Lastpass breach included customers’ encrypted vaults

I prefer to pay someone else to be the expert than try to be it myself. The trick is in picking someone who is an expert. Not being an expert can make it hard to recognise experts, so it’s a tricky game.

5 Likes

That worked well for LastPass users. :grin:

which also stores all your data in the cloud, so it’s a matter of “when” not “if” they breach that.

There is no safe place in the cloud.

I see the people affected most were users that are still using weak/repeated passwords; they were just brute forced and the hackers got access to their vaults.
Encryption helps keep it safe for a bit, but even that is a question of months or a few years until the protocol shows a bug, or they brute force the hash and then all the rest are vulnerable as well.

I may be very very old fashioned but I use Vaultwarden to self-host my passwords. Storing them on someone else’s computer is just way too risky.

2 Likes

LastPass has had a history of security breaches. As far as I know 1pass has not.

As somebody who is somewhat security and privacy minded, I’m a fan of 1pass. I tell friends and family to use 1pass for their password manager.

3 Likes

I’ve been happy with the Strongbox app on Mac and iPhone. I manually sync its database from Mac to iPhone via USB cable. I’ve not heard of Vaultwarden and did not consider it as one of the possibilities when I moved away from 1Password v7. But I like to be aware of what’s available so I’ll take a look. :slightly_smiling_face:

EDIT:

Looks like Vaultwarden is a variant of the Bitwarden open source software but implemented using the Rust platform. Cool.

Also, privacy guides is a good resource and has multiple options including 1pass

Will you share how you manage/save your passwords without a password manager?

I would like to find a better way than 1Password. I use that along with Keychain Access.

It is. I run it on a Raspberry Pi in a Docker container, and it’s been rock solid for me for over a year now, no issues whatsoever.

2 Likes

Is there any reason to think KeyChain is any more secure than 1Password?

1 Like

I quickly glanced over the article that @ChrisUpchurch posted, but I thought this quote was interesting. I need to dig into this a little more, but found this interesting.

“They should also make sure they’re using settings that exceed the LastPass default. Those settings hash stored passwords using 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a hashing scheme that can make it infeasible to crack master passwords that are long, unique, and randomly generated. The 100,100 iterations is woefully short of the 310,000-iteration threshold that OWASP recommends for PBKDF2 in combination with the SHA256 hashing algorithm used by LastPass. LastPass customers can check the current number of PBKDF2 iterations for their accounts here.”

Thanks for that. I’ve updated my Bitwarden iterations to 310,000. I’m not sure what it means, except higher is better! :slight_smile:

pbkdf2 is an algorithm for turning your password into a cryptographic key. It should (and does) produce a highly random “strong” key from even a weak password. It’s also designed to be deliberately time consuming to execute in order to counter password-guessing brute force attacks. The function is applied repeatedly (iterated) to increase the amount of time each password guess will take, so yeah, higher is indeed “better” :slight_smile:

Edit: I retyped pbkdf2 numerous times to try to thwart autocorrect and it still managed to get me :laughing:

3 Likes

For the curious, 1Password’s security model is meaningfully different than LastPass’ in ways that protect against scenarios like the unfortunate one discussed in this thread.

The security of most cloud-based password managers ensures that vault data on their servers is encrypted, which is great, but it’s solely encrypted using the account password, which is user-generated (vulnerable to weak password choice) and a singular point of failure (vulnerable to brute force attacks).

1Password’s security model relies on 2 separate encryption keys to safeguard your stuff: your account password, and your Secret Key. Neither is ever sent over the network to 1Password thanks to a third tactic (called SRP) that extends the industry-standard TLS protocol with yet another encryption key.

In short: there’s no single point of failure.

This is a large part of the reason that 1Password isn’t as big a target for hackers as you’d expect. That and the fact that 1Password undergoes consistent third-party security audits and offers the industry’s largest bug bounty to help ensure that any vulnerabilities are identified and dealt with long before they pose a threat to customer data.

Note: I work for 1Password so for obvious reasons I generally don’t participate in these threads. I don’t speak for the company and am not here on their behalf. Please remain skeptical of everything I (and anyone else) says and do your own research to make sure you’re comfortable with whatever solution you choose to use.

I’m only chiming in because I wouldn’t want folks to inadvertently put themselves in more danger as they react to this news. I think it’s important for everyone to do their due diligence and not judge all systems as identical and vulnerable to the same attacks just because they include a cloud component. :blush:

22 Likes

Thank you for sharing this Marius… and if my memory serves me well, Marius has been using 1Password well before working at 1Password

Independently, I did my research maybe five years ago when I was considering expanding 1Password to my family, and my research found there was nothing better than 1Password for our family’s use case.

2 Likes

That’s right! I’ve been using 1Password for a little over 10 years now and have been working there for less than a fifth of that time.

I am definitely no expert in terms of cybersecurity.

Just want to share something I read about Bitwarden, which a number of people are using.

3 Likes

Thanks for sharing. I had manually increased my iterations in Bitwarden to 300,000 after the LastPass debacle. I may increase to 600,000 based on that advice.

I store passwords in both iCloud Keychain and Bitwarden. I’m tempted now just to use Apple’s solution alone and hope they’re protecting the passwords well within a closed ecosystem.

1 Like

Replying to myself, I see in the Bitwarden documentation:

Changing the iteration count will re-encrypt the protected symmetric key and update the authentication hash, much like a normal master password change, but will not rotate the symmetric encryption key so vault data will not be re-encrypted. See here for information on re-encrypting your data.

and

Rotating your encryption key is a potentially dangerous operation.

Do I need to re-encrypt my vault after changing the iteration count, or is changing the iteration count alone enough?
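The PBKDF2 explanation earlier in the thread and the Bitwarden documentation quoted above describe the same key hierarchy, so here is an added, constructed model of it (not Bitwarden's, 1Password's or any other product's code): the master password is stretched with PBKDF2-HMAC-SHA256 into a master key, that master key only wraps a random vault key, and the vault key encrypts the vault data. The e-mail-as-salt choice and the toy HMAC-based cipher are assumptions of this model; the point it demonstrates is that changing the iteration count re-wraps the vault key while the vault ciphertext stays byte-for-byte the same.

```python
import hashlib, hmac, os, secrets

# Constructed model of a cloud password manager's key hierarchy (not Bitwarden's or
# 1Password's code): master password -> PBKDF2 -> master key, which only wraps a random
# vault key; that vault key, not the master key, encrypts the vault data itself.

def derive_master_key(password: str, email: str, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 as discussed above; the account e-mail is the salt in this model.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), iterations, 32)

def _subkeys(key: bytes) -> tuple:
    return tuple(hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC stream cipher; stands in for the real AES + HMAC construction.
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Account:
    """What the server stores: iteration count, wrapped vault key, vault ciphertext."""
    def __init__(self, email: str, password: str, iterations: int):
        self.email, self.iterations = email, iterations
        vault_key = secrets.token_bytes(32)  # random, independent of the password
        self.protected_vault_key = encrypt(derive_master_key(password, email, iterations), vault_key)
        self.vault = encrypt(vault_key, b"example.com: correct horse battery staple")  # constructed entry

    def change_iterations(self, password: str, new_iterations: int) -> None:
        # Unwrap the vault key with the old master key, re-wrap with the new one.
        # Vault key and vault ciphertext stay as they were: nothing is re-encrypted.
        vault_key = decrypt(derive_master_key(password, self.email, self.iterations), self.protected_vault_key)
        self.iterations = new_iterations
        self.protected_vault_key = encrypt(derive_master_key(password, self.email, new_iterations), vault_key)

    def open_vault(self, password: str) -> bytes:
        master_key = derive_master_key(password, self.email, self.iterations)
        return decrypt(decrypt(master_key, self.protected_vault_key), self.vault)
```

Going from 100,100 to 600,000 iterations makes each guess of the master password about six times more expensive without touching the vault ciphertext; rotating the vault key itself is the separate re-encryption step the documentation warns about.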

1Password recently also updated the number of PBKDF2 iterations (to 650,000):

But take notice: you have to act yourself to get this higher number!