Data at risk after migrating from LastPass?

Options
KJIsaacson
KJIsaacson
Community Member

In view of the LastPass intrusion, if I migrate my data to 1Password, must/should I change all of my passwords? In other words, since my passwords were theoretically at risk over at LastPass, do they remain at risk here? Thanks.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • @KJIsaacson

    The passwords themselves would be safely stored within 1Password. The issue would be if they were compromised prior. Due to the uncertainty, I would recommend changing your passwords if there is any doubt that they might have been compromised.

    tl;dr

    I would change all of my passwords if I were in this situation. Leaving nothing to chance would be my thought process.

  • KJIsaacson
    KJIsaacson
    Community Member
    edited December 2022
    Options

    As I thought. A lengthy, tedious process.

    Many thanks.

  • Always happy to help, @KJIsaacson. If there's anything further we can do to help (or any suggestions you'd like to offer on how we might smooth this kind of process in the future), do let us know.

  • Mycenius
    Mycenius
    Community Member
    edited December 2022
    Options

    if I migrate my data to 1Password, must/should I change all of my passwords? In other words, since my passwords were theoretically at risk over at LastPass, do they remain at risk here?

    The issue would be if they were compromised prior. Due to the uncertainty, I would recommend changing your passwords if there is any doubt that they might have been compromised.

    The issue @KJIsaacson is how strong was your Master Password in your LastPass vault - was it high entropy (i.e. random to some degree - the more the better) and long...? If not then there is a fair chance your particular vault may get cracked eventually - whether that's already happened or might happen in 3, 9, 19 months is hard to say... BUT that is only if yours is one of the ones lost - it might not be and you may have nothing to worry about.

    Check out the table below - this assumes reasonable entropy (randomness) - so if you used very common words or people's names, etc, it will be quicker to crack. You should aim to be "in the green" with your password (it's easier to do this with passphrases than passwords).

    If passwords aren't random enough then something that should take 3 years in the table below might be crackable in 2 minutes or less. The table shows the maximum time in the best case scenario favouring you - in the worst case favouring the bad actor you get cracked instantly or in a few seconds.

    I would change all of my passwords if I were in this situation. Leaving nothing to chance would be my thought process.

    Totally agree with @ag_tommy - not worth the risk - get the critical ones (banking, tax, work, sites with saved credit card info, etc, done first then work your way through the rest over a few days or a couple of weeks)...

    Source: Hive Systems: Are Your Passwords in the Green?

  • VerboortTech
    VerboortTech
    Community Member
    Options

    @Mycenius, Nice blog post reference. FYI, below is the PBKDF2 table (it didn't say how many iterations it assumed)

    Also, regardless of the length or complexity of your password, if someone else on the planet just happened to choose it as well, and it just happened made it into a password breach list, then time to crack drops to near-zero.

  • Mycenius
    Mycenius
    Community Member
    Options

    Hey @VerboortTech - yes I noticed the lack of iterations clarity too. Umm, yes you are right I believe the one I posted is a 2022 one, BUT it's the one with (obsolete?) MD5 hashes cracked by an RTX 3090 GPU (versus the older RTX 2080 GPU in the 2020 test). As opposed to the one you posted which is the more relevant (modern) PBKDF2 hash function cracked using the RTX 3090 GPU. Oops. My bad. 😉

    Also, regardless of the length or complexity of your password, if someone else on the planet just happened to choose it as well, and it just happened made it into a password breach list, then time to crack drops to near-zero.

    Absolutely - or uses good old favourites in it like password, guest, pokemon, etc... (P.S. check out the 2022 Top 200 most common passwords if you haven't already).

  • rbuckley
    rbuckley
    Community Member
    Options

    If there's anything further we can do to help (or any suggestions you'd like to offer on how we might smooth this kind of process in the future), do let us know.

    hi @PeterG_1P , it would make the process of changing passwords that may have been compromised in the Lastpass breach or similar future breaches a little easier if 1Password could keep track of passwords that may need changing. For example, if Watchtower had an 'expired' category and users could choose from passwords which havent been changed before a certain date to mark as 'expired'. Maybe there's a better word than expired for this kind of thing

  • Mycenius
    Mycenius
    Community Member
    Options

    👆🏻 👌🏻 👍🏻

  • Tertius3
    Tertius3
    Community Member
    Options

    You can sort any item list by edit date. If entries come up with your import date, you know you still have to update them.

  • Mycenius
    Mycenius
    Community Member
    Options

    @Tertius3

    You can sort any item list by edit date. If entries come up with your import date, you know you still have to update them.

    Yeah but I agree with @rbuckley because after that if you wan to change anything you haven't changed for say '3 years' there is no way to do it - because you can only sort/filter by last modified and that could be anything, not just the last time you changed the password

  • TambourineMan
    TambourineMan
    Community Member
    edited January 2023
    Options

    @PeterG_1P

    Always happy to help, @KJIsaacson. If there's anything further we can do to help (or any suggestions you'd like to offer on how we might smooth this kind of process in the future), do let us know.

