More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists
Bitwarden or keepass ftw
I dumped LastPass for Bitwarden a few years ago. So glad I did.
Selfhosted for extra win!?
Any recommendations on how-to?
Vaultwarden is what I use: https://github.com/dani-garcia/vaultwarden/
Their wiki is pretty good assuming you’re comfortable with Docker.
Back before I self-hosted, KeePassXC for desktop and Keepass2Android for mobile (along with Synching to sync the database) got the job done.
Interesting, I’ll check it out, as it looks like it’ll cover what I need. Hopefully it’s simple enough, as always having an iPhone makes things more complicated lol.
I host for my family which has a mix of Android and iPhone. So far, no complaints about Bitwarden on iOS. Hopefully it works out for you. If self hosting becomes a problem, I think premium is only $10/year and family is up to 6 people at $40/year.
It doesn’t have to be difficult.
-
Download keepass to your computer.
-
Keep the save file on a USB or private cloud backup.
-
Done!
As you get more comfortable with it, you’ll start using it in more complex ways. Like having a phone app, connected to a self hosted network. But keep it simple for now.
This might be a good idea for my family, they definitely prefer a K.I.S.S. approach lol.
-
If you wanna use KeePass, you just have to store your database in some secure location. It can be on your local drive or in the cloud, any location you trust really.
Guessing it’s suggested to use a small flash drive and keep it hidden somewhere?
Self-hosted with yubikey 2fa. Even Santa Claus can’t see my info 😎
I should get around to doing this… But it scares me haha.
Not sure about that software specifically but most yubikey 2FA implementations allow you to set up more than one key. That way you don’t lose access if you lose your key. I personally have three keys.
I started out with the Yubikey, which was such a relief all by itself. Even if you have my password, you need my physical USB key to plug in or NFC confirm for the 2fa. I did later move to self-hosting, but I def have a backup of a backup for that since space is cheap-ish.
So what makes Bitwarden better than LastPass if you’re using Bitwarden’s hosted option (I know you can keep it locally).
From what I remember (take this with a grain of salt since it’s all from when the big LastPass breach happened,) LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes, images, etc) were unencrypted. So even without cracking any vaults, hackers got access to gigantic lists of usernames and their associated email addresses. That’s valuable in and of itself, because it allows them to spear-phish those users.
For example, you may not fall for a regular phishing scam. But you may fall for it if the email has your username and recovery info in it. Because they know every email you’ve used to sign up for something and all of your different usernames that you used on that site, so they can craft convincing phishing emails that are specifically tailored to you.
It also allows them to search for specific users. Maybe there is a user on a crypto forum who is particularly noteworthy. Their username is already known on the site, and hackers are able to cross-reference that with the list of known usernames/emails and see if that user’s vault was part of the breach. If it was, they can focus on breaching that one user’s vault, instead of aimlessly trying random vaults.
That’s valuable in and of itself, because it allows them to spear-phish those users.
I’m sorry, this is the first time I’m hearing the term spear-phish and I love it. It’s hilarious.
It refers to targeting phishing attacks. With traditional phishing, scammers simply cast an ultra wide net and catch whichever one’s happen to respond. They don’t really care who it is, because they’re playing a numbers game. Even if only 0.1% of people respond, sending out a thousand phishing emails means you still got a response.
But with spear phishing, it’s a targeted attack. They’ll call you at your desk with a spoofed work number, and pretend to be the CEO’s assistant. The CEO needs you to go buy gift cards for a big sales event coming up. Don’t worry, it can all be expensed later, but he needs the cards now and doesn’t have time to deal with vendors and purchase orders. And now you’re reading gift card numbers to a scammer, because they knew enough about your workplace to be able to reasonably impersonate the CEO’s assistant.
It can also be used to refer to targeted attacks against company leaders or notable figures. Maybe someone has a fat crypto wallet, so someone targets them. Or maybe they try to trick the CEO into giving away a trade secret. Regardless of the reasons, the attack is still the same basic principle; Find a target, meticulously research them enough to be able to fool them, then attack. Most people will be good at avoiding regular phishing. But very few people are prepared for a coordinated and laser-guided spear phishing attack.
Thank you for the realistic depiction of how it can happen.
LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes
Wait a moment… now I wonder how many people kept their crypto wallet recovery word lists as notes instead of as passwords.
Geez I do this in 1 password.
I’m not 100% but I think Bitwarden actual encrypt the entire ‘password object’. So the url, username, password, and any notes. Lastpass didn’t/doesn’t encrypt the url so if anyone gets access to the vault, they have a list of websites where the person will have an account and can more accurately send phishing emails.
It encrypts the entire vault iirc, not the objects themselves. The only thing a breach cound gain access to is the encrypted vault, the hashed master password and the master email.
There’s no such thing as an impenetrable password manager. I keep my most secure passwords in my head, and so should everyone.
Even if the software were perfect, people aren’t. Anyone can be fooled under the right circumstances. It’s better to expose one service than all of them at once.
How would someone steal my password and my physical yubikey for 2fa?
Nearly every victim was a LastPass user.
But every victim was a cryptocurrency user.
I’d be willing to bet that people store their key phrases in the notes section in LastPass which was not encrypted at rest
I’m sure they were encrypted. But attackers have the vaults and many people have bad passwords. Brute forcing these days is less about trying every combination and more about trying all known leaked passwords, because people reuse passwords like crazy and also just aren’t as original as they think.
If you have millions of password vaults, I’m sure you can crack open a small number. And the ones you can crack are probably the most likely to not be following best practices, meaning it’s more likely they haven’t changed their passwords since the breach was announced a while back and they probably are less likely to have 2FA. 150 victims is such a tiny number for how many vaults were stolen when LastPass got compromised.
deleted by creator
This is incorrect information. Notes are encrypted, just not their “type”. Unfortunately the most direct source for this is a reddit link, but here it is anyway.
okay thanks for that I was going off of an earlier report
This doesn’t say anything about crypto.
It says everything about the users themselves.
I also heard every victim were addicted to water…
Switched to bitwarden as soon as they tried to charge a sub for multiple devices, I see that was the right choice
same here. nuked my lastpass account and switched everything over to bitwarden. their paid offering was worse from the competition and now i’m very glad i moved from them
Was it a huge pain in the ass moving over or fairly painless? I need to do this.
Not painless at all. IIRC, I just exported from LastPass and imported (without change) to BitWarden. It worked fine.
These guys saved their seed phrases to LastPass, not just account passwords. You can’t just change your seeds without moving funds to a new wallet.
The main lesson here is never store your seeds in digital form, ever. Write it down by hand on paper at creation and then take additional efforts to safeguard it.
I just store recovery phrases of all kinds on an encrypted USB stick (which is obviously only connected to my PC when I need to put a new one in or use it (which so far has happened never)), I feel like that is secure enough for me, although if I could laminate at home I might print and make small cards in a separate a card wallet. Any other way I feel like I would eventually lose them, the particular USB drive ive had for over 15 years, it is 512 MB lol.
USB sticks are not very reliable and can become totally unreadable randomly. I hope you at least have a few backups of it
Yeah, they are horribly unreliable.
I got myself 5 sticks, put the same data on all 5.
1st was dead within a month. 2nd & 3rd both dead in 4m, 4th dead in 6m. The 5th is still alive 3 years later.
It’s a shit lottery, don’t play it, modern flash drives are absolutely garbage. Yet I still have a whole pile of 1,2, 4 GB flash drives from over a decade ago and they all still work.
Old flash drives used to be all SLC.
Newer ones, use the cheapest tech for the same capacity, with QLC being about 16 times less reliable than SLC.
Carve it in granite and bury it underground so that future archaeologists can be confused over their meaning.
At least better than the cloud.
USB sticks can be very different. I would recommend using small M.2 SSD in a stick enclosure.
I would duplicate to at least 2 sticks, and also a written form that you keep stored with important documents, like a safe with your SSN, birth certificate, etc.
For any significant amount of money, the seed should never even touch a PC. No USBs, no printers.
I wrote my seed information down for my poop coin wallet directly on Charmin double ply and then promptly wiped my ass with it and flushed.
All my apes gone!
Shit coin is far superior than poop coin. All the apes have shit coin. You never lose the password to shit coin, there’s always more shit coin passwords.
How were the wallets cracked? Cracked the master password?
instead of using a password manager managed by a PRIVATE ENTITY people should start using bitwarden … its opensource, free and much more secure and reliable
But who is running the bitwarden server? Bitwarden the private company.
I self host vault warden, but it’s really not something everyone can do.
Vaultwarden is incredible, and runs easily on freebsd.
