementation of Zero Knowledge here.

2. Has any data within my vault or my users’ vaults been compromised?

No. This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data.

3. Has any of my personal information or the personal information of my users been compromised?

No. Our investigation has shown no evidence of any unauthorized access to customer data in our production environment.

4. What should I do to protect myself and my vault data?

At this time, we don’t recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass which can be found here.
samsoes
Posts: 2802
Joined: Tue Mar 05, 2013 8:12 am
Location: Northeast Rat Race

Re: PSA - LastPass breach!

Post by samsoes »

CFM300 wrote: Thu Aug 25, 2022 8:52 pm
samsoes wrote: Thu Aug 25, 2022 8:46 pm Any recommendations as to other actions LP customers should take?
From the FAQ that is linked in your original post:

"At this time, we don’t recommend any action on behalf of our users or administrators."

FAQs

1. Has my Master password or the Master Password of my users been compromised?

No. This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password. You can read about the technical implementation of Zero Knowledge here.

2. Has any data within my vault or my users’ vaults been compromised?

No. This incident occurred in our development environment. Our investigation has shown no evidence of any unauthorized access to encrypted vault data. Our zero knowledge model ensures that only the customer has access to decrypt vault data.

3. Has any of my personal information or the personal information of my users been compromised?

No. Our investigation has shown no evidence of any unauthorized access to customer data in our production environment.

4. What should I do to protect myself and my vault data?

At this time, we don’t recommend any action on behalf of our users or administrators. As always, we recommend that you follow our best practices around setup and configuration of LastPass which can be found here.
I view that as lawyer-induced damage control and don't trust it for a minute.
RubyTuesday
Posts: 2241
Joined: Fri Oct 19, 2012 11:24 am

Re: PSA - LastPass breach!

Post by RubyTuesday »

IMO, this is why you use a system like this:

They don’t store your master password.

They support hardware based strong 2fa

They timely report on issues.
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
CFM300
Posts: 2541
Joined: Sat Oct 27, 2007 5:13 am

Re: PSA - LastPass breach!

Post by CFM300 »

samsoes wrote: Thu Aug 25, 2022 8:55 pm I view that as lawyer-induced damage control and don't trust it for a minute.
Oh. In that case I recommend that you switch to a different password manager that you do trust.
mptfan
Posts: 7217
Joined: Mon Mar 05, 2007 8:58 am

Re: PSA - LastPass breach!

Post by mptfan »

samsoes wrote: Thu Aug 25, 2022 8:55 pm I view that as lawyer-induced damage control and don't trust it for a minute.
You trust a part of what they said but distrust another part? Interesting. I've done quite a bit of research about password managers, and I think the answers they provided in their FAQ are accurate.
samsoes
Posts: 2802
Joined: Tue Mar 05, 2013 8:12 am
Location: Northeast Rat Race

Re: PSA - LastPass breach!

Post by samsoes »

mptfan wrote: Thu Aug 25, 2022 8:59 pm
samsoes wrote: Thu Aug 25, 2022 8:55 pm I view that as lawyer-induced damage control and don't trust it for a minute.
You trust a part of what they said but distrust another part? Interesting. I've done quite a bit of research about password managers, and I think the answers they provided in their FAQ are accurate.
I don't trust any of the assuaging. If it truly was a nothing burger, then there is no need for a notification. (When I was a developer for a large US financial market firm, developer accounts didn't have passwords.)

Has anyone else here received this email?
CFM300
Posts: 2541
Joined: Sat Oct 27, 2007 5:13 am

Re: PSA - LastPass breach!

Post by CFM300 »

samsoes wrote: Thu Aug 25, 2022 9:03 pm Has anyone else here received this email?
I did, this morning.
quietseas
Posts: 901
Joined: Fri Dec 27, 2013 3:43 pm

Re: PSA - LastPass breach!

Post by quietseas »

samsoes wrote: Thu Aug 25, 2022 9:03 pm
mptfan wrote: Thu Aug 25, 2022 8:59 pm
samsoes wrote: Thu Aug 25, 2022 8:55 pm I view that as lawyer-induced damage control and don't trust it for a minute.
You trust a part of what they said but distrust another part? Interesting. I've done quite a bit of research about password managers, and I think the answers they provided in their FAQ are accurate.
I don't trust any of the assuaging. If it truly was a nothing burger, then there is no need for a notification. (When I was a developer for a large US financial market firm, developer accounts didn't have passwords.)

