More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

        • treadful@lemmy.zip
          link
          fedilink
          English
          arrow-up
          34
          ·
          1 year ago

          KeepassXC (desktop)/KeePassDX(mobile) on top of something like Syncthing or Nextcloud.

          • OberonSwanson@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Thanks for the suggestion, I’ll try checking out both options. Unfortunately, I have an iPhone, so sadly there’s no KeepassDX. 🤔

            • treadful@lemmy.zip
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 year ago

              I think there’s probably a Keepass compatible iPhone app out there but I haven’t vetted it. Worth looking for though.

        • hobbit@lemm.ee
          link
          fedilink
          English
          arrow-up
          27
          ·
          edit-2
          1 year ago

          Vaultwarden is what I use: https://github.com/dani-garcia/vaultwarden/

          Their wiki is pretty good assuming you’re comfortable with Docker.

          Back before I self-hosted, KeePassXC for desktop and Keepass2Android for mobile (along with Synching to sync the database) got the job done.

          • OberonSwanson@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            Interesting, I’ll check it out, as it looks like it’ll cover what I need. Hopefully it’s simple enough, as always having an iPhone makes things more complicated lol.

            • hobbit@lemm.ee
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 year ago

              I host for my family which has a mix of Android and iPhone. So far, no complaints about Bitwarden on iOS. Hopefully it works out for you. If self hosting becomes a problem, I think premium is only $10/year and family is up to 6 people at $40/year.

        • Potatos_are_not_friends@lemmy.world
          link
          fedilink
          English
          arrow-up
          11
          ·
          1 year ago

          It doesn’t have to be difficult.

          1. Download keepass to your computer.

          2. Keep the save file on a USB or private cloud backup.

          3. Done!

          As you get more comfortable with it, you’ll start using it in more complex ways. Like having a phone app, connected to a self hosted network. But keep it simple for now.

        • whileloop@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          edit-2
          1 year ago

          If you wanna use KeePass, you just have to store your database in some secure location. It can be on your local drive or in the cloud, any location you trust really.

          • Nighed@sffa.community
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            You can set the encryption strength though, so I guess you could set it high and could even have it untrusted.

            Mine takes a while to open on my phone because of that

      • Ado@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        2
        ·
        1 year ago

        Self-hosted with yubikey 2fa. Even Santa Claus can’t see my info 😎

          • Ado@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            I started out with the Yubikey, which was such a relief all by itself. Even if you have my password, you need my physical USB key to plug in or NFC confirm for the 2fa. I did later move to self-hosting, but I def have a backup of a backup for that since space is cheap-ish.

          • olympicyes@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Not sure about that software specifically but most yubikey 2FA implementations allow you to set up more than one key. That way you don’t lose access if you lose your key. I personally have three keys.

    • ramble81@lemm.ee
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      So what makes Bitwarden better than LastPass if you’re using Bitwarden’s hosted option (I know you can keep it locally).

      • PM_Your_Nudes_Please@lemmy.world
        link
        fedilink
        English
        arrow-up
        24
        ·
        1 year ago

        From what I remember (take this with a grain of salt since it’s all from when the big LastPass breach happened,) LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes, images, etc) were unencrypted. So even without cracking any vaults, hackers got access to gigantic lists of usernames and their associated email addresses. That’s valuable in and of itself, because it allows them to spear-phish those users.

        For example, you may not fall for a regular phishing scam. But you may fall for it if the email has your username and recovery info in it. Because they know every email you’ve used to sign up for something and all of your different usernames that you used on that site, so they can craft convincing phishing emails that are specifically tailored to you.

        It also allows them to search for specific users. Maybe there is a user on a crypto forum who is particularly noteworthy. Their username is already known on the site, and hackers are able to cross-reference that with the list of known usernames/emails and see if that user’s vault was part of the breach. If it was, they can focus on breaching that one user’s vault, instead of aimlessly trying random vaults.

        • can@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          1
          ·
          1 year ago

          That’s valuable in and of itself, because it allows them to spear-phish those users.

          I’m sorry, this is the first time I’m hearing the term spear-phish and I love it. It’s hilarious.

          • PM_Your_Nudes_Please@lemmy.world
            link
            fedilink
            English
            arrow-up
            9
            ·
            1 year ago

            It refers to targeting phishing attacks. With traditional phishing, scammers simply cast an ultra wide net and catch whichever one’s happen to respond. They don’t really care who it is, because they’re playing a numbers game. Even if only 0.1% of people respond, sending out a thousand phishing emails means you still got a response.