    I am seeking a Lastpass replacement. I was tried Dashlane and it said it assisted in changing passwords but I never tried that feature.

    Does 1Password do that?

  • Mycenius
    Mycenius
    Community Member
    edited January 2023
    Options

    @VerboortTech in case it may be of interest I started a thread about how bad Last Pass's iteration regime's faliure was/is and how a user can verify the iterations actually used in the 1Password vault. It's here: LastPass Iteration Failures: Can you verify the PBKDF2 Iterations used on your 1Password Vault?

  • pwak
    pwak
    Community Member
    Options

    I just came to 1Password from LastPass and I am in the process of changing all my passwords. Since I don't see any way to sort by password last changed, I am tagging each with a 'Password Changed' tag as I do them. I would love to be able to sort by date of last password change instead of just the date modified.

  • TambourineMan
    TambourineMan
    Community Member
    Options

    For those having to change their LastPass passwords, a helpful trick is not to use the website's change password mechanism, but rather to say "forgot password." It can be quicker.

    I have had to research what affects a password's crackability. Some already discussed in this thread. I think some of the factors are:

    • length
    • character set (just words or characters lower case, a mix of upper and lower, numbers, and symbols (and arguably common keyboard symbols versus extended ones)
    • randomness: whether the password is human conceived or computer generated random (crackers learn how we make passwords)
    • how the password was hashed (SHA or some other) and salted/padded (PBKDF2, etc.) and the method (including transmission) 126 bit v. 256 bit AES encryption or some other
    • number of iterations
    • entropy

    Any or all of these can make a password easier or more difficult to crack

    I think 1password's are made even stronger by incorporating the long random secret key which is done without subsequent user interaction.

    Most of these factors affect what is called entropy which has not been mentioned. There are sites which will calculate the entropy of a password for brute force cracking versus dictionary, rainbow table, or user profile. (Despite the disclaimer that what you enter doesn't go anywhere:

    DO NOT ENTER YOUR ACTUAL PASSWORD even though they say it's safe to do so. (Make up one similar.)

    https://www.omnicalculator.com/other/password-entropy

    https://alecmccutcheon.github.io/Password-Entropy-Calculator/

    DO NOT ENTER YOUR ACTUAL PASSWORD at these sites

    An entropy of 25 is very bad. 75-100 is very good.

    So, which of the following two passwords is stronger,
    more secure, and more difficult to crack (by brute force)?

    D0g.....................

    PrXyc.N(n4k77#L!eVdAfp9

    Go here for the answer:

    https://www.grc.com/haystack.htm

  • KJIsaacson
    KJIsaacson
    Community Member
    Options

    Thanks for all of the responses. Sorry I haven't said thanks before now! This does bring me to an additional question: The vulnerability of Secure Notes.

    If I had a number of secure notes with LastPass, how safe are they now that I've migrated to 1Password. It seems to me that if my LastPass vault was compromised, the secure notes became vulnerable. What to do?

    Thanks.
    Ken

  • Ben
    Options

    Hi folks!

    I am seeking a Lastpass replacement. I was tried Dashlane and it said it assisted in changing passwords but I never tried that feature. Does 1Password do that?

    1Password does have a feature where on login items you've saved for supported websites we'll offer a change password button which will take you directly to the change password page for that site (after logging in, if necessary).

    I just came to 1Password from LastPass and I am in the process of changing all my passwords. Since I don't see any way to sort by password last changed, I am tagging each with a 'Password Changed' tag as I do them. I would love to be able to sort by date of last password change instead of just the date modified.

    Thanks for the feedback on this. Sorting by last modified would be the closest we offer at the moment, but I'll absolutely pass this suggestion to our product team for consideration.

    Most of these factors affect what is called entropy which has not been mentioned. There are sites which will calculate the entropy of a password for brute force cracking versus dictionary, rainbow table, or user profile. (Despite the disclaimer that what you enter doesn't go anywhere:

    I wouldn't put much weight behind these. Unless you know the details of how a password was generated, it isn't possible to reliably calculate the entropy. Any result will be, at best, a guess. This is even further complicated by the fact, as you noted, you shouldn't provide your actual passwords to 3rd party websites.

    The important thing when considering password strength is how truly random it is. It it is something that was pulled from a human head, it is invariably going to be less random than something machine generated with a good password generator, such as the one in 1Password.

    If I had a number of secure notes with LastPass, how safe are they now that I've migrated to 1Password. It seems to me that if my LastPass vault was compromised, the secure notes became vulnerable. What to do?

    Correct. Any secrets in notes should be changed/invalidated as well. Unfortunately that isn't possible in all cases. Things like social security numbers cannot generally be changed, and if so then there really isn't much to do beyond any applicable protections against identity theft and acknowledging that the information may be "in the wild."

