LastPass had a breach.

You should just go ahead and use Bitwarden already.

https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/

Notice of Recent Security Incident - The LastPass Blog

We are working diligently to understand the scope of the incident and identify what specific information has been accessed.

@gamingonlinux you can tag them here as well ;) @bitwarden
@gamingonlinux Or if you're self-hosting, Vaultwarden is also an option :)
@gamingonlinux Do you think this can't happen to Bitwarden?
@arturobg @gamingonlinux it keeps happening to LastPass over and over.
@arturobg @gamingonlinux We don't have to assume, we have data. Take a look at how many times #LastPass has had to disclose a #breach vs. how many times #BitWarden has. The former is much higher than the latter.
@jik @arturobg @gamingonlinux Any online stored database is potentially vulnerable. We use locally hosted password managers, one for our system management stuff that can do RBAC permissions for view/write/change/delete along with a just-in-case backup on a standalone device, and we make Keepass available to users - it's even on our corporate app store. ALL databases are maintained on premises. I'd never sanction a password database that was hosted in the cloud. It's utter folly to do so.
@gamingonlinux Or literally any open source solution that doesn't store ALL OF your P A S S W O R D S on a random server somewhere you have zero control over.
I set up Vaultwarden to keep it all local on the LAN
@gamingonlinux I was uncomfortable with LastPass years ago, so I transitioned to 1Password, which is...fine.

@gamingonlinux the most important part of any hack on password managers is to change all your passwords, or at least the ones that are valuable.

with such valuable information, all password managers are prime targets for attacks and it's most likely not if, but when they'll get hacked.

@gamingonlinux after they told me that PayPal would no longer be accepted and that they would raise my subscription to the current listed price (member since 2014, been paying $12/year until now), plus this breach, are enough reasons to push me to BitWarden. Way to treat their long-time customers.

@gamingonlinux

@hrbrmstr Can I get your take on this?

@alexpghayes @gamingonlinux Def pass on LastPass.

Their breach response was atrocious, *especially* since they're a "cybersecurity" company.

They should know better.

Nobody should use them.

I use Bitwarden and intend to set up my own personal BW server on my Tailscale network in '23 (it's all FOSS).

Also: sending good thoughts re: grading 250 papers on confidence intervals.

@hrbrmstr @gamingonlinux hmmm okay. might give it a try. just got the whole family going with LastPass so I'm not sure if I can get everyone to switch over. is there a writeup somewhere I can point them to? I'm worried "the people I trust on mastodon told me to" won't be the most compelling reason
@hrbrmstr @gamingonlinux am also worried about how it's gonna look to go from "infosec people say to use a password manager" to "lol not that one, that one is maybe unsafe"

@alexpghayes @gamingonlinux there hasn't been a lot of public commentary on it that's as hyper-critical as a bunch of us who criticized them for their response transparency.

If you've already convinced a bunch of folks to use a password manager (and LastPass specifically) then I wouldn't go through the pain of changing.

None of the good ones store what matters most: the master passphrase/password you use to decrypt your own vaults.

@alexpghayes @gamingonlinux So, it's more of a "if you haven't used a password manager before or are considering switching password managers, for the love of henry, please do not reward LastPass' sloppy cybersecurity incident response practices by using them now".

@gamingonlinux

or you could just... use a memorable password scheme?

I know someone did the math on the whole XKCD correct-horse thing and technically it's less secure, but given how often stolen credentials are acquired from data breaches where the power level of your password doesn't matter, I'd posit the pros outweigh the cons in that you can easily memorize a massive list of passwords using the correct-horse method but you MUST rely on a 3rd party for massive randomized passwords

@sahbisauce @gamingonlinux you can host your own bitwarden server, you don't have to rely on anyone else.

@famicom

sure, but that's still a point of failure when you could just keep everything in your head.

the only thing you have to worry about then is the angry FBI agent with a large wrench

@sahbisauce unfortunately, my head has more holes than a sieve. Sometimes I straight up forget names of people whom I've known for decades. There's no way I'll manage to keep 50 passwords in there, no matter how memorable they are.
@gamingonlinux if you're going to store passwords in the cloud at least store them in a cloud service you control
@gamingonlinux or you could just use keepass-xc if manual or no sync's not an issue
@gamingonlinux I moved from LastPass to KeePass2 (now KeePassXC) years ago. It's awesome. But I recommend Bitwarden to non-tech-savvy friends and family.
@gamingonlinux
KeePassXC and KeePassDX (Android) plus Syncthing ^_^J
@gamingonlinux You realize that #Bitwarden isn't magically immune to any sort of breach simply by not being #LastPass, right?
@gamingonlinux That "Zero Knowledge" bit is the key to me. I'm a regular guy, so personal info on me is all over the place. But my understanding is that my passwords are as secure as they were before this breach. My stupidly-long passphrase is doubtless breakable by a nation-state but who else can handle that kind of crack, really?
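Added example, not code from the thread and not Bitwarden's or LastPass's own implementation: a stdlib-only model of the "zero knowledge" design @hrbrmstr's reply and the post above refer to, where the server holds only a hashed login token and an encrypted blob and never sees the master passphrase or the vault key. The email-as-salt, the 600,000-iteration PBKDF2 and the HMAC-based stream cipher are assumptions of this model (the cipher stands in for AES-GCM, which hashlib does not provide).

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed KDF work factor; every offline guess at the passphrase pays this cost
_sub = lambda key, label: hmac.new(key, label, hashlib.sha256).digest()  # derive a labelled subkey


def derive_keys(email: str, passphrase: str) -> tuple:
    """Client side only: stretch the passphrase into a vault key and a separate login token."""
    master_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), email.lower().encode(), ITERATIONS)
    # One more one-way step, so the server can verify logins without ever seeing master_key.
    login_token = hashlib.pbkdf2_hmac("sha256", master_key, passphrase.encode(), 1)
    return master_key, login_token


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(_sub(enc_key, nonce + counter.to_bytes(8, "big")))
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC stream cipher (HMAC as PRF) standing in for AES-GCM."""
    enc_key, mac_key = _sub(master_key, b"enc"), _sub(master_key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_vault(master_key: bytes, blob: bytes):
    """Returns the plaintext, or None when the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _sub(master_key, b"enc"), _sub(master_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enrol(email: str, passphrase: str, vault: bytes) -> dict:
    """Everything the server ever stores: a hashed login token and an opaque ciphertext blob."""
    master_key, login_token = derive_keys(email, passphrase)
    return {"email": email, "login_hash": hashlib.sha256(login_token).hexdigest(),
            "vault_blob": encrypt_vault(master_key, vault)}


def open_vault(record: dict, passphrase: str):
    """Client recomputes the keys from the passphrase; the server record alone cannot."""
    master_key, login_token = derive_keys(record["email"], passphrase)
    if hashlib.sha256(login_token).hexdigest() != record["login_hash"]:
        return None  # login rejected before any decryption is attempted
    return decrypt_vault(master_key, record["vault_blob"])
```

If a copy of the server record leaks, the leaked login hash and blob only let someone test passphrase guesses offline at ITERATIONS PBKDF2 rounds per guess, which is why the length of the master passphrase, not the breach itself, decides how exposed the vault is.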
@gamingonlinux at this point my concern is more about how companies respond WHEN they are breached and not that they did. It is probably just a matter of time before Bitwarden has a breach.
@gamingonlinux KeepassXC is great, but Availability is critical with password storage. If you lose your database, you've just lost access to dozens of sites. Don't be recommending people use it without some sort of foolproof recovery plan.
@sagefault @gamingonlinux just use an encrypted file with gpg or whatever then you can store it literally anywhere and you don't have to worry about no stupid manager.
@sagefault @gamingonlinux put it on 3 usb sticks and 2 sd cards and have a local copy and maybe store a copy in your private server or whatever 😆
@gamingonlinux

So far it looks like the actual password data was not compromised (they claim to use true e2ee). Letting customer data get compromised, though, indicates poor business management. Their focus is too much on profit and not enough on operational security.

I am learning that I am the one person who really cares about my privacy and security.

Selfhosted solutions are the answer.
@gamingonlinux nah not a breach.
LastPass had _another_ breach. As in every year if I'm not mistaken...