LastPass Hack: The CRUCIAL Problem No One Is Talking About

Подписаться 124 тыс.

Просмотров 126 тыс.

50% 1

Sign up for DeleteMe! Use the coupon code SNUBS for 20% off any consumer plans! Linky: www.JoinDeleteMe.com/MorseCode * (coupon code automatically applied at checkout)
LastPass admitted to getting hacked a couple of months ago, and we're just now learning more details about what was breached. Password Managers are often targeted in hacks but in my opinion, LastPass is downplaying a crucial problem that can affect users.
My fav password managers for 2023:
25% off 1Password: www.jdoqocy.com/click-1003458... *
30% off Roboform: www.kqzyfj.com/click-10034586... *
Dashlane: www.dashlane.com/
Bitwarden: bitwarden.com/
Keeper: www.keepersecurity.com/
What Is A Password Manager And Should You Trust Them? - • What Is A Password Man...
LINKS:
blog.lastpass.com/2022/12/not...
support.lastpass.com/help/wha...
support.lastpass.com/download...
www.goto.com/blog/our-respons...
blog.gaborszathmari.me/sessio...
capec.mitre.org/data/definiti...
cwe.mitre.org/data/definition...
FTC: Links marked with * are affiliate links, which means I make a small commission off any sales.
Becoming a Morse Code Member by checking out the perks linked here!:
/ @shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
SUBSCRIBE! 🌸 ru-vid.com?s...
TWITTER 🌸 / snubs
Patreon 🌸 / shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
SUPPORT MY WORK
Patreon 💛 / shannonmorse
Buy Me a Coffee 💛 www.buymeacoffee.com/snubs
Shop 💛 snubsie.com/shop
TeeSpring 💛 teespring.com/stores/morsecode
Coupon Codes 💛 snubsie.com/support
Tech I Use & Recommend 💛 kit.co/ShannonMorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
FOLLOW THE SOCIALS THINGS
Twitter 🌸 / snubs
Instagram 🌸 / snubs
RU-vid 🌸 ru-vid.com?s...
Website 🌸 www.shannonrmorse.com
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
TECH I USE AND RECOMMEND
My Kits, Builds, and Must Haves ✨ kit.co/ShannonMorse
My Amazon Influencer Page ✨ www.amazon.com/shop/shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
MY OTHER SHOWS
ThreatWire 🌙 ru-vid.com?sub_confi...
Sailor Snubs 🌙 ru-vid.com?s...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
GET IN TOUCH
Mail ✈
snubsie.com/contact
Email for Business and Sponsorship Inquiries ✈ Shannon@ShannonRMorse.com
My Media Kit ✈ snubsie.com/work-with-me
Sponsor This Channel ✈ snubsie.com/shannon-morse
Music from 🎵 Epidemic Sound: www.epidemicsound.com/referra...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
😍 FTC DISCLAIMER 😍
Affiliate links listed above allow me to receive a small commission. Any sponsorships for videos are noted in video and listed in descriptions. Any products provided as gifts are listed above. Thank you for your support!
Comment section code of conduct policy:
Constructive feedback is appreciated, but please leave unproductive, divisive and harmful conversation at the door. Hateful comments are not tolerated, and these kinds of messages will be automatically removed. Thank you for making this community a welcoming experience for all viewers :)
snubsie.com/code-of-conduct

Наука

Опубликовано:

31 янв 2023

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 471

@happysprollie Год назад

I switched from LastPass to Bitwarden when the hack happened, and actually find BW to be superior. And FWIW, I'm in the infosec business. I'd become anxious about LP after its aquisition by LogMeIn (which didn't have a stellar security record). Wish I'd acted sooner.

@jeepfanatik1304 Год назад

How would you consider BW to be superior? I use the LastPass Family subscription but with an over 20 character master PW. Would be interested to know if other options might be better and or cheaper.

@Squant Год назад

@@jeepfanatik1304 Depends which paid services you need. I'm using BitWarden for free and it does everything LastPass used to do before they removed the option for free accounts across multiple devices. The company also seems a whole lot less shady in general, which is nice.

@ivanlawrence2 Год назад

@@jeepfanatik1304 I'm not in infosec but I know enough to be dangerous... BW is arguably "superior" as a product since it is open source and has been independently audited. But BW is also faster performing and its default settings give you a stronger starting point. We LP refugees with long MPs are likely fine against brute force, but I went through and changed all 500+ passwords anyway... which sucks. This did allow me to increase the security at each site (add new MFA or use generated passphrases for site "security questions" answers) and remove sites that no longer exist or are not needed. It is laborious to do but seems worth it in the long run.

@itsathejoey Год назад

Bitwarden is only superior if you are self hosting. If you don't have the means to self host it, then 1Password would be best.

@zadekeys2194 Год назад

Same, I moved myself and my clients away from LP to BW after their 1st hack.

