Topic: LastPass hack - move your crypto assets to a more secure place right now! - page 3. (Read 514 times)

Lastpass does PBKDF2 on your password before storing it so if your Lastpass settings had at least 100k rounds (the default since like 2018, and also the value before the breach happened) configured and you used a super-strong password, or even a mildly strong password, it will take centuries for hackers to break into your vault.

It is likely that the hacked accounts were using some lower rounds of PBKDF2 - for a long time, Lastpass had it set to about 5000 or something, and then raised the default value over the years. Now it's 600k, but that's hardly relevant as the vaults have been stolen already.

Also if you even think about storing sensitive things like seed phrases online, you better encrypt it with a second layer of encryption such as GPG. There's no way anyone is ever going to break through that if you secure it properly. But still move your funds anyway if you can do it safely.

I don't use LastPass. I don't even keep important passwords in my browser's password manager.
All the important passwords are stored in my head. LastPass being hacked proves that you can't trust any centralized entity with your sensitive information. It's weird that LastPass was hacked last year, but I haven't heard anything about this event.
There must be a way for the victims of this hack to find out who emptied their wallets. I'm sure that the police will find the hackers sooner or later.

I never used LastPass, I was actually very surprised that their app doesn't let their users store their data locally. Or do they, and online storage is merely one of its features for convenience and accessability?

But OK, I would probably use something like that for hot-wallets containing small amount amounts of Bitcoin for playing Craps in a casino, but never for storing my Bitcoin life-savings.

Cloud storage is a really bad idea when it comes to backing up your Bitcoin private keys. There are many wallets which offer to back up your encrypted seed in the cloud but it is completely unnecessary. Your seed phrase written on paper or a metal plate and kept in a safe place is all you need to be able to restore access to your funds.

For password management there are much better solutions than LastPass including open source self-hosted options. Passwordless logins are even starting to become a thing.

It’s not only lastpass that you should avoid storing anything sensitive. Even having your passwords saved on your browser is risky because anyone with access to the computer whether remote or physical can easily uncover them without any additional passwords.

You really are better off just keeping your passwords in a diary somewhere in your house pretty much. Sure they are handy those password managers but all it will take is some bug and everyone’s private info can be stolen and leaked.

Good early warning from you OP.

Yes. It makes people very disappointed. I am 100 percent sure at this time There is no single system that is proven to be safe. Whatever that is. The mistake many people make is placing too much trust in recommendations and reviews written about a product.

Well, when it comes to online wallet services today, like those built into most exchanges, there is always a risk that the service will go out of business or steal our funds and claim that we revoked them.

I've been using a password manager for years (not LastPass by the way) because it's extremely useful, every time I need some kind of information it's right there, and I never had any problem. The only thing I would never store, no matter how much I trust the app, is the seed, it's just not worth taking such a big risk. If they steal the info some credit card info, ok, no problem, I'll get a refund, but if they steal your seed we all know how it ends.

This is sad but whoever stores their crypto backups / seeds / passwords to wallets etc in an ONLINE password manage totally misunderstood tthe self-custody aspect of crypto / Bitcoin.
I still believe password managers do have some value - for throwaway logins or stuff that is just very convenient to access via some basic account. Anythign related to your identity or any real value does not belong there however.

Also, I do believe there are hardware solutions - didn't Trezor have a built-in password manager? Not sure if they continued this service, though

There is nothing too good when keeping the asset online. whatever it's; data, password, money, and especially crypto, there is no point when we still keep and believe the application online. the example above (LastPass) is a small thing that we often hear. So when you are active on media social, you will hear more than above. Many users on media social did not exploit it because they were embarrassed and didn't want to look stupid. They still believe the cloud or any application password online is saving them from oblivion, but in fact it is not really safe instead it makes him lose even more.

I don't know why people today are so lazy to write down passwords on paper, even if it's safer and they don't need money to subscribe to the application.

This is just the beginning, such incidences will only rise from here. Hackers are targeting everything related to crypto that can be targeted in bulk. This is because even old people are associated with crypto and they are easy target of these hackers.

So, what's this now? (Rhetorical). Anything that is usually online is not safe because it can easily be breached. Just one mistake, and those hackers will gain access to the security that can make them steal a whole lot of money, like they have done from LastPass. Ledger Hardware Wallet tried to introduce the cloud storage of private keys, but after receiving some criticism, they did not further the plans again. But according to what I read on Cointelegraph, they (ledger hardware) were supposed to roll out a cloud-based private key recovery tool this month, which I don't intend to use that wallet due to their crazy idea. Who knows if they will also get back one day because of that new invention?

