[bp243]

Quote:

Originally Posted by JoelJohnson

I've been using LastPass for years. I know there was some press about a breach, but it never affected anyone.

Unfortunately, a friend who used Last Pass lost her entire bitcoin investment which was supposed to be 100% safe. Last Pass has been breached at least twice.

[Altavia]

Quote:

Originally Posted by Bill14564

Not hacked by AI at all.

According to reporting, he downloaded an AI tool that happened to include malware. The malware stole information from his machine including his keystrokes as he typed his 1Password login and password. Once they had the 1Password login information they had all his other logins and passwords too.

Two quick takeaways: Be careful about what software you download and make use of 2FA.

Very sad story indeed, the malware provided the same access as of sitting at the computer. Several lessons to be learned.

Hackers stole this engineer's 1Password database. Could it happen to you? | ZDNET


"The WSJ article discusses 1Password at length, pointing out that the victim was using the password manager to store 2-factor authentication keys for many sites, and that he hadn't turned on 2-factor authentication for 1Password itself.

...


In this case, it's hard to assign any fault to the password manager. Bad guys had unrestricted access to his computer for five months!

The keyboard logger was capable of stealing every set of credentials he used during that time, even if the usernames and passwords were typed in manually. "

[bp243]

Quote:

Originally Posted by Stu from NYC

Thinking about getting one so following

1Password is my password manager of choice and is often rated as #1. To my knowledge it's never been breached and is a dream to use if you access lots of websites. The backup team is very helpful should you have an issue, although all communication is done via email with their team.

[Arlington2]

Quote:

Originally Posted by Bill14564

I believe you mean a passkey (there's a difference).

Passkeys currently have some shortcomings in that they don't work across all devices or accounts and they are difficult to use without your specific device (though 2FA has the same limitation). Passkeys are a good idea but until they are a bit more universal I will stick with a password manager.

I guess I misspoke, it is passkey. I'm not an IT guru. Nevertheless, security experts are recommending using passkeys to counter the Astaroth Phishing Kit which is designed to bypass traditional 2FA in gmail, etc. as reported in Infosecurity Magazine and cybersecsentinel as well as other news outlets. The Astaroth kit is available on the dark web for $2K. Passkeys work on my PC and iPhone and I choose to use them. Of course the first line of defense is don't click on unknown links, but studies have shown user negligence is prevalent.

[Pamela1130]

Quote:

Originally Posted by Michael G.

Who uses them and which one do you use.
Do you feel their safe?

My DIL who worked at FB for ten years and now TikTok says everyone uses Last Pass. So I got it. It's cheap enough $36.00 year but you have to learn how to use it and there are You Tube Videos. But our computers also give us automatic generated passwords if you have a MAC.

[OrangeBlossomBaby]

Quote:

Originally Posted by Bill14564

Do you carry the thumb drive with you so that when you are sitting at the square and try to login to a site you have your passwords? Which slot do you use to insert the thumb drive in your phone?

When you need to change your password the password manager inserts your old password - that's what a password manager does. When you are asked for a new password, most of the password managers will offer to generate one for you. When you hit the submit button the password manager will ask if you want to update your stored password.

I don't use my phone to access websites. I have some shopping apps, and the passwords are encrypted and saved, and the phone doesn't display anything without my fingerprint or face to unlock it first. I also sometimes use my kindle app to read on my phone if I'm out to lunch by myself.

I don't have banking apps on my phone, and my "wallet" is also encrypted and requires biometrics to use.

The thumb drive goes with me when I take my laptop to my dad's house. If I'm taking my tablet instead I port just a dozen lines of data to a temporary spreadsheet on a micro SD card and take that - and then I delete it when I get home.

[Ramblnman]

Quote:

Originally Posted by villagetinker

I do not trust anything that is online (aka cloud) storage, and I do not like local storage on my PC, so I have my own secret way of storing passwords which I will not give out on an open forum. There are ways to keep your passwords safe I have over 100 currently.