@Wyrenth Год назад

An updated password manager video would be awesome. As well as how to make the process of migrating easier. Right now the challenge is momentum - it’s hard to just get started.

@ShannonMorse Год назад

I feel this tweet in my soul. It's so hard to get started!

@not_adiitya Год назад

@@ShannonMorse YEP

@pauldamian2988 Год назад

@@ShannonMorse Agreed... but I would argue it might even be harder to SWITCH!?!?!?!?! I run Lastpass with a long (23?) master... now I gotta change?

@mementomori29231 Год назад

Google switch from LastPass to bitwarden, super easy with export / import. Steve Gibson (IT guru) talks about how easy this is in his podcast.

@shaunreich Год назад

@@pauldamian2988 super easy to switch to bitwarden. Export your LastPass file and import it, boom. Took me like 10 minutes. It has much better field support, and auto fill on Android and web support, too. Works a bit better overall I've found

@mu_zines Год назад

There’s also an additional problem you didn’t mention - LastPass not updating customers’ hash iteration value. They changed the default to 100,000+ iterations, but people who created accounts a decade ago had iteration counts of 5000, or even *1* for early accounts, and LastPass *did not upgrade customer accounts* according to their own security standards. This means these passwords are *way* more brute-forcible. It’s really bad…

@brianfritz575 Год назад

This is one of the big factors that has lead me to dump LastPass. I paid LastPass, because they seemed to be making good decisions about security. I wanted to not have to be a fulltime security person. I wanted to farm that out to LastPass. At the time I did this, about a decade ago, LastPass seemed to be doing a great job. The issue, is that LastPass appears to have gotten lazy. They filed to increase the PBKDF2 hash iterations... actually they did so for new customers... but not those of us who had been singing their praises and been longtime customers! This tells me the problem is not really the hackers, it is that I no longer trust LastPass to make good decisions about my Vault and what is secure. Add to that the info that URL's were not encrypted, even though all LastPass marketing talks about how customer vaults are encrypted, never seeming to mention that important data like URL's is not... Yeah, Bye Bye LastPass. They've made business decisions that are not in the favor of my account being secure, so I am making a business decision that will not be in favor of their business goals. I'm gone, Won't be seeing you even again LastPass. You've shown how quickly you decide to do what is easy rather than what is best! Why would I continue with a password management company that has proven I cannot trust them!

@babybirdhome Год назад

And this is the reason that I’m considering moving after being a customer for over a decade. They need to have done a better job of communicating those updated security settings to their users when they changed their best practices. Like, if I have two sites using the same password in my vault, it’ll yell at me every time I open my browser and click to fill a password, but not once did that same popup mechanism ever tell me that, “hey, you’re using an outdated security setting for your vault, and if you don’t udpate it to the modern recommended setting, you’re putting the security of your entire vault at risk.” Everything else I can forgive because they can happen to any organization, but that one was a seriously dropped ball.

@bassmaiasa1312 Год назад

If 5000 used to be adequate but not now, how long before 100K+ won't be adequate? 5 years? 2 years? Lastpass''s dodge about 'generally available cracking tools' -- that's generally available now. What will be 'generally available' in two years? Time flies.

@brianfritz575 Год назад

@@bassmaiasa1312 Since OWASP is already recommending 310,000 iterations, what LastPass is doing right now is inadequate. LastPass is not keeping up. That LastPass was not actively alerting users who had iterations set below 100,000 is pure ineptitude on LastPass.

@killer2600 Год назад

@@bassmaiasa1312 100k is no longer considered adequate, OWASP recently changed the recommendation from 310k to 600k PBKDF2 iterations. But encryption in general is a rat race, we encrypt things to be currently unbreakable but computers in the future may be able to break it with ease. Thus what you're really doing with encryption is buying time that when an adversary finally breaks into the vault, the treasure within is no longer useful.

@paulsullivan649 Год назад

Thanks so much for talking about this. I love that you bring issues like this to a wider community, on top of always talking about safer ways to keep our private information actually private!

@ShannonMorse Год назад

You are so welcome!

@ilannguaqjonathansen8208 Год назад

@@ShannonMorse Or self-host PW manager with the likes of KeePass and such

@Rickmakes Год назад

Another problem with this is that it makes people lose trust in password managers, which ultimately leaves them more vulnerable. I like your advice of not having your most valuable passwords in your manager and to switch managers early if you hear of a breach. Hopefully it is sinking in that people need to take an active approach to security.

@Tech-geeky Год назад

its a shame... business say stuff,, but cannot back up the proof. If you have a updated iteration hash/count, and a complex master password, you should be fine.. i just had to go thew 20 websites in my vault to update all passwords. Now i have no idea what any of them are 😆

@TimDavis77 Год назад

Great breakdown. I hadn't considered the Session ID issue in the URL until your video. As much as I loved Lastpass, this breach was the last straw for me.