The safest way to secure an asset is to keep every bit of their secret information offline. Create your Bitcoin address and generate your private key or secret phrase on an AirGap device, and let it only be your cold storage wallet.

I'm on an iphone and do you have any app suggestions for iOS devices since I don't see KeePassXC for iOS or Android?

Lastpass is a password manager that keeps getting hacked every year, but it's baffling that so many people still choose it.

I agree with you, whether open source and confirmed safe or never hacked, but using online storage platforms to store seed phrases is a bad idea. I don't know what method people use to store it, but in my opinion, it's best that Seed Phrase is always stored offline. There is no guarantee those online platforms will never be hacked. Password managers should only be used to store simple passwords, they should not be used to store extremely important things like seed phrases.

It seems crazy to me why anyone would store such large amount of assets in a password manager
that is widely known to have serious security issues. Do people not read the news?

I would never use a Ledger again for the same reasons: Ledger is not only closed source but also suffered data breaches in the past.
Ledger was the first hardware wallet I ever used back in 2018 but switched to Trezor last year due to Ledger's widely reported security problems.

Everyone needs a password manager. There are great and they added much more security,  as they generate passwords automatically.

The problem is that lastpass is not safe by itself.  You want use a password manager. Just don't get the worst one.

Thank you for this update. People who have saved their keys with lastpass should do the needful immediately to avoid losing their assets. This is yet another case that vindicate the need to saving your keys privately without involving a third party.  From the comments and reply i have read so far, seems the lastpass has been prone to hack and the has been a thing of back  to back hacking reoccurring without any much resistance. Does it mean that they  never bother or care abut the data and details of their users very much important to always be a target of hackers  on a regular basis. Possibly, there must be  rat in the house.

Third parties should not be the right resolution to saving passwords and sensitive information as they can not guarantee their own safety not to talk of customers safety. Many third parties have suffered hack and as a result of that, lost huge amount of funds under their custody and some have not been able to recover form the incidence while some are gradually standing back on their feet. The series of hack should be a lesson to the crypto community to start practicing self savings and self custody of assets and funds.

LastPass is not a platform to store passwords and stuff secure online, if it was the platform wouldn't have experienced hacks 3 times within 14 months because hackers can only manipulate or tamper platform with no code vulnerabilities or simultaneously upgrade their system but the company used their data encryption and multi-factor authentication options to gain the attention of alot of cryptocurrency investor.

It is a shame that a service that keeps your private data secure could be hacked in this way. After that, the announcement is from the 25th. Therefore, unless you follow the news, you may end up being the last to know. In general, I do not trust password management programs and it is better to use one of them. Provided that it is not online, that it is open source, and that you can set it up in an environment that will not be connected to the Internet.

LastPass password manager is closed source and I don't know why someone would trust such app with the safe storage of his/her seed phrase, private keys and other sensitive information. I could store my login details of websites in a password manager but what I will not do is to store the seed phrase of my wallet in it. Even if LassPass were to be an open source application, I'm totally against the idea of storing the seed phrase online. I don't know how difficult it is for people to just write down their seed phrase on a piece of paper and keep it safe.

Yeah, I know. I have learned it the hard way. There are some other method that I have came up with for storing private key online. Not the best and not the most secure one but it could provide great amount of security against hackers. It is hard to crack. Although I'm not going to reveal my whole secret but I will share another one that could give us the same kind of security.

We have 12 or 24 words in a private key. We can divide them into four or eight parts. We have three words in a group like that. We can easily randomize this group like 4213. After that we just need to remember this sequence of 4213. Then we can add four five or six even ten words between each group. That way we'll have a long list of words. If you put that list on the internet and the sequence is only known to you then it will be hard for any hackers to crack it. So I don't think keeping your private key online is a risk if it's done right.

That way we are immune to lose it and can access it anywhere we go. Because anything that is physical could be destroyed or lost. But multiple online backups could be accessed easily. Although this sounds so easy and theoretically it can't be cracked, I will never suggest anyone to back up their private key online.
I have suffered it so I know how it feels. Recently I am using air gapped device for storing my key and storing my assets.