Has anyone else here received this email?
What you are missing is that they probably didn't need to make this notification (and your former employer probably would not have done so). They chose to do it. The fact that they DID disclose a nothing-burger should help build confidence that they will disclose a much more serious problem if there ever is one in the future.

The way the announcement is worded it very easily could have been an inside perpetrator (such as a former or now-former employee).
mptfan
Posts: 7217
Joined: Mon Mar 05, 2007 8:58 am

Re: PSA - LastPass breach!

Post by mptfan »

quietseas wrote: Thu Aug 25, 2022 9:09 pm What you are missing is that they probably didn't need to make this notification (and your former employer probably would not have done so). They chose to do it. The fact that they DID disclose a nothing-burger should help build confidence that they will disclose a much more serious problem if there ever is one in the future.
I agree with this.
CFM300
Posts: 2541
Joined: Sat Oct 27, 2007 5:13 am

Re: PSA - LastPass breach!

Post by CFM300 »

samsoes wrote: Thu Aug 25, 2022 8:55 pm I view that as lawyer-induced damage control and don't trust it for a minute.
If users needed to change their master password to protect their accounts, LastPass would have sent an urgent message recommending such. There's no "damage control" by telling people they don't need to take action, if in fact they do.
stocknoob4111
Posts: 3509
Joined: Sun Jan 07, 2018 11:52 am

Re: PSA - LastPass breach!

Post by stocknoob4111 »

Security at most enterprises is a joke... because the management hires clueless unskilled people.
Invest4lt
Posts: 328
Joined: Sat Jul 15, 2017 12:25 pm

Re: PSA - LastPass breach!

Post by Invest4lt »

mptfan wrote: Thu Aug 25, 2022 9:14 pm
quietseas wrote: Thu Aug 25, 2022 9:09 pm What you are missing is that they probably didn't need to make this notification (and your former employer probably would not have done so). They chose to do it. The fact that they DID disclose a nothing-burger should help build confidence that they will disclose a much more serious problem if there ever is one in the future.
I agree with this.
This, exactly. As I see it, the OP's concern serves FUD without warrant since things are being stated or implied without any basis. As said, this appears to be a big “nothing burger.”
"People sometimes fail to live because they are always preparing to live." - Alan Watts
ram
Posts: 2281
Joined: Tue Jan 01, 2008 9:47 pm
Location: Midwest

Re: PSA - LastPass breach!

Post by ram »

I received the same email today.
Ram
StevieG72
Posts: 2214
Joined: Wed Feb 05, 2014 8:00 pm

Re: PSA - LastPass breach!

Post by StevieG72 »

Does a nothing burger come with fries?
Fools think their own way is right, but the wise listen to others.
mptfan
Posts: 7217
Joined: Mon Mar 05, 2007 8:58 am

Re: PSA - LastPass breach!

Post by mptfan »

StevieG72 wrote: Thu Aug 25, 2022 9:48 pm Does a nothing burger come with fries?
It comes with nothing fries.
squirrel1963
Posts: 1253
Joined: Wed Jun 21, 2017 10:12 am
Location: Portland OR area

Re: PSA - LastPass breach!

Post by squirrel1963 »

RubyTuesday wrote: Thu Aug 25, 2022 8:56 pm IMO, this is why you use a system like this:

They don’t store your master password.

They support hardware based strong 2fa

They timely report on issues.
I agree.
I used both Lastpass and 1password in Corp settings and in general much prefer Lastpass.
And I much prefer Lastpass because it provides for 2FA unlike an offline password manager which by definition cannot.
LMP | Liability Matching Portfolio | safe portfolio: TIPS ladder + I-bonds + Treasuries | risky portfolio: US stocks / US REIT / International stocks
plutoblackhole
Posts: 180
Joined: Sat Feb 20, 2021 6:40 pm
Location: Kuiper Belt

Re: PSA - LastPass breach!

Post by plutoblackhole »

squirrel1963 wrote: Thu Aug 25, 2022 10:06 pm
RubyTuesday wrote: Thu Aug 25, 2022 8:56 pm IMO, this is why you use a system like this:

They don’t store your master password.

