More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user

Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

161 points

Bitwarden or KeePass ftw

70 points

I dumped LastPass for Bitwarden a few years ago. So glad I did.

4 points

Same! Thinking I could’ve been a victim in this attack is scary!

52 points

Self-hosted for extra win!?

18 points

Any recommendations on how-to?

34 points

KeePassXC (desktop) / KeePassDX (mobile) on top of something like Syncthing or Nextcloud.

27 points

Vaultwarden is what I use: https://github.com/dani-garcia/vaultwarden/

Their wiki is pretty good assuming you’re comfortable with Docker.

Back before I self-hosted, KeePassXC for desktop and Keepass2Android for mobile (along with Syncthing to sync the database) got the job done.

11 points

It doesn’t have to be difficult.

  1. Download KeePass to your computer.

  2. Keep the save file on a USB or private cloud backup.

  3. Done!

As you get more comfortable with it, you’ll start using it in more complex ways, like having a phone app connected to a self-hosted network. But keep it simple for now.

6 points

If you wanna use KeePass, you just have to store your database in some secure location. It can be on your local drive or in the cloud, any location you trust really.

2 points

Vaultwarden!

4 points

Self-hosted with YubiKey 2FA. Even Santa Claus can’t see my info 😎

1 point

I should get around to doing this… But it scares me haha.

12 points

So what makes Bitwarden better than LastPass if you’re using Bitwarden’s hosted option (I know you can keep it locally)?

24 points

From what I remember (take this with a grain of salt, since it’s all from when the big LastPass breach happened), LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault (which would be comprised of usernames and the sites that are associated with them, notes, images, etc.) was unencrypted. So even without cracking any vaults, hackers got access to gigantic lists of usernames and their associated email addresses. That’s valuable in and of itself, because it allows them to spear-phish those users.

For example, you may not fall for a regular phishing scam. But you may fall for it if the email has your username and recovery info in it, because they know every email you’ve used to sign up for something and all of the different usernames that you used on that site, so they can craft convincing phishing emails that are specifically tailored to you.

It also allows them to search for specific users. Maybe there is a user on a crypto forum who is particularly noteworthy. Their username is already known on the site, and hackers are able to cross-reference that with the list of known usernames/emails and see if that user’s vault was part of the breach. If it was, they can focus on breaching that one user’s vault, instead of aimlessly trying random vaults.

7 points

That’s valuable in and of itself, because it allows them to spear-phish those users.

I’m sorry, this is the first time I’m hearing the term spear-phish and I love it. It’s hilarious.

6 points

LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes

Wait a moment… now I wonder how many people kept their crypto wallet recovery word lists as notes instead of as passwords.

22 points

I’m not 100% sure, but I think Bitwarden actually encrypts the entire ‘password object’. So the URL, username, password, and any notes. LastPass didn’t/doesn’t encrypt the URL, so if anyone gets access to the vault, they have a list of websites where the person will have an account and can more accurately send phishing emails.

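An added example (not code from the thread, LastPass or Bitwarden) contrasting the two storage layouts the comments above describe: encrypting only the password field versus encrypting the whole item as one AES-GCM blob, and listing what a copy of the stored record gives away without the key. It assumes the 32-byte vault key has already been derived client-side from the master password (PBKDF2 or Argon2, not shown); the Entry fields and sample values are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Entry is one vault item; the field set is an assumption for this demo.
type Entry struct{ URL, Username, Password, Notes string }

// seal encrypts with AES-256-GCM under a fresh random nonce and returns
// base64(nonce || ciphertext). key is the 32-byte vault key, assumed to have been
// derived client-side from the master password (PBKDF2/Argon2, not shown here).
func seal(key, plaintext []byte) string {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil))
}

// Record stores the entry either as one encrypted blob (wholeItem=true) or, as the
// comments describe, with only the password encrypted and URL, username and notes
// sitting beside it as plaintext JSON.
func Record(e Entry, key []byte, wholeItem bool) string {
	if wholeItem {
		item, _ := json.Marshal(e)
		return seal(key, item)
	}
	rec, _ := json.Marshal(map[string]string{"url": e.URL, "username": e.Username,
		"notes": e.Notes, "password": seal(key, []byte(e.Password))})
	return string(rec)
}

// Exposed lists the fields whose value is readable in a stored record without the
// key: what a thief of the vault file learns before cracking a single password.
func Exposed(record string, e Entry) []string {
	var out []string
	for _, f := range [][2]string{{"URL", e.URL}, {"Username", e.Username},
		{"Password", e.Password}, {"Notes", e.Notes}} {
		if strings.Contains(record, f[1]) {
			out = append(out, f[0])
		}
	}
	return out
}
```

For the constructed entry in the test, the password-only layout reports URL, Username and Notes as exposed, while the whole-item layout reports nothing.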
1 point

It encrypts the entire vault IIRC, not the objects themselves. The only thing a breach could gain access to is the encrypted vault, the hashed master password and the master email.

-5 points

There’s no such thing as an impenetrable password manager. I keep my most secure passwords in my head, and so should everyone.

Even if the software were perfect, people aren’t. Anyone can be fooled under the right circumstances. It’s better to expose one service than all of them at once.

4 points

Your head cannot be securely backed up, and you are not resistant to major threat actors (torture, and so on).

2 points

2FA is an important element too.

1 point

How would someone steal my password and my physical YubiKey for 2FA?

154 points

Nearly every victim was a LastPass user.

But every victim was a cryptocurrency user.

19 points

I’d be willing to bet that people store their key phrases in the notes section in LastPass, which was not encrypted at rest.

13 points

I’m sure they were encrypted. But attackers have the vaults and many people have bad passwords. Brute forcing these days is less about trying every combination and more about trying all known leaked passwords, because people reuse passwords like crazy and also just aren’t as original as they think.

If you have millions of password vaults, I’m sure you can crack open a small number. And the ones you can crack are probably the most likely to not be following best practices, meaning it’s more likely they haven’t changed their passwords since the breach was announced a while back and they probably are less likely to have 2FA. 150 victims is such a tiny number for how many vaults were stolen when LastPass got compromised.

7 points

This is incorrect information. Notes are encrypted, just not their “type”. Unfortunately the most direct source for this is a reddit link, but here it is anyway.

1 point

Okay, thanks for that. I was going off of an earlier report.

-5 points

This doesn’t say anything about crypto.

It says everything about the users themselves.

-24 points

I also heard every victim were addicted to water…

14 points

*was

1 point

I’m glad you got help and are in recovery. One day at a time, friend.

96 points

Switched to Bitwarden as soon as they tried to charge a sub for multiple devices; I see that was the right choice.

28 points

Are you not worried your vault is still on their servers? I feel most companies don’t delete shit. Most have ways to get around it saying they keep some info for taxes, accounting, etc.

I wouldn’t sleep well knowing my passwords were on there at any given time.

23 points

You can host a Bitwarden vault yourself. They’re open source and audited. So, trustworthy that there’s no back door somewhere, to some degree.

21 points

I suspect they’re referring to LastPass?

8 points

So just change whatever passwords you had saved to LastPass. That would mitigate any issues, right?

3 points

Pretty much. Though also any security questions or other private info you have saved, some of which is much more annoying to protect.

Though one annoying thing is that even if you change everything, what they find might help them social engineer an attack.

I second Bitwarden, BTW. Best password manager I’ve used.

1 point

Your username gives me PTSD for past Hades speedruns and I hate it.

1 point

Just. It’s not an insurmountable problem, but I wouldn’t be happy changing the login details, one by one, on the 80 or so websites I have in my vault.

Not to mention if you’re using an email anonymizer, you’ll have to regenerate new emails for them all too. I guess you could do it on demand, but knowing my batch of emails is floating around the dark web doesn’t sit well with me. Worse yet, if it’s your actual email, then they have that now.

1 point

It’s E2E and the code to do so is open source, and you can always host Vaultwarden yourself.

11 points

Same here. Nuked my LastPass account and switched everything over to Bitwarden. Their paid offering was worse than the competition’s, and now I’m very glad I moved from them.

2 points

Was it a huge pain in the ass moving over or fairly painless? I need to do this.

1 point

Not painless at all. IIRC, I just exported from LastPass and imported (without change) to Bitwarden. It worked fine.

76 points

These guys saved their seed phrases to LastPass, not just account passwords. You can’t just change your seeds without moving funds to a new wallet.

The main lesson here is never store your seeds in digital form, ever. Write them down by hand on paper at creation and then take additional efforts to safeguard them.

9 points

I just store recovery phrases of all kinds on an encrypted USB stick (which is obviously only connected to my PC when I need to put a new one in or use it, which so far has never happened). I feel like that is secure enough for me, although if I could laminate at home I might print and make small cards in a separate card wallet. Any other way I feel like I would eventually lose them. The particular USB drive I’ve had for over 15 years; it is 512 MB lol.

36 points

USB sticks are not very reliable and can become totally unreadable at random. I hope you at least have a few backups of it.

15 points

Yeah, they are horribly unreliable.

I got myself 5 sticks, put the same data on all 5.

1st was dead within a month. 2nd & 3rd both dead in 4 months, 4th dead in 6 months. The 5th is still alive 3 years later.

It’s a shit lottery, don’t play it; modern flash drives are absolute garbage. Yet I still have a whole pile of 1, 2, 4 GB flash drives from over a decade ago and they all still work.

8 points

Carve it in granite and bury it underground so that future archaeologists can be confused over its meaning.

2 points

At least better than the cloud.

-1 points

USB sticks can be very different. I would recommend using a small M.2 SSD in a stick enclosure.

2 points

I would duplicate to at least 2 sticks, and also a written form that you keep stored with important documents, like a safe with your SSN, birth certificate, etc.

1 point

For any significant amount of money, the seed should never even touch a PC. No USBs, no printers.

5 points

I wrote my seed information down for my poop coin wallet directly on Charmin double ply and then promptly wiped my ass with it and flushed.

All my apes gone!

2 points

Shit coin is far superior to poop coin. All the apes have shit coin. You never lose the password to shit coin; there’s always more shit coin passwords.

1 point

How were the wallets cracked? Cracked the master password?

57 points

Instead of using a password manager managed by a PRIVATE ENTITY, people should start using Bitwarden … it’s open source, free and much more secure and reliable.

20 points

But who is running the bitwarden server? Bitwarden the private company.

I self-host Vaultwarden, but it’s really not something everyone can do.

9 points

Vaultwarden is incredible, and runs easily on FreeBSD.

5 points

Or should, for that matter

1 point

Well… hosting it on your home network and making it only accessible via VPN kinda nips any intruder problems right in the bud.

18 points

I personally use KeePassDX on my phone, although it hasn’t had a security audit. There is also KeePassXC for desktop, which has had an audit.

14 points

Bitwarden, the host, is a private entity

13 points

I prefer local password managers. Synchronisation is achieved with a syncing service of your choice.

3 points

That’s pretty much what Bitwarden does at its core. It will only synchronize the encrypted password vault and each client keeps an offline copy of it.

6 points

How does Bitwarden encrypt their passwords? I’m just realising that, since it works on both my laptop and phone with no configuration, it can’t be overly nuanced.

13 points

It’s encrypted on the client and Bitwarden themselves can’t decrypt it (we assume, but there have been audits that seemed to confirm that).

If you want to, you can just run your own server; then they can’t see the traffic at all.

-13 points

Who’s we? You probably mean you assume. Bitwarden is open source so an assumption need not be made.

1 point

It’s a crypto donation software

1 point

Private entities are more reliable for personal data than companies whose stocks have gone public.
