
LastPass Password Manager - Time to move on?


Comments

  • 400ixl said:
    k_man said:

    It could be done against any system, once an offline copy of the data has been obtained.
    This bypasses any 2FA, auto lockout protection etc.

    Are you saying that even if I have had LastPass 2FA turned on for years, now that these files are available for all on the dark web the hackers just need to guess the passphrase to get access to all my passwords?
    "Just" makes it sound simple. Provided your master password was complex and followed good practice, that "just" should be measured in years of focussed attempts to crack with today's compute power.

    If the master password is simple to dictionary attack, then you should be concerned and be starting to change the passwords on accounts, prioritising those which could have a financial consequence. After setting a new secure master password of course.
    Thanks, yes, hopefully my passphrase isn't that easy to crack.
  • razord
    razord Posts: 566 Forumite
    Part of the Furniture 500 Posts Name Dropper Combo Breaker
    There's a good blog post from a security researcher here on why LastPass have been so bad in this breach: https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    goodValue said:
    As regards using your own file for storing passwords, I know my own situation will be different to the majority of users.
    It would be one file, on one device (laptop).
    Each password would be copied/pasted when needed.
    Does this still fall foul of issues of keeping up to date/security/losing file that were mentioned?

    This has some pluses:
    Reduces likelihood of password reuse
    Allows use of strong unique passwords (depending how they are being generated)

    But:
    If your laptop fails, you lose all login details*
    You don't have details when not at your laptop
    If your laptop is compromised with malware, then all your details are easily accessible to hackers
    As above if your laptop is stolen.

    *If you have backups of the password file, then these become vulnerable. But no offline attack is required as the unencrypted notepad file is already instantly accessible.

    The strong encryption (albeit LastPass' was poor compared to other password managers) buys you time after a breach to take action, while the offline attacks take place (which will take months per database/user in most cases).
    A breach of your notepad is an emergency immediately.

    Miser1964 said:
    Anything that reduces the risk from using the same password over and over is worth considering.

    If you only use one PC at home, then having a password notebook is an option as it can't be hacked.

    Another option to create reasonable passwords is to generate from a process such as combining -

    Non dictionary root, i.e. "99FG*haA" which you can write down and keep in wallet as it's hard to remember. 

    Memorable, hard to find online addition, i.e. favourite colour "Green"

    Unique element - 1st, 3rd and 4th letter of website name, i.e. "aaz" for Amazon 

    giving "99FG*haAGreenaaz" as strong, unique password you can regenerate using the process.

    Clever Fox Password Book Spiral – Mini Internet Address & Password Organizer with Laminated Alphabetical Tabs – Small Password Keeper Journal – Hardcover, Pocket Size, 12x14.5cm (Mystic Blue) : Amazon.co.uk: Stationery & Office Supplies
    As discussed in previous threads, pattern based unique passwords are better than very obvious or reused passwords, but barely.

    Any password generation system that means breach of one password makes working out others easier is a bad system.
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    k_man said:
    Dictionary attacks very rarely use multiple words (due to the extra processing required).
    So while you are correct, in that a single word, even if very long, is not a good password

    E.g.
    supercalifragilisticexpialidocious

    While long, is a single word, and will be found in a dictionary attack.

    word1word2word3word4

    Is very unlikely to be found in an automated attack, unless
    It has been used before, been leaked, and is now in one of the dictionaries used.
    The attacker knows the password is 4 words, and the source word list, and the source word list is small.

    ETA: for most passwords, this is moot anyway, as long random unique multi character non memorable passwords should be used, and stored in a password manager.

    Long, multi word or phrase based (including nonsense words, and non consistent joining characters for extra strength) should only be for the 3 or 4 passwords that need to be remembered 

    Just found this which seems to imply a password made up of three random words (like @olinda99 said) would only take 6 hours to crack using an offline method

    https://www.pentestpartners.com/security-blog/three-word-passwords/#:~:text=Cracking characteristics,that's an extra 6 hours.
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    km1500 said:
    k_man said:
    Dictionary attacks very rarely use multiple words (due to the extra processing required).
    So while you are correct, in that a single word, even if very long, is not a good password

    E.g.
    supercalifragilisticexpialidocious

    While long, is a single word, and will be found in a dictionary attack.

    word1word2word3word4

    Is very unlikely to be found in an automated attack, unless
    It has been used before, been leaked, and is now in one of the dictionaries used.
    The attacker knows the password is 4 words, and the source word list, and the source word list is small.

    ETA: for most passwords, this is moot anyway, as long random unique multi character non memorable passwords should be used, and stored in a password manager.

    Long, multi word or phrase based (including nonsense words, and non consistent joining characters for extra strength) should only be for the 3 or 4 passwords that need to be remembered 

    Just found this which seems to imply a password made up of three random words (like @olinda99 said) would only take 6 hours to crack using an offline method

    https://www.pentestpartners.com/security-blog/three-word-passwords/#:~:text=Cracking characteristics,that's an extra 6 hours.
    The article relates to NTLM password hashes, and the writer's setup can brute force 20 billion passwords a second.

    NTLM hashes allow multiple passwords to be attacked at the same time, so in their test all 3 word passwords would be discovered in around 5 days (their specific example was found in 6 hours).

    However, most password managers (and secure systems) use additional salting, meaning only one user's password can be attempted at a time. And due to multiple iterations of hashing these can only be attempted at a few tens of thousands of passwords a second.
    Or, hundreds of thousands of times slower, and for only one password at a time.

    If users really can remember multiple truly random and unique multi character passwords, then they should use them.
    The rest of us will remember a few long word or phrase based passwords, and let the password manager manage all the long unique (unmemorable) ones.
    And rely on strong encryption to give us time to address any breaches.
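
    As an added example (not code from the thread, the linked article or LastPass), this Python sketch puts numbers on the two points above: the keyspace of a multi-word passphrase under the guess rates quoted in the thread (20 billion/s against unsalted NTLM hashes; "a few tens of thousands" per second against a salted, iterated KDF, taken here as 50,000), and why per-user salting forces an attacker to work one user at a time. The 200,000-word list, the 1,000-user leaked database and the tiny toy vault are constructed assumptions, and the function names are mine.

```python
import hashlib, os

SECONDS_PER_DAY = 86_400
# Guess rates quoted in the thread: ~20 billion/s against unsalted NTLM hashes and
# "a few tens of thousands" per second against a salted, iterated KDF (50,000 assumed).
UNSALTED_RATE = 20e9
SALTED_KDF_RATE = 50e3

def keyspace(list_size: int, word_count: int) -> int:
    """Candidates if the attacker knows the word list and the number of words used."""
    return list_size ** word_count

def days_to_exhaust(candidates: int, rate: float, users: int, salted: bool) -> float:
    """Unsalted: one pass over the candidates checks every user's hash at once.
    Salted: each user's hash needs its own full pass, so cost scales with users."""
    passes = users if salted else 1
    return candidates * passes / rate / SECONDS_PER_DAY

def unsalted_hash(word: str) -> str:
    return hashlib.sha256(word.encode()).hexdigest()

def salted_hash(word: str, salt: bytes, iterations: int = 1000) -> str:
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations).hex()

def crack_one_word_vaults(stored: dict, wordlist: list, salts=None):
    """Toy offline attack on 1-word passwords -> (recovered, digests computed). Unsalted:
    one digest per word serves every user; salted: one per (user, word), stopping when found."""
    recovered, ops = {}, 0
    if salts is None:
        for word in wordlist:
            digest, ops = unsalted_hash(word), ops + 1
            recovered.update({u: word for u, h in stored.items() if h == digest})
    else:
        for user, h in stored.items():
            for word in wordlist:
                ops += 1
                if salted_hash(word, salts[user]) == h:
                    recovered[user] = word
                    break
    return recovered, ops

if __name__ == "__main__":
    c = keyspace(200_000, 3)  # constructed: 200,000-word list, three words, 1,000 leaked users
    print(f"3 words: {days_to_exhaust(c, UNSALTED_RATE, 1000, False):.2f} days for all 1000 users "
          f"unsalted vs {days_to_exhaust(c, SALTED_KDF_RATE, 1, True):,.0f} days per user salted")
    words = ["apple", "river", "stone", "cloud", "green", "piano"]  # constructed word list
    pws = {"alice": "stone", "bob": "apple", "carol": "piano"}      # constructed 1-word passwords
    salts = {u: os.urandom(16) for u in pws}
    print(crack_one_word_vaults({u: unsalted_hash(p) for u, p in pws.items()}, words))
    print(crack_one_word_vaults({u: salted_hash(p, salts[u]) for u, p in pws.items()}, words, salts))
```

    With the assumed 200,000-word list, three words fall in under five days for an entire unsalted database but take over 1.8 million days per user against the salted KDF, which is the "buys you time" margin k_man describes.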

  • 400ixl
    400ixl Posts: 4,482 Forumite
    1,000 Posts Third Anniversary Name Dropper
    goodValue said:
    As regards using your own file for storing passwords, I know my own situation will be different to the majority of users.
    It would be one file, on one device (laptop).
    Each password would be copied/pasted when needed.
    Does this still fall foul of issues of keeping up to date/security/losing file that were mentioned?

    There is a far higher chance of a file on a PC being compromised and hacked than there is of a password vault with a strong master password being accessed. Other risks such as malware and ransomware are a risk to locally stored files.

    You would be more secure using a password manager which stored the wallet locally at the very least. Again, with a strong master password.