LastPass Got Hacked, Time to Switch to KeePass 

> removes all features > becomes paid > gets hacked > refuses to elaborate > dies

The reason why Keepass is good is because you handle the database file yourself and what type of security you use on it. Rather then trusting that LastPass cloud or another companies cloud.

>The virgin password manager >The chad “write my shit down in a book and store it somewhere safe” Ayy lmao

I keep all my passwords in my head, Security gets better with age. Once the dementia update kicks in, Even i won't be able to get my passwords lol.

That's the beauty of offline password managers. Before you even begin to hack one, you very likely need to get through some password authentication first.

The virgin freemium cloud vs. the chad self-hosted lad

I deal with LastPass/LogMeIn’s support staff on a regular basis and can attest that if LastPass says everything is fine, everything is most assuredly as far the fuck away from fine as possible.

Looking at the incidents where master passwords were allegedly stolen - it appears to be either credential stuffing (using passwords from other hacked websites), or something client-side to try to nab the password before it's encrypted (usually a vulnerability in a browser plugin). Should be noted that things like keyloggers can nab passwords from both cloud and local password managers - so a huge part of your own security is ensuring your own systems aren't compromised. In the case of the incident reported by BleepingComputer in 2021, there was apparently a bug in a system LastPass was developing to warn of possible credential stuffing.

Ah yes, the company that thought they could make money by starting to charge their users for using a simple password manager. I'm shocked they had any users left.

I agree with most of your points here. I disagree with the assumption that open source code is actually looked at by a lot of eyes. Several security issues have arisen and affected a vast majority of projects because that's exactly what's not happening

Also worth a mention, KeyPassXC has a browser integration addon by the developer too so you wont even have to copy/paste passwords if you don't want.

We need an alternative software list video. First RustDesk, I2P and now KeePass. It would be helpful to have all these in 1 video so viewers can make decentralized choices first, rather then as they watch more and more videos👍

I adapted using password managers a few years ago. Before that, I was the kind of person who would save them in browser. LastPass was the one I chose, because let's be honest, it is the Chrome of that realm, majority who uses a password manager, is most likely using LastPass. But I never liked the UX personally and was looking for an alternative that works for me, open source or not. So like just after a month of adapting to the password manager ways of things, I made a switch from LastPass to Bitwarden and was it an upgrade in every possible manner. It is FOSS and it's UI/UX is crazy simple that works for me. Never looked for an alternative ever since because I don't see anything being better than this, not at least for me personally.

Hey man, just wanted to say I appreciate u bringing this type of stuff to the public. Thanks!

Thank you for pointing out that open source code is more secure than proprietary code! I wish more people would understand this when they go to the voting booth!!!! We will never have any ways of knowing that our vote has ever counted if we don't have access to the source code!!

I've had an experience with LastPass I can only describe as outraging. I tried to copy a password one day, only to realize the password I copied actually wasn't my password, it was a corrupted Unicode string. Some other passwords had the same issue. I was locked out and unable to log in to some services that I really needed to log into to do some work. I contacted support and they told me the engineers are aware of the issue and it will be fixed in a WEEK. This is on the level of installing a smart door lock for your home, the servers malfunctioning, and support telling you to sleep outside for a week as the engineers try to fix the servers.

Hacks are exactly the reason I've never used a cloud password manager. Way too big of a target. Until now I've been using randomly generated passwords that I store on an encrypted note, but KeePass + Syncthing sounds like perfection. I'll definitely be switching to that.

Just pointing out that for like 99.99% people, if your solution to this problem is "host a server yourself", it will be waaaay less secure than just about any service you can use, including LastPass, and your server will have way more chances to get broken into.

This is exactly why I don't trust "Password Safekeeper" programs that keep all your passwords locked away in one place. You never know when something will go horribly wrong.

I feel like these “password managers” are all vulnerable. And yet they “claim” that writing passwords on paper is “extremely unsecure”. Yeah… if they claim something that everyone is doing for decades is suddenly “unsecure” is all just to get you to “buy the solution” and make storing passwords “easier”

Switched to Keepass and KeepassXC years ago. Keeping your own passwords on 2 usb keys and a computer for backup reduces your risk to you giving up your password and Keyfile. Use both and put 500 random SSH Keys on a usb key, and.....good luck, if I loose it very few people that will ever be able to break encryption. Thanks for the video and heads up !

With Encryption usually it's OK if the algorithms become known, in fact the more scrutiny the better, as long as the private keys remain secure.

