Password Manager

#46  02-28-2025, 12:28 PM  bp243 (Senior Member)

Quote: Originally Posted by JoelJohnson
I've been using LastPass for years. I know there was some press about a breach, but it never affected anyone.
Unfortunately, a friend who used LastPass lost her entire bitcoin investment which was supposed to be 100% safe. LastPass has been breached at least twice.
#47  02-28-2025, 12:34 PM  Altavia (Sage)

Quote: Originally Posted by Bill14564
Not hacked by AI at all.

According to reporting, he downloaded an AI tool that happened to include malware. The malware stole information from his machine including his keystrokes as he typed his 1Password login and password. Once they had the 1Password login information they had all his other logins and passwords too.

Two quick takeaways: Be careful about what software you download and make use of 2FA.
Very sad story indeed; the malware provided the same access as sitting at the computer. Several lessons to be learned.

Hackers stole this engineer's 1Password database. Could it happen to you? | ZDNET


"The WSJ article discusses 1Password at length, pointing out that the victim was using the password manager to store 2-factor authentication keys for many sites, and that he hadn't turned on 2-factor authentication for 1Password itself.

...


In this case, it's hard to assign any fault to the password manager. Bad guys had unrestricted access to his computer for five months!

The keyboard logger was capable of stealing every set of credentials he used during that time, even if the usernames and passwords were typed in manually. "
#48  02-28-2025, 12:34 PM  bp243 (Senior Member)

Quote: Originally Posted by Stu from NYC
Thinking about getting one so following
1Password is my password manager of choice and is often rated as #1. To my knowledge it's never been breached and is a dream to use if you access lots of websites. The backup team is very helpful should you have an issue, although all communication is done via email with their team.
#49  02-28-2025, 01:06 PM  Arlington2 (Senior Member)

Quote: Originally Posted by Bill14564
I believe you mean a passkey (there's a difference).

Passkeys currently have some shortcomings in that they don't work across all devices or accounts and they are difficult to use without your specific device (though 2FA has the same limitation). Passkeys are a good idea but until they are a bit more universal I will stick with a password manager.
I guess I misspoke, it is passkey. I'm not an IT guru. Nevertheless, security experts are recommending using passkeys to counter the Astaroth Phishing Kit which is designed to bypass traditional 2FA in Gmail, etc., as reported in Infosecurity Magazine and cybersecsentinel as well as other news outlets. The Astaroth kit is available on the dark web for $2K. Passkeys work on my PC and iPhone and I choose to use them. Of course the first line of defense is don't click on unknown links, but studies have shown user negligence is prevalent.
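The reason a passkey holds up where a code-relaying phishing kit beats TOTP is that the browser binds every assertion to the origin it is actually on, and the site checks that binding. What follows is an added example written for this thread, not code from the post above, from any browser vendor or from the Astaroth reporting it cites. It is a simplified model of the WebAuthn login ceremony: an HMAC stands in for the authenticator's ECDSA signature, the browser's registrable-domain rule is reduced to a host-suffix check, and the domain names, challenges and key material are all constructed for the demonstration.

```python
# Added example for this thread (not code from the post, a browser vendor or
# any passkey product). Simplified WebAuthn assertion flow: an HMAC stands in
# for the authenticator's ECDSA signature; names, challenges, keys are made up.
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def origin_in_scope(origin: str, rp_id: str) -> bool:
    """Browser rule (simplified): a credential for rp_id works only on that host or a subdomain."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """One passkey, bound to a single relying-party ID when it was created."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.key = secrets.token_bytes(32)   # stands in for the credential private key
        self.counter = 0

    def get_assertion(self, challenge: bytes, origin: str, enforce_scope: bool = True):
        # The browser, not the page, writes the origin it is really showing the user.
        if enforce_scope and not origin_in_scope(origin, self.rp_id):
            return None                      # credential is never offered on this origin
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}).encode()
        self.counter += 1
        auth_data = sha256(self.rp_id.encode()) + self.counter.to_bytes(4, "big")
        sig = hmac.new(self.key, auth_data + sha256(client_data), hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    """Server side: the checks that make a relayed or replayed assertion worthless."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}                # user -> [key, last signature counter]
        self.pending = {}                    # user -> outstanding challenge

    def register(self, user: str, authenticator: Authenticator) -> None:
        self.credentials[user] = [authenticator.key, 0]

    def begin_login(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def finish_login(self, user: str, assertion: dict):
        key, last_counter = self.credentials[user]
        challenge = self.pending.pop(user, None)          # single use: replay fails here
        client = json.loads(assertion["clientDataJSON"])
        if client.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if challenge is None or client.get("challenge") != challenge.hex():
            return False, "challenge mismatch or replay"
        if client.get("origin") != self.origin:            # the phishing case
            return False, "origin mismatch: " + client.get("origin", "")
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        counter = int.from_bytes(auth_data[32:36], "big")
        if counter <= last_counter:
            return False, "signature counter did not advance"
        expected = hmac.new(key, auth_data + sha256(assertion["clientDataJSON"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self.credentials[user][1] = counter
        return True, "ok"


def simulate() -> dict:
    """Legit login, a replay, and an adversary-in-the-middle phishing relay."""
    bank = RelyingParty("bank.example", "https://bank.example")
    passkey = Authenticator("bank.example")
    bank.register("alice", passkey)
    results = {}
    # 1. Normal login from the real site.
    assertion = passkey.get_assertion(bank.begin_login("alice"), "https://bank.example")
    results["legit"] = bank.finish_login("alice", assertion)
    # 2. Replaying the captured assertion, which is all a stolen TOTP code amounts to.
    results["replay"] = bank.finish_login("alice", assertion)
    # 3. Phishing kit: it fetches a genuine challenge from the bank and shows it on a look-alike domain.
    challenge, phish = bank.begin_login("alice"), "https://bank-login.example"
    results["phish_browser_refuses"] = passkey.get_assertion(challenge, phish) is None
    # Even if a client produced an assertion anyway, the bank sees the wrong origin.
    forced = passkey.get_assertion(challenge, phish, enforce_scope=False)
    results["phish_server_rejects"] = bank.finish_login("alice", forced)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The two lines that matter are the origin check and the single-use challenge: a relayed assertion carries the look-alike origin, and a captured one can only be submitted once. A TOTP code has neither property, which is why a kit that proxies the real login page can forward it unchanged.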
#50  02-28-2025, 06:01 PM  Pamela1130 (Senior Member)

Quote: Originally Posted by Michael G.
Who uses them and which one do you use.
Do you feel they're safe?
My DIL who worked at FB for ten years and now TikTok says everyone uses LastPass. So I got it. It's cheap enough at $36.00 a year, but you have to learn how to use it and there are YouTube videos. But our computers also give us automatically generated passwords if you have a Mac.
#51  02-28-2025, 07:10 PM  OrangeBlossomBaby (Sage)

Quote: Originally Posted by Bill14564
Do you carry the thumb drive with you so that when you are sitting at the square and try to login to a site you have your passwords? Which slot do you use to insert the thumb drive in your phone?

When you need to change your password the password manager inserts your old password - that's what a password manager does. When you are asked for a new password, most of the password managers will offer to generate one for you. When you hit the submit button the password manager will ask if you want to update your stored password.
I don't use my phone to access websites. I have some shopping apps, and the passwords are encrypted and saved, and the phone doesn't display anything without my fingerprint or face to unlock it first. I also sometimes use my Kindle app to read on my phone if I'm out to lunch by myself.

I don't have banking apps on my phone, and my "wallet" is also encrypted and requires biometrics to use.

The thumb drive goes with me when I take my laptop to my dad's house. If I'm taking my tablet instead I port just a dozen lines of data to a temporary spreadsheet on a micro SD card and take that - and then I delete it when I get home.
#52  02-28-2025, 07:25 PM  Ramblnman (Member)

Quote: Originally Posted by villagetinker
I do not trust anything that is online (aka cloud) storage, and I do not like local storage on my PC, so I have my own secret way of storing passwords which I will not give out on an open forum. There are ways to keep your passwords safe I have over 100 currently.
I completely agree and have my own method of managing passwords as well
#53  03-01-2025, 09:09 AM  bp243 (Senior Member)

Quote: Originally Posted by OrangeBlossomBaby
I keep all my passwords on a spreadsheet on a thumb drive. There are several apps and accounts that require me to change the password every 90 days. I don't know how these password managers handle that. If you get one that says you have to change it, it requires that you manually enter the current password. If you don't know what it is - you're outta luck.
1Password is named that because you have ONE Password to get into your master listing where you can change anything or occasionally copy and paste a password.
#54  03-01-2025, 09:30 AM  RoseyRed (Senior Member)

Quote: Originally Posted by Cuervo
This issue has been addressed before in a different manner and as a previous poster stated I also do not trust putting anything on the internet no matter how secure they claim to be. If the manager site is hacked, they will have access to all your information. What I don't understand is why you just don't keep all your passwords in an address book that you only have access to.

The last time I suggested that someone said what if someone breaks into your house and finds the book. If that is your worry put it in a place where no one will look. But let's be realistic: if someone breaks into your house, they're not going to waste their time looking for a book they don't even know exists. They're going for cash and jewelry.

If you don't think hackers can break into a password manager, a hacker from North Korea just got away with over a billion in bitcoin.
Very good point! I have been in IT for years and see more and more how online products are advertised as the best thing since sliced bread while the employees within the companies see all the failure points (areas for improvement). There are pros and cons to both electronic and physical methods of PW storage. The difficult part is there are NO guarantees, so that leaves the question of what has the least amount of risk. With which method does one feel the most comfortable?
#55  03-01-2025, 10:04 AM  ElDiabloJoe (Gold member)

Quote: Originally Posted by Ramblnman
I completely agree and have my own method of managing passwords as well
I assume you mean something far more robust than writing them down on a sheet of paper and putting it under the keyboard or in an adjacent drawer.
#56  03-01-2025, 11:02 AM  RoseyRed (Senior Member)

Quote: Originally Posted by jimkerr
This is terrible advice. I’ve been in the IT industry for many years. LastPass used to be a password manager I used until their security breaches.

I assume you’re referring to the "LastPass security breach." LastPass, a widely used password manager, experienced significant security incidents, with the most notable and impactful occurring in 2022. Because of this, I don’t trust them anymore. Here are the details.

The LastPass security breach unfolded in multiple stages throughout 2022, with the company disclosing critical updates over several months. It began in August 2022 when LastPass announced that an unauthorized party had accessed portions of its development environment, stealing source code and proprietary technical information. At the time, the company assured users that no customer data or encrypted password vaults were compromised, and the breach was contained within the development environment, which was separate from production systems holding sensitive user data.

However, the situation escalated in November 2022 when LastPass revealed a second related incident. Using information stolen in the August breach, the attacker gained access to a third-party cloud storage service that LastPass used to store backups of customer data. By December 22, 2022, the company confirmed that this breach was far more severe than initially suggested. The attacker had copied a backup of customer vault data, which included both unencrypted data—such as website URLs—and encrypted sensitive fields, like usernames, passwords, secure notes, and form-filled data. Additionally, basic account information such as names, email addresses, billing addresses, phone numbers, and IP addresses was stolen. The encrypted data was protected by 256-bit AES encryption and could only be decrypted with each user’s unique master password, which LastPass does not store or have access to due to its zero-knowledge architecture.

Further details emerged in March 2023, when LastPass provided a comprehensive update. The attacker had targeted a senior DevOps engineer’s home computer, exploiting a vulnerability in third-party media software (suspected to be Plex) to install keylogger malware. This allowed the attacker to capture the engineer’s master password after they authenticated with multi-factor authentication (MFA), granting access to the engineer’s corporate LastPass vault. From there, the attacker obtained decryption keys for the cloud storage backups, enabling them to access and exfiltrate the sensitive customer data. This incident highlighted a sophisticated, multi-step attack that leveraged both the initial breach and social engineering tactics.

The fallout from this breach has been significant and ongoing. While LastPass maintained that users with strong, unique master passwords adhering to its defaults (at least 12 characters and 100,100 iterations of PBKDF2 hashing) were secure—claiming it would take millions of years to crack such passwords with current technology—experts raised concerns. If users had weak or reused master passwords, especially from prior breaches available on the dark web, their vaults could be vulnerable to brute-force attacks. This led to widespread recommendations for users to change all passwords stored in LastPass and consider switching to alternative password managers like 1Password or Bitwarden, which have not reported similar breaches.

The breach’s impact extended beyond immediate data loss. In late 2024, reports surfaced linking the stolen LastPass data to cryptocurrency thefts. Blockchain investigators, such as ZachXBT, claimed that hackers using the 2022 breach data stole millions in crypto assets, with over $5 million reportedly taken in December 2024 alone and a total exceeding $12 million across multiple incidents. These attacks targeted users who had stored crypto seed phrases or keys in their LastPass vaults, exploiting the encrypted data once decrypted with compromised master passwords.

LastPass responded by enhancing security measures, including rebuilding its development environment, rotating credentials, and enforcing stricter master password requirements (e.g., a 12-character minimum for all users by January 2024). The company also spun off from its parent company, GoTo, in 2024, aiming to rebuild trust under new leadership. However, its handling of the breach—marked by delayed and piecemeal disclosures—drew criticism from users and security experts, damaging its reputation. Many questioned the company’s transparency and its ability to protect sensitive data, especially given prior incidents in 2011, 2015, and earlier in 2022.

In summary, the LastPass security breach of 2022 was a complex, multi-phase attack that compromised user data through a combination of stolen source code, cloud storage access, and a targeted keylogger attack on an employee. While encrypted data remained secure for users with strong master passwords, the breach exposed vulnerabilities in LastPass’s infrastructure and response strategy, leading to long-term consequences like crypto thefts and a loss of user trust. If you’re a LastPass user, it’s wise to ensure your master password is robust, rotate sensitive credentials, and monitor for any suspicious activity.
This brings to light the need for multiple layers of security! Not just a PW mgr, but 2FA, credit freeze, virus protection, and constant PW changes along with many others to make it not worth it to the hacker for the time needed to get through to your valuable data! It's not IF you're hacked ... It's WHEN!!!
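The quoted post's point about master-password strength and the 100,100-iteration PBKDF2 default comes down to one number: the cost of testing a single guess against a stolen vault backup, which is all an attacker holding that backup can do. The following is an added example for this thread, not code from LastPass or from either poster. It models that offline guessing with PBKDF2-HMAC-SHA256, using the account email as the salt and a SHA-256 of the derived key as the stored verifier; both are assumptions made to keep the example self-contained, as are the wordlist and the one-billion-guesses-per-second attacker budget.

```python
# Added example for this thread, not LastPass code. Models offline guessing
# against a leaked vault backup. Assumptions: PBKDF2-HMAC-SHA256 with the
# account email as salt, and SHA-256(vault key) as the stored verifier.
import hashlib
import hmac
import time

# Constructed wordlist: the sort of entries found in credential dumps, plus
# the weak master password protecting the example vault.
WORDLIST = ["password", "123456", "letmein", "Summer2022!", "Passw0rd", "qwerty"]


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into the 256-bit key that unlocks the vault."""
    salt = email.strip().lower().encode()          # assumption: normalised email as salt
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)


def key_verifier(vault_key: bytes) -> bytes:
    """What the service stores to check a login; the attacker has it from the backup."""
    return hashlib.sha256(vault_key).digest()


def crack(verifier: bytes, email: str, iterations: int, wordlist):
    """Offline dictionary attack: (password, guesses_made) or (None, guesses_made)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        derived = key_verifier(derive_vault_key(candidate, email, iterations))
        if hmac.compare_digest(derived, verifier):
            return candidate, guesses
    return None, len(wordlist)


def seconds_per_guess(iterations: int, email: str = "probe@example.com", samples: int = 3) -> float:
    """Measure one PBKDF2 derivation at this iteration count on the local CPU."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", email, iterations)
    return (time.perf_counter() - start) / samples


def years_to_search(keyspace: float, iterations: int, single_iter_guesses_per_second: float) -> float:
    """Exhaustive-search time; PBKDF2 cost grows linearly with the iteration count."""
    rate = single_iter_guesses_per_second / iterations
    return keyspace / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    email, weak = "alice@example.com", "Summer2022!"
    for iterations in (5_000, 100_100, 600_000):
        verifier = key_verifier(derive_vault_key(weak, email, iterations))
        start = time.perf_counter()
        found, guesses = crack(verifier, email, iterations, WORDLIST)
        print(f"{iterations:>8} iterations: cracked {found!r} in {guesses} guesses, "
              f"{time.perf_counter() - start:.2f}s ({seconds_per_guess(iterations) * 1000:.1f} ms/guess)")
    # A 12-character random password over a 70-symbol alphabet, against an
    # attacker assumed to afford 1e9 single-iteration PBKDF2 guesses/second
    # (an assumed GPU budget for the comparison, not a measurement).
    keyspace = 70 ** 12
    for iterations in (5_000, 100_100, 600_000):
        print(f"{iterations:>8} iterations: ~{years_to_search(keyspace, iterations, 1e9):.1e} years")
```

Run it and the first loop shows the trade-off from the attacker's seat: a master password that appears in a wordlist falls in a handful of guesses no matter how many iterations are configured, while the second loop shows that for a password the wordlist does not contain, the iteration count multiplies the attacker's bill directly. The one knob the user controls after a backup leak is the first one.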
#57  03-01-2025, 11:08 AM  RoseyRed (Senior Member)

Quote: Originally Posted by TheWatcher
2-factor verification or FIDO passkey is the answer here for your high security sites like your finances. Enable 2-factor verification in google, too.

Use different email account and computer for finances/high security.

Use of password manager is personnal preference, use answers given prior to help choose one and use their password generator to get secure random passwords.

Nothing is totally secure. But you can be sufficiently safe for now if you are careful. Just do not make obvious security mistakes.
I have heard it suggested to use an entirely different computer (Chromebook due to being harder to hack) and email address.
#58  03-01-2025, 03:37 PM  GoldenBoy (Member)

Quote: Originally Posted by RoseyRed
This brings to light the need for multiple layers of security! Not just a PW mgr, but 2FA, credit freeze, virus protection, and constant PW changes along with many others to make it not worth it to the hacker for the timed needed to get through to your valuable data! It's not IF your hacked ... It's WHEN!!!
Govt databases have become suspect with the activity of the horde buzzing around CMS, IRS, and VA looking for savings. I suspect all of this activity has made our data less than secure and individuals can do nothing to protect themselves as long as there is virtually no accountability for data security.
#59  03-01-2025, 03:56 PM  Sportster (Junior Member)

I use KeePassXC (not KeePass). Decent user interface, very easy to use, local file storage, no ads or account required and best of all open source, so it's free. You have control of the encrypted password file and a copy can be kept offsite like where you keep backups, or with a family member (heirs). More than just passwords can be saved too (account numbers, critical info etc.).
#60  03-01-2025, 05:51 PM  OrangeBlossomBaby (Sage)

Quote: Originally Posted by bp243
1Password is named that because you have ONE Password to get into your master listing where you can change anything or occasionally copy and paste a password.
Google already does that. You log into Google and you have access to your master list. If you don't log in, you don't have access.
Tags: password, manager, feel, safe