SN 904: Leaving LastPass

1000%! I think part of what motivated my decision is that I run enough websites during the day, I just wanna relax at night. I’ve proven to myself that I could host it locally, and it’s good to know that option still exists in case Bitwarden changes down the road.

3 Likes

So just changing passwords on financial accounts is only one part. Should we also change credentials for account recovery methods, such as any email passwords we use?

2 Likes

Yes, e-mail addresses would come under the high-priority passwords.

2 Likes

Excellent thread - I’ll be referring to it tomorrow when we cover this story on Ask The Tech Guys. I’ll also demo moving from LastPass to another PM in real time on the show and discuss the security implications of the breach and what people should consider doing now. Basically a layman’s translation of SN 904.

What’s going to be really interesting is what happens if LastPass goes belly up (and I really wonder how they’re going to survive this). Once the revenue disappears they’re going to want to turn off backend services, but how can they do that without screwing any remaining users? This story is far from over, I fear.

3 Likes

In listening to recent Security Now, I learned that in LastPass there is a setting for iterations that should be set to 100100. I heard that 5000 is less desirable. I heard on the podcast that many were finding theirs was 5000. In checking, mine was at 5000. I checked a friend’s and his was set at 5000 too. Very disappointing to pay for a service and by default have insecure settings and not be warned. So I am curious if anyone knows what the implications are? With a 12-character non-dictionary password, how likely is that to be cracked? The podcast mentions it would take 200 years for the higher iteration settings. But what about the lower?

Not good. And 12 characters ain’t much for a master password. Unfortunately there’s nothing you can do about it now. The horse has left the barn with those settings.

Might be a good idea to change your most critical passwords, especially those without two-factor protection.

4 Likes
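An added illustration (not from the thread) of why the iteration count asked about above matters: PBKDF2 makes every guess at the master password pay for the full iteration count, so raising 5000 to 100100 multiplies the per-guess cost by about 20. The attacker rate, the constructed salt and the 95-character alphabet are assumptions for the arithmetic, not figures from the episode.

```python
import hashlib
import math
import time

# Iteration counts discussed in the thread: the old LastPass default and the recommended value.
OLD_ITERATIONS = 5000
RECOMMENDED_ITERATIONS = 100100

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key stretching: every guess at the master password
    must pay for `iterations` HMAC rounds before it can even be checked."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=32)

def seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    """Measure the cost of one guess on this machine (constructed salt and password)."""
    salt = b"constructed-salt-not-a-real-vault"
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_vault_key("not-the-real-master-password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Work in bits to exhaust every password of `length` chars from the alphabet."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, iterations: int, hmac_per_second: float) -> float:
    """Assumed attacker model (a hypothetical rig doing `hmac_per_second` PBKDF2
    HMAC rounds per second): each guess costs `iterations` rounds, so the
    iteration count divides the attacker's guess rate directly."""
    guesses_per_second = hmac_per_second / iterations
    return (2 ** bits / guesses_per_second) / (365.25 * 24 * 3600)

def work_factor_ratio(old: int = OLD_ITERATIONS, new: int = RECOMMENDED_ITERATIONS) -> float:
    """How many times more work per guess the higher setting imposes."""
    return new / old

if __name__ == "__main__":
    bits = keyspace_bits(12, 95)  # 12 printable-ASCII characters, as in the question above
    for it in (OLD_ITERATIONS, RECOMMENDED_ITERATIONS):
        print(f"{it:>6} iterations: {seconds_per_guess(it) * 1e3:.1f} ms/guess here, "
              f"{years_to_exhaust(bits, it, 1e11):.3e} years at an assumed 1e11 HMAC/s")
    print(f"work factor ratio: {work_factor_ratio():.2f}x")
```

The years figure is for exhausting the whole keyspace; a dictionary-based or otherwise guessable master password falls far sooner, which is why the iteration count only buys time rather than safety.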

Thanks Leo! I am in the process of changing all critical passwords that are not 2FA. Just trying to determine the urgency. It’s a shame that, prior to this, they did not analyze accounts and recommend security settings. Even Google sends out recommendations. And it’s a shame their email notification did not explain clearly that the iterations setting has a bearing on the vulnerability of the data. They clearly don’t have clients’ best interests in mind.

4 Likes

Moving from LastPass to BitWarden was a piece of cake.

I’m currently working on migrating an acquisition’s password keeper that is only accessible via VPN to a new server that doesn’t require the VPN (we’re eliminating the VPN). This is just a temporary stopgap until we merge our systems and they go into our corporate system for this. The current system exports into Keepass format, and the system I’m migrating to is supposed to import the file, but it’s barking on the folders.

They do actually, but only for paid accounts… or at least that was the upsell they kept giving me.

  1. Migrated to Bitwarden from LastPass Family
  2. Updated LastPass payment to use Privacy.com and placed on pause
  3. Disabled LastPass account auto renewal

1 Like

Once you are sure that everything has transferred properly, don’t forget to go back and delete all entries in your LastPass safe.

You should also go through all your sites with Bitwarden and change the passwords, to be on the safe side.

1 Like

Do a manual delete before closing LastPass account just in case LastPass fails to appropriately purge closed accounts?

2 Likes

LastPass defaults: why would you not want to receive notifications when your Email or Master password changed?

1 Like

Yes. Even if you delete the account, there is no guarantee that LP will delete it straight away and not simply mark it as deleted.

1 Like

Hi all. I’m one of those “Long time listener, first time caller” (in this case, commenter) going back to the TechTV days when I watched Leo and Steve on my DirecTivo.

I just want to say, I was a big fan of LastPass, 99% sure I heard about it from Leo, and agree with the need for a password manager in our current times. I also accept his apology for telling us to use LastPass.

But I’m having a massive headache in having to deal with this latest hack. I have over 1,000 records saved in LastPass, and while I’m sure I only need 1/10th of them (but it is still a lot: all the banking sites, retirement sites, email sites, credit bureaus, airlines, work, school, the list goes on…), my early guess is this will take me weeks to completely change all my passwords. I will work as fast as I can, but I can’t ignore my family either during this process.

Let me get to my point. By the conclusion of SN 904, Steve agreed to move over to BitWarden (and Leo already has, several years ago). But is an online repository of millions of users with billions of passwords the best place to store our passwords?

What I’m trying to say is, shouldn’t we store our passwords using a password manager that stores them locally (google “Password Managers with local storage”), and if necessary, sync them across devices using traditional cloud providers? Those can still be hacked, but there’s certainly a lot more stuff that hackers will have to go through, and we control how much encryption (iterations, the type of algos, an additional key file that should not be synced, which is like splitting your password).

For the longest time, I thought that having 2FA would protect my LastPass account, but that’s for authentication (literally what the “A” stands for in 2FA). It will never protect against a hacker that gained access to a cloud password manager’s internal systems. While BitWarden has the distinction of being open sourced, that only provides additional assurance that the software itself is less likely to be hacked; it doesn’t give any assurance that BitWarden’s internal systems are better protected than LastPass (even though for now it is, as it is still a private company, unlike what LastPass has gone through).

To conclude, which provides a better incentive for a hacker? Spending 1,000 hours to get into the internal systems of a cloud password manager (and getting billions of passwords, once they spend enough GPU time to decrypt the databases) or spending 10+ hours or less to target an average joe to get access to only that person’s passwords? We all should carefully consider this before moving to another cloud password manager.

If your master password is secure enough (read: at least 25 or more characters, and not something you would find in a dictionary attack, so not just a concatenation of words like that XKCD HorseStapleBattery thing), then there is almost zero chance they will ever brute force your password database.

I suggest a password that you derive by a means only you know. Like using a favourite poem or lyric and then using an algorithm to generate your password. I am always loath to show an example with these, because someone will surely try to use it as presented, and it will at the same time get added to existing dictionaries. But for example, if you based a password off a phrase like “There once was a man from Hants, who had a terrible time buying pants, He was really quite tall, Over five hundred feet in all, His tailors all looked like tiny ants.” Now from this, you might intersperse a childhood phone number (let’s pretend 555-123-4567) and end up with a password like: TeOeWsAMnFmHs555WoHdATeTeBgPs123HeWsRyQeTl45Or500FtInAl67HsTsAlLdLeTyAs

Also you’d probably throw some punctuation in there… which makes it a nightmare to type even once, so you’re likely to use the remember this password feature.

1 Like

I thought my password was long enough (longer than 25 characters), but repetition in part of the password reduced the entropy, which I didn’t pay enough attention to until it was too late.

To my knowledge, my passwords stored in LastPass have not been used yet, but it is only a matter of time.

I like the entropy of the password you mentioned (over 293 bits), and interspersing numbers is absolutely necessary as I’m sure some hacker has already asked ChatGPT to create a dictionary of all famous phrases/poems/limericks by only using the first and last character of each word and capitalizing the first word. The only problem is, how does a person remember where the numbers were interspersed in the password?

Well in “my” algorithm, they’re between stanzas of the limerick. You would be advised to do something different, such as maybe stick a digit after every article (a, the, of, etc) or after any word that starts with your favourite letter. Whatever you come up with, so long as it works for you, and you never reveal it, is pretty likely to be good enough if your password is nice and long.

I will also remind you of Steve’s password lengthening approach. If the number were 15 and you decided to do something like 15 underscores instead, that’s likely to have a massive effect on the difficulty of cracking it (even though not high entropy) and is still pretty memorable.

1 Like

The problem is, as soon as you put it on the cloud, whether through a password manager cloud service or a normal cloud service, you are back to square one. With a local password manager, you have the physical security, but inconvenience, of it only being on one device (plus a backup, hopefully). As soon as you put it on a cloud service to sync it, it becomes less secure. The number of iterations etc. is up to you - it was on LastPass as well, but most people didn’t look at those settings, and LastPass failed in its duty of care by not informing users when the number of iterations was no longer strong enough.

Yes, accumulated password managers on one site make them a target, but the cloud data services, like OneDrive, Dropbox etc. are also under constant attack. Whether they get your vault through the password manager cloud or your file storage cloud makes no difference, at the end of the day.

As Steve pointed out in his original Password Haystacks episode, repetition doesn’t matter so much, because, with the hash, you won’t see the repetition and, unless the attacker knows you repeated part of the password, they still need to check every possible combination, starting from the minimum length allowed on the service and working up to the length you have.

He pointed out that “Adk409ifn45ug$5§t98ge**4ek59reewrklökj” is no more secure than “monkey123…”, because cracking the password isn’t like cracking a mechanical safe, where you crack the first letter, then move on; you have to crack every single character at the same time, so you don’t know, until you have the hacked password, whether there is any repetition in there.

(Caveat - there might be some hashing or encryption algorithms out there that are poorly implemented and might show the repetition, but the ones that are generally used cannot be used to recognise repetition.)

Where the repetition falls down, is if somebody is looking over your shoulder, whilst you are typing the password.

The problem is using known words and phrases on their own, even multiple words strung together, as they are the easiest and quickest to test against, because those known-word passwords are the easiest for humans to remember, so they will be tested first; then they have to resort to going through all possible combinations of characters, symbols and digits, and it is that that really takes the time.

2 Likes

I’m a bit confused about entropy for passwords. According to Zxcvbn, if you lengthen a password by repeating the same word (ex: catcatcat), you only have an entropy of 11.30. If you use that 9 character length with a random number (ex: 235432781), the entropy jumps to 25.68.

According to Google, the number of guesses required for a password based on its entropy is 2^n. An entropy of 11.30 is 2^11.30, which is 2,522 guesses. An entropy of 25.68 is 2^25.68, which is 53,758,890 guesses.

So while I can repeat the word “cat” to make it 75 characters long, it still only has an entropy of 14.35, which would mean it will take only 20,883 guesses to find the password, making it significantly more vulnerable than the 9 digit password. This is where I’m confused and frightened, given how lengthening a password does not significantly increase entropy if there are repeating characters. I wasn’t as egregious in terms of repeating “cat” for my master password, but I’m less than comfortable with what Zxcvbn calculated as its entropy.
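An added example (not from the thread) of the two attacker models the posts above are arguing about, using a simplified version of zxcvbn’s scoring: a repeated token costs its base guesses times the repeat count, whereas exhaustive search would cost charset^length, which is the Haystacks view. The wordlist ranks are constructed for illustration and do not reproduce zxcvbn’s exact figures.

```python
import math

# Constructed wordlist ranks (position in a frequency list). zxcvbn uses real
# lists; these values are illustrative only.
DICT_RANK = {"password": 2, "monkey": 20, "cat": 1200, "dog": 1300}
SYMBOLS = 33  # printable ASCII that is neither a letter nor a digit

def brute_force_guesses(password: str) -> int:
    """Exhaustive-search cost: the smallest character classes that cover the
    password, raised to its length (the attacker model in the Haystacks posts)."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += SYMBOLS
    return size ** len(password)

def smallest_repeat_unit(password: str) -> str:
    """Shortest u such that password == u * k; the password itself if there is none."""
    n = len(password)
    for length in range(1, n // 2 + 1):
        if n % length == 0 and password[:length] * (n // length) == password:
            return password[:length]
    return password

def base_guesses(token: str) -> int:
    """One token costs its wordlist rank if it is a known word, else exhaustive search."""
    return DICT_RANK.get(token, brute_force_guesses(token))

def pattern_guesses(password: str) -> int:
    """zxcvbn-style repeat scoring: base guesses * repeat count, so each extra
    copy adds only log2(k) bits instead of multiplying the search space."""
    unit = smallest_repeat_unit(password)
    return base_guesses(unit) * (len(password) // len(unit))

def entropy_bits(guesses: float) -> float:
    """Guess count expressed as bits, the inverse of the 2^n rule quoted above."""
    return math.log2(guesses)

if __name__ == "__main__":
    for pw in ("catcatcat", "cat" * 25, "235432781"):
        print(f"{len(pw):>2} chars  pattern model {entropy_bits(pattern_guesses(pw)):6.2f} bits"
              f"  exhaustive {entropy_bits(brute_force_guesses(pw)):7.2f} bits")
```

The two columns show why the two posts disagree: the hash hides the repetition, but a cracking tool does not need to see it, it simply tries the dictionary-times-repeat candidates before it tries exhaustive search.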