Switched to keepass xc months ago. Took a lot of time resetting a ton of password to safe randomly generated ones given by it but I believe it was worth it overall. Have it on my desktop, laptop, and soon android phone. Pretty upset though that Apple iPhone doesn’t have it. Edit: Thank you for showing the iPhone version. I didn’t know there was one compatible with an iPhone application of keepass.

I agree with all points except one, the concept that opensource is more secure than proprietary. Although I would agree that the code quality is likely better in opensource solutions, that doesn't necessarily translate to less discovered vulnerabilities. The fact of the matter is, opensource code bases can be inspected by bad guys too, and those bad guys might have significantly more interest in finding a vulnerability than the overall community. There aren't THAT many qualified software devs that will think about security and decide to audit opensource code especially if it's their spare time. My point is, even if proprietary code is likely to be much poorer quality, it would take stolen source code to be leaked for the wider internet to make the comparison fair. I'm not saying those things don't happen, but I don't think it's as common place.

I use Bitwarden but I might have switch to self hosted

Been using regular KeePass and keeping the DB in my onedrive for years now. It's handy enough and easy to access a credential when go somewhere since most places have Windohs installed.

I've been looking for something like this for years, ditching my other PM immediately. THANK YOU!

I use bitwarden but passwords i store there aren't complete anyway. I add an easily remembered pin codes based on the resource name to the end. This way even if my passwords are stolen they're useless, it should also be pretty hard to complete them without knowing what symbols i use in pins and how many. Sure, it adds the step of manually adding pins every time but since they're based on resource name it's manageable.

Honestly, the only reason I was using lastpass was for the cloud because I don't trust myself with not losing stuff. Definitely switching, however, thanks for the recommendation.

I'm so happy that this happened, its honestly just such a bad idea to use online password services, just use local password storing solutions

My advice use an open source password manager for passwords that aren’t super important but commonly used and write down and hide the important ones somewhere. That way if your computer gets compromised and your master password is leaked the most important ones are still safe

At this point I’m convinced it’s literally safer to just write your passwords on a notepad or something. Like, I write all my passwords on a notepad file, I should find a way to encrypt it though

A LOT of people are trying to sell "self-hosting" in response to this news when they're failing to make the points made in this video-it's closed source.

Bro, you're brilliant! I just set up syncthing just the other day and this didn't even occur to me. Thank you!

I only keep all of my most important passwords in my head or on a paper in a secure physical location (with no context on the paper that would indicate what those passwords go to). Sure it takes more time to insert my passwords as I have to type them out manually, but keeping them stored in an air gapped way rather than on a server I have no control over is the best option and the only way something could possibly get my info unless they hacked the servers for the account itself or through my device as I type it if it's been hacked.

wow, so i think you just solved 2 major problems i've been having for a few years now, thank you

Whole situation sounds like "nah, stealing user data is too easy, let's steal the source code and prepare something awesome".

I've used KeePass for many years but after switching to Linux I just use the "pass" script on Linux (using it from terminal) and I've never been happier since. It's simple, free and practically bulletproof. There are very good rememberable password generators too. I don't know why I've used the clumsy GUIs for such a straightforward task for so many years...

I always was shocked that people use something on a cloud to save passwords. I mean if you worrying about your data getting hacked in one place but you trust other place with the same (or barely better) protection but not one password , but all of them (so there would be way way way way more incentive to try to hack it). Lol Yeah, I was proved right. After being interested in IT for several years and working here for one year I already can see how insecure it is.

I use Bitwarden. Stopped using lastpass after they started removing the features and putting them behind a paywall.

I swear people be like "hurr durr you can get hack!!" without realizing that the only way to get hacked is by BEING CONNECTED TO THE INTERNET

I switched from LastPass to KeePassXC 2, maybe 3 years ago and haven't really ever looked back. Syncthing sounds pretty interesting, but I guess since I already use a self-hosted ownCloud instance, I don't really need that, but it would be for sure an overkill if was made only for this single file... which absolutely wasn't the main reason why I started my own cloud instance.

It has always blown my mind that people would put all their passwords on some third party company's servers, because this exact thing will happen with certainty if you give it enough time

I switched from LastPass to KeePassXC around two years ago, and using Aegis as the choice for 2FA. It even imported my steam authenticator. And It worked great so far, my only complaint being android file manager not playing well with the google drive(I keep keys separate, don't worry.).

It wasn't hacked, one of its development account was compromised and no customer data or PII was exposed to the internet...