@solarnightedge5732 Год назад

great video and love how u break it down so easily that anyone thats not very tech savvy can understand.👍

@ShannonMorse Год назад

Glad you liked it

@Alexoladele Год назад

Absolutely love this video! Great explanation of what happened. Also WHERE DID YOU GET THIS SHIRT?!

@craigbailey9487 Год назад

Thank you! I love the tech videos, but this is great information!😎

@genxguy Год назад

As a network Sysadmin geek myself I love your videos. Will spoken clear and to the point. I've just updated to Yubikey from a previous video and love it! Small pain in the butt to keep it with me, but it protects me and my client data and schematics for their systems so I'm a happy camper 🤓

@pudelz Год назад

I'm glad I'm not the only one that pays attention to the words used like "such as" in statements.

@ShannonMorse Год назад

Bruh 👀👀 I am sus

@jonnyhepcat Год назад

Great information! You gave me more to think about on this hack.

@Blizzard4242 Год назад

That's a really good point. I already had those thoughts when I read about it as well, thankfully though this should really only affect either the websites you recently added (which might still have a valid session ongoing), I really hope there are no websites around that never change the session. But as you said, you can't know so it's always the safest to change the passwords to make sure.

@bertblankenstein3738 Год назад

Agreed. It would seem unlikely that session ids in a url would persist. I'm pretty sure that banks (financial institutions), Google, MS, FB/Insta, Tweety and more, would allow session IDs to be persistent, especially on different IP addresses.

@wavemakersdj Год назад

Switched to Keeper. The bad part is the vault data that was stolen is not going to be impacted by what you change now, so it can be scanned for years to try and get new credentials that are still in place. What users should really do is change every single password in their lastpass list, save on a different service or locally, and drop all go-to products from this point forward.

@ShannonMorse Год назад

👏👏👏

@HillbillyWhisperer63 Год назад

Switched to Keeper as well. Much happier now

@dougjones4538 9 месяцев назад

Great info, Shannon. Thank you!

@jmr Год назад

Hardware 2FA needs to be a universal option.

@Heat2234 Год назад

Everywhere should use them, and free. Obscured a security product makes you pay to be the most secure

@russellinman3464 Год назад

That’s it, we’re going off the grid! Thanks for the deep dive.

@pullybungieharder Год назад

Thanks for the walkthrough of the issues.

@LedNe0nDevil Год назад

Thank you for explaining this in detail, I know nothing about security, more of an hardware guy. So this thought me a lot. Session hijack achievement unlocked.

@alonzosmith6189 Год назад

Thank U for sharing this information.

@ShannonMorse Год назад

My pleasure

@williamwilliams7706 4 месяца назад

I love tripe too! Big thumbs up for that last session info. Going through the log-ins exported from Chrome to 1pass I noticed these weird looking URLs? with a bunch of extra nonsense. I'm deleteing those too. Thanks. ( I doubt that making a mistake will lock me out of anything important).

@JonnyTheLarge Год назад

Awesome video Shannon. Just heads up, you missed the embed for the "Watch this about Yubikeys" etc. Love your content. Have an awesome day.

@ShannonMorse Год назад

I fell asleep I'll add it in this morning 😅

@JonnyTheLarge Год назад

@@ShannonMorse no probs. I don't blame you. Great video though. Re last pass, we use it in our business but looking to move to something else. We do understand however that our data is safe because we are federated. Would you agree?

@gd.ritter Год назад

If you have a Yubikey on your LastPass account, does that still protect you from brute force if they have the encrypted data in their possession? I guess I don't know if the MFA key is just queried to log in or does it get integrated somehow into the encryption itself?

@imark7777777 Год назад

So I use a 60 character password for LastPass, do you think I'm OK? I also purposely stripped URLs down to the main domain name as I've had issues with it not auto populating or filling in because the site has changed the sub directories. Either way I'm planning to move and I'm a paying customer.

@roobscoob47 Месяц назад

Thanks, Shannon~

@cmdrbozo Год назад

My suggestion, no matter where you record your passwords, is to use and store a partial passwords, but to have a secret code, e.g., three ending characters you add to every password. And never record that secret code anywhere except maybe on the side of your bottom dresser drawer. That way if your UN/PW is hacked you're safe because the hacker has only a partial password. Also protected if you have a written list.

@mschwage Год назад

Wow cool idea!

@elizabethg7806 Год назад

The same 3 characters (e.g. 123) for every password or different?

@Tech-geeky Год назад

Lastpass does have the OPT/recover in case you forget your Master Password.. Call me a goof, but the first thing i do when setting up plugin, is turning OFF these things.. I manage my *own* security.. (... which could become a problem in later years)

@superdaveofendor Год назад

Shannon says leave Last Pass. Done!