            But with spear phishing, it’s a targeted attack. They’ll call you at your desk with a spoofed work number, and pretend to be the CEO’s assistant. The CEO needs you to go buy gift cards for a big sales event coming up. Don’t worry, it can all be expensed later, but he needs the cards now and doesn’t have time to deal with vendors and purchase orders. And now you’re reading gift card numbers to a scammer, because they knew enough about your workplace to be able to reasonably impersonate the CEO’s assistant.

            It can also be used to refer to targeted attacks against company leaders or notable figures. Maybe someone has a fat crypto wallet, so someone targets them. Or maybe they try to trick the CEO into giving away a trade secret. Regardless of the reasons, the attack is still the same basic principle; Find a target, meticulously research them enough to be able to fool them, then attack. Most people will be good at avoiding regular phishing. But very few people are prepared for a coordinated and laser-guided spear phishing attack.

        • jarfil@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          edit-2
          1 year ago

          LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes

          Wait a moment… now I wonder how many people kept their crypto wallet recovery word lists as notes instead of as passwords.

      • DrCake@lemmy.world
        link
        fedilink
        English
        arrow-up
        22
        ·
        1 year ago

        I’m not 100% but I think Bitwarden actual encrypt the entire ‘password object’. So the url, username, password, and any notes. Lastpass didn’t/doesn’t encrypt the url so if anyone gets access to the vault, they have a list of websites where the person will have an account and can more accurately send phishing emails.

        • Fushuan [he/him]@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          It encrypts the entire vault iirc, not the objects themselves. The only thing a breach cound gain access to is the encrypted vault, the hashed master password and the master email.

    • Lucidlethargy@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      7
      ·
      1 year ago

      There’s no such thing as an impenetrable password manager. I keep my most secure passwords in my head, and so should everyone.

      Even if the software were perfect, people aren’t. Anyone can be fooled under the right circumstances. It’s better to expose one service than all of them at once.

  • merc@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    160
    arrow-down
    7
    ·
    1 year ago

    Nearly every victim was a LastPass user.

    But every victim was a cryptocurrency user.

    • GreenBottles@lemmy.world
      link
      fedilink
      English
      arrow-up
      20
      arrow-down
      1
      ·
      1 year ago

      I’d be willing to bet that people store their key phrases in the notes section in LastPass which was not encrypted at rest

      • CoderKat@lemm.ee
        link
        fedilink
        English
        arrow-up
        13
        ·
        edit-2
        1 year ago

        I’m sure they were encrypted. But attackers have the vaults and many people have bad passwords. Brute forcing these days is less about trying every combination and more about trying all known leaked passwords, because people reuse passwords like crazy and also just aren’t as original as they think.

        If you have millions of password vaults, I’m sure you can crack open a small number. And the ones you can crack are probably the most likely to not be following best practices, meaning it’s more likely they haven’t changed their passwords since the breach was announced a while back and they probably are less likely to have 2FA. 150 victims is such a tiny number for how many vaults were stolen when LastPass got compromised.

      • hatchling@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        This is incorrect information. Notes are encrypted, just not their “type”. Unfortunately the most direct source for this is a reddit link, but here it is anyway.

    • LufyCZ@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      12
      ·
      1 year ago

      This doesn’t say anything about crypto.

      It says everything about the users themselves.

    • hansl@lemmy.ml
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      36
      ·
      1 year ago

      I also heard every victim were addicted to water…

  • SeducingCamel@lemm.ee
    link
    fedilink
    English
    arrow-up
    96
    ·
    1 year ago

    Switched to bitwarden as soon as they tried to charge a sub for multiple devices, I see that was the right choice

    • ultratiem@lemmy.ca
      link
      fedilink
      English
      arrow-up
      29
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Are you not worried your vault is still on their servers? I feel most companies don’t delete shit. Most have ways to get around it saying they keep some info for taxes, accounting, etc.

      I wouldn’t sleep well knowing my passwords were on there at any given time.

      • learningduck@programming.dev
        link
        fedilink
        English
        arrow-up
        27
        arrow-down
        4
        ·
        1 year ago

        You can host a bitwarden vault yourself. They open sourced and audited. So, trustworthy that there’s no back door somewhere to some degree.

      • SatyrSack@lemmy.one
        link
        fedilink
        English
        arrow-up
        8
        ·
        1 year ago

        So just change whatever passwords you had saved to LastPass. That would mitigate any issues, right?

        • CoderKat@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          1 year ago

          Pretty much. Though also any security questions or other private info you have saved, some of which is much more annoying to protect.

