LastPass Hack: The CRUCIAL Problem No One Is Talking About
Вставка
- Опубліковано 31 січ 2023
- Sign up for DeleteMe! Use the coupon code SNUBS for 20% off any consumer plans! Linky: www.JoinDeleteMe.com/MorseCode * (coupon code automatically applied at checkout)
LastPass admitted to getting hacked a couple of months ago, and we're just now learning more details about what was breached. Password Managers are often targeted in hacks but in my opinion, LastPass is downplaying a crucial problem that can affect users.
My fav password managers for 2023:
25% off 1Password: www.jdoqocy.com/click-1003458... *
30% off Roboform: www.kqzyfj.com/click-10034586... *
Dashlane: www.dashlane.com/
Bitwarden: bitwarden.com/
Keeper: www.keepersecurity.com/
What Is A Password Manager And Should You Trust Them? - • What Is A Password Man...
LINKS:
blog.lastpass.com/2022/12/not...
support.lastpass.com/help/wha...
support.lastpass.com/download...
www.goto.com/blog/our-respons...
blog.gaborszathmari.me/sessio...
capec.mitre.org/data/definiti...
cwe.mitre.org/data/definition...
FTC: Links marked with * are affiliate links, which means I make a small commission off any sales.
Becoming a Morse Code Member by checking out the perks linked here!:
/ @shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
SUBSCRIBE! 🌸 ua-cam.com/users/ShannonMorse?s...
TWITTER 🌸 / snubs
Patreon 🌸 / shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
SUPPORT MY WORK
Patreon 💛 / shannonmorse
Buy Me a Coffee 💛 www.buymeacoffee.com/snubs
Shop 💛 snubsie.com/shop
TeeSpring 💛 teespring.com/stores/morsecode
Coupon Codes 💛 snubsie.com/support
Tech I Use & Recommend 💛 kit.co/ShannonMorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
FOLLOW THE SOCIALS THINGS
Twitter 🌸 / snubs
Instagram 🌸 / snubs
UA-cam 🌸 ua-cam.com/users/ShannonMorse?s...
Website 🌸 www.shannonrmorse.com
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
TECH I USE AND RECOMMEND
My Kits, Builds, and Must Haves ✨ kit.co/ShannonMorse
My Amazon Influencer Page ✨ www.amazon.com/shop/shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
MY OTHER SHOWS
ThreatWire 🌙 ua-cam.com/users/hak5?sub_confi...
Sailor Snubs 🌙 ua-cam.com/users/sailorsnubs?s...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
GET IN TOUCH
Mail ✈
snubsie.com/contact
Email for Business and Sponsorship Inquiries ✈ Shannon@ShannonRMorse.com
My Media Kit ✈ snubsie.com/work-with-me
Sponsor This Channel ✈ snubsie.com/shannon-morse
Music from 🎵 Epidemic Sound: www.epidemicsound.com/referra...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
😍 FTC DISCLAIMER 😍
Affiliate links listed above allow me to receive a small commission. Any sponsorships for videos are noted in video and listed in descriptions. Any products provided as gifts are listed above. Thank you for your support!
Comment section code of conduct policy:
Constructive feedback is appreciated, but please leave unproductive, divisive and harmful conversation at the door. Hateful comments are not tolerated, and these kinds of messages will be automatically removed. Thank you for making this community a welcoming experience for all viewers :)
snubsie.com/code-of-conduct - Наука та технологія
I switched from LastPass to Bitwarden when the hack happened, and actually find BW to be superior. And FWIW, I'm in the infosec business. I'd become anxious about LP after its aquisition by LogMeIn (which didn't have a stellar security record). Wish I'd acted sooner.
How would you consider BW to be superior? I use the LastPass Family subscription but with an over 20 character master PW. Would be interested to know if other options might be better and or cheaper.
@@jeepfanatik1304 Depends which paid services you need. I'm using BitWarden for free and it does everything LastPass used to do before they removed the option for free accounts across multiple devices. The company also seems a whole lot less shady in general, which is nice.