They support hardware based strong 2fa

They timely report on issues.
I agree.
I used both Lastpass and 1password in Corp settings and in general much prefer Lastpass.
And I much prefer Lastpass because it provides for 2FA unlike an offline password manager which by definition cannot.
Time-based One-time Passwords (TOTP) don’t require an Internet connection of any sort to function, so nothing stops an offline password manager from providing 2FA codes. Whether it’s a good idea to merge 2FA and your password manager is another question.
German Expat
Moderator
Posts: 961
Joined: Fri Oct 16, 2009 10:49 pm

Re: PSA - LastPass breach!

Post by German Expat »

Whoever stole their code probably threatened to go public if they don’t pay up. So they had to go public.

As long as nobody inserted malicious code via the dev login that was hijacked and this code made it into production things should be safe. The company is able to figure this out and I assume it did not happen so your passwords and master are ok as long as they are not blatantly lying (doubt this very much).
quietseas
Posts: 901
Joined: Fri Dec 27, 2013 3:43 pm

Re: PSA - LastPass breach!

Post by quietseas »

German Expat wrote: Fri Aug 26, 2022 9:08 am Whoever stole their code probably threatened to go public if they don’t pay up. So they had to go public.
Yes, that's another possibility.
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: PSA - LastPass breach!

Post by telemark »

The main risk I see here is that, with the source code, the thieves could build and distribute their own functioning copy of the LastPass client, along with whatever malicious additions they chose to include. So the actionable part would be to double-check where you are downloading your updates from.

Somehow I had gotten the idea that LastPass was already open source, but obviously that isn't the case.
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: PSA - LastPass breach!

Post by rebellovw »

Not sure of the point of this thread or “service” since LP has notified its user base of the issue, which is the absolute point of a security system that is always being attacked for weaknesses.
HawkeyePierce
Posts: 2351
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: PSA - LastPass breach!

Post by HawkeyePierce »

telemark wrote: Fri Aug 26, 2022 9:46 am The main risk I see here is that, with the source code, the thieves could build and distribute their own functioning copy of the LastPass client, along with whatever malicious additions they chose to include. So the actionable part would be to double-check where you are downloading your updates from.

Somehow I had gotten the idea that LastPass was already open source, but obviously that isn't the case.
Given the rise of code signing, this is not much of a risk.

Overall this whole event is a non-issue.
Blues
Posts: 2501
Joined: Wed Dec 10, 2008 10:58 am
Location: Blue Ridge Mtns

Re: PSA - LastPass breach!

Post by Blues »

I still have confidence that LP is safe and secure...but I changed my master password anyway...just as I do with other important sites when they have experienced any security related issues.

Necessary? Maybe not. But...along with 2FA, it's comforting.
Uncle Morris
Posts: 197
Joined: Sun Jul 12, 2020 8:13 pm

Re: PSA - LastPass breach!

Post by Uncle Morris »

So, techies on this forum, what might the bad guys do with stolen source code and the other proprietary information they took?
Pete12
Posts: 607
Joined: Tue Jun 28, 2016 3:17 pm

Re: PSA - LastPass breach!

Post by Pete12 »

This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
homebuyer6426
Posts: 1830
Joined: Tue Feb 07, 2017 8:08 am

Re: PSA - LastPass breach!

Post by homebuyer6426 »

Uncle Morris wrote: Fri Aug 26, 2022 12:15 pm So, techies on this forum, what might the bad guys do with stolen source code and the other proprietary information they took?
The bad guys will search the code for vulnerabilities they could exploit to gain access. They may or may not find them. Think of it like a team of commandos stealing a map of a military base they're planning to attack.
45% Total Stock Market | 52% Consumer Staples | 3% Short Term Reserves
mmse
Posts: 122
Joined: Sun Mar 01, 2015 11:18 am
Location: California

Re: PSA - LastPass breach!

Post by mmse »

HawkeyePierce wrote: Fri Aug 26, 2022 10:44 am
telemark wrote: Fri Aug 26, 2022 9:46 am The main risk I see here is that, with the source code, the thieves could build and distribute their own functioning copy of the LastPass client, along with whatever malicious additions they chose to include.
Given the rise of code signing, this is not much of a risk.
So if an intruder impersonated a developer and submitted some malicious code changes for integration, test and release, the release engineer or the automated process will happily sign the release that passed all the tests. How does code signing help here?

