Last Pass Breach and why you should switch

I’m sure those who use it have heard by now that LastPass lost all our vaults. I was fine with that since my password is pretty good and I assumed everything was encrypted. After doing some research and getting some feedback from some folks in the security world that I follow, I no longer feel that way. Here’s the post that changed my view:

I foolishly thought the entire vault was encrypted; it isn’t… that alone is enough for me to walk away.

1 Like

#TeamDashlane

Wonderful. Those note fields and metadata could doom a lot of people, including me.

2 Likes

Yeah, way worse than I had imagined. That was a very nice write up by Jeremi.

Keeping secrets is hard. :person_shrugging:

#TeamDashlane and #Bitwarden

If you really care about .NET then Bitwarden. If you want simplicity then Dashlane. I use both. I also just happen to be a new Contributor to Bitwarden too!

The nice thing about Bitwarden is you can self-host the server too, and it’s open source. Even Hitachi forked them and rebranded it all and is doing their own cloud selling lol. Tesla or SpaceX uses them too, I know because they were building a proprietary Tesla Cipher or something like that.

1 Like

I’m going 1Password cause UX for Bitwarden is :face_vomiting: I also like their dual key feature

Now that I’ve been at this for a few hours changing all passwords everywhere I have to say to Last Pass
t(0-0)t :fu::fu::fu::fu::fu:

damn this is a pain in the ass

1 Like

Are we talking credential managers for the Enterprise or Individual?

One of the nice things about an enterprise version is we can actually know the external systems people log in to: customer portals, supplier portals, banks, etc.

1 Like

I’ve been a LastPass customer since like 2013/2014. This latest breach is pretty bad. I’ve been on the fence about switching but I think I’m going to. I’ve defended and supported LastPass through all their breaches. But, I think this is it. What is everyone else using/switching to?

3 Likes

So cheap, so easy. I have more password post-its in my wallet than I do cash.

I think the world is coming full circle. We used to carry pocket phone books with alphabetic index. Now we will have to start carrying pocket password books.

1 Like

Latest:

Just received this email. Of course I don’t listen.

My :poop: above is regarding their email and their stupid “keep it confidential” bit… which is just absurd on the frigging internet…

Too little too late… Last Pass Who? #1Password4Eva! (or until they too screw the pooch) :yum:

2 Likes

I knew you wouldn’t shit me, I’m your favorite turd.


Okay so we knew it was bad but I didn’t know it was this bad…

They lost all the MFA keys and seeds, which were thankfully encrypted… except they also lost the decryption key :man_facepalming:
https://support.lastpass.com/help/what-data-was-accessed

Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.

Secrets used to integrate third-party MFA vendors (e.g., Duo Security, RSA SecurID, SecureAuth) with LastPass.

Seeds used to generate TOTP authentication codes for Google Authenticator, Microsoft Authenticator, LastPass Authenticator, and Grid.

Secrets used to enable LastPass event logs to be sent to a customer’s Splunk instance, providing auditing/monitoring of LastPass events.

Credentials that may have been “pushed” to a LastPass user or group by a LastPass Business Administrator.

YIKES!

YIKES x2

It was Plex!!!

2 Likes

I see you never got any real answers to this question and now I am wondering if my gut feeling of not trusting any password manager was the right thing.

I ended up switching to 1Password and am very happy with it.

1 Like