@@jeepfanatik1304 I'm not in infosec but I know enough to be dangerous... BW is arguably "superior" as a product since it is open source and has been independently audited. But BW is also faster performing and its default settings give you a stronger starting point. We LP refugees with long MPs are likely fine against brute force, but I went through and changed all 500+ passwords anyway... which sucks. This did allow me to increase the security at each site (add new MFA or use generated passphrases for site "security questions" answers) and remove sites that no longer exist or are not needed. It is laborious to do but seems worth it in the long run.
Bitwarden is only superior if you are self hosting. If you don't have the means to self host it, then 1Password would be best.
Same, I moved myself and my clients away from LP to BW after their 1st hack.
An updated password manager video would be awesome. As well as how to make the process of migrating easier. Right now the challenge is momentum - it’s hard to just get started.
I feel this tweet in my soul. It's so hard to get started!
@@ShannonMorse YEP
@@ShannonMorse Agreed... but I would argue it might even be harder to SWITCH!?!?!?!?! I run Lastpass with a long (23?) master... now I gotta change?
Google switch from LastPass to bitwarden, super easy with export / import. Steve Gibson (IT guru) talks about how easy this is in his podcast.
@@pauldamian2988 super easy to switch to bitwarden. Export your LastPass file and import it, boom. Took me like 10 minutes. It has much better field support, and auto fill on Android and web support, too. Works a bit better overall I've found
There’s also an additional problem you didn’t mention - LastPass not updating customers’ hash iteration value. They changed the default to 100,000+ iterations, but people who created accounts a decade ago had iteration counts of 5000, or even *1* for early accounts, and LastPass *did not upgrade customer accounts* according to their own security standards. This means these passwords are *way* more brute-forcible. It’s really bad…
This is one of the big factors that has lead me to dump LastPass. I paid LastPass, because they seemed to be making good decisions about security. I wanted to not have to be a fulltime security person. I wanted to farm that out to LastPass. At the time I did this, about a decade ago, LastPass seemed to be doing a great job. The issue, is that LastPass appears to have gotten lazy. They filed to increase the PBKDF2 hash iterations... actually they did so for new customers... but not those of us who had been singing their praises and been longtime customers! This tells me the problem is not really the hackers, it is that I no longer trust LastPass to make good decisions about my Vault and what is secure. Add to that the info that URL's were not encrypted, even though all LastPass marketing talks about how customer vaults are encrypted, never seeming to mention that important data like URL's is not... Yeah, Bye Bye LastPass. They've made business decisions that are not in the favor of my account being secure, so I am making a business decision that will not be in favor of their business goals. I'm gone, Won't be seeing you even again LastPass. You've shown how quickly you decide to do what is easy rather than what is best! Why would I continue with a password management company that has proven I cannot trust them!
And this is the reason that I’m considering moving after being a customer for over a decade. They need to have done a better job of communicating those updated security settings to their users when they changed their best practices. Like, if I have two sites using the same password in my vault, it’ll yell at me every time I open my browser and click to fill a password, but not once did that same popup mechanism ever tell me that, “hey, you’re using an outdated security setting for your vault, and if you don’t udpate it to the modern recommended setting, you’re putting the security of your entire vault at risk.”
Everything else I can forgive because they can happen to any organization, but that one was a seriously dropped ball.
If 5000 used to be adequate but not now, how long before 100K+ won't be adequate? 5 years? 2 years? Lastpass''s dodge about 'generally available cracking tools' -- that's generally available now. What will be 'generally available' in two years? Time flies.
@@bassmaiasa1312 Since OWASP is already recommending 310,000 iterations, what LastPass is doing right now is inadequate. LastPass is not keeping up. That LastPass was not actively alerting users who had iterations set below 100,000 is pure ineptitude on LastPass.