    Ben

  • Mycenius
    Mycenius
    Community Member
    edited January 2023
    Options

    A good analogue way to generate passwords yourself physically is to use The Diceware Passphrase Home Page and 1 or more normal 6-sided die/dice. So very tactile. Basically make 5 dice rolls in succession so you generate a 5-digit number (like 34523) and then look it up in the full list of words (there are some alternate lists on the site too). You do this 4, 5 or 6 times to get your words in sequence (depending how long you want your passphrase to be) and then just put a (different) random number or symbol (or otherwise a dash) between each one to complete a contiguous string. This will give you as good a random high entropy (but memorable) passphrase as you can get. Obviously you'd normally just do this for the few key things (like your 1PW Master Password/Passphrase), but you could do it to generate all your passwords...

  • Ben
    Options

    Indeed! The diceware system was one of the inspirations for our memorable password generator in 1Password. 😊

    Ben

  • TambourineMan
    TambourineMan
    Community Member
    Options

    @Mycenius Thank you for the link to Diceware. I got a kick out of the tip to roll down your shades when rolling the dice. I have many LP passwords to change.

    I had been looking at KeePass and (online) Strong Password Generator. While KeePass is open source and I think the passwords are generated entirely within the local computer, the Diceware method would seem even more secure (and doable if I can find my decades old 6 sided dice [and close my blinds]]. LOL

    One advantage of the two I cited is not all websites will accept all lengths or character sets and KeePass allows you to tailor symbol character sets to maximum the site accepts. I think the more/larger character sets the better and with 1PW having to type complicated passwords is not an issue.

    Obviously longer is also better, but WRT Diceware some websites limit length to 16 or 20 characters so using dictionary words even with a few symbols is not optimum, but combined with 2FA, MFA or Google prompts random dictionary words might be sufficient.

  • Mycenius
    Mycenius
    Community Member
    Options

    👍🏻😊

  • dogAndPonyShow
    dogAndPonyShow
    Community Member
    Options

    A lot of good feedback here. I was going to suggest some of those links aswell.

    I'd also mentioned that when you export a password database from LastPass or other password managers... the CSV files will be completely unencrypted on your computer/device.... so definitely securely wipe it when you're done.

    For the Omni calculator, also take a read of the 'Password entropy is NOT all that matters' section. A password/passphrase could have high entropy, but could also appear in leaked/online dictionaries - which would effectively make the entropy zero!

    Properly random passphrases, combined with padding with numbers or symbols - is a pretty good way to go. Humans can't really come up with words completely randomly....

    The Omnicalculator.com site recommends 60-80 bits of entropy for important accounts... and up to 100 for crucial ones.

    This is also another interesting one: https://lowe.github.io/tryzxcvbn/

    ...which breaks down the sequences of the passphrase/word into potential dictionary/bruteforce patterns and which type of dictionaries words might originate from.

    as example:
    ridiculous-chance-waterwheel-barracuda - apparently 'centuries' (offline attack)
    **ridiculous ** is from 'us_tv_and_film' dictionary, which doesn't make a lot of immediate sense!

  • dogAndPonyShow
    dogAndPonyShow
    Community Member
    Options

    A lot of good feedback here. I was going to suggest some of those links aswell.

    I'd also mentioned that when you export a password database from LastPass or other password managers... the CSV files will be completely unencrypted on your computer/device.... so definitely securely wipe it when you're done.

    For the Omni calculator, also take a read of the 'Password entropy is NOT all that matters' section. A password/passphrase could have high entropy, but could also appear in leaked/online dictionaries - which would effectively make the entropy zero!

    Properly random passphrases, combined with padding with numbers or symbols - is a pretty good way to go. Humans can't really come up with words completely randomly....

    The Omnicalculator.com site recommends 60-80 bits of entropy for important accounts... and up to 100 for crucial ones.

    This is also another interesting one: https://lowe.github.io/tryzxcvbn/

    ...which breaks down the sequences of the passphrase/word into potential dictionary/bruteforce patterns and which type of dictionaries words might originate from.

    as example:
    ridiculous-chance-waterwheel-barracuda - apparently 'centuries' (offline attack)
    **ridiculous ** is from 'us_tv_and_film' dictionary, which doesn't make a lot of immediate sense!

  • secureappa
    secureappa
    Community Member
    Options

    Regarding diceware or memorable passwords, I've always wondered if it has less entropy than using the first letter of a "memorable sentence". Each word in a diceware or 1password "memorable" password is a choice of one word out of the list. So, depending on how long the list is it actually isn't giving you as much entropy as you might think. Isn't it better to have a memorable sentence and take the first letter from each word? I'll use the first sentence from the Wikipedia for diceware as an example, which is "Diceware is a method for creating passphrases, passwords, and other cryptographic variables using ordinary dice as a hardware random number generator." Taking the first letter of each yields "Diamfcp,p,aocvuodaahrng". I would argue it is only slightly less memorable than "ridiculous-chance-waterwheel-barracuda". Doesn't it contain more entropy for less letters typed?

This discussion has been closed.