LastPass "accidentally" blocked users from exporting their passwords (Password managers thread) - A potential GDPR violation in progress

There is KeePassXC which is a Cross-Platform fork of KeePass.
Here to shill for KeePassXC. It's genuinely good, especially as a cross platform app. The original KeePass, while it is good, is kinda wonky to use on, say, Linux because it relies on Mono. No idea how that shit works on a Mac, if it's even available for Mac.

Rather just write them all in a notepad file and throw it in a folder labeled "Not Passwords" then trust them with a third party company.
My dad does this. While it does infuriate me because fucking why, it's still better than LastPass or whatever the fuck online password managers people like shilling. If the whole point is securing your passwords then why would you give a third party company access to your passwords for literally everything? That defeats the entire fucking point. It's even more retarded than poking the hole in the condom. This is like poking it full of multiple holes then marinating it in fucking soy sauce & mustard or some shit. It's a bad time for everybody involved.
 
I don't want to create a new thread, but there's a major happening that deserves a PSA, perhaps even a feature @Null : LastPass customer DB and encrypted vaults were stolen, 25 million users affected.
What info hackers have: account metadata, vault metadata (incl. URL field) - URLs from vault entries were stored in a simple SQL db. Absolute infosec niggery from LastPass. For example, if you stored your KF credentials in LastPass, they're now associated with your e-mail, partial CC number, other websites you have accounts on (incl. personal/work/business accts) and IP address. Imagine paying money for this shit.
What they don't have: name, password and notes. If the encrypted vault has a strong master key and LastPass properly implemented the encryption algorithm (which they didn't in the past btw 🤣), this data should be safe.
If you're a LastPass customer, change your passwords (especially if your master password is weak), set up 2FA, delete your LastPass account and ask for a refund.
 
I've never trusted any of these password managers. Whilst it sucks for those who rely on LastPass to keep their passwords for them, I can't help feeling a bit smug that I didn't fall for the password manager meme.

I manage my passwords by writing them down on paper and storing them in my safe at home, and I've not had a single password compromised in all my years of using passwords.
 
I've never trusted any of these password managers. Whilst it sucks for those who rely on LastPass to keep their passwords for them, I can't help feeling a bit smug that I didn't fall for the password manager meme.

I manage my passwords by writing them down on paper and storing them in my safe at home, and I've not had a single password compromised in all my years of using passwords.
Password managers are not a meme if they're local or self-hosted. I don't like generating a password, then writing it on a sheet of paper, then trying to tell 0 from O and 1 from l each time I need to enter the password (and if the password has special characters in it, it's another level of pain). It's better if you use passphrases, but reasonably long ones (7+ words, 100+ bits of entropy) don't fit into the password length limit for most sites.
Another thing to consider is login attempt limits. Most sites mitigate brute-forcing attempts by blocking IPs with too many attempts, 2FA, putting CAPTCHAs and PoW challenges. That's why a password may seem more resilient than it really is. On the other hand, encrypted containers can be brute-forced/dictionary attacked with full speed if the adversary has the copy of the container.
My recipe is 14-word passphrases generated with diceware, which I use as master keys for full-disk encryption and a .kdbx file in my cloud + keyfiles on my devices; all other passwords are generated using the KeePass generator. Even on mobile, typing 14 words is easier than typing 30 random digits and letters in lower/upper case. And as a bonus, some passphrases look like something a skitzocow would write. Read in Terry Davis' voice:
Princess hungry cupid defame gradually tradition
reroute legal guts posh trespass bonfire antitoxic perjury.

Stable revolver conducting graceless limeade driving
exuberant untying size clapper parasite staging anthill foster.
 
I've been saying this for years, and laughed at. All the tech talking heads (and even dear feeder) recommend password managers. They are fucking retarded. One single point of failure. I don't care if it's even an offline program only, it's still the digital equivalent of a fucking post-it note on your PC with the password. Don't care if it's encrypted. All that means is you end up with shit like this, and also break the master password and you have the rest.

Password managers are for niggers.
 
On the other hand, encrypted containers can be brute-forced/dictionary attacked with full speed if the adversary has the copy of the container.
One way to deal with this is to have a large number of iterations required as part of the hashing process. KeePass (and KeePassXC) can benchmark your CPU and then determine # of iterations based on an acceptable time delay for DB opening/saving operations. Bitwarden does this too but with hardcoded values which aren't nearly as time consuming as KeePass' benchmarked values https://github.com/bitwarden/server/issues/589

Vaultwarden does let you configure KDF iterations and is probably the best option for people just hosting small Bitwarden implementations at home. Especially as you don't have to pay for YubiKey support with that.
I manage my passwords by writing them down on paper and storing them in my safe at home, and I've not had a single password compromised in all my years of using passwords.
Only passwords I've had compromised were weak ass passwords from before I used a password manager. Storing passwords on paper is a bad idea. How do you access the passwords while away from home? What's your recovery method if a nigger breaks in and steals your physical password safe? The only benefit I can imagine is sometimes you have more legal protections when refusing to open a physical safe vs a digital one at the behest of the police but if that's applicable, just put the 2nd factor for the digital password safe in the physical safe.
All the tech talking heads (and even dear feeder) recommend password managers. They are fucking retarded
A terrible company that has been shitting in the mouths of its users for years did what they do best and stupid niggers like you use it to decry the use of password managers altogether. There's an alternate reality version of you that's smugly chuckling to himself about how retarded everyone is for having e-mail because they saw an article about Rackspace's Hosted Exchange service getting completely fucking owned. That's the level of retardation you're operating on and frankly I hope the other Dec 2022 users aren't this bad or we're completely screwed.
 
One way to deal with this is to have a large number of iterations required as part of the hashing process. KeePass (and KeePassXC) can benchmark your CPU and then determine # of iterations based on an acceptable time delay for DB opening/saving operations. Bitwarden does this too but with hardcoded values which aren't nearly as time consuming as KeePass' benchmarked values https://github.com/bitwarden/server/issues/589

Vaultwarden does let you configure KDF iterations and is probably the best option for people just hosting small Bitwarden implementations at home. Especially as you don't have to pay for YubiKey support with that.
Still, guessing rates online and offline are orders of magnitude different. And while SHA2 with 1000-100100 iterations (which LP uses/used) is good enough at making random guessing unfeasible, it's bad at mitigating dictionary attacks. One modern ASIC miner calculates ~3,3*10^18 H/kW*day. With 100000 hash iterations that's ~3,3*10^13 passwords per day, good enough for a dictionary attack (or even guessing nigger-tier 6-symbol passwords). Plus, since the attacker has URLs and other metadata, he can estimate the value of the vault and be more selective with directing his hash power.
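The iteration benchmark described a few posts up and the throughput arithmetic in this post, put together as an added example (not code from any poster or from KeePass/LastPass): it picks a PBKDF2-HMAC-SHA256 iteration count for a target unlock delay the way a KeePass-style benchmark does, then estimates how many guesses per day the quoted ASIC rate buys against that count and how long a diceware passphrase of a given length would hold. The 3.3e18 H/kW*day figure and the 7776-word diceware list size are assumptions taken from the thread and the standard list.

```python
import hashlib
import math
import time

# Figures assumed from the thread: ~3.3e18 SHA-2 hashes per kW*day on one ASIC miner.
ASIC_HASHES_PER_KW_DAY = 3.3e18
DICEWARE_LIST_SIZE = 7776  # standard diceware list (6^5 words)


def benchmark_iterations(target_seconds=1.0, sample_iterations=20000):
    """KeePass-style benchmark: time a sample PBKDF2-HMAC-SHA256 run on this CPU
    and scale the iteration count so one key derivation takes ~target_seconds."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"benchmark-only", b"constructed-salt", sample_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    # Never go below the sample count; a fast CPU just means more iterations.
    return max(sample_iterations, int(sample_iterations * target_seconds / elapsed))


def guesses_per_day(iterations, kilowatts=1.0):
    """Password candidates an offline attacker can test per day, given that every
    candidate costs `iterations` SHA-256 computations at the assumed ASIC rate."""
    return ASIC_HASHES_PER_KW_DAY * kilowatts / iterations


def passphrase_entropy_bits(words, wordlist_size=DICEWARE_LIST_SIZE):
    """Entropy of a diceware passphrase: each word adds log2(wordlist_size) bits."""
    return words * math.log2(wordlist_size)


def days_to_exhaust(entropy_bits, iterations, kilowatts=1.0):
    """Days needed to try every candidate in a 2**entropy_bits space; the expected
    time to hit the right one is half of this."""
    return 2 ** entropy_bits / guesses_per_day(iterations, kilowatts)


if __name__ == "__main__":
    its = benchmark_iterations(target_seconds=1.0)
    print(f"iterations for ~1 s unlock on this CPU: {its}")
    for n in (100_000, its):
        print(f"{n} iterations -> {guesses_per_day(n):.2e} guesses/day per kW")
    for words in (4, 7, 14):
        bits = passphrase_entropy_bits(words)
        print(f"{words}-word diceware ({bits:.0f} bits): "
              f"{days_to_exhaust(bits, 100_000):.2e} days at 100k iterations")
```

The pure hash-rate figure only models PBKDF2/SHA-2 style KDFs; a memory-hard KDF such as Argon2 (the KDBX4 default in KeePassXC) changes the attacker's cost model and is not captured by this estimate.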
 
Plus, since the attacker has URLs and other metadata, he can estimate the value of the vault and be more selective with directing his hash power.
Yeah, not encrypting metadata is just astonishingly stupid. A friend recommended 1Password to me and they tend to review very well but I just can't get behind a proprietary system because of the risk that they do stupid shit like that. I've had faggots shill LastPass to me on the basis that it is heavily audited but clearly the auditors are just box checking retards for letting that slip by.
 
I manage my passwords by writing them down on paper and storing them in my safe at home, and I've not had a single password compromised in all my years of using passwords.
I write them down on paper and take a picture of them with my phone. No AI will be able to read my handwriting.
 
If the encrypted vault has a strong master key and LastPass properly implemented the encryption algorithm (which they didn't in the past btw 🤣), this data should be safe.
  1. Attackers first get in August
  2. Then follow up on that (probably using S3 keys someone left in the source code lol) in November
  3. December.... Microsoft bans cryptomining on Azure to protect customers from cryptojacking reserve GPU capacity for the Feds
hmmm
 
I've been saying this for years, and laughed at. All the tech talking heads (and even dear feeder) recommend password managers. They are fucking retarded. One single point of failure. I don't care if it's even an offline program only, it's still the digital equivalent of a fucking post-it note on your PC with the password. Don't care if it's encrypted. All that means is you end up with shit like this, and also break the master password and you have the rest.

Password managers are for niggers.

I just kidnapped and chained an idiot savant in my basement in a state of total sensory deprivation where my passwords are the only stimulus he gets.

When I need it I shout down:

Hey Rain Man, what's my password for kiwifarms? To which he replies "niggerballs69... yeah, it's niggerballs69"
 