@@bassmaiasa1312 100k is no longer considered adequate, OWASP recently changed the recommendation from 310k to 600k PBKDF2 iterations. But encryption in general is a rat race, we encrypt things to be currently unbreakable but computers in the future may be able to break it with ease. Thus what you're really doing with encryption is buying time that when an adversary finally breaks into the vault, the treasure within is no longer useful.
Thanks so much for talking about this. I love that you bring issues like this to a wider community, on top of always talking about safer ways to keep our private information actually private!
You are so welcome!
@@ShannonMorse Or self-host PW manager with the likes of KeePass and such
Another problem with this is that it makes people lose trust in password managers, which ultimately leaves them more vulnerable. I like your advice of not having your most valuable passwords in your manager and to switch managers early if you hear of a breach. Hopefully it is sinking in that people need to take an active approach to security.
its a shame... business say stuff,, but cannot back up the proof. If you have a updated iteration hash/count, and a complex master password, you should be fine..
i just had to go thew 20 websites in my vault to update all passwords. Now i have no idea what any of them are 😆
Great breakdown. I hadn't considered the Session ID issue in the URL until your video. As much as I loved Lastpass, this breach was the last straw for me.
Switched to Keeper. The bad part is the vault data that was stolen is not going to be impacted by what you change now, so it can be scanned for years to try and get new credentials that are still in place. What users should really do is change every single password in their lastpass list, save on a different service or locally, and drop all go-to products from this point forward.
👏👏👏
Switched to Keeper as well. Much happier now
I'm glad I'm not the only one that pays attention to the words used like "such as" in statements.
Bruh 👀👀 I am sus
Absolutely love this video! Great explanation of what happened.
Also WHERE DID YOU GET THIS SHIRT?!
great video and love how u break it down so easily that anyone thats not very tech savvy can understand.👍
Glad you liked it
As a network Sysadmin geek myself I love your videos. Will spoken clear and to the point.
I've just updated to Yubikey from a previous video and love it!
Small pain in the butt to keep it with me, but it protects me and my client data and schematics for their systems so I'm a happy camper 🤓
That's a really good point. I already had those thoughts when I read about it as well, thankfully though this should really only affect either the websites you recently added (which might still have a valid session ongoing), I really hope there are no websites around that never change the session. But as you said, you can't know so it's always the safest to change the passwords to make sure.
Agreed. It would seem unlikely that session ids in a url would persist. I'm pretty sure that banks (financial institutions), Google, MS, FB/Insta, Tweety and more, would allow session IDs to be persistent, especially on different IP addresses.
Hardware 2FA needs to be a universal option.
Everywhere should use them, and free. Obscured a security product makes you pay to be the most secure
My suggestion, no matter where you record your passwords, is to use and store a partial passwords, but to have a secret code, e.g., three ending characters you add to every password. And never record that secret code anywhere except maybe on the side of your bottom dresser drawer. That way if your UN/PW is hacked you're safe because the hacker has only a partial password. Also protected if you have a written list.
Wow cool idea!
The same 3 characters (e.g. 123) for every password or different?
Lastpass does have the OPT/recover in case you forget your Master Password.. Call me a goof, but the first thing i do when setting up plugin, is turning OFF these things..
I manage my *own* security.. (... which could become a problem in later years)
Great information! You gave me more to think about on this hack.
Thank you! I love the tech videos, but this is great information!😎
Thank you for explaining this in detail, I know nothing about security, more of an hardware guy. So this thought me a lot. Session hijack achievement unlocked.
Great info, Shannon. Thank you!
That’s it, we’re going off the grid!
Thanks for the deep dive.
All normal session ID expires fast. I am not an expert but I beleve that things like Facebook uese cookies that is not hadeld by a password manager. And I like that the urls are stored unencrypted so that I dont have to unlock the password manger every time I want to fill out a form.
