Favourite Password Manager

gittiest personITW
Level 12
Posts: 4286
Joined: Tue May 28, 2019 4:27 pm

Re: Favourite Password Manager

Post by gittiest personITW »

AZgl1800 wrote: Wed Dec 07, 2022 5:31 pm
and, I don't believe the ballyhoo that LastPass customer information has been divulged.
their servers might have been hacked, but the encrypted info did not get divulged....

I have never once, had any password hacked and I have been using LastPass for many years, before it was renamed as "LastPass"
https://www.forbes.com/sites/daveywinde ... ow-so-far/

There are many things I don't believe, however, it doesn't make me a genius either.
AZgl1800
Level 20
Posts: 11186
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes Sweeping down the Plains

Re: Favourite Password Manager

Post by AZgl1800 »

read deeper

At this early stage in the investigation, Toubba said that work is underway to determine the scope of the breach and the specific nature of the customer information that has been accessed. "Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture," Toubba confirmed. This, as in the August breach, is good news for users of the LastPass password manager.
I read all the info, and I am NOT concerned that my "passwords" have been divulged....

and BitWarden uses a web server, so what is the difference???

I tried BW as a local only password manager, and it failed horribly,
I am done with it.

I tried KeePassXC and I don't like it either.

The FBI tried to force "Signal" to reveal messages that one of their customers/clients/user said.

the end result?
Signal appeared at the Grand Jury court room, and provided the FBI two things.

1) the phone number which was already supplied by the FBI

2) the date/time of the last use in Unix Time format
https://www.youtube.com/watch?v=3oPeIbpA5x8


IMO, the result for LastPass and Signal and Telegram are all the same.
End to End Encryption.
No middle man
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint
gittiest personITW
Level 12
Posts: 4286
Joined: Tue May 28, 2019 4:27 pm

Re: Favourite Password Manager

Post by gittiest personITW »

Hi AZL.
At no point did I say passwords had been breached. It was just that if a company is slack enough to have been breached twice in the last 4 months then it might be worth having a look around for another solution. Or not, completely up to you.
It seems you know your way around password managers anyway so at least you have a head start on that.
Iceberg
Level 1
Posts: 17
Joined: Sat Jun 24, 2017 6:46 pm

Re: Favourite Password Manager

Post by Iceberg »

LastPass hack is actually a breach and they finally admit it after 4 months.

https://arstechnica.com/information-tec ... omer-info/
Password manager says breach it disclosed in August was much worse than thought.
AZgl1800
Level 20
Posts: 11186
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes Sweeping down the Plains

Re: Favourite Password Manager

Post by AZgl1800 »

Iceberg wrote: Fri Dec 23, 2022 1:01 am Lastpass hack is actually a breach and they finally admit it after 4 months.

https://arstechnica.com/information-tec ... omer-info/
Password manager says breach it disclosed in August was much worse than thought.

you folks are quoting out of Context, just like the crap on Facebook.


if you read their Blog, no user passwords have been divulged, the encryption is extremely deep
and the only access was to a backup server and one Administrator's password.
( he was fired )
that backup server has been Deep Sixed, and has not been online since that happened.


https://blog.lastpass.com/2022/12/notic ... -incident/

To quote them:
If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time. 
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint
dave0808
Level 5
Posts: 987
Joined: Sat May 16, 2015 1:02 pm

Re: Favourite Password Manager

Post by dave0808 »

LastPass may have done a great job with their software, but it's closed-source, so we only have their word for it.

They use pretty standard 256-bit AES encryption. You can call it "extremely deep" if you like, but it's no better and no worse than most of the other solutions out there. Also we would have to assume that they've implemented the encryption properly. Plenty of screw-ups have occurred not because the algorithm is broken but because the implementation was broken.

"it would take millions of years to guess your master password"

That is assuming that you've chosen a good, strong password in the first place. And you've not tinkered with the settings and reduced the overall security. It also assumes that there are no sudden breakthroughs in cryptanalysis that render current systems unworthy - though if that happens, there are going to be problems all over.

Online password managers are very useful and have their pros, but they also have their cons (what doesn't?!) and readers need to make an informed decision, not just based on marketing PR.
AZgl1800
Level 20
Posts: 11186
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes Sweeping down the Plains

Re: Favourite Password Manager

Post by AZgl1800 »

Are 24-character passwords deep enough for you with the Default Settings?
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint
dave0808
Level 5
Posts: 987
Joined: Sat May 16, 2015 1:02 pm

Re: Favourite Password Manager

Post by dave0808 »

For me? Sure, I don't have anywhere near the computing power required, unless I was extremely lucky of course...

