https://pjmedia.com/news-and-politics/gregbyrnes/2023/02/28/lastpass-vault-breached-via-employees-home-computer-giving-keys-to-the-kingdom-to-hackers-n1674308

"Millions of LastPass users may be at risk after a major breach of the
home computer of one of their top employees. This employee was only
one of four people in the company with access to their corporate
vault. The breach may have come through a home Plex media account,
according to Ars Technica*, and appears to have been perpetrated by
the same hackers who breached LastPass security on a smaller scale
last August. At about the same time, Plex’s security was also
breached."

*https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/

This is wjy I don't use password mangagers. I keep my
passwords/phrases in a PGP file on my comp.
Yeah, I gotta copy paste after opening the PGP, but it is safer than
using password "protector" dumbware like LastPass.

On Tue, 28 Feb 2023 20:04:06 -0600, mike@notyahooie.com said in
Message-ID: <9gctvhheefdqp9ria0p1kh5gh41gqqjm9d@4ax.com>:

> https://pjmedia.com/news-and-politics/gregbyrnes/2023/02/28/lastpass-vault-breached-via-employees-home-computer-giving-keys-to-the-kingdom-to-hackers-n1674308
>
> "Millions of LastPass users may be at risk after a major breach of the
> home computer of one of their top employees. This employee was only
> one of four people in the company with access to their corporate
> vault. The breach may have come through a home Plex media account,
> according to Ars Technica*, and appears to have been perpetrated by
> the same hackers who breached LastPass security on a smaller scale
> last August. At about the same time, Plex’s security was also
> breached."
>
> *https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/
>
> This is wjy I don't use password mangagers. I keep my
> passwords/phrases in a PGP file on my comp.
> Yeah, I gotta copy paste after opening the PGP, but it is safer than
> using password "protector" dumbware like LastPass.

The problem isn't password managers, per-se -- the problem is relying on a cloud-
based provider like LastPass. BTW, using PGP is a *great* idea for protecting
your passwords and other confidential data, especially if you use symmetric
encryption to do so, using a Diceware™ passphrase.

Back in the day, in a moment of madness, I seriously considered using LastPass,
but ultimately what turned me off, and made me change my mind, was the cloud-
based nature of the service. I just don't feel comfortable storing /any/ data in
the cloud, regardless of its' sensitivity.

On 2/28/23 20:04, mike@notyahooie.com wrote:
> https://pjmedia.com/news-and-politics/gregbyrnes/2023/02/28/lastpass-vault-breached-via-employees-home-computer-giving-keys-to-the-kingdom-to-hackers-n1674308
>
> "Millions of LastPass users may be at risk after a major breach of the
> home computer of one of their top employees. This employee was only
> one of four people in the company with access to their corporate
> vault. The breach may have come through a home Plex media account,
> according to Ars Technica*, and appears to have been perpetrated by
> the same hackers who breached LastPass security on a smaller scale
> last August. At about the same time, Plex’s security was also
> breached."
>
> *https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/
>
> This is wjy I don't use password mangagers. I keep my
> passwords/phrases in a PGP file on my comp.
> Yeah, I gotta copy paste after opening the PGP, but it is safer than
> using password "protector" dumbware like LastPass.

Write your passwords down and keep them in a real safe. A decent
fireproof safe can be had for $250. Bolt it to the floor and fill the
bottom half with a ton of bricks or bags of sand. Nobody is carrying it
away like that. A small, 6-gun safe can be filled up halfway with 1500
lbs of fire brick or sand, then the paperwork and password backups can
be kept in a fireproof lockbox inside the safe on top of the bricks. The
double fireproof setup will guarantee that your paperwork will not burn,
and the bricks will absorb and distribute most of any heat that does
seep in, spreading it out and reducing the air temperature inside the
safe in the event of a fire. Even if your house or office burns to the
foundation, your backups will be in good shape.

I keep multiple safes in different locations to protect my vital
information and redundant backups. I have two dozen USB backups spread
out among my safes. If one stops working I buy two new drives and
replace the broken one with two more. That's why I'm up to two dozen
already.

I rotate the USB drives between the safes and office, swapping out the
rotation every time I go the rounds. People must think I am a gun nut,
when they see two gun safes in my office, but I don't even tell them
there are no guns in the gun safes.

My disk encryption passwords are not written down anywhere or in any
password manager. I don't even keep them in my safes. They are long,
complex passwords, 32+ chars long. I have had no problem remembering a
handful of such passwords for many years. Nobody can steal a password
that is not on disk or paper.

I can not see why anyone would trust their passwords to the cloud. It's
like betting your life that there isn't an encryption bug. Not for me!

