lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
37e8274bffbd347c22b084a14454141cee746a76
hpr-knowledge-base/hpr_transcripts/hpr3989.txt

114 lines
7.1 KiB
Plaintext
Raw Normal View History

Initial commit: HPR Knowledge Base MCP Server - MCP server with stdio transport for local use - Search episodes, transcripts, hosts, and series - 4,511 episodes with metadata and transcripts - Data loader with in-memory JSON storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00
Episode: 3989
Title: HPR3989: LastPass Security Update 1 November 2023
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3989/hpr3989.mp3
Transcribed: 2025-10-25 18:21:25
---
This is Hacker Public Radio Episode 3989 for Thursday the 16th of November 2023.
Today's show is entitled, Last Pass Security Update 1 November 2023.
It is part of the series' privacy and security.
It is hosted by Avocad and is about 9 minutes long.
It carries a clean flag.
The summary is, Last Pass was hacked, what should you do?
You are listening to a show from the Reserve Q.
We are airing it now because we had free slots that were not filled.
This is a community project that needs listeners to contribute shows in order to survive.
Please consider recording a show for Hacker Public Radio.
Hello, this is Ahuka for Hacker Public Radio, another exciting episode.
And this is an episode that is coming to you from the Reserve Q.
So if you're hearing it, it means that we're short of shows.
And we would like you to start contributing.
This is a community project.
Hacker Public Radio is a collective of people who share shows with each other.
So everyone should be contributing.
And if you're hearing this, it's a sign that your time is up.
You should contribute something soon.
Maybe something about some of your interests in technology.
But enough of that for now.
I want to talk about a little hack that has occurred with the password manager known as Last Pass,
which I've used for a number of years.
And there have been hacks in the past.
I have recorded shows about some of that stuff.
In fact, one of the ones I did was show number 1810, 1810.
And I think there's still some useful stuff in that.
But what happened in this particular case,
someone was able to, first of all, target an employee of Last Pass.
And through that employee was able to get access into internal systems.
And got a hold of the encrypted password vaults that some individuals had stored in Last Pass.
Now, if you listen to show 1810, I go into some detail about how that is managed.
And up until now, that's always seemed fairly secure.
But one of the things we always talk about in security is that it's an arms race.
And what seems secure at one point can become insecure at another point.
And so what we think has happened is that,
and I've got a link in the show notes to an article by Brian Krebs, a security researcher,
talking about the fact that there's pretty strong evidence that people were storing their crypto pass phrases
in a Last Pass vault.
And that whoever got a hold of these vaults was able to crack them and get a hold of these passwords
and has made off with some millions of dollars worth of crypto.
Now, I'm not going to get it.
I've always thought crypto was a bit of a scam, but let's pass over that one for the moment.
And say, what does this mean for the average person?
And one of the things that we can say at this point is that the consensus of security researchers
is that Last Pass is no longer the most secure password manager.
So one of the things you could do, and it's not terribly difficult,
because Last Pass does have an option to export.
And you could export everything and put it into a password manager like one pass,
which is considered to be a little bit more secure.
Other alternatives, you could use something like key pass,
which is not stored on the internet unless you choose to store it that way.
Now, there are pluses and minuses here.
Something like Last Pass and One Password install as browser extensions,
and you can therefore automatically fill in information in any website you go to.
That's very convenient.
And in some ways, a very secure thing to do.
You have to always look at what the alternatives are.
If you weren't using a password manager at all, that is a terribly insecure kind of thing.
If you're using key pass, you don't have that integration with the browser.
You would have to, basically, if you use more than one device,
like a phone and a laptop, be a couple of devices, maybe a tablet,
it's a file that sits on the hard drive.
And so you'd have to somehow duplicate it across all your devices.
Or what you could do is something like put it in Dropbox,
but now we're back to your passwords all live on the internet.
That's an interesting problem.
Now, one of the things I'd like to talk about here is that focusing on which password manager is the most secure
is frequently not the most important question.
You know, the most important question is what is your overall security approach look like?
If you have reused passwords and you have weak passwords,
storing them in last pass isn't going to be terribly useful.
Or storing them in one password.
You can't expect the password manager to make up for your lack of diligence.
Now, one of the things last pass, and I'm still using it because I'm used to it,
and I don't feel compelling need to change, but I did get a notice from last pass saying
you have to increase the length of your master password.
So that's one of the ways they're responding to this.
The way that you can crack these things is if passwords are insufficiently long and complex.
So, you know, I dutifully went and changed that.
And then I started taking a look at, you know, some of my other passwords.
And I had gotten a little bit lax on the grounds that, you know, not all sites were terribly important.
You know, my bank password, I was very careful about.
But logging into, you know, a discussion board somewhere was like, and who cares about that?
But I've decided that was probably a mistake.
So I'm now going through and making all of my passwords very long and complex.
And last pass does make that fairly easy to do.
I have a built-in security analysis you can go through that's going to tell you that if you go to the security dashboard.
So one of the things that, you know, I really want to emphasize is, you know, security is an overall process that you go through.
And, you know, just relying on a single program and saying, well, if I use this program, I'll be secure.
That doesn't work.
You have to look at the whole picture of what you're doing.
Now, I'm going to end with just a little bit of a joke that I like where, you know, a boss comes to an employee and says,
how come you haven't done all those tasks I gave you?
And he places, what tasks? And the boss says, well, I sent you emails with all the tasks I wanted you to do.
And he places, oh, I deleted those.
Why did you delete them?
Well, it was the IT security training I got.
They told me that anytime you get emails that have typos and unexpected requests, it was a sign of a fishing attempt.
So that's your joke of the day. And with this, this is Ahuka for Hacker Public Radio, signing off and encouraging everyone to support free software.
Bye-bye.
You have been listening to Hacker Public Radio at Hacker Public Radio does work.
Today's show was contributed by a HBR listener like yourself.
If you ever thought of recording a podcast, you click on our contribute link to find out how easy it really is.
Posting for HBR has been kindly provided by an honesthost.com, the internet archive and our sync.net.
On the Sadois status, today's show is released under Creative Commons, Attribution, 4.0 International License.
Reference in New Issue Copy Permalink