The LastPass Hack Was Worse Than We Thought

  • Published 31 Jul 2024
  • In this video I cover the latest information about the lastpass data breach.
    Follow me on Odysee
    odysee.com/@AlphaNerd:8
    ₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
    Monero
    45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
    Bitcoin
    3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
    Ethereum
    0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
    Litecoin
    MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF
    Dash
    Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz
    Zcash
    t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr
    Chainlink
    0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14
    Bitcoin Cash
    qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp
    Ethereum Classic
    0xeA641e59913960f578ad39A6B4d02051A5556BfC
    USD Coin
    0x0B045f743A693b225630862a3464B52fefE79FdB
    Subscribe to my TH-cam channel goo.gl/9U10Wz
    and be sure to click that notification bell so you know when new videos are released.
  • Science & Technology

Comments • 1.8K

  • @coldpizza2453 (1 year ago, +6611)

    Thank god I have all my passwords in plain txt on the desktop

    • @xslvrxslwt (1 year ago, +662)

      Surely more secure than a proprietary password manager. Basically you know something is marked as a target and you know you can't see the source... literally giving away your data for free.

    • @RealCyberCrime (1 year ago, +746)

      It sounds like some kind of sick joke, but that's literally safer than many other places lol

    • @aurorastudios5955 (1 year ago, +408)

      Aren't there some ways you can encrypt them on your desktop? I have them all written down in my room so they're always secure from hackers. If they're in danger in my room, I'm probably in danger too, so the passwords shouldn't be my priority then lol.

    • @愛 (1 year ago, +566)

      @kaanbuyukerdem Keep ass

    • @RealCyberCrime (1 year ago, +27)

      @aurorastudios5955 There are password managers you can install; those will be encrypted, but there are many other ways to encrypt without one.

  • @user-mc5dt2cr5h (1 year ago, +791)

    I only trust my passwords to the voices in my head. No one has stolen them yet.

    • @TyrantExterminator1776 (1 year ago, +129)

      Elon Musk with his Brain Implant has plans for that.

    • @vranime3772 (1 year ago, +44)

      Can you trust the voices in your head?

    • @kvykimo (1 year ago, +2)

      getoutofmyheadgetoutofmyheadgetoutofmyheadgetoutofmyheadgetoutofmyheadgetoutofmyheadgetoutofmyhead

    • @w花b (1 year ago, +55)

      @TyrantExterminator1776 he's too busy implanting hairs in his scalp for that

    • @insensitive919 (1 year ago)

      And siring more illegitimate children.

  • @babybirdhome (1 year ago, +202)

    There’s a pretty critical point you forgot to address in your video for LastPass customers. One of the advanced settings in your vault is the number of iterations used to derive your decryption key. In the ancient of days (for users who’ve had an account for years), the default for this setting was 5,000 iterations. Not so today. It has long since been updated to 100,100 iterations minimum. For users who have a sufficiently complex master password, if your vault was using fewer than 100,100 iterations for that setting, then you could potentially still be at some risk of your vault being brute forced if it was one of those that was accessed. With only needing to go through 5,000 iterations instead of 100,100 iterations or more, that _significantly_ reduces the compute time required to test each brute force password.
    Everyone who got a notice about this needs to open their vault and go to settings, advanced settings, and check the number of iterations your vault is configured to use. If it’s not _at least_ 100,100 then you need to update it to at least 100,100 which will require re-encrypting your vault, and then depending on the abundance of caution you want to exercise to protect your logins, you should also update your stored passwords for all your stored accounts.
    On the other hand, if you met the suggested minimum requirements for an actual secure master password _and_ your vault was configured to use at least 100,100 iterations, then you’re all good here already, unless you don’t plan on updating any sensitive passwords in the next several years to the point where 100,100 iterations is also insufficient protection.
    Also, you kind of misconstrued what happened here. This was a secondary breach related to the breach back in August, but not the SAME breach as back in August. This breach took place _after_ that one, and occurred because the information obtained in the first breach was then used to phish or social engineer another LastPass user which then allowed them to gain access to backed up vaults on a cloud storage system. Read the blog post again - these were two separate but related security incidents. The reason this point is informative and useful is because what the attacker did to get into LastPass’ systems again following the initial incident is precisely the kind of attack they’d now be trying to use against LastPass customers - a point that needs to not be lost on people who use LastPass, and particularly not lost in board rooms of companies that use LastPass when their security teams start talking to them about things they need to do to ensure that their organizations don’t become victims of yet another sophisticated supply chain attack.

    • @steffen707- (1 year ago, +3)

      Many thanks for this post. I was already at 100,100 iterations with a quality master password. Any localized password sharing programs like LastPass out there?

    • @cozenvr (1 year ago, +4)

      @steffen707- There is KeePass, open source and you can host it locally.

    • @nate5234 (1 year ago, +1)

      Does the 5,000 vs 100,100 iteration issue apply to people that no longer have a LastPass account, or does it matter for anyone that had their encrypted vault data stolen? I had LastPass for about 10 years (so probably had it at 5,000), but deleted my LastPass account a month or two back as I'd switched to an alternate provider.

    • @petertgreen (1 year ago)

      I use dual factor authentication with a YubiKey; does that provide me more protection from this hack? I'd rather not change password manager and all my accounts that are in LastPass.

    • @CloudMountainJuror (1 year ago)

      I checked my Advanced settings and it doesn't detail anything about iterations anywhere.
      EDIT: Found it, I had to access it via web browser to see the setting. It doesn’t look like you can check that setting on the mobile app.

  • @dadecountyboos (1 year ago, +337)

    For five years I have used the same notebook for my sensitive info. Works pretty well as long as it can be kept up with. I never really liked the idea of keeping digital records of 16 character alphanumeric / symbolic passwords. After admin logins for routers, VPNs, computers, emails, phablets, web addresses, work logins, older family members' logs of the same, it started to get too risky. I got hacked through the MIT site doing my homework and redid all of my home network; I never looked back from the notebook. It's still not fail-safe as it could get lost or stolen. Maybe memorizing a few and rotating the memorized ones every six months would be the best action.

    • @elderberry-hamster (1 year ago, +24)

      I would do the notebook routine myself if I didn't have hundreds of passwords as of late. User names and passwords are so damn behind what technology can do to lock down personal or business accounts. Problem is having something effective and proven that will be adopted by the masses. If it was simple, someone would have come up with it already. 😬

    • @termiterasin (1 year ago, +9)

      Use KeePass. Free offline password manager works on phones too. Passwords should be short 3-5 word phrases with a number and symbol, making them easy to remember if needed.

    • @homuraakemi9556 (1 year ago, +8)

      I thought that using real dictionary words was not advisable anymore because password crackers attempt dictionary attacks nowadays

    • @SuperTort0ise (1 year ago, +18)

      @homuraakemi9556 Just replace some letters with something; dictionary attacks can't really deal with that.
      Something like this sentence
      Som5thing li&e th#s se7tence
      Then remember the replaced letters and where they go.

    • @housemouseshorts (1 year ago)

      that last part is what I do

  • @spookynutsack (1 year ago, +1019)

    "Corporations can steal your data"
    - data protector corp

    • @Jose04537 (1 year ago, +43)

      Data "protector" Corp

    • @chickenplays3758 (1 year ago)

      @griffy ye fucking bot

    • @g.r.o.g.u.1892 (1 year ago, +20)

      We protect your data, until we don't

    • @genericgorilla (1 year ago)

      Hi, I'm wallet protector corp, I'm here to protect your wallet. Please provide me with your wallet before we can continue

    • @XxJKLTVxX (1 year ago, +11)

      We protect your data from others so only we can have it

  • @Danominator (1 year ago, +2177)

    I have to be honest, I've always been a little on edge about using one of these things. Just seems like an easy target for hackers to go check out everybody's most important data.

    • @愛 (1 year ago, +93)

      Same dude, I keep my stuff on an encrypted drive instead

    • @Embassy_of_Jupiter (1 year ago, +1)

      *Peckers

    • @bullfrogboss8008 (1 year ago, +55)

      What do you do instead? I mean, it's pretty much impossible to remember multiple complex passwords

    • @estebanod (1 year ago, +52)

      @bullfrogboss8008 Encrypt a txt/csv file

    • @Ali-rb4bo (1 year ago, +54)

      Use KeePass

  • @jessicav2031 (1 year ago, +971)

    In my opinion, the most secure way to store passwords for people who don't know much about computers is to simply keep them in a notebook next to the computer, or maybe a locked drawer or something. Any service can and will be hacked, it is much easier for laypeople to think about physical security than security on a computer, and in most cases the main threat is from people on the other side of the planet. Pen and paper completely eliminates that technological threat (but of course we must also teach them about scams). But this type of solution doesn't fly with the marketers and gadget-pushers who are constantly trying to sell you something.

    • @Reth_Hard (1 year ago, +72)

      That's what my mom does, but she always ends up losing her piece of paper! lol
      I really tried to show her how to use a password manager but she always refuses because she thinks it's too complicated for her...
      Just explaining to her by phone how to install an app from the Google Store generally takes an hour! 😆

    • @marcopeterson805 (1 year ago, +75)

      That is also the best solution for people who also know about computers

    • @artexjay (1 year ago, +57)

      Just use an offline password manager like KeePass. It's not that hard to sync it yourself to your phone or mobile devices.

    • @bruhdabones (1 year ago, +60)

      The problem there is, it seems like people who write down passwords fall into reusing them or using a formula/base password. And it just takes them ages to find a password, especially if they aren’t at home. That’s what most of my family does.
      Not many laypeople will generate a random password for each service and write it down…

    • @TheBoostedDoge (1 year ago, +18)

      Yeah I recommend you watch the lock picking lawyer

  • @diego.almeida (1 year ago, +810)

    I might be mistaken, but if the hackers already have the backup vaults, the 2FA is irrelevant in this case. It only prevents the hacker from accessing the LastPass vault on behalf of the user. But since they already got access to the vault, only the master password prevents them from accessing your data inside. If you had a weak master password, you must change all the passwords for the accounts stored in the vault, regardless of whether you had 2FA enabled or not.

    • @nordgaren2358 (1 year ago, +80)

      2FA on the accounts stored in the lastpass.

    • @lubricustheslippery5028 (1 year ago, +16)

      The problem with 2FA is that your access has to be secure in two ways. 1. No one but you has to get the access. 2. You have to get the access.
      Without any good recovery function, 2FA will just be 2 points of failure in at least one of the cases.
      At work I can go to the IT department and they check if I am the person that should have the access and can restore my access, so then 2FA works! For stuff like my Google account it doesn't work and is just there for Google to better track me.

    • @Alexankitty (1 year ago, +21)

      I think what he was getting at is that hopefully the service passwords they had stored on last pass also have 2FA on them. Otherwise they're completely compromised.

    • @nordgaren2358 (1 year ago, +4)

      @Alexankitty Yea, but only if you have a bad master password.

    • @Alexankitty (1 year ago, +1)

      @nordgaren2358 Right. But it would be a good idea to update your password anyway, as it's not a matter of if but when it gets exposed, since they have the hashes.
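
The iteration-count thread further up and the 2FA thread just above come down to the same fact: a stolen vault backup is decrypted with a key derived from the master password alone, so the attacker works offline against a file they already hold, and only the password's strength and the KDF's iteration count stand in the way. The script below is an added example for this page, not code from the video or from LastPass. It models the vault key as PBKDF2-HMAC-SHA256 over the master password; using the lower-cased account e-mail as the salt and a 32-byte key are assumptions made for illustration, as are the sample e-mail, the weak master password and the tiny wordlist. It runs the same offline guess at 5,000 and at 100,100 iterations and times one derivation at each setting, so the cost difference the thread argues about shows up in seconds rather than as a claim.

```python
import hashlib
import hmac
import time

# Iteration counts named in the thread: the old LastPass default and the
# minimum it was later raised to.
LEGACY_ITERATIONS = 5_000
CURRENT_MINIMUM_ITERATIONS = 100_100


def derive_vault_key(master_password: str, account_email: str, iterations: int) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256.

    Modelled on the construction discussed in the thread. Salting with the
    lower-cased account e-mail is an assumption for illustration; the point
    is that nothing here is secret except the master password, so whoever
    holds a copy of the vault can recompute this key offline, as often as
    their hardware allows.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        account_email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def offline_guess(target_key: bytes, account_email: str, iterations: int, candidates):
    """Try each candidate master password against a stolen vault key.

    No login, rate limit or second factor is involved: 2FA protects the
    online account, not a vault blob already in the attacker's hands.
    Returns (matching_password, guesses_made) or (None, guesses_made).
    """
    for n, guess in enumerate(candidates, start=1):
        candidate_key = derive_vault_key(guess, account_email, iterations)
        if hmac.compare_digest(candidate_key, target_key):
            return guess, n
    return None, len(candidates)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the wall-clock cost of one derivation at this iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"timing-probe-{i}", "probe@example.com", iterations)
    return (time.perf_counter() - start) / samples


def iteration_cost_ratio(old: int, new: int) -> float:
    """How many times more work each guess costs after raising the iterations."""
    return new / old


if __name__ == "__main__":
    email = "victim@example.com"      # constructed sample account
    weak_master = "Summer2019!"       # constructed weak master password
    # Constructed mini wordlist standing in for a real cracking dictionary.
    wordlist = ["password", "letmein", "Winter2018!", "Summer2019!", "correcthorse"]

    for iters in (LEGACY_ITERATIONS, CURRENT_MINIMUM_ITERATIONS):
        stolen_key = derive_vault_key(weak_master, email, iters)
        found, tries = offline_guess(stolen_key, email, iters, wordlist)
        print(f"{iters:>7} iterations: cracked={found!r} after {tries} guesses, "
              f"{seconds_per_guess(iters):.4f} s per guess")

    ratio = iteration_cost_ratio(LEGACY_ITERATIONS, CURRENT_MINIMUM_ITERATIONS)
    print(f"raising {LEGACY_ITERATIONS} -> {CURRENT_MINIMUM_ITERATIONS} iterations "
          f"makes each guess about {ratio:.0f}x more expensive")
```

The weak password falls at both settings; the higher count only makes each guess roughly twenty times slower, which is why the thread's advice is to raise the iterations *and* use a master password strong enough that the guess count, not the per-guess cost, is what defeats the attacker. The timings here come from a single CPU core through OpenSSL; a GPU cracking rig runs the same derivation orders of magnitude faster, so treat the printed seconds as a lower bound on your exposure, not an upper one.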

  • @Aranimda (1 year ago, +244)

    The last password you will ever need.

    • @ledgeri (1 year ago, +11)

      The last password you ever hold (we dont know that, the rest will be breached)

    • @rushrush6754 (1 year ago, +7)

      Lost pass

    • @lesath7883 (1 year ago)

      ....to hack.

    • @samholdsworth420 (1 year ago)

      Y'all a bunch of suckers n fools

  • @dustykh (1 year ago, +18)

    Good old fashioned piece of paper

  • @PrettyBlueThings (1 year ago, +65)

    +1 for Keepass. Never ever have I been under the illusion that storing my most sensitive data on someone else's disks was a good idea.

    • @anandsharma7430 (1 year ago, +2)

      KeePassXC is another updated variant.

    • @PrettyBlueThings (1 year ago, +1)

      @anandsharma7430 Thanks, is it better than standard KeePass? I have only ever used standard.

    • @samik83 (1 year ago, +4)

      Former LastPass user here.
      I've been learning KeePassXC for the last couple of days. Imported everything from LastPass.
      Not as easy to use as LastPass, but it does the trick with the browser extension. Also I was using the free version of LastPass, so I only got desktop support. It was a pain to dig up login info through the website on my phone, but KeePassDX (the Android app) made it much simpler, although it's still kinda clunky but I can deal with it.
      Also installed Syncthing to always have an updated version of my database on all devices. Sharing the database across devices with Google Drive or OneDrive works too, but then it's out in the open again, though with something like a 20 character password nobody's getting it open in a few million years. Adding a key file to the decryption also adds another layer of protection and doesn't add any time to the login process.

    • @PrettyBlueThings (1 year ago)

      @samik83 That's really great info, thanks!

    • @anandsharma7430 (1 year ago, +3)

      @PrettyBlueThings Actually, I've sort of misinformed you. I use Linux and KeePass is not available on Linux, so someone made KeePassXC. However, on Windows, KeePass is fine and standard, nothing to worry about. Sorry, my bad.

  • @dimasskarabas (1 year ago, +89)

    Woah! It is almost like centralizing account credentials of millions of people is a really sweet target for cybercriminals 😳
    Truly mind blowing 🤯

    • @phoneticalballsack (1 year ago, +3)

      Putin is good

    • @Velvet-Veil (1 year ago, +1)

      @phoneticalballsack “Putin is good” -a fucking elephant

    • @phoneticalballsack (1 year ago)

      @Velvet-Veil I love lego stop motioning

    • @nordgaren2358 (1 year ago)

      Not really, no.
      The passwords are still safe, unless the user was dumb.
      Maybe LastPass should be more careful with their user metadata that isn't security priority.

    • @ffqqz (1 year ago, +1)

      @phoneticalballsack Based

  • @hypercrack7440 (1 year ago, +29)

    Oh I am thankful Bitwarden exists.

    • @77wolfblade (1 year ago, +3)

      open source BABY!

  • @AriannaEuryaleMusic (1 year ago)

    Merry Xmas! and Thank you for ALL your videos; I have learned so much from you.

  • @MarkBryant007 (1 year ago, +4)

    Would love to see a self hosting tutorial. Thanks for the info. Keep up the good work.

  • @ryaniglesias6381 (1 year ago, +171)

    Thank you Mental Outlaw... love your channel ...... it is amazing how they released this just before Christmas, probably thinking everyone is busy and no one will notice

    • @socialkruption (1 year ago)

      @chad007. fuck you chad glowie bot, get fucked son! I aint clikin dat shit!

    • @w花b (1 year ago, +1)

      The best Christmas gift

    • @Kaiyats (1 year ago)

      @Chad 007 fuck sake

    • @TyrellJoanna (1 year ago)

      KeePass is used with Cryptomator and Dropbox. This is the best method!

    • @speedfastman (1 year ago, +1)

      According to GDPR they have to notify their users as soon as they find out data was compromised.

  • @rdean150 (1 year ago, +3)

    Nice. I just commented on your original Lastpass video like 12 hours ago asking for this crucial update. And boom, now this. I guess you were already on top of it. Thanks!

  • @BloOD888 (1 year ago, +59)

    Self-hosted means you should absolutely know what you are doing at any moment, and have good security culture, software update mechanisms and habits. Inexorably, software becomes out-of-date and security issues start to emerge.
    Maintaining this requires time, discipline and expertise.
    I would not recommend this. Instead, manage your passwords offline, use a solid passphrase and back up your vault often. After all, the vault itself is often a single (encrypted) file.
    Even if I don't agree about self-hosting, this video is pertinent, as usual.

    • @W--ko9ms (1 year ago)

      Agreed, although if you're in the field anyway and you know the risks and best practices to mitigate those risks to a reasonable degree, you should be alright. Self-hosted also means you're less of a target, since the adversaries will put their focus on the service hosting the most vaults.

    • @jamesedwards3923 (1 year ago)

      KeePass or Password Safe. The only cloud software I recommend is Password Safe.

    • @KAW0111 (1 year ago)

      Just create a KeePass file with a strong password and sync it with Google Drive or something similar. Not even the cloud provider will have access to it.

    • @procrastinates (1 year ago)

      Just be a Gigachad and write down your password on a piece of paper.

  • @EpicLPer (1 year ago, +93)

    The problem with self-hosting your password manager is that it's also potentially easy to break in and steal data, but with the added factor now that you most likely will not notice a data breach this time if you don't have proper monitoring in place. With a big service like LastPass you'll at least hear pretty soon when something happened.

    • @quentinlemaitre2998 (1 year ago, +14)

      Yup, I trust a specialised service more than myself when it comes to sensitive data which is why I will never host anything on my NAS that is public facing. Not that I use cloud password managers anyway.

    • @hobomisanthropus2414 (1 year ago, +18)

      The problem with trusting a centralized service to host your password is they're a giant target so the odds of them getting attacked are literally 100%. The odds of you being attacked are as close to 0 as the term "Nonzero" can support.

    • @horseradish843 (1 year ago, +13)

      @hobomisanthropus2414 Until a general exploit is found for the self-hosted password manager; then it doesn't take a long time to hack a lot of sites, just like how IoT devices get hacked. When that happens you are on your own.

    • @EpicLPer (1 year ago, +7)

      @hobomisanthropus2414 Which is true until an exploit for self-hosted services is found... which is entirely automated then and steals it on-the-fly without your notice

    • @szymex8341 (1 year ago, +3)

      It's encrypted anyway, so if someone breaches your self-hosted password manager it's not that big of a deal. I trust a self-hosted password manager more than a proprietary one, which is also a big target.
      Also if you run your self-hosted password manager behind WireGuard, it's much more secure.

  • @ovalwingnut (1 year ago, +19)

    Thank you "Mr Mental". Always looking out for the little guy (and NO in-video commercials! How dew you dew it)

  • @lanpartylandlord6123 (1 year ago, +5)

    Yo Kenny, you should do some videos on things you're learning in Rust. I want to learn it as well, and it would be cool to see someone who is new to it explain what they're learning.

  • @mikerollin4073 (1 year ago, +2)

    Looking forward to the follow-up because the only reason I haven't gone that route is there are certain features like 'password autofill' that are too damn useful to go without.

  • @XxNightmare128xX (1 year ago, +75)

    Ever since you recommended KeePass I've felt extremely secure in my passwords. Would love if you could do more videos on alternatives like that. Would be awesome to find an alternative to something like Google Calendar!

    • @JustPlayerDE (1 year ago, +13)

      Self-hosted Bitwarden is also nice

    • @xX_Lol6_Xx (1 year ago, +12)

      Yeah, KeePassXC is a godsend, couldn't be more satisfied with it.

    • @RottenFishbone (1 year ago, +1)

      @JustPlayerDE This. Vaultwarden lets you have all the premium features, namely the TOTP feature, while self-hosting.

    • @ano_nym (1 year ago, +1)

      Thunderbird has a built in calendar that works with mail invitations.

    • @93davve93 (1 year ago, +1)

      Check out Proton Mail's calendar. Haven't used it myself but might be what you're looking for.

  • @seronymus (1 year ago, +20)

    It's over. The West has fallen. My passwords. My NFTs...

  • @TheLinKrust (1 year ago, +7)

    Thanks for this - I’m a non IT person and appreciate your balanced and calm information

    • @atotiten (1 year ago)

      proof:
      th-cam.com/video/mCfYi7634rU/w-d-xo.html

  • @scalbaldyfruub7499 (1 year ago)

    Excellent spotlight! Thank you!

  • @akzorz9197 (1 year ago)

    420k subs. Grats my dude. Thanks for the videos as always.

  • @jensvanderveen5490 (1 year ago, +9)

    The last time I was this early, LastPass was still saying no customer data was stolen...

  • @crashniels (1 year ago, +38)

    Bitwarden is pretty good. Open source and self hostable

    • @darukutsu (1 year ago, +1)

      This is best I think; you can even spin up your own instance, as with Nextcloud on your own server.

    • @hopelessdecoy (1 year ago, +4)

      Isn't hosting your own hackable server worse than a company with a security team?

    • @amber1862 (1 year ago)

      @hopelessdecoy No. Most people are nobodies, so why would they specifically target you and your server?

    • @Gunzy83 (1 year ago, +5)

      @amber1862 Arguing security by obscurity is nonsense. If you self-host on the internet you will get scanned, and if you don't stay up to date with patching you will get pwned.

    • @amber1862 (1 year ago)

      @Gunzy83 As a LastPass victim, it’s hard to completely dismiss. You never know what’s on someone’s server, but you can be absolutely sure what’s on LastPass’ system, especially when you consider how this was even achieved in the first place…
      Obscurity is a terrible thing to rely on, I agree, but it’s still effective, and if you’re monitoring your servers correctly, you can be notified instantly, instead of the truth/true damage hiding behind vague, delayed and financially-incentivised BS like LastPass repeatedly put out to their customers.

  • @elderberry-hamster (1 year ago, +5)

    This was a valuable video on such a serious topic. I do hope you consider producing a video or mini-series on self-hosted password management implementation. Thanks so much!
    👍

  • @pommy_the_mimic (1 year ago, +14)

    You have no idea the level of irony... I just got an ad for 1password with the title of the video being what it is, only for 5 seconds in to be listed as one of the many password managers that you are talking about.
    I'm dying 😂

  • @mitkonikolov1439 (1 year ago, +3)

    I've been intimidated by the choices and issues with different password manager options, I'd love to see a vid on what the self hosted version looks like.

  • @Acor3pl (1 year ago, +47)

    Even having technical skills, I do not think I would trust myself to self-host something like a password manager. Like, is SSH only with key files enough, what else should one do with a fresh server? I would be glad if you would go over those aspects in the video as well.

    • @mrbanana6464 (1 year ago)

      Kenny already did a video on securing an SSH server. As for self-hosting, just set up a VPN and set the listen interface on whatever program you’re using to the VPN interface.

    • @Random_Internet_Dude (1 year ago, +3)

      @mrbanana6464 Can you say which is the SSH video?

    • @93davve93 (1 year ago)

      @Random_Internet_Dude Might be something with FreeBSD in the title...?

    • @jamescollins6085 (1 year ago)

      As long as it's encrypted, you have nothing to worry about. Individuals are rarely targeted by hackers, as they aren't worth the effort unless they're very wealthy and can be easily exploited.

    • @mrbanana6464 (1 year ago)

      @Random_Internet_Dude It’s called “how to secure a VPS”

  • @TyrantKingFrost (1 year ago, +2)

    Looking forward to your next video, Kenny! I use Bitwarden myself but I plan to switch to a self-hosted one.

  • @nefrace (1 year ago, +2)

    That's why I use my own instance of Vaultwarden instead of default cloud solution. I really got concerned about the possibility of someone to hack into these password management services in the first place.

  • @unlucky1307 (1 year ago, +63)

    Yep, I expected something like this when the hack first happened. There's far too much concern about how it looks initially and getting some rushed PR approved garbage in front of people so they don't panic and dump the service, and then that leaves months where password crackers could have been pummeling away at data and maybe got some lucky cracks that lost other companies potentially millions of dollars, or led to their own breaches because they thought that nothing had been taken that could be used like that.
    I'll forever stick to KeePass, and if it comes down to needing to sync easily in a way a normie can do it, I'll at least show them how to sync it with Google Drive or OneDrive to avoid it being as much of a target as LastPass.

    • @TyrellJoanna (1 year ago, +1)

      KeePass is used with Cryptomator and Dropbox. This is the best method!

    • @jamesedwards3923 (1 year ago, +1)

      @TyrellJoanna I use KeePass. However, I am still learning Cryptomator. Do you have any good video guides? There are a lot of technical details I must learn.
      Also trying to learn how to properly use PGP. Funny, I am an old head yet never fully learned how to use PGP.

    • @r.pizzamonkey7379 (1 year ago, +5)

      I don't think that's actually substantially more secure than a password manager. You can already self-host open source password managers like Bitwarden and KeeWeb for free, and that ensures the data is following best practices in terms of what's sent over the network.
      This seems like the classic folly where, it _might_ be more secure if you really know what you're doing and aren't a huge target, but you're also introducing a lot of room for mistakes. Essentially you're either a valuable target, in which case it's substantially less secure, or you're not a big target in which case the only security you're getting is just hoping that people won't bother.

    • @unlucky1307 (1 year ago)

      @r.pizzamonkey7379 While it may not be substantially more secure from a technical perspective, a file that's kept offline and inaccessible to attackers that aren't able to physically access a machine is always going to be tougher to even get the chance for those technical attacks.
      As for normies who have to have it sync via Google Drive or something similar, teaching them to have MFA enabled and configured properly can mitigate any threats as long as they're also not a target worth investing a ton of time into, or a complete dunce with security.
      Unless you were talking about the above replies which were essentially saying to encrypt an already encrypted file, which seems a bit silly to me.

    • @r.pizzamonkey7379 (1 year ago, +1)

      @unlucky1307 Having a file that's kept offline and "inaccessible" (in theory) would be substantially more secure. I say "in theory" because again, if you're a huge target it's entirely possible someone gets remote access to your computer through a trojan or something to that effect.
      Again though, you run the risk of putting all your eggs in one basket. If the hard drive that file is saved upon fails, you're screwed. You can sync it on the cloud like mentioned above, but that's basically just reinventing a password manager with all of the opportunities for failure mentioned above. Again, a password manager will never actually be a substitute for good security practices, but I think it's safer than trying to do everything yourself, specifically because it's been heavily audited and has stood the test of time.
      It's the same reason I advocate for *not* using apps like Google Authenticator which don't allow you to back up your authenticator codes. 2FA is only secure if you can't bypass it, which means if you lose it you're screwed. I think apps like Authy or Aegis are a much better choice for your 2FA codes, assuming a very strong password or exporting and encrypting your tokens somewhere secure.

  • @HerrBlauzahn
    @HerrBlauzahn 1 year ago +5

    Thank god I use my own Vaultwarden installation.

  • @scottrobinson4611
    @scottrobinson4611 1 year ago

    Love that I got an ad for another password manager at the start of this video.

  • @Kyocus
    @Kyocus 1 year ago +14

    If you have a heavy online footprint, especially into a large number of secure systems, then a PW manager is almost required for any efficiency. This is especially the case with modern PW standards. I look forward to your video about an alternative, because I use LastPass. I have a more secure PW than the recommended standard, so I'm not really worried about the breach. They definitely need better security practices.

    • @wetter4293
      @wetter4293 1 year ago

      You should still change your master password because over time, encryption standards will improve, and naturally, decryption methods and compute power will ALSO get better, meaning it'll be a matter of time before even the most complex passwords get cracked... especially so if they're spreading around copies of vaults....

  • @RealCyberCrime
    @RealCyberCrime 1 year ago +81

    I will never betray KeePass. Always been bae

    • @Sturmtiger_go_boom
      @Sturmtiger_go_boom 1 year ago +2

      yep...

    • @zeeMuniStacksBundles
      @zeeMuniStacksBundles 1 year ago

      #keepass crew gang squad checking in we are masterrace kthx

    • @trajectoryunown
      @trajectoryunown 1 year ago +2

      @@Kuznet609 I use KeePassXC and KeePassDX on Android because that seemed like the only real option at the time.
      How many clicks does it take to enter a password with KeePass2Android?
      Because it's a whole thing with KeePassDX, even using a fingerprint instead of typing anything to access my passwords.
      - Switch keyboard
      - Select keyboard
      - Click password icon
      - Fingerprint reader
      - Select entry set
      - Paste name
      - Paste password
      - Switch keyboard
      - Select main keyboard
      So yeah... 9 actions for a single sign in.

    • @Koba_78
      @Koba_78 1 year ago

      @don't be surprised What!? I had been waiting for it for so long!

    • @Excalibaard
      @Excalibaard 1 year ago +1

      @trajectoryunown Keepass2Android can recognize sites and apps, so you just have to press on the input field and it can autofill. Only works when your vault is unlocked. Most of the time it isn't, so you still need a shortcut and copy from the app. Could use the k2a-keyboard but never bothered tbh.

  • @chocopiton
    @chocopiton 1 year ago +50

    I've personally been using KeePass along with Dropbox for quite some time now; the Dropbox choice was to make life easier for syncing with mobile KeePass-compatible apps. Setup is easy and doesn't rely on a whole password-manager-as-a-service thingy

    • @YodielandInhabitant710
      @YodielandInhabitant710 1 year ago +12

      Dropbox is an unencrypted glowie honeypot.

    • @lozzamanuk
      @lozzamanuk 1 year ago +15

      @@YodielandInhabitant710 In theory doesn't matter too much as long as the keepass is secured with a strong master password.
      But I agree Dropbox isn't really the best choice.

    • @YodielandInhabitant710
      @YodielandInhabitant710 1 year ago +19

      @@lozzamanuk yeah, the encryption of the file itself is the important bit, I just don't want anyone thinking dropbox itself is secure

    • @marlonbasten
      @marlonbasten 1 year ago +3

      Have been using KeePassXC and Syncthing. Maybe you should consider switching from Dropbox to Syncthing as it syncs files using P2P. Also, maybe consider switching to a self-hosted Nextcloud? Dropbox could also be breached and idk what you store there but it certainly would be bad if it would get stolen.

    • @glitchy_weasel
      @glitchy_weasel 1 year ago +1

      @@marlonbasten Self-hosted Nextcloud is really cool if you have an old computer lying around that you can turn into a server. Ain't nobody else getting even the encrypted vault file that way.

  • @M4TTYN
    @M4TTYN 1 year ago

    I moved from LastPass long ago after the past breach and moved to something else, but I've had my eyes on self-hosting options for a password manager. Can't wait for your video on it.

  • @Akash-._
    @Akash-._ 1 year ago

    Thanks for the amazing videos this year Kenny! Merry Christmasss!! :)

  • @j2simpso
    @j2simpso 1 year ago +7

    LastPass went from the number one open source password manager recommended by Richard Stallman to now the number one public security database! The hits keep comin'!

    • @SethEssington
      @SethEssington 1 year ago

      Wait....If they are open source, how was the source code "stolen?"

  • @gerhardroediger8331
    @gerhardroediger8331 1 year ago +11

    I'd love to hear about a FOSS password solution in one of your videos. Especially something which can be used in teams to share credential information would be nice.

    • @darukutsu
      @darukutsu 1 year ago +5

      Bitwarden has plenty of options and it's open-source.

    • @gerhardroediger8331
      @gerhardroediger8331 1 year ago

      @@darukutsu I took a quick look at Bitwarden and it seems to me that you need a license to use the features needed in a team setup to share logins. So although it is open source, the license thing could still be a thing, as I am not willing to remove code and recompile from the altered source every time there are updates coming out. I may also have missed something :D

    • @RottenFishbone
      @RottenFishbone 1 year ago +4

      @@gerhardroediger8331 Vaultwarden lets you self-host Bitwarden with all the premium features for free. It's a reimplementation of Bitwarden, though, so that's not as ideal as if Bitwarden was just free.

    • @gerhardroediger8331
      @gerhardroediger8331 1 year ago

      @@RottenFishbone Thanks for the hint. This looks like the solution I was looking for. Diving suit is on... taking a jump into the depths of the Vaultwarden documentation ;)

    • @waves20
      @waves20 1 year ago

      Keepass is good

  • @stevengill1736
    @stevengill1736 1 year ago

    Sounds great, looking forward to it...cool yule & a frantic first!

  • @thesingularity1010
    @thesingularity1010 1 year ago

    Looking forward to that future vid. Keep up the great work.

  • @lesath7883
    @lesath7883 1 year ago +4

    I can almost read the phishing emails....
    "Dear customer,
    The hacking from 4 months ago was more thorough than we thought.
    Please click here to reset your credentials and keep your account secure.
    Best regards, the hackers."

  • @jamessmith1652
    @jamessmith1652 1 year ago +18

    There's a guy on Twitter who puts his wallet seeds in LastPass (why I don't know) and claims wallets have been emptied, implying that either they somehow cracked his master password or LastPass did not encrypt all his secrets. I use Bitwarden paid service, not gonna lie I know it's a target. Security professionals always say "security by obscurity is worthless" but I disagree. If I self hosted, I'm less likely to be a target of great focus, just the usual people scanning IP ranges. That might be better than being part of a huge asset like a password manager's database, sticking out like a sore thumb.

    • @KC-rd3gw
      @KC-rd3gw 1 year ago

      I've been thinking of doing the same thing. I would recommend encrypting your secrets with PGP though. I've never trusted secure notes even if they are master password protected

    • @jamessmith1652
      @jamessmith1652 1 year ago

      @@KC-rd3gw thanks, is there a nice and easy way to encrypt and decrypt this way on the fly?

    • @yestermonth
      @yestermonth 1 year ago

      @@jamessmith1652 KeePass?

  • @TraJikarMac
    @TraJikarMac 1 year ago

    hope you create that video as soon as possible, and thanks for your informative and useful content

  • @maanvis81
    @maanvis81 1 year ago

    Thanks for providing this additional insight on the lastpass hack !

  • @manny7886
    @manny7886 1 year ago +75

    No matter what password manager you choose to use, always SALT your stored passwords. Salting means you store your passwords partially. Since the stored passwords are incomplete, you have to add the missing characters upon logging in. Also, since the passwords are incomplete, they're of no use to the hackers.

    • @stretch654
      @stretch654 1 year ago +9

      Interesting suggestion - I might try that. Thanks.

    • @shadowninja6689
      @shadowninja6689 1 year ago +5

      That's not too practical for password managers, they automatically fill in your passwords and try to auto-sign you into sites.

    • @killedrome2
      @killedrome2 1 year ago +12

      @@shadowninja6689 idk never had any that try to auto-login instantly after filling in the password

    • @anandsharma7430
      @anandsharma7430 1 year ago +4

      This is great advice, people. Keep part of the password only in your brain. Don't use the site name or something obvious as the "salt" (i.e. the part of password which is in your brain). Use something from your childhood memories or other such obscure personal knowledge.

    • @manny7886
      @manny7886 1 year ago +2

      @@shadowninja6689 - I know and I agree it's not practical, but for my peace of mind I chose not to use the auto sign-in feature of the password managers because of the reason the video just mentioned. It's not gonna bother me if BitWarden gets hacked because the passwords that I stored in their vault were not complete.
      It's a little inconvenient, but it's a small price to pay.

  • @lego_minifig
    @lego_minifig 1 year ago +4

    I'd be interested in your self-hosted passwords video. I use LastPass extensively on both mobile and PC. As a data hoarder that likes hosting data locally, I'd be interested to see the features available and if it plays nicely with iOS (which seems to be the hardest aspect).

  • @stellam1137
    @stellam1137 1 year ago

    Merry Christmas, Kenny!

  • @vladimirobreja8360
    @vladimirobreja8360 1 year ago

    Would be great to see a video on self-hosting a password manager from you!

  • @Standaardnaam
    @Standaardnaam 1 year ago +64

    Yes, this is a big leak. But, even with this leak, LastPass was probably still safer than not using a password manager for the common Joe.

    • @Reth_Hard
      @Reth_Hard 1 year ago +10

      A few years ago I was using LastPass and when they started charging us for using multiple platforms (Windows, Android, etc...) I switched to a password manager that is open source. It's even better and it's free! My mistake was to keep LastPass as a Backup just in case there's a problem with the new password manager...
      I think it's now time for me to delete my LP account! lol I hope these morons just don't keep our data when we delete our account.

    • @vxicepickxv
      @vxicepickxv 1 year ago +6

      A notepad and pen is a superior choice if you're going to keep it on you.

    • @Reth_Hard
      @Reth_Hard 1 year ago +4

      @@unnamed7337
      Haha not a bad idea! :D

    • @Exarvi
      @Exarvi 1 year ago +5

      Or simply not saving the passwords in browser (why the fu.k does it still even exist)

    • @bigbootylatina130
      @bigbootylatina130 1 year ago

      @@vxicepickxv true lmao

  • @JamesWilson01
    @JamesWilson01 1 year ago +12

    Not directly related but my visa card was used in an attempted fraud recently. The bank intercepted it luckily but I still have no idea how they got my card details in the first place because my endpoint security is tight. The only thing I can think of is that some small Joe Schmo business that I bought from was storing card details against my wishes in an insecure way and got hacked. Makes me really angry that you can't control for these things given the amount of hassle involved in replacing the card in time for Christmas. First time it's ever happened so I see a future with multiple bank accounts and cards!

    • @SheIITear
      @SheIITear 1 year ago +4

      For educational purposes only, but there is something called "bins". Those consist of the identification numbers of your card type/provider etc. For example, with a bin a person can tell your card is Visa, from x bank at y place. There is a possibility an attacker has basically been testing different combos of numbers with a bin to see if they hit any "alive" card. I recommend you always keep online payments off when not using them, use stuff like Apple Pay etc., and keep your card in an NFC-blocking case for better safety. It may sound overkill, but it's worth it considering the headache one would get from dealing with unauthorized purchases etc.

    • @JamesWilson01
      @JamesWilson01 1 year ago +2

      @@SheIITear That's interesting and sounds plausible. When I asked the bank how they knew it was a fraudulent transaction they wouldn't tell me and said they don't discuss security measures. I'm pretty sure it had nothing to do with rfid because it was an attempted online purchase from some random website and as far as I know the card cvv is never transmitted wirelessly. If it's really possible to brute force numbers to find working cards then the banks need to up their game or this type of thing will only get more common as compute power increases.

    • @wilosaur
      @wilosaur 1 year ago +1

      services like oxygen are handy for that, single use limited cards that vanish once they're spent.

  • @vincentfox4929
    @vincentfox4929 1 year ago

    Merry Christmas to you too

  • @SkipInPerth
    @SkipInPerth 1 year ago

    Thanks for the succinct summary

  • @Shimpriv
    @Shimpriv 1 year ago +6

    Another case for always assuming anything you ever put online is known to anyone. It's fine to use lastpass, but don't store full passwords there, invent your own system of prefixes and/or suffixes so that the password only becomes complete in your head.

  • @graealex
    @graealex 1 year ago +15

    I'm so glad I switched to fully self-hosted KeePass with Yubikey 2FA. I always thought it was going to be dangerous to host passwords at a third-party service, even if they say it is all end-to-end encrypted. I mean, what happens when that service simply loses your data? Not even talking about stealing...

  • @Kill_All_Politicians
    @Kill_All_Politicians 1 year ago +6

    BASED

  • @tyzemol
    @tyzemol 1 year ago

    The way I "self-host" my password manager is I simply use Syncthing to sync the encrypted password database across all of my devices (including a phone) and use a corresponding password manager to decrypt the database: KeePassXC on my PC and a netbook, and KeePassDX on my Android phone.

  • @chell6022
    @chell6022 1 year ago

    Merry Christmas.

  • @hermitgreenn
    @hermitgreenn 1 year ago +11

    It's almost like trusting an external service to host all your passwords isn't a good idea. They should've invested into opsec instead of sponsoring Linus videos

  • @kreuner11
    @kreuner11 1 year ago +105

    Who knew that using a centrally synced, single-password-to-access password manager advertised as "better" than just remembering them was quite dangerous

    • @Reth_Hard
      @Reth_Hard 1 year ago +24

      If you're using a good password manager with 2-Step Verification it can be relatively secure. What method are you using for your passwords?
      Are you able to remember 20 different passwords with a length of 20 random characters? Or maybe you are using the same password for everything? lol

    • @Memorax
      @Memorax 1 year ago +19

      @@Reth_Hard or keepass with everything locally stored and encrypted

    • @hydra70
      @hydra70 1 year ago +28

      It really isn't though. As long as you have a strong master password, it doesn't matter if they have your password vault. If you have a 30+ character master password with numbers, upper and lower case letters, and symbols, they can throw the total computing power of mankind at it for millennia and still not break it. It's much more secure than just remembering them. The human brain just isn't capable of remembering a large number of unique, strong passwords. Depending on memory means you either have to make weak passwords or you have to reuse a few strong ones. Both of those are huge vulnerabilities.

    • @improvisedchaos8904
      @improvisedchaos8904 1 year ago +5

      i put all my eggs into one basket! where did I go wrong?

    • @nanopi
      @nanopi 1 year ago +1

      hopefully that single pw is hiding behind a lot of hashing

  • @PLAYGAMER2033
    @PLAYGAMER2033 1 year ago

    Gosh, am I glad I switched since the very first breach from LastPass to Enpass (where you're able to save the DB where you want). Never looked back.

  • @pwii
    @pwii 1 year ago +2

    Self-hosted Bitwarden on a RPI in a trusted building where it cannot be physically stolen, with access only through a VPN (zerotier-one is the easiest to set up for both PC and android) and daily encrypted backups with an append-only key seems like the best option out there.

  • @xslvrxslwt
    @xslvrxslwt 1 year ago +22

    Imagine using a proprietary password manager.. you really have to be.. idk.. Bitwarden ftw.
    Using a proprietary password manager is the same energy as if you were an FTX user 😂

    • @sleepspacee
      @sleepspacee 1 year ago +1

      what's the difference between bitwarden and lastpass?

    • @xslvrxslwt
      @xslvrxslwt 1 year ago +6

      @@sleepspacee Bitwarden is fully open source and you can self-host it. (also the Android app and FF integrations are flawless, imo at least)
      Benefits of open source are that you basically can't write bad code because security experts are constantly trying to find vulnerabilities, and most of them are already known ones so they're fixed instantly

    • @OLI-qx2rl
      @OLI-qx2rl 1 year ago +3

      @@sleepspacee You can self-host Bitwarden if you pay. Safer. Or use an offline manager such as KeePassXC

    • @ali-1000
      @ali-1000 1 year ago +11

      @@sleepspacee Bitwarden is open source and self-hostable, has a nice UI, isn't a scam and has really good benefits for £10 a year but can still be very usable as a free service. LastPass is proprietary and closed-source software which is expensive, doesn't have many free benefits, and the UI looks like shit (my opinion tho).

    • @AroPix
      @AroPix 1 year ago

      @@OLI-qx2rl Wdym if you pay? Vaultwarden is free.

  • @Mentalbox52
    @Mentalbox52 1 year ago +6

    Funny, I was just thinking about this a few hours ago. Notebooks are much safer. Not for business purposes, but definitely for personal security

    • @Exarvi
      @Exarvi 1 year ago

      Ol' trusty notebook

  • @nami1540
    @nami1540 1 year ago

    Best is that 1Password had an ad on your video for me

  • @ClintWKennedy
    @ClintWKennedy 1 year ago

    Liked and subbed so I can see when you release the self hosted video!

  • @corbinbrier0
    @corbinbrier0 1 year ago +3

    This is why I keep my passwords in a notebook in my safe. I don't particularly trust any of these password managers and I'd rather not have it on my PC in a text document either, to be safe.

  • @aurorastudios5955
    @aurorastudios5955 1 year ago +3

    Sounds like hackers keep finding ways to ruin Christmas somehow, like with the log4j panic a while ago.

  • @josueramirez7247
    @josueramirez7247 1 year ago

    Thank you for making this video!

  • @ekekw930
    @ekekw930 1 year ago +1

    Would love to see a self hosted password manager tutorial!

  • @kaywee
    @kaywee 1 year ago +3

    god bless keepass

  • @rakeau
    @rakeau 1 year ago +12

    Would love to see your take on a self-hosted solution. I know you've endorsed KeePassXC before, but having that be useful across multiple devices or be useful in a shared business setting would be great.

    • @SpartanG007
      @SpartanG007 1 year ago +2

      You can use syncthing to keep and update the keepass file in multiple computers/mobile using some vpn/vlan like zerotier if it's over the internet. Basically you can make your own """cloud""" storage this way.

    • @msal
      @msal 1 year ago

      I think BitWarden has a self hosted option. Haven’t tried them though

  • @dankkush5678
    @dankkush5678 1 year ago

    Merry Christmas to you as well

  • @RiftWalker111
    @RiftWalker111 1 year ago +1

    When you made your first video on it I panicked and spent several hours transferring passwords on LastPass to my phone locally thinking it was overkill.
    WELP.

  • @ashishpatel350
    @ashishpatel350 1 year ago +7

    *laughs in bitwarden*

  • @souls1lver
    @souls1lver 1 year ago +3

    Good thing I write my passwords down on a stone tablet

  • @daddy7387
    @daddy7387 1 year ago

    Merry Christmas my based man

  • @allezvenga7617
    @allezvenga7617 1 year ago

    Thanks for your sharing

  • @bluegizmo1983
    @bluegizmo1983 1 year ago +3

    Password leaks are ALWAYS far worse than what the hacked companies admit to!

  • @ejonesss
    @ejonesss 1 year ago +7

    Source code can still be valuable to hackers because it can allow them to see how the encryption works and allow them to write a brute-forcer algorithm and brute-force decrypt the data breaches in the future or past.
    I wouldn't be surprised if LastPass algorithms make it into hashcat or equiv.

    • @SummerRainn
      @SummerRainn 1 year ago +4

      Hmm... but the encryption algorithm is AES 256-bit. Everyone knows how that encrypts the data, guess the numbers is the hard part.

    • @xe-wf5iv
      @xe-wf5iv 1 year ago +2

      @@SummerRainn Right, I don't think they understand how encryption works. You can know exactly how the data was encrypted and know exactly how it decrypts that data. It's all useless if you don't have the key that was used to encrypt the data originally. The only person that has that key is the owner of the passwords. LastPass does not have that key.

  • @thepvporg
    @thepvporg 1 year ago +1

    A lot of hacks happen because some admin fails to upgrade backend software.
    My web server got hacked and it was down to the fact that the server providers were running an insecure version of PHP.

  • @flioink
    @flioink 1 year ago

    Was always skeptical about such "services"...
    with a good reason as it turns out.

  • @coupiduculte
    @coupiduculte 1 year ago +5

    I write my passwords on a piece of cardboard, put them inside an envelope inside my safe, next to my firearm. Yes, I'm a boomer, but I will never trust a piece of code to handle my financial data.

  • @asdasddas100
    @asdasddas100 1 year ago +3

    I'm so glad I switched off LastPass years ago

  • @Fuscao_Preto
    @Fuscao_Preto 1 year ago +1

    I got many scam emails trying to scare me with my passwords and logins. Good thing I changed all my passwords after I'd seen your video on the leak.

  • @LilacMonarch
    @LilacMonarch 1 year ago +1

    I've always felt this way about centralized password managers like this. Your data becomes part of such a massive target. An offline, local manager like KeepassXC/DX should be far more secure. Although if you do use a local manager, take the time to sync it on your devices manually, either with a direct usb connection or at least without leaving your local network. It's less convenient sure, but syncing it with something like google drive is going to end up less secure than Lastpass.

    • @themikegarrett
      @themikegarrett 1 year ago

      I disagree. Before switching to 1Password, I had all my passwords in KeePass with the vault backed up to Google Drive. With that setup, I could put it in a non-standard folder or change the file extension which would thwart all automated scripts.

    • @LilacMonarch
      @LilacMonarch 1 year ago

      @@themikegarrett Do you really think none of them are going to check other folders or file extensions? That is not good opsec my guy

    • @themikegarrett
      @themikegarrett 1 year ago +1

      @@LilacMonarch yes, I do. Have you personally written a file traversal script?

  • @0xCAFEF00D
    @0xCAFEF00D 1 year ago +3

    6:10
    I'm not sure how plausible this attack is and would like someone else's assessment.
    According to the FAQ they use 100,100 rounds of PBKDF2 (a key-derivation function) to add a work factor to cracking. I just installed a Python library that does this (backports.pbkdf2, quite possibly not ideal performance, I don't know how this library compares).
    It does the 100100 iterations in 0.11 seconds (Ryzen 5 5600). Even 1/10th of this seems like a lot of work for brute forcing a single password. That's still a lot less than the 2 seconds (iterations set relative to user PC specs) default in KeePass, which a company like LastPass should be able to afford.
    I'm thinking that the very most basic passwords are unsafe but any password that anyone would consider an actually decent password seems out of reach.
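As an added worked example (not code from the video or from any commenter), the snippet below reproduces the timing experiment in the comment above with Python's standard-library PBKDF2 and turns the measured rate into the kind of exhaustive-search estimate the earlier reply about 30+ character master passwords makes. The 100,100 iterations come from the comment; the character-set sizes, the password classes and the 1,000,000-core guesser are assumptions for illustration.

```python
import hashlib
import math
import os
import time

# Work factor the comment above quotes for LastPass's PBKDF2 (taken from the page).
LASTPASS_ITERATIONS = 100_100
KEY_LEN = 32  # 256-bit output, the size an AES-256 vault key needs


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = LASTPASS_ITERATIONS) -> bytes:
    """Stretch a master password into a key with PBKDF2-HMAC-SHA256.

    Every guess at a stolen vault costs the guesser this many HMAC rounds;
    that cost is the only thing the iteration count buys the defender.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def measure_guess_rate(iterations: int, trials: int = 5) -> float:
    """Master-password guesses per second one CPU core manages at this work factor."""
    salt = os.urandom(16)  # constructed throwaway salt, value is irrelevant here
    start = time.perf_counter()
    for i in range(trials):
        derive_vault_key(f"candidate-{i}", salt, iterations)
    return trials / (time.perf_counter() - start)


def password_space(charset_size: int, length: int) -> int:
    """Number of candidates a full search over this character set and length covers."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password drawn from that space, in bits."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float, cores: int = 1) -> float:
    """Worst-case wall-clock time to try every candidate at the given throughput."""
    return password_space(charset_size, length) / (guesses_per_second * cores)


def format_duration(seconds: float) -> str:
    """Human-readable duration, three significant figures."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    rate = measure_guess_rate(LASTPASS_ITERATIONS)
    tenth = measure_guess_rate(LASTPASS_ITERATIONS // 10)
    print(f"one core, {LASTPASS_ITERATIONS:,} iterations: {rate:.1f} guesses/s")
    print(f"one core, 1/10th of that work factor:       {tenth:.1f} guesses/s")
    # Assumed scenarios: a single commodity core versus a constructed 1,000,000-core
    # guesser, and password classes from weak up to the 30+ character master
    # password the earlier reply describes (95 = printable ASCII).
    for label, charset, length in (("8 lowercase letters", 26, 8),
                                   ("12 mixed-case alphanumerics", 62, 12),
                                   ("30 printable ASCII characters", 95, 30)):
        for cores in (1, 1_000_000):
            t = seconds_to_exhaust(charset, length, rate, cores)
            print(f"  {label} ({entropy_bits(charset, length):.0f} bits), "
                  f"{cores:,} cores: {format_duration(t)}")
```

A GPU cracker runs PBKDF2 far faster than one Python-driven core, which is what the cores multiplier stands in for; the defender's levers remain the iteration count and the length of the master password.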

    • @RandomShowerThoughts
      @RandomShowerThoughts 1 year ago +3

      Thank god I used a generated password as my master password

  • @TheLazyEconomist
    @TheLazyEconomist 1 year ago +5

    Thank goodness I live under a rock and I've never heard of any companies on this channel. I legit found out through you that Whatsapp existed.

  • @wi330
    @wi330 1 year ago

    Looking forward to the self hosted video ! Because I use last pass

  • @FABESTAH
    @FABESTAH 1 year ago

    Bitwarden / Vaultwarden is my way to go self-hosted and it's actually very easy to set up plus to maintain.

  • @bryteklabs1855
    @bryteklabs1855 1 year ago +5

    bitwarden > lastass

    • @treeskers
      @treeskers 1 year ago +3

      keepassxc > all of the other ones

    • @sharp14x
      @sharp14x 1 year ago +1

      Both true. Keepass + syncthing is the GOAT.

  • @eddybrownII
    @eddybrownII 1 year ago +2

    To me this is just another example of why we need to move past passwords

  • @xinfinity4756
    @xinfinity4756 1 year ago +1

    A video on how to set up and configure a self-hosted password manager would be great

  • @BruceCarbonLakeriver
    @BruceCarbonLakeriver 1 year ago +1

    No F here :D
    But thanks for this vid!
    It is a shame that internet security almost didn't get better at all since the 90's. It actually got worse and it is always the same excuse: "Hackers are always one step ahead".. well, how about proper spending on security instead of private jets for the CEOs?!