(Ars Technica)   If you had a secure password in LastPass, today is change all your passwords day   (arstechnica.com)
Get Your Dick Out Of My Food
6 hours ago  
I use a different password manager, but this kind of thing frightens me.
 
Bootleg
5 hours ago  
The backup data contained both unencrypted data, such as website URLs, as well as website usernames and passwords, secure notes, and form-filled data, which had an additional layer of encryption using 256-bit AES. The new details explain how the threat actor obtained the S3 encryption keys.

You know, it might be helpful to be really clear on what data was unencrypted, and what was encrypted.

/Also, when will we find out that those keys were also compromised?
 
Unobtanium
3 hours ago  
I dumped LastPass early this year. Switched back to KeePass after many years. Changed every password to each account (and password length), deactivated some old accounts I wasn't using, and added app-based 2FA to several accounts that I didn't know had added the capability. Took me several days to get all my passwords updated. I didn't realize how many accounts I had until I did this exercise.

Still tweaking the settings occasionally, but the setup wasn't hard, just the tedium of changing all the passwords.

This guy has several online tutorials about KeePass. https://youtube.com/playlist?list=PLBNApfcGv5dqGLi3c0VmVstiore0dB1so
 
Chthonic Echoes
1 hour ago  

Get Your Dick Out Of My Food: I use a different password manager, but this kind of thing frightens me.


The best place to keep your passwords is a post-it stuck under your keyboard.
 
thealgorerhythm
1 hour ago  
[image]

I'm good
 
SpectroBoy
1 hour ago  
The "DevOps" engineer had the unencrupted vault at his house on a laptop!!!!

Grossly negligent.

* Should never be stored unencrypted
* should not have been on a laptop or at his house


Lawsuits should follow.
 
SBinRR
1 hour ago  
Just add an exclamation point to the end of each one.
 
Olthoi
1 hour ago  

Chthonic Echoes: Get Your Dick Out Of My Food: I use a different password manager, but this kind of thing frightens me.

The best place to keep your passwords is a post-it stuck under your keyboard.


That's probably safer these days than relying on password storage apps.
 
qorkfiend
1 hour ago  

Unobtanium: I dumped LastPass early this year. Switched back to KeePass after many years. Changed every password to each account (and password length), deactivated some old accounts I wasn't using, and added app-based 2FA to several accounts that I didn't know had added the capability. Took me several days to get all my passwords updated. I didn't realize how many accounts I had until I did this exercise.

Still tweaking the settings occasionally, but the setup wasn't hard, just the tedium of changing all the passwords.

This guy has several online tutorials about KeePass. https://youtube.com/playlist?list=PLBNApfcGv5dqGLi3c0VmVstiore0dB1so


Been using KeePass for the last ten years, never regretted it once.
 
vudukungfu
1 hour ago  
Cyber security training from corporate recommended last pass.

Since I learned in elementary, middle school, high school and college, memorize, spit back expectations (expectorations I call them) and seek the truth.

Aced the corporate quiz but I know better than to trust ANYFAAKINGBODY with my 14 passwords, and that is just for work


No wonder companies get hacked all to Fark
 
Fano
1 hour ago  

Olthoi: Chthonic Echoes: Get Your Dick Out Of My Food: I use a different password manager, but this kind of thing frightens me.

The best place to keep your passwords is a post-it stuck under your keyboard.

That's probably safer these days than relying on password storage apps.


At least Pam from accounting isn't trying to brute force your desk 20 times a day.
 
Paddy
1 hour ago  

SBinRR: Just add an exclamation point to the end of each one.


HEY!!! Now I have to change my passwords all over again.
 
Incog_Neeto
1 hour ago  
I tattoo all my passwords on the inside of my eyelids.
 
Chthonic Echoes
1 hour ago  

Olthoi: Chthonic Echoes: Get Your Dick Out Of My Food: I use a different password manager, but this kind of thing frightens me.

The best place to keep your passwords is a post-it stuck under your keyboard.

That's probably safer these days than relying on password storage apps.


Russian hackers can't defeat post-it notes, and bad actors who have physical access to your post-it notes also have physical access to your devices.
 
Marcus Aurelius
1 hour ago  

Get Your Dick Out Of My Food: I use a different password manager, but this kind of thing frightens me.


My company was using LastPass up until the first breach.  We changed providers, but the new one is just as vulnerable as the old one.  Using a password manager only increases your attack surface, because the thieves have a much larger target to shoot at than just some random small to mid sized business.  You need layered and compartmentalized security these days, even if you're just a small business.
 
xanadian
1 hour ago  
You never, ever, take sensitive data off-premises.

JFC

I mean, hacks happen, but...JFC.
 
Skyfrog
1 hour ago  
Online password programs are the dumbest thing. I use Keepass and the database is offline only, here on my computer. I can put it on a flash drive if I need to and take it anywhere I want, no need to have it on the internet.
 
Marcus Aurelius
1 hour ago  

Chthonic Echoes: Get Your Dick Out Of My Food: I use a different password manager, but this kind of thing frightens me.

The best place to keep your passwords is a post-it stuck under your keyboard.


You'll run out of space eventually, and need to upgrade to a coffee mug.  Mine's almost full.
 
Habitual Cynic
1 hour ago  
It doesn't matter what "security" is developed and employed, some farkwad will devise a way to defeat it.
 
TheSubjunctive
1 hour ago  

SpectroBoy: The "DevOps" engineer had the unencrypted vault at his house on a laptop!!!!

Grossly negligent.

* Should never be stored unencrypted
* should not have been on a laptop or at his house


We're talking about an in-memory attack, not sitting around at rest unencrypted.  ANY security vault is unencrypted in memory at some point, or you can't use what's in it.  It's how they all work.  At home on a laptop? Hard to say, could be more paranoid.  Shouldn't have had some 3rd party plugin (sounds like VLC?), of course not.
 
gyorg
1 hour ago  

SpectroBoy: The "DevOps" engineer had the unencrypted vault at his house on a laptop!!!!

Grossly negligent.

* Should never be stored unencrypted
* should not have been on a laptop or at his house


Lawsuits should follow.


I don't think you read the article.
 
KangTheMad
1 hour ago  
Wow, storing all your passwords on the internet is a bad idea????
 
The5thElement
1 hour ago  
Attack happened 6 months ago. Glad they're letting everyone know now.
 
Tax Boy
1 hour ago  
I switched a long time ago from LastPass to bitwarden and it's been fine. I might consider self hosting it
 
spaceman375
1 hour ago  
I've worked in cyber security since before the term was coined. Never, ever have I recommended that people use a password manager. It's just a honeypot looking for takers. Make up an algorithm to mangle and change something to do with the website at hand (NOT the name or URL). I often start with a competitor. Then change things in a way that you can predict but isn't obvious if you get 3 examples. More than just substitutions, switch positions around, add a character, all based on stuff like "If there's an h, insert a v two characters later, capital if it precedes a vowel."
You'll be able to recreate that password a year later without having ever written it down, and they'll all be different.
 
freakdiablo
1 hour ago  

Habitual Cynic: It doesn't matter what "security" is developed and employed, some farkwad will devise a way to defeat it.


Home Depot engineering.

Doesn't matter how good your security is, "hackers" just need to go after someone with a $5 wrench.
 
qorkfiend
1 hour ago  

KangTheMad: Wow, storing all your passwords on the internet is a bad idea????


TBH personally it's more the part where you're trusting some company to do it for you
 
Russ1642
56 minutes ago  
There's too much confusion over what they stole, what's encrypted, and what's unencrypted. It appears they got into the employee's home computer using methods that didn't depend on the earlier breach. But the takeaway is that LastPass having anything on its users that's unencrypted is a sure sign to stay the fark away from them.
 
neaorin
54 minutes ago  
You should use KeePass or whatever password manager app allows you to self-host the database file.
 
Warthog
54 minutes ago  
Just use my method for never forgetting a password:

I l0ve [Company name] moderator @!

So, for this site it's

I l0ve Fark moderator @!
 
Atomic Redneck
54 minutes ago  

xanadian: You never, ever, take sensitive data off-premises.

JFC

I mean, hacks happen, but...JFC.


Give the guy a break. He was probably trying to find a more secure place to store the data than at LastPass.
 
buntz
53 minutes ago  
[Fark user image]

All my passwords are safe
 
adj_m
53 minutes ago  
Never trusted these things in the first place, having all your passwords in one spot like that seemed sketchy.

I just have a few dozen phrases and combinations, and then I write references in notepad to help me keep track of which one is which, and so that I can save it online in case the physical copy is lost.

i.e: email password reminder: main B Third third variation short

Will help me remember the password if I forget, and only I know what it means. Everything important on 3 factor auth as well.

Still, I appreciate the Fark feature where it detects credit card numbers and replaces them with asterisks, more websites should def do that.

**************** **/** ***
 
Marcus Aurelius
52 minutes ago  

Russ1642: There's too much confusion over what they stole, what's encrypted, and what's unencrypted. It appears they got into the employee's home computer using methods that didn't depend on the earlier breach. But the takeaway is that LastPass having anything on its users that's unencrypted is a sure sign to stay the fark away from them.


Having that kind of information on a laptop in someone's house is something that should never have happened to begin with.  Four people have access to the info, and one of them is GOING TO TAKE IT HOME WITH THEM ON A LAPTOP?!?!?!?  What the actual?
 
Russ1642
51 minutes ago  

spaceman375: I've worked in cyber security since before the term was coined. Never, ever have I recommended that people use a password manager. It's just a honeypot looking for takers. Make up an algorithm to mangle and change something to do with the website at hand (NOT the name or URL). I often start with a competitor. Then change things in a way that you can predict but isn't obvious if you get 3 examples. More than just substitutions, switch positions around, add a character, all based on stuff like "If there's an h, insert a v two characters later, capital if it precedes a vowel."
You'll be able to recreate that password a year later without having ever written it down, and they'll all be different.


Those methods are weak. And password managers are a great idea, just not these all-online ones that are more interested in harvesting customer data than security. LastPass farking up doesn't mean password managers are all bad. That's textbook strawman arguing.
 
LarryDan43
50 minutes ago  
I think I'm the only one at my company who doesn't use lastpass. I've brought up the previous breach to IT and they don't seem to care.
 
keldaria
50 minutes ago  

Get Your Dick Out Of My Food: I use a different password manager, but this kind of thing frightens me.


You fool, you should just memorize all your passwords like I do. If you use the same one everywhere it's incredibly easy. My password of Password12345 has never been broken!
 
toraque
49 minutes ago  
This will not look good on someone's annual review.
 
styckx
49 minutes ago  
KeePass is all I've ever used for over a decade. The database stays local and solely my responsibility.
 
Random Companion
48 minutes ago  
[Fark user image]


/ Yes, I really do generate my passwords this way.
 
Russ1642
48 minutes ago  

Marcus Aurelius: Russ1642: There's too much confusion over what they stole, what's encrypted, and what's unencrypted. It appears they got into the employee's home computer using methods that didn't depend on the earlier breach. But the takeaway is that LastPass having anything on its users that's unencrypted is a sure sign to stay the fark away from them.

Having that kind of information on a laptop in someone's house is something that should never have happened to begin with.  Four people have access to the info, and one of them is GOING TO TAKE IT HOME WITH THEM ON A LAPTOP?!?!?!?  What the actual?


RTFA. They didn't have shiat on their laptop. They were remotely accessing AWS to do their job.
 
Lsherm
46 minutes ago  
"This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware," LastPass officials wrote.

So, Winamp?
 
Marcus Aurelius
45 minutes ago  

Russ1642: Marcus Aurelius: Russ1642: There's too much confusion over what they stole, what's encrypted, and what's unencrypted. It appears they got into the employee's home computer using methods that didn't depend on the earlier breach. But the takeaway is that LastPass having anything on its users that's unencrypted is a sure sign to stay the fark away from them.

Having that kind of information on a laptop in someone's house is something that should never have happened to begin with.  Four people have access to the info, and one of them is GOING TO TAKE IT HOME WITH THEM ON A LAPTOP?!?!?!?  What the actual?

RTFA. They didn't have shiat on their laptop. They were remotely accessing AWS to do their job.


Sorry, I never RTFA.  It limits my knee jerk responses if I do that.
 
KangTheMad
45 minutes ago  

Lsherm: "This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware," LastPass officials wrote.

So, Winamp?


Desktoppoledancers.exw
 
qorkfiend
44 minutes ago  
In fairness I will admit to using "correct horse battery staple" on a couple occasions
 
Lsherm
44 minutes ago  

KangTheMad: Lsherm: "This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware," LastPass officials wrote.

So, Winamp?

Desktoppoledancers.exw


If I had bothered to read further, I would know it was Plex...
 
hairywoogit
40 minutes ago  

Random Companion: [Fark user image 346x175]

/ Yes, I really do generate my passwords this way.


I have a hand written password log next to my desk.  Most passwords are a minimum of 9 characters, upper and lower case, with special characters and numbers, except the very few web sites that don't allow special characters.  It works fairly well.
 
KangTheMad
40 minutes ago  

Lsherm: KangTheMad: Lsherm: "This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware," LastPass officials wrote.

So, Winamp?

Desktoppoledancers.exw

If I had bothered to read further, I would know it was Plex...


Good network security isn't just for the business.
 
Joe USer
39 minutes ago  

Skyfrog: Online password programs are the dumbest thing. I use Keepass and the database is offline only, here on my computer. I can put it on a flash drive if I need to and take it anywhere I want, no need to have it on the internet.


I keep my KeePass database on the Internet.

I'm not concerned because I'm using a keyfile that never goes online and a passphrase long enough to be highly annoying to type in on mobile.

I recommend using MFA for KeePass to everyone.
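Joe USer's key-file-plus-passphrase setup, as an added example (not KeePass's own code): a simplified model of KeePass's composite key, where the SHA-256 digests of the passphrase and the key file are concatenated and hashed again before the slow key transform, so a database copy that sits online cannot be unlocked with the passphrase alone. The PBKDF2 stand-in for AES-KDF/Argon2, `KDF_ROUNDS`, `create_db` and `unlock` are assumptions made for this example; real KeePass also special-cases some key-file formats.

```python
import hashlib
import hmac
import os
from typing import Optional

# Simplified model of KeePass's composite key (added example; it does not
# reproduce KeePass's exact key-file handling or its AES-KDF/Argon2 transform).
KDF_ROUNDS = 200_000  # stand-in for KeePass's configurable transform rounds


def composite_key(passphrase: bytes, keyfile: Optional[bytes]) -> bytes:
    """SHA-256 over the SHA-256 digests of whichever components were supplied."""
    parts = [hashlib.sha256(passphrase).digest()]
    if keyfile is not None:
        parts.append(hashlib.sha256(keyfile).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def master_key(passphrase: bytes, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Slow transform of the composite key; PBKDF2 stands in for AES-KDF/Argon2."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(passphrase, keyfile), salt, KDF_ROUNDS)


def create_db(passphrase: bytes, keyfile: Optional[bytes]) -> dict:
    """Constructed stand-in for a database file: a random salt plus an HMAC
    verifier over that salt keyed with the master key (a real file carries a
    header authentication tag that plays the same role)."""
    salt = os.urandom(32)
    tag = hmac.new(master_key(passphrase, keyfile, salt), salt, "sha256").digest()
    return {"salt": salt, "tag": tag}


def unlock(db: dict, passphrase: bytes, keyfile: Optional[bytes]) -> bool:
    """True only when the supplied factors reproduce the stored verifier."""
    candidate = hmac.new(master_key(passphrase, keyfile, db["salt"]), db["salt"], "sha256").digest()
    return hmac.compare_digest(candidate, db["tag"])


def demo() -> tuple:
    keyfile = os.urandom(64)  # constructed key file; this byte string never goes online
    db = create_db(b"long annoying passphrase", keyfile)  # the database copy may sit online
    return (
        unlock(db, b"long annoying passphrase", keyfile),  # both factors: True
        unlock(db, b"long annoying passphrase", None),     # passphrase only: False
        unlock(db, b"wrong passphrase", keyfile),          # key file only: False
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```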
 
Omnivorous
38 minutes ago  
I didn't realize how many accounts I had until I did this exercise.

Everything online requires an account: often multiple accounts with the same entity.  Last count: 250.
 
