Topic: LastPass 1Password Security Crypto Challenge + Bounty - page 2. (Read 249 times)

legendary
Activity: 2688
Merit: 3983
If the purpose of the topic is to know if LastPass/1Password can be hacked, it is better to assume that and therefore not give a lot of information to such services.
In general, there are two aspects that must be distinguished, the first is privacy and the second is privacy.

If you are not interested in privacy, add a password in your brain, for example, xcvbvv, with the first three words of the service, as in Facebook, xcvbvvfab, with the password that is stored in such services, which will provide you with additional protection.

But if you're talking about privacy, it's best to stay away from the LastPass/1Password services, assume that they can be hacked and run a self-hosted password manager.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
I had never heard of this #LastPassHack so when I looked it up - it sent me to a Hacker News article from Dec 26, 2021, apparently talking about the apparent compromise of users' master passwords.

LastPass has a long history of security breaches; Wikipedia alone (https://en.wikipedia.org/wiki/LastPass) mentions at least 6 security breaches.

Except - This should be impossible - since LastPass should not be storing the users' Master Password in any way, so this brought into question a service I have been using and storing data in for many years... could they be lying to me? Should I switch to another service like 1Password?

If you have a hard time trusting a 3rd party or have privacy concerns, consider a self-hosted password manager such as KeePassXC.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Here is the Hacker News thread about this: https://news.ycombinator.com/item?id=29705957

Somewhere in the replies, it says the logins were due to a vulnerability in the LastPass extension (autofill specifically), dating from about 5 years ago [1], which has long been fixed and released in an update [2].

The master password is not stored on Lastpass's servers so this becomes a bug bounty for the Lastpass extension, not the servers.



[1]: https://news.ycombinator.com/item?id=12171547
[2]: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
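The point made in this post (and in the original question) is that the master password is never stored server-side, so a server-side leak of master passwords "should be impossible". The following is an added example, not LastPass or 1Password code, that models how such a vault design works end to end: the client stretches the master password with PBKDF2, derives a vault key and a separate login verifier from it, encrypts the vault locally, and the server only ever receives the email, the verifier and an opaque blob. It also shows what a copy of that server record does give an attacker: not the password, but the ability to test guesses offline at one full KDF run per guess, which is why master password strength and KDF cost are the whole margin. The iteration count, the use of the email as salt, the HMAC-SHA256 counter-mode cipher (a stand-in for AES-GCM so the example needs no third-party library) and all sample values are assumptions of this demo.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Work factor for the demo. Real products use far higher iteration counts;
# this value is an assumption chosen so the example runs in a second or two.
KDF_ITERATIONS = 100_000


def derive_keys(master_password: str, email: str, iterations: int = KDF_ITERATIONS):
    """Client side only. Stretch the master password into a vault encryption key
    and, from that, a separate login verifier. The email is the salt here (an
    assumption of this demo). Neither output can be turned back into the password."""
    salt = email.strip().lower().encode()
    enc_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    # Domain-separated so the verifier the server stores cannot decrypt the vault.
    auth_hash = hmac.new(enc_key, b"auth", hashlib.sha256).digest()
    return enc_key, auth_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for AES-GCM so the demo needs no
    third-party crypto library."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, vault: dict) -> dict:
    """Client side: encrypt-then-MAC with subkeys derived from the vault key."""
    enc_sub = hmac.new(enc_key, b"enc", hashlib.sha256).digest()
    mac_sub = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    plaintext = json.dumps(vault, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_sub, nonce, len(plaintext))))
    tag = hmac.new(mac_sub, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex()}


def decrypt_vault(enc_key: bytes, blob: dict) -> dict:
    """Client side: verify the tag before touching the ciphertext."""
    enc_sub = hmac.new(enc_key, b"enc", hashlib.sha256).digest()
    mac_sub = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ciphertext", "tag"))
    expected = hmac.new(mac_sub, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault tag mismatch: wrong master password or tampered data")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_sub, nonce, len(ct))))
    return json.loads(pt.decode())


def enroll(email: str, master_password: str, vault: dict) -> dict:
    """Everything the server ever receives: an email, a verifier and an opaque blob."""
    enc_key, auth_hash = derive_keys(master_password, email)
    return {"email": email, "auth_hash": auth_hash.hex(), "vault": encrypt_vault(enc_key, vault)}


def server_login(record: dict, candidate_auth_hash: bytes) -> bool:
    """Server side: compare verifiers in constant time. The server never sees the password."""
    return hmac.compare_digest(bytes.fromhex(record["auth_hash"]), candidate_auth_hash)


def open_vault(record: dict, master_password: str) -> dict:
    """Client side: recompute keys, authenticate, then decrypt locally."""
    enc_key, auth_hash = derive_keys(master_password, record["email"])
    if not server_login(record, auth_hash):
        raise PermissionError("login rejected")
    return decrypt_vault(enc_key, record["vault"])


def offline_guess(record: dict, candidates: list) -> Optional[str]:
    """What a leaked server record actually exposes: not the password, but the
    ability to test guesses offline at one full KDF run per guess. That cost,
    times the size of the search space, is the whole security margin."""
    target = bytes.fromhex(record["auth_hash"])
    for guess in candidates:
        _, auth_hash = derive_keys(guess, record["email"])
        if hmac.compare_digest(auth_hash, target):
            return guess
    return None


# Constructed sample data, not a real account or wallet.
SAMPLE_EMAIL = "bounty-demo@example.com"
SAMPLE_MASTER = "correct horse battery staple"
SAMPLE_VAULT = {"eth-wallet": "placeholder seed phrase, not a real wallet"}

if __name__ == "__main__":
    record = enroll(SAMPLE_EMAIL, SAMPLE_MASTER, SAMPLE_VAULT)
    print("server holds:", json.dumps(record, indent=2))
    print("client opens:", open_vault(record, SAMPLE_MASTER))
    print("weak-list guess:", offline_guess(record, ["password", "letmein", SAMPLE_MASTER]))
```

Two things worth noticing when running it: the server record contains nothing that decodes back to the master password, so a "leaked master passwords" headline cannot come from a straight database dump of a design like this; and the thing a dump does hand over is the verifier, which lets guessing proceed offline without rate limits. A bounty like the one in this thread therefore really tests the extension and the client (where the password exists in plaintext while the vault is open), plus the guessability of the chosen master password, not the server.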
member
Activity: 60
Merit: 24


The other day I tweeted a security tip to remind folks not to use real answers to password reset security questions, and suggested they can store their answers in a tool like LastPass. No sooner did I tweet this than I got this response



I had never heard of this #LastPassHack so when I looked it up - it sent me to a Hacker News article from Dec 26, 2021, apparently talking about the apparent compromise of users' master passwords.

Except - This should be impossible - since LastPass should not be storing the users' Master Password in any way, so this brought into question a service I have been using and storing data in for many years... could they be lying to me? Should I switch to another service like 1Password?

To help answer this question, I decided to set up a little crypto bounty. If you know how to discover the master passwords of a LastPass or 1Password account, I invite you to prove this yourself (anonymously).

I set up 2 accounts, one for LastPass and one for 1Password. Inside each of them, I stored the backup phrase for 2 wallets. The 1Password one is Bitcoin, and the LastPass one is Ethereum.

Bitcoin Bounty Balance: https://bitcoinexplorer.org/address/1PKF8K1e1BFsBpkjXEWVoGgCdWuqqCKc5C ( 0.00107999 BTC at the time of deposit)

Ethereum Bounty Balance: https://www.etherchain.org/account/29cea040fAC4839DAc550558d1A88Afe27bb1466 (0.01702 ETH at the time of deposit).

All you have to do is discover the passwords used for either, access the crypto, and then do a withdrawal of the wallet to win the bounty and prove that one or more of these services are indeed leaking master passwords somehow.

The email addresses used for these vaults are:



The password length is the same for both accounts, and both use the same number of numbers and special characters.

Disclaimer - This is not an invite to hack either of these services, but if you do know how to exploit some type of security flaw this is your opportunity to 'put your money where your mouth is'

If you agree and want to join in, feel free to make additional deposits to the bounty using these QR codes



Warning: Money deposited here will not be refunded!