          Though one annoying thing is that even if you change everything, what they find might help them social engineer an attack.

          I second Bitwarden, BTW. Best password manager I’ve used.

        • ultratiem@lemmy.ca
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Just. It’s not an insurmountable problem, but I wouldn’t be happy changing the login details, one by one, on the some 80 websites I have in my vault.

          Not to mention if you’re using an email anonymizer, you’ll have to regenerate new emails for them all too. I guess you could do it on demand, but knowing my batch of emails in floating around the dark web doesn’t sit well with me. Worse yet if it’s your actual email, then they have that now.

      • qaz@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        It’s e2e and the code to do so is opensource, and you can always host Vaultwarden yourself.

    • sealhaslupus@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      same here. nuked my lastpass account and switched everything over to bitwarden. their paid offering was worse from the competition and now i’m very glad i moved from them

  • LemmyFeed@lemmy.world
    link
    fedilink
    English
    arrow-up
    81
    arrow-down
    5
    ·
    1 year ago

    These guys saved their seed phrases to LastPass, not just account passwords. You can’t just change your seeds without moving funds to a new wallet.

    The main lesson here is never store your seeds in digital form, ever. Write it down by hand on paper at creation and then take additional efforts to safeguard it.

    • DrRatso@lemmy.ml
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 year ago

      I just store recovery phrases of all kinds on an encrypted USB stick (which is obviously only connected to my PC when I need to put a new one in or use it (which so far has happened never)), I feel like that is secure enough for me, although if I could laminate at home I might print and make small cards in a separate a card wallet. Any other way I feel like I would eventually lose them, the particular USB drive ive had for over 15 years, it is 512 MB lol.

      • pedro@lemm.ee
        link
        fedilink
        English
        arrow-up
        36
        ·
        1 year ago

        USB sticks are not very reliable and can become totally unreadable randomly. I hope you at least have a few backups of it

        • douglasg14b@lemmy.world
          link
          fedilink
          English
          arrow-up
          16
          arrow-down
          1
          ·
          edit-2
          1 year ago

          Yeah, they are horribly unreliable.

          I got myself 5 sticks, put the same data on all 5.

          1st was dead within a month. 2nd & 3rd both dead in 4m, 4th dead in 6m. The 5th is still alive 3 years later.

          It’s a shit lottery, don’t play it, modern flash drives are absolutely garbage. Yet I still have a whole pile of 1,2, 4 GB flash drives from over a decade ago and they all still work.

          • jarfil@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Old flash drives used to be all SLC.

            Newer ones, use the cheapest tech for the same capacity, with QLC being about 16 times less reliable than SLC.

        • Aux@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          2
          ·
          1 year ago

          USB sticks can be very different. I would recommend using small M.2 SSD in a stick enclosure.

      • hihellobyeoh@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I would duplicate to at least 2 sticks, and also a written form that you keep stored with important documents, like a safe with your SSN, birth certificate, etc.

      • deafboy@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        For any significant amount of money, the seed should never even touch a PC. No USBs, no printers.

    • aesthelete@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      1 year ago

      I wrote my seed information down for my poop coin wallet directly on Charmin double ply and then promptly wiped my ass with it and flushed.

      All my apes gone!

  • saltynuts420@lemm.ee
    link
    fedilink
    English
    arrow-up
    61
    arrow-down
    4
    ·
    1 year ago

    instead of using a password manager managed by a PRIVATE ENTITY people should start using bitwarden … its opensource, free and much more secure and reliable

    • forbiddenlake@lemmy.world
      link
      fedilink
      English
      arrow-up
      20
      ·
      1 year ago

      But who is running the bitwarden server? Bitwarden the private company.

      I self host vault warden, but it’s really not something everyone can do.

    • yetAnotherUser@lemmy.ca
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      1
      ·
      1 year ago

      I personally use KeepassXD on my phone, although it hasn’t had a security audit. There is also KeepassXC for desktop, which has had an audit

    • PlexSheep@feddit.de
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 year ago

      I prefer local password managers. Synchronisation is achieved with a syncing service of our choice.

      • anyhow2503@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        That’s pretty much what Bitwarden does at its core. It will only synchronize the encrypted password vault and each client keeps an offline copy of it.

    • itsdavetho@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      How does bitwarden encrypt their passwords? Im just realising that since it works on both my laptop and phone with no configuration it can’t be overly nuanced

      • tony@lemmy.hoyle.me.uk
        link
        fedilink
        English
        arrow-up
        14
        arrow-down
        1
        ·
        1 year ago

        It’s encrypted on the client and bitwarden themselves can’t decrypt it (we assume, but there have been audits that seemed to confirm that).

