LastPass Password Manager - Time to move on?
Comments
-
k_man said:
    It could be done against any system, once an offline copy of the data has been obtained.
    This bypasses any 2FA, auto lockout protection etc.

Are you saying that even if I have had LastPass 2FA turned on for years, now that these files are available for all on the dark web the hackers just need to guess the passphrase to get access to all my passwords?
-
womble12345 said:
    k_man said:
        It could be done against any system, once an offline copy of the data has been obtained.
        This bypasses any 2FA, auto lockout protection etc.

    Are you saying that even if I have had LastPass 2FA turned on for years, now that these files are available for all on the dark web the hackers just need to guess the passphrase to get access to all my passwords?

I'm not saying, but yes. 2FA etc. only protects access to your account on LastPass's servers. Once that data is copied elsewhere then these protections don't apply. It should be said, however, that as long as your master password is decently complicated then gaining access to your data is a bit harder than "just need to guess the passphrase".

This is why this breach is so serious. There is little point in changing your master password at LastPass (though I would and have done); what needs to be changed are the passwords contained therein.
-
IMHO, as well as renewing passwords on critical accounts, enable MFA/2FA on all accounts that offer this.
-
womble12345 said:
    k_man said:
        It could be done against any system, once an offline copy of the data has been obtained.
        This bypasses any 2FA, auto lockout protection etc.

    Are you saying that even if I have had LastPass 2FA turned on for years, now that these files are available for all on the dark web the hackers just need to guess the passphrase to get access to all my passwords?

"Just" makes it sound simple. Provided your master password was complex and followed good practice, that "just" should be measured in years of focussed attempts to crack with today's compute power.

If the master password is simple to dictionary attack, then you should be concerned and be starting to change the passwords on accounts, prioritising those which could have a financial consequence. After setting a new secure master password, of course.
-
flaneurs_lobster said:
    womble12345 said:
        k_man said:
            It could be done against any system, once an offline copy of the data has been obtained.
            This bypasses any 2FA, auto lockout protection etc.

        Are you saying that even if I have had LastPass 2FA turned on for years, now that these files are available for all on the dark web the hackers just need to guess the passphrase to get access to all my passwords?

    I'm not saying, but yes. 2FA etc. only protects access to your account on LastPass's servers. Once that data is copied elsewhere then these protections don't apply. It should be said, however, that as long as your master password is decently complicated then gaining access to your data is a bit harder than "just need to guess the passphrase".

    This is why this breach is so serious. There is little point in changing your master password at LastPass (though I would and have done); what needs to be changed are the passwords contained therein.

While this breach is a serious one, the risk of offline attack on a password vault already existed, and is not specific to LastPass or any other cloud-based password manager.

Any vault or encrypted file is already vulnerable from:
- A compromised PC
- A compromised mobile device
- A compromise of the cloud storage provider
- A compromise of the transit network
- Other compromises I haven't listed

IMO this breach doesn't really identify LastPass (or other cloud providers of password managers) as bad/not-to-be-used, but just highlights that, while password managers are the best option for most users, they need to be used correctly, and aren't a security magic bullet.

But the general model is not broken; it's just that LastPass's implementation wasn't as good as it could have been.

It is a good reminder to get used to the process of mass password (and other saved information) changes*

Fortunately, this can be done semi-automatically for many passwords, via some password managers.

*Note: password change, not rotation, as the latter implies cycling/reuse.
-
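Editor's added example, not code from this thread or from LastPass: the Python below shows concretely why an offline copy of a vault sidesteps 2FA and lockouts, as the posts above describe. It builds a toy vault whose key is stretched from the master password with PBKDF2-HMAC-SHA256, then runs a dictionary attack against that stolen record. The KDF choice, iteration counts, wordlist and master passwords are assumptions made for the example, not LastPass's real parameters or data. No server is contacted at any point, so nothing tied to the account, 2FA included, can interrupt the guessing; the only brakes are the per-guess KDF cost and the entropy of the master password.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Iterable, Optional

# Editor's illustration of an offline attack on a stolen vault copy. The KDF,
# iteration counts, wordlist and master passwords are assumptions chosen for
# the example, not LastPass's real parameters or data.

CHECK_LABEL = b"vault-key-check"


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_vault(master_password: str, iterations: int) -> Dict[str, object]:
    """Toy vault record: salt, iteration count and a key-check tag.

    A real vault also holds the encrypted entries; the check tag alone is
    enough to let anyone holding the record verify a guess locally.
    """
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "check": hmac.new(key, CHECK_LABEL, "sha256").digest(),
    }


def guess_is_correct(vault: Dict[str, object], candidate: str) -> bool:
    """Test one candidate against the stolen record; no server is involved."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    tag = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return hmac.compare_digest(tag, vault["check"])


def offline_crack(vault: Dict[str, object], wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack. Account 2FA, rate limits and lockouts never run,
    because the attacker holds the data; each guess costs only KDF work."""
    for candidate in wordlist:
        if guess_is_correct(vault, candidate):
            return candidate
    return None


def guesses_per_second(vault: Dict[str, object], samples: int = 5) -> float:
    """Measure the per-guess cost on this machine (one core, OpenSSL PBKDF2)."""
    start = time.perf_counter()
    for i in range(samples):
        guess_is_correct(vault, f"timing-probe-{i}")
    return samples / (time.perf_counter() - start)


def expected_crack_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Expected time to hit a uniformly random password of the given length over
    the alphabet at a given guess rate (half the keyspace on average)."""
    return (alphabet_size ** length) / 2 / rate


# Constructed stand-in for a leaked-password dictionary.
WORDLIST = ["password", "letmein", "Summer2022", "monkey123", "qwerty"]

if __name__ == "__main__":
    iterations = 100_100  # assumption for the example
    weak = make_vault("Summer2022", iterations)
    strong = make_vault("correct horse battery staple 7&", iterations)
    print("weak master password recovered:", offline_crack(weak, WORDLIST))
    print("strong master password recovered:", offline_crack(strong, WORDLIST))

    rate = guesses_per_second(weak)
    print(f"~{rate:.1f} guesses/s at {iterations} iterations on this machine")
    for length in (8, 12, 16):
        years = expected_crack_seconds(95, length, rate) / (365 * 24 * 3600)
        print(f"random {length}-char printable-ASCII master password: ~{years:.3g} years")
```

Run as a script, the weak master password falls to the constructed wordlist and the long passphrase does not. The measured guess rate is a lower bound for the attacker: a dedicated cracker running the same KDF on GPUs is orders of magnitude faster, and a master password that appears in any breach corpus is found in the first pass regardless of iteration count. The iteration count is the only lever the vault format offers; everything else rests on the master password.
-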
The LastPass security problem mentioned means that a user is not directly in control of their own security.
Would it not be better to have your own Notepad file, with a strong password for each of your online accounts?
-
goodValue said:
    The LastPass security problem mentioned means that a user is not directly in control of their own security.
    Would it not be better to have your own Notepad file, with a strong password for each of your online accounts?

No. Are you going to carry that notebook around with you everywhere? The risk of losing that is far, far higher than anyone cracking a good master password on a password vault.
-
goodValue said:
    The LastPass security problem mentioned means that a user is not directly in control of their own security.
    Would it not be better to have your own Notepad file, with a strong password for each of your online accounts?

Where do you keep that notepad file? On multiple devices in multiple locations and/or in the cloud for extra security? How do you keep them up to date?

Also, are the various passwords in it ones you can easily retype when needed, so not as secure as they could be?

I'm a Forum Ambassador and I support the Forum Team on the In My Home MoneySaving, Energy and Techie Stuff boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
All views are my own and not the official line of MoneySavingExpert.
-
Anything that reduces the risk from using the same password over and over is worth considering.

If you only use one PC at home, then having a password notebook is an option as it can't be hacked.

Another option to create reasonable passwords is to generate them from a process such as combining:
- A non-dictionary root, e.g. "99FG*haA", which you can write down and keep in your wallet as it's hard to remember.
- A memorable, hard-to-find-online addition, e.g. your favourite colour, "Green".
- A unique element: the 1st, 3rd and 4th letters of the website name, e.g. "aaz" for Amazon.
giving "99FG*haAGreenaaz" as a strong, unique password you can regenerate using the process.

Clever Fox Password Book Spiral – Mini Internet Address & Password Organizer with Laminated Alphabetical Tabs – Small Password Keeper Journal – Hardcover, Pocket Size, 12x14.5cm (Mystic Blue) : Amazon.co.uk: Stationery & Office Supplies
-
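Editor's added example, not the poster's own code: the three-part scheme described in the post above, implemented so it can be tried, followed by the check a practitioner would run on any fixed-rule scheme before adopting it. Because the root and the memorable word are the same for every site and the per-site part follows a simple rule, any site that leaks (or has cracked) the plaintext password exposes most of the secret; two such leaks confirm the rule and let an attacker produce the password for a site that never leaked anything. Site names and "leaked" values are constructed; how the scheme treats site names with fewer than four letters is an assumption, since the post does not say.

```python
from typing import Dict

# Editor's example: the user's generation rule from the post, then the
# attacker's side of it. Site names and leaked values are constructed.


def site_element(site_name: str) -> str:
    """1st, 3rd and 4th letters of the site name, lower-cased.

    Assumption (the post does not say): non-letters are ignored, and names
    with fewer than four letters simply contribute fewer characters.
    """
    letters = [c for c in site_name.lower() if c.isalpha()]
    return "".join(letters[i] for i in (0, 2, 3) if i < len(letters))


def derive_password(root: str, memorable: str, site_name: str) -> str:
    """The user's rule: fixed root + memorable word + per-site element."""
    return root + memorable + site_element(site_name)


def recover_shared_secret(leaked: Dict[str, str]) -> str:
    """Attacker's view, knowing or guessing the rule.

    Each leaked site -> plaintext password pair ends with that site's element,
    so stripping it exposes root+memorable. Agreement across two or more leaks
    confirms the scheme is in use.
    """
    candidates = set()
    for site, password in leaked.items():
        element = site_element(site)
        if not password.endswith(element):
            raise ValueError(f"{site}: password does not fit the scheme")
        candidates.add(password[: len(password) - len(element)])
    if len(candidates) != 1:
        raise ValueError("leaked passwords do not share one root+memorable part")
    return candidates.pop()


def forge_password(leaked: Dict[str, str], target_site: str) -> str:
    """Password the attacker would try at a site that has leaked nothing."""
    return recover_shared_secret(leaked) + site_element(target_site)


if __name__ == "__main__":
    root, memorable = "99FG*haA", "Green"
    # The user's side: unique-looking passwords from one remembered rule.
    for site in ("Amazon", "eBay", "PayPal"):
        print(site, "->", derive_password(root, memorable, site))

    # The attacker's side: two sites leak plaintext passwords (constructed).
    leaked = {
        "Amazon": derive_password(root, memorable, "Amazon"),
        "eBay": derive_password(root, memorable, "eBay"),
    }
    print("recovered root+memorable:", recover_shared_secret(leaked))
    print("forged for PayPal:", forge_password(leaked, "PayPal"))
```

The contrast with the vault approach discussed earlier in the thread is the point: passwords generated at random by a manager share nothing with each other, so one leaked password says nothing about the rest, whereas a rule-derived set is effectively one secret reused with a thin per-site suffix.
-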
As regards using your own file for storing passwords, I know my own situation will be different to the majority of users.
It would be one file, on one device (laptop).
Each password would be copied/pasted when needed.
Does this still fall foul of issues of keeping up to date/security/losing file that were mentioned?