[Lex Computer & Tech Group/LCTG] LastPass confirms users' password vaults were stolen by hackers
Peter Albin
palbin24 at yahoo.com
Fri Dec 30 07:48:08 PST 2022
FWIW, I am a Dashlane user as I have stated before.
The Dashlane architecture (as others might be as well) provided cloud-based
storage of password vaults that are encrypted locally. That is, the local
device downloads the current version of the vault and locally decrypts it.
The local program provides security by time-stamping the encryption and
forcing a refresh periodically on the local device.
In my opinion, this architecture limits the exposure of hacking or
threat as the unencrypted data exists only for a short time on any
individual device. In the cloud, your personal vault is just a blob of
data that would be subject to decryption with your personal credentials.
Stealing this data seems to me to be particularly ineffective in that
each "blob" would need to be individually hacked.
So much for my two cents ...
Peter
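An added illustration of the locally encrypted vault model described above, and of the point in Gosney's quoted post that a vault should hold up even if the blob is openly downloadable. This is example code written for this archive page, not Dashlane's, LastPass's or any other vendor's implementation; the PBKDF2 work factor, the HMAC-counter stream cipher standing in for AES-GCM, and the sample entries are assumptions. The cloud only ever holds the sealed blob; opening it with a wrong master password or after a flipped byte yields nothing, and the per-vault salt means each stolen blob costs an attacker a separate KDF run per guess.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Assumed work factor for the demo, not any vendor's real setting.
KDF_ITERATIONS = 100_000

# Constructed sample vault; the strings are placeholders, not real credentials.
SAMPLE_ENTRIES = {"bank.example": "placeholder-random-1", "mail.example": "placeholder-random-2"}

def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    # The per-vault salt rules out shared precomputation: every stolen blob
    # costs an attacker a separate KDF run for every guess.
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib-only stand-in for AES-GCM's cipher."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

def seal_vault(master_password: str, entries: dict) -> bytes:
    """Encrypt on the device. The returned blob is all the cloud ever stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag

def open_vault(master_password: str, blob: bytes) -> Optional[dict]:
    """Decrypt on the device; None for a wrong master password or a tampered blob."""
    if len(blob) < 64:
        return None
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(keystream_xor(enc_key, nonce, body))
```

The MAC is checked before any decryption, so a stolen blob gives no oracle beyond "wrong password"; raising KDF_ITERATIONS raises the per-guess cost for every blob independently.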
On 12/30/2022 9:56 AM, Adam Broun wrote:
> Here is a different take from Jeremy Gosney
> https://infosec.exchange/@epixoip/109585049354200263
>
> In particular:
>
> "Is the cloud the problem? No. The vast majority of issues LastPass
> has had have nothing to do with the fact that it is a cloud-based
> solution. Further, consider the fact that the threat model for a
> cloud-based password management solution should *start* with the vault
> being compromised. In fact, if password management is done correctly,
> I should be able to host my vault anywhere, even openly downloadable
> (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I
> wouldn't do that, of course, but the point is the vault should be just
> that -- a vault, not a lockbox."
>
>
>
>> On Dec 29, 2022, at 20:27, Robert Primak <bobprimak at yahoo.com> wrote:
>>
>> In light of all this discussion, I think I see where the Lastpass
>> breach(-es) happened. It's not front-end account cracking or browser
>> hacking. It's back-end data theft from servers owned by a Cloud
>> Service. These servers either have outside vendors who have way too
>> much privileged access, or else they have really wicked-bad security
>> to begin with.
>>
>> If this is the case, I would recommend NEVER using cloud-based
>> password managers. DO NOT allow anyone to keep your database on THEIR
>> servers. This is where local database creation where YOU control
>> where and how the database is stored (local-only, or on someplace
>> like Google Drive, knowing it is likely eventually to be stolen)
>> looks to me like the best solution. Keepass and the cross-platform
>> KeepassX (no connection between these two products, BTW) are examples
>> of this sort of password manager. Your database is YOUR property, not
>> the property of some vendor.
>>
>> Where you store your vault is up to you. But YOU need to be in
>> control of this choice, NOT your password manager's vendor.
>>
>> And don't keep unprotected password information anywhere where
>> someone can find it. But then again, your heirs and sometimes others
>> will need to be able to get at your passwords to access your accounts
>> if need be.
>>
>> In the near future, here's hoping passwords will be sunsetted in
>> favor of more secure login methods. Microsoft and several other
>> vendors are working on finalizing the protocols for passkeys:
>> https://fidoalliance.org/passkeys/
>>
>> This is where we are headed, and this latest LastPass breach only
>> highlights the urgency of converting sooner than later.
>>
>> -- Bob Primak
>>
>> On Thursday, December 29, 2022 at 04:14:51 PM EST, Alan Millner
>> <armillner48 at gmail.com> wrote:
>>
>>
>> I put my passwords on my paper rolodex.
>> It has never been hacked.
>>
>> Alan Millner
>> amillner at alum.mit.edu
>> 781-862-7893
>> 48 North St., Lexington MA 02420
>>
>>
>>
>> On Dec 29, 2022, at 3:55 PM, Jon Dreyer <jon at jondreyer.org> wrote:
>>
>> My approach is a bit more work, but it makes me feel safe despite how
>> theoretically easy it would be to break it.
>>
>> I have a text file in an unlinked, and trivially password protected,
>> Web page. That file looks like a list of my passwords, but it isn't
>> quite. Each password in the file is a randomly generated string, but
>> what the attacker (except for you all) doesn't know is that the
>> actual passwords are those random strings but with my own personal
>> tweak. When I log in to, say, my bank account, I copy/paste the
>> string from the file into the password field and then tweak it.
>>
>> So the only way I'm screwed is if they find this file and figure out
>> my tweak (and there's no clue that one is needed except that the
>> passwords don't work). Cryptographically unsafe, but it feels
>> pragmatically pretty safe to me, since you can break into millions of
>> accounts if you hack lastpass, but you can only get my accounts if
>> you hack this.
>>
>> Somebody who doesn't have their own Web site could do this with
>> something like a google doc or google sheet.
>>
>> And I also use 2FA for important sites as well.
>>
>> --
>>
>> Jon "I Don't Have To Outrun The Bear; I Just Have To Outrun You" Dreyer
>> Math Tutor/Computer Science Tutor <http://www.passionatelycurious.com/>
>> Jon Dreyer Music <http://music.jondreyer.com/>
>>
>> ===============================================
>> ::The Lexington Computer and Technology Group Mailing List::
>> Reply goes to sender only; Reply All to send to list.
>> Send to the list: LCTG at lists.toku.us Message archives:
>> http://lists.toku.us/pipermail/lctg-toku.us/
>> To subscribe: email lctg-subscribe at toku.us
>> <mailto:lctg-subscribe at toku.us> To unsubscribe: email
>> lctg-unsubscribe at toku.us <mailto:lctg-unsubscribe at toku.us>
>> Future and Past meeting information: http://LCTG.toku.us
>> <http://LCTG.toku.us>
>> List information: http://lists.toku.us/listinfo.cgi/lctg-toku.us
>> This message was sent to armillner48 at gmail.com.
>> Set your list options:
>> http://lists.toku.us/options.cgi/lctg-toku.us/armillner48@gmail.com
>>