Seems excessive. Those session ID's have expired a long time ago. Hackers can only access 'active' session id's. A session expires either when logging out, or timing out (set on the servers). A PC restart will kill every active session, or closing all tabs and clearing browser cache, or inactivity. Also avoid using / checking a box that says 'stay logged in', this extends the session timeout to days or weeks before it expires (generally not found on sites with payment portals). Some sites will also dynamically change and update your session id seamlessly as you browse, you will notice this if you open tabs from the site you are logged in, and when you go back to the tabs you are met with a login page or it shows you logged out (as guest or whatever), those tabs never updated to the new session id and have reverted to the default page.
And some are active for years. It's far better to be vigilant than sorry
@@TheErador Sockets yes, sessions no (at least none I have ever come across, feel free to give an example), they will be terminated either client side or server side (whichever activates first). Idle sessions not closed are more like placeholders, they are deactivated when referenced again and a new active session is created.
@ShannonMorse Snubs, a critical data point so far not disclosed by Lastpass/Logmein is the date range for the backup data stolen. This could be critical information for people who deleted their Lastpass vault before this latest breach. Dependingg on the when the stolen backup was performed, customers who deleted their Lastpass vaults six, twelve, maybe even 24-months before this breach might still be at risk! --bump
The backups were from September 22nd 2022 as a LP user mentioned on another podcast . The LP user asked LP and that is what they told him.
@@GregM which podcast?
@@GregM Yeah, but who can trust the LP employee to know or tell the absolute truth.
I love tripe too! Big thumbs up for that last session info. Going through the log-ins exported from Chrome to 1pass I noticed these weird looking URLs? with a bunch of extra nonsense. I'm deleteing those too. Thanks. ( I doubt that making a mistake will lock me out of anything important).
Thanks for the walkthrough of the issues.
If you have a Yubikey on your LastPass account, does that still protect you from brute force if they have the encrypted data in their possession? I guess I don't know if the MFA key is just queried to log in or does it get integrated somehow into the encryption itself?
11:37 ummm if anyone HASNT switched. Do so now. Pause the video and switch. Thanks! And your future self will thank you too!
So I use a 60 character password for LastPass, do you think I'm OK?
I also purposely stripped URLs down to the main domain name as I've had issues with it not auto populating or filling in because the site has changed the sub directories. Either way I'm planning to move and I'm a paying customer.
I'm glad I switched a long time ago to Bitwarden. Your video on showcasing different password managers really helped me on making my decision.
Same
Glad I could help!
You should try Pocket Pass Manager, local + only shares with other computers via the local network.
The only snag is : whats gonna happen when Bitwarden is breached?? Are we (again) going to export/import our stuff to 'something else''??
Everytime we do this its harder and harder.. and its not exactly quick. The more stuff we store in these cloud-based managers, the trickier it becomes. Its not just passwords anymore,....its drivers licenses, secure notes and dark web monitoring as well as 'emergency access' etc... Not every password manager supports all features either. So it becomes mores of a simple solution.. What features are we willing to give up by changing??
I've been using KeyPass...Yes, it means having a OneDrive/Thumb Drive/DropBox/GoogleDrive etc. to store the PW Database, and yes it leaves a "potential" security hole, but what doesn't??? I used to just carry it on my thumbdrive but my old employer then disabled all access to USB ports for memory storage (intellectual property theft deterrent). Is it perfect? Nope...but I've yet to hear a big "OMG KEYPASS HAS BEEN HACKED" yet.
Right! And they have to download your database, which is stored locally.
We all keep hoping along from one lily-pad to another like a bloody frog in a swamp, export/importing as we go..That's fun.... anyway.
When I used the "Analyze Lastpass" powershell script, I noticed that some of my unencrypted URL's were password reset URL's with long reset tokens. 🤦. They didn't seems to work anymore, but that's still really bad. I didn't realized that when I'd do a password reset and the Lastpass extension would prompt me "would you like to update the password for this site?" it was also changing the URL and saving the reset token in plain text.
Yup!!! I noticed that too
>makes secure password manager
>GETS HACKED
Nice f*cking work, you guys. People put their trust in you keeping their passwords safe. Unacceptable.
5:43 now I don’t know if you talk about this yet… but another nugget here is LastPass (at least up until the hack happened) did not require strong passwords. I think my old account had like a 8 character password that can be hacked in under a minute.
Again very bad :/
Just like game saves you shouldn't trust cloud storage, especially when your security is concerned.
Locally Encrypted list for usernames and passwords etc. on one cheap USB pen-drive, encryption keys backup on another one in case you loose your OS install.
You should also double check your motherboard/logic board's BIOS is implementing 'Secure Boot' properly too as that seems an issue on MSI stuff...could be others with the same problem too though.
KeePass.
URL wasn’t encrypted, means they might have been selling the url information to data brokers - why would it not be encrypted and other thing’s encrypted
Omg good point! 😱 /Checks that my deleteme membership isn't expiring anytime soon.
I guess the session hijacking was the scariest part of this breach. IMHO, I thought that Lastpass could have been more transparent (especially in August when they sent their first notification) about what was taken and the scope of the breach instead of, as you mentioned, letting users know that it was worse than they originally stated in subsequent communications. I previously thought that session hijacking was called browser hijacking. Still, a Web search on that term just returned good but usual advice about running an antivirus, firewall, VPN, and keeping your OS and software up-to-date. I have heard that session hijacking has gotten so sophisticated that hackers will set up a browser to look like your browser to Websites including fake IP addresses from your location.
An updated video would be great but personally, I'd really like to hear about local options (especially open source) as this was something I didn't find much information on when I did my research last year.
I use Bitwarden, which is open source - you can run your own vault server if you like. I like it so much that I pay their annual fee for 2FA.
Take a look at bitwarden
If you mean offline options, I'm very happy with KeePassXC
@@esquilax5563 Thanks, I'll have a look.
Can you link your roundup of password managers?
Thank U for sharing this information.
My pleasure
"She KNOWS it's a MultiPass" :) (I just now noticed your "Multi Pass" in the background
Shannon says leave Last Pass. Done!
That thing about session IDs is a great shout, and I need to check mine. I am not a fan of LP linking the session to the password anyway as it doesn't always recognise. I am one of those people who tries not to save and autofill passwords - in other words I log in anew each time - which can be a pain in the arse but surely that has to be more secure!?
Great information! I bet a certain Jerry will be very interested in this. ;-)
What is better password manager or usb key like yubi key?
So glad I stuck with one password for everything on this post-it attached to my monitor.
Would love to get an overview of some of the alternatives. It's been a while since I looked and I feel like searching is just going to show me who has the best SEO unless I spend an inordinate amount of time digging for myself.
I mentioned this elsewhere, but I would start and stop my search at bitwarden. See my comment at the top, I've found it to be much better. I'm not a shill I just am very pleased with them and it is free lol
Bitwarden ftw
Pocket Pass Manager for iOS, 100% local, access from other devices with an integrated web server, and you can import the passwords from other devices. Indi developers, and all the security stuff from open source. It's crazy good.
Look at my shocked face that a password company isnt secure... 😐
Quick question: After a hack like this, is it too paranoid to change every password, username, email, 2FA, and credit/debit cards? I dealt with a hacker who took all personal info & then 'ransomed' my accounts. Very scary experience that I never want to go through again.
Nope you can change all that the credit you can keep same as if used and was not you can do a charge back and such
In terms of 2FA I don't really like the hardware keys because it depends a little too much on the OS. I prefer the authentication apps on separate devices that are not connected to the internet. It's a bit more universal, and you can still write your key down on a paper and wipe your device add it back later.
Hey there! What do you mean by the hardware keys are dependent on the OS?
@@flynntsang Hardware keys are physical and require a physical receptor to identify and validate, they can cause compatibility issues if the software being authenticated is multi-OS and multi-device. For example, if you use a password manager that requires 2FA on multiple devices, such as Windows, Mac, Linux, Android, and iPhone, it may not be easy to register one hardware key for all devices. And what happens when you upgrade your devices in the future? Will they always be compatible with your current hardware key?