@beltaxxe Год назад

I was looking forward to this one, thanks

@ShannonMorse Год назад

Hope you enjoyed it!

@hedbergmicke Год назад

All normal session ID expires fast. I am not an expert but I beleve that things like Facebook uese cookies that is not hadeld by a password manager. And I like that the urls are stored unencrypted so that I dont have to unlock the password manger every time I want to fill out a form.

@rerunx5 Год назад

I'm glad I switched a long time ago to Bitwarden. Your video on showcasing different password managers really helped me on making my decision.

@MrPontiac005 Год назад

Same

@ShannonMorse Год назад

Glad I could help!

@jorgefrias6100 Год назад

You should try Pocket Pass Manager, local + only shares with other computers via the local network.

@Tech-geeky Год назад

The only snag is : whats gonna happen when Bitwarden is breached?? Are we (again) going to export/import our stuff to 'something else''?? Everytime we do this its harder and harder.. and its not exactly quick. The more stuff we store in these cloud-based managers, the trickier it becomes. Its not just passwords anymore,....its drivers licenses, secure notes and dark web monitoring as well as 'emergency access' etc... Not every password manager supports all features either. So it becomes mores of a simple solution.. What features are we willing to give up by changing??

@mrkmdz Год назад

@ShannonMorse Snubs, a critical data point so far not disclosed by Lastpass/Logmein is the date range for the backup data stolen. This could be critical information for people who deleted their Lastpass vault before this latest breach. Dependingg on the when the stolen backup was performed, customers who deleted their Lastpass vaults six, twelve, maybe even 24-months before this breach might still be at risk! --bump

@GregM Год назад

The backups were from September 22nd 2022 as a LP user mentioned on another podcast . The LP user asked LP and that is what they told him.

@vidmonkey Год назад

@@GregM which podcast?

@Wigglythegreat2 Год назад

@@GregM Yeah, but who can trust the LP employee to know or tell the absolute truth.

@noenken Год назад

Great information! I bet a certain Jerry will be very interested in this. ;-)

@rysieklee9866 Год назад

An updated video would be great but personally, I'd really like to hear about local options (especially open source) as this was something I didn't find much information on when I did my research last year.

@BrianTeague00 Год назад

I use Bitwarden, which is open source - you can run your own vault server if you like. I like it so much that I pay their annual fee for 2FA.

@blindtechworld Год назад

Take a look at bitwarden

@esquilax5563 Год назад

If you mean offline options, I'm very happy with KeePassXC

@rysieklee9866 Год назад

@@esquilax5563 Thanks, I'll have a look.

@CriusDigital Год назад

Wow you got 700 subs in 2 days? Your Subscribers counter is doing its thing !

@ShannonMorse Год назад

Yup lol 👍

@calebmccool Год назад

Quick question: After a hack like this, is it too paranoid to change every password, username, email, 2FA, and credit/debit cards? I dealt with a hacker who took all personal info & then 'ransomed' my accounts. Very scary experience that I never want to go through again.

@rfkgaming Год назад

Nope you can change all that the credit you can keep same as if used and was not you can do a charge back and such

@mjbates Год назад

When I used the "Analyze Lastpass" powershell script, I noticed that some of my unencrypted URL's were password reset URL's with long reset tokens. 🤦. They didn't seems to work anymore, but that's still really bad. I didn't realized that when I'd do a password reset and the Lastpass extension would prompt me "would you like to update the password for this site?" it was also changing the URL and saving the reset token in plain text.

@ShannonMorse Год назад

Yup!!! I noticed that too

@JuxZeil Год назад

Just like game saves you shouldn't trust cloud storage, especially when your security is concerned. Locally Encrypted list for usernames and passwords etc. on one cheap USB pen-drive, encryption keys backup on another one in case you loose your OS install. You should also double check your motherboard/logic board's BIOS is implementing 'Secure Boot' properly too as that seems an issue on MSI stuff...could be others with the same problem too though.

@jamesedwards3923 11 месяцев назад

KeePass.

@Tyler_Shaw Год назад

Can you link your roundup of password managers?

@BlackLabelExpat Год назад

In terms of 2FA I don't really like the hardware keys because it depends a little too much on the OS. I prefer the authentication apps on separate devices that are not connected to the internet. It's a bit more universal, and you can still write your key down on a paper and wipe your device add it back later.

@flynntsang Год назад

Hey there! What do you mean by the hardware keys are dependent on the OS?

@BlackLabelExpat Год назад

@@flynntsang Hardware keys are physical and require a physical receptor to identify and validate, they can cause compatibility issues if the software being authenticated is multi-OS and multi-device. For example, if you use a password manager that requires 2FA on multiple devices, such as Windows, Mac, Linux, Android, and iPhone, it may not be easy to register one hardware key for all devices. And what happens when you upgrade your devices in the future? Will they always be compatible with your current hardware key? On the other hand, an authentication software key is just data that can be used for any and all human inputs. Additionally, you can write down the key on paper and delete the app for increased security, only adding it when you need to use it. I'm not saying that hardware keys aren't useful, I have one myself. However, I think it's important to consider the downsides before making a decision, as it's more of a situational choice.