I completely agree and have my own method of managing passwords as well

[bp243]

Quote:

Originally Posted by OrangeBlossomBaby

I keep all my passwords on a spreadsheet on a thumb drive. There are several apps and accounts that require me to change the password every 90 days. I don't know how these password managers handle that. If you get one that says you have to change it, it requires that you manually enter the current password. If you don't know what it is - you're outta luck.

1Password is named that because you have ONE Password to get into your master listing where you can change anything or occasionally copy and paste a password.

[RoseyRed]

Quote:

Originally Posted by Cuervo

This issue has been addressed before in a different manner and as a previous poster stated I also do not trust putting anything on the internet no matter how secure they claim to be. If the manager site is hacked, they will have access to all your information. What I don't understand is why you just don't keep all your passwords in an address book that you only have access to.

The last time I suggested that someone said what if someone breaks into your house and finds the book. If that is your worry put it in a place where no one will look. But let be realistic if someone breaks into your house, they're not going to waste their time looking for a book they don't even know exists. They're going for cash and jewelry.

If you don't think a hackers can't break into a password manager, a hacker from North Korea just got away with over a billion in bite coin.

Very good point! I have been in IT for yrs and see more and more how online products are advertised as the best thing since sliced bread and the employees within the companies see all the failure points (areas for improvement). There are pros and cons to both electronic/physical methods of PW storage. The difficult part is there are NO guarantees, so that leaves the question of what has the least amount of risk? Which method does one feel the most comfortable?

[ElDiabloJoe]

Quote:

Originally Posted by Ramblnman

I completely agree and have my own method of managing passwords as well

I assume you mean something far more robust than writing them down on a sheet of paper and putting it under the keyboard or in an adjacent drawer.

[RoseyRed]

Quote:

Originally Posted by jimkerr

This is terrible advice. I’ve been in the IT industry for many years. Last pass used to be a password manager I used until their security breaches.


I assume you’re referring to the "LastPass security breach." LastPass, a widely used password manager, experienced significant security incidents, with the most notable and impactful occurring in 2022. Because of this, I don’t trust him anymore. Here are the details.

The LastPass security breach unfolded in multiple stages throughout 2022, with the company disclosing critical updates over several months. It began in August 2022 when LastPass announced that an unauthorized party had accessed portions of its development environment, stealing source code and proprietary technical information. At the time, the company assured users that no customer data or encrypted password vaults were compromised, and the breach was contained within the development environment, which was separate from production systems holding sensitive user data.

However, the situation escalated in November 2022 when LastPass revealed a second related incident. Using information stolen in the August breach, the attacker gained access to a third-party cloud storage service that LastPass used to store backups of customer data. By December 22, 2022, the company confirmed that this breach was far more severe than initially suggested. The attacker had copied a backup of customer vault data, which included both unencrypted data—such as website URLs—and encrypted sensitive fields, like usernames, passwords, secure notes, and form-filled data. Additionally, basic account information such as names, email addresses, billing addresses, phone numbers, and IP addresses was stolen. The encrypted data was protected by 256-bit AES encryption and could only be decrypted with each user’s unique master password, which LastPass does not store or have access to due to its zero-knowledge architecture.

Further details emerged in March 2023, when LastPass provided a comprehensive update. The attacker had targeted a senior DevOps engineer’s home computer, exploiting a vulnerability in third-party media software (suspected to be Plex) to install keylogger malware. This allowed the attacker to capture the engineer’s master password after they authenticated with multi-factor authentication (MFA), granting access to the engineer’s corporate LastPass vault. From there, the attacker obtained decryption keys for the cloud storage backups, enabling them to access and exfiltrate the sensitive customer data. This incident highlighted a sophisticated, multi-step attack that leveraged both the initial breach and social engineering tactics.

