• If you use LastPass…. read on

    Home » Forums » Newsletter and Homepage topics » If you use LastPass…. read on

    • This topic has 13 replies, 11 voices, and was last updated 1 month ago.
    Author
    Topic
    #2510901

    So there is a bit of disturbing read on the LastPass situation Read this first. also a bit of commentary from a Security expert on the topic: Ask your
    [See the full post at: If you use LastPass…. read on]

    Susan Bradley Patch Lady

    6 users thanked author for this post.
    Viewing 9 reply threads
    Author
    Replies
    • #2511046

      If you use LastPass and do not have two factor enabled, ensure that you change your master password.

      Why? Passwords were not affected:

      As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

      What Should LastPass Customers Do?

      If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

      LastPass: Notice of Recent Security Incident

      Windows 11 Pro version 22H2 build 22621.1192 + Microsoft 365/Edge

      1 user thanked author for this post.
      • #2511052

        Because humans being humans chances are you may not have a good master password.  Also add two factor.

        Lastpass burying this story right before a holiday and downplaying it is not great.

        I disagree that no actions need to be taken.

         

         

        Susan Bradley Patch Lady

        4 users thanked author for this post.
        • #2511191

          Lastpass burying this story right before a holiday and downplaying it is not great.

          Classic PR damage limitation. Less respect for them than before.

          Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

    • #2511029

      I really disagree with trusting any password manager application.  I think it is an absolutely terrible idea.  Seriously storing all your passwords in one tool (one access point of theft) from a small no name vendor.  And to make it worse the parent company of that vendor is Citrix.  Citrix is not exactly known for great security practices.

    • #2511076

      They had a hiccup a while back –  months ago – security breach or something. I dropped it then.

      - Thinkpad P15s Gen1 20T4-002KUS, i7-10510U, UEFI/GPT, 16GB, Sammy 500GB M.2.
      others...
      - Win 10 22H2. WuMgr. HP laserjets M254dw & P1606dn, Epson 2480 scanner.

      1 user thanked author for this post.
    • #2511079

      SOPHOS is now saying “Given the change in LastPass’s story based on what it has discovered since then, we now suggest that you do change your passwords if you reasonably can.

      Note that you need to change the passwords that are stored inside your vault, as well as the master password for the vault itself”.

      LastPass finally admits: They did steal your password vaults after all – Naked Security (sophos.com)

      It’s going to be a busy Christmas Eve!

    • #2511109

      The entire encrypted user database (vaults) were stolen.  Changing your password now or turning on 2-Factor now is worthless.  But —
      You are only at risk if you used a weak password that can be brute-forced. You can check it here (look at the Offline Fast Attack Scenario): https://www.grc.com/haystack.htm
      Important: This assumes you didn’t use a common password.
      To see if your password has been compromised, check here:
      https://haveibeenpwned.com/

       

      1 user thanked author for this post.
    • #2511192

      Yet another example why users should not be asked to log on using an email address.

      It may be worth changing the email address used with LastPass as well, which for most would be a quick fix pending implementation of other personal measures such as 2FA and updating every password in the vault.

      When I was running LastPass it had about 100 records but as many as possible used  disposable email addresses (different for most) and ridiculously long and complex passwords.

      Group A (but Telemetry disabled Tasks and Registry)
      Win 7 64 Pro desktop
      Win 10 64 Home portable

    • #2511332

      Been a LastPass user for many years and have over 200 entries. Changed my master password and modified some entries with sensitive information (hopefully not too late). The Sophos, Naked Security article was very disturbing. I was unable to implement 2fa as a free user, because there was a requirement to use a smart phone app (or tablet) as a secondary recovery method. In view of the compromises, I will not give out any new information, i.e. my cell phone number or install an app on my phone. By choice, my smart phone is only used as a dumb phone. I have considered upgrading to a paid version of LastPass to be able to use a hardware key for 2fa. However, again, don’t want to provide new info address, cc information and perhaps there will still be a requirement to use a mobile app as a secondary method.

      1 user thanked author for this post.
    • #2511355
    • #2511495

      I switched to Bitwarden over a year ago but foolishly forgot to delete my LastPass account, so I was spending Christmas Eve changing many of my passwords. My LastPass master password is fairly secure and not one of the common passwords, but better to be safe than sorry. If you are switching from LastPass, be sure to delete your account once everything has been imported into your new password manager.

      LastPass downplaying the situation until just before Christmas (perhaps in the hopes that people would be too overstuffed on Christmas turkey to pay attention) is a poor look on the company, especially one supposedly entrusted with other people’s sensitive information.

    • #2511522

      The best master password to use is the little boys name in Shari Lewis’s  song Tiki Tiki Timbo.

    Viewing 9 reply threads
    Reply To: If you use LastPass…. read on

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: