this post was submitted on 07 Sep 2023
986 points (99.0% liked)

Technology

59030 readers
3070 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 161 points 1 year ago (7 children)
[–] [email protected] 70 points 1 year ago (1 children)

I dumped LastPass for Bitwarden a few years ago. So glad I did.

load more comments (1 replies)
[–] [email protected] 52 points 1 year ago (5 children)

Selfhosted for extra win!?

[–] [email protected] 18 points 1 year ago (8 children)

Any recommendations on how-to?

[–] [email protected] 34 points 1 year ago (2 children)

KeepassXC (desktop)/KeePassDX(mobile) on top of something like Syncthing or Nextcloud.

load more comments (2 replies)
[–] [email protected] 27 points 1 year ago* (last edited 1 year ago) (2 children)

Vaultwarden is what I use: https://github.com/dani-garcia/vaultwarden/

Their wiki is pretty good assuming you're comfortable with Docker.

Back before I self-hosted, KeePassXC for desktop and Keepass2Android for mobile (along with Synching to sync the database) got the job done.

load more comments (2 replies)
load more comments (6 replies)
load more comments (4 replies)
[–] [email protected] 12 points 1 year ago (2 children)

So what makes Bitwarden better than LastPass if you're using Bitwarden's hosted option (I know you can keep it locally).

[–] [email protected] 24 points 1 year ago (5 children)

From what I remember (take this with a grain of salt since it’s all from when the big LastPass breach happened,) LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes, images, etc) were unencrypted. So even without cracking any vaults, hackers got access to gigantic lists of usernames and their associated email addresses. That’s valuable in and of itself, because it allows them to spear-phish those users.

For example, you may not fall for a regular phishing scam. But you may fall for it if the email has your username and recovery info in it. Because they know every email you’ve used to sign up for something and all of your different usernames that you used on that site, so they can craft convincing phishing emails that are specifically tailored to you.

It also allows them to search for specific users. Maybe there is a user on a crypto forum who is particularly noteworthy. Their username is already known on the site, and hackers are able to cross-reference that with the list of known usernames/emails and see if that user’s vault was part of the breach. If it was, they can focus on breaching that one user’s vault, instead of aimlessly trying random vaults.

load more comments (5 replies)
[–] [email protected] 22 points 1 year ago (1 children)

I’m not 100% but I think Bitwarden actual encrypt the entire ‘password object’. So the url, username, password, and any notes. Lastpass didn’t/doesn’t encrypt the url so if anyone gets access to the vault, they have a list of websites where the person will have an account and can more accurately send phishing emails.

load more comments (1 replies)
load more comments (4 replies)
[–] [email protected] 153 points 1 year ago (6 children)

Nearly every victim was a LastPass user.

But every victim was a cryptocurrency user.

[–] [email protected] 19 points 1 year ago (3 children)

I'd be willing to bet that people store their key phrases in the notes section in LastPass which was not encrypted at rest

[–] [email protected] 13 points 1 year ago* (last edited 1 year ago) (1 children)

I'm sure they were encrypted. But attackers have the vaults and many people have bad passwords. Brute forcing these days is less about trying every combination and more about trying all known leaked passwords, because people reuse passwords like crazy and also just aren't as original as they think.

If you have millions of password vaults, I'm sure you can crack open a small number. And the ones you can crack are probably the most likely to not be following best practices, meaning it's more likely they haven't changed their passwords since the breach was announced a while back and they probably are less likely to have 2FA. 150 victims is such a tiny number for how many vaults were stolen when LastPass got compromised.

load more comments (1 replies)
load more comments (2 replies)
load more comments (5 replies)
[–] [email protected] 96 points 1 year ago (4 children)

Switched to bitwarden as soon as they tried to charge a sub for multiple devices, I see that was the right choice

[–] [email protected] 28 points 1 year ago* (last edited 1 year ago) (6 children)

Are you not worried your vault is still on their servers? I feel most companies don’t delete shit. Most have ways to get around it saying they keep some info for taxes, accounting, etc.

I wouldn’t sleep well knowing my passwords were on there at any given time.

[–] [email protected] 23 points 1 year ago (1 children)

You can host a bitwarden vault yourself. They open sourced and audited. So, trustworthy that there's no back door somewhere to some degree.

[–] [email protected] 21 points 1 year ago (1 children)

I suspect they're referring to LastPass?

load more comments (1 replies)
load more comments (5 replies)
load more comments (3 replies)
[–] [email protected] 76 points 1 year ago (14 children)

These guys saved their seed phrases to LastPass, not just account passwords. You can't just change your seeds without moving funds to a new wallet.

The main lesson here is never store your seeds in digital form, ever. Write it down by hand on paper at creation and then take additional efforts to safeguard it.

load more comments (14 replies)
[–] [email protected] 57 points 1 year ago (11 children)

instead of using a password manager managed by a PRIVATE ENTITY people should start using bitwarden ... its opensource, free and much more secure and reliable

[–] [email protected] 19 points 1 year ago (2 children)

But who is running the bitwarden server? Bitwarden the private company.

I self host vault warden, but it's really not something everyone can do.

load more comments (2 replies)
[–] [email protected] 18 points 1 year ago

I personally use KeepassXD on my phone, although it hasn't had a security audit. There is also KeepassXC for desktop, which has had an audit

[–] [email protected] 14 points 1 year ago

Bitwarden, the host, is a private entity

[–] [email protected] 13 points 1 year ago (1 children)

I prefer local password managers. Synchronisation is achieved with a syncing service of our choice.

load more comments (1 replies)
load more comments (7 replies)
[–] [email protected] 47 points 1 year ago* (last edited 1 year ago) (6 children)

Man am I glad that I picked KeypassXC as my password manager some years ago. Super safe, easy to use, costs nothing, not dependant on internet/cloud, can export data to another app at any time, transparent because open source.

I'm using Syncthing to synchronize across devices which arguably took some fiddling to set up but I only had to fiddle once and haven't touched the configuration since; it just works automagically in the background.

[–] [email protected] 14 points 1 year ago (1 children)

Keepassxc and syncthing? Are you a clone of myself? :D

Same setup, working as a charm

load more comments (1 replies)
load more comments (5 replies)
[–] [email protected] 42 points 1 year ago (8 children)

Pro Tip: You don't need to give a private company all of your passwords. That literally defeats the purpose of having passwords.

load more comments (8 replies)
[–] [email protected] 32 points 1 year ago (8 children)

Any obvious holes in keeping a text file on my laptop that I encrypt when not using it? Using ccrypt on linux.

I do not want my passwords - even encrypted - on the cloud or at the mercy of a 3rd party in any fashion.

[–] [email protected] 27 points 1 year ago* (last edited 1 year ago) (8 children)

Use KeePass.

My concern with using a text file is you have to defrost it to use it and whenever it's not encrypted it's potentially exposed. You are also vulnerable to keyloggers or clipboard captures

KeePass works entirely locally, no cloud. And it's far more secure/functional than a text file.

I personally use KeePass, secured with a master password + YubiKey.

Then I sync the database between devices using SyncThing over a Tailscale network.

KeePass keeps the data secure at rest and transferring is always done P2P over SSL and always inside a WireGuard network so even on public networks it's protected.

You could just as easily leave out the Tailscale/SyncThing and just manually transfer your database using hardware air-gapped solutions instead but I am confident in the security of this solution for myself. Even if the database was intercepted during transit it's useless without the combined password/hardware key.

load more comments (8 replies)
[–] [email protected] 15 points 1 year ago* (last edited 1 year ago) (2 children)

Yes, if you write the decrypted file to disk, it could be recovered. Deleting files only removes the file system entries - it does not wipe the content.

Use a local password manager. KeePass (use the KeePassXC variant on Linux) is the most popular choice. If you prefer a command line tool, pass (passwordstore.org) is an option.

load more comments (2 replies)
load more comments (6 replies)
[–] [email protected] 29 points 1 year ago (1 children)

That's an average of over 200k each. I'm wondering how they managed to target people with so much money.

[–] [email protected] 15 points 1 year ago

People with less might just not complain loudly

[–] [email protected] 28 points 1 year ago

migrated my shit out of lastpass like 10 years ago or whenever it was bought by logmein. douches.

[–] [email protected] 17 points 1 year ago (1 children)

This is the best summary I could come up with:


Cybersecurity blogger Brian Krebs reports that several researchers have identified a “highly reliable set of clues” that seemingly connect over 150 victims of crypto theft with the LastPass service.

Taylor Monahan, lead product manager at crypto wallet company MetaMask and one of the key researchers investigating the attacks, concluded that the common thread connecting the victims was that they’d previously used LastPass to store their “seed phrase” — a private digital key that’s required to access cryptocurrency investments.

These keys are often stored on encrypted services like password managers to prevent bad actors from gaining access to crypto wallets.

We have reached out to LastPass to confirm if any of the stolen password vaults have been cracked and will update this story if we hear back.

Researcher Nick Bax, director of analytics at crypto wallet recovery company Unciphered, also reviewed the theft data and agreed with Monahan’s conclusions in an interview with KrebsOnSecurity:

“I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”


The original article contains 363 words, the summary contains 196 words. Saved 46%. I'm a bot and I'm open source!

load more comments (1 replies)
[–] [email protected] 14 points 1 year ago (2 children)

I mean, they've had more than long enough to change passwords.

Nobody is after your password for the Moravian rug weaving forum but in this day and age it's on you, if you know there's a breach and you don't change your banking / crypto passwords.

load more comments (2 replies)
load more comments
view more: next ›