@xe-wf5iv Год назад

@@flynntsang For an OS to do anything it requires a driver to translate the messages the device is sending. There is no universal 2FA key that is recognized by every OS. There is also not even a universal 2FA key standard established on the internet. For example FIDO2 has a lot of promise... but hardly anyone uses the standard. The few sites that do have 2FA use OTP, which is very outdated and insecure at this point.

@benjiepr Год назад

What is better password manager or usb key like yubi key?

@altaporro Год назад

Excellent video. None of this is going to make sense until password manager companies are reasonably, legally liable for the damages they cause by screw ups like this.

@bassmaiasa1312 Год назад

Not just password managers. The whole tech industry is basically an organized cybercrime family.

@andyburns Год назад

Password manager companies could never afford the insurance to back that liability!

@mschwage Год назад

@@andyburns wow, so true! ... Things that make you go, "hmmm..."

@MartinParnham Год назад

That thing about session IDs is a great shout, and I need to check mine. I am not a fan of LP linking the session to the password anyway as it doesn't always recognise. I am one of those people who tries not to save and autofill passwords - in other words I log in anew each time - which can be a pain in the arse but surely that has to be more secure!?

@ivanlawrence2 Год назад

"She KNOWS it's a MultiPass" :) (I just now noticed your "Multi Pass" in the background

@Raika63 Год назад

Would love to get an overview of some of the alternatives. It's been a while since I looked and I feel like searching is just going to show me who has the best SEO unless I spend an inordinate amount of time digging for myself.

@shaunreich Год назад

I mentioned this elsewhere, but I would start and stop my search at bitwarden. See my comment at the top, I've found it to be much better. I'm not a shill I just am very pleased with them and it is free lol

@Endpoint101 Год назад

Bitwarden ftw

@jorgefrias6100 Год назад

Pocket Pass Manager for iOS, 100% local, access from other devices with an integrated web server, and you can import the passwords from other devices. Indi developers, and all the security stuff from open source. It's crazy good.

@timsexton Год назад

Affected users should always presume security hacks on their password manager vendor was worse than initially thought - on principle. Thanks for this useful information. *_TRUST !!_*

@kbruff2010 Год назад

How do you switch and take all your information without you without exposure?

@BlueLeafSoftware Год назад

Could you post a link to the original review please ?

@janokartal5690 Год назад

Nice video Shanon

@wizardofki Год назад

I guess the session hijacking was the scariest part of this breach. IMHO, I thought that Lastpass could have been more transparent (especially in August when they sent their first notification) about what was taken and the scope of the breach instead of, as you mentioned, letting users know that it was worse than they originally stated in subsequent communications. I previously thought that session hijacking was called browser hijacking. Still, a Web search on that term just returned good but usual advice about running an antivirus, firewall, VPN, and keeping your OS and software up-to-date. I have heard that session hijacking has gotten so sophisticated that hackers will set up a browser to look like your browser to Websites including fake IP addresses from your location.

@GregoryFolk Год назад

Great video! I'd love to see a video from you about the password managers available now and how secure they are or aren't now. Personally, I'm interested in a cloud based service, so I'd also love to see you break them down by type (local, cloud based, etc) and the trade offs of each type. Thanks! :)

@SirBlackReeds Год назад

Would it actually be good? The rule of thumb with these peacocking weirdos is to avoid them.

@modembuddy Год назад

So glad I stuck with one password for everything on this post-it attached to my monitor.

@MrPontiac005 Год назад

I'm glad I moved to Bitwarden before that happened based on your password manager recommended video.

@ShannonMorse Год назад

Great choice 😊

@cinnamon4183 Год назад

You should still double check your passwords. Even if you deleted your LP account, considering everything we've seen I wouldn't be surprised if it turns out LP have a very lax attitude regarding GDPR / Data Protection for backups.

@MrPontiac005 Год назад

@@cinnamon4183 excellent idea

@kevorka3281 Год назад

>makes secure password manager >GETS HACKED Nice f*cking work, you guys. People put their trust in you keeping their passwords safe. Unacceptable.

@briancoverstone4042 Год назад

Do any password managers have a way to auto-rotate all your passwords? Then set up a scheduled rotation once a year?

@pcislocked Год назад

not a lastpass user, but any recommended way or tips to change 200+ passwords quicker? just curious

@flynntsang Год назад

It is a world of hurt and pain. I had a few techniques to minimize dupes when exporting from various pw managers to 1Password, like using spreadsheet text functions to extract domain names in URLs and then sorting by the domain name to find dupes. That way I had fewer to import. But the actual process is painful, painful, painful. My only tip is in 1Password you can create different vaults. As you verify a password, move it to a "clean" vault.