        If you want to you can just run your own server then they can’t see the traffic at all.

        • RealHonest@lemmy.one
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          16
          ·
          1 year ago

          Who’s we? You probably mean you assume. Bitwarden is open source so an assumption need not be made.

          • Mananasi@feddit.nl
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            There’s an assumption that the code you see is the code running on their server. And on top of that there’s lots of other software running on their servers.

    • IverCoder@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Private entities are more reliable for personal data than companies whose stocks have gone public.

  • sonnenzeit@feddit.de
    link
    fedilink
    English
    arrow-up
    48
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Man am I glad that I picked KeypassXC as my password manager some years ago. Super safe, easy to use, costs nothing, not dependant on internet/cloud, can export data to another app at any time, transparent because open source.

    I’m using Syncthing to synchronize across devices which arguably took some fiddling to set up but I only had to fiddle once and haven’t touched the configuration since; it just works automagically in the background.

      • PlexSheep@feddit.de
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        It’s a pretty common setup to be clear, easy setup, works like a charm.

        Just keep in mind that it’s not a backup solution, my Homeserver does that for me.

      • TitanLaGrange@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        Nothing major as far as I can tell. Here’s an overview via SuperUser. KeePassXC might be a better option for some use cases if you’re mostly not on Windows as it does not require .NET. Note that “KeePassXC does not support plugins at the moment and probably never will”, but it does have built-in support for some things you might want a plugin for in KeePass2.

          • PlexSheep@feddit.de
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            They say that but I can’t help but feel it sucks on Linux. Especially their GUI Apps.

          • TitanLaGrange@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            It does indeed. My job includes writing and deploying .NET apps on multiple platforms, and it works fine for me.

            But some people prefer not to use .NET when comparable native options are available, so they might prefer KeePassXC.

  • dangblingus@lemmy.world
    link
    fedilink
    English
    arrow-up
    52
    arrow-down
    10
    ·
    1 year ago

    Pro Tip: You don’t need to give a private company all of your passwords. That literally defeats the purpose of having passwords.

    • Asafum@feddit.nl
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      7
      ·
      1 year ago

      A-fucking-men… but I was always given shit for saying this.

      Anything can be hacked or stolen, I don’t trust any company to secure my information. :/

      • TwilightVulpine@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        5
        ·
        1 year ago

        I keep thinking of the people who make their passwords garbled random text impossible to memorize but then they trust an online service to keep it safe and private. When breaches happen, maybe even a post-it note at home would have been more secure.

          • Soggy@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            7
            ·
            1 year ago

            Unique passwords for every single account is an over-abundance of caution. Sensitive accounts: financials, medical, email, yes those should all be insulated from single-source failures. Your xbox live, netflix, and instagram are probably fine as a universal “entertainment” password.

    • RIP_Apollo@feddit.ch
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      1 year ago

      Except you’re giving your passwords in an encrypted format. So if the company is trustworthy, it’s safe to let them store your passwords because it’s encrypted in such a way that even the company who own the password manager couldn’t access your passwords even if they wanted to.

      (Note the caveat of “IF the company is trustworthy”, which rules out Lastpass)

      Now I accept that there are legitimate arguments against storing passwords in the cloud via a password manager… so in that case, you may wish to use a local password manager (like Keepass) instead. But realistically, a typical person isn’t capable of memorising lots of unique, secure passwords… so the passwords need to be written down or stored in a password manager, just to avoid weak passwords or password reuse.

  • kadu@lemmy.world
    link
    fedilink
    English
    arrow-up
    42
    arrow-down
    9
    ·
    1 year ago

    I know Lemmy’s classic “Google bad” but you know what? Google’s password manager and authenticators never lost my passwords, never charged a subscription, didn’t require me to invest money and effort into self hosting, never leaked, never disappeared, and always worked perfectly on any device within seconds of logging into my account.

      • Psythik@lemm.ee
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        1
        ·
        1 year ago

        “Probably”? It’s the best! I never have to worry about memorizing 500 different passwords cause Firefox automatically syncs my passwords across every device I use without me even having to think about it.

        • Fushuan [he/him]@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          eh, it doesn’t work for credentials of phone apps, bitwarden does and you can access those passwords if you log in into the web version if you are on an unknown pc.