On the other hand, an authentication software key is just data that can be used for any and all human inputs. Additionally, you can write down the key on paper and delete the app for increased security, only adding it when you need to use it.
I'm not saying that hardware keys aren't useful, I have one myself. However, I think it's important to consider the downsides before making a decision, as it's more of a situational choice.
@@flynntsang For an OS to do anything it requires a driver to translate the messages the device is sending. There is no universal 2FA key that is recognized by every OS. There is also not even a universal 2FA key standard established on the internet. For example FIDO2 has a lot of promise... but hardly anyone uses the standard. The few sites that do have 2FA use OTP, which is very outdated and insecure at this point.
Thanks, Shannon~
Session hijacking can be greatly reduced by monitoring when the session is and making the date and time part of the session ID.
How do you switch and take all your information without you without exposure?
Could you post a link to the original review please ?
Wow you got 700 subs in 2 days? Your Subscribers counter is doing its thing !
Yup lol 👍
I'm glad I moved to Bitwarden before that happened based on your password manager recommended video.
Great choice 😊
You should still double check your passwords. Even if you deleted your LP account, considering everything we've seen I wouldn't be surprised if it turns out LP have a very lax attitude regarding GDPR / Data Protection for backups.
@@cinnamon4183 excellent idea
I was looking forward to this one, thanks
Hope you enjoyed it!
Affected users should always presume security hacks on their password manager vendor was worse than initially thought - on principle. Thanks for this useful information.
*_TRUST !!_*
Do any password managers have a way to auto-rotate all your passwords? Then set up a scheduled rotation once a year?
I was just commenting on Gary's video about how part of the reason I haven't committed to using a password manager is that I'm in a constant state of concern that the password manager service will get hacked.
Then use a open source local password manager like Keepass and have absolute control over your vault.
@@AJ-po6up fair point. I've been considering it.
There are local only password managers. That would solve your problem there. Bit warden has that ability I believe, but also KeePass
keepass or other local hosted ones work just never loose the database
Awesome video Shannon. Just heads up, you missed the embed for the "Watch this about Yubikeys" etc. Love your content. Have an awesome day.
I fell asleep I'll add it in this morning 😅
@@ShannonMorse no probs. I don't blame you. Great video though. Re last pass, we use it in our business but looking to move to something else. We do understand however that our data is safe because we are federated. Would you agree?
LastPass was the most recommended password manager on UA-cam that I've seen in the last few years. Tech UA-camrs have been singing it's praises for awhile so there are going to be a lot of people affected by this breach. Thanks for the heads up.
They got fat stacks for promoting it.
Maybe other tech UA-camrs did, but I have never been sponsored by LastPass. I did used to recommend it for years for a lot of reasons, but this was the final straw. I'm generally pretty forgiving but I can't stand them anymore.
@@ShannonMorse What's your opinion about KeePassXC?
and despite all that people still use it.
not a lastpass user, but any recommended way or tips to change 200+ passwords quicker? just curious
It is a world of hurt and pain. I had a few techniques to minimize dupes when exporting from various pw managers to 1Password, like using spreadsheet text functions to extract domain names in URLs and then sorting by the domain name to find dupes. That way I had fewer to import. But the actual process is painful, painful, painful. My only tip is in 1Password you can create different vaults. As you verify a password, move it to a "clean" vault.
oh. indeed, pain it is. i created folders in keepass to do the same thing you mentioned.
The thing is the fact that they got the backup of the Vault means they can apply multiple different computers to try and crack the thing instead of over a single line
That wouldn't help as much as you think. The longer the password the difficulty increases exponentially. A 10 character password would take a few years to brute force. 12 characters 30K years. They could toss the entire computing power of the world at a vault secured with 13 characters. They would all be dead before even putting a dent in the possible combinations.
