
LastPass Hack: The CRUCIAL Problem No One Is Talking About

Views: 126,622

Shannon Morse

1 day ago

Sign up for DeleteMe! Use the coupon code SNUBS for 20% off any consumer plans! Linky: www.JoinDelete... * (coupon code automatically applied at checkout)
LastPass admitted to getting hacked a couple of months ago, and we're just now learning more details about what was breached. Password managers are often targeted in hacks, but in my opinion LastPass is downplaying a crucial problem that can affect users.
My favorite password managers for 2023:
25% off 1Password: www.jdoqocy.co... *
30% off Roboform: www.kqzyfj.com... *
Dashlane: www.dashlane.com/
Bitwarden: bitwarden.com/
Keeper: www.keepersecu...
What Is A Password Manager And Should You Trust Them? - • What Is A Password Man...
LINKS:
blog.lastpass....
support.lastpa...
support.lastpa...
www.goto.com/b...
blog.gaborszat...
capec.mitre.or...
cwe.mitre.org/...
FTC: Links marked with * are affiliate links, which means I make a small commission off any sales.
Become a Morse Code Member by checking out the perks linked here:
/ @shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
SUBSCRIBE! 🌸 www.youtube.com...
TWITTER 🌸 / snubs
Patreon 🌸 / shannonmorse
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
SUPPORT MY WORK
Patreon 💛 / shannonmorse
Buy Me a Coffee 💛 www.buymeacoff...
Shop 💛 snubsie.com/shop
TeeSpring 💛 teespring.com/...
Coupon Codes 💛 snubsie.com/su...
Tech I Use & Recommend 💛 kit.co/Shannon...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
FOLLOW THE SOCIALS THINGS
Twitter 🌸 / snubs
Instagram 🌸 / snubs
YouTube 🌸 www.youtube.com...
Website 🌸 www.shannonrmor...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
TECH I USE AND RECOMMEND
My Kits, Builds, and Must Haves ✨ kit.co/Shannon...
My Amazon Influencer Page ✨ www.amazon.com...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
MY OTHER SHOWS
ThreatWire 🌙 www.youtube.com...
Sailor Snubs 🌙 www.youtube.co...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
GET IN TOUCH
Mail ✈
snubsie.com/co...
Email for Business and Sponsorship Inquiries ✈ Shannon@ShannonRMorse.com
My Media Kit ✈ snubsie.com/wo...
Sponsor This Channel ✈ snubsie.com/sh...
Music from 🎵 Epidemic Sound: www.epidemicso...
💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜💜
😍 FTC DISCLAIMER 😍
Affiliate links listed above allow me to receive a small commission. Any sponsorships for videos are noted in video and listed in descriptions. Any products provided as gifts are listed above. Thank you for your support!
Comment section code of conduct policy:
Constructive feedback is appreciated, but please leave unproductive, divisive and harmful conversation at the door. Hateful comments are not tolerated, and these kinds of messages will be automatically removed. Thank you for making this community a welcoming experience for all viewers :)
snubsie.com/co...

Comments: 471
@happysprollie 1 year ago
I switched from LastPass to Bitwarden when the hack happened, and actually find BW to be superior. And FWIW, I'm in the infosec business. I'd become anxious about LP after its acquisition by LogMeIn (which didn't have a stellar security record). Wish I'd acted sooner.
@jeepfanatik1304 1 year ago
How would you consider BW to be superior? I use the LastPass Family subscription but with an over-20-character master PW. Would be interested to know if other options might be better and/or cheaper.
@Squant 1 year ago
@jeepfanatik1304 Depends which paid services you need. I'm using BitWarden for free and it does everything LastPass used to do before they removed the option for free accounts across multiple devices. The company also seems a whole lot less shady in general, which is nice.
@ivanlawrence2 1 year ago
@jeepfanatik1304 I'm not in infosec but I know enough to be dangerous... BW is arguably "superior" as a product since it is open source and has been independently audited. But BW is also faster performing and its default settings give you a stronger starting point. We LP refugees with long MPs are likely fine against brute force, but I went through and changed all 500+ passwords anyway... which sucks. This did allow me to increase the security at each site (add new MFA or use generated passphrases for site "security questions" answers) and remove sites that no longer exist or are not needed. It is laborious to do but seems worth it in the long run.
@itsathejoey 1 year ago
Bitwarden is only superior if you are self hosting. If you don't have the means to self host it, then 1Password would be best.
@zadekeys2194 1 year ago
Same, I moved myself and my clients away from LP to BW after their 1st hack.
@Wyrenth 1 year ago
An updated password manager video would be awesome. As well as how to make the process of migrating easier. Right now the challenge is momentum - it’s hard to just get started.
@ShannonMorse 1 year ago
I feel this tweet in my soul. It's so hard to get started!
@not_adiitya 1 year ago
@ShannonMorse YEP
@pauldamian2988 1 year ago
@ShannonMorse Agreed... but I would argue it might even be harder to SWITCH!?!?!?!?! I run LastPass with a long (23?) master... now I gotta change?
@mementomori29231 1 year ago
Google switch from LastPass to bitwarden, super easy with export / import. Steve Gibson (IT guru) talks about how easy this is in his podcast.
@shaunreich 1 year ago
@pauldamian2988 Super easy to switch to Bitwarden. Export your LastPass file and import it, boom. Took me like 10 minutes. It has much better field support, and autofill on Android and web support, too. Works a bit better overall, I've found.
@mu_zines 1 year ago
There’s also an additional problem you didn’t mention - LastPass not updating customers’ hash iteration value. They changed the default to 100,000+ iterations, but people who created accounts a decade ago had iteration counts of 5000, or even *1* for early accounts, and LastPass *did not upgrade customer accounts* according to their own security standards. This means these passwords are *way* more brute-forcible. It’s really bad…
@brianfritz575 1 year ago
This is one of the big factors that has led me to dump LastPass. I paid LastPass because they seemed to be making good decisions about security. I wanted to not have to be a full-time security person. I wanted to farm that out to LastPass. At the time I did this, about a decade ago, LastPass seemed to be doing a great job. The issue is that LastPass appears to have gotten lazy. They failed to increase the PBKDF2 hash iterations... actually they did so for new customers... but not those of us who had been singing their praises and been longtime customers! This tells me the problem is not really the hackers, it is that I no longer trust LastPass to make good decisions about my vault and what is secure. Add to that the info that URLs were not encrypted, even though all LastPass marketing talks about how customer vaults are encrypted, never seeming to mention that important data like URLs is not... Yeah, bye bye LastPass. They've made business decisions that are not in favor of my account being secure, so I am making a business decision that will not be in favor of their business goals. I'm gone. Won't be seeing you ever again, LastPass. You've shown how quickly you decide to do what is easy rather than what is best! Why would I continue with a password management company that has proven I cannot trust them!
@babybirdhome 1 year ago
And this is the reason that I'm considering moving after being a customer for over a decade. They need to have done a better job of communicating those updated security settings to their users when they changed their best practices. Like, if I have two sites using the same password in my vault, it'll yell at me every time I open my browser and click to fill a password, but not once did that same popup mechanism ever tell me that, "hey, you're using an outdated security setting for your vault, and if you don't update it to the modern recommended setting, you're putting the security of your entire vault at risk." Everything else I can forgive because they can happen to any organization, but that one was a seriously dropped ball.
@bassmaiasa1312 1 year ago
If 5000 used to be adequate but not now, how long before 100K+ won't be adequate? 5 years? 2 years? LastPass's dodge about 'generally available cracking tools' -- that's generally available now. What will be 'generally available' in two years? Time flies.
@brianfritz575 1 year ago
@bassmaiasa1312 Since OWASP is already recommending 310,000 iterations, what LastPass is doing right now is inadequate. LastPass is not keeping up. That LastPass was not actively alerting users who had iterations set below 100,000 is pure ineptitude on LastPass's part.
@killer2600 1 year ago
@bassmaiasa1312 100k is no longer considered adequate; OWASP recently changed the recommendation from 310k to 600k PBKDF2 iterations. But encryption in general is a rat race: we encrypt things to be currently unbreakable, but computers in the future may be able to break it with ease. Thus what you're really doing with encryption is buying time, so that when an adversary finally breaks into the vault, the treasure within is no longer useful.
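The iteration-count thread above (1 and 5,000 on old accounts, 100,000 later, OWASP's 310,000 and 600,000), as an added example that is not code from the video, from LastPass or from any commenter: it times a PBKDF2-HMAC-SHA256 guess at each of those counts on one CPU core and turns that into a time-to-exhaust estimate for printable-ASCII passwords of a few lengths. The construction (e-mail as salt, 32-byte key), the sample password and e-mail, and the attacker `speedup` factor are all assumptions for illustration; nothing on this page gives GPU cracking rates, so set `speedup` to your own estimate.

```python
"""Added example: what a PBKDF2 iteration count buys you against offline guessing.

Assumptions (not from the page): PBKDF2-HMAC-SHA256 with the account e-mail as
salt and a 32-byte key, which is the construction the thread refers to; the
password and e-mail below are constructed; `speedup` is whatever advantage you
assume an attacker's GPU rig has over this single CPU core.
"""
import hashlib
import math
import time

# Iteration counts discussed in the thread: 1 and 5,000 on old LastPass accounts,
# 100,000 for the later default, 310,000 and 600,000 for the OWASP recommendations.
ITERATION_PROFILES = {
    "legacy account": 1,
    "old default": 5_000,
    "later default": 100_000,
    "OWASP (310k)": 310_000,
    "OWASP (600k)": 600_000,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password, salt, iterations, length=32):
    """PBKDF2-HMAC-SHA256; every guess an attacker makes costs exactly this call."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt.encode(), iterations, length)


def seconds_per_guess(iterations, samples=3):
    """Minimum wall-clock cost of one guess at `iterations` on this machine, single core."""
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", "user@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def keyspace(length, alphabet=95):
    """Number of passwords of exactly `length` characters drawn from printable ASCII."""
    return alphabet ** length


def years_to_exhaust(length, secs_per_guess, speedup=1.0, alphabet=95):
    """Years to try every password of `length` chars when one guess costs `secs_per_guess`
    on this core and the attacker is `speedup` times faster than this core."""
    return keyspace(length, alphabet) * secs_per_guess / speedup / SECONDS_PER_YEAR


def cost_table(lengths=(8, 10, 12), speedup=1.0):
    """Rows of (profile, iterations, seconds per guess, {length: years}) for the report."""
    rows = []
    for label, iters in ITERATION_PROFILES.items():
        spg = seconds_per_guess(iters)
        rows.append((label, iters, spg, {n: years_to_exhaust(n, spg, speedup) for n in lengths}))
    return rows


if __name__ == "__main__":
    # An assumed 100,000x speedup stands in for a multi-GPU rig; replace it with your own estimate.
    for label, iters, spg, years in cost_table(speedup=100_000):
        est = "  ".join(f"{n} chars: {y:.3g} yr" for n, y in years.items())
        print(f"{label:15s} {iters:>8,d} it  {spg * 1000:8.3f} ms/guess  {est}")
```

The point the table makes is the one the thread argues: the iteration count is a linear multiplier on every guess the attacker has to make against a stolen vault, so an account left at 1 or 5,000 iterations is 100,000 to 600,000 times cheaper to attack than one at the recommended counts, and only password length (the exponent) or a higher count (the multiplier) changes that after the data is already stolen.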
@paulsullivan649 1 year ago
Thanks so much for talking about this. I love that you bring issues like this to a wider community, on top of always talking about safer ways to keep our private information actually private!
@ShannonMorse 1 year ago
You are so welcome!
@ilannguaqjonathansen8208 1 year ago
@ShannonMorse Or self-host a PW manager with the likes of KeePass and such.
@Rickmakes 1 year ago
Another problem with this is that it makes people lose trust in password managers, which ultimately leaves them more vulnerable. I like your advice of not having your most valuable passwords in your manager and to switch managers early if you hear of a breach. Hopefully it is sinking in that people need to take an active approach to security.
@Tech-geeky 1 year ago
It's a shame... businesses say stuff, but cannot back up the proof. If you have an updated iteration hash/count and a complex master password, you should be fine. I just had to go through 20 websites in my vault to update all passwords. Now I have no idea what any of them are 😆
@wavemakersdj 1 year ago
Switched to Keeper. The bad part is the vault data that was stolen is not going to be impacted by what you change now, so it can be scanned for years to try and get new credentials that are still in place. What users should really do is change every single password in their LastPass list, save on a different service or locally, and drop all GoTo products from this point forward.
@ShannonMorse 1 year ago
👏👏👏
@HillbillyWhisperer63 1 year ago
Switched to Keeper as well. Much happier now
@pudelz 1 year ago
I'm glad I'm not the only one that pays attention to the words used like "such as" in statements.
@ShannonMorse 1 year ago
Bruh 👀👀 I am sus
@TimDavis77 1 year ago
Great breakdown. I hadn't considered the Session ID issue in the URL until your video. As much as I loved Lastpass, this breach was the last straw for me.
@cmdrbozo 1 year ago
My suggestion, no matter where you record your passwords, is to store partial passwords, but to have a secret code, e.g., three ending characters you add to every password. And never record that secret code anywhere except maybe on the side of your bottom dresser drawer. That way if your UN/PW is hacked you're safe because the hacker has only a partial password. Also protected if you have a written list.
@mschwage 1 year ago
Wow cool idea!
@elizabethg7806 1 year ago
The same 3 characters (e.g. 123) for every password or different?
@Tech-geeky 1 year ago
LastPass does have the OTP/recover option in case you forget your master password. Call me a goof, but the first thing I do when setting up the plugin is turn OFF these things. I manage my *own* security (... which could become a problem in later years).
@jmr 1 year ago
Hardware 2FA needs to be a universal option.
@Heat2234 1 year ago
Everywhere should use them, and free. It's absurd that a security product makes you pay to be the most secure.
@kevorka3281 1 year ago
>makes secure password manager >GETS HACKED Nice f*cking work, you guys. People put their trust in you keeping their passwords safe. Unacceptable.
@genxguy 1 year ago
As a network sysadmin geek myself I love your videos. Well spoken, clear and to the point. I've just updated to YubiKey from a previous video and love it! Small pain in the butt to keep it with me, but it protects me and my client data and schematics for their systems so I'm a happy camper 🤓
@MorbidGod391 10 months ago
11:37 ummm if anyone HASN'T switched, do so now. Pause the video and switch. Thanks! And your future self will thank you too!
@gavincrouch 1 year ago
Seems excessive. Those session IDs have expired a long time ago. Hackers can only access 'active' session IDs. A session expires either when logging out, or timing out (set on the servers). A PC restart will kill every active session, or closing all tabs and clearing browser cache, or inactivity. Also avoid using / checking a box that says 'stay logged in'; this extends the session timeout to days or weeks before it expires (generally not found on sites with payment portals). Some sites will also dynamically change and update your session ID seamlessly as you browse; you will notice this if you open tabs from the site you are logged in to, and when you go back to the tabs you are met with a login page or it shows you logged out (as guest or whatever); those tabs never updated to the new session ID and have reverted to the default page.
@TheErador 1 year ago
And some are active for years. It's far better to be vigilant than sorry
@gavincrouch 1 year ago
@TheErador Sockets yes, sessions no (at least none I have ever come across, feel free to give an example); they will be terminated either client side or server side (whichever activates first). Idle sessions not closed are more like placeholders; they are deactivated when referenced again and a new active session is created.
@dougjones4538 10 months ago
Great info, Shannon. Thank you!
@hedbergmicke 1 year ago
All normal session IDs expire fast. I am not an expert but I believe that things like Facebook use cookies that are not handled by a password manager. And I like that the URLs are stored unencrypted so that I don't have to unlock the password manager every time I want to fill out a form.
@rerunx5 1 year ago
I'm glad I switched a long time ago to Bitwarden. Your video on showcasing different password managers really helped me on making my decision.
@MrPontiac005 1 year ago
Same
@ShannonMorse 1 year ago
Glad I could help!
@jorgefrias6100 1 year ago
You should try Pocket Pass Manager, local + only shares with other computers via the local network.
@Tech-geeky 1 year ago
The only snag is: what's gonna happen when Bitwarden is breached?? Are we (again) going to export/import our stuff to 'something else'?? Every time we do this it's harder and harder.. and it's not exactly quick. The more stuff we store in these cloud-based managers, the trickier it becomes. It's not just passwords anymore... it's driver's licenses, secure notes and dark web monitoring as well as 'emergency access' etc... Not every password manager supports all features either. So it becomes more of a simple solution.. What features are we willing to give up by changing??
@solarnightedge5732 1 year ago
Great video and love how you break it down so easily that anyone that's not very tech savvy can understand. 👍
@ShannonMorse 1 year ago
Glad you liked it
@mrkmdz 1 year ago
@ShannonMorse Snubs, a critical data point so far not disclosed by LastPass/LogMeIn is the date range for the backup data stolen. This could be critical information for people who deleted their LastPass vault before this latest breach. Depending on when the stolen backup was performed, customers who deleted their LastPass vaults six, twelve, maybe even 24 months before this breach might still be at risk! --bump
@GregM 1 year ago
The backups were from September 22nd 2022 as a LP user mentioned on another podcast . The LP user asked LP and that is what they told him.
@vidmonkey 1 year ago
@GregM Which podcast?
@Wigglythegreat2 1 year ago
@GregM Yeah, but who can trust the LP employee to know or tell the absolute truth.
@LedNe0nDevil 1 year ago
Thank you for explaining this in detail. I know nothing about security, more of a hardware guy, so this taught me a lot. Session hijack achievement unlocked.
@WreckDiver99 1 year ago
I've been using KeePass... Yes, it means having a OneDrive/thumb drive/Dropbox/Google Drive etc. to store the PW database, and yes it leaves a "potential" security hole, but what doesn't??? I used to just carry it on my thumb drive but my old employer then disabled all access to USB ports for memory storage (intellectual property theft deterrent). Is it perfect? Nope... but I've yet to hear a big "OMG KEEPASS HAS BEEN HACKED" yet.
@mschwage 1 year ago
Right! And they have to download your database, which is stored locally.
@Tech-geeky 1 year ago
We all keep hopping along from one lily pad to another like a bloody frog in a swamp, exporting/importing as we go... That's fun.... anyway.
@Alexoladele 1 year ago
Absolutely love this video! Great explanation of what happened. Also WHERE DID YOU GET THIS SHIRT?!
@beachboardfan9544 1 year ago
Look at my shocked face that a password company isn't secure... 😐
@oldmanonyoutube 1 year ago
LastPass was the most recommended password manager on YouTube that I've seen in the last few years. Tech YouTubers have been singing its praises for a while, so there are going to be a lot of people affected by this breach. Thanks for the heads up.
@StrawberryKitten 1 year ago
They got fat stacks for promoting it.
@ShannonMorse 1 year ago
Maybe other tech KZfaqrs did, but I have never been sponsored by LastPass. I did used to recommend it for years for a lot of reasons, but this was the final straw. I'm generally pretty forgiving but I can't stand them anymore.
@StrawberryKitten 1 year ago
@ShannonMorse What's your opinion about KeePassXC?
@Tech-geeky 1 year ago
and despite all that people still use it.
@witcnshum 1 year ago
URL wasn't encrypted, means they might have been selling the URL information to data brokers - why would it not be encrypted and other things encrypted?
@ShannonMorse 1 year ago
Omg good point! 😱 /Checks that my deleteme membership isn't expiring anytime soon.
@JuxZeil 1 year ago
Just like game saves, you shouldn't trust cloud storage, especially when your security is concerned. Locally encrypted list for usernames and passwords etc. on one cheap USB pen drive, encryption keys backup on another one in case you lose your OS install. You should also double check your motherboard/logic board's BIOS is implementing 'Secure Boot' properly too, as that seems an issue on MSI stuff... could be others with the same problem too though.
@jamesedwards3923 1 year ago
KeePass.
@MorbidGod391 10 months ago
5:43 now I don't know if you talk about this yet… but another nugget here is LastPass (at least up until the hack happened) did not require strong passwords. I think my old account had like an 8-character password that can be hacked in under a minute. Again, very bad :/
@mjbates 1 year ago
When I used the "Analyze Lastpass" PowerShell script, I noticed that some of my unencrypted URLs were password reset URLs with long reset tokens. 🤦 They didn't seem to work anymore, but that's still really bad. I didn't realize that when I'd do a password reset and the LastPass extension would prompt me "would you like to update the password for this site?" it was also changing the URL and saving the reset token in plain text.
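The check described in the comment above (and the session-ID-in-URL point raised earlier in the thread), as an added example that is not the "Analyze Lastpass" script, LastPass code, or any commenter's code: it reads a CSV vault export and flags every entry whose saved URL carries a session, reset or OAuth token in the query string or fragment. The CSV header is modelled on a LastPass-style export but is an assumption, the rows are constructed, and the name/value patterns are heuristics you should tune, not a specification of what any site uses.

```python
"""Added example: find session and reset tokens hiding in the URL column of a vault export.

Assumptions (not from the page): the CSV header mirrors a LastPass-style export,
the rows are constructed, and the name/value patterns are heuristics, not a spec.
"""
import csv
import io
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that usually carry something credential-equivalent (heuristic: substring match).
SENSITIVE_NAME = re.compile(r"sess|sid|token|auth|key|code|reset|nonce|secret|ticket|jwt", re.I)
# Values that look like opaque secrets: long hex, long base64/url-safe blobs, or a JWT.
TOKEN_VALUE = re.compile(
    r"^(?:[0-9a-f]{16,}|[A-Za-z0-9_\-]{20,}={0,2}|eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]*)$",
    re.I,
)

# Constructed sample export: one clean login, three entries where the extension saved a URL
# mid-flow (session id, password-reset token, OAuth fragment), one clean page, one secure note.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://example.com/login,alice,hunter2,,,Example Login,Work,0
https://shop.example.net/account?sessionid=8f3a9c0e4b2d4f6a8c1e2b3d4e5f6a7b&lang=en,alice,s3cret,,,Shop,,0
https://mail.example.org/reset?token=Zm9vYmFyYmF6cXV4cXV1eHF1dXg,alice@example.org,newpass,,,Mail,,0
https://app.example.com/callback#access_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln&state=xyz,alice,pw,,,App,,1
https://docs.example.com/page?lang=en&page=3,alice,pw,,,Docs,,0
http://sn,,,,Just a note,Note,,0
"""


def classify_params(url):
    """Return (param, value, reason) for each query or fragment parameter that looks secret."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return []  # notes and malformed entries carry nothing to scan
    # OAuth implicit flows and some SSO gateways put the token after '#', so scan both parts.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(parts.fragment, keep_blank_values=True)
    findings = []
    for name, value in params:
        if SENSITIVE_NAME.search(name):
            findings.append((name, value, "sensitive parameter name"))
        elif TOKEN_VALUE.match(value):
            findings.append((name, value, "value looks like an opaque token"))
    return findings


def scan_export(csv_text):
    """One finding dict per suspicious parameter across every row of a CSV export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        url = (row.get("url") or "").strip()
        for name, value, reason in classify_params(url):
            findings.append({
                "entry": row.get("name", ""),
                "host": urlsplit(url).netloc,
                "param": name,
                "value_preview": value[:8] + "...",  # never print the whole token
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"{f['entry']:14s} {f['host']:20s} {f['param']}={f['value_preview']}  ({f['reason']})")
```

Run it against your own export (`scan_export(open("export.csv").read())`), then for each flagged site log out of all sessions, re-save the entry with the bare login URL, and delete the export file: the export itself is plaintext, which is the same exposure the thread is complaining about. Whether a given token is still live is something only the site can tell you, so treat every hit as live until you have rotated it.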
@ShannonMorse 1 year ago
Yup!!! I noticed that too
@russellinman3464 1 year ago
That’s it, we’re going off the grid! Thanks for the deep dive.
@Veretax 1 year ago
The thing is the fact that they got the backup of the Vault means they can apply multiple different computers to try and crack the thing instead of over a single line
@xe-wf5iv 1 year ago
That wouldn't help as much as you think. The longer the password the difficulty increases exponentially. A 10 character password would take a few years to brute force. 12 characters 30K years. They could toss the entire computing power of the world at a vault secured with 13 characters. They would all be dead before even putting a dent in the possible combinations.
@Blizzard4242 1 year ago
That's a really good point. I already had those thoughts when I read about it as well, thankfully though this should really only affect either the websites you recently added (which might still have a valid session ongoing), I really hope there are no websites around that never change the session. But as you said, you can't know so it's always the safest to change the passwords to make sure.
@bertblankenstein3738 1 year ago
Agreed. It would seem unlikely that session ids in a url would persist. I'm pretty sure that banks (financial institutions), Google, MS, FB/Insta, Tweety and more, would allow session IDs to be persistent, especially on different IP addresses.
@emaij 1 year ago
Where is the outrage? Reminds me of the Catholic Church scandal. Why are we not hearing from the CEO of last pass? What is the company doing about it? Where is their response?
@Tech-geeky 1 year ago
All that being good, but do you really think people will be any safer if they hear from a CEO? It's done, and no amount of hearing from an expert is gonna change that, because they can't. No amount of "sorry stories" from a CEO is gonna get back what's now public... And you only get [1] chance. By definition, users make THAT happen when we *decide* to engage in cloud services for convenience. That's why I will always say "no matter who people try and blame, it still always comes back to the user." I'm not saying they asked for this to happen, but it's not like they thought about it either.
@superdaveofendor 1 year ago
Shannon says leave Last Pass. Done!
@williamwilliams7706 5 months ago
I love tripe too! Big thumbs up for that last session info. Going through the log-ins exported from Chrome to 1pass I noticed these weird looking URLs? with a bunch of extra nonsense. I'm deleting those too. Thanks. (I doubt that making a mistake will lock me out of anything important.)
@real_rivolta 1 year ago
Say NO to EVERY password manager!
@shadow-wulf 1 year ago
You do know there are old people with difficulty remembering their names, let alone passwords? Writing it down in that 3-ring binder beside your computer with the label PASSWORDS is safe until you're robbed like my in-laws. Then you've handed them the keys to the kingdom.
@ericbursley9464 1 year ago
We really need to go passwordless. I like the direction Microsoft has gone with their accounts.
@michaell1603 1 year ago
So Microsoft uses their auth app instead of a password right? What happens if you lose your phone? How are you going to re-authenticate on a new device?
@ericbursley9464 1 year ago
@michaell1603 You have more than just the Auth app configured. I use three methods for account access.
@BrianGlaze 1 year ago
I was just commenting on Gary's video about how part of the reason I haven't committed to using a password manager is that I'm in a constant state of concern that the password manager service will get hacked.
@AJ-po6up 1 year ago
Then use an open-source local password manager like KeePass and have absolute control over your vault.
@BrianGlaze 1 year ago
@AJ-po6up Fair point. I've been considering it.
@shaunreich 1 year ago
There are local-only password managers. That would solve your problem there. Bitwarden has that ability I believe, but also KeePass.
@rfkgaming 1 year ago
KeePass or other locally hosted ones work, just never lose the database.
@rysieklee9866 1 year ago
An updated video would be great but personally, I'd really like to hear about local options (especially open source) as this was something I didn't find much information on when I did my research last year.
@BrianTeague00 1 year ago
I use Bitwarden, which is open source - you can run your own vault server if you like. I like it so much that I pay their annual fee for 2FA.
@blindtechworld 1 year ago
Take a look at bitwarden
@esquilax5563 1 year ago
If you mean offline options, I'm very happy with KeePassXC
@rysieklee9866 1 year ago
@esquilax5563 Thanks, I'll have a look.
@MartinParnham 1 year ago
That thing about session IDs is a great shout, and I need to check mine. I am not a fan of LP linking the session to the password anyway as it doesn't always recognise. I am one of those people who tries not to save and autofill passwords - in other words I log in anew each time - which can be a pain in the arse but surely that has to be more secure!?
@BlackLabelExpat 1 year ago
In terms of 2FA I don't really like the hardware keys because it depends a little too much on the OS. I prefer the authentication apps on separate devices that are not connected to the internet. It's a bit more universal, and you can still write your key down on a paper and wipe your device add it back later.
@flynntsang 1 year ago
Hey there! What do you mean by the hardware keys are dependent on the OS?
@BlackLabelExpat 1 year ago
@flynntsang Hardware keys are physical and require a physical receptor to identify and validate; they can cause compatibility issues if the software being authenticated is multi-OS and multi-device. For example, if you use a password manager that requires 2FA on multiple devices, such as Windows, Mac, Linux, Android, and iPhone, it may not be easy to register one hardware key for all devices. And what happens when you upgrade your devices in the future? Will they always be compatible with your current hardware key? On the other hand, an authentication software key is just data that can be used for any and all human inputs. Additionally, you can write down the key on paper and delete the app for increased security, only adding it when you need to use it. I'm not saying that hardware keys aren't useful, I have one myself. However, I think it's important to consider the downsides before making a decision, as it's more of a situational choice.
@xe-wf5iv 1 year ago
@flynntsang For an OS to do anything it requires a driver to translate the messages the device is sending. There is no universal 2FA key that is recognized by every OS. There is also not even a universal 2FA key standard established on the internet. For example FIDO2 has a lot of promise... but hardly anyone uses the standard. The few sites that do have 2FA use OTP, which is very outdated and insecure at this point.
@timsexton 1 year ago
Affected users should always presume security hacks on their password manager vendor were worse than initially thought - on principle. Thanks for this useful information. *_TRUST !!_*
@peterlewandowski9912 1 year ago
It's unfortunate - what really sucks is that for my job, I have to use a password manager that the company approves. LastPass is one of them, and I've been using them for almost 2 years! =(
@MrPontiac005 1 year ago
😯
@ShannonMorse 1 year ago
I have a lot of close friends who are in the same boat.
@mohammedshengheer3730 1 year ago
This is a big issue for businesses, other competitors in the password manager market should focus on the migration from LastPass and make it as easy as possible, while maintaining the same policies and settings from LastPass.
@Tech-geeky 1 year ago
😆 Oops... that's a bad boss. There's still nothing wrong, but we all get scared the moment someone has proprietary source code. I think the biggest thing is users just have to start accepting breaches will always happen, no matter how great of a security model we have... There is such a thing as "security is good enough for the individual."
@pat999x 1 year ago
I use password management software that keeps my passwords on my local computer. I don't think that I am perfectly safe, but I am a small target
@MrPontiac005 1 year ago
I'm glad I moved to Bitwarden before that happened based on your password manager recommended video.
@ShannonMorse 1 year ago
Great choice 😊
@cinnamon4183 1 year ago
You should still double check your passwords. Even if you deleted your LP account, considering everything we've seen I wouldn't be surprised if it turns out LP have a very lax attitude regarding GDPR / Data Protection for backups.
@MrPontiac005 1 year ago
@cinnamon4183 Excellent idea.
@wizardofki 1 year ago
I guess the session hijacking was the scariest part of this breach. IMHO, I thought that Lastpass could have been more transparent (especially in August when they sent their first notification) about what was taken and the scope of the breach instead of, as you mentioned, letting users know that it was worse than they originally stated in subsequent communications. I previously thought that session hijacking was called browser hijacking. Still, a Web search on that term just returned good but usual advice about running an antivirus, firewall, VPN, and keeping your OS and software up-to-date. I have heard that session hijacking has gotten so sophisticated that hackers will set up a browser to look like your browser to Websites including fake IP addresses from your location.
@Raika63 1 year ago
Would love to get an overview of some of the alternatives. It's been a while since I looked and I feel like searching is just going to show me who has the best SEO unless I spend an inordinate amount of time digging for myself.
@shaunreich 1 year ago
I mentioned this elsewhere, but I would start and stop my search at bitwarden. See my comment at the top, I've found it to be much better. I'm not a shill I just am very pleased with them and it is free lol
@Endpoint101 1 year ago
Bitwarden ftw
@jorgefrias6100 1 year ago
Pocket Pass Manager for iOS, 100% local, access from other devices with an integrated web server, and you can import the passwords from other devices. Indie developers, and all the security stuff from open source. It's crazy good.
@modembuddy 1 year ago
So glad I stuck with one password for everything on this post-it attached to my monitor.
@firdaushbhadha2597 1 year ago
HOLY CRAP! I remember Shannon from watching TWIT before Leo became super annoying (among other things). Thank you for starting your own channel so your voice is heard...
@ShannonMorse 1 year ago
🫢🫢🫢
@zadekeys2194 1 year ago
Honestly, the app stores should start pulling software that has had a breach until a quality external audit had been passed.. it protects clients in many ways...
@Tech-geeky 1 year ago
People complain when something gets taken down "as is", accidentally or deliberately, and you want them to wait longer? Good luck to you sir... Everything is a balance, unfortunately.
@zadekeys2194
@zadekeys2194 Жыл бұрын
@@Tech-geeky most people don't have a clue re modern digital security and how to keep themselves safe. Like a parent, you sometimes need to do what is best for them, and ignore their dislikes. Also, it's not like every 10th app is going to suddenly get taken away. It's probably 1 in every 1k apps.
@byrd203
@byrd203 Жыл бұрын
Heres what i recommend go to all of your accounts hit log out of all devices then relogin so that forces links to be invalid
@edwardfletcher7790
@edwardfletcher7790 Жыл бұрын
That t-shirt is amazing, really cool hair match👍😆
@aaronmicalowe 1 year ago
Session hijacking can be greatly reduced by monitoring when the session is and making the date and time part of the session ID.
@DiceMasterChannel 1 year ago
2023 recommended password managers please. 🙏
@GregoryFolk 1 year ago
Great video! I'd love to see a video from you about the password managers available now and how secure they are or aren't now. Personally, I'm interested in a cloud-based service, so I'd also love to see you break them down by type (local, cloud-based, etc.) and the trade-offs of each type. Thanks! :)
@SirBlackReeds 1 year ago
Would it actually be good? The rule of thumb with these peacocking weirdos is to avoid them.
@craigbailey9487 1 year ago
Thank you! I love the tech videos, but this is great information!😎
@MorbidGod391 10 months ago
1:05 oh I remember how awful this was. It was the hack that kept on giving… giving to hackers, that is. :/
@PassionataDance 1 year ago
Password vaults should never be stored on the cloud.
@calebmccool 1 year ago
Quick question: After a hack like this, is it too paranoid to change every password, username, email, 2FA, and credit/debit card? I dealt with a hacker who took all personal info & then 'ransomed' my accounts. Very scary experience that I never want to go through again.
@rfkgaming 1 year ago
Nope, you can change all that. The credit you can keep the same; if it's used and it was not you, you can do a chargeback and such.
@jonnyhepcat 1 year ago
Great information! You gave me more to think about on this hack.
@ivanlawrence2 1 year ago
"She KNOWS it's a MultiPass" :) (I just now noticed your "Multi Pass" in the background.)
@RadfordCastro1 1 year ago
I just left those fools. They are not doing what's necessary to resolve the problem. They're going to get hacked again. Love the Mononoke shirt btw. Forest spirit ftw.
@altaporro 1 year ago
Excellent video. None of this is going to make sense until password manager companies are reasonably, legally liable for the damages they cause by screw-ups like this.
@bassmaiasa1312 1 year ago
Not just password managers. The whole tech industry is basically an organized cybercrime family.
@andyburns 1 year ago
Password manager companies could never afford the insurance to back that liability!
@mschwage 1 year ago
@andyburns wow, so true! ... Things that make you go, "hmmm..."
@beltaxxe 1 year ago
I was looking forward to this one, thanks
@ShannonMorse 1 year ago
Hope you enjoyed it!
@noneyabusiness9636 1 year ago
Shannon's channel is underrated.
@garys2187 1 year ago
It is great in every respect !!
@byrd203 1 year ago
If you use a Mac or iPhone, you can use the password manager built into the Mac or iPhone. Keychain works well on current devices like phones, Macs and even PCs with the Windows Store app.
@TheTaipan 1 year ago
New password manager vid would be great. I'll be moving away from LastPass soon ;)
@ProblematicParag0n 1 year ago
LastPass is my last password manager now
@ShannonMorse 1 year ago
Are you considering switching?
@ProblematicParag0n 1 year ago
@ShannonMorse yup, just gonna use the Firefox one
@pcislocked 1 year ago
Not a LastPass user, but any recommended way or tips to change 200+ passwords quicker? Just curious.
@flynntsang 1 year ago
It is a world of hurt and pain. I had a few techniques to minimize dupes when exporting from various pw managers to 1Password, like using spreadsheet text functions to extract domain names in URLs and then sorting by the domain name to find dupes. That way I had fewer to import. But the actual process is painful, painful, painful. My only tip is in 1Password you can create different vaults. As you verify a password, move it to a "clean" vault.
@pcislocked 1 year ago
Oh. Indeed, pain it is. I created folders in KeePass to do the same thing you mentioned.
@verumignis4778 1 year ago
"The source code was leaked" WHY THE HELL IS SOMETHING THAT HAS TO BE AS SECURE AS A PASSWORD MANAGER CLOSED SOURCE??????
@roobscoob47 2 months ago
Thanks, Shannon~
@stanjackson007 1 year ago
Madame , Security Morse 👩.... I 🙎🏾‍♂luv🖤❤ your Style of Thinking , & the Moves that can keep us all safe with Important Documents 🏮🏮🗞🖇📚 & Money 💰💸❗.... for that , ... I 🙎🏾‍♂thank👋🏾you ❗.... From S J 🙎🏾‍♂ = D M V Production 📺🎥📸📹❗...... PEACEEEEE 🙏🏾 💪🏾✌🏾❗💯
@yellowticket9673 1 year ago
Now I know why I got an explosion of spam using my real name to my non-named email. I also got a text notification to my cell phone that I had spent $360 on an armoire...
@pullybungieharder 1 year ago
Thanks for the walkthrough of the issues.
@acrodrigues1 1 year ago
I use the hell out of KeePassXC/DX on Linux and Droid.
@halfthehalfer 1 year ago
I would love to see a video about local solutions that I could use so as not to have to use a cloud service. And as @Esper Wyrenth said, if you could show the process of migrating everything, that would be great. It may also be a good video idea to show the best ways to secure multiple accounts for different uses, such as having multiple emails for different things or any other good practices that would come along with that.
@joshuapk9808 1 year ago
KeePassXC is one of the best local PW managers.
@kuhndj67 1 year ago
SplashID… been around forever and can be completely non-cloud. Very basic, but if you want all the “features” you have to deal with this risk.
@davidriosg 1 year ago
For most people it's really overkill to not use a cloud service, provided it's like Bitwarden that only stores encrypted data and that your master password is complex (at least 14 random characters including symbols). A local-only solution is potentially more secure but it's also waaaay more difficult to manage.
@halfthehalfer 1 year ago
@davidriosg I'm okay with the management, honestly. I care more about the security than having to keep up with it. I'll look at Bitwarden though and see what it is about.
@JAFOpty 1 year ago
I stopped using LP since the 1st hack years ago....
@briancoverstone4042 1 year ago
Do any password managers have a way to auto-rotate all your passwords? Then set up a scheduled rotation once a year?
@nzhook 1 year ago
The session ID in the URL can be a necessary evil, especially with the "don't allow any cookies" popups. Good and bad cookies and how security and privacy don't always mix well could be a whole video in itself.
@ShannonMorse 1 year ago
But hopefully sites are doing it right and won't fall to session fixation or anything. 🤪
@CriusDigital 1 year ago
Wow, you got 700 subs in 2 days? Your subscriber counter is doing its thing!
@ShannonMorse 1 year ago
Yup lol 👍
@alonzosmith6189 1 year ago
Thank U for sharing this information.
@ShannonMorse 1 year ago
My pleasure
@ilannguaqjonathansen8208 1 year ago
Or self-host a PW manager with the likes of KeePass and such
@UndregoGrey 1 year ago
Switched to locally hosted Bitwarden
@the_one_named_harris 1 year ago
I switched from LastPass years ago because they wouldn’t let me log in for a whole day
@JonnyTheLarge 1 year ago
Awesome video Shannon. Just a heads up, you missed the embed for the "Watch this about Yubikeys" etc. Love your content. Have an awesome day.
@ShannonMorse 1 year ago
I fell asleep, I'll add it in this morning 😅
@JonnyTheLarge 1 year ago
@ShannonMorse no probs. I don't blame you. Great video though. Re LastPass, we use it in our business but are looking to move to something else. We do understand however that our data is safe because we are federated. Would you agree?
@jordancrowley9536 1 year ago
I switched to Bitwarden when LastPass changed their business model
@TronSAHeroXYZ 1 year ago
What if the password site gets hacked? Password savers defeat the purpose of having a password in the first place.
@word42069 1 year ago
Great video!! This is my ultimate issue with cloud password managers… lots of eggs in one basket. I’m not inherently opposed to the idea but I don’t believe in putting too much information in one place or tied to one account.. keep yourself wide. I also don’t save my login info anywhere and use Yubikey 2FA for my most secure accounts!
@BradleySmith1985 1 year ago
A rainbow list with a decrypt bot can get in. It's just going to be a matter of time. So yes, change all your passwords you had on LastPass. Once they're in, they're in. They will get your master pass and will unlock all your data.
@justcommenting4981 1 year ago
I love Princess Mononoke. One of my few remaining DVDs.
@aaronmicalowe 1 year ago
Don't use password managers. Just memorize them. Putting all your eggs in one basket is just dumb.
@yourma-uh5um 1 year ago
That's easy enough if you use one password for all of your accounts, but if you want to keep your online accounts secure and compartmentalize each account so one hack doesn't lead to another account being hacked, then you need to use different passwords. Using random, super long strings of characters as your passwords for each account and storing those passwords in an encrypted file/database on a local machine is the best way to secure your passwords. You can even set up 2FA on some managers using either a secondary password or a biometric such as a fingerprint reader. Someone will need access to your device and user account where the database is kept, and they will need to know your master password and have your severed finger/thumb on hand to access it.
@kbruff2010 1 year ago
How do you switch and take all your information with you without exposure?
@Tyler_Shaw 1 year ago
Can you link your roundup of password managers?
@gd.ritter 1 year ago
If you have a Yubikey on your LastPass account, does that still protect you from brute force if they have the encrypted data in their possession? I guess I don't know if the MFA key is just queried to log in or does it get integrated somehow into the encryption itself?
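Several comments above (the 14-random-character master password, the "rainbow list" worry, and the question of whether a YubiKey still helps once the encrypted vault is in someone else's hands) come down to one design fact: in the usual vault design the decryption key is derived from the master password alone, and MFA is checked by the server at login. The Python below is an added example written for this thread, not LastPass's or any vendor's code. The KDF iteration count, account names and passwords in it are constructed, and the HMAC "verifier" stands in for the authenticated-encryption check a real vault performs.

```python
"""Why a stolen encrypted vault is only as strong as the master password.

Added illustration, not LastPass's or any vendor's code. It assumes the
common vault design in which the key that decrypts the vault is derived from
the master password alone (PBKDF2-HMAC-SHA256, salted with the account
e-mail) and a second factor such as a YubiKey is checked only by the server
at login. Names, iteration count and sample values are constructed.
"""
import hashlib
import hmac
import math

ITERATIONS = 100_000  # hypothetical KDF cost; real vendors publish their own figure


def derive_vault_key(master_password: str, salt: str, iterations: int = ITERATIONS) -> bytes:
    """The only inputs are the master password and the per-account salt.
    Nothing about MFA enters here, so MFA cannot slow down offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen=32)


def make_vault_verifier(key: bytes) -> bytes:
    """Stand-in for the authenticated-encryption check of a real vault:
    lets anyone holding the vault test whether a key opens it, offline."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()


def key_opens_vault(key: bytes, verifier: bytes) -> bool:
    return hmac.compare_digest(make_vault_verifier(key), verifier)


def server_login_allowed(password_ok: bool, mfa_ok: bool) -> bool:
    """The server gate. This is where a YubiKey protects you: it stops
    logins to the live service, not decryption of an already-stolen copy."""
    return password_ok and mfa_ok


def guesses_needed(candidates, salt: str, verifier: bytes, iterations: int = ITERATIONS):
    """How many KDF evaluations a holder of the stolen vault must perform before
    a candidate list opens it; None if no candidate matches. The per-account
    salt means a precomputed ('rainbow') table built for another account is useless."""
    for n, guess in enumerate(candidates, start=1):
        if key_opens_vault(derive_vault_key(guess, salt, iterations), verifier):
            return n
    return None


def master_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password, e.g. 14 printable-ASCII characters."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(entropy_bits: float, kdf_per_second: float) -> float:
    """Worst-case time to try the whole password space at a given KDF rate."""
    return (2 ** entropy_bits) / kdf_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = "alice@example.com"  # constructed
    verifier = make_vault_verifier(derive_vault_key("correct horse battery staple", salt))
    print("login with password but no MFA:", server_login_allowed(True, False))
    print("guesses needed for a tiny wordlist:",
          guesses_needed(["123456", "password", "correct horse battery staple"], salt, verifier))
    bits = master_password_entropy_bits(14, 94)
    print(f"14 random printable chars: {bits:.1f} bits, "
          f"{years_to_exhaust(bits, 1e9):.2e} years at 1e9 KDF/s")
```

Two things to notice when running it: `server_login_allowed` is the only place MFA appears, and `guesses_needed` works from nothing but the stolen verifier and salt. The per-account salt is also why a precomputed table from some other breach does not transfer; what limits the attacker is the KDF cost multiplied by the number of guesses a strong master password forces.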
@kildozer2012 1 year ago
This is exactly why I'm staying old school and keeping my user names and passwords written down in a PHYSICAL notepad. There is no such thing as a perfect system to protect yourself from these types of attacks, even what I'm doing. All it would take for my passwords to be stolen is someone breaking into my house, but that's much harder than someone sitting at their desk.
@RolandHazoto 1 year ago
There is a perfect system though. Just make a formula that only you would understand that you use to create a new password for every site. For example: A word related to the site, followed by your cat's name, followed by a string of numbers and/or symbols derived from the site name/URL. It's not the strongest example, but I think you get the idea.
@kildozer2012 1 year ago
@RolandHazoto Not a bad idea in all honesty
@reefhound9902 1 year ago
@RolandHazoto Except then the problem becomes remembering which word you used, for hundreds of sites.
@RolandHazoto 1 year ago
@reefhound9902 hey meng, it was just an example, not an instruction manual xD
@jorgefrias6100 1 year ago
You need to try Pocket Pass Manager, it's a local-exclusive password manager. If you need the keys on another device, the phone creates a local webpage so you can access them from the computer. The passwords never travel the internet!
@michaelkrizmanich8010 1 year ago
This video sounds like a sales pitch for DeleteMe.
@alphabee8171 1 year ago
Don't sessions have expirations?
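On the two practical questions in this thread, "don't sessions have expirations?" and the earlier advice to log out of all devices and log back in: both are enforced server-side against a session record, not inside the token the browser holds. The following is an added illustration, not code from LastPass or any site discussed here; the timeouts are hypothetical and the clock is injectable so the expiry paths can be exercised without waiting.

```python
"""Server-side sessions: what 'sessions expire' and 'log out of all devices'
actually do. Added illustration with constructed values; not the code of
LastPass or of any site mentioned on the page. Timeouts are hypothetical.
"""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap from creation, regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory store keyed by an unguessable random token.

    Timestamps live in the server record, not inside the token, so the token
    itself reveals nothing and cannot be forged or extended by the client.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable for tests
        self._sessions: dict[str, Session] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str):
        """Return the user for a live token, or None. Expired sessions are
        dropped on sight, so a leaked token only works inside its window."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(token, None) is not None

    def revoke_all_for_user(self, user: str) -> int:
        """'Log out of all devices': every token for the user dies at once,
        which is what makes already-leaked tokens worthless."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def rotate(self, token: str):
        """Issue a fresh token and kill the old one (after login or a
        privilege change), the standard defence against session fixation."""
        user = self.validate(token)
        if user is None:
            return None
        self.revoke(token)
        return self.create(user)

    def live_count(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)


if __name__ == "__main__":
    store = SessionStore()
    laptop = store.create("alice")
    phone = store.create("alice")
    print("laptop valid:", store.validate(laptop) == "alice")
    print("sessions revoked by logout-all:", store.revoke_all_for_user("alice"))
    print("laptop after logout-all:", store.validate(laptop))
```

Because the timestamps live in the store, the token needs no embedded date; it only needs to be unguessable. `revoke_all_for_user` is what a "log out of all devices" button calls, and `rotate` is the session-fixation defence Shannon mentions above. The absolute lifetime is the part that matters for a stolen token: idle timeouts alone never fire for a token that someone keeps using.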
@noenken 1 year ago
Great information! I bet a certain Jerry will be very interested in this. ;-)
@emaij 1 year ago
And where is Karim Toubba?
@gorilladev 1 year ago
I can't understand why people opt in to save their passwords on third-party entities.
@ErichSchulz 1 year ago
I switched from LastPass to Bitwarden when the first breach was announced. Does anyone have a recommendation for an MFA app that would be a good replacement for LastPass Auth or Authy?
@GothPanda 1 year ago
Believe it or not, Bitwarden itself will do MFA for you. You just have to add the shared secret to the site like you would a password, and it'll generate codes for you, and even let you copy them like you can the username or password. It's putting all the eggs in one basket, which may or may not be a good idea, but it does do it.
@ken-rx6hb 1 year ago
Aegis Authenticator is great if you'd rather not do what Trevor mentioned! I enjoy it because it can do automatic encrypted backups.
@GothPanda 1 year ago
@ken-rx6hb That actually does sound like a darn good feature! I'll have to check it out for the couple of MFAs I'd like to keep outside of Bitwarden.
@lea7802 1 year ago
+1 to Aegis, it's really good, check it out.