Password Managers

Trice

I need help from the LastPass gurus. Let's go with espn.com. I go to change my very old, very unsafe password to a generated one, and the first problem is LastPass won't fill the password, so I go to generate one and copy it in, but then LastPass won't pop up and offer to save it. So then I try to log in and paste the password again and only get 1 character. Please help!!

Is the problem with ESPN.com only, or other sites too? Occasionally a site just doesn't work with LastPass like it should, for whatever reason. But if this happens with lots of sites, I would suggest uninstalling and reinstalling LastPass and/or hitting up the LastPass support forum for help.

But to solve your immediate problem, I'd just generate your new password then temporarily paste it into an empty Word doc or email. Then copy/paste it into ESPN.com to change it, and then manually go into your LastPass vault to update your ESPN.com entry.
 

kcbob79clone


That's a great idea! Thanks!! It has happened on a few sites.
 

Trice

I think it's time for LastPass users to leave that product behind. I moved on a couple years ago because I felt the product was becoming stagnant after changing ownership once or twice - though it does seem like lately it had found its footing again. Also worth noting that this is the second major breach it has had in the last few years. I realize passwords were not stolen, but a password manager not getting hacked is the very definition of "you had one job."

I'd recommend 1Password to anyone looking for something different. And read up on passkeys, which are actually relatively close (a few years?) to eliminating the need for passwords altogether.
 

NodawayRiverClone

There are several good password managers out there, all prime targets for crackers and hackers, obviously. Probably no need to spend part of your holiday vacation moving things to a new manager out of misplaced panic. From the LastPass blog (I know, compromised companies are not always forthcoming with information, but LastPass has a vested interest in being fairly honest):

As a reminder, LastPass’ default master password settings and best practices include the following:

  • Since 2018, we have required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute force password guessing.
  • To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here.
  • We also recommend that you never reuse your master password on other websites. If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account (this is referred to as a “credential stuffing” attack).

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.
 

simply1

It doesn’t take long to export data and import that data into another manager.

How can you say LastPass doesn’t have a vested interest in not being forthcoming? They’re owned by a private equity firm for a few years now.

Tons of other personal information was stolen as well, opening the door to phishing attacks.

Technically, the LastPass default standard is not 100,100. OWASP recommends 310,000 iterations.

If the master password was a reused password, which you shouldn’t do but I can guarantee someone has done, you absolutely need to change all of your passwords in the vault.
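
An added example, not part of any post in this thread and not LastPass code: it measures what one password guess costs at the two PBKDF2 iteration counts mentioned above (100,100 and 310,000) and shows how the time to exhaust a password space depends on both the count and the password's shape. HMAC-SHA256, the 1e10 hashes-per-second rate and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

BLOG_ITERATIONS = 100_100   # default quoted from the LastPass blog in this thread
OWASP_ITERATIONS = 310_000  # figure cited in the reply above
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key.
    HMAC-SHA256 is an assumption; the thread only says "PBKDF2"."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def verify(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Re-derive the key and compare it in constant time."""
    return hmac.compare_digest(derive_key(password, salt, iterations), expected)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measured cost of one guess on this machine (CPU only)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(alphabet: int, length: int, iterations: int,
                     hmacs_per_second: float) -> float:
    """Years to try every password of this shape. hmacs_per_second is an
    assumed hardware rate, not a measurement of any real attacker."""
    guesses_per_second = hmacs_per_second / iterations
    return alphabet ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e10  # assumed: 10 billion HMAC-SHA256 operations per second
    for n in (BLOG_ITERATIONS, OWASP_ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess here")
        # 12 random characters from a 62-symbol alphabet vs. 8 lowercase letters
        print(f"  12-char random: {years_to_exhaust(62, 12, n, rate):.2e} years")
        print(f"  8 lowercase   : {years_to_exhaust(26, 8, n, rate) * 365:.1f} days")
```

The iteration count only multiplies the cost of each guess; the size of the password space is what moves the estimate from days to geological time.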
 

Trice


It's a company that has had multiple breaches in recent years, and on this particularly egregious one chose the days leading into the biggest holiday and busiest time of the year to disclose that enormously sensitive customer data was lost. Nobody should panic, but it certainly isn't "misplaced." Nobody should continue doing business with this company.
 

NodawayRiverClone

For those looking to change password managers, here's a history of some hacks that have occurred in addition to the latest LastPass issue (cybernews.com):

Password manager hacks

The list of notable password manager hacks is quite short. Otherwise, they wouldn't have the reputation they have today. That's why I'll be also adding reported vulnerabilities that might not have resulted in any damage.

  • In 2015, LastPass detected an intrusion to its servers. Hackers took users' email addresses and password reminders, among other info. This resulted in no known damages because even if you used a weak master password and the attackers cracked it, they would still need to verify the access by email.
  • In 2016, plenty of security vulnerabilities were reported by white-hat hackers and security experts. Among the affected password managers were LastPass, Dashlane, 1Password, and Keeper. In most cases, the attacker would still have to use phishing to trick the user into revealing some data.
  • In 2017, LastPass reported a serious vulnerability in its browser add-ons and asked subscribers to refrain from using it. It was fixed in less than 24 hours. Keeper and OneLogin also had issues that didn't result in casualties.
  • In 2019, serious vulnerabilities were found in the code of Dashlane, LastPass, 1Password, and KeePass. This applied to Windows 10 users and only if the right malware was installed. Once again, the users didn't suffer any reported casualties.
 

Cloneon

Nice Christmas news dump here. Get the hell away from this company.

This comes as no surprise. I used to use LastPass, but since they were sold all you could see was 'marketing' hype and less attention to details that matter. I jumped to Bitwarden and haven't been disappointed.
 

simply1

Do you have an interest in LastPass?
 

NodawayRiverClone

I use it.

People I know that I encourage to use a password manager don't trust the concept of a password manager - they tell me adamantly they will continue to use a notebook with each password written down. I don't care which manager is chosen, but I think they are better off using a manager than not.

I'm just not convinced (yet) that LastPass must be avoided. Others have better recommendations, but it's based mostly on features or convenience, not security.
 

 

Trice

This just keeps getting worse. If I'm reading this correctly, a subset of LastPass customers affected by this breach basically had the entire contents of their accounts stolen, including encryption keys - which would make available full access to all their accounts to the hackers with this info in their possession. I hope LastPass is communicating to affected customers directly because they've been pretty dodgy with the media.

 

NickTheGreat

Still using Bitwarden and loving it. Open source and free. There's a self-hosted option if you want, but I've never messed with that.

Works well across devices and even sharing with my wife.