TL;DR: LastPass is broken. All passwords at the time of the breach were taken. They also got internal secrets from a laptop and can now probably throw computational power at anything they want to decrypt.
Switch. Do not use. Change everything you have if you were using it. Treat everything as breached.
Not breached: my post-its :grillman:
No kidding. I mean the other biggest losers are not just LastPass, but the supposed security experts that non-stop plugged password managers as practically THE solution to password security for the average joe and now they are non-ironically saying that maybe physically writing your passwords on a piece of paper wasn’t that bad of an idea after all. Extreme loser shit. I mean I still use password managers, but I know the risks, the master password is beefy, some important passwords like my g account are 100% committed to memory and now I’m wary of recommending password managers. When I think of my boomer parents who can’t grasp the importance of, like, keeping their devices up to date through no fault of their own, I realize that we are truly living in a digital hellscape of our own making.
Imagine using password managers
This message was brought to you by muscle memory.
Don’t remember your password? Your fingers do.
Only if you re-use passwords, which is probably the worst thing you can do. No amount of muscle memory is going to help you remember a unique, randomly generated password like 72^@Bjh81N5QmEN6 for every single website.
I use private browsing by default. I have to enter logins every session.
You need to be able to access randomly generated passwords (which all your passwords should be) from any device. Password managers lose a lot of usefulness if they aren’t online.
I was under the impression that lastpass was storing passwords encrypted and even when you use their website without the browser extension it decrypts locally.
That’s what Bitwarden claims as well and seems to be standard across the different services.
If someone breaches it, they get everything.
IMO they are great if you control them yourself and take reasonable precautions, which means not using any public website password managers.
You can self-host bitwarden, for example. Or use a 100% local one. If you do host something like bitwarden, it’s now on you to make sure it’s up to date and following best practices, which is pretty annoying.
That’s not quite true of stuff like lastpass or Bitwarden (self hosted or as a service).
What people get (and got, when they breached lastpass) is a bunch of encrypted data that still needs the master password to unlock once decrypted.
If it’s really worrisome, pair the master pass phrase with a hardware token and be done.
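The posts above argue over whether a stolen encrypted vault is game over or still protected by the master password. As an added illustration (not code from anyone in the thread or from any vendor), this models a generic vault design in which PBKDF2-HMAC-SHA256 stretches the master password into the vault key, and estimates how long offline guessing against the stolen blob would take; the attacker hash rate and the two iteration counts are constructed figures, not measurements of any real product or attacker.

```python
import hashlib
import math
import secrets

# Constructed figure for illustration only: assumed offline guessing capacity.
ASSUMED_SHA256_PER_SECOND = 1e10


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key (PBKDF2-HMAC-SHA256).

    The salt is stored next to the ciphertext, so whoever steals the vault has
    it too; its job is to force one full PBKDF2 run per (vault, guess) pair.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def passphrase_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_years(entropy_bits: float, iterations: int,
                         hashes_per_second: float = ASSUMED_SHA256_PER_SECOND) -> float:
    """Expected years to recover the master password from a stolen vault offline.

    Each guess costs `iterations` SHA-256 operations, and on average half the
    keyspace is searched before the right guess turns up.
    """
    expected_guesses = 2.0 ** (entropy_bits - 1)
    seconds = expected_guesses * iterations / hashes_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    # Same master password, different salts: different keys, so two stolen
    # vaults cannot be attacked with one shared precomputed table.
    assert derive_vault_key("correct horse", salt_a, 1000) != \
        derive_vault_key("correct horse", salt_b, 1000)

    weak = passphrase_entropy_bits(26, 8)     # 8 lowercase letters
    strong = passphrase_entropy_bits(95, 16)  # e.g. 72^@Bjh81N5QmEN6 from the thread
    for label, bits, iters in (("weak password, low iteration count", weak, 5_000),
                               ("strong password, high iteration count", strong, 600_000)):
        print(f"{label}: {bits:.1f} bits, ~{expected_crack_years(bits, iters):.3g} years")
```

The stolen blob only protects what the master password and the iteration count protect: the weak case falls in well under a day, the strong case outlasts the universe, which is why the advice in the thread to rotate everything matters most for accounts behind short or reused master passwords.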
LMFAO. Keepass gang says winning.
I switched to Bitwarden a while ago, but I never cleared my LastPass vault, so I still have to deal with this :sadness:
passwordstore.org gang for linux ubernerds
The data accessed from those backups included system configuration data, API secrets, third-party integration secrets
It’s almost as if security should be publicly audited and based on well known encryption methods and not obscurity
The whole thing is a complete and total disaster. If you click through to the page about what was taken it’s basically fucking everything. They must be treated as completely insecure, all secrets stolen, someone out there very probably has the ability to just access anything they want if they know what to do with it.
It’s the worst breach I think I have ever seen.
I’ll never use a password manager. Random password generator and notepad stays winning
Yes, it’s a boomer way to do things but I don’t care
An unencrypted passwords.txt file sitting on your desktop is probably more secure than anything put in “the cloud”.
The cloud is just someone else’s computer, that’s what I’ve always thought