                • Fushuan [he/him]@lemm.ee
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  1 year ago

                  Then it should for all, cool. I still prefer bitwarden becaue I can store credit card info, generic secure notes, and I’m able to access it from anywhere, useful when logging in into my email from my mother’s PC and such, but it’s cool that it is integrated with the keyboard engine too.

    • Anonymousllama@lemmy.world
      link
      fedilink
      English
      arrow-up
      14
      ·
      1 year ago

      I’d be worried about losing access to the entirety of your passwords if Google up and decides that one day your account is suspended. There’s been a few reports historically where someone gets their Gmail account suspended for some mistaken reason and all their associated access gets pulled (e.g. from drive, sheets, etc)

      • kadu@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        That’s what happened to me once due to Bitwarden - it lost all my 2FA codes. It was an absolute pain getting access back to all accounts.

        My Google account has been rock solid from the day I created it as a child to today, even though my needs and their services changed dramatically over the years.

        Most of the issues with people claiming their accounts got locked up “for some unknown error” are actually hosting and sharing copyrighted material, like creating public Google Drive links to a movie or sharing a game ROM via Gmail.

        • Terrasque@infosec.pub
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          I got a Google account that was shut down after some spammer started using that email as the sender address (sometimes called a Joe job). I somehow got in contact with an employee (friend of a friend) that checked on the account and verified it wasn’t my fault and reopened it, but a week later it got closed automatically again, with no easy way to reopen it.

          The backscatter was hundreds of emails per day, so the email part of the account was useless anyway, but I used it for other things.

          So it can happen at no fault on your own, and impossible to do anything about.

        • Tibert@compuverse.uk
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          Bitwarden offers an encrypted backup…

          Google has maybe a plain text export.

          Bitwarden has run flawless for me for multiple years.

        • jarfil@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          1 year ago

          My Google account has been rock solid from the day I created it as a child

          Hopefully you were of legal age to accept the Terms of Service, otherwise it might’ve been an irregular account all this time.

            • jarfil@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              If it was, and you haven’t accepted the ToS as of legal age, then you might want to make a new one.

              Google is getting ready to purge inactive accounts starting next year, and it wouldn’t be the first time when a service purged irregular accounts many years after the fact, so… better safe than sorry.

    • Tibert@compuverse.uk
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      3
      ·
      1 year ago

      Google only just recently introduced encrypted passwords… Before they were stored in plain text on your computer… Tho I’m not even sure how that encryption even works.

      So… It may not have leaked yet (or maybe it has but Google suppresses everything, who knows) but I wouldn’t trust it to keep something safe.

      • kadu@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        That’s not correct. You could encrypt password on Chrome for a long while, and before that, they were stored using your operating system’s keychain. If you distrust your own OS, that’s probably something you’d need to fix before even talking about password managers.

        • Tibert@compuverse.uk
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          There nothing to fix in an OS. Windows and chrome have vulnerabilities which are unfixable by regular people. What about malware? What about other people knowing the password to your pc?

          It’s impossible to trust an OS to not get hacked, because it’s always the hackers or OS running behind the other.

          • jarfil@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            1 year ago

            You can replace the OS with one you trust more. Can also replace the browser, and “irregular people” can fix stuff in OpenSource OSs and browsers. Malware is easy to avoid, just don’t execute random stuff. Other people knowing the password to your PC, is up to you.

            Hackers generally don’t hack OSs, users are much easier to hack.

            • Tibert@compuverse.uk
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              And what is your point?

              That everyone should change to some Linux distro? First of all Linux is not immune, it only lacks interest from hackers. The second it’s not adapted to everyone. Even I who likes open source and learning new stuff is too annoyed by Linux because of compatibility reasons (mostly gaming).

              Just don’t execute random stuff? Wake up, or I’ll use only chrome and nothing else on my pc. You want open source you must execute random stuff.

              And people cannot be at their 100% at all time. There is a possible chance that some, even trained user, slips and executes some malware. In that case, antimalware come into play, but it’s not always the case. Companies still get hacked with ransomwares and data extractors.

              And your solution to the issue is just replacing the browser, like it would make a difference? At that point just use another password manager online…

              • jarfil@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                1 year ago

                My point is you start by using whichever OS you trust most: there is Windows, Mac OS, Chrome OS, Android, a bunch of Linux distros, BSD… your choice.

                If you don’t trust any OS… sorry, you’re SOL. Plug the thing off and smash it with a hammer, then dump into salt water to be safe.

                You want open source you must execute random stuff

                There are large OpenSource projects with security audits and security testing. There are random open and closed source projects with zero oversight by anyone.

