LastPass anyone?

xiqual

Believe + Trust + Will


Hack Brief: Password Manager LastPass Got Breached Hard | WIRED
 


KeePass2 + KeeFox for Firefox integration. Runs on Windows, Mac, Linux and BSD just fine.

Only an idiot would store his passwords on someone's server.
 
The plaintext passwords were not compromised, because those only live on the users' systems. They got access to the encrypted versions of the master passwords, and the reminder text. If your master password is something like '12345', you need to go change that shit.
 
KeePass2 + KeeFox for Firefox integration. Runs on Windows, Mac, Linux and BSD just fine.

Only an idiot would store his passwords on someone's server.

So much this. Encrypted with a password that only you know and a key that only sits on your hardware. PassIFox and chromeIPass plugins. You can easily integrate it with FileZilla so you never type or store passwords in it.

The plaintext passwords were not compromised, because those only live on the users' systems. They got access to the encrypted versions of the master passwords, and the reminder text. If your master password is something like '12345', you need to go change that shit.

Why would there be plaintext passwords anywhere? They should all be encrypted too and it's the master password that decrypts them. If they're not encrypted, they're doing it wrong.
 
So much this. Encrypted with a password that only you know and a key that only sits on your hardware. PassIFox and chromeIPass plugins. You can easily integrate it with FileZilla so you never type or store passwords in it.



Why would there be plaintext passwords anywhere? They should all be encrypted too and it's the master password that decrypts them. If they're not encrypted, they're doing it wrong.


When you log into your stuffs, you need plaintext. The plaintext for the master keys is not on their servers.
 
Regardless, nobody in their right mind would store their passwords with a 3rd party online solution.
 
I've got no problem keeping stuff there encrypted when the decryption is done client-side. But I also have a strong master password, and am particular about where I run the browser plugin.
 
Why would there be plaintext passwords anywhere? They should all be encrypted too and it's the master password that decrypts them. If they're not encrypted, they're doing it wrong.
I believe they are encrypted. You use a master password to unlock your vault for the browser plugin/iPhone app (depending on your settings, each time you open your browser/go inactive for x minutes). I think the reason no passwords were compromised (beyond the encrypted master ones, which are safe as long as you use an XKCD pass) is as you're saying.
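
The split the posts above describe (decryption done on the client, only a derived value held by the service), as an added example that is not part of any post in this thread and is not LastPass's code. The PBKDF2 round count, the `Server` class and the sample passphrase are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # assumed work factor; the thread gives no figure

def vault_key(master: str, salt: bytes, rounds: int = ITERATIONS) -> bytes:
    """Key that decrypts the vault; derived and kept on the client only."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, rounds, 32)

def login_verifier(key: bytes, master: str) -> bytes:
    """One more one-way round: proves knowledge of the key without sending it."""
    return hashlib.pbkdf2_hmac("sha256", key, master.encode(), 1, 32)

class Server:
    """Hypothetical service: stores salt + hashed verifier, never key or password."""
    def __init__(self):
        self.records = {}

    def enroll(self, user: str, salt: bytes, verifier: bytes) -> None:
        self.records[user] = (salt, hashlib.sha256(verifier).digest())

    def check(self, user: str, verifier: bytes) -> bool:
        _, stored = self.records[user]
        return hmac.compare_digest(stored, hashlib.sha256(verifier).digest())

def guess_space_bits(symbols: int, length: int) -> float:
    """Bits of search space for `length` independent picks from `symbols` options."""
    return length * math.log2(symbols)

def demo() -> dict:
    salt = os.urandom(16)
    master = "correct horse battery staple"  # constructed sample passphrase
    key = vault_key(master, salt)
    verifier = login_verifier(key, master)
    server = Server()
    server.enroll("alice", salt, verifier)
    stored = server.records["alice"][1]
    return {
        "login_ok": server.check("alice", verifier),
        "wrong_pw_ok": server.check("alice", login_verifier(vault_key("12345", salt), "12345")),
        "server_holds_key": stored == key or stored == verifier,
        "bits_12345": guess_space_bits(10, 5),      # five digits
        "bits_4_words": guess_space_bits(2048, 4),  # four words, 2048-word list
    }

if __name__ == "__main__":
    print(demo())
```

What the service stores in this sketch protects the vault only as far as the master password resists guessing, which is why the two bit counts at the end differ so much.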
 
I use LastPass for tools and blogging sites, etc., but not for my main accounts. It saves time rather than going into Excel or Google Drive or whatever else people use to get passwords.

I just wish they weren't idiots!
 
I use LastPass for tools and blogging sites, etc., but not for my main accounts. It saves time rather than going into Excel or Google Drive or whatever else people use to get passwords.

I just wish they weren't idiots!

Try KeePass instead of the Excel spreadsheets. I used to do the same thing until a few years ago when my workstation got a virus and 8 sites on my server were hacked because the virus got the plaintext passwords stored in FileZilla that I had been pasting in there. If for no other reason, KeePass is much faster. You can also use it on Google Drive or Dropbox as it's encrypted and the key only exists somewhere on your hardware.
 
I only have 1 password and never changed it in 15 years. I've never been hacked. What am I doing wrong?
 
You can easily store your own KeePass database online and access it. https://www.digitalocean.com/commun...ord-file-with-nginx-on-an-ubuntu-14-04-server

Couple that with KeePass Portable which you can run off a USB stick w/o needing to install - Downloads - KeePass (Download Professional 2.xx Portable)

Open URL -> https://www.cones.gaywebmaster.org/keepass.kbdx

There are hotkeys in KeePass to make it copy the user/password to clipboard or to Auto-Type it in for you without needing a browser plugin.

You pretty much have no excuse.
 
^^ What he said.

You're not going to get better than KeePassX. Heavily encrypted, key is on your hardware, only you know the password. Plus easy shortcuts to copy passwords, auto-type them, etc. I have no clue what the majority of my passwords are, as they're all 32 random characters, and I never type them, so even if a key logger ends up on my computer all it's going to pick up is copy & paste commands.
 
^ Most modern keyloggers also capture the contents of your clipboard.

Really? Fuck!

Well, I guess we have SSH keys, but if they're capable of installing a key logger, obviously they're capable of grabbing the SSH keys as well.
 
^ Most modern keyloggers also capture the contents of your clipboard.

IIRC KeeFox interfaces with KeePass by letting it connect via TCP, which bypasses the need for the clipboard. If you have a keylogger on your computer then you're probably already beyond help.