More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

  • LemmyFeed@lemmy.world
    link
    fedilink
    English
    arrow-up
    48
    arrow-down
    2
    ·
    3 years ago

    These guys saved their seed phrases to LastPass, not just account passwords. You can’t just change your seeds without moving funds to a new wallet.

    The main lesson here is never store your seeds in digital form, ever. Write it down by hand on paper at creation and then take additional efforts to safeguard it.

    • DrRatso@lemmy.ml
      link
      fedilink
      English
      arrow-up
      5
      ·
      3 years ago

      I just store recovery phrases of all kinds on an encrypted USB stick (which is obviously only connected to my PC when I need to put a new one in or use it (which so far has happened never)), I feel like that is secure enough for me, although if I could laminate at home I might print and make small cards in a separate a card wallet. Any other way I feel like I would eventually lose them, the particular USB drive ive had for over 15 years, it is 512 MB lol.

      • deafboy@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 years ago

        For any significant amount of money, the seed should never even touch a PC. No USBs, no printers.

      • hihellobyeoh@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 years ago

        I would duplicate to at least 2 sticks, and also a written form that you keep stored with important documents, like a safe with your SSN, birth certificate, etc.

    • aesthelete@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      3 years ago

      I wrote my seed information down for my poop coin wallet directly on Charmin double ply and then promptly wiped my ass with it and flushed.

      All my apes gone!

  • sonnenzeit@feddit.de
    link
    fedilink
    English
    arrow-up
    26
    ·
    edit-2
    3 years ago

    Man am I glad that I picked KeypassXC as my password manager some years ago. Super safe, easy to use, costs nothing, not dependant on internet/cloud, can export data to another app at any time, transparent because open source.

    I’m using Syncthing to synchronize across devices which arguably took some fiddling to set up but I only had to fiddle once and haven’t touched the configuration since; it just works automagically in the background.

      • TitanLaGrange@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        3 years ago

        Nothing major as far as I can tell. Here’s an overview via SuperUser. KeePassXC might be a better option for some use cases if you’re mostly not on Windows as it does not require .NET. Note that “KeePassXC does not support plugins at the moment and probably never will”, but it does have built-in support for some things you might want a plugin for in KeePass2.

          • PlexSheep@feddit.de
            link
            fedilink
            English
            arrow-up
            4
            ·
            3 years ago

            They say that but I can’t help but feel it sucks on Linux. Especially their GUI Apps.

          • TitanLaGrange@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 years ago

            It does indeed. My job includes writing and deploying .NET apps on multiple platforms, and it works fine for me.

            But some people prefer not to use .NET when comparable native options are available, so they might prefer KeePassXC.

    • Anonymousllama@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      3 years ago

      I’d be worried about losing access to the entirety of your passwords if Google up and decides that one day your account is suspended. There’s been a few reports historically where someone gets their Gmail account suspended for some mistaken reason and all their associated access gets pulled (e.g. from drive, sheets, etc)

        • jarfil@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          3 years ago

          My Google account has been rock solid from the day I created it as a child

          Hopefully you were of legal age to accept the Terms of Service, otherwise it might’ve been an irregular account all this time.

            • jarfil@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 years ago

              If it was, and you haven’t accepted the ToS as of legal age, then you might want to make a new one.

              Google is getting ready to purge inactive accounts starting next year, and it wouldn’t be the first time when a service purged irregular accounts many years after the fact, so… better safe than sorry.

    • sab@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      3 years ago

      …so far.

      For those that don’t mind self-hosting, which can be as easy as just running syncthing or resilio sync on your NAS, I can really recommend keepass.

      • NevermindNoMind@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        3 years ago

        Me with interest, but no technical knowledge reading your comment:

        which can be as easy as

        :-)

        running syncthing or resilio sync on your NAS

        :-(

        I didn’t understand any of those words

        • sab@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 years ago

          A NAS is a home storage server, like Synology that you can use to store images, videos and backups, etc on so you can access them from any computer or device in your home. With a couple of clicks, they can easily run applications like Syncthing or Resilio Sync, which are kinda like Dropbox, except you don’t have to pay Dropbox, you’ll just be storing the files on your own service.

