The LastPass Hack Was Worse Than We Thought 

Thank god i have all my passwords in plain txt on the desktop

I only trust my passwords to the voices in my head. No one has stolen them yet.

There’s a pretty critical point you forgot to address in your video for LastPass customers. One of the advanced settings in your vault is the number of iterations used to derive your decryption key. In the ancient of days (for users who’ve had an account for years), the default for this setting was 5,000 iterations. Not so today. It has long since been updated to 100,100 iterations minimum. For users who have a sufficiently complex master password, if your vault was using fewer than 100,100 iterations for that setting, then you could potentially still be at some risk of your vault being brute forced if it was one of those that was accessed. With only needing to go through 5,000 iterations instead of 100,100 iterations or more, that _significantly_ reduces the compute time required to test each brute force password. Everyone who got a notice about this needs to open their vault and go to settings, advanced settings, and check the number of iterations your vault is configured to use. If it’s not _at least_ 100,100 then you need to update it to at least 100,100 which will require re-encrypting your vault, and then depending on the abundance of caution you want to exercise to protect your logins, you should also update your stored passwords for all your stored accounts. On the other hand, if you met the suggested mninimum requirements for an actual secure master password _and_ your vault was configured to use at least 100,100 iterations, then you’re all good here already, unless you don’t plan on updating any sensitive passwords in the next several years to the point where 100,100 iterations is also insufficient protection. Also, you kind of misconstrued what happened here. This was a secondary breach related to the breach back in August, but not the SAME breach as back in August. This breach took place _after_ that one, and occurred because the information obtained in the first breach was then used to phish or social engineer another LastPass user which then allowed them to gain access to backed up vaults on a cloud storage system. Read the blog post again - these were two separate but related security incidents. The reason this point is informative and useful is because what the attacker did to get into LastPass’ systems again following the initial incident is precisely the kind of attack they’d now be trying to use against LastPass customers - a point that needs to not be lost on people who use LastPass, and particularly not lost in board rooms of companies that use LastPass when their security teams start talking to them about things they need to do to ensure that their organizations don’t become victims of yet another sophisticated supply chain attack.

For five years I have used the same notebook for my sensitive info. Works pretty well as long as it can be kept up with. I never really liked the idea of keeping digital records of 16 character alphanumeric / symbolic passwords. After admin/ logins for routers, vpns, computers, emails, phablets, web addresses, work logins, older family member logs of the same, it started to get too risky. I got hacked through the MIT site doing my homework and re did all of my home network, I never looked back from the notebook. Is still not a fail safe as it could get lost or stolen. Maybe memorizing a few and rotating the memorized every six months would be the best action.

"Corporations can steal your data" - data protector corp

I have to be honest, I've always been a little on edge about using one of these things. Just seems like an easy target for hackers to go check out everybody's most important data.

I might be mistaken, but if the hackers already have the backup vaults, the 2FA is irrelevant in this case. It only prevents the hacker from accessing the LastPass Vault on behalf of the user. But since they already got access to the vault, only the master password prevent them from accessing your data inside. If you had a weak master password, you must change all the passwords for the accounts stored in the vault, regardless if you had 2FA enabled or not.

In my opinion, the most secure way to store passwords for people who don't know much about computers is to simply keep them in a notebook next to the computer, or maybe a locked drawer or something. Any service can and will be hacked, it is much easier for laypeople to think about physical security than security on a computer, and in most cases the main threat is from people on the other side of the planet. Pen and paper completely eliminates that technological threat (but of course we must also teach them about scams). But this type of solution doesn't fly with the marketers and gadget-pushers who are constantly trying to sell you something.

The last password you will ever need.

Good old fashioned piece of paper

Woah! It is almost like centralizing account credentials of millions of people is a really sweet target for cybercriminals 😳 Truly mind blowing 🤯

+1 for Keepass. Never ever have I been under the illusion that storing my most sensitive data on someone else's disks was a good idea.

Oh I am thankful Bitwarden exists.