See SolarWinds example:
https://krebsonsecurity.com/2021/01/sol ... it-others/
Toons
Posts: 14467
Joined: Fri Nov 21, 2008 9:20 am
Location: Hills of Tennessee

Re: PSA - LastPass breach!

Post by Toons »

Do Not Fret
:happy
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: PSA - LastPass breach!

Post by rebellovw »

Pete12 wrote: Fri Aug 26, 2022 12:20 pm This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
It's not just about passwords and having access - it is about having complicated - hard to figure out/hack passwords (even usernames - I use LP for Username and PW) - and different passwords for all your accounts - and having a system that detects bad passwords and breaches (ex darkweb password leaks.)

A Password Manager is an essential piece for strong security - no Security Expert will deny this.
tarheel91
Posts: 198
Joined: Sat Jul 15, 2017 11:27 pm

Re: PSA - LastPass breach!

Post by tarheel91 »

There are about 3-4 financial accounts I want to protect. I put them on a local keepass(xc) db. Not a big deal maintaining or backing them up. I don't put these few accounts on cloud services like Lastpass no matter how assuring they are. The rest of my passwords are on Lastpass (including gmail). And I'm going to take a serious look at migrating, after this breach.

Maybe I'm naive about online security. If you think Lastpass is being truthful/trustful and want to trust them ... it's your game.
quietseas
Posts: 901
Joined: Fri Dec 27, 2013 3:43 pm

Re: PSA - LastPass breach!

Post by quietseas »

tarheel91 wrote: Fri Aug 26, 2022 12:48 pm There are about 3-4 financial accounts I want to protect. I put them on a local keepass(xc) db. Not a big deal maintaining or backing them up. I don't put these few accounts on cloud services like Lastpass no matter how assuring they are. The rest of my passwords are on Lastpass (including gmail). And I'm going to take a serious look at migrating, after this breach.
Do you think other password manager developers are disclosing every breach or compromise to their customers?
tarheel91
Posts: 198
Joined: Sat Jul 15, 2017 11:27 pm

Re: PSA - LastPass breach!

Post by tarheel91 »

quietseas wrote: Fri Aug 26, 2022 1:19 pm
tarheel91 wrote: Fri Aug 26, 2022 12:48 pm There are about 3-4 financial accounts I want to protect. I put them on a local keepass(xc) db. Not a big deal maintaining or backing them up. I don't put these few accounts on cloud services like Lastpass no matter how assuring they are. The rest of my passwords are on Lastpass (including gmail). And I'm going to take a serious look at migrating, after this breach.
Do you think other password manager developers are disclosing every breach or compromise to their customers?
The distinct difference I was trying to point out is that trusting financial accounts with an online password manager like Lastpass is a risk.

Anything 'online' is vulnerable.

For the moment, I'm comfortable with keeping 3-4 important financial accounts within my control, with a local keepass db.

Of course, it doesn't protect against everything, like ACATS fraud and stuff.

Best we can do is to close as many holes.
McDougal
Posts: 557
Joined: Tue Feb 27, 2018 2:42 pm
Location: Atlanta

Re: PSA - LastPass breach!

Post by McDougal »

Pete12 wrote: Fri Aug 26, 2022 12:20 pm This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
Hopefully you'll be able to still read your own handwriting as you get older. I know mine is now harder to read - and I'm a pharmacist!
khh
Posts: 343
Joined: Sat Dec 27, 2008 9:31 pm

Re: PSA - LastPass breach!

Post by khh »

Pete12 wrote: Fri Aug 26, 2022 12:20 pm This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
Same. I write them down on an old Palm Tungsten with no internet connection.
schmitz
Posts: 343
Joined: Thu Sep 01, 2011 5:21 pm

Re: PSA - LastPass breach!

Post by schmitz »

Pete12 wrote: Fri Aug 26, 2022 12:20 pm This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
What if the notebook gets destroyed?
Florida Orange
Posts: 1166
Joined: Thu Jun 16, 2022 2:22 pm

Re: PSA - LastPass breach!

Post by Florida Orange »

LastPass has a history of being very open about any security problems. I don't think it's more serious than they're telling us.
tuningfork
Posts: 885
Joined: Wed Oct 30, 2013 8:30 pm

Re: PSA - LastPass breach!