          If that’s too much to handle, you can still just store your Keepass file in Dropbox, so that it’s available on all your devices. But in the end you’ll still be storing your personal data on someone else’s harddisk.

          So in short, is at easy as using a prefab service? No, you’ll have to invest some time, money, and knowledge yourself. But in the end, your data is not gathered in silo together with countless other users, which makes it a lot less attractive for hackers to try and steal it.

        • Jerkface@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          3 years ago

          edit - nevermind I can’t even format a comment, let alone self host a… Thingie. What the other guy said.

        • diffusive@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          3 years ago

          Self hosting is less appealing for criminals, though. Especially if the protocol is “vanilla” like ssh.

          When you hack LastPass you know what you’ll find, millions of passwords. When you hack a dude ssh you have one chance over one million that there is one dude password wallet.

          It doesn’t make financial sense to hack self hosting (unless it’s specific server software)

  • dangblingus@lemmy.world
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    5
    ·
    3 years ago

    Pro Tip: You don’t need to give a private company all of your passwords. That literally defeats the purpose of having passwords.

  • RBWells@lemmy.world
    link
    fedilink
    English
    arrow-up
    20
    ·
    3 years ago

    That’s an average of over 200k each. I’m wondering how they managed to target people with so much money.

    • smolyeet@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      3 years ago

      The idea is fine. Still trusting lastpass was the bad idea. Others have much better implementations to protector your vault and don’t drop the ball on security time after time.

  • z00s@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    3 years ago

    I mean, they’ve had more than long enough to change passwords.

    Nobody is after your password for the Moravian rug weaving forum but in this day and age it’s on you, if you know there’s a breach and you don’t change your banking / crypto passwords.

    • UFO@programming.dev
      link
      fedilink
      English
      arrow-up
      7
      ·
      3 years ago

      Cannot change crypto seed phrases (but that can be mitigated). Cannot change addresses, social security numbers etc

  • momtheregoesthatman@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    3 years ago

    After years as a family plan subscriber, I moved my personal (1k+) passwords off of LP after the last – and most egregious – breach. I have quite a bit self hosted in my environment but Proton Pass interests me as I can get my wife and son in it easily as we already have the family plan. Lemmy is loaded with tech savy, so my question is; same devil different form? I’ve tried BW but it wasn’t condusive to the whole familys use (at least not a few years ago).

    • Yeahboy92@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 years ago

      If it is cloud hosted then there is always a possibility. Programs like keypass run locally and are only in jeopardy once your system is compromised. The issue with keypass is implementing it for multiple users is probably a chore (never looked into it).

  • Neptune@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    3 years ago

    All that promotion/awards tagging as best password manager for nothing. Glad I picked up KeyPassXC and KeyPassDX and sync between my phone and PC with gdrive

    • Buddahriffic@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      3 years ago

      At first I was confused about why this was being downvoted, but then I noticed the “gdrive”. You’re using a different cloud to avoid this specific cloud.

      • PlexSheep@feddit.de
        link
        fedilink
        English
        arrow-up
        3
        ·
        3 years ago

        Not really a problem until aes-256 is broken, especially with an extra pass file and/or hardware Tokens.

        But yeah that’s suboptimal

      • Neptune@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 years ago

        I know google sucks but it’s easier to sync across and I have separate key file locally on both devices… 🤷

  • Smacks@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 years ago

    The only password manager I trust to connect to the internet is the Firefox manager, Keypass for the important stuff.

  • asudox@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    2
    ·
    3 years ago

    The seeds are passphrases anyway. Just memorize them. Passphrases are so that they are easier to memorize.

  • Holyginz@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    2
    ·
    3 years ago

    Is there any reason to use a password manager over just an excel spreadsheet?