No Soy <no@soy.invalid> wrote:

> My disk encryption passwords are not written down anywhere or in any
> password manager. I don't even keep them in my safes. They are long,
> complex passwords, 32+ chars long. I have had no problem remembering a
> handful of such passwords for many years. Nobody can steal a password
> that is not on disk or paper.

Great up until the moment a stroke resets that part of your memory.

On Wed, 1 Mar 2023 17:15:42 +0100 (CET), Nomen Nescio
<nobody@dizum.com> wrote:

>No Soy <no@soy.invalid> wrote:
>
>> My disk encryption passwords are not written down anywhere or in any
>> password manager. I don't even keep them in my safes. They are long,
>> complex passwords, 32+ chars long. I have had no problem remembering a
>> handful of such passwords for many years. Nobody can steal a password
>> that is not on disk or paper.
>
>Great up until the moment a stroke resets that part of your memory.

It doesn't take a stroke. if I don't use a *very* familiar password
for a while, one I thought I'd never forget, I find I've forgotten it.

On Wed, 1 Mar 2023 06:21:02 +0000 (GMT), The Stuff of Legend
<Use-Author-Supplied-Address-Header@[127.1]> wrote:

>On Tue, 28 Feb 2023 20:04:06 -0600, mike@notyahooie.com said in
>Message-ID: <9gctvhheefdqp9ria0p1kh5gh41gqqjm9d@4ax.com>:
>
>> https://pjmedia.com/news-and-politics/gregbyrnes/2023/02/28/lastpass-vault-breached-via-employees-home-computer-giving-keys-to-the-kingdom-to-hackers-n1674308
>>
>> "Millions of LastPass users may be at risk after a major breach of the
>> home computer of one of their top employees. This employee was only
>> one of four people in the company with access to their corporate
>> vault. The breach may have come through a home Plex media account,
>> according to Ars Technica*, and appears to have been perpetrated by
>> the same hackers who breached LastPass security on a smaller scale
>> last August. At about the same time, Plex’s security was also
>> breached."
>>
>> *https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/
>>
>> This is wjy I don't use password mangagers. I keep my
>> passwords/phrases in a PGP file on my comp.
>> Yeah, I gotta copy paste after opening the PGP, but it is safer than
>> using password "protector" dumbware like LastPass.
>
>The problem isn't password managers, per-se -- the problem is relying on a cloud-
>based provider like LastPass. BTW, using PGP is a *great* idea for protecting
>your passwords and other confidential data, especially if you use symmetric
>encryption to do so, using a Dicewareâ„¢ passphrase.
>
>Back in the day, in a moment of madness, I seriously considered using LastPass,
>but ultimately what turned me off, and made me change my mind, was the cloud-
>based nature of the service. I just don't feel comfortable storing /any/ data in
>the cloud, regardless of its' sensitivity.
>

What gets me about this "cloud' stuff is that the "cloud" is just
another server somewhere else on earth just like any other server.

I guess there are enough fools who believe that "cloud" actually means
the server is somewhere up in an actual cloud, nearer to God, and God
is keeping it secure.

Jeesh!

On 28 Feb 2023, The Stuff of Legend
<Use-Author-Supplied-Address-Header@[127.1]> posted some
news:20230301062102.BA2BA1200C3@fleegle.mixmin.net:

> On Tue, 28 Feb 2023 20:04:06 -0600, mike@notyahooie.com said in
> Message-ID: <9gctvhheefdqp9ria0p1kh5gh41gqqjm9d@4ax.com>:
>
>> https://pjmedia.com/news-and-politics/gregbyrnes/2023/02/28/lastpass-v
>> ault-breached-via-employees-home-computer-giving-keys-to-the-kingdom-t
>> o-hackers-n1674308
>>
>> "Millions of LastPass users may be at risk after a major breach of
>> the home computer of one of their top employees. This employee was
>> only one of four people in the company with access to their corporate
>> vault. The breach may have come through a home Plex media account,
>> according to Ars Technica*, and appears to have been perpetrated by
>> the same hackers who breached LastPass security on a smaller scale
>> last August. At about the same time, Plex’s security was also
>> breached."
>>
>> *https://arstechnica.com/information-technology/2023/02/lastpass-hacke
>> rs-infected-employees-home-computer-and-stole-corporate-vault/
>>
>> This is wjy I don't use password mangagers. I keep my
>> passwords/phrases in a PGP file on my comp.
>> Yeah, I gotta copy paste after opening the PGP, but it is safer than
>> using password "protector" dumbware like LastPass.
>
> The problem isn't password managers, per-se -- the problem is relying
> on a cloud- based provider like LastPass. BTW, using PGP is a *great*
> idea for protecting your passwords and other confidential data,
> especially if you use symmetric encryption to do so, using a
> Diceware™ passphrase.

Sucks when you die and your executor must settle your estate. You just
handed a government the majority, if not all of your hard earned assets
because nobody could access your financials for lack of password details.

The government doesn't care. They will wait the seven years to gleefully
take your money. Of course you won't care that your family was destitute
or even homeless because you're dead.

> Back in the day, in a moment of madness, I seriously considered using
> LastPass, but ultimately what turned me off, and made me change my
> mind, was the cloud- based nature of the service. I just don't feel
> comfortable storing /any/ data in the cloud, regardless of its'
> sensitivity.

Oh come on. You know India managed cloud resources are safe. Just ask
IBM, HPE, Dell and Kyndryl. They will tell you so.

On Wed, 1 Mar 2023 21:03:08 +0100 (CET), anonymous <anon@anon.anon> said in
Message-ID: <9ffc61bdcd72716096a65cf5ca2e9abe@dizum.com>:

> On 28 Feb 2023, The Stuff of Legend
> <Use-Author-Supplied-Address-Header@[127.1]> posted some
> news:20230301062102.BA2BA1200C3@fleegle.mixmin.net:
>
>> On Tue, 28 Feb 2023 20:04:06 -0600, mike@notyahooie.com said in
>> Message-ID: <9gctvhheefdqp9ria0p1kh5gh41gqqjm9d@4ax.com>:
>>
>>> https://pjmedia.com/news-and-politics/gregbyrnes/2023/02/28/lastpass-v
>>> ault-breached-via-employees-home-computer-giving-keys-to-the-kingdom-t
>>> o-hackers-n1674308
>>>
>>> "Millions of LastPass users may be at risk after a major breach of
>>> the home computer of one of their top employees. This employee was
>>> only one of four people in the company with access to their corporate
>>> vault. The breach may have come through a home Plex media account,
>>> according to Ars Technica*, and appears to have been perpetrated by
>>> the same hackers who breached LastPass security on a smaller scale
>>> last August. At about the same time, Plex’s security was also
>>> breached."
>>>
>>> *https://arstechnica.com/information-technology/2023/02/lastpass-hacke
>>> rs-infected-employees-home-computer-and-stole-corporate-vault/
>>>
>>> This is wjy I don't use password mangagers. I keep my
>>> passwords/phrases in a PGP file on my comp.
>>> Yeah, I gotta copy paste after opening the PGP, but it is safer than
>>> using password "protector" dumbware like LastPass.
>>
>> The problem isn't password managers, per-se -- the problem is relying
>> on a cloud- based provider like LastPass. BTW, using PGP is a *great*
>> idea for protecting your passwords and other confidential data,
>> especially if you use symmetric encryption to do so, using a
>> Diceware™ passphrase.
>
> Sucks when you die and your executor must settle your estate. You just
> handed a government the majority, if not all of your hard earned assets
> because nobody could access your financials for lack of password details.
>
> The government doesn't care. They will wait the seven years to gleefully
> take your money. Of course you won't care that your family was destitute
> or even homeless because you're dead.

You must take me for a complete idiot. I've made appropriate arrangements, which
have been in place for quite some time now.

>> Back in the day, in a moment of madness, I seriously considered using
>> LastPass, but ultimately what turned me off, and made me change my
>> mind, was the cloud- based nature of the service. I just don't feel
>> comfortable storing /any/ data in the cloud, regardless of its'
>> sensitivity.
>
> Oh come on. You know India managed cloud resources are safe. Just ask
> IBM, HPE, Dell and Kyndryl. They will tell you so.

I don't care what anyone says -- I simply don't trust cloud-based services, and
that isn't going to change anytime soon.

YMMV

Hi Mike,

have you read anything about an login attempt generating a MFA approve
prompt on the employees MFA device?

On 3/1/23 03:04, mike@notyahooie.com wrote:
> https://pjmedia.com/news-and-politics/gregbyrnes/2023/02/28/lastpass-vault-breached-via-employees-home-computer-giving-keys-to-the-kingdom-to-hackers-n1674308
>
> "Millions of LastPass users may be at risk after a major breach of the
> home computer of one of their top employees. This employee was only
> one of four people in the company with access to their corporate
> vault. The breach may have come through a home Plex media account,
> according to Ars Technica*, and appears to have been perpetrated by
> the same hackers who breached LastPass security on a smaller scale
> last August. At about the same time, Plex’s security was also
> breached."
>
> *https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/
>
> This is wjy I don't use password mangagers. I keep my
> passwords/phrases in a PGP file on my comp.
> Yeah, I gotta copy paste after opening the PGP, but it is safer than
> using password "protector" dumbware like LastPass.
>
>
>
>