LastPass' corporate vault stolen via an employee's hacked Plex

Apparently the cause of the LastPass incident was LastPass' failure to have employees maintain a sterile environment. One of the requirements for a sterile environment is that dedicated company computers be used for business work and nothing else. The employee computer that was compromised was his personal computer. A clear violation of maintaining a sterile environment. LastPass failed to train and/or enforce this critical security procedure. I hope that they have now hired a competent IT security company to assess their environment and then address all issues found. Then do annual compliance audits.

As for Plex being involved, Plex has not announced what their password compromise was. The important thing for anyone using Plex is to change their Plex password and, even more important, if they reuse that password, to change it everywhere it's used.

Anyone that cares about security would never dare use LastPass again.

So you will use another unproven password vault?

I'll go with the one that is open source and hasn't shown a propensity for being moronic.

Simply use a text file and save it encrypted. Then, if you like, sync that file to the cloud. Then you rely on yourself to be secure.

Bitwarden conducts security audits, but I haven't seen evidence of code audits.

Personally I use an OpenBSD host server running Vaultwarden (an open source Bitwarden compatible server coded in Rust).

It is up to you to assess your security needs, and then choose accordingly.


The hacker exploited a vulnerability in the Plex Media Server software that was patched in May 2020. 'The version that addressed this exploit was roughly 75 versions ago,' Plex says.


This is why Microsoft forces patches even though it can annoy people.

Exactly as I (and many others) suspected.

The problem with Plex updates is they need to be manually installed on some devices (e.g., Synology NAS). I really wish I could set it to auto-update.

The problem is exposing the software to the internets.


Not every solution works for everyone. For many people, simply using an encrypted text file is not practical if you are going to make any attempt to use difficult passwords. I work in tech and have to remember hundreds of passwords and use different devices. It's simply not practical to manually look them up and hand type them in. I used LastPass for years and 1Password for years before that, back when 1Password didn't work well on Windows. With most companies that have been hacked, you conclude that afterwards they are probably among the safest and most secure out there because of the extra attention. LastPass really blew this on every level with their practices and their handling. They have permanently lost my trust, but I'm not ready to throw out the entire industry. As a whole, I think they are still way more knowledgeable than me on how to keep things secure.

Don't know why you would not cut and paste passwords in from an encrypted file. I also worked in IT and used the encrypted file method way before any password vault applications came out. Some companies get better after they are hacked. Others continue the same culture, simply doing whatever is needed to shut the auditors up. Security is as much a culture as a set of policies and procedures.

Because it's a PITA on a phone.


A flaw that you are repeatedly warned about if you try to enable the feature, which is off by default... Trashy clickbait article from a trashy clickbait site.


Saw that news today. They do recommend not using the feature and default it to turned off (if you turn it on, there is a big old **WARNING:** Compromised pages can exploit autofill on page load). But they allow users to make that decision. If you read the article, it also explains the risk and that it is a minimal risk. I think they are planning to make a change. I actually like Bitwarden's keyboard shortcut better than the autofill approach anyway.


Just because it’s open source doesn’t mean it’s more secure. Don’t fool yourself into thinking all open source is constantly being checked on by people just because it can. It is not.

Just look at the history of CVEs from some pretty boneheaded mistakes in open source projects that run the entire internet.

If anything, open source is more open for malicious actors to find the vulnerabilities.

And don’t take this as me not being a fan or steward of open source. My past speaks for itself :crazy_face:


I followed the same path as you, to be honest. Yes, it's open source, meaning that the code is out there should someone want to develop an exploit for it, but their level of encryption and MFA integration gives me about as much sense of security as one can have, short of a little book in my pocket with clues to passwords written down for me to guess. Not using the same password for a hundred sites and making sure to MFA anything that contains secure data is about as close as I can get.

Same here. I think common sense and diligence is the biggest thing you can do to protect yourself, and there is always a risk, even if you lock yourself in a closed room and don't communicate with the outside world.

LastPass lost the trust of the users for a variety of things they did. I would think they will not get that back, but maybe they have enough customers that are unable to leave to keep them going.