![]() In this situation, the plaintext URLs in a vault could give attackers an idea of what’s inside and help them to prioritize which vaults to work on cracking first. And LastPass has long been criticized for storing its vault data in a hybrid format where items like passwords are encrypted but other information, like URLs, are not. The breach also includes other customer data, including names, email addresses, phone numbers, and some billing information. “I'd be either looking for new options or looking to see a renewed focus on building trust over the next few months from their new management team.” “In my opinion, they are doing a world-class job detecting incidents and a really, really crummy job preventing issues and responding transparently,” says Evan Johnson, a security engineer who worked at LastPass more than seven years ago. In characterizing the scale of the situation, the company said in its announcement that hackers were “able to copy a backup of customer vault data from the encrypted storage container.” The company also did not respond to WIRED's questions about what it calls “a proprietary binary format” it uses to store encrypted and unencrypted vault data. If attackers have had three or four months with the stolen data, the situation is even more urgent for impacted LastPass users than if hackers have had only a few weeks. It seems to have been sometime after August 2022, but the timing is significant, because a big question is how long it will take attackers to start “cracking,” or guessing, the keys used to encrypt the stolen password vaults. ![]() The company hasn't even clarified when the breach occurred. LastPass has not returned WIRED's multiple requests for comment about how many password vaults were compromised in the breach and how many users were affected. Now, nearly a week since the disclosure, the company has not provided additional information to confused and worried customers. The details LastPass provided about the situation a week ago were worrying enough that security professionals quickly started calling for users to switch to other services. For the security service's 25.6 million users, though, the company made a worrying announcement on December 22: A security incident the firm had previously reported (on November 30) was actually a massive and concerning data breach that exposed encrypted password vaults-the crown jewels of any password manager-along with other user data. And if you finally took the plunge with a free and mainstream option, particularly during the 2010s, it was probably LastPass. Ill never use it again and I will never recommend it to anyone.You've heard it again and again: You need to use a password manager to generate strong, unique passwords and keep track of them for you. This post will probably get deleted, I really dont care if they see this. Pretty much, Last Pass is the crappy over priced corporate sell out of the password manager space. The only other password manager that I can recommend is 1password as its UI/UX is great. If you do not need the Yubikey or TOTP or Webauth options you can use the free version as it will operate lightyears better than LastPass ever will. ![]() Its 30% cheaper than LastPass at 10$ a year. ![]() Along side that, it has great browser extensions and the UI is very slick. Why the hell is there even a separate Authenticator app?!Ĭheck out Bitwarden, its open source, streamlined, has an app for all major OS's, Windows, Mac (Yes, Mac Store), iOS, Android, even a Linux version and A CLI version if thats your cup of tea (Also can self host your own server). Its UI is overall terrible and the Authenticator functions for it are buggy as hell when trying to approve logins. I hated it since i started using it 2 years ago and even gave feedback about it to Logmein about how terrible the UX is. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |