
LastPass Faces Class-Action Lawsuit Over Password Vault Breach

Proud Cipher
1 hour ago, Dean0919 said:

Agreed. Cloud method is better than local method. Imagine if something happens to your operating system or computer and it won't boot one day, like your hard drive fails & you lose all your passwords...

I don't necessarily agree that "cloud method" is better than "local method", but it depends on what you define as "cloud method" and "local method".

I personally use Keepass which stores everything as a local file. I have then uploaded that file to a cloud service and use that to sync all my devices. Automatic backup is definitely a big plus for a cloud service like, let's say, Bitwarden or LastPass, but I think the ability to use MFA is an even bigger benefit compared to something that stores the database locally like Keepass.

 

But yeah, the best protection you can have is long, unique and complex passwords (preferably longer than 20 characters, including big and small letters, special characters and numbers). If you are really good, you'll change your passwords every once in a while as well. And use MFA every chance you get.


22 hours ago, LAwLz said:

They are benefits that apply to you too. You just don't care about them.

I don't care about them because they aren't beneficial enough to warrant me using said managers.

 

22 hours ago, LAwLz said:

There is a big difference between "I don't care about them" and "they don't exist".

I never said they don't exist, I said there is no benefit in them for me that my pen and paper doesn't already cover.

 

Here, I bolded it for you:

On 1/29/2023 at 9:19 PM, mr moose said:

No, it's weighing up the benefits versus the risk? I know what benefit password managers can provide me, and that benefit is not enough to outweigh the risk. You can argue as much as you like that the risk is small to insignificant, but I don't care, because it is still one more risk than I had before, and using a pen and paper does not take time out of my day, nor is it a chore. The time a password manager would save me can actually be counted in minutes per year.


Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


6 hours ago, mr moose said:

I don't care about them because they aren't beneficial enough to warrant me using said managers.

 

I never said they don't exist, I said there is no benefit in them for me that my pen and paper doesn't already cover.

 

Here, I bolded it for you:

Quote

No, it's weighing up the benefits versus the risk? I know what benefit password managers can provide me, and that benefit is not enough to outweigh the risk. You can argue as much as you like that the risk is small to insignificant, but I don't care, because it is still one more risk than I had before, and using a pen and paper does not take time out of my day, nor is it a chore. The time a password manager would save me can actually be counted in minutes per year.

 

I feel like we are about to go in circles now.

You used the word "benefit" and later said that a password manager saves time, and then you said it adds risk. This implies that you think the only benefit of a password manager is saving time, and you think there is some inherent risk with password managers. I thought this sounded very vague so I asked what you meant, to which you never answered. You replied to this by saying you had already described it and that it "literally offered no advantages". This is false, so I replied by listing some benefits. You might not care about the benefits, but not caring and not existing are two very different things. You can't say something has "Literally no benefits" and then when given a list of benefits go "well I don't care so they don't count".

 

All your posts in this thread have been very vague and you keep refusing to answer any questions when I ask you to be more specific.

You also keep liking posts which are anti-password managers and do not take into consideration other circumstances, which gives off a strong impression that your stance on password managers is not limited to your very unique circumstance.

To get a slightly better understanding of our different POVs, I'll describe what I think this conversation is like.

Imagine if a news article about a certain brand of iceberg lettuce being infected with E. coli came out. Anyone who ate lettuce from that brand could be at risk of getting sick. This is how the comment section on that article would have looked:

 

You: And people told me I was stupid for only eating cheese burgers. Guess I am the smart one after all! I am better off just eating cheese burgers and staying away from vegetables, because they are just a risk and offer no benefits to me.

 

Me: What do you mean? Eating vegetables is healthy and you should do it. Eating only cheese burgers is bad. You will have a deficiency in micronutrients if you only eat cheese burgers. Go and eat some greens. Maybe not iceberg lettuce from this brand but for example tomatoes, spinach and kale.

 

You: Clearly vegetables are dangerous. I have not gotten sick from eating cheese burgers and now people who ate vegetables might get sick, so I was right. I did the right thing avoiding vegetables. They offer literally no benefits to me.

 

Me: Just because this lettuce might be infected with E. coli does not mean cheese burgers are good. Spinach and other vegetables are good for you and offer great benefits. They provide a ton of important nutrients like vitamins, fiber and antioxidants. Them not having any benefits is just wrong.

 

You: When I said they offer no benefits I meant I don't care about being healthy, so therefore they are not good for me. Cheese burgers are good. Vegetables are bad for me because I risk getting E. coli and they don't benefit me in any way I care about.

The whole conversation really feels that bizarre to me. It's one thing to not care, but it's a whole other thing to pretend like the benefits don't exist because you don't care about them, yet be hyper-focused on the minimal risk to the point where you go around bragging about not taking the "risk" as soon as someone is unlucky and the risk affects them.

You are making absolutist statements based on feelings and preferences, and give off the impression that you think your opinion is the objective truth. If you don't care about security then that's fine, but don't go around saying you are right for disregarding proper security advice and thumbing up others who also disregard the sound security advice.


1 hour ago, LAwLz said:

The whole conversation really feels that bizarre to me. It's one thing to not care, but it's a whole other thing to pretend like the benefits don't exist because you don't care about them, yet be hyper-focused on the minimal risk to the point where you go around bragging about not taking the "risk" as soon as someone is unlucky and the risk affects them.

Moose is talking about there being no benefits for HIMSELF. You keep dropping that and assuming his statement is a blanket statement for all.

 

The way you are listing benefits is a moot point, as you are assuming certain conditions. If he knows he will never log into accounts in a public setting, then NO, it isn't a benefit to him. It might be a benefit to other people, but not to him.

 

Similarly, if Moose says "I have no benefit of owning a swimming pool because I have a skin condition that prevents me from swimming", and you start talking about benefits that he literally doesn't benefit from, like it being easier on the joints when exercising.

 

To take it to an extreme, the benefit of high radiation is that it eliminates any cancer cells in your body (the downside: it also kills all other living cells in your body). If to achieve a "benefit" you have to sacrifice something else, does it really become a benefit... because in that aspect you could claim nothing has "no benefits".

 

It's also generating a scenario that isn't practical. Take, let's say, the fire claim: well, if he has the important passwords in a fireproof safe or has them in a safety deposit box, then no, it isn't a benefit... it's the same.

 

The burglar example: the chances of being robbed at his place might be considerably low over a lifetime. Then the chances of a thief stealing those passwords are smaller on top of that, and it's less important passwords as well... so things you don't really worry as much about (or that aren't much value to thieves). That also assumes he doesn't write them down in a coded way. If it's written in a coded manner then it's absolutely no "benefit". So in the realistic case you might have to change your password, which you have to do anyway with a password manager when events like this happen.

 

FBI stats: 1.4 mill burglaries in 2017, but the higher-end stats are 2.5 mill. That's about 0.75% chance of being burgled each year... or, to put it in perspective, in a 50 year period you have a 32% chance of being burgled (blunt statistics). Of the 2.5m, only 66% were of homes, so that's actually 0.5%/year or 22% over 50 years. There is a 4:1 ratio of burglaries when you don't have an alarm system... so if he had a security system, that's 0.1% chance (or 4.8% chance over 50 years). If Moose lives in a low crime area (let's say New Hampshire, which apparently has the lowest burglary rates at 0.1%), and if the 4:1 ratio still holds true (it might not), it would be 0.02% or 1% over 50 years. So yea, not really a "benefit" by saying a burglar could steal it, because that all assumes the burglar would look at his passwords (and typically it's a smash and grab).

 

The "complex" password argument is also not really true either. I can tell you now, I have plenty of long passwords that could be written down easily. You don't need too many special characters to effectively make password guessing impossible (if done correctly). An example, imagine my password was the following:

candl.ecaM!elS1_eepcaSe  [candle camel sleep case]

It's easy to write in a notebook and brute force is unlikely to realistically get that. The lowballed number of guesses it would take would be about 3,500 quintillion (or 162 days if you had access to 1000 4090s) [and that assumes only a 1000 "word list" was used to crack it; realistically camel doesn't appear until the 5000 word list... which is now in the years range to crack].

 

The above is also something that could be memorized easily as well and really isn't a hassle. So yea, your "benefits" are all situationally dependent... and in Moose's case he claims there isn't a benefit to him.

3735928559 - Beware of the dead beef
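A guess-space calculator for the passphrase argument in the post above, added here as an example and not code from the thread. The construction model (an attacker who knows the word list, the word count, and how many capitals and inserted characters there are), the 42-character insert alphabet and the guess rate are my assumptions, so its figures are not the post's 3,500 quintillion; what it shows is how the dictionary size and each mutation scale the search compared with what raw length alone suggests.

```python
import math

# Constructed example taken from the post: four dictionary words with three
# capitals and four inserted symbols/digits.
EXAMPLE_PASSWORD = "candl.ecaM!elS1_eepcaSe"
EXAMPLE_WORD_COUNT = 4

# Assumed alphabet for the inserted characters: 32 printable punctuation marks
# plus 10 digits. This is a modelling choice, not a figure from the post.
INSERT_ALPHABET_SIZE = 32 + 10

# Assumed throughput of the whole cracking rig in guesses per second. The post
# names hardware but not a rate, so this is a placeholder for illustration.
ASSUMED_GUESSES_PER_SECOND = 10 ** 14


def describe(password):
    """Return (letters, capitals, inserted) counts for a passphrase of this shape.

    Counts what is actually in the string: alphabetic characters, upper-case
    characters, and everything else (symbols and digits) as inserted characters.
    """
    letters = sum(1 for c in password if c.isalpha())
    capitals = sum(1 for c in password if c.isupper())
    inserted = len(password) - letters
    return letters, capitals, inserted


def structured_guess_space(n_words, list_size, n_letters, n_caps, n_inserted,
                           insert_alphabet=INSERT_ALPHABET_SIZE):
    """Search space for an attacker who knows the construction rule.

    Rule modelled: n_words words drawn from a list of list_size entries giving
    n_letters letters in total, n_caps of those letters upper-cased at any
    positions, and n_inserted extra characters placed in distinct gaps between
    letters (ends included). Returns an exact integer.
    """
    space = list_size ** n_words                          # which words
    space *= math.comb(n_letters, n_caps)                 # where the capitals go
    space *= math.comb(n_letters + 1, n_inserted)         # where the inserts go
    space *= insert_alphabet ** n_inserted                # what the inserts are
    return space


def naive_guess_space(password, alphabet_size=95):
    """What length alone suggests: every printable ASCII string of that length."""
    return alphabet_size ** len(password)


def bits(space):
    """Guess space expressed as bits of entropy."""
    return math.log2(space)


def days_to_exhaust(space, guesses_per_second):
    """Days needed to try every candidate in the space at the given rate."""
    return space / guesses_per_second / 86400


if __name__ == "__main__":
    letters, caps, inserted = describe(EXAMPLE_PASSWORD)
    print(f"{letters} letters, {caps} capitals, {inserted} inserted characters")
    # Growing the dictionary from 1000 to 5000 words multiplies the space by
    # (5000/1000)^4 = 625, which is the post's "days become years" jump.
    for list_size in (1000, 5000):
        space = structured_guess_space(EXAMPLE_WORD_COUNT, list_size,
                                       letters, caps, inserted)
        print(f"list of {list_size:>5} words: {bits(space):5.1f} bits, "
              f"{days_to_exhaust(space, ASSUMED_GUESSES_PER_SECOND):.3g} days")
    naive = naive_guess_space(EXAMPLE_PASSWORD)
    print(f"naive 95^{len(EXAMPLE_PASSWORD)} estimate: {bits(naive):5.1f} bits")
```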


I've held off posting on this so far largely because it's pointless. I say that because I see the same arguments made by the same people here that I specifically disproved in another thread just a few weeks ago, which tells me people just want to argue against password managers, without considering actual facts and presenting an honest argument. I did state in that other thread that @mr moose's situation is unique and if it works for him, that's fine, and I see no point trying to get an old dog to learn new tricks (not meant offensively, just that he's used to his method and it works well enough so even if a password manager would offer him benefits, and I still say it would and could easily offer a few reasons, it's better to not argue about it and just let him continue that). I do have a problem, as @LAwLz does, with people making blanket statements about password managers, and while Moose did say they offer no benefit to him, he also said "And people laugh at me for using a pen and paper.  The term "putting all your eggs in one basket"  sounds fairly apt here." which is basically saying people that use password managers are fools and he was right not to do so. Whether or not he meant it that way, that's how it sounds, and anti-password manager rhetoric is only going to discourage people that could truly benefit from them. And he's not the only one in this thread or others to do so. Even if a password manager has no benefits for him (again, debatable), the vast majority of people would benefit from their use. The key is to be smart about it.

 

2 hours ago, wanderingfool2 said:

It's also generating a scenario that isn't practical. Take, let's say, the fire claim: well, if he has the important passwords in a fireproof safe or has them in a safety deposit box, then no, it isn't a benefit... it's the same.

Anyways, the reason I've hesitantly decided to mix in on this (and I'm sure I'll regret it) is due to this whole "fireproof safe" nonsense I've seen mentioned twice now. While I'm happy to let people make that erroneous assumption and learn why it's wrong the hard way, since it seems people rarely actually research anything, I'll go ahead and throw this out there for anyone who actually cares: there is no such thing as a fireproof safe, only fire-resistant. And most safes marketed as either, especially fireproof since the fact it's marketed that way shows the company plays fast and loose with the truth, are not going to survive a house fire and are certainly not going to protect paper stored inside. Just look at pictures of these supposed fireproof safes in the aftermath of fires. Even expensive safes costing hundreds or thousands of dollars typically just use drywall for this, and often the corners/edges where the drywall pieces butt up against each other are especially vulnerable to the heat. For the most part, the only safes that are going to really stand a chance are ones with wool batting, and even then there's no guarantee. Also, you have to consider that even if it survives the fire, it also has to survive the water it's doused in by firefighters. So simply keeping a copy of the passwords in a safe is absolutely not a good backup strategy. Nor is it convenient, since you'd have to take it out and modify it every time any passwords are changed or added. And while a safety deposit box would be a safe backup strategy, it would be even less convenient and, let's face it, how many people are going to bother going that far. Fact is, I wouldn't be surprised if most people that keep passwords written down just have one copy sitting in their desk drawer.


7 minutes ago, vertigo220 said:

The term "putting all your eggs in one basket"  sounds fairly apt here." which is basically saying people that use password managers are fools and he was right not to do so.

That's what I took issue with to begin with, as well as statements like this one:

On 1/30/2023 at 11:23 AM, mr moose said:

using a password manager offers literally no advantage to me. 

which he backed off later by saying that they do offer benefits but he doesn't care about them.

"they don't have any benefits" and "I don't care about the benefits" are two very different things, which is something I have said over and over again.

10 minutes ago, vertigo220 said:

Nor is it convenient, since you'd have to take it out and modify it every time any passwords are changed or added.

This is the reason why I think everyone who suddenly has a "fireproof safe" when the risk of all their passwords going up in flames comes up is full of BS. It's like the gun argument, when all of a sudden everyone who has a gun also locks it up in a vault at all times when someone brings up the risk of someone else taking their gun.

Like you said, it would be way too inconvenient to actually store a notebook in a vault and take it out whenever you needed access to a password, so as a result we can probably assume that it's bullshit. It's just something said to avoid further questions that may show flaws in their reasoning.

 

15 minutes ago, vertigo220 said:

Fact is, I wouldn't be surprised if most people that keep passwords written down just have one copy sitting in their desk drawer.

This is exactly what mr moose does, as he said earlier in the thread. He has a notebook with all his passwords lying next to his PC, and yet he thinks he is the clever one for not using a password manager because they are a security risk in his eyes.


10 hours ago, LAwLz said:

That's what I took issue with to begin with, as well as statements like this one:

which he backed off later by saying that they do offer benefits but he doesn't care about them.

I said they offer benefits, but they do not apply to me. I don't care about benefits that apply to other people. You are twisting my words.

 

10 hours ago, LAwLz said:

"they don't have any benefits" and "I don't care about the benefits" are two very different things, which is something I have said over and over again.

 

It's a good thing I didn't use them interchangeably. I have always only said they don't hold benefits for me and that any benefits they do have I don't care about, for that exact same reason.

And yes, I think I might have been correct when I said people laugh at me for using a pen and paper.  Because you are trying really hard to twist my words and attack my personal use case almost as if you take personal offense at it. Is it really hard to accept?


@vertigo220 I am not attacking PW managers, I know there are benefits for different situations. I don't think I have ever said they were pointless or inherently dangerous. I was simply pointing out (because I have had this problem before) that people have tried to mock me and laugh at me for using pen and paper. I have no time for people who play holier-than-thou games whilst refusing to take into account all possibilities and specific scenarios. This isn't a black and white condition: not everyone has the same security requirements, not all password managers are the same and nothing is 100% secure. It's just balancing your personal requirements against risks. I have made it abundantly clear where I stand: if someone has the same number of accounts (and level of importance) as me and they feel the risk is low enough that they would rather use a manager, then that is their choice and perfectly fine with me (meaning I am not going to laugh at them or mock them because I feel the risk is too high).


5 hours ago, mr moose said:

@vertigo220 I am not attacking PW managers, I know there are benefits for different situations. I don't think I have ever said they were pointless or inherently dangerous. I was simply pointing out (because I have had this problem before) that people have tried to mock me and laugh at me for using pen and paper. I have no time for people who play holier-than-thou games whilst refusing to take into account all possibilities and specific scenarios. This isn't a black and white condition: not everyone has the same security requirements, not all password managers are the same and nothing is 100% secure. It's just balancing your personal requirements against risks. I have made it abundantly clear where I stand: if someone has the same number of accounts (and level of importance) as me and they feel the risk is low enough that they would rather use a manager, then that is their choice and perfectly fine with me (meaning I am not going to laugh at them or mock them because I feel the risk is too high).

That's understandable, I just worry when people make comments that might deter others from using them, and your comment I quoted, while not intended that way, could be easily interpreted as such. In another thread, myself and others tried to present the argument that password managers are useful and have benefits for everyone and that not all password managers have the same potential risks. Providing reasons why pen and paper can be bad and why password managers can be better isn't mocking (though it certainly can be depending on how it's done), so I'm not sure if people truly mock you or are just trying to argue against it, or possibly just jesting. But you say you dislike when people refuse to take into account all possibilities and scenarios (something that bothers me, too, and seems to equally bother most people when you point out they're not doing so, because that ruins their argument), yet to be fair you don't seem to be taking all the factors into account, either.

 

You're not just eliminating some risks and therefore reducing your overall risk by using pen and paper, you're simply opening yourself up to different risks. Worse, you may not even be aware of them; at least, you haven't mentioned many of them, so it can be fairly safely assumed you're not. And regardless of your personal opinion, it's a fact there are benefits of password managers that do apply to you, and the fact you say there aren't (I realize you said there are benefits, but you've repeatedly stated they don't apply to you, when in fact some of them do) is another reason to believe you're not even aware of some of the risks of not using them. If you were fully aware of all the risks and benefits of each, and said the benefits don't matter to you, that would be one thing. But saying they don't apply to you, and that a password manager offers "literally no advantage" to you is factually incorrect and shows you may not be fully aware of and taking into account all possibilities and scenarios yourself.

 

I have no problem if you want to use pen and paper; it's your risk and you're the only one that can determine how much and what kind you want to accept. But I, like you, don't like when people make arguments for something while either being ignorant of or, especially, flat-out ignoring certain aspects. Simply saying there are no advantages and that you prefer it that way and you don't want to discuss it is saying you don't want to learn and possibly have your mind changed, or at the very least have more info to discuss the pros and cons with others or to improve your pen and paper method. Though at least you take the time to expand on it and don't just spew anti-password manager BS like some others here.


18 hours ago, vertigo220 said:

That's understandable, I just worry when people make comments that might deter others from using them, and your comment I quoted, while not intended that way, could be easily interpreted as such. In another thread, myself and others tried to present the argument that password managers are useful and have benefits for everyone and that not all password managers have the same potential risks. Providing reasons why pen and paper can be bad and why password managers can be better isn't mocking (though it certainly can be depending on how it's done), so I'm not sure if people truly mock you or are just trying to argue against it, or possibly just jesting.

It was genuine mocking, fortunately not from this forum. I have had to leave other forums for the toxic and mostly childish behavior.

 

18 hours ago, vertigo220 said:

But you say you dislike when people refuse to take into account all possibilities and scenarios (something that bothers me, too, and seems to equally bother most people when you point out they're not doing so, because that ruins their argument), yet to be fair you don't seem to be taking all the factors into account, either.

Yes I am. As has been pointed out, the risk factors for using pen and paper (that never leaves my room, let alone the house): the chances of someone breaking in AND looking for passwords AND knowing which PW was for which account AND knowing where to find it are so small that I would have to argue it is much less of a factor than a group of bad actors actually succeeding in getting more information than they got from LastPass.

 

I guess the problem with discussions like this is that I cannot give you an exact probability of the safety of my pen and paper, just like you can't give me an exact probability of how likely a security breach of any password manager is. You are just relying on your personal understanding of it (which, unless you are an all-seeing god, is likely to be restricted to human knowledge from an expert's perspective at best and a consumer's perspective most likely).

 

18 hours ago, vertigo220 said:

 

You're not just eliminating some risks and therefore reducing your overall risk by using pen and paper, you're simply opening yourself up to different risks. Worse, you may not even be aware of them; at least, you haven't mentioned many of them, so it can be fairly safely assumed you're not. And regardless of your personal opinion, it's a fact there are benefits of password managers that do apply to you, and the fact you say there aren't (I realize you said there are benefits, but you've repeatedly stated they don't apply to you, when in fact some of them do) is another reason to believe you're not even aware of some of the risks of not using them. If you were fully aware of all the risks and benefits of each, and said the benefits don't matter to you, that would be one thing. But saying they don't apply to you, and that a password manager offers "literally no advantage" to you is factually incorrect and shows you may not be fully aware of and taking into account all possibilities and scenarios yourself.

 

Unless you have a crystal ball you cannot sit there and pretend to know my situation well enough to make those claims. What people need to remember is that it is likely everything has an exploitable flaw; it is only a matter of time before we find out about it and how long someone has been using it. As far as I know a keylogger will undermine even a good PW manager. So there's that too.

Remember I fit in to the category of only having a few passwords I need to remember.

18 hours ago, vertigo220 said:

I have no problem if you want to use pen and paper; it's your risk and you're the only one that can determine how much and what kind you want to accept. But I, like you, don't like when people make arguments for something while either being ignorant of or, especially, flat-out ignoring certain aspects. Simply saying there are no advantages and that you prefer it that way and you don't want to discuss it is saying you don't want to learn and possibly have your mind changed, or at the very least have more info to discuss the pros and cons with others or to improve your pen and paper method. Though at least you take the time to expand on it and don't just spew anti-password manager BS like some others here.

I never said I don't want to discuss it, however when people want to keep putting words in my mouth or assume I have a particular use case that would benefit from a pw manager when I clearly said that is not my actual use case then there is not much I can say.   I can only repeat myself so many times before the conversation turns into a bible bashing conversion and not a genuine discussion.


2 hours ago, mr moose said:

It was genuine mocking, fortunately not from this forum. I have had to leave other forums for the toxic and mostly childish behavior.

Well, that's just general sh*ttiness of people and, as such, it's everywhere. I've left other forums due to it as well, and LTT is better than some others, but certainly far from perfect itself.

 

2 hours ago, mr moose said:

Yes I am. As has been pointed out, the risk factors for using pen and paper (that never leaves my room, let alone the house): the chances of someone breaking in AND looking for passwords AND knowing which PW was for which account AND knowing where to find it are so small that I would have to argue it is much less of a factor than a group of bad actors actually succeeding in getting more information than they got from LastPass.

But again, and I'm not trying to start an argument here, you keep mentioning the risk of someone accessing your passwords as if that's the only risk/benefit of one system over another, and you and others keep referring to LastPass as if that's the only password manager, or even type of password manager. I can't read your mind, so I don't know what factors you have and haven't considered and what you know and don't know, and I don't want to presume to know, but it very much seems to me that you are, in fact, not accounting for all factors. I'm not saying that if you did, it would change the equation enough to get you to switch; I'm just saying the equation has missing variables.

 

2 hours ago, mr moose said:

Unless you have a crystal ball you cannot sit there and pretend to know my situation well enough to make those claims. What people need to remember is that it is likely everything has an exploitable flaw; it is only a matter of time before we find out about it and how long someone has been using it. As far as I know a keylogger will undermine even a good PW manager. So there's that too.

I can, because there are benefits to password managers that literally apply to everyone, benefits that you at least seem to not be aware of. It's that fact, i.e. whether you're aware of them or not, that I don't know due to a lack of a crystal ball, not the fact those benefits apply to you. Because whatever your situation, if you're using passwords, there are certain things that are the same in your situation as everyone else's. And just the fact you would mention a keylogger as a potential downside to a password manager also shows an apparent misunderstanding of things, because a keylogger will log your manually typed password without question, whereas good password managers use techniques to subvert them, meaning it's at least possible, if not likely, that they would protect against keyloggers. Which is just one of the benefits that I'm talking about that applies to everyone and that you seem to be unaware of.

 

2 hours ago, mr moose said:

I never said I don't want to discuss it, however when people want to keep putting words in my mouth or assume I have a particular use case that would benefit from a pw manager when I clearly said that is not my actual use case then there is not much I can say.   I can only repeat myself so many times before the conversation turns into a bible bashing conversion and not a genuine discussion.

This is entirely fair, and while I agree with their sentiment and mostly share their opinions, I agree the approach wasn't ideal. I'm happy to discuss it and go into specifics if you want, and maybe I could convince you, or at least maybe you'd learn a few things (and I might as well) that could be passed on to others. But I'm also not going to waste my time or yours doing so if you don't, because it would be pointless, which is why I haven't bothered to go into any details any more than necessary so far.


22 hours ago, vertigo220 said:

Well, that's just general sh*ttiness of people and, as such, it's everywhere. I've left other forums due to it as well, and LTT is better than some others, but certainly far from perfect itself.

Agree

22 hours ago, vertigo220 said:

But again, and I'm not trying to start an argument here, you keep mentioning risks of someone accessing your passwords as if those are the only risks/benefits of one system over another, and you and others keep referring to LastPass as if that's the only password manager, or even type of password manager.


I actually haven't referred to LastPass as proof of anything. Most of my discussion has been about managers in general.

22 hours ago, vertigo220 said:

I can't read your mind, so I don't know what factors you have and haven't considered and what you know and don't know, and I don't want to presume to know,


22 hours ago, vertigo220 said:

it very much seems to me that you are, in fact, not accounting for all factors.

These two sentences are contradictory, if you claim one is true then the other can't be.


22 hours ago, vertigo220 said:

I can, because there are benefits to password managers that literally apply to everyone, benefits that you at least seem to not be aware of. It's that fact, i.e. whether you're aware of them or not, that I don't know due to a lack of a crystal ball, not the fact those benefits apply to you. Because whatever your situation, if you're using passwords, there are certain things that are the same in your situation as everyone else's. And just the fact you would mention a keylogger as a potential downside to a password manager also shows an apparent misunderstanding of things, because a keylogger will log your manually typed password without question, whereas good password managers use techniques to subvert them, meaning it's at least possible, if not likely, that they would protect against keyloggers. Which is just one of the benefits that I'm talking about that applies to everyone and that you seem to be unaware of.

If I am infected with a keylogger and I just happen to be using a manager, then the chances I lose all my passwords and account details are much higher. It is in the video I linked. If I do not use a manager and I have been infected with a keylogger, then they only get the service I log into and not all of them. I have less chance of losing everything in that situation. Also, because managers are software additions to browsers or standalone software in their own right, they are subject to the same probability of exploits and vulnerabilities that any software running in Windows has (hence why they have bug bounty programs). Now I know that those risks are small, small enough to not be a factor for most people, but they are still risks and thus I have weighed them up against the fact I am not most people in my situation.


22 hours ago, vertigo220 said:

This is entirely fair, and while I agree with their sentiment and mostly share their opinions, I agree the approach wasn't ideal. I'm happy to discuss it and go into specifics if you want, and maybe I could convince you, or at least maybe you'd learn a few things (and I might as well) that could be passed on to others. But I'm also not going to waste my time or yours doing so if you don't, because it would be pointless, which is why I haven't bothered to go into any details any more than necessary so far.

Well, unless you can give me some new information that isn't in the myriad of videos on the subject, then it is unlikely you will convince me. However, I do appreciate the honest discussion.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


3 hours ago, Dean0919 said:

He mentioned keylogger... A key logger is the action of recording the keys struck on a keyboard. So, if you have your passwords written down in your physical notebook and you enter those passwords manually every time you log in to your favorite websites, and let's assume your system is infected with a keylogger, apparently that keylogger is recording your passwords. But if you're using password managers, you just need to enter your vault (I do with a PIN code and yes, Bitwarden supports a PIN code locking system) and I just copy and paste that password into the field, without typing it manually on the keyboard. This way, even a keylogger wouldn't be able to record my password keystrokes. And this is just one benefit from many as to why password managers are superior to the pen and paper method. I mean, ask any cybersecurity expert, all of them will tell you that pen and paper is a horrible idea.


Of course there's no 100% safety when it comes to the Internet, but to stay secure my advice is the following (and this is actual copy/pasted text from the cyber security course, so it's not just my advice, but the actual thing we are taught on cyber security courses):

  • Always use complex, long passwords including symbols, numbers, lower and upper case letters.
  • Use a password manager
  • Change passwords periodically
  • Don't write your password in an open, unsafe folder or file
  • Don't share your passwords with anyone
  • Don't use your passwords on unknown devices
  • Use different passwords for different websites
  • Always use 2FA when available

And remember when it comes to cybersecurity - our knowledge is power against it.

Most managers also support auto fill-in when your vault is unlocked. Idk how that impacts remote security, but this is obviously something to reconsider when living in a shared apartment or something like that. But that's by far the biggest QOL feature they bring imo. As a bonus they also prevent keylogging your login data apart from your master password, which isn't of much use because you typically don't have to re-enter your e-mail address every time you unlock your vault. But I'd say anyone using a manager should use 2FA at least for that. And without your authentication device the keylogger wouldn't get into your vault either way.


And you can also set the manager to prompt you to change a password every few months or so. Even though it's technically the right thing to do, I find that tedious. Once you approach 100 entries in your vault you get to a point where you get these "change your password" popups on a daily basis.


I'd say even with the potential security risks, using a free password manager like Bitwarden is absolutely worth the risk for the average person. Especially compared to using the same easily memorable password for dozens of accounts, that way you're in a heap of trouble once the login credentials of one site have been leaked. Writing down and manually entering secure 20+ character passwords also including symbols and numbers will take minutes to log into anything since you'll have a typo 50% of the time. (And it can potentially lock you out of your account when you enter it wrong too many times.)

If someone did not use reason to reach their conclusion in the first place, you cannot use reason to convince them otherwise.


7 hours ago, Dean0919 said:

He mentioned keylogger... Key logger is the action of recording the keys struck on a keyboard. So, if you have your passwords written down in your physical notebook and you enter those passwords manually every time you log in your favorite websites and let's assume your system is infected with keylogger, apparently that keylogger is recording your passwords. But if you're using password managers, you just need to enter your vault (I do with PIN code and yes, Bitwarden supports PIN code locking system) and I just copy and paste that password into the field, without typing it manually on keyboard. Thus way, even keylogger wouldn't be able to record my password keystrokes.

Any decent keylogger likely can and will also be monitoring the clipboard. Doing it this way is far from a guarantee of protection. It's preferable to use an autofill that has obfuscation built in, and even that's not a guarantee, as nothing is, but it's better than typing or copy/pasting. Of course, keyloggers in general are not really considered major threats, and I hardly see anything about their use and there's not many programs to help with them, because the simple fact is that if someone can infect you with one, they can typically do much worse, making a keylogger redundant in many cases. That's not to say extra precautions shouldn't be used just in case, but it's low on the threat scale and copy/pasting is certainly not a solution.


Also, changing passwords regularly isn't really necessary with a good password. Yes, it can possibly help, but the likelihood is so low, especially compared to the effort of doing so. The only sites it should even be considered on for most people are important ones like banking, email, and social media, and those should all be set up with 2FA, making password changes less important anyway.


3 hours ago, mr moose said:

I actually haven't referred to last pass as proof of anything, Most of my discussion has been about managers in general.  

On 2/5/2023 at 6:27 AM, mr moose said:

Yes I am. As has been pointed out, the risk factors for using pen and paper (that never leaves my room, let alone the house) are such that the chances of someone breaking in AND looking for passwords AND knowing which PW was for which account AND knowing where to find it are so small that I would have to argue it is much less of a factor than a group of bad actors actually succeeding in getting more information than they got from LastPass.

Maybe this is your only reference, and maybe it wasn't meant to say LastPass specifically, but you did refer to it, and even if not meant specifically, it's still a statement that very much appears to be grouping all password managers in the LastPass (cloud) category.


3 hours ago, mr moose said:

These two sentences are contradictory, if you claim one is true then the other can't be.

Not at all. I said I don't know what factors you've considered, then I said it seems you haven't considered all factors. It's most certainly possible to have a very strong suspicion of something without knowing it for sure, and to suggest otherwise is bordering on a strawman.


3 hours ago, mr moose said:

If I am infected with a keylogger and I just happen to be using a manager, then the chances I lose all my passwords and account details are much higher. It is in the video I linked. If I do not use a manager and I have been infected with a keylogger, then they only get the service I log into and not all of them. I have less chance of losing everything in that situation. Also, because managers are software additions to browsers or standalone software in their own right, they are subject to the same probability of exploits and vulnerabilities that any software running in Windows has (hence why they have bug bounty programs). Now I know that those risks are small, small enough to not be a factor for most people, but they are still risks and thus I have weighed them up against the fact I am not most people in my situation.

A keylogger will only log what's actually typed or copied to the clipboard, not all content on the computer. So it won't grab all of the passwords, only the ones used. And even then, a good password manager will use autotype with obfuscation to attempt to bypass or throw off keyloggers, so at least there's a chance it won't get the passwords, whereas typing them in is guaranteed to expose them. But as I said in my reply to Dean at the top of this post, keyloggers aren't typically much of a threat. A bigger concern is general malware, and you are correct that leads to a higher risk with a password manager than without one. I never said there weren't risks exclusive to password managers, only that it's different risks, with more benefits. And just like the risks with pen and paper, there are ways to at least partially mitigate those risks as well. But yes, you are absolutely right that the use of a password manager has a small risk of exposing everything. And if that very small risk is not worth it despite the additional benefits provided, that's fine. All I'm saying is one should be aware of all the benefits of a password manager and all the risks of pen and paper, just as they should be aware of the inverse.


A couple questions: how do you create your passwords, and how exactly do you access/go to the sites on which you use them?


3 hours ago, Stahlmann said:

Most managers also support auto fill-in when your vault is unlocked. Idk how that impacts remote security, but this is obviously something to reconsider when living in a shared apartment or something like that.

Autofill is irrelevant if sharing a computer. If you leave your vault unlocked so autofill can work, even without it roommates, etc. would be able to access all your info. The key is to not leave it unlocked on a public computer. Use timeouts to auto-lock it after a short amount of time, set it to auto-lock when the computer locks, and use a quick unlock feature to open it without having to type your full password every time.


4 hours ago, Stahlmann said:

And you can also set the manager to prompt you to change a password every few months or so.

As I mentioned in my first reply in this post, the potential benefit of, and therefore need for, doing this is very small if you use good passwords, and even less so with 2FA. This recommendation has fallen out of favor with most security experts and supposedly even the government.

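The keylogger question argued over in the post above (typing vs. copy/paste vs. auto-type with obfuscation, and the point that a real keylogger usually reads the clipboard too), as an added example that is not part of the original thread and not code from KeePass, Bitwarden or any other manager. It is a toy model: a "logger" that records keystrokes and optionally clipboard writes, three ways of delivering a password to a login form, and a reconstruction of what the attacker gets back. The alternating three-character split is an illustrative assumption, not the real two-channel auto-type obfuscation algorithm, which is more involved; the password is a constructed sample.

```python
"""Toy model: what a keylogger recovers depending on how a password is entered.

Added example for this thread, not code from any password manager. The
split rule in two_channel_autotype() is an assumption for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PASTE_KEY = "<ctrl+v>"


@dataclass
class Logger:
    """Toy malware: records every keystroke; reads the clipboard only if hooked."""
    hooks_clipboard: bool
    keys: List[str] = field(default_factory=list)
    clips: List[str] = field(default_factory=list)

    def on_key(self, key: str) -> None:
        self.keys.append(key)

    def on_clipboard(self, text: str) -> None:
        if self.hooks_clipboard:
            self.clips.append(text)


def type_manually(pw: str, logger: Logger) -> str:
    """Pen-and-paper style: every character goes through the keyboard."""
    for ch in pw:
        logger.on_key(ch)
    return pw


def paste_from_clipboard(pw: str, logger: Logger) -> str:
    """Copy from the vault, paste into the form: one clipboard write, one key."""
    logger.on_clipboard(pw)
    logger.on_key(PASTE_KEY)
    return pw


def two_channel_autotype(pw: str, logger: Logger, chunk: int = 3) -> str:
    """Simplified two-channel obfuscation: even chunks are typed as keystrokes,
    odd chunks are placed on the clipboard and pasted. (Illustrative split.)"""
    delivered = []
    for n, start in enumerate(range(0, len(pw), chunk)):
        part = pw[start:start + chunk]
        if n % 2 == 0:
            for ch in part:
                logger.on_key(ch)
        else:
            logger.on_clipboard(part)
            logger.on_key(PASTE_KEY)
        delivered.append(part)
    return "".join(delivered)


def reconstruct(logger: Logger) -> str:
    """Attacker's view: typed keys in order, with each paste replaced by the
    clipboard content if it was captured, or '?' if it was not."""
    clips = iter(logger.clips)
    out = []
    for key in logger.keys:
        out.append(next(clips, "?") if key == PASTE_KEY else key)
    return "".join(out)


METHODS: Dict[str, Callable[[str, Logger], str]] = {
    "manual": type_manually,
    "paste": paste_from_clipboard,
    "autotype": two_channel_autotype,
}


def exposure(method: str, pw: str, hooks_clipboard: bool) -> str:
    """Deliver pw by the given method under a logger and return what it recovers."""
    logger = Logger(hooks_clipboard)
    delivered = METHODS[method](pw, logger)
    assert delivered == pw  # the login form always receives the full password
    return reconstruct(logger)


if __name__ == "__main__":
    sample_pw = "Tr0ub4dor&3xyz"  # constructed sample, not a real credential
    for method in METHODS:
        for hooked in (False, True):
            print(f"{method:9s} clipboard_hooked={str(hooked):5s} "
                  f"attacker sees: {exposure(method, sample_pw, hooked)}")
```

Against a keystroke-only logger, manual typing leaks the whole password, pasting leaks nothing, and the chunked auto-type leaks only the typed chunks. Against a logger that also hooks the clipboard, all three methods leak everything, which is the caveat the post makes: these tricks raise the bar for a naive keylogger, but malware that already runs on the machine can read the clipboard, the browser's form fields or the unlocked vault process, so they are not a defence against a compromised endpoint.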

17 hours ago, vertigo220 said:

Maybe this is your only reference, and maybe it wasn't meant to say LastPass specifically, but you did refer to it, and even if not meant specifically, it's still a statement that very much appears to be grouping all password managers in the LastPass (cloud) category.

Only in as much as they all have the same target on them, and one can only hope that the next successful attack is not worse than in the case of LastPass. If anything, all this sentence says is that LastPass is the worst known exploit of PW managers and it fortunately was more just personalized data, like what they get from any other successful corporate attack. Which means they are not immune to being targeted.


17 hours ago, vertigo220 said:

Not at all. I said I don't know what factors you've considered, then I said it seems you haven't considered all factors. It's most certainly possible to have a very strong suspicion of something without knowing it for sure, and to suggest otherwise is bordering on a strawman.

If you don't know what factors I have considered, how can you know I haven't considered all of them?


17 hours ago, vertigo220 said:

A keylogger will only log what's actually typed or copied to the clipboard, not all content on the computer. So it won't grab all of the passwords, only the ones used. And even then, a good password manager will use autotype with obfuscation to attempt to bypass or throw off keyloggers, so at least there's a chance it won't get the passwords, whereas typing them in is guaranteed to expose them. But as I said in my reply to Dean at the top of this post, keyloggers aren't typically much of a threat. A bigger concern is general malware, and you are correct that leads to a higher risk with a password manager than without one. I never said there weren't risks exclusive to password managers, only that it's different risks, with more benefits. And just like the risks with pen and paper, there are ways to at least partially mitigate those risks as well. But yes, you are absolutely right that the use of a password manager has a small risk of exposing everything. And if that very small risk is not worth it despite the additional benefits provided, that's fine. All I'm saying is one should be aware of all the benefits of a password manager and all the risks of pen and paper, just as they should be aware of the inverse.

They are a threat; if there is a keylogger or malware on my system and present when I access a manager to set up new accounts or edit accounts then woosh, all is gone. But I have already said this is a small risk, but to me it is a bigger risk than pen and paper. If someone has 20 accounts with passwords, is using their PC for forum chatting, web surfing for "content" or even downloading and trying out new programs from not so well known programmers, then I would strongly recommend a password manager, but only after paying for a decent anti-malware and antivirus service and having a thorough clean out. It's just about being realistic with what you do and where the least amount of risk lies. For me it's pen and paper; for someone with only one PC who needs to use it for everything every day, a PW manager is probably a really good idea.


17 hours ago, vertigo220 said:

A couple questions: how do you create your passwords, and how exactly do you access/go to the sites on which you use them?

I can't help but feel after this question there will be an "ah ha" post with a whole heap of reasoning as to why you think I would be better off with a manager. But anyway, here it is. My passwords are all a string of random characters and I use them on a dedicated machine for banking and purchasing, something that I only do once a week, and I run updated anti-malware and antivirus regularly (on top of the automated scans). That is why it works for me; I literally only have a few passwords to remember.


3 hours ago, mr moose said:

Only in as much as they all have the same target on them

But they don't. There's a reason I use KeePass, which uses a local database, rather than any of these, which I and others have brought up here before. The likelihood somebody is going to target me specifically, and go after my single vault, is orders of magnitude lower than that of someone targeting an online service. My risk of that is slightly higher than yours due to your use of pen and paper, but significantly lower than that of online vaults. And this is a big distinction that people keep on "missing" ad nauseam.


3 hours ago, mr moose said:

If you don't know what factors I have considered, how can you know I haven't considered all of them?

And you keep changing my words and the meaning of what I say, continuing to create a straw man argument, showing that you don't, in fact, care to have a fair and honest discussion. So it's at this point that I'm done with this.


19 hours ago, vertigo220 said:

But they don't. There's a reason I use KeePass, which uses a local database, rather than any of these, which I and others have brought up here before. The likelihood somebody is going to target me specifically, and go after my single vault, is orders of magnitude lower than that of someone targeting an online service. My risk of that is slightly higher than yours due to your use of pen and paper, but significantly lower than that of online vaults. And this is a big distinction that people keep on "missing" ad nauseum.

I think the target is the same; the way they try to attack changes. With cloud services the target is the cloud, the end-user software and possibly even end-user phishing. With local managers the target becomes a way into the software you use on your PC, be that through a Windows exploit, a bug in the program or again phishing. Fortunately most of us are a fair bit less likely to fall for phishing scams than the average user, but that still leaves us open to other exploits in the system. Like all security measures, it is only as safe as the weakest link.


19 hours ago, vertigo220 said:

And you keep changing my words and the meaning of what I say, continuing to create a straw man argument, showing that you don't, in fact, care to have a fair and honest discussion. So it's at this point that I'm done with this.

Not true. If you think I haven't considered all the facts then tell me which ones. So far, for all the facts you have raised I have demonstrated an understanding and explained how I considered them.


11 hours ago, mr moose said:

Not true. If you think I haven't considered all the facts then tell me which ones. So far, for all the facts you have raised I have demonstrated an understanding and explained how I considered them.

I tried asking you which pros and cons you had considered earlier and you only replied with pointing to a post where you said using a password manager literally didn't offer any benefit and only increased the risk because passwords might leak in case of an attack on the service.


I think both vertigo and I have reached the same point in our discussion with you. You keep things vague and don't want to elaborate because you don't want us to point out that your method of doing things might not be the best, and those that ridiculed you before might be right. So you refuse to elaborate but imply a lot of things, and once we counter those implications you back off and go "wow, that's not what I said!" or "how do you know what I really think?" and then post a bunch of other vague stuff that heavily implies things.

I tried to reason with you, but clearly you do not want to reason about this. You have made up your mind and are digging your heels in. You want to feel superior but are afraid of having an actual discussion, so you resort to tiptoeing around and never actually making any concrete statements, which leads people to have to assume things which you can later deny and never elaborate on.


I was hoping that when vertigo joined the discussion I could leave because our discussion was poisoned. You didn't want to have a discussion with me, you just wanted to dig your heels in more and feel vindicated. When vertigo joined you seemed to loosen up a bit and became a bit more reasonable, but as soon as your stance started to be questioned you went back into defense.


You are free to keep writing your passwords into a notebook and keeping that at your computer if you want. It does not matter to me at all. What I don't like are your posts, which can only be described as attacks on password managers because they are full of exaggerations and inaccuracies, strongly indicate a lack of understanding about the situation, and clearly encourage others who are in situations different from yours to also spread FUD about password managers. Your posts are contributing to the weakening of cyber security in the same way people who post bullshit about vaccines weaken trust in healthcare and modern medicine. You are doing the equivalent of spreading FUD about doctors and how vaccines are killing people, and when questioned you go "you are not allowed to question me because you don't know if I am for example allergic to something in the vaccine, therefore everything I have said is justified". Then when questioned if you are allergic you just go "I won't tell, but you shouldn't assume things about me".


I don't care if you don't use a password manager, but I would like it if you at the very least stopped making posts which spread fear and doubt about them and encourage people who may or may not be in the same situation as you not to use them. I mean, just look at the people who thumbed up your posts, and the posts you have thumbed up. They are most likely in a very different situation than you are and would benefit from password managers, yet your posts seem to encourage them not to use them. You are validating their (most likely) incorrect beliefs. And this is true even if we assume that password managers would be bad in your case, which is something I very much doubt based on the information you have given me, because your posts seem to imply that you have not considered more than a couple of aspects.


sucks that people hack these places.

hope they learn from this and it didn't seriously affect too many people 🙂


12 hours ago, LAwLz said:

I don't care if you don't use a password manager, but I would like it if you at the very least stopped making posts which spread fear and doubt about them and encourage people who may or may not be in the same situation as you not to use them.


I guess people aren't capable of reading then (or even watching the video I posted). I have not said people shouldn't use them. Hell, on the contrary, I stated that they are better for most people. But if explaining why I am not most people isn't enough for you then there isn't anything more to say.


3 weeks later...
4 minutes ago, Baconbh8 said:

Well arstechnica just dropped some news that the breach was way worse than initially reported (https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/)

Now I'm sad that I cannot join the lawsuit from Brasil...

They aren't really reporting that the breach was way worse. They are just posting more details about what happened.

What we knew from before was that the attacker had managed to get hold of encrypted databases, but that the databases also included a lot of unencrypted data.

What's new in this article is the speculation/allegations that the reason why the databases were obtained was because a developer at LastPass had their home computer compromised through Plex, and that's how the attacker gained access to LastPass's systems.


12 minutes ago, LAwLz said:

They aren't really reporting that the breach was way worse. They are just posting more details about what happened.

What we knew from before was that the attacker had managed to get hold of encrypted databases, but that the databases also included a lot of unencrypted data.

What's new in this article is the speculation/allegations that the reason why the databases were obtained was because a developer at LastPass had their home computer compromised through Plex, and that's how the attacker gained access to LastPass's systems.

It's very surprising to me that a service that stores a lot of important information and responsibility even allows any kind of remote work that would allow a home computer to open a back door.


14 minutes ago, Stahlmann said:

It's very surprising to me that a service that stores a lot of important information and responsibility even allows any kind of remote work that would allow a home computer to open a back door.

I wouldn't say this matches my definition of "backdoor".

What happened was that the credentials to log in to an S3 bucket were stolen because a developer kept those credentials on his own PC. You can't prevent someone from storing those credentials on their own PC (maybe in some policy but not in practice).


It's not really a backdoor since it didn't bypass any authentication, and it's probably explicitly designed that way for a reason. If the story was that the developer had some password that could unlock someone's vault then I would agree that it was a backdoor, but this just seems like the normal way for them to work.

A LastPass employee being able to access the file area where the vaults are stored is no more a "backdoor" than the fact that a Microsoft employee can access the source code for Windows (or at the very least part of it).


I am not that experienced with S3 buckets but I think you can limit access to specific IPs, but that would make it harder to do "work from home" even with their work laptops, and for all we know those buckets are accessed through other services that may use other IPs. Locking things down to specific IPs might be very impractical and could cause other issues, especially in systems like these that might be configured to scale up or down depending on load.

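The "limit the bucket to specific IPs" idea raised in the post above, as an added example that is not part of the original thread and is not LastPass's actual configuration: a bucket policy in the standard Deny + NotIpAddress form that AWS documents for IP allow-listing, built as a Python dict, plus a small offline check of that one condition against a source address. The bucket name and the address ranges are placeholders (RFC 5737 documentation ranges); the checker models only this Deny/NotIpAddress pattern, it is not a general IAM policy evaluator.

```python
"""Added example: S3 bucket policy denying access from outside an IP allow-list,
with a local check of the NotIpAddress condition. Bucket name and CIDRs are
made-up placeholders; the evaluator handles only the Deny pattern built here.
"""
import ipaddress
import json
from typing import Dict, List, Union

BUCKET = "example-vault-storage"                         # placeholder name
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.10/32"]   # placeholder egress ranges


def ip_allowlist_policy(bucket: str, cidrs: List[str]) -> Dict:
    """Bucket policy: explicitly deny all S3 actions unless the request's public
    source IP is inside one of the given ranges. An explicit Deny overrides any
    Allow an IAM user or role might otherwise have."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideAllowedEgress",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
            }
        ],
    }


def request_denied(policy: Dict, source_ip: str) -> bool:
    """Return True if a Deny statement with a NotIpAddress/aws:SourceIp condition
    matches source_ip, i.e. the address is outside every listed range."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond: Union[str, List[str]] = (
            stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
        )
        cidrs = [cond] if isinstance(cond, str) else list(cond)
        if not cidrs:
            continue
        inside = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if not inside:
            return True
    return False


if __name__ == "__main__":
    policy = ip_allowlist_policy(BUCKET, ALLOWED_CIDRS)
    print(json.dumps(policy, indent=2))
    # Constructed sample requests: one from the allowed office range, one from
    # an arbitrary home connection.
    for ip in ("203.0.113.77", "192.0.2.5"):
        print(ip, "denied" if request_denied(policy, ip) else "allowed")
```

Two caveats a practitioner would want next to this. First, the policy binds access to a network location, not to a person or device: credentials stolen from a developer's home machine are still accepted if the attacker relays requests through that machine or any other host inside the allowed range, so this complements short-lived credentials and MFA rather than replacing them. Second, `Principal: "*"` with `s3:*` and an IP deny also locks out administrators, the console and any AWS-side process that reaches the bucket from an address outside the list, which is the practical objection the post above raises; a misconfigured range can turn the policy into a self-inflicted denial of service.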