Or should, for that matter
How does bitwarden encrypt their passwords? Im just realising that since it works on both my laptop and phone with no configuration it can’t be overly nuanced
Private entities are more reliable for personal data than companies whose stocks have gone public.
Pro Tip: You don’t need to give a private company all of your passwords. That literally defeats the purpose of having passwords.
This. This. This.
I vote for you to be chair person of the board for common sense.
deleted by creator
I’d be worried about losing access to the entirety of your passwords if Google up and decides that one day your account is suspended. There’s been a few reports historically where someone gets their Gmail account suspended for some mistaken reason and all their associated access gets pulled (e.g. from drive, sheets, etc)
deleted by creator
You are saying that bitwarden suspended your account?
My Google account has been rock solid from the day I created it as a child
Hopefully you were of legal age to accept the Terms of Service, otherwise it might’ve been an irregular account all this time.
deleted by creator
If it was, and you haven’t accepted the ToS as of legal age, then you might want to make a new one.
Google is getting ready to purge inactive accounts starting next year, and it wouldn’t be the first time when a service purged irregular accounts many years after the fact, so… better safe than sorry.
As a non-Google user, Lemmy is only “Chrome bad”. They’re “Android is the only way”
…so far.
For those that don’t mind self-hosting, which can be as easy as just running syncthing or resilio sync on your NAS, I can really recommend keepass.
Me with interest, but no technical knowledge reading your comment:
which can be as easy as
:-)
running syncthing or resilio sync on your NAS
:-(
I didn’t understand any of those words
A NAS is a home storage server, like Synology that you can use to store images, videos and backups, etc on so you can access them from any computer or device in your home. With a couple of clicks, they can easily run applications like Syncthing or Resilio Sync, which are kinda like Dropbox, except you don’t have to pay Dropbox, you’ll just be storing the files on your own service.
If that’s too much to handle, you can still just store your Keepass file in Dropbox, so that it’s available on all your devices. But in the end you’ll still be storing your personal data on someone else’s harddisk.
So in short, is at easy as using a prefab service? No, you’ll have to invest some time, money, and knowledge yourself. But in the end, your data is not gathered in silo together with countless other users, which makes it a lot less attractive for hackers to try and steal it.
edit - nevermind I can’t even format a comment, let alone self host a… Thingie. What the other guy said.
deleted by creator
Self hosting is less appealing for criminals, though. Especially if the protocol is “vanilla” like ssh.
When you hack LastPass you know what you’ll find, millions of passwords. When you hack a dude ssh you have one chance over one million that there is one dude password wallet.
It doesn’t make financial sense to hack self hosting (unless it’s specific server software)
There are plenty of use cases for going after self hosters. Bot farms are basically made up of “regular” computers infected with malware.
While you’re at it and have access to tens of thousands computers, also grabbing their passwords is just a nice bonus.
If anything, it doesn’t make financial sense not to do it. You’re right in that self hosters themselves are not the target per se. but they are targeted for other reasons, and that’s where it ends up becoming problematic.
You need to aumatize any operation… It’s not conceivable that an human look at every device for stuff to steal. It would be even more expensive.
Generally all these bit malware do is 1) using a vulnerability to replicate themselves 2) mine crypto or other kind of crap. Sometimes (1) involves also stealing ssh keys but it’s not the goal, it the mean.
Self hosting password/code/photos/whatever niches you are almost guaranteed that no human will look at hit because the amount of IoT/Routers/etc with nothing valuable beyond themselves generally composes the majority of these compromised bots
This is just the economic incentive
Oh yes, because automating a search for csv and json files to search for mail addresses and passwords can’t be done by malware. It must be a human.
Common. This happens on massive scale, wether you like it or not.
https://phys.org/news/2013-12-stolen-credentials-million-compromised-accounts.amp
It’s software, everything can be done. Even if username and passwords are not kept in plaintext as you suggest (and likely nobody would do)
Problem is that the number of people that self host password repositories is so little that it makes no financial sense. And so for this reason your “massive scale” is an hyperbole because there isn’t a massive scale of people that self host password repositories
Botnets that stole from local password repositories makes more sense because there are more people that use password managers of sort.
Humans looking are flexible enough to look at all possible long tail cases like this… but not going to happen except for high profile targets.