The thing is, whatever the quoted (or sometimes calculated) time-period is to brute-force a password by guessing, that figure is the worst-case scenario of having to try every single possible combination and coming up with the correct one on the last guess. If the guesses are attempted randomly, there's an equal probability of guessing right first time. :wink:
acerimusdux
Level 5
Posts: 633
Joined: Sat Dec 26, 2009 3:36 pm

Re: Favourite Password Manager

Post by acerimusdux »

While your passwords are still very likely secure if you used LastPass, this also means someone who got that database now has your usernames, email address, IP address, and URLs of all the websites you visit. So it's still pretty terrible for privacy purposes (though not that different from the kinds of data companies like Google are able to collect on you).

With Bitwarden though, everything in the vault is encrypted, including names, phone numbers, user names, email addresses, any notes, and website URLs. I don't know why LastPass didn't design their system this way.

But still, if you want to be sure that no information about what websites you have in your Bitwarden vault could be discoverable, you might also wish to disable website icons.
Last edited by acerimusdux on Tue Dec 27, 2022 12:31 am, edited 1 time in total.
AZgl1800
Level 20
Posts: 11186
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes Sweeping down the Plains

Re: Favourite Password Manager

Post by AZgl1800 »

acerimusdux wrote: Mon Dec 26, 2022 6:23 pm While your passwords are still very likely secure if you used LastPass, this also means someone who got that database now has your usernames, email address, IP address, and URLs of all the websites you visit. So it's still pretty terrible for privacy purposes (though not that different from the kinds of data companies like Google are able to collect on you).

With Bitwarden though, everything in the vault is encrypted, including names, phone numbers, user names, email addresses, any notes, and website URLs. I don't know why LastPass didn't design their system this way.

But still, if you want to be sure that no information about what websites you have in your Bitwarden vault could be discoverable, you might also wish to [disable website icons](https://bitwarden.com/help/website-icons/).

while I had BitWarden installed, I followed that feature, and my passwords are clean.

there is a website that searches for you also, forget what it is, and that came up clean
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint
OunceofCommonSense
Level 5
Posts: 677
Joined: Mon Oct 01, 2012 3:52 pm

Re: Favourite Password Manager

Post by OunceofCommonSense »

https://www.schneier.com/blog/archives/ ... reach.html

Seems like flogging a dead horse at this point but in essence the article says ...."this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer."
MB: Gigabyte model: B650M AORUS ELITE AX Memory: Corsair Low Profile Vengeance 32.00 GB. CPU Ryzen7600x Platform: x86_64 Distribution: Linux Mint 21.2
AZgl1800
Level 20
Posts: 11186
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes Sweeping down the Plains

Re: Favourite Password Manager

Post by AZgl1800 »

My son is one of those "the world is doomed" and has Diesel fuel stored in barrels underground around his home.
and more barrels with stored Dry goods.

not going there, I am not one to get paranoid over everything the doom sayers spout.

I change passwords on my Financial websites every now and then, the forums I surf have never once in 20 years been afflicted with a hacker on my accounts.
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint
OunceofCommonSense
Level 5
Posts: 677
Joined: Mon Oct 01, 2012 3:52 pm

Re: Favourite Password Manager

Post by OunceofCommonSense »

Bruce Schneier is one of the world's top experts on computer security
MB: Gigabyte model: B650M AORUS ELITE AX Memory: Corsair Low Profile Vengeance 32.00 GB. CPU Ryzen7600x Platform: x86_64 Distribution: Linux Mint 21.2
icewind
Level 1
Posts: 11
Joined: Thu May 19, 2022 2:58 pm

Re: Favourite Password Manager

Post by icewind »

I use Bitwarden, it's a great password manager.
Cosmo.
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: Favourite Password Manager

Post by Cosmo. »

The own passwords on a cloud server? Brrr. :twisted:

Besides that: Just 2 days ago a security hole in Bitwarden has been found, which can reveal passwords.
gittiest personITW
Level 12
Posts: 4286
Joined: Tue May 28, 2019 4:27 pm

Re: Favourite Password Manager

Post by gittiest personITW »

Cosmo. wrote: Sun Mar 12, 2023 5:07 am The own passwords on a cloud server? Brrr. :twisted:

Besides that: Just 2 days ago a security hole in Bitwarden has been found, which can reveal passwords.

Good link.
Thanks.

Just waiting for my keepassxc to be found wanting in some way - although it seems to be holding up pretty well - so far.
stevengarland
Level 5
Posts: 844
Joined: Tue Mar 05, 2019 4:04 pm
Location: Michigan

Re: Favourite Password Manager

Post by stevengarland »

We have used Dashlane for several years. No problems - only gets better. Since it is in the cloud it is easily used on any computer I happen to be using. Also works well on iPhone.
Keep It Simple Sweetheart
icewind
Level 1
Posts: 11
Joined: Thu May 19, 2022 2:58 pm

Re: Favourite Password Manager

Post by icewind »

Cosmo. wrote: Sun Mar 12, 2023 5:07 am The own passwords on a cloud server? Brrr. :twisted:

Besides that: Just 2 days ago a security hole in Bitwarden has been found, which can reveal passwords.

Interesting link, I did not know that about Bitwarden.

I may go back to KeePass instead.