Man a while ago I started watching your videos while exercising and ive done it ever since. Thanks for making these slap

You can like this comment when mental Outlaw makes the "KeePass Got Hacked, Time to Switch to the new thing" video at some point.

imagine using the cloud to store passwords

I think the guys in the comments talking shit about how "every password manager is not secure, better use notes/store in *plain text* " are way to extremists and kind of ignorant too, since they miss the biggest advantages of a password manager: 1.- You can make every single one of your passwords insanely long and complicated (im talking about +120 characters with every kind of ASCII) and it doesn't matter, you only ever memorize 1 or 2 at most. 2.- If you use an *offline* password manager it's the same as having a paper in your office, since they need to get access to your drive, much like how they need to break in your office if it was paper, but with the difference being that your database is encripted and password protected, unlike your note, and if you use a +100 digit password on your database then it's gg for them. 3.- Another thing is, an offline pm is by extension, decentralized, there isn't a 'server' or 'group' to attack, anf if most people keep their DB in a usb or small ssd, then it's even more unrealistic to "crack" it. 4.- KeepassXC has the 'Health report' feature from bitwarden but for free, and it makes it trivial to know which accounts have been compromised and to save them/delete them *TL;DR* = KeepassXC Is king, pass is way too basic, and normal keepass sucks for the most part in comparison.

Already been using KeePass for 5+ years now. I remember back when I decided to get a password manager, I did some research & dismissed online options like this LastPass specifically because I didn't really trust their security long term. Ahh... the sweet vindication of a past choice well made.

That's why i just write my long af passwørds on a piece of paper instead and store it in the safest place that no man, woman or blackhat would ever access... in my underwear. Alternatives are just storing it offline or in pgp encrypted txt.

By the way, your keepass file doesn't need to have a .kdbx extension. You can give it any other extension (or none), to keep it stealthy. The only yellow flag I found in KeePassXC, is that it remembers the last folder you loaded your file from. I presume this could be a potential point of weakness. I mean, I don't know, personally I just don't like the idea of anyone even knowing where my passwords are stored. Other than that, I've been using it for a long time and so far I'm happy.

This is why I don’t trust sponsors. I think we can all remember the commetary youtuber nord vpn fiasco where they were saying you would get your bank details stolen at coffee shops like any bank sites don’t use https in 2022.

"Use a password manager" they said I didn't listen

I originally just kept a spreadsheet with all the passwords I used for all the accounts I had, and I only started using LastPass when it became a complimentary service to the anti-virus software I got from Geek Squad; it _was_ handy for the time being, especially since it actively encouraged using different passwords and helped with generating more secure ones than I could've come up with on my own, but I _have_ been working towards transferring what's stored there into a KeePassXC database, and this happening is further incentive to do so.

Can't we just write our passwords on paper and then memorize them?

This is the major reason why I don't and will never use centralized password managers. They are a huge target for hackers

I've seen countless of ads for Lastpass in RU-vid videos and my reaction to them was the same it is now. Why the (expletive) would you store all your passwords on someone else's servers? I bet you'd even lose access to them if you stop paying them (i don't know the costs and terms/conditions of Lastpass, nor do i care). Yeah, just give your passwords to Thieves Inc.

This proved my thoughts on password managers. They can get hacked and boom all ur passwords breached.

Self hosting is the future

I'm actually a bit new to KeePassXC, but have been using KeePass for a while. Only recently learned of KeePassXC when I started moving to Linux.

In their defense, isn't this part of some bigger hack? It doesn't excuse it, but it's not like LP themselves were targeted. I think the attack was dubbed Oktapus or something like that. Your typical phising/SEing hack involving sms 2fa. If it wasn't clear I'd like to reiterate I'm not sure.

You should post on update video about this hack. Turns out hackers HAVE exfiltrated encrypted user password vaults. Currently, the only thing keeping LastPass users' entire digital world safe is the strength of their chosen master password. If you use LastPass (which I do), it's hard to imagine a more serious breach than this. If you'll excuse me, I need to go spend the next 6 hours changing every password on every website I have created an account on over the past 8 years.

And then there's me, self hosting Vaultwarden (a Rust reimplementation of Bitwarden) for maximum security

You can set up your syncthing "server" on a raspberry pi or and old laptop to have it aways on, this way you don't need to juggle making sure you have both your phone and your laptop or both your laptop and desktop on at the same time to sync. Your can also set syncthing to always use encryption for it's communication and syncing.

Self hosting=goals

Self-hosted Bitwarden FTW ❤

This is what makes me skeptical of password managers. They are a single point of failure.

