• If you use LastPass…. read on


    Topic #2510901

    So there is a bit of a disturbing read on the LastPass situation. Read this first. Also a bit of commentary from a security expert on the topic: Ask your
    [See the full post at: If you use LastPass…. read on]

    Susan Bradley Patch Lady/Prudent patcher

    6 users thanked author for this post.
    • #2511046

      If you use LastPass and do not have two factor enabled, ensure that you change your master password.

      Why? Passwords were not affected:

      As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

      What Should LastPass Customers Do?

      If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

      LastPass: Notice of Recent Security Incident

      1 user thanked author for this post.
      • #2511052

        Because humans being humans, chances are you may not have a good master password. Also add two-factor.

        LastPass burying this story right before a holiday and downplaying it is not great.

        I disagree that no actions need to be taken.


        Susan Bradley Patch Lady/Prudent patcher

        4 users thanked author for this post.
        • #2511191

          LastPass burying this story right before a holiday and downplaying it is not great.

          Classic PR damage limitation. Less respect for them than before.

          Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

    • #2511029

      I really disagree with trusting any password manager application. I think it is an absolutely terrible idea. Seriously, storing all your passwords in one tool (one access point of theft) from a small no-name vendor. And to make it worse, the parent company of that vendor is Citrix. Citrix is not exactly known for great security practices.

    • #2511076

      They had a hiccup a while back – months ago – a security breach or something. I dropped it then.

      1 user thanked author for this post.
    • #2511079

      SOPHOS is now saying “Given the change in LastPass’s story based on what it has discovered since then, we now suggest that you do change your passwords if you reasonably can.

      Note that you need to change the passwords that are stored inside your vault, as well as the master password for the vault itself”.

      LastPass finally admits: They did steal your password vaults after all – Naked Security (sophos.com)

      It’s going to be a busy Christmas Eve!

    • #2511109

      The entire encrypted user database (vaults) was stolen. Changing your password now or turning on 2-Factor now is worthless. But —
      You are only at risk if you used a weak password that can be brute-forced. You can check it here (look at the Offline Fast Attack Scenario): https://www.grc.com/haystack.htm
      Important: This assumes you didn’t use a common password.
      To see if your password has been compromised, check here:
      https://haveibeenpwned.com/


      1 user thanked author for this post.
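      The post above points readers at GRC's "Offline Fast Attack Scenario" and at Have I Been Pwned. As an added example (not code from this thread, from LastPass, or from either of those sites), the following Python script shows both checks in a form that runs offline: a haystack-style search-space estimate at assumed guess rates, with an assumed KDF iteration count to show why a slow password hash matters when the encrypted vault itself is in the attacker's hands, and the k-anonymity prefix matching that the Pwned Passwords range API uses, matched against a constructed sample response instead of a live query. The guess rates, the iteration count and the breach counts in the sample response are assumptions made for this example.

```python
import hashlib
import math

# Assumed guess rates in guesses per second for three attack scenarios.
# These figures are illustrative choices for this example, not values taken
# from the thread, from LastPass or from the GRC page.
GUESS_RATES = {
    "online (rate-limited)": 1_000,
    "offline fast attack": 100_000_000_000,
    "massive cracking array": 100_000_000_000_000,
}

# Size of each character class within printable ASCII (26+26+10+33 = 95).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def classify(password):
    """Return the sorted list of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return sorted(classes)


def search_space(password):
    """Candidates an exhaustive search must try: every string of length
    1..len(password) over the alphabet implied by the classes used (sum of A**k).
    Dictionary words and reused passwords fall far earlier than this bound,
    so it is only meaningful for a password that is not a common one."""
    alphabet = sum(CHARSET_SIZES[c] for c in classify(password))
    return sum(alphabet ** k for k in range(1, len(password) + 1))


def entropy_bits(password):
    """Search space expressed as bits (log2)."""
    return math.log2(search_space(password))


def seconds_to_exhaust(password, kdf_iterations=1):
    """Seconds to try the whole search space at each assumed rate. A password
    hashing KDF costs kdf_iterations hash computations per guess, so the
    effective guess rate drops by that factor (simplified model; the iteration
    count is an input here, not a value taken from the thread)."""
    space = search_space(password)
    return {name: space * kdf_iterations / rate
            for name, rate in GUESS_RATES.items()}


def years(seconds):
    return seconds / (365.25 * 24 * 3600)


def pwned_prefix_and_suffix(password):
    """Split the uppercase hex SHA-1 the way the Pwned Passwords range API
    expects: only the 5-character prefix is sent, and the remaining 35
    characters are matched locally (k-anonymity), so neither the password nor
    its full hash leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, range_response):
    """Match the local suffix against a range response of 'SUFFIX:COUNT'
    lines. Returns the breach count, or 0 when the suffix is absent."""
    _, suffix = pwned_prefix_and_suffix(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed sample of a range response for prefix 5BAA6, the prefix of
# SHA-1("password"). Both counts are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:42
1D7A5F3B0C2E9A8B7D6C5F4E3A2B1C0D9E8:2
"""


if __name__ == "__main__":
    for pw in ("password", "aB1!", "correct horse battery staple"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"seen {breach_count(pw, SAMPLE_RANGE_5BAA6)} times in sample")
        for name, secs in seconds_to_exhaust(pw, kdf_iterations=100_000).items():
            print(f"  {name}: {years(secs):.3g} years (assumed 100k KDF iterations)")
```

The two halves answer different questions. The search-space estimate says how long an attacker holding the encrypted vault would need to exhaust a non-common password, which is why the post says 2FA no longer helps for a vault that is already stolen. The range check answers whether the password is a common one at all, in which case the estimate does not apply; it does so without disclosing the password to the service.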
    • #2511192

      Yet another example why users should not be asked to log on using an email address.

      It may be worth changing the email address used with LastPass as well, which for most would be a quick fix pending implementation of other personal measures such as 2FA and updating every password in the vault.

      When I was running LastPass it had about 100 records, but as many as possible used disposable email addresses (different for most) and ridiculously long and complex passwords.

      Group A (but Telemetry disabled Tasks and Registry)
      1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
      2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

    • #2511332

      Been a LastPass user for many years and have over 200 entries. Changed my master password and modified some entries with sensitive information (hopefully not too late). The Sophos Naked Security article was very disturbing. I was unable to implement 2FA as a free user, because there was a requirement to use a smartphone app (or tablet) as a secondary recovery method. In view of the compromises, I will not give out any new information, i.e. my cell phone number, or install an app on my phone. By choice, my smartphone is only used as a dumb phone. I have considered upgrading to a paid version of LastPass to be able to use a hardware key for 2FA. However, again, I don’t want to provide new info (address, CC information), and perhaps there will still be a requirement to use a mobile app as a secondary method.

      1 user thanked author for this post.
    • #2511355
    • #2511495

      I switched to Bitwarden over a year ago but foolishly forgot to delete my LastPass account, so I was spending Christmas Eve changing many of my passwords. My LastPass master password is fairly secure and not one of the common passwords, but better to be safe than sorry. If you are switching from LastPass, be sure to delete your account once everything has been imported into your new password manager.

      LastPass downplaying the situation until just before Christmas (perhaps in the hopes that people would be too overstuffed on Christmas turkey to pay attention) is a poor look on the company, especially one supposedly entrusted with other people’s sensitive information.

    • #2511522

      The best master password to use is the little boy’s name in Shari Lewis’s song Tiki Tiki Timbo.
