LastPass users: Your info and vault data is now in hackers’ hands

arstechnica.com

73 points by joelkesler 3 years ago · 19 comments

ryanjshaw 3 years ago

There ought to be some kind of legal sanction against companies that try to hide the seriousness of data breaches.

I read the customer update, and the severity of this breach is hidden deep in the statement and skimmed over.

Basically: LastPass just shared which sites you have logins for with the attacker. This could be sold or released to the entire world. They claim the usernames are encrypted fields but often the usernames can also be in the URLs saved along with the site.

  • steve1977 3 years ago

    I really don’t understand why they didn’t just encrypt the whole records.

    • yakak 3 years ago

      The convenience of offering to re-login if your session is expired and you hit a site where you use it?

      • ryanjshaw 3 years ago

        That could have been cached locally on your machine, separate from your vault.

teamspirit 3 years ago

This is only tangentially related but I just noticed that lastpass reactivated an account I closed 3 years ago and began billing me two years ago. I just caught the second charge and when I confronted them, they said they can only refund within 30 days!

So check your statements and see. I'm curious to know how many more people this has happened to.

joelkeslerOP 3 years ago

This makes me wish 1Password still allowed self-hosted and self-synced password vaults.

  • pwg 3 years ago

    A no-cloud password manager: https://www.pwsafe.org/

    With a whole host of alternate, compatible, implementations:

    https://www.pwsafe.org/relatedprojects.shtml

    Allowing for self-hosting (and in a few instances, some 'syncing').

  • bjelkeman-again 3 years ago

    What password manager does?

    • joelkeslerOP 3 years ago

      I believe KeePass uses local password vaults. I don't use it personally, but I have heard many people use a combination of KeePass and Syncthing to sync their passwords across multiple devices.

      Example article: https://dev.to/rusty_sys_dev/switching-to-keepass-and-syncth...

      I wouldn't recommend KeePass to my non-technical family and friends, but if you love the command line it might be what you are looking for.

    • snorremd 3 years ago

      Bitwarden offers both a hosted and self-hosting option. Though their code is open source unlike LastPass and 1Password.

      • CommanderData 3 years ago

        It works great but you'll need a reverse proxy with TLS + a domain if you want to use the Android app.

        Self signed certs don't play nicely with the app.

        • Oxodao 3 years ago

          Setting up a reverse proxy + TLS is not that hard. Buying a domain + paying the 10€ per year license (If you go with the official server rather than vaultwarden) is still cheaper than paying for Lastpass / 1Password / Dashlane for the same time. As long as you are willing to maintain it that's pretty reasonable.

          The only thing that makes me mad in Bitwarden's official client is that you STILL can't remap your keys. I still have the old habit of Ctrl+L from Keeweb to go to the search bar. On Bitwarden it locks your vault...

        • hipitihop 3 years ago

          Consider using ZeroTier or any WireGuard based SDN instead, for remote access to self hosted services.

    • cemerick 3 years ago

      KeePass2 is a piece of cake. Apps on desktop and mobile, keys stored in Dropbox or whatever.

jart 3 years ago

This title is so manipulative and misleading. The attacker stole a mountain of AES encrypted blobs, so unless this threat actor has broken AES already, it'll probably be decades before they'll be able to peer into your secrets.

  • ryanjshaw 3 years ago

    Incorrect. It turns out your "vault" is comprised of unencrypted and encrypted fields. Unencrypted fields include URLs. If the attacker publishes this data, or sells it to somebody who does, this will be Ashley Madison x100.

  • zacwest 3 years ago

    And "unencrypted data, such as website URLs" which really should be enumerated in full.

    • avnigo 3 years ago

      It looks like the only relevant data that was unencrypted are the URLs [0]. I'm guessing that was some sort of design decision they made for the browser extension to be able to see if you had a password for that site.

      If anything, apart from leaking the domain, which could still be a privacy issue, they should have at least sanitized the URLs to remove usernames or tokens if they were going to automatically save those URLs to the vault. I can guess that not doing so allowed their auto-login function to work on some websites by saving the login URL endpoint, but all I'd really want is the vault to keep the sanitized domain.

      [0]: https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass...
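The sanitisation avnigo describes, as an added example that is not from any commenter or from LastPass: a saved login URL is reduced to its origin (scheme, host and explicit port) before being stored, which is still enough for an extension to decide whether it holds a login for the current site, while the userinfo, path, query string and fragment that may carry usernames or tokens are discarded. The sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample login URLs of the kind a password manager might auto-save.
SAMPLE_URLS = [
    "https://alice@example.com/login?session=abc123&token=s3cr3t#step2",
    "HTTP://Shop.Example.org:8443/account/signin?user=alice",
    "example.net/users/sign_in",           # scheme missing
    "https://[2001:db8::1]:8080/login",    # IPv6 literal host
]


def sanitize_site_url(url: str) -> str:
    """Reduce a saved login URL to scheme://host[:port].

    Drops userinfo (alice@), path, query string and fragment, all of which
    may carry usernames, session ids or reset tokens. Scheme and host are
    lower-cased so matching is case-insensitive. A missing scheme is
    assumed to be https. Non-web URLs are rejected.
    """
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    host = parts.hostname  # already lower-cased, userinfo and port removed
    if ":" in host:        # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), netloc, "", "", ""))


def same_site(stored: str, visited: str) -> bool:
    """True if the visited page belongs to the stored entry's origin.

    This is the only comparison an extension needs to offer a saved login,
    so the full login URL never has to be kept in the vault.
    """
    return sanitize_site_url(stored) == sanitize_site_url(visited)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}\n  -> {sanitize_site_url(u)}")
```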

  • brewdad 3 years ago

    I used LastPass up until a few years ago. I've received three separate password reset emails this week for accounts I seldom use and haven't visited in months.

    Someone is out there using whatever data or metadata was unencrypted.
