More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists
Bitwarden or keepass ftw
KeepassXC (desktop)/KeePassDX(mobile) on top of something like Syncthing or Nextcloud.
Vaultwarden is what I use: https://github.com/dani-garcia/vaultwarden/
Their wiki is pretty good assuming you’re comfortable with Docker.
Back before I self-hosted, KeePassXC for desktop and Keepass2Android for mobile (along with Synching to sync the database) got the job done.
It doesn’t have to be difficult.
-
Download keepass to your computer.
-
Keep the save file on a USB or private cloud backup.
-
Done!
As you get more comfortable with it, you’ll start using it in more complex ways. Like having a phone app, connected to a self hosted network. But keep it simple for now.
If you wanna use KeePass, you just have to store your database in some secure location. It can be on your local drive or in the cloud, any location you trust really.
So what makes Bitwarden better than LastPass if you’re using Bitwarden’s hosted option (I know you can keep it locally).
From what I remember (take this with a grain of salt since it’s all from when the big LastPass breach happened,) LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes, images, etc) were unencrypted. So even without cracking any vaults, hackers got access to gigantic lists of usernames and their associated email addresses. That’s valuable in and of itself, because it allows them to spear-phish those users.
For example, you may not fall for a regular phishing scam. But you may fall for it if the email has your username and recovery info in it. Because they know every email you’ve used to sign up for something and all of your different usernames that you used on that site, so they can craft convincing phishing emails that are specifically tailored to you.
It also allows them to search for specific users. Maybe there is a user on a crypto forum who is particularly noteworthy. Their username is already known on the site, and hackers are able to cross-reference that with the list of known usernames/emails and see if that user’s vault was part of the breach. If it was, they can focus on breaching that one user’s vault, instead of aimlessly trying random vaults.
That’s valuable in and of itself, because it allows them to spear-phish those users.
I’m sorry, this is the first time I’m hearing the term spear-phish and I love it. It’s hilarious.
LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes
Wait a moment… now I wonder how many people kept their crypto wallet recovery word lists as notes instead of as passwords.
I’m not 100% but I think Bitwarden actual encrypt the entire ‘password object’. So the url, username, password, and any notes. Lastpass didn’t/doesn’t encrypt the url so if anyone gets access to the vault, they have a list of websites where the person will have an account and can more accurately send phishing emails.
There’s no such thing as an impenetrable password manager. I keep my most secure passwords in my head, and so should everyone.
Even if the software were perfect, people aren’t. Anyone can be fooled under the right circumstances. It’s better to expose one service than all of them at once.
