Password manager

Rebian

Hi all,

Do you also use a password manager, which one and why?

I had LastPass but I'm not sure I want to use it anymore. I also read about a USB stick that acts as a password manager.
 
Just a couple of the many threads/discussions via a quick search.


 
You need to get away from LastPass as fast as possible. Hackers broke into LastPass and stole all the encrypted vaults. So the bad guys have your passwords. If you had a good master password then you should be safe. If not then you should be changing all your important passwords in your vault.

For most people Bitwarden or 1Password are good options.
 
+1 for 1Password

I have like 400-500 passwords in there for all of the various services I use.

I don't know a single one of them. They're all 26 characters upper, lower, number, symbol and anything that allows for 2FA with an authenticator code gets 2FA with an authenticator code.
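An added example, not code from any poster in this thread, that makes the two points above concrete: once the encrypted vaults are in an attacker's hands, what stands between them and the contents is the master password's entropy and the PBKDF2 work factor, and every stored password should be long, random and unique. The script generates a 26-character password with every character class guaranteed, computes its entropy, derives a vault key with PBKDF2-HMAC-SHA256 (the construction password managers commonly use; the salt here is constructed), and estimates expected offline-cracking time. The iteration counts and the attacker hash rate are constructed assumptions for illustration, not any vendor's actual settings.

```python
import hashlib
import math
import secrets
import string

# Character classes the generated passwords must cover (the symbol set is a constructed choice).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 87 characters


def generate_password(length: int = 26) -> str:
    """Return a random password drawn from ALPHABET with every class present.

    Uses the `secrets` CSPRNG; rejection sampling keeps the distribution uniform
    over the set of passwords that satisfy the class requirement.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` symbols from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256 from a master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def expected_crack_years(bits: float, iterations: int, raw_hashes_per_second: float) -> float:
    """Expected time to recover a password of `bits` entropy by offline guessing.

    `raw_hashes_per_second` is the attacker's single-iteration PBKDF2 throughput
    (a constructed assumption); each guess costs `iterations` of that work, and on
    average half the keyspace must be searched before the right guess is found.
    """
    guesses_per_second = raw_hashes_per_second / iterations
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed attacker model: 1e10 single-iteration PBKDF2-SHA256 hashes/s on a GPU rig.
    ATTACKER_RATE = 1e10
    for iters in (5_000, 100_100, 600_000):  # assumed work factors, not any vendor's real setting
        for label, bits in (("weak 8-char lowercase", entropy_bits(8, 26)),
                            ("random 26-char, all classes", entropy_bits(26))):
            years = expected_crack_years(bits, iters, ATTACKER_RATE)
            print(f"{iters:>7} iterations, {label:<28} {bits:6.1f} bits -> {years:.3g} years")
    pw = generate_password()
    print("example vault entry password:", pw, f"({entropy_bits(len(pw)):.1f} bits)")
    print("derived key:", vault_key(pw, salt=b"constructed-salt", iterations=100_100).hex())
```

The table the script prints shows why the iteration count matters as much as the master password: raising the work factor scales the attacker's cost linearly, while every extra bit of master-password entropy doubles it, so a short, human-chosen master password on a low-iteration vault is the case where "change all your important passwords" applies.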
 
It really depends on what you want.

For those who want "full automation" as far as even providing the correct password when using a given site, I have been impressed with Dashlane.

For those of us with more basic needs, but where the password vault can be cloud stored and accessed across multiple devices, including under Windows, iOS, macOS, and Android, and that is open-source, I prefer Password Safe and its PasswdSafe ports.
 
Bitwarden, I was with Lastpass and left a couple of years ago, because they were pretty useless when changing passwords, and the extensions would often have faults.

Bitwarden's paid subscription is a lot cheaper than LastPass, but for me I find it a much better and stable product. Maybe watch Steve Gibson's video about Leaving LastPass.


Thanks
 
We use LastPass.

Bitwarden looks good and we almost jumped ship with the recent LastPass hacks but ultimately there is nothing stopping the same thing happening to any other password manager. It wasn't a security flaw with the LastPass software or any code. It was ultimately flawed security policies that got them. Most of the damage was done from a DevOps engineer's personal device being keylogged. This got the hackers access to his LastPass vault, which got them access to AWS, where the vault backups were stored.

I think these days you just have to assume it's a matter of when, not if, something like this will be breached. Use MFA everywhere, have good logging and alerting, regularly rotate passwords, use least privileged roles for permissions, restrict some access to PAWs etc. It's a PITA but beats the alternative which could literally be going out of business for many of us here.
 
It was ultimately flawed security policies that got them.
Which is why you should be running for the exits. It's not that LastPass got breached, it's the fact that they failed to immediately change passwords, revoke certificates, etc., after the first breach. A supposed security company that responds inadequately to a security breach is not one you should trust. LastPass was a good company but they sold out to venture capitalists who gutted the security dev teams. Run, Forrest, run!
 
it's the fact that they failed to immediately change passwords, revoke certificates, etc., after the first breach.

Do you have any source to back that up? I've seen it claimed a lot yet their blog states passwords & certificates were rotated along with completely destroying then rebuilding the compromised dev environment.

Also, even if they hadn't rotated - would this have made a difference? The main entry point was injecting a keylogger to a staff member's laptop through a third-party software exploit. Where would creds or certificates stolen from a Dev environment come into this attack? Surely they wouldn't even be valid for the production environment.
 
No, but common sense tells me that either they failed to find some RAT running on the network, which means the breach was continuous, or they used existing logins to gain access a second time. LastPass has stated that the hacker used information gained in the first breach to target and attack a senior Developer. They then exploited a media player to gain full access. *One wonders if said media player had a patch for that vulnerability that LP failed to address or if this was a same-day exploit. I'm betting on it not being patched*

Surely they wouldn't even be valid for the production environment.
You would think a Dev would not have access to the production environment. But it appears that this one did. In fact, because this one superuser was targeted it implies that the hackers must have had admin access to the network in order to hunt and find his computers. This means that the senior Dev was also a SysAdmin. Because he was one of 4 Devs who had access to the production side and thus client backups. While it's not unusual for high-ranked employees to have double duties it should have been SOP that his computers should have been isolated from each side of the company. This is a high-security company and that means that extraordinary (re: highly annoying) procedures MUST be done. Which means totally walled-off computers running production. That obviously was not the case here.

Again RUN away. Because these idiots are sloppy and careless and you don't want that holding your keys.
 
Lastpass got bent over twice last year. Once in August. Again in December.....and info stolen in the August breach was used to breach them in December. The key to their front door was stolen in August..and they failed to change the lock on the front door. Simple as that.

Poor practice. Security experts are still unraveling what happened and explaining how it's slowly and steadily getting worse as they find more info.

Yes, there is a likelihood that any password manager can have a breach. However, it's what they do right after that breach occurs..that will separate the good, from the bad. LastPass had a second breach 3 months after the first...where the bad folks used info from the first breach. That simply speaks volumes at...failure to do things right.

I wouldn't trust them with my recipe for chicken soup!
 
Maybe I'm naïve but I think you're on a witch hunt to believe they would have credentials breached and simply forget to reset passwords. Then bring in one of the world's top cybersecurity contractors to assist (Mandiant) who also forgot to recommend resetting passwords.

Yes, we know information from the original breach was used but so far it's not public knowledge what this data was and to what extent it assisted.

It could be something so basic as log files showing this DevOps engineer worked remotely. Pair that with permissions etc. in the Dev environment suggesting he is very senior in the company. Now we have a target. Logs show the IP he was remoting in from. Let's probe that IP to find a Plex server exposed publicly. Exploit it to plant a keylogger and wait. We know the story from here...

My speculation is as good as yours
 