I would love to see a video about local solutions that I could use as to not have to use a cloud service. And as @Esper Wyrenth said if you could show the process of migrating everything that would be great. May would also be a good video idea to show the best ways to secure multiple accounts for different uses, such as having multiple emails for different things or any other good practices that would come along with that.
KeePassXC is one of the best local PW managers.
SplashID… been around forever and can be completely non-cloud. Very basic but if you want all the “features” you have to deal with this risk.
For most people it's really overkill to not use a cloud service, provided it's like Bitwarden that only store encrypted data and that your master password is complex (at least 14 random characters including symbols). A local only solution is potentially more secure but it's also waaaay more difficult to manage.
@@davidriosg I'm okay with the management honestly. I care more about the security than having to keep up with it. I'll look at bitwarden though and see what it is about.
I use password management software that keeps my passwords on my local computer. I don't think that I am perfectly safe, but I am a small target
I use LastPass with 2fa. Wouldn't the 2fa further protect the encrypted data, even if they could brute force the master password?
I don't believe so. 2FA proects against logging into the LastPass website/services. If hackers have the vault it's just the encryption keeping it safe.
Excellent video. None of this is going to make sense until password manager companies are reasonably, legally liable for the damages they cause by screw ups like this.
Not just password managers. The whole tech industry is basically an organized cybercrime family.
Password manager companies could never afford the insurance to back that liability!
@@andyburns wow, so true! ... Things that make you go, "hmmm..."
What are your thoughts on Keepass? It is a local password manager that is available on nearly every platform but stores a local encrypted copy of password library.
Or KeepassXC. Also you can sync that file with Syncthing or Cloud service safely, because everything is encrypted
It's pretty good for usecases where you don't have a team that needs constant access to a shared set of passwords, where it's impossible for them to have individuated accounts. Team shared folders are the reason we went with lastpass other than ease of use.
As long as you use a strong master password i think its encryption is pretty well respected. I store a keepass vault in Google drive, but you do need to check the permissions on that file to ensure that it's not available to the public etc. It's the biggest issue with keepass, you either have to carry your vault with you on a mobile or a usb drive or store it on a cloud storage service - in order to have access to passwords when you need them
Say NO to EVERY password manager!
You do know there are old people with difficulty remembering their names, let alone passwords? Writing it down in that 3 ring binder beside your computer with the label PASSSWORDS, is safe until you're robbed like my in-laws. Then you've handed them the keys to the kingdom.
we really need to go passwordless. I like the direction Microsoft has went with their accounts.
So Microsoft uses their auth app instead of a password right? What happens if you lose your phone? How are you going to re-authenticate on a new device?
@@michaell1603 you have more than just the Auth app configured. I use three methods for account access
HOLY CRAP! I remember Shannon from watching TWIT before Leo became super annoying (among other things). Thank you for starting your own channel so your voice is heard...
🫢🫢🫢
would making your own password server be better at this point ?
It's unfortunate - what really sucks is that for my job, I have to use a password manager that the company approves. LastPass is one of them, and I've been using them for almost 2 years! =(
😯
I have a lot of close friends who are in the same boat.
This is a big issue for businesses, other competitors in the password manager market should focus on the migration from LastPass and make it as easy as possible, while maintaining the same policies and settings from LastPass.
😆 opps... that's a bad boss. There's still noting wrong but we all egt scared the moment someone has a proprietary source code.
I think the biggest thing is users just have to start accepting breaches will always happen, no matter how great of a security model we have... There is such a thing as "security is good enough for the individual"
Are there any password managers that auto change your current passwords for each site?
while this would be awesome, i think this would be rather hard, since the process of changing passwords differ a lot between different sites and would be difficult to automate (and of course, only doing it in the password manager would just lock you out of your accounts :P)
I know LastPass gave you the option to choose "change all passwords" and the platform would TRY to do it for you. But it sucked and didn't work well.