@pcislocked Год назад

oh. indeed, pain it is. i created folders in keepass to do the same thing you mentioned.

@BrianGlaze Год назад

I was just commenting on Gary's video about how part of the reason I haven't committed to using a password manager is that I'm in a constant state of concern that the password manager service will get hacked.

@AJ-po6up Год назад

Then use a open source local password manager like Keepass and have absolute control over your vault.

@BrianGlaze Год назад

@@AJ-po6up fair point. I've been considering it.

@shaunreich Год назад

There are local only password managers. That would solve your problem there. Bit warden has that ability I believe, but also KeePass

@rfkgaming Год назад

keepass or other local hosted ones work just never loose the database

@MorbidGod391 9 месяцев назад

11:37 ummm if anyone HASNT switched. Do so now. Pause the video and switch. Thanks! And your future self will thank you too!

@raymondrizzuto7997 Год назад

I use LastPass with 2fa. Wouldn't the 2fa further protect the encrypted data, even if they could brute force the master password?

@mixpix Год назад

I don't believe so. 2FA proects against logging into the LastPass website/services. If hackers have the vault it's just the encryption keeping it safe.

@beachboardfan9544 Год назад

Look at my shocked face that a password company isnt secure... 😐

@gavincrouch Год назад

Seems excessive. Those session ID's have expired a long time ago. Hackers can only access 'active' session id's. A session expires either when logging out, or timing out (set on the servers). A PC restart will kill every active session, or closing all tabs and clearing browser cache, or inactivity. Also avoid using / checking a box that says 'stay logged in', this extends the session timeout to days or weeks before it expires (generally not found on sites with payment portals). Some sites will also dynamically change and update your session id seamlessly as you browse, you will notice this if you open tabs from the site you are logged in, and when you go back to the tabs you are met with a login page or it shows you logged out (as guest or whatever), those tabs never updated to the new session id and have reverted to the default page.

@TheErador Год назад

And some are active for years. It's far better to be vigilant than sorry

@gavincrouch Год назад

@@TheErador Sockets yes, sessions no (at least none I have ever come across, feel free to give an example), they will be terminated either client side or server side (whichever activates first). Idle sessions not closed are more like placeholders, they are deactivated when referenced again and a new active session is created.

@witcnshum Год назад

URL wasn’t encrypted, means they might have been selling the url information to data brokers - why would it not be encrypted and other thing’s encrypted

@ShannonMorse Год назад

Omg good point! 😱 /Checks that my deleteme membership isn't expiring anytime soon.

@Veretax Год назад

The thing is the fact that they got the backup of the Vault means they can apply multiple different computers to try and crack the thing instead of over a single line

@xe-wf5iv Год назад

That wouldn't help as much as you think. The longer the password the difficulty increases exponentially. A 10 character password would take a few years to brute force. 12 characters 30K years. They could toss the entire computing power of the world at a vault secured with 13 characters. They would all be dead before even putting a dent in the possible combinations.

@aaronmicalowe Год назад

Session hijacking can be greatly reduced by monitoring when the session is and making the date and time part of the session ID.

@halfthehalfer Год назад

I would love to see a video about local solutions that I could use as to not have to use a cloud service. And as @Esper Wyrenth said if you could show the process of migrating everything that would be great. May would also be a good video idea to show the best ways to secure multiple accounts for different uses, such as having multiple emails for different things or any other good practices that would come along with that.

@joshuapk9808 Год назад

KeePassXC is one of the best local PW managers.

@kuhndj67 Год назад

SplashID… been around forever and can be completely non-cloud. Very basic but if you want all the “features” you have to deal with this risk.

@davidriosg Год назад

For most people it's really overkill to not use a cloud service, provided it's like Bitwarden that only store encrypted data and that your master password is complex (at least 14 random characters including symbols). A local only solution is potentially more secure but it's also waaaay more difficult to manage.

@halfthehalfer Год назад

@@davidriosg I'm okay with the management honestly. I care more about the security than having to keep up with it. I'll look at bitwarden though and see what it is about.

@real_rivolta Год назад

Say NO to EVERY password manager!

@shadow-wulf Год назад

You do know there are old people with difficulty remembering their names, let alone passwords? Writing it down in that 3 ring binder beside your computer with the label PASSSWORDS, is safe until you're robbed like my in-laws. Then you've handed them the keys to the kingdom.

@edwardfletcher7790 Год назад

That t-shirt is amazing, really cool hair match👍😆

@MorbidGod391 9 месяцев назад

5:43 now I don’t know if you talk about this yet… but another nugget here is LastPass (at least up until the hack happened) did not require strong passwords. I think my old account had like a 8 character password that can be hacked in under a minute. Again very bad :/

@firdaushbhadha2597 Год назад

HOLY CRAP! I remember Shannon from watching TWIT before Leo became super annoying (among other things). Thank you for starting your own channel so your voice is heard...

