LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Just Stop Using LastPass: They've Been Hacked for the 9th Time

LastPassLastPass has been hacked.

Again.

Still.

This time it’s (for the second time) an attacker getting access to LastPass’s development environment.  Same problem they had back three months ago.  They also had security incidents in 2011, 2015, 2016, 2017 (twice), 2019, 2021, and twice now in 2022.

Now, according to LP, you shouldn’t worry at all, as their blog post states that “our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture”.  I have to think, though, that buying service from a security-focused company who constantly says “we were hacked, but don’t worry about it” rings hollow after a while.

When I first heard about LastPass over a decade ago, the idea seemed interesting.  All your data (according to them – it’s not FOSS so you must trust) is an encrypted blob that is passed from server to browser.  None of their server code interacts with it, so there’s no chance it’ll be hacked on their servers.  In theory.

However, as any security pro can tell you, the weakness in any cryptography system is not the 256-bit RSA crypto or whatever.  It’s the implementation details, which is where LastPass keeps falling down, along with their poor corporate security practices.

I’m not recommending the product necessarily, but it’s interesting that 1Password (a key competitor) has zero security incidents listed on its Wikipedia page.  Zero.  And LastPass has had nine since 2011.

Fool me once, shame on you, fool me nine times…

 

 

raindog308

7 Comments

  1. Susan:

    I have been using LP for long time. But and a big but… A security-based company that keeps getting hacks just does not sit right with me.

    I have never stored any bank, google or other personal like data on LP, but sure got a lot of site info stored.

    Questions I have: what are others using? Is there any open source that I can run from a USB drive? How to import LP data to any other locally based USB software?

    December 9, 2022 @ 4:36 pm | Reply
  2. Solution

    Stop trusting
    * National Government
    * International Corporations
    * World Central Banking Cartel
    * The ‘cloud’ (someone else’s computer’
    * International ((( Mainstream )))

    Solution
    * Self Hosting
    * DIY
    * Crowd Funded Community
    * Commonality, Privacy, Transparency
    * Opensource/FOSS/Linux/BSD

    —–

    Password Keeping Recommendations

    * KeePassXC
    https://keepassxc.org/
    https://portableapps.com/apps/utilities/keepassxc-portable
    https://github.com/keepassxreboot/keepassxc

    * Veracypt + your own password file
    https://www.veracrypt.fr/code/VeraCrypt/
    https://sourceforge.net/projects/veracrypt/
    https://github.com/veracrypt/VeraCrypt
    https://www.groovypost.com/howto/veracrypt-encrypt-secrets/
    https://security.vt.edu/resources/veracrypt.html
    https://www.hkcfp.org.hk/Upload/Documents/EXIT/VeraCryptUserguide.pdf
    https://www.purdue.edu/research/oevprp/regulatory-affairs/export-controls/guidance-documents/veracrypt.php

    * Pass
    https://wiki.archlinux.org/title/Pass
    https://www.howtogeek.com/devops/how-to-use-pass-a-command-line-password-manager-for-linux-systems/
    https://www.redhat.com/sysadmin/management-password-store
    https://www.fossmint.com/pass-commandline-password-manager-for-linux/
    https://www.passwordstore.org/

    ________
    Regards
    Charliebrownau
    People’s Republic of Australia
    * Email – charliebrownau@protonmail.com
    * Website – http://Charliebrownau.com/
    * Video – https://JoshwhoTV.com/channel/charliebrownau
    * Social – https://pieville.net/@charliebrownau

    December 9, 2022 @ 4:42 pm | Reply
  3. Andy:

    I use Bit warden and pay the subscription to support them. BW can also be self hosted. I have also self hosted KeePass and XC version.

    KeePass was my favourite except auto fill still has issues and credit card auto fill didn’t work last time I tried.

    The upside of BW is if something happens to me, my partner can easily access the database. KeePass is more geeky.

    December 9, 2022 @ 4:43 pm | Reply
    • Susan:

      Good info, thanks Andy!

      December 9, 2022 @ 5:29 pm | Reply
      • Andy:

        Glad to help Susan. There is the added advantage that BW has far less users than Last Pass. So logically a person wanting to compromise the stored data would go after the biggest supplier, LastPass.

        December 9, 2022 @ 6:38 pm | Reply
        • Susan:

          Just switched to BW and like it. Nothing is 100% secure online but honestly, was getting tired of LP and the bulk.

          Happy Holiday’s to all!

          December 9, 2022 @ 7:12 pm | Reply
  4. Andy:

    Yep it is all about risk/benefits. BW just ended up being the right balance for me. Each person is different :)

    December 9, 2022 @ 7:15 pm | Reply

Leave a Reply to Andy Cancel reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *