The #breach of #LastPass revealed a poorly maintained product riddled with flaws, delivered by a company unable to explain their own failings.

Attackers were able to steal unencrypted customer data including their IP addresses and site URLs, as well as the encrypted password vaults themselves.

The product - used by over 100,000 businesses and 33 million individuals - has left long-term customers with outdated security settings, which translates directly to an increased risk of their vaults being cracked.

It's time to jump ship if you haven't already; here's why: https://opalsec.substack.com/p/last-call-for-lastpass?sd=pf

Huge shoutout to @WPalant for his detailed analysis of LastPass as a product, and for dissecting the evasive language in their latest advisory.

#infosec #CyberAttack #Hacked #cyber #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #cybersecurity

Last Call for LastPass

We examine the flaws endemic to LastPass' product, and their bungled response to and disclosure of their recent compromise.

Opalsec

@Opalsec @WPalant

Unfortunately, my university won't let me switch. How does everyone feel about using Chrome as a password vault?

@Duric It’s okay-ish. I wrote about it under https://palant.info/2018/03/13/can-chrome-sync-or-firefox-sync-be-trusted-with-sensitive-data/. Their original solution was horrible, but they’ve since improved it. So now it’s ok as long as you set a passphrase to protect the passwords (this is not the default setting).

You still have to keep in mind that passwords are the only thing protected. Everything else you choose to sync with Google servers will be unencrypted.

@Opalsec

Can Chrome Sync or Firefox Sync be trusted with sensitive data?

When using Chrome Sync or Firefox Sync, you should always choose a long randomly generated passphrase. Otherwise, your passwords won't be sufficiently protected.

Almost Secure

@WPalant @Opalsec

Thanks for the feedback. Appreciate it. I do use passphrases and I do use Chrome at home.

One more question, if I may. Can you set a separate master password on Chrome, like you can with LastPass? By default, Chrome uses your device's password.

@Duric Good question. I’ve only looked into Chrome for desktop, not the mobile version. No idea how it works there.

@Opalsec