Yeah, I’ve been changing passwords anyway. It’s a bloody pain, but it’s a good exercise to do for the important sites every so often anyway.
I preferred it when I could be assured that passwords in password managers like this were relatively safe. Love to know why there weren’t notifications/articles about the lower security (like these iterations) brought up long before now, or how I missed them if they had been. I mean, it’s great to point out the failings after a breach but why is the information so hidden from users? General users are going to be left to the wolves.
I just checked, the piece of paper that I write my passwords down onto has yet to be hacked. Well, except by my kids, they have learned how to hack the system.
Once I started having to carry a book around to manage all my passwords, which were long and unique even back before password managers were all the rage, I had to give up on that particular ‘hack-proof’ method.
I do have MFA/2FA on accounts that support it, too, but I just hate the idea of someone accessing private info even if the account holds very little of importance.
I’m mostly being sarcastic when I mention my password list. The truth is a bunch of my passwords are saved on Chromium so it’s not like they aren’t all out there in one place ready to be stolen.
There were articles, and it was talked about-- I remember increasing my iterations in 2018, before switching to bitwarden. I don’t think LastPass itself notified users though.
I’d forgotten about my LastPass account after switching to BitWarden. Then this morning I just got an email saying that someone had tried to log on to my LP account (oddly enough, from my city.) It said you don’t have to do anything if it wasn’t you, we blocked it.
Like an idiot, I accidentally hit the link that said “Verify” and verified that it was me, duh! Hopefully since they were already blocked they moved on, but I did go in and figured out (after finally remembering my master PW!) how to completely delete my Last Pass account. Hopefully that wipes out all current info on me in the LP data banks.
Welp, someone tried to log into my Discord account this morning, so I’ve been going through and changing all the important passwords. God dammit LastPass.
This is one critical bit of info that’s missing from all this: how long are ‘backups’ kept once something is deleted? I mean, you may have deleted your vault/account, but this particular breach had the LastPass vault backup taken. If the backup, say, went back six months, that means people that don’t even have an account anymore may have their data in this breach, they won’t be notified, think they don’t have to do anything and may not even know what accounts were in their vault at the time they deleted.
Would that be plausible? Businesses keep rolling backups for a very long time, depending on their requirements, even into the years. Once your LastPass info is gone from the vault, is it gone from their one and only backup and there’s no other copies anywhere?
Certainly not, it’ll be in backups for an indeterminate period of time. There’s nothing anyone can do about that. Just change your important passwords-- I know I increased my iterations back in 2018, but I sadly failed to delete my LP account, and that’s what I did. Also I deleted my LP account.
What’s this iterations thing?
Here’s LastPass’ info: About Password Iterations - LastPass Support
It’s not entirely correct, though. While their current default may be 100,100 iterations, mine was still set at the old 5000 level because I didn’t hear/know about the need to change it back when it was discussed (as mentioned earlier by @stusser).
Here’s some extra detail: PBKDF2 - Wikipedia
I increased my personal one from 5000 to the better 310,000 now recommended. But yeah, I didn’t even know this was a thing, being that cryptography isn’t my wheelhouse.
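To make the iterations point concrete, here is an added example (not from any poster or from LastPass): it derives a 256-bit key with PBKDF2-HMAC-SHA256 at the 5000, 100,100 and 310,000 counts mentioned above and measures how much each derivation costs, which is exactly the per-guess cost an offline attacker with a stolen vault has to pay. The master password and salt are constructed sample values, and using an account identifier as the salt is an assumption for illustration, not a statement of how LastPass does it.

```python
import hashlib
import time

# Constructed sample inputs; not real credentials.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = b"user@example.com"  # assumption: account identifier as salt
ITERATION_LEVELS = [5000, 100100, 310000]  # old default, newer default, current recommendation


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 256-bit output: the vault-encryption key is
    a deterministic function of password, salt and iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_derivation(iterations: int, trials: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine (best of `trials`)."""
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_vault_key(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def work_factor(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so raising it from `old`
    to `new` multiplies every offline guess by this factor."""
    return new_iterations / old_iterations


def expected_crack_seconds(guess_space: int, per_guess_seconds: float) -> float:
    """Expected time to find a password drawn uniformly from `guess_space`
    candidates, i.e. half the space at the measured per-guess cost."""
    return guess_space / 2 * per_guess_seconds


if __name__ == "__main__":
    # 1e9 candidates is a constructed figure for a short, human-chosen password.
    for iters in ITERATION_LEVELS:
        cost = seconds_per_derivation(iters)
        print(f"{iters:>7} iterations: {cost * 1000:8.2f} ms/guess, "
              f"x{work_factor(5000, iters):6.1f} vs 5000, "
              f"~{expected_crack_seconds(10**9, cost) / 86400:8.1f} days for 1e9 guesses")
```

The absolute timings are for a single CPU core; a cracking rig with GPUs is far faster, but the ratio between iteration levels is what carries over.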
I mean, my passwords alone are usually long enough and random enough that dictionary attacks aren’t going to work, but if they can decrypt my vault, which they now have unlimited time to do, and view the passwords, well, that’d be a problem. I don’t think it’s likely in my case, but I changed many of my passwords as a precaution, and I’ll keep changing them until they’re all done.
Hopefully 2023 will be the year companies start adopting passkeys and we can do away with passwords forever.
Just went through all my passwords, and a good couple dozen are for websites that don’t even exist anymore. Gotta do better about cleaning those up I guess.
I must have had hundreds of passwords in LastPass and I just went through them all and changed the ones that were for things that still exist. It must have taken me 11 hours. I deleted that account.
I hope I can trust Google to keep my passwords safe.
I’ve been trying to migrate to 1Password for the past 7 days. The number of issues I’ve had, their support is 2-3 days to respond, their instructions online suck balls and I have grown so frustrated. I don’t understand how a company can try to “pare down” instructions to the point where it’s just not obvious.
I’m at a point where I need to decide to just fucking bail and go and try bitwarden.
My god if 1Password had a decent UX person to review their shit, they wouldn’t be receiving my ire.
I know I’m getting off Lastpass and I thought 1Password would be a good choice but my god they make me hate them with the burning passion of a thousand suns.
What kinds of issues have you had? Issues importing a Lastpass export? Have you seen this page? (Last posted in this thread by mono in 2016, according to Discourse!)
I remember all kinds of steps from way back then, which I believe included community created conversion utilities, and multiple intermediary steps between the export and import. It’s much simpler these days.
I’m currently on 1Password, but have moved between Lastpass/Bitwarden and 1Password a number of times over the years. Never ran into anything too daunting. However if you’ve already made the move to Bitwarden, I’d stick w/ that @Tman . My only issue w/ Bitwarden is that the Android app (with my 2800 item vault) is a bit sluggish compared to the other products. Works fine on my vault w/ iOS devices.
The slow trickle of revelations continues.
Lastpass passwords are encrypted not hashed, so they must be talking about Logmein or other products there.