LastPass has been hacked.
Again.
Still.
This time it’s (for the second time) an attacker getting access to LastPass’s development environment, the same problem they had three months ago. They also had security incidents in 2011, 2015, 2016, 2017 (twice), 2019, 2021, and twice now in 2022.
Now, according to LP, you shouldn’t worry at all, as their blog post states that “our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture”. I have to think, though, that buying service from a security-focused company who constantly says “we were hacked, but don’t worry about it” rings hollow after a while.
When I first heard about LastPass over a decade ago, the idea seemed interesting. All your data (according to them – it’s not FOSS so you must trust) is an encrypted blob that is passed from server to browser. None of their server code interacts with it, so there’s no chance it’ll be hacked on their servers. In theory.
However, as any security pro can tell you, the weakness in any cryptography system is not the 256-bit RSA crypto or whatever. It’s the implementation details, which is where LastPass keeps falling down, along with their poor corporate security practices.
I’m not recommending the product necessarily, but it’s interesting that 1Password (a key competitor) has zero security incidents listed on its Wikipedia page. Zero. And LastPass has had nine since 2011.
Fool me once, shame on you, fool me nine times…
I have been using LP for a long time. But, and a big but… A security-based company that keeps getting hacks just does not sit right with me.
I have never stored any bank, google or other personal like data on LP, but sure got a lot of site info stored.
Questions I have: what are others using? Is there any open source that I can run from a USB drive? How to import LP data to any other locally based USB software?
Solution
Stop trusting
* National Government
* International Corporations
* World Central Banking Cartel
* The ‘cloud’ (someone else’s computer)
* International ((( Mainstream )))
Solution
* Self Hosting
* DIY
* Crowd Funded Community
* Commonality, Privacy, Transparency
* Opensource/FOSS/Linux/BSD
—–
Password Keeping Recommendations
* KeePassXC
https://keepassxc.org/
https://portableapps.com/apps/utilities/keepassxc-portable
https://github.com/keepassxreboot/keepassxc
* VeraCrypt + your own password file
https://www.veracrypt.fr/code/VeraCrypt/
https://sourceforge.net/projects/veracrypt/
https://github.com/veracrypt/VeraCrypt
https://www.groovypost.com/howto/veracrypt-encrypt-secrets/
https://security.vt.edu/resources/veracrypt.html
https://www.hkcfp.org.hk/Upload/Documents/EXIT/VeraCryptUserguide.pdf
https://www.purdue.edu/research/oevprp/regulatory-affairs/export-controls/guidance-documents/veracrypt.php
* Pass
https://wiki.archlinux.org/title/Pass
https://www.howtogeek.com/devops/how-to-use-pass-a-command-line-password-manager-for-linux-systems/
https://www.redhat.com/sysadmin/management-password-store
https://www.fossmint.com/pass-commandline-password-manager-for-linux/
https://www.passwordstore.org/
________
Regards
Charliebrownau
People’s Republic of Australia
* Email – charliebrownau@protonmail.com
* Website – http://Charliebrownau.com/
* Video – https://JoshwhoTV.com/channel/charliebrownau
* Social – https://pieville.net/@charliebrownau
I use Bit warden and pay the subscription to support them. BW can also be self hosted. I have also self hosted KeePass and XC version.
KeePass was my favourite except auto fill still has issues and credit card auto fill didn’t work last time I tried.
The upside of BW is if something happens to me, my partner can easily access the database. KeePass is more geeky.
Good info, thanks Andy!
Glad to help Susan. There is the added advantage that BW has far fewer users than LastPass. So logically a person wanting to compromise the stored data would go after the biggest supplier, LastPass.
Just switched to BW and like it. Nothing is 100% secure online but honestly, was getting tired of LP and the bulk.
Happy Holidays to all!
Yep it is all about risk/benefits. BW just ended up being the right balance for me. Each person is different :)