All in all what i am saying is that i don’t see clear evidence that self hosting is more dangerous (in practice) than centralized hosting
PS: pro tip If you link references, make sure to read the references you link… The second one has nothing to do with password stealing, it was about a password cracker that was a trojan horse for a botnet. Yes, it fits the search “botnet password” but it doesn’t sustain your point
Any obvious holes in keeping a text file on my laptop that I encrypt when not using it? Using ccrypt on linux.
I do not want my passwords - even encrypted - on the cloud or at the mercy of a 3rd party in any fashion.
Use KeePass.
My concern with using a text file is you have to defrost it to use it and whenever it’s not encrypted it’s potentially exposed. You are also vulnerable to keyloggers or clipboard captures
KeePass works entirely locally, no cloud. And it’s far more secure/functional than a text file.
I personally use KeePass, secured with a master password + YubiKey.
Then I sync the database between devices using SyncThing over a Tailscale network.
KeePass keeps the data secure at rest and transferring is always done P2P over SSL and always inside a WireGuard network so even on public networks it’s protected.
You could just as easily leave out the Tailscale/SyncThing and just manually transfer your database using hardware air-gapped solutions instead but I am confident in the security of this solution for myself. Even if the database was intercepted during transit it’s useless without the combined password/hardware key.
Is there a recovery process if your yubikey breaks?
Having a recovery process for the YubiKey would really just be a potential security hole.
Ideally you have a backup clone of the key in case yours is lost/broken.
Keeping a recovery seed or backup password instead would be inherently less secure as the YubiKey uses an HMAC challenge-response key for KeePass rather than a static password/key file.
A static password or key would be a better target for hackers as it would be easier to crack so having that option would lower your overall security.
Also worth noting that the way KeePassXC handles the HMAC challenge-response is different from how KeeChallenge does it.
In KeeChallenge the HMAC secret is used to encrypt the database, which requires storing the encrypted secret in a separate file.
In KeePassXC the database’s seed is used as the challenge and the response is used to encrypt the database.
The benefit to the KeePassXC method is two-fold:
-
It’s less vulnerable as the HMAC secret never leaves the YubiKey or get stored in a file.
-
It increases security because the challenge-response changes every time you save the database (changing its seed)
Thank you for your detailed responses - I’m going to look into KeePass and maybe a Yubikey after reading your description of how it works. I hadn’t considered a Yubikey before mostly because I’m prone to lose things, but also because my encrypted file password is >12 characters and a fairly random mix of lower and uppercase letters, numbers and special characters.
-
Yes, if you write the decrypted file to disk, it could be recovered. Deleting files only removes the file system entries - it does not wipe the content.
Use a local password manager. KeePass (use the KeePassXC variant on Linux) is the most popular choice. If you prefer a command line tool, pass (passwordstore.org) is an option.
Thanks, great point. Lots of suggestions for KeePass here, so I’ll definitely look into it. I appreciate the command line tool recommendation as well, as that’s my preference. Cheers!
All it takes is a malicious program accessing your clipboard or running commands to find your password file while your machine is booted and decrypted.
If something happens to your SSD, you lose all access to everything. And SSDs can die without warning, and be un-recoverable.
Would cloudless self hosting count? https://keepassxc.org/
If we’re talking crypto keys like in the article, that would be an improvement over storing them in the cloud, but it’s still vulnerable to malware/keyloggers. Ideally you should use a dedicated hardware wallet and/or write it down physically and have some form of offline signing setup.
If you care about security, use FDE. Then a text file with proper file permissions is probably fine.
That’s an average of over 200k each. I’m wondering how they managed to target people with so much money.
migrated my shit out of lastpass like 10 years ago or whenever it was bought by logmein. douches.
deleted by creator
The idea is fine. Still trusting lastpass was the bad idea. Others have much better implementations to protector your vault and don’t drop the ball on security time after time.
deleted by creator
Removed by mod
After years as a family plan subscriber, I moved my personal (1k+) passwords off of LP after the last – and most egregious – breach. I have quite a bit self hosted in my environment but Proton Pass interests me as I can get my wife and son in it easily as we already have the family plan. Lemmy is loaded with tech savy, so my question is; same devil different form? I’ve tried BW but it wasn’t condusive to the whole familys use (at least not a few years ago).
If it is cloud hosted then there is always a possibility. Programs like keypass run locally and are only in jeopardy once your system is compromised. The issue with keypass is implementing it for multiple users is probably a chore (never looked into it).
Is there any reason to use a password manager over just an excel spreadsheet?
So what makes lastpass untrustworthy and do we think competitors like 1pass are any different?