The fallout from this breach has been significant and ongoing. While LastPass maintained that users with strong, unique master passwords adhering to its defaults (at least 12 characters and 100,100 iterations of PBKDF2 hashing) were secure—claiming it would take millions of years to crack such passwords with current technology—experts raised concerns. If users had weak or reused master passwords, especially from prior breaches available on the dark web, their vaults could be vulnerable to brute-force attacks. This led to widespread recommendations for users to change all passwords stored in LastPass and consider switching to alternative password managers like 1Password or Bitwarden, which have not reported similar breaches.

The breach’s impact extended beyond immediate data loss. In late 2024, reports surfaced linking the stolen LastPass data to cryptocurrency thefts. Blockchain investigators, such as ZachXBT, claimed that hackers using the 2022 breach data stole millions in crypto assets, with over $5 million reportedly taken in December 2024 alone and a total exceeding $12 million across multiple incidents. These attacks targeted users who had stored crypto seed phrases or keys in their LastPass vaults, exploiting the encrypted data once decrypted with compromised master passwords.

LastPass responded by enhancing security measures, including rebuilding its development environment, rotating credentials, and enforcing stricter master password requirements (e.g., a 12-character minimum for all users by January 2024). The company also spun off from its parent company, GoTo, in 2024, aiming to rebuild trust under new leadership. However, its handling of the breach—marked by delayed and piecemeal disclosures—drew criticism from users and security experts, damaging its reputation. Many questioned the company’s transparency and its ability to protect sensitive data, especially given prior incidents in 2011, 2015, and earlier in 2022.

In summary, the LastPass security breach of 2022 was a complex, multi-phase attack that compromised user data through a combination of stolen source code, cloud storage access, and a targeted keylogger attack on an employee. While encrypted data remained secure for users with strong master passwords, the breach exposed vulnerabilities in LastPass’s infrastructure and response strategy, leading to long-term consequences like crypto thefts and a loss of user trust. If you’re a LastPass user, it’s wise to ensure your master password is robust, rotate sensitive credentials, and monitor for any suspicious activity.

This brings to light the need for multiple layers of security! Not just a PW mgr, but 2FA, credit freeze, virus protection, and constant PW changes along with many others to make it not worth it to the hacker for the timed needed to get through to your valuable data! It's not IF your hacked ... It's WHEN!!!

[RoseyRed]

Quote:

Originally Posted by TheWatcher

2-factor verification or FIDO passkey is the answer here for your high security sites like your finances. Enable 2-factor verification in google, too.

Use different email account and computer for finances/high security.

Use of password manager is personnal preference, use answers given prior to help choose one and use their password generator to get secure random passwords.

Nothing is totally secure. But you can be sufficiently safe for now if you are careful. Just do not make obvious security mistakes.

I have heard it suggested to use an entirely different computer (Chromebook due to being harder to hack) and email address.

[GoldenBoy]

Quote:

Originally Posted by RoseyRed

This brings to light the need for multiple layers of security! Not just a PW mgr, but 2FA, credit freeze, virus protection, and constant PW changes along with many others to make it not worth it to the hacker for the timed needed to get through to your valuable data! It's not IF your hacked ... It's WHEN!!!

Govt databases have become suspect with the activity of the hoard buzzing around CMS, IRS, and VA looking for savings. I suspect all of this activity has made our data less than secure and individuals can do nothing to protect themselves as long as there is virtually no accountability for data security.

[Sportster]

I use KeyPassXC (not KeyPass). Decent user interface, very easy to use, local file storage, no ads or account required and best of all opensource so its free. You have control of the encrypted password file and a copy can be kept offsite like where you keep backups, or with a family member (heirs). More than just passwords can be saved too (account numbers, critical info etc.).

[OrangeBlossomBaby]

Quote:

Originally Posted by bp243

1Password is named that because you have ONE Password to get into your master listing where you can change anything or occasionally copy and paste a password.

Google already does that. You log into Google and you have access to your master list. If you don't log in, you don't have access.