Submitted by glawgii t3_ztx9k5 in technology
colonel_beeeees t1_j1fxi3j wrote
When these things came out I was like ok so instead of hoping I don't get hacked, I just have to worry about this giant repository not getting hacked? Should I trust any of these password managers and why?
DrQuantum t1_j1g1sy3 wrote
Security is about mitigation. Every company is a target. They will be hacked. It's about mitigating risk of those hacks. So zero knowledge architecture is what Last Pass uses. All of your data is encrypted, by your master password key. Even with encryption, they can brute force into your account. The longer and more complex your password the harder this is.
This hack happened in August. Depending on your password complexity for example, they could still be trying to get in today on just your password.
So password managers still work and as long as you prioritize best practice passwords or hopefully pass phrases you should mitigate most of the risk to your accounts.
But, you don’t want to take chances and again you mitigate risk by still resetting your password.
Generally, you can trust password managers with zero trust architecture. Last Pass has become disreputable over time due to its practices but that doesn’t mean that if implemented correctly you wouldn’t mitigate a lot of your risk.
It's still way better to have your passwords there than sitting plain text on your PC as an example.
iLikeFunToo t1_j1gon05 wrote
Building on this, if your password is 16-18 characters long and has all character types, to brute force your password could take like billions of years (or trillions) with current computing. A good password makes a lot of difference in these cases.
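The zero-knowledge and brute-force points made in the two comments above, as an added example (not LastPass's or any vendor's code): the vault key is stretched from the master password on the client with a per-user salt, only a further one-way derivation of it is sent to the service for login, and the cost of guessing a stolen vault scales with password entropy times KDF iterations. The iteration count, the 1e12 hashes/second attacker rate and the sample passwords are constructed assumptions for illustration.

```python
import hashlib
import math
import secrets

# Constructed parameters for this example; real products pick their own KDF and iteration count.
KDF_ITERATIONS = 600_000
KEY_LEN = 32


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Client-side step: stretch the master password into the key that encrypts the vault.
    The key is computed on the device and never sent to the service."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Login credential the service stores: one more one-way derivation of the vault key.
    Holding this value (or a stolen copy of it) does not reveal the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def new_user_salt() -> bytes:
    """Random per-user salt: the same master password on two accounts yields different keys,
    so one precomputed (rainbow) table cannot be reused against every stolen vault."""
    return secrets.token_bytes(16)


def password_entropy_bits(password: str) -> float:
    """Upper-bound entropy, length * log2(alphabet size). Accurate for randomly generated
    passwords; a human-chosen password built from dictionary words has far less than this."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def expected_crack_years(entropy_bits: float, hashes_per_second: float,
                         iterations: int = KDF_ITERATIONS) -> float:
    """Expected time to brute-force a stolen vault offline: half the keyspace on average,
    each guess costing `iterations` PBKDF2 rounds, at the attacker's assumed hash rate."""
    expected_guesses = 2 ** (entropy_bits - 1)
    seconds = expected_guesses * iterations / hashes_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = new_user_salt()
    key = derive_vault_key("correct horse battery staple", salt)
    print("server sees only salt + auth hash:", salt.hex(), derive_auth_hash(key, "correct horse battery staple").hex())
    for pw in ("Tr0ub4dor&3Xq!Lp", "passwordpassword"):  # constructed sample passwords
        bits = password_entropy_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, ~{expected_crack_years(bits, 1e12):.3g} years at 1e12 H/s")
```

The comparison is deliberately one-sided: the entropy estimate assumes the password was generated at random, which is the only case where "16 characters, all classes" actually buys you the hundreds of bits shown. That is why the thread's advice to reset anyway after a breach is sound for a master password that was not machine-generated.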
OppositeCode t1_j1g29qx wrote
Well I personally trust my current password manager (Bitwarden). When you save your account to that password manager, it is supposed to be fully encrypted and uploaded to the cloud. This is so that if there is a breach, the hackers only have your encrypted information (essentially useless).
In the case of this LastPass hack, the URLs of accounts weren't encrypted while the rest of the usernames and passwords were. This can lead to phishing attacks attempting to gain access to that website's account.
There are also local password managers, however I decided against them, as it is not convenient for my personal situation. I started with LastPass but switched to Bitwarden after they implemented their single device policy. As of now Bitwarden has not been breached. With the code being open source, the ability to self host, and the developers responsive & open to suggestions; it has earned my trust.
scruffles360 t1_j1gs5fw wrote
I presume bitwarden doesn’t have any browser integration until the user logs in and asks for credentials?
I ask because that’s likely why LastPass doesn’t encrypt urls. When you go to a site, it knows it has a password and can prompt you to fill it. It’s a compromise in security for the convenience of browser integration. Whether or not it’s a good compromise is debatable but a lot of people are making it sound like laziness or a flaw. It’s most likely a usability choice.
OppositeCode t1_j1gxe32 wrote
Yes, unless you are logged in your vault won't be decrypted. I assume you mean something similar to this? https://bitwarden.com/help/uri-match-detection/ https://bitwarden.com/help/website-icons/
Correct me if I'm wrong, but I assume the website match should be done locally otherwise it would be encrypted. https://bitwarden.com/help/what-encryption-is-used/
Browser extensions are a weak point but it also prevents everyday people from getting phished. As if the domain is not matching, you won't be able to fill your information (since it won't show).
As always, if you don't trust cloud you can either self host or use a local password manager.
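The URI-matching behaviour discussed in the exchange above, as an added example written for this page (not Bitwarden's code): matching runs on the client against vault entries that are already decrypted after unlock, and a credential is offered for autofill only when the page host matches the stored URI under the chosen mode. The "host" and "base domain" modes follow the names on the linked help page; the two-entry suffix list and the sample vault are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List, which a real matcher would load in full.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare host; empty string if it cannot be parsed."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def base_domain(host: str) -> str:
    """Registrable domain: the last two labels, or three when the last two form a public suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def uri_matches(stored_uri: str, page_url: str, mode: str = "base_domain") -> bool:
    """Decide locally whether a stored URI belongs to the page the browser is on."""
    stored, page = host_of(stored_uri), host_of(page_url)
    if not stored or not page:
        return False
    if mode == "host":
        return stored == page
    if mode == "base_domain":
        return base_domain(stored) == base_domain(page)
    raise ValueError(f"unknown match mode: {mode}")


def fillable_logins(unlocked_vault, page_url: str, mode: str = "base_domain"):
    """Names of vault items the extension may offer on this page. Operates on decrypted
    entries, i.e. only after the user has unlocked the vault on the device."""
    return [item["name"] for item in unlocked_vault
            if any(uri_matches(u, page_url, mode) for u in item["uris"])]


# Constructed sample vault entries, as they look on the client after unlock.
SAMPLE_VAULT = [
    {"name": "Example Bank", "uris": ["https://login.example-bank.com/auth"]},
    {"name": "Example Shop", "uris": ["shop.example.co.uk"]},
]

if __name__ == "__main__":
    for page in ("https://www.example-bank.com/signin",
                 "https://example-bank.com.attacker.test/login",
                 "https://www.example.co.uk/"):
        print(page, "->", fillable_logins(SAMPLE_VAULT, page))
```

The lookalike page (`example-bank.com.attacker.test`) gets no suggestions because its base domain is `attacker.test`, which is the anti-phishing property the comment above relies on; switching to "host" mode is stricter still and would also refuse `www.example-bank.com` for an entry saved under `login.example-bank.com`.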
scruffles360 t1_j1gymq9 wrote
That may be similar. When you go to a login page and LastPass tells you you have 4 accounts on that site... it gets that information using the unencrypted URLs. It doesn’t log you into your vault unless you try to use one of them. (There are settings to leave you logged in, but they discourage that).
I’m going to have to do some research and see what’s out there.
OppositeCode t1_j1gz5yx wrote
I'm not a developer so it would be your best bet to ask in different subreddits such as: r/privacy r/PrivacyGuides r/Bitwarden
coolfarmer t1_j1i9egc wrote
I LOVE Bitwarden! I switched from LastPass 6 months ago, best move ever :)
The_Countess t1_j1gaaex wrote
The hackers don't actually have access to any passwords though.
Each account is still encrypted with a unique key that lastpass doesn't even know so can't expose when getting hacked. The hackers would still need to brute force each account individually to get at the passwords.
Unless you are extremely interesting, or your master key is vulnerable to rainbow table attacks (meaning it consists mostly of words, making it much easier to guess), you probably still have nothing to worry about.
sleepybrett t1_j1ghju1 wrote
If you trust LastPass... they've been hacked like half a dozen times at this point. If they can't secure their network, what makes me think they secure my passwords any better?