PASSWORD MANAGER

A PASSWORD MANAGER IS ESSENTIAL – NO ARGUMENTS, and will remain so until the new “passwordless” system, “Passkeys”, is fully implemented. It is encouraging to see that all the big tech companies are supporting Passkeys.

I first became fully aware of the need for a password manager from the host of the Security Now podcast, Steve Gibson. He recommended LastPass and that is what I have been using for years.

LastPass has had issues and customers’ encrypted vaults have been stolen. This is a concise explanation from Gizmodo. https://gizmodo.com/hackers-lastpass-users-password-vaults-change-now-1849926968

If you had a weak master password, you are very much at risk. The danger is that the hackers have all the time in the world to attempt to crack the encrypted vaults and you should start to go through and change passwords now.

Even if you had a stronger password, it is still advisable to change your passwords starting with the important ones and then working through the others. Importantly, you have to do this even if you change to another password manager.

Even though problems were reported some months ago, going on the information made available at the time, Steve Gibson said he was retaining LastPass. As a result, I continued to follow his advice and still have been using LastPass until his podcast episode 904. Steve is now moving to Bitwarden.

I have given it a lot of thought and considered three possible courses of action:

1. Staying on LastPass (but changing all passwords);

2. Moving to Bitwarden (and also changing passwords);

3. Moving to 1Password (and also changing passwords).

No 1 Staying on LastPass.

First, if you have the time, listen to the podcast and read other reports on the breach of LastPass. The main risk is having a weak master password that makes it easier to “brute force” the encrypted vaults that were stolen. I had a strong master password, and my financial passwords were not stored on LastPass. Therefore, my risk would be low. On the other hand, my email passwords, government accounts and other important passwords were stored there.

The main reason most security pundits are recommending that people leave LastPass is lack of trust in LastPass. The first reports, some months ago, suggested that the problems were not that serious. However, more recent reports have changed that.

Initially, I was not going to move, but instead, change all my passwords. I have a strong master password and do not have my financial log in credentials in LastPass.

However, what influenced me the most were comments that the current breach will open up LastPass to lawsuits that could force it to shut down. Also, strong passwords may be OK now, but there can be no guarantee that cracking technology will not improve.

LastPass started out as a mainly “free” program that relied on selling a more advanced version – i.e. the “Freemium” model. It was later sold and then on-sold. A few years ago, I decided to pay as I do not trust “FREE”. You get what you pay for.

Sometimes, but not always, a buyer is more interested in maximising income than the original founders.

No 2 Moving to Bitwarden

Bitwarden also operates under the Freemium model and that is why I thought long and hard about a move. Steve Gibson mentions this, but he says that, as an “Open Source” program, there is less likelihood that someone would be willing to buy it. Also, the first tier of payment is very reasonable, so, hopefully, people will pay. Premium Membership is USD$10 per year and comes with 2FA on log in, 1 GB of storage and a couple of other things. This compares to about USD$30 per year for others.

No 3 Moving to 1Password

This is a very well regarded and popular program and has no free tier. Therefore, there is an established profit model from the outset, thereby reducing the chance that the founders will “cash in” by selling it. On the other hand, as it grows in popularity, there is no guarantee that it won’t be sold.

DECISION

I have decided to:

1. Cancel my paid subscription with LastPass but leave the account open for the present time;

2. Start using Bitwarden and pay the small Premium Membership fee of USD$10 (AUD$15-50) per year;

3. Immediately change the passwords (using Bitwarden but not LastPass) for Emails, Government Accounts, Domain and shares. Then go through all the others and gradually change all (and at the same time set up 2FA if available).

4. Then, after the passwords are changed, there is little point in keeping LastPass (as it will have the old passwords).

I will give Bitwarden a long trial and, if satisfied, I will keep it at least until I hear it has been sold. If I do not like it or it gets sold, I will move to 1Password.

RECOMMENDATION

I will leave it up to the individual whether or not to leave LastPass. These breaches can happen to anyone and hopefully they will learn from the experience. But I do strongly recommend you complete the following at the very least:

  • Ensure the master password is strong. At least 16 characters – mixed and random and not used for anything else;
  • Immediately change the passwords for all important accounts. Emails, Government Accounts, Finance, Banking, PayPal etc, and any site that you might have given credit card information to;
  • Then go through the remainder and change those passwords;
  • Take the opportunity to use long strong passwords (generated by the password manager) to include all characters;
  • Also set up 2FA if available;
  • Be very careful of Emails and texts etc, TRUST NO ONE. The hackers got all the web site URLs – this information was not encrypted;
  • AND if you stay with LastPass do this – Log into LastPass and go to Account Settings (Left Panel) / Advanced Settings (bottom)

Scroll down (on the way, make sure Country Restrictions are set for your country) until you get to “Password Iterations”. The default should be set to 100100. BUT I set mine to 300101. Make sure to click Update whether you make any changes or not. Old master passwords were set to a lower “Iteration” number.
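As an added illustration (not code from the original post or from LastPass/Bitwarden), the Python script below models the two settings recommended above: a long random master password drawn from the full character set, and a higher PBKDF2 iteration count, which is what the “Password Iterations” setting controls. It assumes PBKDF2-HMAC-SHA256 salted with the account e-mail; the e-mail, the guess rate and the machine timing are constructed placeholders, not measurements from a real cracking rig.

```python
import hashlib
import math
import secrets
import string
import time

# Constructed placeholder: the vault key is salted with the account e-mail.
SALT = b"user@example.com"
DEFAULT_ITERATIONS = 100100   # default iteration count quoted in the post
RAISED_ITERATIONS = 300101    # value the post's author set instead
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_vault_key(master_password: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.
    Every guess against a stolen vault has to repeat this amount of work."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def seconds_per_guess(master_password: str, iterations: int) -> float:
    """Wall-clock cost of one derivation on this machine (rough proxy for guess cost)."""
    start = time.perf_counter()
    derive_vault_key(master_password, iterations)
    return time.perf_counter() - start


def generate_master_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """CSPRNG-generated password, the kind the post says to let the manager create."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, secs_per_guess: float, parallel_guessers: int = 1) -> float:
    """Expected time to hit a random password: half the key space at the given guess cost."""
    guesses = 2 ** (bits - 1)
    return guesses * secs_per_guess / parallel_guessers / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_master_password(16)
    bits = guess_space_bits(len(pw), len(FULL_ALPHABET))
    weak_bits = guess_space_bits(8, 26)  # 8 lowercase letters, for comparison
    for iters in (DEFAULT_ITERATIONS, RAISED_ITERATIONS):
        cost = seconds_per_guess(pw, iters)
        strong = expected_crack_years(bits, cost, 10**6)
        weak = expected_crack_years(weak_bits, cost, 10**6)
        print(f"{iters} iterations: {cost*1000:.1f} ms/guess; with a million guessers, "
              f"16 random chars ~{strong:.3g} years, 8 lowercase ~{weak:.3g} years")
```

The point of the comparison is that raising the iteration count only multiplies the attacker’s cost by about three, whereas lengthening and randomising the master password multiplies it by many orders of magnitude; the two settings complement each other.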


NOTE – Generally, changing passwords is not too hard but time consuming. My main issue is that I am still getting used to Bitwarden. LastPass is easier – but I am used to it.

ALSO BE CAREFUL to read the password rules. I came across one that only allowed 16 characters. I was trying to use many more characters and I got locked out.

Also, from bitter experience, do not trust the automatic update offered by the Password Manager (both Bitwarden and LastPass). Record the old and new passwords on, say, a Word document. Then, after the change, update the Password Manager manually and test a log in before deleting the Word document. ALSO with Bitwarden, after you change the details in Bitwarden, go to Settings and run a Sync – Settings (bottom right) / Sync (click the arrow thing) / Sync Vault Now.

P.S. 13th Jan 23

I have completed password changes for all important accounts and am progressing well with the others.

One thing I have noticed is that I have opened very many shopping accounts. I thought that I would just close them but – no such luck! It is impossible to simply close this type of account, almost without exception. In future, I will be far more cautious before I open any account. Luckily, I used PayPal as the method of payment, so I don’t have to worry about credit card details.

BUT, I have learnt a valuable lesson.

SEE UPDATE PASSWORDS – Whycal’s Blog (whysun.com)