Last Pass security


    #2531375

    I know what the general consensus is about Last Pass on this site. Nevertheless, for the few who may still be using it, me included, here’s a very interesting article that I read on gHacks that explains how to increase the server-side KDF iterations. (FYI, even Bitwarden’s password manager was hacked, once three times in a single day.)

    Peace, CAS

    P.S. Please, no preaching about my choice to use Last Pass.

    • #2531419

      It’s how you protect your master password that is also important.

      Susan Bradley Patch Lady

      1 user thanked author for this post.
    • #2531432

      Good information in the article. Did not realize OWASP updated their recommendations from 310,000 to 600,000 for PBKDF2-HMAC-SHA256.

      Would it be possible to get some clarification on the statement about Bitwarden being hacked?

      (FYI, even Bitwarden’s password manager was hacked, once three times in a single day.)

      The closest reference to this I could find is a post on Bitwarden’s forums from an individual claiming to have been hacked 3 times in one day. There is nothing I can see from this that Bitwarden itself had been hacked or that the person’s account was actually compromised.
      https://community.bitwarden.com/t/hacked-three-times-in-one-day-leaving-bitwarden/45419

      I can find other references on Reddit to people suspecting their Bitwarden accounts were compromised but nothing pointing to Bitwarden itself being hacked (as the point of compromise) as seen in the LastPass situation.

      Just want to make sure something wasn’t missed so everyone has the accurate information.

      1 user thanked author for this post.
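      The OWASP figure mentioned above, as an added example (not code from the gHacks article or from any poster): deriving a vault key with PBKDF2-HMAC-SHA256 and estimating how the iteration count scales the cost of each master-password guess. The master password and salt are constructed sample values; using the account email as the salt is an assumption made here, not a statement about any vendor’s implementation.

```python
import hashlib
import time

OWASP_MIN_ITERATIONS = 600_000   # current OWASP figure for PBKDF2-HMAC-SHA256 cited in the post
OLD_OWASP_ITERATIONS = 310_000   # the previous figure the post mentions


def derive_vault_key(master_password: str, salt: str, iterations: int, dklen: int = 32) -> bytes:
    """Stretch a master password into a fixed-length vault key with PBKDF2-HMAC-SHA256."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen)


def meets_owasp_minimum(iterations: int) -> bool:
    """True when a vault's iteration setting is at or above the current OWASP floor."""
    return iterations >= OWASP_MIN_ITERATIONS


def seconds_per_iteration(sample_iterations: int = 20_000) -> float:
    """Time a small derivation on this machine; PBKDF2 cost grows linearly with the count."""
    start = time.perf_counter()
    derive_vault_key("timing-sample", "timing-salt", sample_iterations)
    return (time.perf_counter() - start) / sample_iterations


def seconds_per_guess(iterations: int, per_iteration: float) -> float:
    """Extrapolated wall-clock cost of one master-password guess at the given count."""
    return iterations * per_iteration


def cost_ratio(new_iterations: int, old_iterations: int) -> float:
    """How many times more expensive each guess becomes after raising the count."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    # Constructed sample values; the email-as-salt convention is an assumption of this example.
    email, password = "user@example.com", "correct horse battery staple"
    old_key = derive_vault_key(password, email, OLD_OWASP_ITERATIONS)
    new_key = derive_vault_key(password, email, OWASP_MIN_ITERATIONS)
    # A changed count yields a different key, which is why the vault is re-encrypted afterwards.
    print("keys differ after changing iterations:", old_key != new_key)
    per_iter = seconds_per_iteration()
    for n in (OLD_OWASP_ITERATIONS, OWASP_MIN_ITERATIONS):
        print(f"{n:>9,} iterations: ~{seconds_per_guess(n, per_iter):.3f}s per guess, "
              f"meets OWASP floor: {meets_owasp_minimum(n)}")
    print(f"310,000 -> 600,000 multiplies guess cost by {cost_ratio(600_000, 310_000):.2f}")
```

The timing is a rough local estimate; a well-equipped attacker with GPUs runs PBKDF2 far faster, which is why the floor keeps rising.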
      • #2531521
        • #2531535

          Nothing was hacked there (apart from the headline).

          One person didn’t understand “failed login attempt”.

          Windows 11 Pro version 22H2 build 22621.1485 + Microsoft 365 + Edge

          2 users thanked author for this post.
        • #2531545

          https://community.bitwarden.com/t/hacked-three-times-in-one-day-leaving-bitwarden/45419

          I would recommend the Bitwarden forum post be read again. The person posting is claiming they have been hacked because they received email notifications of failed login attempts.
          The person’s post from the Bitwarden forum:

          “I received an email notifying of failed login attempts since I haven’t used BW for a while. I immediately changed my password. 2 hours later I get the SAME email. I changed my password AGAIN and set up 2FA. Another 2 hours later, the SAME email! I now have purged my vault and deleted my account since it’s pretty obvious that someone from BW is leaking my changed master passwords to scum hackers otherwise would I be spammed with “failed login attempts” emails EVERY 2 Hours?! Bitwarden can no longer be trusted!”

          If the login attempt failed then the party attempting to log in did not have the master password. The continued notifications after the person changed their password are not an indication of their account being compromised or hacked, only that someone was continuing to attempt to log into the account.

          This information was noted in the response to the post:

          “First of all, if the email notifications said “Failed login attempt”, then that indicates your Master Password was not known to whoever was trying to log in. If your Master Password had been leaked, then the emails would just say Your Bitwarden account was just logged into from a new device.
          All it would take for a failed login attempt to occur is for somebody to know your email address, and then make a lucky guess that you have a Bitwarden account. Have you tried checking your email address in HaveIBeenPwned? Or have you ever publicly disclosed your email address anywhere on the internet (e.g., on forums)? Have you tried Googling your email address and seeing if it comes up?”

          The claim by the person in the forum of being hacked would not even fit under its loosest definition.

          The statement that “(FYI, even Bitwarden’s password manager was hacked, once three times in a single day.)” is a hasty generalization.

          A comparison of the LastPass security breach and this single post on Bitwarden’s forums would be disingenuous.

          While the article that is linked in the original post has good information in it regardless of the password manager being used, the statement about Bitwarden being hacked does it a disservice by convoluting the information being provided.
