I seem to remember that the passwords were encrypted, so all they got was the passwords people use for their password manager, which, because people were using the password manager and therefore had random passwords, didn’t really matter hugely.
Comments on: God ****** dammit, here we go again
Malfeasant@lemmy.world 3 weeks ago
And when that password manager gets cracked?
echodot@feddit.uk 3 weeks ago
KairuByte@lemmy.dbzer0.com 3 weeks ago
Just as an example, 1Password has a secondary encryption key that they can’t even recover. If you lose it, you’re fucked. I doubt the chances of that being cracked are any good at all.
sugar_in_your_tea@sh.itjust.works 3 weeks ago
Bitwarden has no secondary key, and the master key is never sent to the server. All they get is an email address and encrypted data. If you forget your key, your passwords cannot be accessed, which means an attacker is screwed too.
There are tons of ways to give yourself ways to “recover” your password that don’t compromise you in a breach scenario:
- logged-in devices: they have the key decrypted and can generate a new one, re-encrypt, and overwrite the data server-side
- store a physical copy of the password at home somewhere (notebook?)
- share passwords with a trusted person (SO) for critical shared accounts
- securely store an unencrypted backup of your password vault (say, on a personal computer with full disk encryption)
Maybe that’s how 1Password works, idk, but I do recommend verifying that there’s no password recovery option on whatever password manager service you use.
ayyy@sh.itjust.works 3 weeks ago
Got any examples? Because I have…some…examples of password reuse being a real-life problem.
jellygoose@lemmy.ca 3 weeks ago
LastPass recently, check Addie Lamarr’s channel on YouTube.
Aetherion@lemmy.world 3 weeks ago
LastPass is the maximum shit. They got hacked like 3 times in a year and my company’s password notes got leaked.
We are now with Bitwarden and this was the biggest security hardening measure we have taken.
sugar_in_your_tea@sh.itjust.works 3 weeks ago
Make sure whatever password manager you use doesn’t store the key on their servers. Bitwarden does this correctly (if you lose your PW, Bitwarden can’t recover it), and I’m sure some competitors do as well. LastPass apparently didn’t.
kazerniel@lemmy.world 3 weeks ago
Yeah, I left LastPass after like 15 years when I came across some news headlines that it had been breached more than once while I was using it O.o
Been a happy user of Bitwarden for a couple years now. I love that little “copy custom field name” function, so I don’t have to go hunting around in the HTML code if a site is using weird field names.