Post by tuningfork »

Lastpass was just one of over a hundred sites affected by a recent breach at Twilio. Authy, Doordash, and Signal are some others you may have heard of. You can read more about it here: https://arstechnica.com/information-tec ... s-growing/

From the article:
If there's a lesson in this whole mess, it's that not all 2FA is equal. One-time passwords sent by SMS or generated by authenticator apps are as phishable as passwords are, and that's what allowed the threat actors to bypass this last form of defense against account takeovers.

One company that was targeted but didn't fall victim was Cloudflare. The reason: Cloudflare employees relied on 2FA that used physical keys such as Yubikeys, which can't be phished. Companies spouting the tired mantra that they take security seriously shouldn't be taken seriously unless physical key-based 2FA is a staple of their digital hygiene.
quietseas
Posts: 901
Joined: Fri Dec 27, 2013 3:43 pm

Re: PSA - LastPass breach!

Post by quietseas »

tuningfork wrote: Fri Aug 26, 2022 6:51 pm Lastpass was just one of over a hundred sites affected by a recent breach at Twilio. Authy, Doordash, and Signal are some others you may have heard of. You can read more about it here: https://arstechnica.com/information-tec ... s-growing/

From the article:
If there's a lesson in this whole mess, it's that not all 2FA is equal. One-time passwords sent by SMS or generated by authenticator apps are as phishable as passwords are, and that's what allowed the threat actors to bypass this last form of defense against account takeovers.

One company that was targeted but didn't fall victim was Cloudflare. The reason: Cloudflare employees relied on 2FA that used physical keys such as Yubikeys, which can't be phished. Companies spouting the tired mantra that they take security seriously shouldn't be taken seriously unless physical key-based 2FA is a staple of their digital hygiene.
This is the same breach Lastpass sent the email out about. From the linked article:
LastPass said the same threat actor used data taken from Twilio to gain unauthorized access through a single compromised developer account to portions of the password manager's development environment. From there, the phishers "took portions of source code and some proprietary LastPass technical information." LastPass said that master passwords, encrypted passwords and other data stored in customer accounts, and customers' personal information weren't affected. While the LastPass data known to be obtained isn't especially sensitive, any breach involving a major password management provider is serious, given the wealth of data it stores.
Pacific
Posts: 1609
Joined: Tue Mar 06, 2007 7:19 pm
Location: Lost in the middle of the Pacific

Re: PSA - LastPass breach!

Post by Pacific »

samsoes wrote: Thu Aug 25, 2022 9:03 pm
mptfan wrote: Thu Aug 25, 2022 8:59 pm
samsoes wrote: Thu Aug 25, 2022 8:55 pm I view that as lawyer-induced damage control and don't trust it for a minute.
You trust a part of what they said but distrust another part? Interesting. I've done quite a bit of research about password managers, and I think the answers they provided in their FAQ are accurate.
I don't trust any of the assuaging. If it truly was a nothing burger, then there is no need for a notification. (When I was a developer for a large US financial market firm, developer accounts didn't have passwords.)

Has anyone else here received this email?
Yes. Last night.
I view that as lawyer-induced damage control and don't trust it for a minute.
Seems to me that the easiest thing for LP to do was to tell everyone to change their MPW and all other PWs, but it didn't. Therefore, I am inclined to trust its answers. If its answers are not correct, it is putting itself even more at risk.
WGP3
Posts: 30
Joined: Sat Sep 12, 2020 11:58 am

Re: PSA - LastPass breach!

Post by WGP3 »

Pete12 wrote: Fri Aug 26, 2022 12:20 pm This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
I can appreciate that analog approach. Am curious though - do you have to carry the notebook around with you wherever you go?
Watty
Posts: 28859
Joined: Wed Oct 10, 2007 3:55 pm

Re: PSA - LastPass breach!

Post by Watty »

Pete12 wrote: Fri Aug 26, 2022 12:20 pm This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
+1

I have not dug into it but I would have to wonder if your password manager was compromised if a financial institution would cover any loss.

I keep mine in an encrypted USB thumb drive and as an additional measure for some accounts I only record a clue to jog my memory about what some of the passwords are.

Frankly most passwords are so easy to reset (and likely too easy) that if I forget one it can be reset in a minute or two so I don't worry about keeping track of them much.
Uncle Morris wrote: Fri Aug 26, 2022 12:15 pm So, techies on this forum, what might the bad guys do with stolen source code and the other proprietary information they took?
Retired computer programmer here, but I always worked on unrelated business systems so I am not a security guru.