The problem with self-hosting your password manager is that it's also potentially easy to break in and steal data, but with the added factor now that you most likely will not notice a data breach this time if you don't have proper monitoring in place. With a big service like LastPass you'll at least hear pretty soon when something happened.

self-hosted means you should absolutely know what you are doing at any moment - and have good security culture, software update mechanisms and habits. Inexorably , software becomes out-of-date and security issues start to emerge. Maintaining this requires time, discipline and expertise. I would not recommend this - instead, manage your password offline, use a solid passphrase and backup your vault often. After all, the vault itself is often a single (encrypted) file. Even if I don't agree about self-hosting, this video is pertinent, as usual

Thank you Mental Outlaw... love your channel ...... it is amazing how they released this just before Christmas, probably thinking everyone is busy and no one will notice

Nice. I just commented on your original Lastpass video like 12 hours ago asking for this crucial update. And boom, now this. I guess you were already on top of it. Thanks!

Merry Xmas! and Thank you for ALL your videos; I have learned so much from you.

Looking forward to the follow-up because the only reason I haven't gone that route is there are certain features like 'password autofill' that are too damn useful to go without.

It's over. The West has fallen. My passwords. My NFTs...

The last time I was this early, LastPass was still saying no customer data was stolen...

Would love to see a self hosting tutorial. Thanks for the info. Keep up the good work.

You have no idea the level of irony... I just got an ad for 1password with the title of the video being what it is, only for 5 seconds in to be listed as one of the many password managers that you are talking about. I'm dying 😂

Yep, I expected something like this when the hack first happened. There's far too much concern about how it looks initially and getting some rushed PR approved garbage in front of people so they don't panic and dump the service, and then that leaves months where password crackers could have been pummeling away at data and maybe got some lucky cracks that lost other companies potentially millions of dollars, or led to their own breaches because they thought that nothing had been taken that could be used like that. I'll forever stick to KeePass, and if it comes down to needing to sync easily in a way a normie can do it, I'll at least show them how to sync it with Google Drive or OneDrive to avoid it being as much of a target as LastPass.

Ever since you recommended KeePass I've felt extremely secure in my passwords. Would love if you could do more videos on alternatives like that. Would be awesome to find an alternative to something like Google Calendar!

Thank you "Mr Mental". Always looking out for the little guy (and NO in-video commercials! How dew you dew it)

I will never betray KeePass. Always been bae

If you have a heavy online footprint, especially into a large number of secure systems, then a PW manager is almost required for any efficiency. This is especially the case with PW modern standards. I look forward to your video about an alternative, because I use LastPass. I have a more secure PW than the recommended standard, so I'm not really worried about the breach. They definitely need better security practices.

Bitwarden is pretty good. Open source and self hostable

420k subs. Grats my dude. Thanks for the videos as always.

Excellent spotlight! Thank you!

I can almost read the phishing emails.... "Dear customer, The hacking from 4 months ago was more theough than we thought. Please click here to reset your credentials and keep your account secure. Best regards, the hackers."

yo kenny you should do some videos on things youre learning in rust. i want to learn it as well, and it would be cool to see someone who is new to it explain what they’re learning

No matter what password manager you chose to use, always SALT your stored passwords. Salting means you store your passwords partially. Since the stored passwords are incomplete, you have to add the missing characters upon logging in. Also since the passwords are incomplete, it's of no use to the hackers.

Thanks for this - I’m a non IT person and appreciate your balanced and calm information

There's a guy on Twitter who puts his wallet seeds in LastPass (why I don't know) and claims wallets have been emptied, implying that either they somehow cracked his master password or LastPass did not encrypt all his secrets. I use Bitwarden paid service, not gonna lie I know it's a target. Security professionals always say "security by obscurity is worthless" but I disagree. If I self hosted, I'm less likely to be a target of great focus, just the usual people scanning IP ranges. That might be better than being part of a huge asset like a password manager's database, sticking out like a sore thumb.

I've been intimidated by the choices and issues with different password manager options, I'd love to see a vid on what the self hosted version looks like.

