More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists
Bitwarden or keepass ftw
KeepassXC (desktop)/KeePassDX(mobile) on top of something like Syncthing or Nextcloud.
Vaultwarden is what I use: https://github.com/dani-garcia/vaultwarden/
Their wiki is pretty good assuming you’re comfortable with Docker.
Back before I self-hosted, KeePassXC for desktop and Keepass2Android for mobile (along with Synching to sync the database) got the job done.
It doesn’t have to be difficult.
-
Download keepass to your computer.
-
Keep the save file on a USB or private cloud backup.
-
Done!
As you get more comfortable with it, you’ll start using it in more complex ways. Like having a phone app, connected to a self hosted network. But keep it simple for now.
If you wanna use KeePass, you just have to store your database in some secure location. It can be on your local drive or in the cloud, any location you trust really.
So what makes Bitwarden better than LastPass if you’re using Bitwarden’s hosted option (I know you can keep it locally).
From what I remember (take this with a grain of salt since it’s all from when the big LastPass breach happened,) LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes, images, etc) were unencrypted. So even without cracking any vaults, hackers got access to gigantic lists of usernames and their associated email addresses. That’s valuable in and of itself, because it allows them to spear-phish those users.
For example, you may not fall for a regular phishing scam. But you may fall for it if the email has your username and recovery info in it. Because they know every email you’ve used to sign up for something and all of your different usernames that you used on that site, so they can craft convincing phishing emails that are specifically tailored to you.
It also allows them to search for specific users. Maybe there is a user on a crypto forum who is particularly noteworthy. Their username is already known on the site, and hackers are able to cross-reference that with the list of known usernames/emails and see if that user’s vault was part of the breach. If it was, they can focus on breaching that one user’s vault, instead of aimlessly trying random vaults.
That’s valuable in and of itself, because it allows them to spear-phish those users.
I’m sorry, this is the first time I’m hearing the term spear-phish and I love it. It’s hilarious.
LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes
Wait a moment… now I wonder how many people kept their crypto wallet recovery word lists as notes instead of as passwords.
I’m not 100% but I think Bitwarden actual encrypt the entire ‘password object’. So the url, username, password, and any notes. Lastpass didn’t/doesn’t encrypt the url so if anyone gets access to the vault, they have a list of websites where the person will have an account and can more accurately send phishing emails.
There’s no such thing as an impenetrable password manager. I keep my most secure passwords in my head, and so should everyone.
Even if the software were perfect, people aren’t. Anyone can be fooled under the right circumstances. It’s better to expose one service than all of them at once.
Nearly every victim was a LastPass user.
But every victim was a cryptocurrency user.
I’d be willing to bet that people store their key phrases in the notes section in LastPass which was not encrypted at rest
I’m sure they were encrypted. But attackers have the vaults and many people have bad passwords. Brute forcing these days is less about trying every combination and more about trying all known leaked passwords, because people reuse passwords like crazy and also just aren’t as original as they think.
If you have millions of password vaults, I’m sure you can crack open a small number. And the ones you can crack are probably the most likely to not be following best practices, meaning it’s more likely they haven’t changed their passwords since the breach was announced a while back and they probably are less likely to have 2FA. 150 victims is such a tiny number for how many vaults were stolen when LastPass got compromised.
This is incorrect information. Notes are encrypted, just not their “type”. Unfortunately the most direct source for this is a reddit link, but here it is anyway.
Switched to bitwarden as soon as they tried to charge a sub for multiple devices, I see that was the right choice
Are you not worried your vault is still on their servers? I feel most companies don’t delete shit. Most have ways to get around it saying they keep some info for taxes, accounting, etc.
I wouldn’t sleep well knowing my passwords were on there at any given time.
You can host a bitwarden vault yourself. They open sourced and audited. So, trustworthy that there’s no back door somewhere to some degree.
So just change whatever passwords you had saved to LastPass. That would mitigate any issues, right?
Pretty much. Though also any security questions or other private info you have saved, some of which is much more annoying to protect.
Though one annoying thing is that even if you change everything, what they find might help them social engineer an attack.
I second Bitwarden, BTW. Best password manager I’ve used.
Just. It’s not an insurmountable problem, but I wouldn’t be happy changing the login details, one by one, on the some 80 websites I have in my vault.
Not to mention if you’re using an email anonymizer, you’ll have to regenerate new emails for them all too. I guess you could do it on demand, but knowing my batch of emails in floating around the dark web doesn’t sit well with me. Worse yet if it’s your actual email, then they have that now.
same here. nuked my lastpass account and switched everything over to bitwarden. their paid offering was worse from the competition and now i’m very glad i moved from them
Was it a huge pain in the ass moving over or fairly painless? I need to do this.
These guys saved their seed phrases to LastPass, not just account passwords. You can’t just change your seeds without moving funds to a new wallet.
The main lesson here is never store your seeds in digital form, ever. Write it down by hand on paper at creation and then take additional efforts to safeguard it.
I just store recovery phrases of all kinds on an encrypted USB stick (which is obviously only connected to my PC when I need to put a new one in or use it (which so far has happened never)), I feel like that is secure enough for me, although if I could laminate at home I might print and make small cards in a separate a card wallet. Any other way I feel like I would eventually lose them, the particular USB drive ive had for over 15 years, it is 512 MB lol.
USB sticks are not very reliable and can become totally unreadable randomly. I hope you at least have a few backups of it
Yeah, they are horribly unreliable.
I got myself 5 sticks, put the same data on all 5.
1st was dead within a month. 2nd & 3rd both dead in 4m, 4th dead in 6m. The 5th is still alive 3 years later.
It’s a shit lottery, don’t play it, modern flash drives are absolutely garbage. Yet I still have a whole pile of 1,2, 4 GB flash drives from over a decade ago and they all still work.
Carve it in granite and bury it underground so that future archaeologists can be confused over their meaning.
I wrote my seed information down for my poop coin wallet directly on Charmin double ply and then promptly wiped my ass with it and flushed.
All my apes gone!
Shit coin is far superior than poop coin. All the apes have shit coin. You never lose the password to shit coin, there’s always more shit coin passwords.
instead of using a password manager managed by a PRIVATE ENTITY people should start using bitwarden … its opensource, free and much more secure and reliable
But who is running the bitwarden server? Bitwarden the private company.
I self host vault warden, but it’s really not something everyone can do.
I prefer local password managers. Synchronisation is achieved with a syncing service of our choice.
How does bitwarden encrypt their passwords? Im just realising that since it works on both my laptop and phone with no configuration it can’t be overly nuanced
It’s encrypted on the client and bitwarden themselves can’t decrypt it (we assume, but there have been audits that seemed to confirm that).
If you want to you can just run your own server then they can’t see the traffic at all.
Who’s we? You probably mean you assume. Bitwarden is open source so an assumption need not be made.
