I just don't understand why there were unencrypted bits
That's just pointing out the target and saying: "here! Right here!"
Probably a mix of laziness and performance. Likely way easier to have unencrypted metadata and primary/foreign keys attached to encrypted blobs. That said - holy shit you're a security company, you make that trade for lower performance/higher security EVERY TIME.
hrm, so is Bitwarden the only other good solution? I'm a LastPass premium member, with it installed on my phone and multiple computers.
Feels like if I'm going to have to romp through and change passwords for 50+ sites, might as well switch to something better if it's out there.
Shadowfire (Vermont, in the middle of nowhere), Registered User regular
I really like it, been using it for a little over a year. It's a bit more clunky than LastPass, but not by much. Mostly that it doesn't always pop up the password entry thing every time, and that could also just be caused by some option I messed up on my phone.
I really like it, been using it for a little over a year. It's a bit more clunky than LastPass, but not by much. Mostly that it doesn't always pop up the password entry thing every time, and that could also just be caused by some option I messed up on my phone.
No I have the same thing. In my browser, it's amazing and works very well. On my phone, it's constantly locked even though I have a phone lock and it's the same fucking unlock methods. So I often have to unlock it, and then as I try to go back to whatever was needing my password, everything goes to shit and I have to start over.
Shadowfire (Vermont, in the middle of nowhere), Registered User regular
That usually doesn't happen to me. On my phone browser (Firefox) I usually get the little BitWarden thing on my keyboard. It's more when I'm signing into an app, I might have to switch over to BitWarden and pull up the password myself.
Inquisitor77 (2 x Penny Arcade Fight Club Champion, A fixed point in space and time), Registered User regular
I swapped over to 1Password a few years ago due to all the LastPass issues and while I can't say I'm 100% satisfied with it in terms of UIX, I can't fault the security or support as both have been stellar.
Shadowfire (Vermont, in the middle of nowhere), Registered User regular
I've been using Bitwarden for nearly 2 years and I like it. I think we changed when LastPass said they were getting rid of multi-device on the free plan. I think I had also had some reservations after they had been bought by Logmein (which was years before). We use the family account which gives you up to 6 accounts and a shared org you can drop passwords into.
+1 for Bitwarden. Some clunkiness on the phone but it works smoothly about 90% of the time. No issues on desktop Firefox but I do wish there was a way to have it login for me for non-browser desktop apps (Steam, EGS, Discord, etc)
I swapped over to 1Password a few years ago due to all the LastPass issues and while I can't say I'm 100% satisfied with it in terms of UIX, I can't fault the security or support as both have been stellar.
1Password is great. The implementation seems sound, and they’re not shy about talking about how and why it works the way it does. It’s also very easy to use.
The UI took a bit of a hit when they rebuilt the entire application from the ground up in 8.0 (I particularly miss the quick two-click “generate and save a password” function.), and the browser plug-in has some annoying quirks in Firefox. But it’s still reasonably comfy; I’d miss stuff like travel mode if I moved to bitwarden.
Anyone use Keeper Password Manager? PCMag has it as their top password manager. I think my plan tomorrow is to work on transferring away from LastPass. I don't mind paying, I'm already paying for LastPass.
It has an import feature that could make migrating much easier.
EDIT: Seems Bitwarden is the universal winner for the free tier. 1Password seems to be up there with Keeper.
T-Mobile has revealed the company’s second major breach in less than two years, admitting that a hacker was able to obtain customer data, including names, birth dates, and phone numbers, from 37 million accounts. The telecom giant said in a regulatory filing on Thursday that it currently believes the attacker first retrieved data around November 25th, 2022, through one of its APIs.
T-Mobile says it detected malicious activity on January 5th and that the attacker had access to the exploited API for over a month. The company says it traced the source of the malicious activity and fixed the API exploit within a day of the detection. T-Mobile says the API used by the hacker did not allow access to data that contained any social security numbers, credit card information, government ID numbers, passwords, PINs, or financial information.
BlackDragon480 (Bluster Kerfuffle, Master of Windy Import), Registered User regular
Nice, no wonder my number of scam calls has gone up nearly 700% over the last 5 weeks.
TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
So I'm just curious what everyone's opinion here is on a certain scenario I always seem to run up against:
I frequently find myself in a situation where I'm looking at a piece of software like an indie game from itch.io, or a tool of some sort - And before I even let it on to my main system, I'll run the software past VirusTotal. And it'll come back with one or two hits from vendors, while the rest are green across the board.
Obviously this feels like a false positive, but how can you ever really be sure? The number of times I've seen a developer say "Oh, it's a false positive, just disable your antivirus/make an exception" is pretty high, but I don't really know if that's enough to trust anything that pings a few positives on VT.
There's been more than one instance of keyloggers being floated in fangames, for example, where the devs claimed a false positive.
But is avoiding everything that has even one detection just an overreaction? I'm honestly not sure.
Shadowfire (Vermont, in the middle of nowhere), Registered User regular
If it's one or two, I'd probably assume false positive. Maybe wait a week and run it again?
How fucked is lastpass here? An employee with top level access got their password logged by a targeted attack on their home computer through plex being compromised.
How fucked is lastpass here? An employee with top level access got their password logged by a targeted attack on their home computer through plex being compromised.
Super fucked.
Also this is why you buy your employees some fucking computers.
TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
The article says
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
But I'm confused as to how MFA was defeated here. Unless they're using push notification MFA, in which case, yeah that's vulnerable as fuck.
That being said, this seems extremely bad. Like, turbo-fucked bad.
Moving forward, I would not recommend using Lastpass as the single point of failure for your security measures.
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
But I'm confused as to how MFA was defeated here. Unless they're using push notification MFA, in which case, yeah that's vulnerable as fuck.
That being said, this seems extremely bad. Like, turbo-fucked bad.
Moving forward, I would not recommend using Lastpass as the single point of failure for your security measures.
The attacker didn't defeat MFA. The user logged into LP with their own password and completed the MFA prompt themselves. This allows access to the vault contents by the user. Because the user's account was compromised, the attacker could simply pull the contents of the vault at that point. This was not a technological failure in the software.
TetraNitroCubane (The Djinnerator, At the bottom of a bottle), Registered User regular
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
But I'm confused as to how MFA was defeated here. Unless they're using push notification MFA, in which case, yeah that's vulnerable as fuck.
That being said, this seems extremely bad. Like, turbo-fucked bad.
Moving forward, I would not recommend using Lastpass as the single point of failure for your security measures.
The attacker didn't defeat MFA. The user logged into LP with their own password and completed the MFA prompt themselves. This allows access to the vault contents by the user. Because the user's account was compromised, the attacker could simply pull the contents of the vault at that point. This was not a technological failure in the software.
Ah, that makes more sense. I presumed the user was remoting into Lastpass servers, and the credentials were stolen. But the user authenticating, and then the attacker just using that session to plunder would absolutely do it, yeah.
hrm all the more reason to move over to Keeper sooner rather than later. Too bad, I like the improvements LastPass has done over the years.
Mr_Rose (83 Blue Ridge Protects the Holy), Registered User regular
Or the attacker just stole the token…but that should be hardware locked. Could also have been running their own login at the same time on different hardware and sent their own MFA challenge first. Lotsa ways to do this.
The real question imho was why was the user allowed to store a critical password like that in a vault at all? Why was it even a password and not a biometrically secured certificate with its own physical hardware token?
Or the attacker just stole the token…but that should be hardware locked. Could also have been running their own login at the same time on different hardware and sent their own MFA challenge first. Lotsa ways to do this.
The real question imho was why was the user allowed to store a critical password like that in a vault at all? Why was it even a password and not a biometrically secured certificate with its own physical hardware token?
To me the obvious lack of security is the canary in the coalmine. I've long since migrated off of their platform and while Bitwarden remains a bit less usable (it doesn't recognize locations in my work network, for instance), I sleep better.
Inquisitor77 (2 x Penny Arcade Fight Club Champion, A fixed point in space and time), Registered User regular
Yup, I moved off of LastPass a few years ago to 1Password. It's generally not as straightforward to use but they also seem to have a much better handle on security and their approach to it.
Yup, I moved off of LastPass a few years ago to 1Password. It's generally not as straightforward to use but they also seem to have a much better handle on security and their approach to it.
Would you be willing to describe what you see as better from 1Password's method/design? (Not challenging, just interested in your take)
Inquisitor77 (2 x Penny Arcade Fight Club Champion, A fixed point in space and time), Registered User regular
Yup, I moved off of LastPass a few years ago to 1Password. It's generally not as straightforward to use but they also seem to have a much better handle on security and their approach to it.
Would you be willing to describe what you see as better from 1Password's method/design? (Not challenging, just interested in your take)
A few bullets:
End-to-end encryption (before it was popular)
All your data is encrypted by you ("client-side encryption") via a Secret Key and password that only you know, then it is sent to them where it is further encrypted again, so they never have anything on their servers that anyone would find useful even if they were hacked or there was a malicious system admin, and 1Password can't reverse-engineer your data even if they wanted to. (https://blog.1password.com/what-the-secret-key-does/)
They even think about stuff like how to securely store/fetch icons just so people can't see what sites you're visiting based on graphical data (as opposed to Lastpass, which stored your websites in raw text format on their servers)
Features like Travel Mode (https://support.1password.com/travel-mode/) which help to prevent a scenario like a customs agent forcing you to use your fingerprint to unlock your vault and access your passwords
There's no such thing as a perfect password manager, but if I'm going to be paying for something I'd want that money to go towards a team and product that clearly care as much about my security and privacy as the 1Password team do.
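The post above describes a two-secret, client-side design: a password the user knows plus a separately generated Secret Key that never leaves the user's devices, both needed before any vault data can be read. The following is an added illustrative model of that idea, not 1Password's code and not a description of its actual algorithm; the PBKDF2 iteration count, the HMAC-based key binding and the toy HMAC stream cipher (standing in for a vetted AEAD such as AES-GCM, so the example runs on the Python standard library alone) are all assumptions, and the server-side "encrypted again" layer the post mentions is not modelled.

```python
"""Illustrative model of two-secret client-side encryption (added example).

A password and a random Secret Key are both required to derive the vault
key, so a server breach combined with a guessed or stolen password still
yields only unreadable ciphertext.  All parameters below are assumptions.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed value for the demo


def generate_secret_key() -> bytes:
    """High-entropy device secret; generated client-side, never uploaded."""
    return os.urandom(32)


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Stretch the password, then bind the result to the Secret Key.

    Someone holding only the server's data (salt, ciphertext) cannot
    brute-force the password: without secret_key the HMAC binding step
    cannot be reproduced, so no candidate key can even be tested.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from the vault key."""
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_item(vault_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; the returned dict is all the server ever stores."""
    enc_key = _subkey(vault_key, b"enc")
    mac_key = _subkey(vault_key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt_item(vault_key: bytes, blob: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key = _subkey(vault_key, b"enc")
    mac_key = _subkey(vault_key, b"mac")
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


def demo() -> dict:
    """Walk through the flow and report what each party can recover."""
    password = "correct horse battery staple"  # constructed sample credential
    secret_key = generate_secret_key()
    salt = os.urandom(16)
    vault_key = derive_vault_key(password, secret_key, salt)
    item = b"bank.example: user=alice pw=hunter2"  # constructed vault entry
    blob = encrypt_item(vault_key, item)

    # The server holds the salt and the ciphertext, never the password or Secret Key.
    server_record = {"salt": salt, **blob}

    # Legitimate client: has both secrets, so it can re-derive the key.
    recovered = decrypt_item(
        derive_vault_key(password, secret_key, server_record["salt"]), server_record
    )

    # Breach scenario: server data plus the *correct* password, but no Secret Key.
    try:
        decrypt_item(derive_vault_key(password, os.urandom(32), salt), server_record)
        without_secret_key = "decrypted"
    except ValueError:
        without_secret_key = "rejected"

    return {"recovered": recovered, "without_secret_key": without_secret_key}


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the post relies on: even a correct password is useless against the stored records without the device-held Secret Key, which is why a server-side compromise of such a design exposes far less than a breach of a service that keeps metadata or URLs in the clear.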
You might have convinced me to swing that way vs keeper. Keeper was slightly higher with PCMag, but then I’d imagine that’s in superfluous ways vs more secure.
Inquisitor77 (2 x Penny Arcade Fight Club Champion, A fixed point in space and time), Registered User regular
You might have convinced me to swing that way vs keeper. Keeper was slightly higher with PCMag, but then I’d imagine that’s in superfluous ways vs more secure.
Honestly at this point nearly anything is better than LastPass. They have lost all credibility to anyone who is serious about security.
And if you don't want to pay monthly for 1Password, there are/were ways of at least getting a one-machine license still (unless they patched it out, it's been awhile since I last got mine). You have to download their local PC client and in there should be an option to get a one-time, one machine license that last in perpetuity for that 1Password version. You can still get free android/ipad apps to access your keychain of course as long as you host it through Dropbox or another cloud service they support.
I don't mind paying. Maybe it's age, but I'd rather use a service with a solid business model via payment vs a service whose numbers are mostly free users, forcing them to find alternative funding options.
jungleroomx (It's never too many graves, it's always not enough shovels), Registered User regular
Yeah I pay for the basic tier of Bitwarden.
I can use it on my phone, at work, and at home and it's made my life a lot easier.
bitwarden's a lot cheaper than 1password when we're talking annual subscriptions here (actually looks like they have slightly better feature support as well; yubikey support? that's handy)
I wish I could find an actual review of Keeper. Every one I find seems to just be some blogger that says things like "super secure" without any validation as to why haha.
Inquisitor77 (2 x Penny Arcade Fight Club Champion, A fixed point in space and time), Registered User regular
I don't mind paying. Maybe it's age, but I'd rather use a service with a solid business model via payment vs a service whose numbers are mostly free users, forcing them to find alternative funding options.
Folks with significant others, how do you handle your password manager? The one thing Keeper seems to have over 1Password is an inheritance feature. So if I kick it, my wife will gain access, saving her a massive amount of time trying to get control over bank accounts, credit cards, etc. Sharing the password via memory is probably out since it's mostly my stuff and she would never log in. The family plans seem to be more just a discount on multiple accounts, didn't see anything about it working for my scenario. I mean I could write the master password down and put it in our safe or something.
I've been a bit morbid lately as I've hit my 40's, starting to make sure things are ok for my family if I pass. It's probably a small thing, but just weighing my options.
Inquisitor77 (2 x Penny Arcade Fight Club Champion, A fixed point in space and time), Registered User regular
edited March 2023
1Password has family plans that can grant you access to others' vaults. I use this to manage my mother's passwords.
They also have an Emergency Kit form that basically has you write down your password and secret key so that someone else can access your account if necessary.
I'm not sure how Keeper is able to validate whether someone has died or not, and I'm not sure I'd trust a password manager that could somehow grant someone access to my account upon my death. This implies a level of functionality or knowledge they shouldn't be capable of in a zero-knowledge, secure environment.
1Password has family plans that can grant you access to others' vaults. I use this to manage my mother's passwords.
They also have an Emergency Kit form that basically has you write down your password and secret key so that someone else can access your account if necessary.
I'm not sure how Keeper is able to validate whether someone has died or not, and I'm not sure I'd trust a password manager that could somehow grant someone access to my account upon my death. This implies a level of functionality or knowledge they shouldn't be capable of in a zero-knowledge, secure environment.
Yeah, if a password manager provider can grant access to anyone without you being involved, do not use them. This is different from a service that has shared access, such that multiple logins can have access to the same password vault. In that case, all shared access is set up by you ahead of time. But a secure service shouldn't be capable of adding such access after your death, or even be able to reset your login password for you.
But making a hardcopy of your master password and keeping it in a safe or safety deposit box is always a good idea. Not only for after your death, but simply in case it ever gets forgotten.
I'm not sure. It supports biometrics on Android (face unlock on my pixel, fingerprint on Samsung), but I don't know about the Apple side.
If it's free, you are the product being sold.
If you have a pro account through your employer, 1Password also gives you a free family plan.