I have switched from Lastpass to Bitwarden when the first breach was announced. Do anyone have a recommendation on a MFA app that would be a good replacement for Lastpass Auth or Authy?
Believe it or not, Bitwarden itself will do MFA for you. You just have to add the shared secret to the site like you would a password, and it'll generate codes for you, and even let you copy them like you can the username or password. It's putting all the eggs in one basket, which may or may not be a good idea, but it does do it.
Aegis Authenticator is great if you'd rather not do what Trevor mentioned! I enjoy it because it can do automatic encrypted backups.
@@ken-rx6hb That actually does sound like a darn good feature! I'll have to check it out for the couple of MFA's I'd like to keep outside of Bitwarden
+1 to Aegis, is really good check it out.
Great video! I'd love to see a video from you about the password managers available now and how secure they are or aren't now. Personally, I'm interested in a cloud based service, so I'd also love to see you break them down by type (local, cloud based, etc) and the trade offs of each type. Thanks! :)
Would it actually be good? The rule of thumb with these peacocking weirdos is to avoid them.
That t-shirt is amazing, really cool hair match👍😆
if you use a mac or iphone you can use the password manger built in to the mac or iPhone keychain works well on the current devices like phones macs and even pcs with the windows store app
I'm unable to join the discord from the link provided in the membership tab, invitation is expired :(
Thanks for bringing that to my attention! Which membership did you join? YT, BuyMeaCoffee or Patreon?
@@ShannonMorse through YT
The session ID in url can be a necessary evil, especially with the don't allow any cookies popups.
Good and bad cookies and how security and privacy don't always mix well could be a whole video in itself.
But hopefully sites are doing it right and won't fall to session fixation or anything. 🤪
Don't sessions have expirations?
Ditched them :P Thanks Shannon !
Great info. Also... I want that shirt
I got it from Hot Topic a while back!
Nice video Shanon
An update would be very welcome 👍
Great video. I recently found your channel and like you views and opinions. I'd like to know if you could cover or do a review on Synology's C2 Password product. Thanks and I look forward to more great content.
where did you get your t-shirt from?
Hot Topic!
@@ShannonMorse thankyou
2023 recommended password managers please. 🙏
Switched to locally hosted bitwarden
Shannon's Channel is underrated.
It is great in every respect !!
I just left those fools. They are not doing what's necessary to resolve the problem. They''re going to get hacked again. Love the mononoke shirt btw. Forest spirit ftw.
Heres what i recommend go to all of your accounts hit log out of all devices then relogin so that forces links to be invalid
VERY interested in a local password manager!
Madame , Security Morse 👩.... I 🙎🏾♂luv🖤❤ your Style of Thinking , & the Moves that can keep us all safe with Important Documents 🏮🏮🗞🖇📚 & Money 💰💸❗.... for that , ... I 🙎🏾♂thank👋🏾you ❗.... From S J 🙎🏾♂ = D M V Production 📺🎥📸📹❗...... PEACEEEEE 🙏🏾 💪🏾✌🏾❗💯
I love Princess Mononoke. One of my few remaining DVDs.
1:05 oh I remember how awful this was. It was the hack that kept of giving… giving to hackers, that is. :/
New password manager vid would be great. Ill be moving away from Lastpass soon ;)
I stopped using LP since the 1st hack years ago....
lastpass is my last password manager now
Are you considering switching?
@@ShannonMorse yup, just gonna use the firefox one
Honestly, the app stores should start pulling software that has had a breach until a quality external audit had been passed.. it protects clients in many ways...
People complain when something gets taken down "as is", accidentally or deliberate, and you want then to wait longer? Good luck to you sir... Everything is a balance, unfortunately.
@@Tech-geeky most people don't have a clue re modern digital security and how to keep themselves safe. Like a parent, you sometimes need to do what is best for them, and ignore their dislikes.
Also, it's not like every 10th app is going to suddenly get taken away. It's probably 1 in every 1k apps.
I use the hell out of KeepassXC/DX on Linux and Droid.