Password Manager Security problems? or Not?

AZgl1800
Level 20
Posts: 11145
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes Sweeping down the Plains

Password Manager Security problems? or Not?

Post by AZgl1800 »

I have been using LastPass for many years, normally without any problems at all,

BUT, I have just come to realize that was probably because I have always had a Dedicated IP address previous to changing my ISP over to T-Mobile Wireless,
because they give me 100GB for $50/month: Verizon is astronomically unaffordable and has a 30GB max/month plan, no Unlimited LTE at all.

Now, when TM changes my IP address, LastPass blocks me from doing an AutoLogin via Firefox using it as a Password Manager.

So, I have to go to my email and verify that it was me, and then try to login to Lastpass again.
Sometimes it works, but more often it does not.

I have just switched over to my Verizon MiFi to verify who I am, and get my password for LastPass sync'd up again.
It continues to work just fine, until I switch back to T-Mobile and then I get in trouble again.

I realize, and LastPass email messages make it quite clear, they think I am being hacked, so they block the new login from a strange IP address.

Anyone else have similar issues with their online password managers?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 3 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint
t42
Level 11
Posts: 3708
Joined: Mon Jan 20, 2014 6:48 pm

Re: Password Manager Security problems

Post by t42 »

AZgl1500 wrote: Tue Jul 27, 2021 2:24 pm So, I have to go to my email and verify that it was me, and then try to login to Lastpass again.
You can disable that option:

1. First, log in to LastPass and access your Vault
2. Then go to https://lastpass.com/?ac=1 and log in with your email and password.
3. Select Account Settings on the left.
4. Click Show Advanced Settings.
5. Find Disable Email Verification, check the box to enable the "Don't require email verification from unknown devices and locations" setting.
6. When prompted, confirm that with Master Password and click OK / Update.
-=t42=-
Kris345
Level 5
Posts: 534
Joined: Mon Jun 22, 2020 10:22 am
Location: New England

Re: Password Manager Security problems

Post by Kris345 »

@AZgl1500 thanks for sharing. @t42 thanks for the fix. I have used LP for a long time but I am on Comcast so a fixed ISP addy.
-- ThinkPad P15s-Gen1-20T4-002KUS, i7-10510U, UEFI/GPT, 16GB, Sammy 970 EVO Plus 500GB M.2.
- others -
-laserjets: HP M254dw color, HP P1606dn. Epson Perfection 2480 flatbed scanner -

Re: Password Manager Security problems

Post by AZgl1800 »

t42 wrote: Tue Jul 27, 2021 4:36 pm
AZgl1500 wrote: Tue Jul 27, 2021 2:24 pm So, I have to go to my email and verify that it was me, and then try to login to Lastpass again.
You can disable that option:

1. First, log in to LastPass and access your Vault
2. Then go to https://lastpass.com/?ac=1 and log in with your email and password.
3. Select Account Settings on the left.
4. Click Show Advanced Settings.
5. Find Disable Email Verification, check the box to enable the Don't require email verification from unknown devices and locations setting.
6. When prompted, confirm that with Master Password and click OK /Update.
I think I will have to do that, as my IP address keeps jumping, it is different every time I boot up the laptop.

I have a very difficult password for it, not likely to be found by anyone, and I have Firefox's data encrypted, so no way to get my bookmarks or passwords that way...
SimonPeter
Level 5
Posts: 582
Joined: Tue Jul 13, 2021 5:13 am

Re: Password Manager Security problems

Post by SimonPeter »

TL;DR
Use KeePassXC, back up the small encrypted password database (about 10KB) to the cloud.

KeePassXC is a well-maintained and secure password manager.

Its encrypted password database is just a single small .kdbx file.
It has a browser extension, can autotype, can generate random passwords, and you can also store notes in it...
Aside from the master password, you can optionally have keyfiles or YubiKey 2FA.
It won't connect to the internet.
It is Free and Open Source Software (a HUGE plus -- you can really trust it with your passwords)

My encrypted password database (.kdbx) is about 10KB and I can easily back it up to the cloud (it's already encrypted, so even your cloud provider can't read it).

Re: Password Manager Security problems

Post by AZgl1800 »

I found out what the "real problem" was.

I had decided to change how FF handles cookies and passwords, and just rely on LastPass to handle things.

Unfortunately, I had forgotten to exclude LastPass as being a cookie that gets tossed away.
So, when FF was booted on a different IP, it did not know what the password was to invoke LastPass.

I decided to go back to the way I had it before, let Firefox remember certain logins, and keep the database itself Encrypted.

That seems to have resolved it for me.

I tried Keepass XC several years ago, but it felt clumsy, or awkward, or I just didn't like how it worked??

don't remember now, I wake up to a new world every morning.

The major thing I did NOT like about Keepass XC, was the fact it did not reside in the 'cloud', because I use LastPass on several PCs, different versions of Linux Mint, a lot of them experiments loaded into VirtualBox and I want LastPass to work there too.

and then, when I go to bed, my bedside laptop wouldn't know what the latest passwords are now.
For me, it was fraught with way too much trouble to keep everything sync'd up.
and, which PC had the latest copy of that new password??

So, I went back to LastPass.
and it works with Win10 ( sigh ) and anywhere I might be...
newlyminted7
Level 5
Posts: 563
Joined: Sat Jan 02, 2021 4:44 pm

Re: Password Manager Security problems

Post by newlyminted7 »

I'd also highly recommend something along the lines of KeepassXC. But I'd go further and encourage you to only use it offline. And commit your most frequently used passwords to memory.

Bear in mind the risks of entrusting your passwords to a supposedly "trustworthy company" online. They're all trustworthy until... they aren't. (remember when Google's tagline was "do no evil"?) Something to think about. Online password services are major hacker targets, for obvious reasons. And if one can be hacked, they all can be.

Because once your passwords are gone - they're not just gone but they are in someone else's hands and you'll never get them back. Also understand that the best hacks are the ones you never hear about at all...

Re: Password Manager Security problems

Post by t42 »

newlyminted7 wrote: Thu Jul 29, 2021 1:35 am Bear in mind the risks of entrusting your passwords to a supposedly "trustworthy company" online.
How do you suppose to crack LastPass encrypted vault 5,000 rounds of PBKDF2-SHA256 key with a salt of 100,000 rounds? Please remember, LastPass never has access to your master password. The browser's form autofill feature is a real danger for password leaks, and how many people have it disabled?
-=t42=-
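
The arrangement t42's post refers to, sketched as an added example (not part of the thread and not LastPass's own code): the device stretches the master password into a vault key and sends only a derived login hash, which the server stretches again. The 5,000 and 100,000 round counts are the figures quoted above; the function names, the email-as-salt choice and the sample credentials are assumptions.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000     # client-side figure quoted in the post
SERVER_ROUNDS = 100_000   # server-side figure quoted in the post


def client_derive(email, master_password, rounds=CLIENT_ROUNDS):
    """Runs on the user's device; the master password never leaves it.

    Returns (vault_key, login_hash). Using the lowercased email as salt
    is an assumption of this sketch.
    """
    password = master_password.encode("utf-8")
    salt = email.strip().lower().encode("utf-8")
    vault_key = hashlib.pbkdf2_hmac("sha256", password, salt, rounds)
    # One more PBKDF2 round, so the value sent to the server is not the
    # key that encrypts the vault.
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, password, 1)
    return vault_key, login_hash


def server_enroll(login_hash, rounds=SERVER_ROUNDS):
    """Server side: stretch the received login hash again before storing."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, rounds)
    return {"salt": salt, "rounds": rounds, "verifier": verifier}


def server_verify(record, login_hash):
    """Recompute the verifier and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", login_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["verifier"])


def rounds_per_guess(stolen, client_rounds=CLIENT_ROUNDS,
                     server_rounds=SERVER_ROUNDS):
    """PBKDF2 rounds one master-password guess costs against stolen data.

    'vault'    : encrypted vault blob, checked with vault_key alone
    'verifier' : server's stored verifier for the login hash
    """
    if stolen == "vault":
        return client_rounds
    if stolen == "verifier":
        return client_rounds + 1 + server_rounds
    raise ValueError("stolen must be 'vault' or 'verifier'")


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    key, login = client_derive("user@example.com", "correct horse battery staple")
    record = server_enroll(login)
    print("login accepted:", server_verify(record, login))
    _, wrong = client_derive("user@example.com", "wrong guess")
    print("wrong password accepted:", server_verify(record, wrong))
    for item in ("vault", "verifier"):
        print(item, "rounds per guess:", rounds_per_guess(item))
```

In this sketch the server-side rounds protect only the stored verifier; a copy of the encrypted vault is guarded by the client-side round count and the strength of the master password.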

Re: Password Manager Security problems

Post by SimonPeter »

I don't want to start a fight, I'm just giving some information.
t42 wrote: Thu Jul 29, 2021 2:02 am
newlyminted7 wrote: Thu Jul 29, 2021 1:35 am Bear in mind the risks of entrusting your passwords to a supposedly "trustworthy company" online.
How do you suppose to crack LastPass encrypted vault 5,000 rounds of PBKDF2-SHA256 key with a salt of 100,000 rounds? Please remember, LastPass never has access to your master password. The browser's form autofill feature is a real danger for password leaks, and how many people have it disabled?
It is just what they CLAIM to have. We can't see the source code to be sure.

We don't know what is inside LastPass (it is NOT open-source).
It could be anything inside it. We just don't know.

For example, anyone can make a closed source app storing passwords with something like truncated md5pass / 56 bit RC4, and claim it uses Argon2 / SHA3-512 / AES-256 + Twofish .... blah blah.

Or, anyone can make an app that sends passwords encrypted with the company's public key (so that the company can read them), or ...... anyone can make anything and claim to be something else.

LastPass' Android app already has 3rd party trackers.
Ref: https://en.wikipedia.org/wiki/LastPass# ... y_trackers https://www.reviewgeek.com/72272/the-la ... %9F%98%AC/

So, the solution is to encrypt it with Free and Open Source Software (so that we can see the source code to be sure that it really DOES encrypt our data safely), and KeepassXC is such software.

Re: Password Manager Security problems

Post by SimonPeter »

AZgl1500 wrote: Wed Jul 28, 2021 2:24 pm I tried Keepass XC several years ago, but it felt clumsy, or awkward, or I just didn't like how it worked??
We have choice -- we can use other Free and Open Source Software (FOSS) password managers -- like Bitwarden https://bitwarden.com/download/
https://en.wikipedia.org/wiki/List_of_password_managers -- in the "Features" section

BTW: I feel KeepassXC's GUI is pretty good -- Create a new database, set the master password, save it like any other file, open it like any other file, type your master password,...
AZgl1500 wrote: Wed Jul 28, 2021 2:24 pm The major thing I did NOT like about Keepass XC, was the fact it did not reside in the 'cloud'.
Bitwarden can reside on the 'cloud'. It is Free and Open Source Software (FOSS).
https://bitwarden.com/

You can also backup the small (about 10KB) KeepassXC database to the 'cloud'.
AZgl1500 wrote: Wed Jul 28, 2021 2:24 pm So, I went back to LastPass.
and it works with Win10 ( sigh ) and anywhere I might be...
Bitwarden officially works on Windows, Linux, macOS, Android, iOS.
It also has extensions for Google Chrome / Chromium, Mozilla Firefox, Safari, Vivaldi, Opera, Microsoft Edge, Brave and Tor browsers.
https://bitwarden.com/download/

KeepassXC officially works on Windows, Linux, macOS, etc.
(there are other ports to BSDs, Android, etc.)

Re: Password Manager Security problems

Post by newlyminted7 »

t42 wrote: Thu Jul 29, 2021 2:02 am
newlyminted7 wrote: Thu Jul 29, 2021 1:35 am Bear in mind the risks of entrusting your passwords to a supposedly "trustworthy company" online.
How do you suppose to crack LastPass encrypted vault 5,000 rounds of PBKDF2-SHA256 key with a salt of 100,000 rounds?
It isn't all about encryption. There are many weak points within any system - and hackers aren't going after the strongest point of defense. Weak points exist, even if it is a human, or unscrupulous business practices, or when data is in transit. Do they decrypt for any reason? How do you know they don't? What about for legal reasons? What exactly happens in such a case? Just because a system or service utilizes encryption doesn't mean they are 100% secure. Nothing is. It is a matter of who do you trust. Do they have regular third party audits? Open source code? Why not? Those should be your first red flags right there. Anyone can put anything up online talking about how secure they are. Are they owned by crooks? A shady country? How would you know? Because they have a nice website talking about how great and secure they are? Security doesn't work that way.

Not many people thought gmail would datamine everyone's emails for ads when they launched, either. Why not? Because people thought they could trust them.

I'm pointing out that it is worth reconsidering where we store valuable information, especially if people are willing to store such valuable information with an online service. Maybe LastPass is fine. Maybe it's not. It's those red flags that should really raise eyebrows, though. And how comfortable are you being their beta tester with your data? Again, the best hacks go undetected, which means you'll never know if your data has been stolen (or shared by crooked businesses - remember the FB / Cambridge Analytica scandal? Does an apology get your data back?).

And, as SimonPeter pointed out, we just don't know what their code contains, nor what other online services it interacts with, or who their "partners" might be. And those third-party trackers in their Android app prove they are willing to engage in unethical and unscrupulous behaviour. Red flag number three. They are a business, not a well-respected, audited, and open-source organization with a track record. They are in business to make money - as their adoption of third party trackers proves. This makes their motivation suspect, at least in my opinion.
t42 wrote: Thu Jul 29, 2021 2:02 am Please remember, LastPass never has access to your master password.
LastPass has access to whatever it wants access to and they don't have to tell you. Companies have been known to do unscrupulous things before. If you type text into the password field and they record it, then they have that text. They don't have to tell you and they can do whatever they want. Can they be trusted? Perhaps. Forever? Who knows. Just like people used to trust Google, and many other companies. What if the company gets bought? Bottom line is there are many, many situations that can expose data to third parties. My point is you greatly reduce the chances of your data being stolen, shared, or otherwise obtained if it's not there in the first place. In general, people are just too trusting of online services, in my opinion. Especially free ones.

Re: Password Manager Security problems

Post by AZgl1800 »

newlyminted7 wrote: Thu Jul 29, 2021 1:35 am I'd also highly recommend something along the lines of KeepassXC. But I'd go further and encourage you to only use it offline. And commit your most frequently used passwords to memory.
That is the most ludicrous suggestion I have ever seen.

Most of my passwords are random generated characters by the Password Manager / Lastpass for me.

Secondly, unless you are a geniac, no one remembers a dozen or 1,256 passwords...

Third, I was hit by a Semi truck back in 2008 which destroyed my short term memory.
IF, it was 35 years ago, I can remember it.
IF, it was in the last 5 years, it is vaporized within 15 seconds...

I can't even remember a phone number, long enough to type it on a different application.
Your recommendation is pure BS.

sorry I started all of this,
MODs

Close this thread, I am out of here.

Re: MODERATORS ---- DELETE THIS THREAD PLEASE

Post by newlyminted7 »

:shock: Sorry to cause you so much distress, I obviously wasn't aware you had memory troubles.
That wasn't even my main point...
Was only trying to help.
I do wish you the best, take care.

Re: MODERATORS ---- DELETE THIS THREAD PLEASE

Post by Kris345 »

@newlyminted7 When you suggested that, I went to take a look at it. I did notice that it had 44,000 users vs 749,000 users of LastPass. I stopped looking.

I have thousands of passwords. I have never had a security prob with LastPass. Used it for years. I don't have a memory problem other than being near 80.

Re: MODERATORS ---- DELETE THIS THREAD PLEASE

Post by newlyminted7 »

That's great if it works for you, Kris345.

Although I highly doubt you'll be able to get a real number of users of KeepassXC since it can be freely downloaded and used offline without needing to create an account online (and I wasn't the only one to recommend it, fyi). But it most certainly has fewer users than LastPass, yes.

Popularity has nothing to do with security, though. Usually the inverse, actually. Windows is a good example.

Re: MODERATORS ---- DELETE THIS THREAD PLEASE

Post by t42 »

@AZgl1500: still, it was a useful topic until it wasn't (till 28 Jul 2021 20:24 inclusive). After that it became mildly interesting. I'm using both LastPass and KeepassXC. No antagonism on my part. But the anti-LastPass school of thought is a bonus.
-=t42=-

Re: MODERATORS ---- DELETE THIS THREAD PLEASE

Post by t42 »

If hacking of one's passwords leads to the loss of life, financial ruin, leaking of state or enterprise secrets, etc., then the above anti-LP recommendations are of importance. Otherwise...
-=t42=-

Re: MODERATORS ---- DELETE THIS THREAD PLEASE

Post by AZgl1800 »

Kris345 wrote: Thu Jul 29, 2021 9:33 pm @newlyminted7 When you suggested that, I went to take a look at it. I did notice that it had 44,000 users vs 749,000 users of LastPass. I stopped looking.

I have thousands of passwords. I have never had a security prob with LastPass. Used it for years. I don't have a memory problem other than being near 80.
I came back to see what has transpired.
this is my problem, I have literally thousands of passwords scattered all over the globe ( websites )
most of them only used rarely, maybe 2 or 3 years or more since the last visit.

Lastpass dutifully logs me into those websites.
I have been using LastPass since BEFORE it was called lastpass, and due to my pitiful excuse for a memory bank, I can't recall the name of the password manager I was using at the time.

It used to be Free, not anymore.
Even so, to me, it is worth every penny, and I have never, ever, seen any reports on Lastpass being hacked.

If you forget / don't write down / the lastpass password, you are royally screwed, they make it a point to tell you, there are NO back doors, and they can't help you restore your account.

For that very reason, I always write it down, then do a copy/paste when I change the Master Password.
This means I have to keep that Password somewhere, and for me, that is in Evernote.com which is also in the cloud, and uses a very strict password protection.... lose that password, and you have lost your Evernote account.... :twisted:

I will restore the title to the thread, please carry on, BUT be mindful of us very senior citizens who don't have a brain anymore.... Penske stole it from me.


Accident 94SE.jpg

Re: Password Manager Security problems? or Not?

Post by AZgl1800 »

Oh,
One last comment:

The problem with Lastpass complaining to me, was a bad network connection in Dallas, Texas courtesy of T-Mobile, it was a fault in their Servers on my account....

something got all scrambled up, took them 2 days to figure it out, but they got it fixed.
Not having any more problems now.

The upside to them Fixing it, was my transfer speeds TRIPLED !!!!
wow!

went from 2-5 dn and a miserable 0.2 to 0.5 up, to 32 dn and 7 up.

Re: Password Manager Security problems? or Not?

Post by Kris345 »

Why does LastPass cost you? Free for me. Maybe some feature I don't use? Had it forever. I do have my passwords collected, and detached from the mainframe, but FAR easier to let LastPass autofill. Been totally secure for me.

Hell of a mess. Not much chance on a bike, especially against that. Lucky you are alive. Thanks for sharing.

Am surprised but pleased that Tmobile fixed it for you. Good.