
LastPass Faces Class-Action Lawsuit Over Password Vault Breach

Proud Cipher
6 hours ago, Donut417 said:

Not all these services are the same, however. While Bitwarden can store passwords in the cloud, which is how I currently use it, you can also store your password database locally. There are similar password managers that do this as well. The reason the LastPass thing is so bad is because it's a cloud-based solution; also, some people were downright dumb and stored their 2FA backup keys as well as other information in LastPass. When I used LastPass I never stored any other info besides my passwords, name, address and phone number. My name, address and phone number have been leaked countless times by other hacks.

 

To me the biggest takeaway from this is that cloud-based password managers are probably a bad idea. Now, hosting a password database locally is likely fine, because it's not like the average hacker is going to hack into a person's home network to get passwords when they can hack into a corporate network and get accounts from many people at once.

No, the reason why the LastPass incident is so bad isn't because it's stored in the cloud. The cloud is not inherently bad, and in many cases it's more secure than trying to keep your own infrastructure safe. 

 

The reason why this LastPass incident is so bad is because they keep having massive security incidents, don't provide information about them, and do stupid things like save quite a lot of information unencrypted. That, plus a lack of security audits for their software, is why LastPass is very bad compared to Bitwarden.

 

The take away shouldn't be "don't save passwords online, host it yourself instead". Hosting it locally might not be more safe, and it could potentially be far less secure. The idea that "nobody will target me specifically since I'm not important" is:

1) An argument for "security through obscurity", which isn't security at all. 

2) An argument that shows a clear lack of understanding of how attacks are made. If your locally stored database is compromised, it's not because you were targeted. It would be because you happened to have a vulnerability that was scanned for. Most attacks are not targeted attacks. They are done through "let's run the same attacks against 10 million computers and see if it works on any of them".


1 minute ago, LAwLz said:

and in many cases it's more secure than trying to keep your own infrastructure safe. 

I disagree. The cloud contains data from a lot of people. In my opinion cloud providers have a larger target on their back compared to an average user. Is a hacker going to go through all the trouble like they did with LastPass to hack into my home network? Probably not, because I'm one person and probably not worth the time. But a cloud-provided service with tens or hundreds of thousands of users or more is a pretty sizable target.

 

2 minutes ago, LAwLz said:

is because they keep having massive security incidents, don't provide information about them

The thing is, lots of companies do this. When I was in school we had a conference where speakers came in from many fields to speak. I signed up for a speaker about cyber security. She pretty much stated that companies are compromised many times, and we as the public sometimes never hear about it.

I just want to sit back and watch the world burn. 


17 minutes ago, Donut417 said:

I disagree.

It's not something you can disagree with. It's a fact. 

 

 

19 minutes ago, Donut417 said:

The cloud contains data from a lot of people. In my opinion cloud providers have a larger target on their back compared to an average user. Is a hacker going to go through all the trouble like they did with LastPass to hack into my home network? Probably not, because I'm one person and probably not worth the time. But a cloud-provided service with tens or hundreds of thousands of users or more is a pretty sizable target.

Most attacks are done through means that don't even care about how big the target is. They are done automatically against millions of devices at once. Attackers generally don't do these highly sophisticated targeted attacks. They spray and pray.

Thinking that you won't be attacked because "I'm just one person" is like thinking you won't get spam emails because you're just one person. The one doing the attack does not care who you are, and they don't know who you are either. They have no idea if you're the CEO of a major company, and therefore worth a lot of money, or if you're an unemployed gamer who lives in your mom's basement. But they don't care because they will attack both demographics.

 

 

30 minutes ago, Donut417 said:

The thing is, lots of companies do this. When I was in school we had a conference where speakers came in from many fields to speak. I signed up for a speaker about cyber security. She pretty much stated that companies are compromised many times, and we as the public sometimes never hear about it.

I'm not sure what your point is. Is it "you shouldn't trust companies because they are sometimes hacked and we won't hear about it"? Because a lot of private people are attacked too and we don't hear about it. The current estimate is that around 50 million Windows PCs are infected with malware. We don't hear about these attacks against private people because they are so common it's not newsworthy.


14 minutes ago, LAwLz said:

"you shouldn't trust companies because they are sometimes hacked and we won't hear about it"

That's exactly the point. Just because a company like Bitwarden claims they do things better, are you going to just believe them? Big corporations exist to make money and only exist to make money. That's why attacks are successful, because most probably don't invest in IT infrastructure the way they should. That's not just a fault of corporations; the government is the same way, and they have the ability to conjure money out of thin air to pay for it.

 

20 minutes ago, LAwLz said:

It's not something you can disagree with. It's a fact.

I can disagree with it. There is no way that you can trust that an entity whose purpose in life is to make as much money as possible is going to have the best interests of its customers in mind. No way that's happening. Every time my data has been leaked it was a fucking billion dollar corporation that leaked it. I know that for a fact. Just got my $5.21 settlement check from the Equifax hack. I'm constantly using Credit Karma to keep track of my credit as well as having had to freeze my credit to protect myself, all because Equifax couldn't spend the damn money to secure its servers.

 

 

Honestly the best place for a password is either in your brain or in a notebook kept in a safe place, because any electronic way of storing them can probably be hacked. 

I just want to sit back and watch the world burn. 


21 hours ago, LAwLz said:

No, it's weighing up the benefits versus the risk. I know what benefit password managers can provide me, and that benefit is not enough to outweigh the risk. You can argue as much as you like that the risk is small to insignificant but I don't care, because it is still one more risk than I had before, and using a pen and paper does not take time out of my day nor is it a chore. The time a password manager would save me can actually be counted in minutes per year.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


14 hours ago, Donut417 said:

Thats exactly the point. Just because a company like Bitwarden claims they do things better, are you going to just believe them?

No, I don't take their word at face value. I trust them because they are very transparent about what they are doing and hire third party companies to validate their work. Unlike LastPass, which does things in secret, refuses to answer questions about their product, and did not have third party validation. There is a reason why LastPass have had 8 serious security issues in the last decade or so, while Bitwarden have had zero. It's not just "LastPass is a bigger target".

 

Please note that I do not use Bitwarden myself. But that's because I have certain needs that are not fulfilled by Bitwarden. If I had been a LastPass user then I would have changed to Bitwarden a long time ago however. 

 

 

 

14 hours ago, Donut417 said:

I can disagree with it.

Sure, you can disagree with it. But it'd be a stupid thing to do. People disagree with the covid vaccine being effective, the moon landing being real, and other things too.

 

 

14 hours ago, Donut417 said:

There is no way that you can trust that an entity whose purpose in life is to make as much money as possible is going to have the best interests of its customers in mind. No way that's happening. Every time my data has been leaked it was a fucking billion dollar corporation that leaked it. I know that for a fact. Just got my $5.21 settlement check from the Equifax hack. I'm constantly using Credit Karma to keep track of my credit as well as having had to freeze my credit to protect myself, all because Equifax couldn't spend the damn money to secure its servers.

The problem is that security is hard, and even companies who spend billions on it will mess it up. The problem is looking at a fuckup and going "wow that was bad, so I'll try and do it myself from now on!".

Looking at a security breach and concluding that "I can probably do that better" is like looking at the Boeing 737 MAX issues and going "well, I can probably build a better plane than Boeing". Chances are you can't, and the idea that you are less of a target because you are just one person is utterly foolish and shows a lack of understanding of how attacks are conducted. It's precisely the type of people who think "I can do better" that oftentimes can't do things better.

 

 

14 hours ago, Donut417 said:

Honestly the best place for a password is either in your brain or in a notebook kept in a safe place, because any electronic way of storing them can probably be hacked. 

No, this is terrible advice.

If you store them in your brain then they are not long and complex enough. Most compromised accounts are not obtained through sophisticated attacks. They are made through guessing passwords or reusing passwords. Both of the most common attacks are possible because people rely on their own memory to store passwords.

You're trading a small risk (your password vault being compromised) against a big risk (your password being simple and reused). If you want an analogy, you're basically saying "I saw someone get choked on a seat belt once, so from now on I'll drive without a seat belt. That way I won't get choked". It's ridiculous.

 

Notebooks are not a good idea either because again, it encourages bad passwords. A notebook is also easier to steal than a good password vault, and is much harder to back up. 

 

What you are saying is laughably bad. It's complete bollocks. You are utterly wrong in almost everything you say. You are not the type of person who should be discussing security because you have no idea what you are talking about. It infuriates me that you are so ignorant yet think you know what you are talking about.

 

 

3 hours ago, mr moose said:

No, it's weighing up the benefits versus the risk. I know what benefit password managers can provide me, and that benefit is not enough to outweigh the risk. You can argue as much as you like that the risk is small to insignificant but I don't care, because it is still one more risk than I had before, and using a pen and paper does not take time out of my day nor is it a chore. The time a password manager would save me can actually be counted in minutes per year.

Can you please describe what you think the benefits are vs the risks? Because it is not like keeping passwords in a notebook vs a password vault is the same thing except the password vault has one extra risk.


And this is why I don't use a password manager that stores my passwords in its own cloud or has any direct access to my passwords. That means that only one successful attack is required to breach passwords. Since those companies are also well known they are of particular interest to hackers, and as such attacks on them are much more likely.

 

I have my passwords stored in a file that is on my local network and also on Dropbox. My local copy is safe enough; if someone manages to break this far into my infrastructure at home they simply don't need to hack my passwords. If you have an attacker within your own network nothing is safe anymore. But even if they get in, the file itself is still heavily encrypted.
As for hacking Dropbox? Sure, that's possible and might happen. So yeah, they might steal my password database, but it won't do them any good. Because again, that one is heavily encrypted with a very good password. So in order for them to get access to that file they also have to find an attack vector and fault in that software.

This means that they have to hack two completely separate security systems from two completely separate companies. Is that solution perfect? Certainly not, but I find it is much safer than trusting just one company. And any singular breach should give me enough time to act and move away from that solution.

While it is not the most convenient solution I think it's the best compromise between safety and usability.
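The setup in the post above (an encrypted password file that also sits on Dropbox, so a stolen copy is worthless without the master password) in working form, and the same point the later posts make about the master password and the KDF being what actually matters. This is an added example, not code from the post's author or from any password manager product; the file layout, the PBKDF2 iteration count and the sample records are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assumed file layout (constructed for this example, not any product's format):
//   salt (16) || PBKDF2 iterations (4, big-endian) || GCM nonce (12) || AES-256-GCM ciphertext+tag
// The header is bound to the ciphertext as additional authenticated data, so
// editing the salt or lowering the iteration count breaks the tag.
const (
	saltLen  = 16
	nonceLen = 12
	keyLen   = 32
	hdrLen   = saltLen + 4 + nonceLen
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out here so the
// example needs nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iterations, dkLen int) []byte {
	out := make([]byte, 0, dkLen)
	for block := uint32(1); len(out) < dkLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write(binary.BigEndian.AppendUint32(nil, block))
		u := mac.Sum(nil) // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // Ui = PRF(P, Ui-1)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// deriveKeyHex exposes the KDF so it can be checked against a published vector.
func deriveKeyHex(password, salt string, iterations, dkLen int) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(password), []byte(salt), iterations, dkLen))
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// sealVault encrypts the complete record set (site, user, password, notes)
// under a key derived from the master password; nothing stays in clear text.
func sealVault(masterPassword string, records []byte, iterations int) ([]byte, error) {
	header := make([]byte, saltLen, hdrLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	header = binary.BigEndian.AppendUint32(header, uint32(iterations))
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header = append(header, nonce...)
	gcm, err := gcmFor(pbkdf2SHA256([]byte(masterPassword), header[:saltLen], iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return append(header, gcm.Seal(nil, nonce, records, header)...), nil
}

// openVault reverses sealVault. A wrong master password or any edit to the file
// surfaces as a GCM authentication failure rather than as garbage output.
func openVault(masterPassword string, blob []byte) ([]byte, error) {
	if len(blob) < hdrLen+16 {
		return nil, errors.New("vault file too short")
	}
	header := blob[:hdrLen]
	iterations := int(binary.BigEndian.Uint32(header[saltLen : saltLen+4]))
	gcm, err := gcmFor(pbkdf2SHA256([]byte(masterPassword), header[:saltLen], iterations, keyLen))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, header[saltLen+4:hdrLen], blob[hdrLen:], header)
	if err != nil {
		return nil, errors.New("wrong master password or tampered vault file")
	}
	return pt, nil
}

func main() {
	// Constructed sample; note that the URL is inside the ciphertext too.
	records := []byte(`[{"site":"https://example.com","user":"alice","password":"sample-only"}]`)
	blob, err := sealVault("correct horse battery staple", records, 600_000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vault: %d bytes, of which %d bytes of unencrypted header\n", len(blob), hdrLen)
	_, err = openVault("password123", blob)
	fmt.Println("guess with wrong master password:", err)
	pt, _ := openVault("correct horse battery staple", blob)
	fmt.Println("correct master password:", string(pt))
}
```

Two things are worth noticing. The whole record, URL included, is inside the ciphertext, which is the kind of field the thread faults LastPass for leaving unencrypted. And the iteration count in the header is authenticated, so someone holding a stolen copy cannot lower the cost of each guess; every guess costs the full KDF, which leaves the strength of the master password as the deciding factor.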


On 1/28/2023 at 5:48 AM, mr moose said:

And people laugh at me for using a pen and paper. The term "putting all your eggs in one basket" sounds fairly apt here.

My important passwords are all written down and put in a small safe. My unimportant passwords are all in a spiral notebook by my desk. Nothing's been important enough to need to access in 5 seconds through LastPass if I forget them vs the 40 seconds to 2 minutes it takes to grab one of the notebooks and type it in.


18 hours ago, LAwLz said:

The take away shouldn't be "don't save passwords online, host it yourself instead". Hosting it locally might not be more safe, and it could potentially be far less secure. The idea that "nobody will target me specifically since I'm not important" is:

1) An argument for "security through obscurity", which isn't security at all. 

2) An argument that shows a clear lack of understanding of how attacks are made. If your locally stored database is compromised its not because you were targeted. It would be because you happened to have a vulnerability that was scanned for. Most attacks are not done through targeted attacks. They are done through "let's run the same attacks against 10 million computers and see if it works on any of them". 

That assumes that the service is hosted locally, instead of just stored locally for localhost-only access. If a database is stored only locally, then yes, it would overall offer more protection, as security is just about probabilities. The biggest thing in local vs cloud password management isn't necessarily whether the cloud provider gets compromised, but rather what encryption algorithm was used and the master password. If the master password was something no one could realistically crack, then there isn't much of a problem with using cloud vs other local storage (except for the pen/paper method).

 

Also, it seems as though it's an assumption about how it's implemented, as there are ways to have all the data local and have better security than cloud storage. In one example of an implementation:

 

Everything is local on computer A, the service does keep a connection to xyz server.

You connect with computer B (through the internet).

To do so there are a few options

Option A:

Computer B requests from xyz to act as an intermediate for the data (but all data is already encrypted by a shared password, and also a public-private key like ECC, still could have someone compromise xyz...but at that stage they would have to compromise ECC which is unlikely or act as a middle man forging the public private key combo.  Then guess your master password still and they would only be limited to the passwords shared during that period of time.  The realistic attack on this would be p). 

 

Outcome, pretty unlikely a password would be compromised this way (in the sense of a data breach).  The most likely compromise this way would be having xyz server compromised, and then finding an additional exploit in the program itself.

 

Option B:

Computer B requests from xyz to set up a connection. From there computer A and B use hole punching to communicate more directly. Same kind of outcome as option A though, except that this time, since only very simple traffic goes through xyz initially, it should be easier to have the local programs secure.

 

Either way, if done correctly, local hosting of the password database can be more secure than cloud-based storage. With that said though, it gets back to what I also said earlier. If one chooses a really secure master password, and the correct encryption algo is used, then it would make less of a difference between having it on the cloud vs having it local. The attack vector would be compromising your computer to get your master password.

3735928559 - Beware of the dead beef
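Option A from the post above in working code: two devices with X25519 key pairs, an untrusted relay "xyz" that only ever forwards ciphertext, and the check that catches a relay trying to swap in its own key pair (the "forging the public private key combo" case). This is an added example, not code from the post's author or from any product; the pairing step (computer B learns computer A's public key out of band, not via the relay) and the plain SHA-256 key derivation are simplifying assumptions made here. Option B only changes the transport (hole punching instead of relaying), so the same end-to-end layer applies unchanged.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// device is one endpoint (computer A or B) holding a long-term X25519 key pair.
type device struct{ priv *ecdh.PrivateKey }

func newDevice() (*device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &device{priv: priv}, nil
}

// pubKey is what a device advertises. The example assumes the peer pinned it at
// pairing time out of band (QR code, typed fingerprint), never via the relay.
func (d *device) pubKey() []byte { return d.priv.PublicKey().Bytes() }

// sessionAEAD derives an AES-256-GCM key from the X25519 shared secret.
// SHA-256 over the secret is a simplification; a real design uses HKDF with a label.
func (d *device) sessionAEAD(peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := d.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	blk, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// relay models the "xyz" server: it forwards opaque bytes and records what it
// saw. With mitm set it also tries to substitute its own public key for A's.
type relay struct {
	seen [][]byte
	mitm *ecdh.PrivateKey
}

func newMITMRelay() (*relay, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &relay{mitm: k}, nil
}

func (r *relay) forwardKey(pub []byte) []byte {
	if r.mitm != nil {
		return r.mitm.PublicKey().Bytes()
	}
	return pub
}

// sawInClear reports whether the relay ever forwarded needle unencrypted.
func (r *relay) sawInClear(needle []byte) bool {
	for _, m := range r.seen {
		if bytes.Contains(m, needle) {
			return true
		}
	}
	return false
}

// syncEntry pushes one vault entry from a to b through r. b refuses any key that
// does not match the fingerprint pinned for a, which defeats a key-forging relay.
func syncEntry(a, b *device, r *relay, pinnedA, entry []byte) ([]byte, error) {
	advertised := r.forwardKey(a.pubKey())
	if !bytes.Equal(advertised, pinnedA) {
		return nil, errors.New("peer key differs from pinned fingerprint: key substitution at relay")
	}
	aeadA, err := a.sessionAEAD(b.pubKey())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aeadA.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wire := aeadA.Seal(nonce, nonce, entry, nil) // nonce || ciphertext || tag
	r.seen = append(r.seen, wire)                // all the relay ever holds
	aeadB, err := b.sessionAEAD(advertised)
	if err != nil {
		return nil, err
	}
	n := aeadB.NonceSize()
	return aeadB.Open(nil, wire[:n], wire[n:], nil)
}

func main() {
	a, _ := newDevice()
	b, _ := newDevice()
	pinned := a.pubKey() // learned at pairing, not from the relay
	entry := []byte(`{"site":"example.com","user":"alice","password":"constructed-sample"}`) // constructed
	honest := &relay{}
	got, err := syncEntry(a, b, honest, pinned, entry)
	fmt.Println("honest relay:", err, string(got))
	fmt.Println("relay saw the password in clear:", honest.sawInClear([]byte("constructed-sample")))
	mitm, _ := newMITMRelay()
	_, err = syncEntry(a, b, mitm, pinned, entry)
	fmt.Println("key-substituting relay:", err)
}
```

With the honest relay the entry arrives intact and the relay's record contains only nonce, ciphertext and tag; with the key-substituting relay the sync is refused before anything is encrypted, because the pinned fingerprint no longer matches. Compromising xyz therefore yields ciphertext under a key the server never held, which is the post's "they would only be limited to the passwords shared during that period" scenario reduced to nothing usable.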


20 hours ago, LAwLz said:

Can you please describe what you think the benefits are vs the risks? Because it is not like keeping passwords in a notebook vs a password vault is the same thing except the password vault has one extra risk.

 

I already have: using a password manager offers literally no advantage to me. But being an app/service means it inherently will have some element of insecurity to it. I don't care how small it is, because it's still a larger possibility than someone breaking into my home network and finding the notepad.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


36 minutes ago, mr moose said:

I already have,  using a password manager offers literally no advantage to me.

I must have missed the post where you described the benefits vs risks. Can you please quote that part for me?

Are you saying that a password manager offers "literally no advantage" and that the only drawback is that someone might be able to get a hold of your password database? Because that's false. Here are some advantages:

 

1) Much easier to automatically back up. If you don't have a backup of your notebook, you will probably lose everything in the case of a fire. That is not the case with a password vault that can be stored in multiple locations with ease.

 

2) Is safer when a burglary happens because even if a thief gets your password vault, it will be encrypted. Your notebook is probably not so a burglar gets access to all your accounts.

 

3) Allows you to use more complex passwords, because trying to type in a 20+ character long password by hand that's written in a notebook is not something you actually do, be honest. You use short and simple passwords because it would be too much of a hassle.

 

4) You are able to use your password in public settings. If you whip out a notebook and start copying your passwords into a password field with a bunch of people around, chances are someone will look over your shoulder, see your password, and then be able to copy it.

 

 

43 minutes ago, mr moose said:

But being an app/service means it inherently will have some element of insecurity to it

Such as?

 

 

43 minutes ago, mr moose said:

I don't care how small it is because it's still a larger possibility than someone breaking into my home network and finding the notepad. 

How did you come to that conclusion? Is it a feeling you got, or have you actually looked at statistics and done a risk assessment? 


5 hours ago, mr moose said:

I already have: using a password manager offers literally no advantage to me. But being an app/service means it inherently will have some element of insecurity to it. I don't care how small it is, because it's still a larger possibility than someone breaking into my home network and finding the notepad.

The one benefit I could see to a service like LastPass/Bitwarden is if your job required you to travel a lot. That is the one situation in which having a notebook full of passwords lying around would be a bad idea. 


LastPass, you did me dirty, right after I implement you with our Identity provider and get SSO enabled.... this shit happens. Oh well, glad the news broke while I was on vacation. Surprisingly enough (or not, depending on how jaded you are), the business doesn't want to look into switching to a competitor. *shrug emoji*


16 hours ago, ravenshrike said:

The one benefit I could see to a service like LastPass/Bitwarden is if your job required you to travel a lot. That is the one situation in which having a notebook full of passwords lying around would be a bad idea. 

What about these things:

 

21 hours ago, LAwLz said:

1) Much easier to automatically back up. If you don't have a backup of your notebook, you will probably lose everything in the case of a fire. That is not the case with a password vault that can be stored in multiple locations with ease.

 

2) Is safer when a burglary happens because even if a thief gets your password vault, it will be encrypted. Your notebook is probably not so a burglar gets access to all your accounts.

 

3) Allows you to use more complex passwords, because trying to type in a 20+ character long password by hand that's written in a notebook is not something you actually do, be honest. You use short and simple passwords because it would be too much of a hassle.

 

4) You are able to use your password in public settings. If you whip out a notebook and start copying your passwords into a password field with a bunch of people around, chances are someone will look over your shoulder, see your password, and then be able to copy it.

 

Not having backups of your important passwords is a bad idea, and the backup needs to be stored in a separate physical location so that it doesn't get for example destroyed in case of a fire. Isn't that a benefit?

 

Isn't being protected against a physical burglar breaking in a benefit?

 

Isn't the ease of using unique, long and complicated passwords a benefit? After all, you are more likely to be a victim of a brute force attack or credential stuffing than of someone breaking into your password vault.

 

You don't even have to "travel a lot" for it to be beneficial. Bringing a book full of clear text passwords with you outside the home, hell even keeping it at home, is a terrible idea. Passwords should not be stored in clear text, ever, not even if they are stored in a drawer or whatever.


23 hours ago, LAwLz said:

I must have missed the post where you described the benefits vs risks. Can you please quote that part for me?

Are you saying that a password manager offers "literally no advantage" and that the only drawback is that someone might be able to get a hold of your password database? Because that's false. Here are some advantages:

 

1) Much easier to automatically back up. If you don't have a backup of your notebook, you will probably lose everything in the case of a fire. That is not the case with a password vault that can be stored in multiple locations with ease.

 

2) Is safer when a burglary happens because even if a thief gets your password vault, it will be encrypted. Your notebook is probably not so a burglar gets access to all your accounts.

 

3) Allows you to use more complex passwords, because trying to type in a 20+ character long password by hand that's written in a notebook is not something you actually do, be honest. You use short and simple passwords because it would be too much of a hassle.

 

4) You are able to use your password in public settings. If you whip out a notebook and start copying your passwords into a password field with a bunch of people around, chances are someone will look over your shoulder, see your password, and then be able to copy it.

 

 

Such as?

 

 

How did you come to that conclusion? Is it a feeling you got, or have you actually looked at statistics and done a risk assessment? 

Are you trying to say that password managers have ZERO exploitable or hackable risk? I mean, it is more software that integrates into your web browser, is it not? Every time you install software on your PC you install another risk; sometimes they are huge and sometimes they are really small, but it is still a risk.

 

It seems you aren't listening to me when I tell you that I don't need one. I have about 3 really important passwords, and about 6 that I couldn't care less if I never had access to those services again; they are all different, and they are all written down in a book beside my PC. Do you really think that being able to back up my passwords is such a demanding task that it could only be a benefit to use a manager? Do you think I can't safely keep a copy of these passwords somewhere else? I don't even log on to anything in public, as I don't carry my PC with me when I travel. I mean really, I don't know why you are so invested in trying to convince me I need something that offers no benefit to me.

 

 

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


4 hours ago, LAwLz said:

 

Not having backups of your important passwords is a bad idea, and the backup needs to be stored in a separate physical location so that it doesn't get for example destroyed in case of a fire. Isn't that a benefit?

 

Isn't being protected against a physical burglar breaking in a benefit?

 

Isn't the ease of using unique, long and complicated passwords a benefit? After all, you are more likely to be a victim of a brute force attack or credential stuffing than of someone breaking into your password vault.

Fire safe.

 

The fire safe is bolted to the floor in the closet behind several suitcases, with enough people living in the house that a burglar is unlikely to have the time window needed to access and remove it, especially with the 7-camera system on the outside of the house. Moreover, since I live in Texas, home invasions (burglaries where the residents are home) are really fucking low.

 

All my passwords are 14+ characters long except for those services that get pissy at more than 12 characters. I don't find it particularly burdensome, no. 

 

 


6 hours ago, mr moose said:

Are you trying to say that password managers have ZERO exploitable or hackable risk?

No, but what I am saying is that so far it seems like those risks are smaller than the risks of not using one.

Likewise, there is a risk that a seat belt will choke you, but that risk is smaller than the risks of not using it.

 

6 hours ago, mr moose said:

it is more software that integrates into your web browser is it not?

Not necessarily. Mine doesn't integrate with my browser.

 

6 hours ago, mr moose said:

Every time you install software to your PC you install another risk, sometimes they are huge and sometime they are really small, but it is still a risk.

Yes, but there are also unique risks inherent to writing your passwords down in a notebook.

It's not about minimizing the number of risks. It's about weighing risks against each other and determining the likelihood of them happening, and what damage they might cause.

It's risk assessment, not risk avoidance, because you will always have risks.

 

6 hours ago, mr moose said:

It seems you aren't listening to me when I tell you that I don't need one. I have about 3 really important passwords, and about 6 that I couldn't care less if I never had access to those services again; they are all different, and they are all written down in a book beside my PC.

Ah yes, storing the passwords next to your PC... Sounds like great security advice... I am being sarcastic if you can't tell.

I assume the passwords are also brute force resistant, correct?

 

 

6 hours ago, mr moose said:

Do you really think that being able to back up my passwords is such a demanding task that it could only be a benefit to use a manager?

You said that it didn't offer any benefits and that it was only a risk. What I pointed out would be a benefit, even if you think it is small.

Something that is a small benefit to you is still a small benefit, and since we are talking about a very small risk I think it is unfair to dismiss the benefits as "not big enough to count" yet the risk, which is very small, gets to count. Also, I gave you more than one benefit which you ignored.

 

 

6 hours ago, mr moose said:

Do you think I can't safely keep a copy of these passwords somewhere else?

Well, do you? And do you update your passwords every now and again, and update those other copies too? How do you ensure that the copies that are stored elsewhere are also kept safe?

 

 

6 hours ago, mr moose said:

I mean really, I don't know why you are so invested in trying to convince me I need something that offers no benefit to me.

I am not trying to convince you to do anything. What bothered me is that you came into this thread feeling vindicated because you have been told that writing your passwords down in clear text, in a book, stored next to your PC, is bad, which it is. It might be less bad for you because you got less to lose, but it's still bad compared to the alternatives.

 

Keeping all your savings in the mattress is bad advice too, regardless of whether you have 1000 dollars or 10 million dollars. The consequences are worse if something happens, but when we have a clearly better system it might be a good idea to use that.

I don't like it when people who do something that is bad in 99.9% of situations come in and act all high and mighty because this one time their way of doing things might have been slightly better.

It's what the video I linked goes over.

 

 

I am typing this because a lot of people, who are in other situations than you, are also doing what you are doing and using this as an opportunity to justify their bad practices. In your case it is only slightly bad because of some rather unique circumstances (only have 9 accounts, don't use computers in public etc) but it's still worse than what is possible.


6 hours ago, mr moose said:

Are you trying to say that password managers have ZERO exploitable or hackable risk? I mean, it is more software that integrates into your web browser, is it not? Every time you install software on your PC you install another risk; sometimes they are huge and sometimes they are really small, but it is still a risk.

Not all password managers are ones that are integrated. There are some that are effectively just an encrypted database where you can copy out the password when needed. In cases like that though, an attacker would need to compromise your PC (and if they had it compromised they could already keylog your passwords). Although in the case of password managers they do allow for all of them being compromised at one time (vs a single one), at the same time it's about the risk factor. The chance of having your PC infected, and infected by something that is stealing passwords, is likely low.

 

53 minutes ago, LAwLz said:

Ah yes, storing the passwords next to your PC... Sounds like great security advice... I am being sarcastic if you can't tell.

53 minutes ago, LAwLz said:

I am not trying to convince you to do anything. What bothered me is that you came into this thread feeling vindicated because you have been told that writing your passwords down in clear text, in a book, stored next to your PC, is bad, which it is. It might be less bad for you because you got less to lose, but it's still bad compared to the alternatives.

You are making assumptions about his life though, and assumptions about risk assessment.

 

As an example, I have alarms, cameras, live in a low crime area, I don't really have people over at my house, and I can write in a cipher such that, unless someone had a password of mine, they won't work out the cipher key. Having a notebook next to my computer with passwords would 100% be safer and easier to use than using a password manager. I actually have that for a few accounts that I don't care enough about to memorize a new password but access frequently enough that I need it readily available.

 

While there is a small chance of it happening, the above scenario in my reply to Moose is still a valid concern. If you have malware on your system, the chances of having it steal all your passwords are considerably larger than if you had them on pen and paper (as an account that you only log in to once a week or two won't be compromised if you realize something is wrong within a week).

 

Everything comes down to context. Moose said in his situation, and unless you know his situation you can't categorically say it's bad. Pen and paper aren't inherently bad either, unless of course you are in a corporate situation or traveling with the password. (And like what he mentioned, it's 6 passwords that aren't critical if he lost them.) It's all about risk levels, with probabilities. Pen and paper are generally discussed as bad options because many users do so at a corporate level, where the situation is completely different given the amount of traffic that is encountered (and targeted attacks).

3735928559 - Beware of the dead beef


17 hours ago, LAwLz said:

No, but what I am saying is that so far it seems like those risks are smaller than the risks of not using one.

Likewise, there is a risk that a seat belt will choke you, but that risk is smaller than the risks of not using it.

 

Not necessarily. Mine doesn't integrate with my browser.

 

Yes, but there are also unique risks inherent to writing your passwords down in a notebook.

It's not about minimizing the number of risks. It's about weighing risks against each other and determining the likelihood of them happening, and what damage they might cause.

It's risk assessment, not risk avoidance, because you will always have risks.

 

Ah yes, storing the passwords next to your PC... Sounds like great security advice... I am being sarcastic if you can't tell.

I assume the passwords are also brute force resistant, correct?

 

 

You said that it didn't offer any benefits and that it was only a risk. What I pointed out would be a benefit, even if you think it is small.

Something that is a small benefit to you is still a small benefit, and since we are talking about a very small risk I think it is unfair to dismiss the benefits as "not big enough to count" yet the risk, which is very small, gets to count. Also, I gave you more than one benefit which you ignored.

 

 

Well, do you? And do you update your passwords every now and again, and update those other copies too? How do you ensure that the copies that are stored elsewhere are also kept safe?

 

 

I am not trying to convince you to do anything. What bothered me is that you came into this thread feeling vindicated because you have been told that writing your passwords down in clear text, in a book, stored next to your PC, is bad, which it is. It might be less bad for you because you got less to lose, but it's still bad compared to the alternatives.

 

Keeping all your savings in the mattress is bad advice too, regardless of whether or not you have 1000 dollars or 10 million dollars. The consequences are worse if something happens, but when we have a clearly better system it might be a good idea to use that.

I don't like people who do something that is bad in 99,9% of situations coming in and acting all high and mighty because this one time their way of doing things might have been slightly better. 

It's what the video I linked goes over.

 

 

I am typing this because a lot of people, who are in other situations than you, are also doing what you are doing and using this as an opportunity to justify their bad practices. In your case it is only slightly bad because of some rather unique circumstances (only have 9 accounts, don't use computers in public etc) but it's still worse than what is possible.

My god, it's not complicated, I am a pretty simple person when it comes to accounts. As I have said, I don't log on to anything in public, my PC (where I do everything) is secure at home. If someone breaks into my house I can assure you they are not looking for notebooks with scribble in them, they are looking for cash, wallets, valuables. If someone breaks into my house looking specifically for my passwords then I have bigger troubles than just the security of my accounts, I have someone stalking me with intent to harm. 

 

So yes, in a way I am vindicated, because one of the password managers had an issue that could have compromised me while my current notebook is still safe after more than 2 decades of use.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


On 1/28/2023 at 4:33 PM, LAwLz said:

I'm not sure what your point is. Is it "you shouldn't trust companies because they are sometimes hacked and we won't hear about it"? Because a lot of private people are attacked too and we don't hear about it.

Sure, but it's a question of the amount of gain for the effort. Proper password management with a home notebook means that it's much harder to gain any significant amount of passwords on many users at once outside of a single specific company from a server side attack. With something like LastPass, hackers can gain the logins and passwords of many targets for most if not all the sites they frequented. 

1 hour ago, mr moose said:

If someone breaks into my house looking specifically for my passwords then I have bigger troubles than just the security of my accounts

Bingo, and if that level of espionage is likely to occur to you, you need to be memorizing the important login info anyway and changing your passwords and memorizing the new ones at least twice a year. You sure as hell shouldn't be using a third party service.


5 minutes ago, ravenshrike said:

 

Bingo, and if that level of espionage is likely to occur to you, you need to be memorizing the important login info anyway and changing your passwords and memorizing the new ones at least twice a year. You sure as hell shouldn't be using a third party service.

I really can't think what level of corruption I'd have to get into to invite that kind of thing, suffice to say that I'd be maintaining a squeaky clean and very minimal digital life if that was the case.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


9 hours ago, mr moose said:

My god, it's not complicated, I am a pretty simple person when it comes to accounts. As I have said, I don't log on to anything in public, my PC (where I do everything) is secure at home. If someone breaks into my house I can assure you they are not looking for notebooks with scribble in them, they are looking for cash, wallets, valuables. If someone breaks into my house looking specifically for my passwords then I have bigger troubles than just the security of my accounts, I have someone stalking me with intent to harm. 

 

So yes, in a way I am vindicated, because one of the password managers had an issue that could have compromised me while my current notebook is still safe after more than 2 decades of use.

You are very stuck on that specific part and ignoring all the other reasons for why password managers are better than having passwords written down in clear text next to your PC.

 

And the part I had an issue with was that you said that password managers provided no benefits and just drawbacks, which is not the case, not even in your scenario. You might not care about the benefits, but they are still benefits nonetheless. 

And the whole "good thing I didn't use a password manager because in this case it would have been bad!" reeks of the "good thing I don't use seat belts because it might choke you!" argument I brought up earlier.

It's just survival bias layered with a lack of care or understanding to do proper risk assessment and because of that you jump to incorrect conclusions.

 

 

You can't just say "they offer no benefits!" and then dismiss all the benefits because you don't care.

If you had started by saying "I don't leave my house, I only have a handful of accounts, I don't want to have secure passwords and I don't mind losing access to my accounts in case of, for example, a fire, so password managers are just a hassle to me" then I wouldn't have responded.

The issue I have is that you came into this thread and basically bragged about not using a password manager, pointing at those who do and basically went "told you so", even though using a password manager is the right thing to do for 99,99% of people, because they do care about security, they do go out, they do care about losing access to their accounts, and so on. Telling people to use a password manager in combination with things like unique passwords and complex passwords is the right thing to do, because that's what's best for security. Don't brag about doing the bad thing because it happened to be beneficial this one time.


13 hours ago, LAwLz said:

You are very stuck on that specific part and ignoring all the other reasons for why password managers are better than having passwords written down in clear text next to your PC.

 

And the part I had an issue with was that you said that password managers provided no benefits and just drawbacks, which is not the case, not even in your scenario. You might not care about the benefits, but they are still benefits nonetheless. 

And the whole "good thing I didn't use a password manager because in this case it would have been bad!" reeks of the "good thing I don't use seat belts because it might choke you!" argument I brought up earlier.

It's just survival bias layered with a lack of care or understanding to do proper risk assessment and because of that you jump to incorrect conclusions.

 

 

You can't just say "they offer no benefits!" and then dismiss all the benefits because you don't care.

If you had started by saying "I don't leave my house, I only have a handful of accounts, I don't want to have secure passwords and I don't mind losing access to my accounts in case of, for example, a fire, so password managers are just a hassle to me" then I wouldn't have responded.

The issue I have is that you came into this thread and basically bragged about not using a password manager, pointing at those who do and basically went "told you so", even though using a password manager is the right thing to do for 99,99% of people, because they do care about security, they do go out, they do care about losing access to their accounts, and so on. Telling people to use a password manager in combination with things like unique passwords and complex passwords is the right thing to do, because that's what's best for security. Don't brag about doing the bad thing because it happened to be beneficial this one time.

 

I substitute your reality for my desire to be right.

 

Honestly, you did not list anything that is a benefit to ME.  They might be to other people with lots of important accounts and shit they travel with, might even be really important as a redundancy service, but just not for me.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


3 hours ago, mr moose said:

I substitute your reality for my desire to be right.

 

Honestly, you did not list anything that is a benefit to ME.  They might be to other people with lots of important accounts and shit they travel with, might even be really important as a redundancy service, but just not for me.

They are benefits that apply to you too. You just don't care about them.

There is a big difference between "I don't care about them" and "they don't exist".


I just tried out Bitwarden. So far it seems like it's actually better than LastPass. It has the same selection of apps including the standard website, browser extensions, mobile apps, etc. Importing my stuff and setting up everything took less than 30 minutes. I strongly recommend anyone that has doubts about LastPass to at least try out Bitwarden. Not to mention the free version of Bitwarden offers everything the Premium LastPass subscription offers.

 

I'm gonna try it for a few more days before I delete my LastPass account but so far it seems like that's exactly what's gonna happen.

If someone did not use reason to reach their conclusion in the first place, you cannot use reason to convince them otherwise.