                Execute the former, not the latter.

                people cannot be at their 100% at all time.

                Executable signing, anti-malware systems, and people running tests to rubber-stamp stuff exist (like distro repos, or app stores). Use those.

                Companies still get hacked with ransomwares and data extractors.

                In most cases by hacking people, not software. Follow the above rules, don’t trust that your CEO’s nephew needs remote access to your PC… tell your coworkers not to trust that either… … yeah, well, that’s impossible, it takes only one to ransomware everyone… but you can keep yourself safe 🤷

                Replacing the browser is optional, goes with the same trust issues as the OS.

    • sab@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      3
      ·
      1 year ago

      …so far.

      For those that don’t mind self-hosting, which can be as easy as just running syncthing or resilio sync on your NAS, I can really recommend keepass.

      • NevermindNoMind@lemmy.world
        link
        fedilink
        English
        arrow-up
        13
        ·
        1 year ago

        Me with interest, but no technical knowledge reading your comment:

        which can be as easy as

        :-)

        running syncthing or resilio sync on your NAS

        :-(

        I didn’t understand any of those words

        • Jerkface@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 year ago

          edit - nevermind I can’t even format a comment, let alone self host a… Thingie. What the other guy said.

        • sab@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          A NAS is a home storage server, like Synology that you can use to store images, videos and backups, etc on so you can access them from any computer or device in your home. With a couple of clicks, they can easily run applications like Syncthing or Resilio Sync, which are kinda like Dropbox, except you don’t have to pay Dropbox, you’ll just be storing the files on your own service.

          If that’s too much to handle, you can still just store your Keepass file in Dropbox, so that it’s available on all your devices. But in the end you’ll still be storing your personal data on someone else’s harddisk.

          So in short, is at easy as using a prefab service? No, you’ll have to invest some time, money, and knowledge yourself. But in the end, your data is not gathered in silo together with countless other users, which makes it a lot less attractive for hackers to try and steal it.

      • kadu@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        1
        ·
        1 year ago

        so far

        Yeah, that’s true for literally everything.

        Your self hosting setup never failed I guess… So far!

        • diffusive@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          ·
          1 year ago

          Self hosting is less appealing for criminals, though. Especially if the protocol is “vanilla” like ssh.

          When you hack LastPass you know what you’ll find, millions of passwords. When you hack a dude ssh you have one chance over one million that there is one dude password wallet.

          It doesn’t make financial sense to hack self hosting (unless it’s specific server software)

          • ribboo@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            edit-2
            1 year ago

            There are plenty of use cases for going after self hosters. Bot farms are basically made up of “regular” computers infected with malware.

            While you’re at it and have access to tens of thousands computers, also grabbing their passwords is just a nice bonus.

            If anything, it doesn’t make financial sense not to do it. You’re right in that self hosters themselves are not the target per se. but they are targeted for other reasons, and that’s where it ends up becoming problematic.

            • diffusive@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              You need to aumatize any operation… It’s not conceivable that an human look at every device for stuff to steal. It would be even more expensive.

              Generally all these bit malware do is 1) using a vulnerability to replicate themselves 2) mine crypto or other kind of crap. Sometimes (1) involves also stealing ssh keys but it’s not the goal, it the mean.

              Self hosting password/code/photos/whatever niches you are almost guaranteed that no human will look at hit because the amount of IoT/Routers/etc with nothing valuable beyond themselves generally composes the majority of these compromised bots

              This is just the economic incentive

    • Rai@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      As a non-Google user, Lemmy is only “Chrome bad”. They’re “Android is the only way”

      • Tibert@compuverse.uk
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        1 year ago

        Well chrome = bad. Just look at all the anti-competition things they are implementing just because they are the leaders on the market.

        Now they are blocking cookies, it’s great isn’t it? NO! now they are targeting you through your browser history while blocking competition.

        Manifest V3 introduced by Google, that’s amazing, now ad blockers won’t be able to update their list individually. It’s amazing isn’t it? Being able to hinder the adblockers when your revenues comes from ads.

  • Professor_Piddles@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    33
    arrow-down
    1
    ·
    1 year ago

    Any obvious holes in keeping a text file on my laptop that I encrypt when not using it? Using ccrypt on linux.

    I do not want my passwords - even encrypted - on the cloud or at the mercy of a 3rd party in any fashion.

    • Rootiest@lemm.ee
      link
      fedilink
      English
      arrow-up
      29
      arrow-down
      2
      ·
      edit-2
      1 year ago

      Use KeePass.