I've been using pass (or GNU/Pass) for a while now. It's based on GPG and has a nice git integration, alongside OTP and password generation

Uninstalled LastPass and deleted my account months ago and switched to KeePassXC cuz I was getting increasingly uncomfortable with putting all my sensitive passwords in the hands of a 3rd party - not to mention them wanting to gyp users by making them PAY for password protection. Really feel like I dodged bullet, there.

Saw this coming. If people really took their security seriously, why the hell they using LastPass of all things.

Your a godsend chad, I thought LastPass was only hacked once or twice before with minor issues, f**k that I'm switching.

It didn't "get hacked", a dev's computer or account got hacked and source code was stolen.

dude the keypass in the thumbnail scared the shit out of me, i almost thought my passwords got hacked ;-;

Literally just write your passwords on a piece of paper. Inconvenient? Yes. Absolutely unhackable? Also yes.

The good old pen and paper still does it for me. Although admittedly, I've had quite a lot of times where I can't access my accounts.

I never trusted password managers

Ohh...how this story unfolds a few months later! They used the information they stole on this breach and now in December same year Lastpass told everyone that a Backup site was compromised with all users encrypted vaults.

I simply remember my passwords. That way only I myself and the CIA know what they are.

Been using Dashlane for a few years now and I love it, personally. Hope something like this never happens to Dashlane.

Why would you use LastPass over Bitwarden ?

Nailed it. It might not be immediately scary but the source is going to either go to a nation state or surface in 5 years with zero days coming out all the holes

Just host Vaultwarden on your home server frens

What I like about keypassXC is the ability to store 2-factor authentication codes without requiring a phone. The browser extension that allows me to click an icon to fill credentials on webpages. It works just like lastpass without the weak secuirty and cost.

cloud storage is a bad idea from the onset.

I think with the 2021 security breach, regardless of if they had "Zero Knowledge" of the users' master passwords at the time, since there were trackers in the actual app itself the third party would still be able to get the passwords.

I personally realize that the only truly safe password manager is a notebook on my desk, and anyone that thinks ANY online password manager is "secure" is deluding themselves.

Lastpass has been getting hacked for YEARS. At this point, I'm not sure why anybody would use that service.

If you must worry, just bite the bullet and use Qubes. Then you can use a KP dedicated environment that is void of any network. Also storing your pws in any sort of cloud is just asking for trouble. I could never understand the logic a decade ago and I still can't today.

At least they are open about the breach. Not trying to hide it under the rug. With such bad history of incidents they don't deserve the trust of the people. To the open source KeePass my lads!

Why is this cooking channel uploading tech videos ???

I’ve been using 1Password for years. After having tried to keep a KeePass file in sync across devices over the course of several years, trusting someone else whose only business is running a password manager made more sense to me. I actually did use and trust LastPass until they were bought by LogMeIn. I knew the writing was on the wall as soon as I heard the news. I’d switch to Bitwarden so I could host everything myself if not for how much of a pain that would be to get my wife on board.

All things considered, it doesn't sound like the attack was anything for customers to worry about. At least, assuming what they're saying is true. ALWAYS use a long master passphrase, around 30 characters. Then you'll be fine. I don't use LastPass personally.

Nice deleted my last pass account 1 month ago cause it was ao annoying that you could only choose to use it on mobile or pc with the free version

I'm all for open source software, and not to throw a wrench in the engine here, but what about the recent security vulnerabilities in the Linux kernel that have been there for almost a decade? How did the "many eyes" mitigate those threats?

When they say "no evidence" doesn't mean it didn't happen. If very confident hackers got in, they likely covered their tracks and activities. That's what I would do for the future activities...

It's hacked again

Been using KeepAss for half a year. The GUI is straight from the windows 98 era, but that aside it's pretty solid and the password generators are very useful. The autofill actually works, unlike some PMs I've used Really helps keeping your ass out of trouble.

You know what's hilarious Writing your passwords into a text file mapped to a username and a domain writing your key to a key file, Encrypting the password text file with gpg using the command line and automatically inputting the password via command line Decrypting when wanting to read the passwords Is literally more secured than these kinds of Password Managers lmao

not surprised... and wayback when i told some people if they really want to keep their account password really secure they need an offline password manager... and they weren't happy that i berated their favorite youtuber that was sponsored by lastpass on the fact that their channel is all about security and how they promote the worst security practices with their sponsored ads... and i did not know it was this company was this bad...