@ShannonMorse Год назад

🫢🫢🫢

@JamesDLegan Год назад

Are there any password managers that auto change your current passwords for each site?

@scizophreniac Год назад

while this would be awesome, i think this would be rather hard, since the process of changing passwords differ a lot between different sites and would be difficult to automate (and of course, only doing it in the password manager would just lock you out of your accounts :P)

@ShannonMorse Год назад

I know LastPass gave you the option to choose "change all passwords" and the platform would TRY to do it for you. But it sucked and didn't work well.

@myname-mz3lo Год назад

would making your own password server be better at this point ?

@oldmanonyoutube Год назад

LastPass was the most recommended password manager on RU-vid that I've seen in the last few years. Tech RU-vidrs have been singing it's praises for awhile so there are going to be a lot of people affected by this breach. Thanks for the heads up.

@StrawberryKitten Год назад

They got fat stacks for promoting it.

@ShannonMorse Год назад

Maybe other tech RU-vidrs did, but I have never been sponsored by LastPass. I did used to recommend it for years for a lot of reasons, but this was the final straw. I'm generally pretty forgiving but I can't stand them anymore.

@StrawberryKitten Год назад

@@ShannonMorse What's your opinion about KeePassXC?

@Tech-geeky Год назад

and despite all that people still use it.

@WreckDiver99 Год назад

I've been using KeyPass...Yes, it means having a OneDrive/Thumb Drive/DropBox/GoogleDrive etc. to store the PW Database, and yes it leaves a "potential" security hole, but what doesn't??? I used to just carry it on my thumbdrive but my old employer then disabled all access to USB ports for memory storage (intellectual property theft deterrent). Is it perfect? Nope...but I've yet to hear a big "OMG KEYPASS HAS BEEN HACKED" yet.

@mschwage Год назад

Right! And they have to download your database, which is stored locally.

@Tech-geeky Год назад

We all keep hoping along from one lily-pad to another like a bloody frog in a swamp, export/importing as we go..That's fun.... anyway.

@klabs007 Год назад

Great video. I recently found your channel and like you views and opinions. I'd like to know if you could cover or do a review on Synology's C2 Password product. Thanks and I look forward to more great content.

@JasonsLabVideos Год назад

Ditched them :P Thanks Shannon !

@noneyabusiness9636 Год назад

Shannon's Channel is underrated.

@garys2187 Год назад

It is great in every respect !!

@Christian-jz3xt Год назад

Great info. Also... I want that shirt

@ShannonMorse Год назад

I got it from Hot Topic a while back!

@ErichSchulz Год назад

I have switched from Lastpass to Bitwarden when the first breach was announced. Do anyone have a recommendation on a MFA app that would be a good replacement for Lastpass Auth or Authy?

@GothPanda Год назад

Believe it or not, Bitwarden itself will do MFA for you. You just have to add the shared secret to the site like you would a password, and it'll generate codes for you, and even let you copy them like you can the username or password. It's putting all the eggs in one basket, which may or may not be a good idea, but it does do it.

@ken-rx6hb Год назад

Aegis Authenticator is great if you'd rather not do what Trevor mentioned! I enjoy it because it can do automatic encrypted backups.

@GothPanda Год назад

@@ken-rx6hb That actually does sound like a darn good feature! I'll have to check it out for the couple of MFA's I'd like to keep outside of Bitwarden

@lea7802 Год назад

+1 to Aegis, is really good check it out.

@joeljudd9421 Год назад

What are your thoughts on Keepass? It is a local password manager that is available on nearly every platform but stores a local encrypted copy of password library.

@Slada1 Год назад

Or KeepassXC. Also you can sync that file with Syncthing or Cloud service safely, because everything is encrypted

@TheErador Год назад

It's pretty good for usecases where you don't have a team that needs constant access to a shared set of passwords, where it's impossible for them to have individuated accounts. Team shared folders are the reason we went with lastpass other than ease of use. As long as you use a strong master password i think its encryption is pretty well respected. I store a keepass vault in Google drive, but you do need to check the permissions on that file to ensure that it's not available to the public etc. It's the biggest issue with keepass, you either have to carry your vault with you on a mobile or a usb drive or store it on a cloud storage service - in order to have access to passwords when you need them

@ericbursley9464 Год назад

we really need to go passwordless. I like the direction Microsoft has went with their accounts.

@michaell1603 Год назад

So Microsoft uses their auth app instead of a password right? What happens if you lose your phone? How are you going to re-authenticate on a new device?