      My concern with using a text file is you have to defrost it to use it and whenever it’s not encrypted it’s potentially exposed. You are also vulnerable to keyloggers or clipboard captures

      KeePass works entirely locally, no cloud. And it’s far more secure/functional than a text file.

      I personally use KeePass, secured with a master password + YubiKey.

      Then I sync the database between devices using SyncThing over a Tailscale network.

      KeePass keeps the data secure at rest and transferring is always done P2P over SSL and always inside a WireGuard network so even on public networks it’s protected.

      You could just as easily leave out the Tailscale/SyncThing and just manually transfer your database using hardware air-gapped solutions instead but I am confident in the security of this solution for myself. Even if the database was intercepted during transit it’s useless without the combined password/hardware key.

      • lazynooblet@lazysoci.al
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Absolutely, Keepass is a great alternative to cloud managed password managers.

        You are also vulnerable to keyloggers or clipboard captures

        Keepass (and most password managers) are vulnerable to this as well.

        • Rootiest@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Keepass (and most password managers) are vulnerable to this as well.

          Not if you use the browser extension

          Plus it does automatically clear the clipboard after a short time which isn’t perfect but it’s still an improvement over using a text file

        • jarfil@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          True, but KeePass has some countermeasures, like wiping the clipboard after some time, sending the password directly to a browser extension, or entering the master password on a “secure desktop” (technically not all that secure, but more secure than the lack of it).

        • Rootiest@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 year ago

          Having a recovery process for the YubiKey would really just be a potential security hole.

          Ideally you have a backup clone of the key in case yours is lost/broken.

          Keeping a recovery seed or backup password instead would be inherently less secure as the YubiKey uses an HMAC challenge-response key for KeePass rather than a static password/key file.

          A static password or key would be a better target for hackers as it would be easier to crack so having that option would lower your overall security.

          Also worth noting that the way KeePassXC handles the HMAC challenge-response is different from how KeeChallenge does it.

          In KeeChallenge the HMAC secret is used to encrypt the database, which requires storing the encrypted secret in a separate file.

          In KeePassXC the database’s seed is used as the challenge and the response is used to encrypt the database.

          The benefit to the KeePassXC method is two-fold:

          • It’s less vulnerable as the HMAC secret never leaves the YubiKey or get stored in a file.

          • It increases security because the challenge-response changes every time you save the database (changing its seed)

          • Professor_Piddles@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Thank you for your detailed responses - I’m going to look into KeePass and maybe a Yubikey after reading your description of how it works. I hadn’t considered a Yubikey before mostly because I’m prone to lose things, but also because my encrypted file password is >12 characters and a fairly random mix of lower and uppercase letters, numbers and special characters.

        • PlexSheep@feddit.de
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          There is no recovery if you have a single hardware token in use only. But that’s a structional issue with your concept.

          Instead, it is recommended to have two (or more) identical Hardware Tokens to replace one that dies.

          It is also smart to keep the seeds for things like 2fa in some secure backup with schizophrenic paranoia proof Security measures.

    • ThetaDev@lemm.ee
      link
      fedilink
      English
      arrow-up
      15
      ·
      edit-2
      1 year ago

      Yes, if you write the decrypted file to disk, it could be recovered. Deleting files only removes the file system entries - it does not wipe the content.

      Use a local password manager. KeePass (use the KeePassXC variant on Linux) is the most popular choice. If you prefer a command line tool, pass (passwordstore.org) is an option.

    • trevor@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      Why not use KeePass then? It’s entirely local and you don’t have to risk running your own encryption solution.

    • vector_zero@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      1 year ago

      All it takes is a malicious program accessing your clipboard or running commands to find your password file while your machine is booted and decrypted.

      • time_lord@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        If something happens to your SSD, you lose all access to everything. And SSDs can die without warning, and be un-recoverable.

    • chicken@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      If we’re talking crypto keys like in the article, that would be an improvement over storing them in the cloud, but it’s still vulnerable to malware/keyloggers. Ideally you should use a dedicated hardware wallet and/or write it down physically and have some form of offline signing setup.

  • RBWells@lemmy.world
    link
    fedilink
    English
    arrow-up
    30
    arrow-down
    1
    ·
    1 year ago

    That’s an average of over 200k each. I’m wondering how they managed to target people with so much money.

  • eran_morad@lemmy.world
    link
    fedilink
    English
    arrow-up
    29
    arrow-down
    1
    ·
    1 year ago

    migrated my shit out of lastpass like 10 years ago or whenever it was bought by logmein. douches.