Another case for always assuming anything you ever put online is known to anyone. It's fine to use lastpass, but don't store full passwords there, invent your own system of prefixes and/or suffixes so that the password only becomes complete in your head.

Looking forward to your next video, Kenny! I use Bitwarden myself but I plan to switch to a self-hosted one.

Even having technical skills I do not think I would trust myself to self-host something like a password manager. Like, is ssh only with key files enough, what else should one do with fresh server? I would be glad if you would in the video go over those aspects as well.

Yes, this is a big leak. But, even with this leak, LastPass was probably still safer than not using a password manager for the common Joe.

Thanks for the amazing videos this year Kenny! Merry Christmasss!! :)

That's why I use my own instance of Vaultwarden instead of default cloud solution. I really got concerned about the possibility of someone to hack into these password management services in the first place.

This was a valuable video on such a serious topic. I do hope you consider producing a video or mini-series on self-hosted password management implementation. Thanks so much! 👍

LastPass went from the number one open source password manager recommended by Richard Stallman to now the number one public security database! The hits keep comin'!

I moved from lastpass long ago from the past breech to moved to something else but i've had my eyes on self hosting options for a password manager can't wait for your video on it.

Love that I got an ad for another password manager at the start of this video.

Thank god I use my own Vaultwarden installation.

It's almost like trusting an external service to host all your passwords isn't a good idea. They should've invested into opsec instead of sponsoring Linus videos

Nothing more secure than the sticky note in my bedroom drawer

they called me crazy for writing my passwords down in a notebook

Id be interested In your self hosted passwords video. I use lastpass extensively on both mobile and PC. As a data horder that likes hosting data locally I'd be interested to see the features avalible and if it plays nicely with ios (which seems to be the hardest aspect)

I'm so glad I switched to fully self-hosted KeePass with Yubikey-2FA. I always thought it is going to be dangerous to host password at a third-party service, even if they say it is all end-to-end encrypted. I mean, what happens when that service simply loses your data? Not even talking about stealing...

I've personally been using Keepass along with dropbox for quite some time now, the dropbox choice was to make life easier for syncing with mobile Keepass-compatible apps. Setup is easy and doesn't rely on a whole password manager as a service thingy

One aspect you missed is old Last Pass accounts were not updated to 100,100 iterations , the old ones are set to 5000 unless the user updated it themselves. Iterations being the key to making brute force attacks harder to crack.

When you made your first video on it I panicked and spent several hours transferring passwords on LastPass to my phone locally thinking it was overkill. WELP.

Good thing I write my passwords written down on a stone tablet

Merry Christmas, Kenny!

Does 2 factor auth actually help with encryption? Or is only the master password required when you have vault. Also if LastPass has a password reset system couldn't you attack that to decrypt vaults?

Imagine using proprietary password manager..you really have to be..idk..bitwarden ftw. Using proprietary password manager is same energy as if you were an FTX user 😂

Not directly related but my visa card was used in an attempted fraud recently. The bank intercepted it luckily but I still have no idea how they got my card details in the first place because my endpoint security is tight. The only thing I can think of is that some small Joe Schmo business that I bought from was storing card details against my wishes in an insecure way and got hacked. Makes me really angry that you can't control for these things given the amount of hassle involved in replacing the card in time for Christmas. First time it's ever happened so I see a future with multiple bank accounts and cards!

Im pretty basic when it comes to this kind of thing, so if im understanding this video correctly if I had used laspass to just create a randomized password, am I screwed? or is it only applying to people who created accounts with this website?

A lot of hacks happen because some admin fails to upgrade backend software. My web server got hacked and it was down to the fact that the server providers were running an insecure version of PHP.

I'd love to hear about a FOSS password solution in one of your videos.Especially something which can be used in teams to share credential information would be nice.

Password leaks are ALWAYS far worse than what the hacked companies admit to!

Thank God I keep my passwords on a comically small notebook in a run down desk

A week after their message, I got my passwords stollen. Luckily I found out when someone make a reservation with my booking account to Albania and I was able to cancel it. It took me a lot of hours to change over 200 passwords.