@ericbursley9464 Год назад

@@michaell1603 you have more than just the Auth app configured. I use three methods for account access

@byrd203 Год назад

if you use a mac or iphone you can use the password manger built in to the mac or iPhone keychain works well on the current devices like phones macs and even pcs with the windows store app

@Boslandschap1 Год назад

An update would be very welcome 👍

@pat999x Год назад

I use password management software that keeps my passwords on my local computer. I don't think that I am perfectly safe, but I am a small target

@stanjackson007 Год назад

Madame , Security Morse 👩.... I 🙎🏾‍♂luv🖤❤ your Style of Thinking , & the Moves that can keep us all safe with Important Documents 🏮🏮🗞🖇📚 & Money 💰💸❗.... for that , ... I 🙎🏾‍♂thank👋🏾you ❗.... From S J 🙎🏾‍♂ = D M V Production 📺🎥📸📹❗...... PEACEEEEE 🙏🏾 💪🏾✌🏾❗💯

@maineiac_lost_in_the_woods Год назад

VERY interested in a local password manager!

@TheTaipan Год назад

New password manager vid would be great. Ill be moving away from Lastpass soon ;)

@alphabee8171 11 месяцев назад

Don't sessions have expirations?

@joshperez2124 Год назад

I'm unable to join the discord from the link provided in the membership tab, invitation is expired :(

@ShannonMorse Год назад

Thanks for bringing that to my attention! Which membership did you join? YT, BuyMeaCoffee or Patreon?

@joshperez2124 Год назад

@@ShannonMorse through YT

@DiceMasterChannel Год назад

2023 recommended password managers please. 🙏

@zadekeys2194 Год назад

Honestly, the app stores should start pulling software that has had a breach until a quality external audit had been passed.. it protects clients in many ways...

@Tech-geeky Год назад

People complain when something gets taken down "as is", accidentally or deliberate, and you want then to wait longer? Good luck to you sir... Everything is a balance, unfortunately.

@zadekeys2194 Год назад

@@Tech-geeky most people don't have a clue re modern digital security and how to keep themselves safe. Like a parent, you sometimes need to do what is best for them, and ignore their dislikes. Also, it's not like every 10th app is going to suddenly get taken away. It's probably 1 in every 1k apps.

@nzhook Год назад

The session ID in url can be a necessary evil, especially with the don't allow any cookies popups. Good and bad cookies and how security and privacy don't always mix well could be a whole video in itself.

@ShannonMorse Год назад

But hopefully sites are doing it right and won't fall to session fixation or anything. 🤪

@UndregoGrey Год назад

Switched to locally hosted bitwarden

@MP-vg7ug Год назад

where did you get your t-shirt from?

@ShannonMorse Год назад

Hot Topic!

@MP-vg7ug Год назад

@@ShannonMorse thankyou

@JohlBrown Год назад

Hi I enjoy your delivery but there's often a lot of good info that I miss cause I'm fairly visual.. it would be great if there were some short texts on the screen so it's a bit easier to keep up

@ShannonMorse Год назад

I'm a one person show, with an editor for a few videos per month. If I had more time and resources, I could definitely spend more time on the edit and add more visuals! Thank you for watching, it helps. 😊

@JohlBrown Год назад

@@ShannonMorse I understand, good luck for the future!

@BradleySmith1985 Год назад

Rainbow list with a Decrypt bot can get in. its just going to be a mater of time. so yes change all your passwords you had on last pass. once there in there in. they will get your master pass and will unlock all your data.

@RadfordCastro1 Год назад

I just left those fools. They are not doing what's necessary to resolve the problem. They''re going to get hacked again. Love the mononoke shirt btw. Forest spirit ftw.

@hafizyaakob5753 Год назад

Hi I'm from Malaysia to see your video👋🏻🇲🇾😊

@ShannonMorse Год назад

Hello 😊

@hafizyaakob5753 Год назад

@@ShannonMorse Hello 😊

@byrd203 Год назад

Heres what i recommend go to all of your accounts hit log out of all devices then relogin so that forces links to be invalid

@hugoedelarosa Год назад

KeePass gang! 👋🏽

@peterlewandowski9912 Год назад

It's unfortunate - what really sucks is that for my job, I have to use a password manager that the company approves. LastPass is one of them, and I've been using them for almost 2 years! =(

@MrPontiac005 Год назад

😯

@ShannonMorse Год назад

I have a lot of close friends who are in the same boat.

@mohammedshengheer3730 Год назад

This is a big issue for businesses, other competitors in the password manager market should focus on the migration from LastPass and make it as easy as possible, while maintaining the same policies and settings from LastPass.

@Tech-geeky Год назад

😆 opps... that's a bad boss. There's still noting wrong but we all egt scared the moment someone has a proprietary source code. I think the biggest thing is users just have to start accepting breaches will always happen, no matter how great of a security model we have... There is such a thing as "security is good enough for the individual"