One way that I can see where having the source code could be useful to a bad guy is that if they ever got access to your system through something like a virus or malware, then they might be able to replace or modify the actual password manager software with their version, which would capture all your password information.
tarheel91
Posts: 198
Joined: Sat Jul 15, 2017 11:27 pm

Re: PSA - LastPass breach!

Post by tarheel91 »

Pacific wrote: Fri Aug 26, 2022 7:01 pm If its answers are not correct, it is putting itself even more at risk.
Interesting perspective. Puts itself at risk (even more as you put it) or puts you at risk?
tarheel91
Posts: 198
Joined: Sat Jul 15, 2017 11:27 pm

Re: PSA - LastPass breach!

Post by tarheel91 »

Fact of the matter is, guys ... there has been a breach at Lastpass.

Whether it's in the dev environment or staging or production is logistical. There has been a breach. It wouldn't have come out otherwise.

Change your master password, people. Especially if you have your financial stuff in there.
Pacific
Posts: 1609
Joined: Tue Mar 06, 2007 7:19 pm
Location: Lost in the middle of the Pacific

Re: PSA - LastPass breach!

Post by Pacific »

tarheel91 wrote: Fri Aug 26, 2022 9:42 pm
Pacific wrote: Fri Aug 26, 2022 7:01 pm If its answers are not correct, it is putting itself even more at risk.
Interesting perspective. Puts itself at risk (even more as you put it) or puts you at risk?
Liability wise, puts LP itself more at risk, I would think:

Hey, Judge, LP notified me of the breach, so I went to their site to see if I should change my MPW, but LP told me no need to do so!
Pete12
Posts: 607
Joined: Tue Jun 28, 2016 3:17 pm

Re: PSA - LastPass breach!

Post by Pete12 »

schmitz wrote: Fri Aug 26, 2022 3:51 pm
Pete12 wrote: Fri Aug 26, 2022 12:20 pm This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
What if the notebook gets destroyed?
I would have to spend an afternoon resetting all my passwords. For me, it’s a risk I am prepared to take.
Pete12
Posts: 607
Joined: Tue Jun 28, 2016 3:17 pm

Re: PSA - LastPass breach!

Post by Pete12 »

WGP3 wrote: Fri Aug 26, 2022 8:57 pm
Pete12 wrote: Fri Aug 26, 2022 12:20 pm This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
I can appreciate that analog approach. Am curious though - do you have to carry the notebook around with you wherever you go?
I only bring the notebook with me if I am going out of town for a few days or more. Otherwise it stays in my fireproof safe at home.
ThankYouJack
Posts: 5704
Joined: Wed Oct 08, 2014 7:27 pm

Re: PSA - LastPass breach!

Post by ThankYouJack »

Pete12 wrote: Fri Aug 26, 2022 12:20 pm This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
Do you save passwords in your browser? Or every time you need to login to a site, do you have to go into your safe, get your notebook, find your password and type it into your phone or computer?
Pete12
Posts: 607
Joined: Tue Jun 28, 2016 3:17 pm

Re: PSA - LastPass breach!

Post by Pete12 »

ThankYouJack wrote: Sat Aug 27, 2022 8:07 am
Pete12 wrote: Fri Aug 26, 2022 12:20 pm This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
Do you save passwords in your browser? Or every time you need to login to a site, do you have to go into your safe, get your notebook, find your password and type it into your phone or computer?
I do not save passwords on the computer browser. I have memorized most of my passwords for sites I use every day.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: PSA - LastPass breach!

Post by anon_investor »

Pete12 wrote: Sat Aug 27, 2022 8:29 am
ThankYouJack wrote: Sat Aug 27, 2022 8:07 am
Pete12 wrote: Fri Aug 26, 2022 12:20 pm This is why I don't use password managers... just another thing that could be hacked. I use a good old fashioned notebook where my passwords are written down in my terrible handwriting that no-one else can read. This may be heresy to some here but it works for me!
Do you save passwords in your browser? Or every time you need to login to a site, do you have to go into your safe, get your notebook, find your password and type it into your phone or computer?
I do not save passwords on the computer browser. I have memorized most of my passwords for sites I use every day.
Why not use an offline password manager like keepass?