Funny, I was just thinking about this a few hours ago. Notebooks are much safer. Not for business purposes, but definitely for personal security

I write my passwords on a piece of cardboard, put them inside an envelope inside my safe, next to my firearm. Yes I'm a boomer, but I will never trust a piece of code do handle my financial data.

hope you create that video as soon as possible, and thanks for your informative and useful content

Self-hosted Bitwarden on a RPI in a trusted building where it cannot be physically stolen, with access only through a VPN (zerotier-one is the easiest to set up for both PC and android) and daily encrypted backups with an append-only key seems like the best option out there.

This is why I keep my passwords in a notebook in my safe. I don't particularly trust any of these password managers and rather not have it on my PC in a text document either to be safe.

*laughs in bitwarden*

Best is that 1Password had an ad on your video for me

That zero knowledge architecture seems to leak out a lot of knowledge.

Who knew that using a centrally synced, single password to access, password manager advertised as "better" than just remembering them were quite dangerous

Sounds like hackers keep finding ways to ruin Christmas some how like with the log4j panic a while ago.

Sounds great, looking forward to it...cool yule & a frantic first!

Is Dashlane potentially open to the same risks? I have ultra strong masterpassword, 2fa and unique passwords for each credential but it is still concerning. I also have hardcopy prints and digital USB copies in a fireproof safe.

BASED

I'm so glad I switched off LastPass years ago

Thank god I store all my passwords in a ledger in a safe inside a house that has concrete walls

Does a password manager service use the same encryption key to encrypt all different kinds of information, say username, saved passwords etc.? Or do they use different algorithms to derive different keys from the master password?

To me this is just another example of why we need to move past passwords

6:10 I'm not sure how plausible this attack is and would like someone elses assesment. According to the FAQ they use 100,100 rounds of PBKDF2 (a key-derivation function) to add a work factor to cracking. I just installed a python library that does this (backports.pbkdf2, quite possibly not ideal performance, I don't know how this library compares). It does the 100100 iterations in 0.11 seconds (Ryzen 5 5600). Even 1/10th of this seems like a lot of work for brute forcing a single password. That's still a lot less than the 2 seconds (iterations set relative to user PC specs) default in keepass which a company like Lastpass should be able to afford. I'm thinking that the very most basic passwords are unsafe but any password that anyone would consider an actually decent password seems out of reach.

Now if hackers want to get my passwords they'll have to get my address and then find the sticky note.

I got many scam emails trying to scare me with my passwords and logins. Good thing I changed all passwords after i've seen your video on the leak.

source code can still be valuable to hackers because it can allow them to see how the encryption works and all them to write a brute forcer algorithm and brute force decrypt the data breaches in the future or past. i wouldnt be surprised if last pass algorithms make it into hashcat or equiv.

Thank goodness I live under a rock and I've never heard of any companies on this channel. I legit found out through you that Whatsapp existed.

The cloud, basically someone else's computer. Ya'll be amazed how much access technical staff has at these big companies.

Gosh am I glad having switched since the very first breach from LastPass to Enpass (where youre able to save the DB where you want). Never looked back.

bitwarden > lastass

Is this one of those things where people upload their most sensitive data to a web service operated by a business they can't personally verify or audit, and the constant corner-cutting and profits-first policies result in a massive data breach, but the business executives downplay it to save their profits? Oh man, I love those!

Looking forward to that future vid. Keep up the great work.

The way i "self-host" my password manager, is i simply use syncthing to sync the encrypted password database across all of my devices (including a phone) and use a corresponding password manager to decrypt the database, KeePassXC on my PC and a Netbook, and KeePassDX on my android phone.

Would love to see your take on a self-hosted solution. I know you’ve endorsed KeypassXC before, but having that be useful across multiple devices or be useful in a shared business setting would be great.

Was considering a service like LastPass for a year now but my rationale always thought “if someone hacks them, you’re screw entirely”

Would be great to see a video on self-hosting a password manager from you!

Liked and subbed so I can see when you release the self hosted video!

god bless keepass