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    17
    ·
    1 year ago

    This is the best summary I could come up with:


    Cybersecurity blogger Brian Krebs reports that several researchers have identified a “highly reliable set of clues” that seemingly connect over 150 victims of crypto theft with the LastPass service.

    Taylor Monahan, lead product manager at crypto wallet company MetaMask and one of the key researchers investigating the attacks, concluded that the common thread connecting the victims was that they’d previously used LastPass to store their “seed phrase” — a private digital key that’s required to access cryptocurrency investments.

    These keys are often stored on encrypted services like password managers to prevent bad actors from gaining access to crypto wallets.

    We have reached out to LastPass to confirm if any of the stolen password vaults have been cracked and will update this story if we hear back.

    Researcher Nick Bax, director of analytics at crypto wallet recovery company Unciphered, also reviewed the theft data and agreed with Monahan’s conclusions in an interview with KrebsOnSecurity:

    “I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”


    The original article contains 363 words, the summary contains 196 words. Saved 46%. I’m a bot and I’m open source!

    • smolyeet@lemmy.world
      link
      fedilink
      English
      arrow-up
      16
      ·
      1 year ago

      The idea is fine. Still trusting lastpass was the bad idea. Others have much better implementations to protector your vault and don’t drop the ball on security time after time.

      • serratur@lemmy.wtf
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        2
        ·
        1 year ago

        They might have better implementation, but that only means it will take longer time before a data breach happens, it doesn’t stop them.

        • Fisch@lemmy.ml
          link
          fedilink
          English
          arrow-up
          5
          ·
          1 year ago

          A data breach isn’t an issue by itself. It’s only an issue if it’s possible to decrypt your passwords.

    • Blackmist@feddit.uk
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 year ago

      It’s OK as long as you’re the only one with the key to it.

      If your storage provider can decrypt it, so can anybody who hacks them or works for them.

      Sometimes these are the same people.

      • evranch@lemmy.ca
        link
        fedilink
        English
        arrow-up
        15
        arrow-down
        1
        ·
        1 year ago

        I use Syncthing to keep my Keepass files synchronized on my devices. All the benefits of cloud storage, but my password file never leaves my control.

          • evranch@lemmy.ca
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Personally I don’t like to rely on anyone’s cloud services for mission critical applications like password storage, since they have a history of being discontinued without notice.

            I do trust Mozilla a lot more than Google, though.

            With Syncthing at least if the discovery servers go down you still have a local copy as well as off-site backups, and can easily migrate to some other sync solution as your password manager is not tied to your browser.

            • PlexSheep@feddit.de
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I would argue that email is similarly as critical, yet Selfhosting email is a bad idea practically and from a security standpoint. Your argument does not apply in general.

  • z00s@lemmy.world
    link
    fedilink
    English
    arrow-up
    16
    arrow-down
    2
    ·
    1 year ago

    I mean, they’ve had more than long enough to change passwords.

    Nobody is after your password for the Moravian rug weaving forum but in this day and age it’s on you, if you know there’s a breach and you don’t change your banking / crypto passwords.

  • Honytawk@lemmy.zip
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    5
    ·
    1 year ago

    I don’t understand saving your passwords to the cloud in the first place

    It is like storing all the passwords in one convenient place that can be accessed from any location on the planet, making it the most convenient and juicy target for hackers.

    Even encrypted, it just doesn’t make sense.

    • thbb@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      ·
      1 year ago

      At one of my clients, a large institution, they go further: you’re not allowed to use the local browser’s password manager. And still have to abide by the usual password rules: rotate every 3 months, complex passwords, etc.

      As a result, users store a plain text file on their desktop (some go as far as printing it), that conveniently allows them to retrieve their passwords.

      Too much security kills security.

      • Karyoplasma@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        16
        ·
        1 year ago

        Forcing a password change after a period of time has shown to make people gravitate towards the simplest passwords that are still within the policy or other, even less secure, solutions. That’s why security standards nowadays advise to not implement forced password changes.

        • Sarsoar@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          My last job got around the “make people gravitate towards the simplest passwords” issue by giving you a list of 10 randomly generated strings you could pick. ( you could refresh the list a few times though)

          So what happened anyways, like the person you are replying to said, is we had passwords written everywhere. One guy kept a sticky not on the back of his badge (which got turned around alot so he would walk around with his password showing), another kept it on a sticky under his keyboard, and just in general we would find passwords written everywhere.