this post was submitted on 07 Sep 2023
981 points (99.0% liked)

Technology

59581 readers
3372 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 161 points 1 year ago (4 children)
[–] [email protected] 70 points 1 year ago (1 children)

I dumped LastPass for Bitwarden a few years ago. So glad I did.

[–] [email protected] 4 points 1 year ago

Same! Thinking i coulda been a victim in this attack is scary!

[–] [email protected] 52 points 1 year ago (2 children)
[–] OberonSwanson 18 points 1 year ago (5 children)

Any recommendations on how-to?

[–] [email protected] 34 points 1 year ago (1 children)

KeepassXC (desktop)/KeePassDX(mobile) on top of something like Syncthing or Nextcloud.

[–] OberonSwanson 3 points 1 year ago (1 children)

Thanks for the suggestion, I’ll try checking out both options. Unfortunately, I have an iPhone, so sadly there’s no KeepassDX. 🤔

[–] [email protected] 3 points 1 year ago

I think there's probably a Keepass compatible iPhone app out there but I haven't vetted it. Worth looking for though.

[–] [email protected] 27 points 1 year ago* (last edited 1 year ago) (1 children)

Vaultwarden is what I use: https://github.com/dani-garcia/vaultwarden/

Their wiki is pretty good assuming you're comfortable with Docker.

Back before I self-hosted, KeePassXC for desktop and Keepass2Android for mobile (along with Synching to sync the database) got the job done.

[–] OberonSwanson 4 points 1 year ago (1 children)

Interesting, I’ll check it out, as it looks like it’ll cover what I need. Hopefully it’s simple enough, as always having an iPhone makes things more complicated lol.

[–] [email protected] 3 points 1 year ago

I host for my family which has a mix of Android and iPhone. So far, no complaints about Bitwarden on iOS. Hopefully it works out for you. If self hosting becomes a problem, I think premium is only $10/year and family is up to 6 people at $40/year.

[–] [email protected] 11 points 1 year ago (1 children)

It doesn't have to be difficult.

  1. Download keepass to your computer.

  2. Keep the save file on a USB or private cloud backup.

  3. Done!

As you get more comfortable with it, you'll start using it in more complex ways. Like having a phone app, connected to a self hosted network. But keep it simple for now.

[–] OberonSwanson 3 points 1 year ago

This might be a good idea for my family, they definitely prefer a K.I.S.S. approach lol.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (2 children)

If you wanna use KeePass, you just have to store your database in some secure location. It can be on your local drive or in the cloud, any location you trust really.

[–] OberonSwanson 4 points 1 year ago

Guessing it’s suggested to use a small flash drive and keep it hidden somewhere?

[–] [email protected] 3 points 1 year ago

You can set the encryption strength though, so I guess you could set it high and could even have it untrusted.

Mine takes a while to open on my phone because of that

[–] [email protected] 3 points 1 year ago
[–] [email protected] 4 points 1 year ago (1 children)

Self-hosted with yubikey 2fa. Even Santa Claus can't see my info 😎

[–] [email protected] 1 points 1 year ago (2 children)

I should get around to doing this... But it scares me haha.

[–] [email protected] 3 points 1 year ago

I started out with the Yubikey, which was such a relief all by itself. Even if you have my password, you need my physical USB key to plug in or NFC confirm for the 2fa. I did later move to self-hosting, but I def have a backup of a backup for that since space is cheap-ish.

[–] [email protected] 2 points 1 year ago

Not sure about that software specifically but most yubikey 2FA implementations allow you to set up more than one key. That way you don’t lose access if you lose your key. I personally have three keys.

[–] [email protected] 12 points 1 year ago (2 children)

So what makes Bitwarden better than LastPass if you're using Bitwarden's hosted option (I know you can keep it locally).

[–] [email protected] 23 points 1 year ago (2 children)

From what I remember (take this with a grain of salt since it’s all from when the big LastPass breach happened,) LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes, images, etc) were unencrypted. So even without cracking any vaults, hackers got access to gigantic lists of usernames and their associated email addresses. That’s valuable in and of itself, because it allows them to spear-phish those users.

For example, you may not fall for a regular phishing scam. But you may fall for it if the email has your username and recovery info in it. Because they know every email you’ve used to sign up for something and all of your different usernames that you used on that site, so they can craft convincing phishing emails that are specifically tailored to you.

It also allows them to search for specific users. Maybe there is a user on a crypto forum who is particularly noteworthy. Their username is already known on the site, and hackers are able to cross-reference that with the list of known usernames/emails and see if that user’s vault was part of the breach. If it was, they can focus on breaching that one user’s vault, instead of aimlessly trying random vaults.

[–] can 7 points 1 year ago (1 children)

That’s valuable in and of itself, because it allows them to spear-phish those users.

I'm sorry, this is the first time I'm hearing the term spear-phish and I love it. It's hilarious.

[–] [email protected] 9 points 1 year ago (1 children)

It refers to targeting phishing attacks. With traditional phishing, scammers simply cast an ultra wide net and catch whichever one’s happen to respond. They don’t really care who it is, because they’re playing a numbers game. Even if only 0.1% of people respond, sending out a thousand phishing emails means you still got a response.

But with spear phishing, it’s a targeted attack. They’ll call you at your desk with a spoofed work number, and pretend to be the CEO’s assistant. The CEO needs you to go buy gift cards for a big sales event coming up. Don’t worry, it can all be expensed later, but he needs the cards now and doesn’t have time to deal with vendors and purchase orders. And now you’re reading gift card numbers to a scammer, because they knew enough about your workplace to be able to reasonably impersonate the CEO’s assistant.

It can also be used to refer to targeted attacks against company leaders or notable figures. Maybe someone has a fat crypto wallet, so someone targets them. Or maybe they try to trick the CEO into giving away a trade secret. Regardless of the reasons, the attack is still the same basic principle; Find a target, meticulously research them enough to be able to fool them, then attack. Most people will be good at avoiding regular phishing. But very few people are prepared for a coordinated and laser-guided spear phishing attack.

[–] can 3 points 1 year ago

Thank you for the realistic depiction of how it can happen.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (1 children)

LastPass didn’t actually encrypt your entire vault. They only encrypted the passwords. The rest of the vault, (which would be comprised of usernames and the sites that are associated with them, notes

Wait a moment... now I wonder how many people kept their crypto wallet recovery word lists as notes instead of as passwords.

[–] [email protected] 1 points 1 year ago

Geez I do this in 1 password.

[–] [email protected] 21 points 1 year ago (1 children)

I’m not 100% but I think Bitwarden actual encrypt the entire ‘password object’. So the url, username, password, and any notes. Lastpass didn’t/doesn’t encrypt the url so if anyone gets access to the vault, they have a list of websites where the person will have an account and can more accurately send phishing emails.

[–] [email protected] 1 points 1 year ago

It encrypts the entire vault iirc, not the objects themselves. The only thing a breach cound gain access to is the encrypted vault, the hashed master password and the master email.

[–] Lucidlethargy -5 points 1 year ago (3 children)

There's no such thing as an impenetrable password manager. I keep my most secure passwords in my head, and so should everyone.

Even if the software were perfect, people aren't. Anyone can be fooled under the right circumstances. It's better to expose one service than all of them at once.

[–] [email protected] 4 points 1 year ago

Your head cannot be securely backed up, and you are not resistant to major thread actors (torture, and so on)

[–] [email protected] 2 points 1 year ago

2fA is an important element too.

[–] [email protected] 1 points 1 year ago

How would someone steal my password and my physical yubikey for 2fa?