Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Iron Fist on October 30, 2023, 06:41:18 PM



Title: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Iron Fist on October 30, 2023, 06:41:18 PM
Bad news, folks! I just saw this article about how a bunch of LastPass users got hacked and lost millions in crypto.  So LastPass is that password manager where you can store all your passwords and stuff securely online.  But they got breached last year when someone stole an employee's credentials. Since then, hackers have been targeting LastPass users who might have kept their crypto wallet info on there - private keys, seed phrases etc.

According to the article, at least 25 LastPass users were hit and the hackers made off with about $4.4 million in crypto across different blockchains - Bitcoin, Ethereum, BNB, Arbitrum, Solana, Polygon... and users' wallets got completely cleaned out in just one day.  Can you imagine logging in one day and seeing your entire crypto portfolio gone?!

This is a wake up call if you've ever stored sensitive info like crypto keys on LastPass or similar services.  You gotta move your assets to a more secure spot, like a hardware wallet or something.  Seriously go do it! This stuff keeps happening over and over again. Don't be the next victim!

LastPass Hack Victims Lose $4.4M in a Single Day (https://www.coindesk.com/business/2023/10/30/lastpass-hack-victims-lose-44m-in-a-single-day/)

https://talkimg.com/images/2023/10/30/TOwVw.jpeg
https://x.com/zachxbt/status/1717901088521687330?s=20


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: BlackHatCoiner on October 30, 2023, 06:48:01 PM
Nobody should be using an online password manager; especially when it comes to sensitive information like private keys. There is no reason to trust intermediaries when you have cryptography. Install KeePassXC (https://keepassxc.org/) on both your main computer and your mobile. Use a strong password to encrypt both password databases. Back them up. Both the database(s) (digitally) and the encryption pass (on paper).


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: tjtonmoy on October 30, 2023, 06:51:42 PM
I have once backed up my phrase key in an online notepad platform called Evernote. I have used it for a couple of months and after some time my wallet was hacked. Some kind of script or something was implemented in my wallet. Every time I try to deposit any native token like ETH, BNB or BTC, they were automatically sent out to a specific wallet address that belongs to the hacker. After that I have done my research and found out that it is highly risky to keep any backup online.

Everything that is related to internet, anything could happen to them at any time. Doesn't matter how secure it is or how much you trust the platform, it is not 100% sure that nothing will happen to them. Not your key, not your coin. So how can you trust your key to someone else. Online platforms are not immune to hacking. No matter how much secure it is if the right person chooses to hack it then of course he can. So be aware and make offline backups.

I don't have any online backup of my phrase key. So I have nothing to worry about.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: The Cryptovator on October 30, 2023, 06:59:15 PM
Each of us would have a different view, but I think it will be a stupid decision to store your cryptographic credentials with a third party. I don't believe any third party when it's related financially. I don't even feel comfortable using a custodial wallet. Why should we hand over our wallet credentials to a third party? Can't we write our wallet credentials in our personal notebook? If we can't secure our wallet credentials, then we don't have the right to use crypto. There are many trusted non-custodial wallets, but we need to secure the seed phrase. Otherwise, we can't secure our funds anyway. However, this is a lesson and an important notice for crypto users. Just avoid such actions.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Odohu on October 30, 2023, 07:03:53 PM
The first thing anyone venturing into Internet related business should learn is security. By security, the issue of centralized and decentralized platforms should be taken seriously.  This hack has just proven once again that centralized platforms are not safe no matter how one views it.

I honestly wonder how someone will save sensitive information in an online platform. Anything connected to the Internet is already at risk, how much sensitive information that are willingly given to a third party.

Well, their loss is a lesson to others and I hope they recover the funds.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: bitmover on October 30, 2023, 07:05:55 PM
LastPass is hacked every year or so. I don't get why people use such software without doing any kind of research.

LastPass is not safe.

Quote
https://www.pcworld.com/article/1419901/lastpass-got-hacked-again-and-this-time-your-data-got-taken.html

 An investigation has so far revealed that the breach stemmed from knowledge gained during the August 2022 incident, and that “certain elements of customers’ information” have been accessed.

..

LastPass has suffered hacks of its service in previous years, with notable incidents including 2015’s unauthorized access of user account email addresses, password reminders, and authentication hashes. Other security lapses include 2017’s browser extension vulnerability, which allowed websites to steal passwords. In 2019, the same security researcher who discovered the 2017 issue also discovered another browser extension vulnerability that allowed the last used password to be leaked. The company has even made communication bumbles, like security alert emails sent to customers unaffected by a credential stuffing attack.

And the list goes on!

I am now using ProtonPass, which I believe is a more serious company. But nobody should store seeds or private keys in a password manager.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Charles-Tim on October 30, 2023, 07:06:53 PM
With how LastPass has been since many months ago after hackers were able to have access to millions of users' encrypted backups, some people were still thinking something like this will not happen.

Probably many of the encrypted backups have been decrypted.

This has begun since August 22, 2022 and now finally.

https://www.kiplinger.com/personal-finance/lastpass-hack

Do not trust online backups because anything online can be hacked. Offline backups are secure enough.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: AmoreJaz on October 30, 2023, 07:10:42 PM
Each of us would have a different view, but I think it will be a stupid decision to store your cryptographic credentials with a third party. I don't believe any third party when it's related financially. I don't even feel comfortable using a custodial wallet. Why should we hand over our wallet credentials to a third party? Can't we write our wallet credentials in our personal notebook? If we can't secure our wallet credentials, then we don't have the right to use crypto. There are many trusted non-custodial wallets, but we need to secure the seed phrase. Otherwise, we can't secure our funds anyway. However, this is a lesson and an important notice for crypto users. Just avoid such actions.

people need to learn their lessons the hard way before they will come to their senses that using third party platforms is not the way to secure their funds or any other asset. it is always best to have total control of your assets by using noncustodial wallets. if you think you can't secure your seed phrases or passwords, maybe this asset is not for you. this is why i believe, a lot are still opting to use traditional banks because they don't want to be responsible for the security of their funds, and someone is taking care of the storage for them.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: BitMaxz on October 30, 2023, 07:42:06 PM
I have once backed up my phrase key in an online notepad platform called Evernote. I have used it for a couple of months and after some time my wallet was hacked. Some kind of script or something was implemented in my wallet. Every time I try to deposit any native token like ETH, BNB or BTC, they were automatically sent out to a specific wallet address that belongs to the hacker. After that I have done my research and found out that it is highly risky to keep any backup online.


That's pretty bad for storing sensitive keys any online site or 3rd party password manager always has risk and is vulnerable to any attacks.
I've used Evernote before for SEO purposes but not for storing any passwords or keys it makes your notes public or I think the owner of Evernote reads them.

The best storage for saving your seed backup or private keys digitally is by saving them into an offline device like old phones, encrypted USB flash drive or CD/DVD is also good storage if you want to save your keys for a long-term.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: darkangel11 on October 30, 2023, 07:52:56 PM
LastPass is hacked every year or so. I don't get why people use such software without doing any kind of research.

LastPass is not safe.

Online password managers are great if you know what you're doing.
Some of the things I've safely used them for:
-burner emails
-news sites that required an account to see the content
-online stores where you can buy without registering, but an account allows me to monitor my package
-sites that I knew I wouldn't use, but wanted to check out

Why wouldn't I use a normal password?
Because I have maybe 4 that I use in different combinations like with dates and special signs and I don't want to compromise them because those are the ones I always remember.
For the rest of them I use generated passwords or things that come to my mind at the time. Say I eat chicken with rice so my password will be chickenrice66 or something like that.
I don't remember these passwords after a week or so, and the password manager comes in handy.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: digaran on October 30, 2023, 08:31:53 PM
So, people use online services to store their seed phrases/private keys? Ok, why don't you guys just give me your keys, I promise to keep them safe, whenever you wanted to access them, just give me the password, and I will let you access them.


I want to know what is the difference between me and LastPass? Fine, I know I can't be there for you 24/7, but the security of your private keys is equal to the security of LastPass, why? Because of human element involved.

How can we educate people about this issue of trusting third parties with their funds? We'll grow white hair and die, people will continue to trust strangers, at least when you teach kids not to go with strangers they'd learn and listen, crypto community is less than kids in learning? Disappointment!


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Stalker22 on October 30, 2023, 08:43:00 PM
The first thing anyone venturing into Internet related business should learn is security. By security, the issue of centralized and decentralized platforms should be taken seriously.  This hack has just proven once again that centralized platforms are not safe no matter how one views it.

I honestly wonder how someone will save sensitive information in an online platform. Anything connected to the Internet is already at risk, how much sensitive information that are willingly given to a third party.

Well, their loss is a lesson to others and I hope they recover the funds.

But it is a password manager! The main thing they are supposed to do is keep people's private stuff safe.  And LastPass was really popular and had a good reputation and tons of users, so how could they mess up security that bad? I mean sure there are better options like that KeePassXC, but you still gotta trust whoever makes it.  I know it's open source so anyone can check the code, but not everyone can do that.

To be honest, I don't even know if there is a viable alternative to a password manager, since we all deal with hundreds of different passwords almost every day.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: headingnorth on October 30, 2023, 08:46:10 PM
This is why you should not use closed source software for storing any sensitive information like passwords.

Also why you should never use a hardware wallet that is NOT open source such as Ledger hardware wallet, which had at least one or two data breaches in the past.

The moral of the story is -- stay far away from closed source products such as Lastpass and Ledger!


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: tjtonmoy on October 30, 2023, 08:55:07 PM
That's pretty bad for storing sensitive keys any online site or 3rd party password manager always has risk and is vulnerable to any attacks.
I've used Evernote before for SEO purposes but not for storing any passwords or keys it makes your notes public or I think the owner of Evernote reads them.

The best storage for saving your seed backup or private keys digitally is by saving them into an offline device like old phones, encrypted USB flash drive or CD/DVD is also good storage if you want to save your keys for a long-term.
Yeah, I know. I have learned it the hard way. There is another method that I have come up with for storing a private key online. Not the best and not the most secure one but it could provide a great amount of security against hackers. It is hard to crack. Although I'm not going to reveal my whole secret but I will share another one that could give us the same kind of security.

We have 12 or 24 words in a private key. We can divide them into four or eight parts. We have three words in a group like that. We can easily randomize this group like 4213. After that we just need to remember this sequence of 4213. Then we can add four, five, six or even ten words between each group. That way we'll have a long list of words. If you put that list on the internet and the sequence is only known to you then it will be hard for any hackers to crack it. So I don't think keeping your private key online is a risk if it's done right.

That way we are immune to losing it and can access it anywhere we go. Because anything that is physical could be destroyed or lost. But multiple online backups could be accessed easily. Although this sounds so easy and theoretically it can't be cracked, I will never suggest anyone to back up their private key online.
I have suffered it so I know how it feels. Recently I am using an air-gapped device for storing my key and storing my assets.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: sokani on October 30, 2023, 09:00:24 PM
This is a wake up call if you've ever stored sensitive info like crypto keys on LastPass or similar services.  You gotta move your assets to a more secure spot, like a hardware wallet or something.  Seriously go do it! This stuff keeps happening over and over again. Don't be the next victim!
LastPass password manager is closed source and I don't know why someone would trust such an app with the safe storage of his/her seed phrase, private keys and other sensitive information. I could store my login details of websites in a password manager but what I will not do is to store the seed phrase of my wallet in it. Even if LastPass were to be an open source application, I'm totally against the idea of storing the seed phrase online. I don't know how difficult it is for people to just write down their seed phrase on a piece of paper and keep it safe.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: hugeblack on October 30, 2023, 09:02:23 PM
It is a shame that a service that keeps your private data secure could be hacked in this way. After that, the announcement is from the 25th. Therefore, unless you follow the news, you may end up being the last to know. In general, I do not trust password management programs and it is better to use one of them. Provided that it is not online, that it is open source, and that you can set it up in an environment that will not be connected to the Internet.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: suzanne5223 on October 30, 2023, 09:09:02 PM
Bad news, folks! I just saw this article about how a bunch of LastPass users got hacked and lost millions in crypto.  So LastPass is that password manager where you can store all your passwords and stuff securely online. 
LastPass is not a platform to store passwords and stuff securely online, if it was the platform wouldn't have experienced hacks 3 times within 14 months because hackers can only manipulate or tamper platform with no code vulnerabilities or simultaneously upgrade their system but the company used their data encryption and multi-factor authentication options to gain the attention of a lot of cryptocurrency investors.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Broadanbig on October 30, 2023, 09:20:57 PM
Thank you for this update. People who have saved their keys with LastPass should do the needful immediately to avoid losing their assets. This is yet another case that vindicates the need to save your keys privately without involving a third party. From the comments and replies I have read so far, it seems LastPass has been prone to hacks and there has been back-to-back hacking recurring without much resistance. Does it mean that they never bother or care about the data and details of their users very much important to always be a target of hackers on a regular basis. Possibly, there must be a rat in the house.

Third parties should not be the right resolution to saving passwords and sensitive information as they cannot guarantee their own safety, not to talk of customers' safety. Many third parties have suffered hacks and as a result of that, lost huge amounts of funds under their custody and some have not been able to recover from the incident while some are gradually standing back on their feet. The series of hacks should be a lesson to the crypto community to start practicing self savings and self custody of assets and funds.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: bitmover on October 30, 2023, 10:12:34 PM
LastPass is hacked every year or so. I don't get why people use such software without doing any kind of research.

LastPass is not safe.

Online password managers are great if you know what you're doing.

Everyone needs a password manager. They are great and they add much more security, as they generate passwords automatically.

The problem is that LastPass is not safe by itself.  You want to use a password manager. Just don't get the worst one.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: headingnorth on October 30, 2023, 10:20:18 PM
It seems crazy to me why anyone would store such a large amount of assets in a password manager
that is widely known to have serious security issues. Do people not read the news?

I would never use a Ledger again for the same reasons: Ledger is not only closed source but also suffered data breaches in the past.
Ledger was the first hardware wallet I ever used back in 2018 but switched to Trezor last year due to Ledger's widely reported security problems.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Minor Miner on October 30, 2023, 10:50:35 PM
This is a wake up call if you've ever stored sensitive info like crypto keys on LastPass or similar services.  You gotta move your assets to a more secure spot, like a hardware wallet or something.  Seriously go do it! This stuff keeps happening over and over again. Don't be the next victim!
LastPass password manager is closed source and I don't know why someone would trust such an app with the safe storage of his/her seed phrase, private keys and other sensitive information. I could store my login details of websites in a password manager but what I will not do is to store the seed phrase of my wallet in it. Even if LastPass were to be an open source application, I'm totally against the idea of storing the seed phrase online. I don't know how difficult it is for people to just write down their seed phrase on a piece of paper and keep it safe.

Lastpass is a password manager that keeps getting hacked every year, but it's baffling that so many people still choose it.

I agree with you, whether open source and confirmed safe or never hacked, but using online storage platforms to store seed phrases is a bad idea. I don't know what method people use to store it, but in my opinion, it's best that Seed Phrase is always stored offline. There is no guarantee those online platforms will never be hacked. Password managers should only be used to store simple passwords, they should not be used to store extremely important things like seed phrases.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: TranTrongit on October 30, 2023, 11:17:11 PM
Nobody should be using an online password manager; especially when it comes to sensitive information like private keys. There is no reason to trust intermediaries when you have cryptography. Install KeePassXC (https://keepassxc.org/) on both your main computer and your mobile. Use a strong password to encrypt both password databases. Back them up. Both the database(s) (digitally) and the encryption pass (on paper).

I'm on an iPhone and do you have any app suggestions for iOS devices since I don't see KeePassXC for iOS or Android?


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Dr.Bitcoin_Strange on October 30, 2023, 11:29:29 PM
So LastPass is that password manager where you can store all your passwords and stuff securely online

So, what's this now? (Rhetorical). Anything that is usually online is not safe because it can easily be breached. Just one mistake, and those hackers will gain access to the security that can make them steal a whole lot of money, like they have done from LastPass. Ledger Hardware Wallet tried to introduce the cloud storage of private keys, but after receiving some criticism, they did not further the plans again. But according to what I read on Cointelegraph (http://), they (ledger hardware) were supposed to roll out a cloud-based private key recovery tool this month, which I don't intend to use that wallet due to their crazy idea. Who knows if they will also get back one day because of that new invention?

The safest way to secure an asset is to keep every bit of their secret information offline. Create your Bitcoin address and generate your private key or secret phrase on an AirGap device, and let it only be your cold storage wallet.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: selezneve on October 30, 2023, 11:41:02 PM
This is just the beginning, such incidents will only rise from here. Hackers are targeting everything related to crypto that can be targeted in bulk. This is because even old people are associated with crypto and they are easy targets of these hackers.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Sarah Azhari on October 31, 2023, 12:03:09 AM
So LastPass is that password manager where you can store all your passwords and stuff securely online. 
There is nothing too good when keeping the asset online. Whatever it is: data, password, money, and especially crypto, there is no point when we still keep and believe the application online. The example above (LastPass) is a small thing that we often hear. So when you are active on social media, you will hear more than above. Many users on social media did not exploit it because they were embarrassed and didn't want to look stupid. They still believe the cloud or any application password online is saving them from oblivion, but in fact it is not really safe; instead it makes them lose even more.

I don't know why people today are so lazy to write down passwords on paper, even if it's safer and they don't need money to subscribe to the application.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Kryptowerk on October 31, 2023, 01:15:42 AM
Bad news, folks! I just saw this article about how a bunch of LastPass users got hacked and lost millions in crypto.  So LastPass is that password manager where you can store all your passwords and stuff securely online.  But they got breached last year when someone stole an employee's credentials. Since then, hackers have been targeting LastPass users who might have kept their crypto wallet info on there - private keys, seed phrases etc.

According to the article, at least 25 LastPass users were hit and the hackers made off with about $4.4 million in crypto across different blockchains - Bitcoin, Ethereum, BNB, Arbitrum, Solana, Polygon... and users' wallets got completely cleaned out in just one day.  Can you imagine logging in one day and seeing your entire crypto portfolio gone?!

This is a wake up call if you've ever stored sensitive info like crypto keys on LastPass or similar services.  You gotta move your assets to a more secure spot, like a hardware wallet or something.  Seriously go do it! This stuff keeps happening over and over again. Don't be the next victim!

LastPass Hack Victims Lose $4.4M in a Single Day (https://www.coindesk.com/business/2023/10/30/lastpass-hack-victims-lose-44m-in-a-single-day/)

https://talkimg.com/images/2023/10/30/TOwVw.jpeg
https://x.com/zachxbt/status/1717901088521687330?s=20


This is sad but whoever stores their crypto backups / seeds / passwords to wallets etc in an ONLINE password manager totally misunderstood the self-custody aspect of crypto / Bitcoin.
I still believe password managers do have some value - for throwaway logins or stuff that is just very convenient to access via some basic account. Anything related to your identity or any real value does not belong there however.

Also, I do believe there are hardware solutions - didn't Trezor have a built-in password manager? Not sure if they continued this service, though


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Ale88 on October 31, 2023, 02:08:07 AM
I've been using a password manager for years (not LastPass by the way) because it's extremely useful, every time I need some kind of information it's right there, and I never had any problem. The only thing I would never store, no matter how much I trust the app, is the seed, it's just not worth taking such a big risk. If they steal some credit card info, ok, no problem, I'll get a refund, but if they steal your seed we all know how it ends.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: YUriy1991 on October 31, 2023, 03:36:06 AM
Good early warning from you OP.

Yes. It makes people very disappointed. I am 100 percent sure at this time there is no single system that is proven to be safe. Whatever that is. The mistake many people make is placing too much trust in recommendations and reviews written about a product.

Well, when it comes to online wallet services today, like those built into most exchanges, there is always a risk that the service will go out of business or steal our funds and claim that we revoked them.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: adaseb on October 31, 2023, 04:52:54 AM
It’s not only lastpass that you should avoid storing anything sensitive. Even having your passwords saved on your browser is risky because anyone with access to the computer whether remote or physical can easily uncover them without any additional passwords.

You really are better off just keeping your passwords in a diary somewhere in your house pretty much. Sure they are handy those password managers but all it will take is some bug and everyone’s private info can be stolen and leaked.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: FinneysTrueVision on October 31, 2023, 05:29:39 AM
Cloud storage is a really bad idea when it comes to backing up your Bitcoin private keys. There are many wallets which offer to back up your encrypted seed in the cloud but it is completely unnecessary. Your seed phrase written on paper or a metal plate and kept in a safe place is all you need to be able to restore access to your funds.

For password management there are much better solutions than LastPass including open source self-hosted options. Passwordless logins are even starting to become a thing.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Wind_FURY on October 31, 2023, 06:36:16 AM
Nobody should be using an online password manager; especially when it comes to sensitive information like private keys. There is no reason to trust intermediaries when you have cryptography. Install KeePassXC (https://keepassxc.org/) on both your main computer and your mobile. Use a strong password to encrypt both password databases. Back them up. Both the database(s) (digitally) and the encryption pass (on paper).


I never used LastPass, I was actually very surprised that their app doesn't let their users store their data locally. Or do they, and online storage is merely one of its features for convenience and accessibility?

But OK, I would probably use something like that for hot-wallets containing small amounts of Bitcoin for playing Craps in a casino, but never for storing my Bitcoin life-savings.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: davis196 on October 31, 2023, 07:05:54 AM
I don't use LastPass. I don't even keep important passwords in my browser's password manager.
All the important passwords are stored in my head. ;D LastPass being hacked proves that you can't trust any centralized entity with your sensitive information. It's weird that LastPass was hacked last year, but I haven't heard anything about this event.
There must be a way for the victims of this hack to find out who emptied their wallets. I'm sure that the police will find the hackers sooner or later.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: NotATether on October 31, 2023, 07:08:54 AM
Lastpass does PBKDF2 on your password before storing it so if your Lastpass settings had at least 100k rounds (the default since like 2018, and also the value before the breach happened) configured and you used a super-strong password, or even a mildly strong password, it will take centuries for hackers to break into your vault.

It is likely that the hacked accounts were using some lower rounds of PBKDF2 - for a long time, Lastpass had it set to about 5000 or something, and then raised the default value over the years. Now it's 600k, but that's hardly relevant as the vaults have been stolen already.

Also if you even think about storing sensitive things like seed phrases online, you better encrypt it with a second layer of encryption such as GPG. There's no way anyone is ever going to break through that if you secure it properly. But still move your funds anyway if you can do it safely.
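
The relationship between PBKDF2 rounds and password strength discussed in the post above, as an added example that is not part of the original post. HMAC-SHA256 as the PBKDF2 hash, the salt, the sample password and the attacker speed are assumptions made for illustration.

```python
import hashlib
import math
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Iteration counts mentioned in the post above.
ROUNDS = {"about 5000 (older setting)": 5_000, "100k": 100_000, "600k": 600_000}

# ASSUMPTION: number of HMAC-SHA256 rounds per second an attacker sustains.
# This is a constructed figure for the arithmetic, not a measurement.
ASSUMED_ROUNDS_PER_SECOND = 1e10


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_derivation(iterations: int) -> float:
    """Time one derivation on this machine (what the legitimate user pays)."""
    start = time.perf_counter()
    derive_vault_key("constructed sample password", b"constructed-salt", iterations)
    return time.perf_counter() - start


def average_crack_years(entropy_bits: float, iterations: int,
                        rounds_per_second: float = ASSUMED_ROUNDS_PER_SECOND) -> float:
    """Expected years to find a password of the given entropy.

    On average half of the 2**entropy_bits candidates are tried, and each
    candidate costs `iterations` rounds.
    """
    expected_guesses = 2 ** entropy_bits / 2
    return expected_guesses * iterations / rounds_per_second / SECONDS_PER_YEAR


def bits_gained_by_rounds(old_iterations: int, new_iterations: int) -> float:
    """Raising the round count is worth this many extra bits of password entropy."""
    return math.log2(new_iterations / old_iterations)


def work_factor_table(entropy_levels=(30, 50, 70)) -> dict:
    """Years to crack for each round setting and each password strength."""
    return {
        label: {bits: average_crack_years(bits, n) for bits in entropy_levels}
        for label, n in ROUNDS.items()
    }


if __name__ == "__main__":
    for label, n in ROUNDS.items():
        print(f"{label:>28}: {seconds_per_derivation(n) * 1000:8.1f} ms per unlock here")
    print()
    for label, row in work_factor_table().items():
        cells = ", ".join(f"{bits} bits: {years:.2e} y" for bits, years in row.items())
        print(f"{label:>28}: {cells}")
    gain = bits_gained_by_rounds(5_000, 600_000)
    print(f"\n5000 -> 600k rounds is worth about {gain:.1f} bits of password entropy")
```

The round count only multiplies the attacker's cost linearly, so a weak master password stays weak at any setting, while each extra bit of password entropy doubles the cost.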


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: aoluain on October 31, 2023, 07:32:28 AM
✂️
 So LastPass is that password manager where you can store all your passwords and stuff securely online. 
✂️

Can you imagine logging in one day and seeing your entire crypto portfolio gone?!

✂️


It certainly does keep happening, I can't believe that firstly someone or a group of
people would offer this service and secondly that other people would actually
use it and put 100% faith into a platform just because they said it was a secure
way to store your info and out of laziness.

I wonder if those people who got hacked had a face palm moment when they realised
the error they made in not taking full control of their info.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Blitzboy on October 31, 2023, 08:11:54 AM
This situation is really annoying! This is yet another break, loss, or breach of trust that we are talking about. LastPass was meant to be a stronghold, but it was broken into, and the results were terrible. That's a lot of crypto lost for nothing. A fake sense of safety? It gets old and annoying hearing about security leaks over and over again.

Because of this event, we need to take a hard look at our security measures and make some changes. Moving assets isn't enough; we need to completely rethink how we do things. Hardware wallets add an extra level of protection and control that is badly needed. People are being seriously asked to step up and protect possessions. We shouldn't be lazy. Let's act, protect, and secure.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: arwin100 on October 31, 2023, 08:29:52 AM
So LastPass is that password manager where you can store all your passwords and stuff securely online. 
There is nothing too good when keeping the asset online. Whatever it is: data, password, money, and especially crypto, there is no point when we still keep and believe the application online. The example above (LastPass) is a small thing that we often hear. So when you are active on social media, you will hear more than above. Many users on social media did not exploit it because they were embarrassed and didn't want to look stupid. They still believe the cloud or any application password online is saving them from oblivion, but in fact it is not really safe; instead it makes them lose even more.

I don't know why people today are so lazy to write down passwords on paper, even if it's safer and they don't need money to subscribe to the application.


Maybe for some accounts that don't deal with any financial matters then we can use those password managers to help us out store our password. But for using it to safekeep our important accounts which our money is there well I really have doubts about future security of those apps since we don't know how they will end up on future so usually on case like this I would rather use notebook and write all important information like password, private key and etc, then put it on my small vault for security. Really too bad there are still people believing it's safe since anything could happen on online apps whatever they say it's secured and can't get hacked.

People should not be lazy regarding dealing on their important accounts so that they would not regret the past actions and will not worry about any hacking especially if something hacking issues like this happen to a platform.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Yamane_Keto on October 31, 2023, 09:22:01 AM
Also if you even think about storing sensitive things like seed phrases online, you better encrypt it with a second layer of encryption such as GPG. There's no way anyone is ever going to break through that if you secure it properly. But still move your funds anyway if you can do it safely.
Adding a second layer of encryption would be good, but for a long time I have thought that the vulnerability is in Chrome extensions or other extensions. They are cute and add features to browsing, but they are bad in terms of privacy, and I honestly do not know how hackers can benefit from services like LastPass if they recommend that users add a second layer of encryption.

I have a theory that they are selling data and covering it up by saying that the service has been hacked.

LastPass password manager is closed source and I don't know why someone would trust such app with the safe storage of his/her seed phrase, private keys and other sensitive information.
People care about synchronization more than whether the service is closed or open source. People want to access all services from all devices without leaving the password for each device.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: NotATether on October 31, 2023, 10:08:14 AM
Also if you even think about storing sensitive things like seed phrases online, you better encrypt it with a second layer of encryption such as GPG. There's no way anyone is ever going to break through that if you secure it properly. But still move your funds anyway if you can do it safely.
Adding a second layer of encryption would be good, but for a long time I have thought that the vulnerability is in Chrome extensions or other extensions. They are cute and add features to browsing, but they are bad in terms of privacy, and I honestly do not know how hackers can benefit from services like LastPass if they recommend that users add a second layer of encryption.

I have a theory that they are selling data and covering it up by saying that the service has been hacked.

A password manager selling its own vaults which leads to major losses for its own customers? That's a bit far fetched if you ask me, because if that were true, it would certainly mean the end of LastPass (if not already).

As far as extensions go, you need to somehow make sure that first you download the real, authentic version, and I'm not really sure of the process for which to verify the signatures of what you are downloading. At least not for stuff on the Chrome Web Store.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: blckhawk on October 31, 2023, 10:46:34 AM
Such a disappointing product and service, I know that it's inevitable that breaches will happen but given that they've got breached so easily, it's just disappointing to me as I like the idea of password managers to help you in securing your accounts by having a diverse password without the worry of forgetting the access but it seems that things for me are going to change, you can't trust what they sell anymore, I guess I'm back to using pen and paper storage for my passwords. Christmas came early for these hackers with how much they've stolen from the users of LastPass.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: sokani on October 31, 2023, 02:06:28 PM
It seems crazy to me why anyone would store such a large amount of assets in a password manager
that is widely known to have serious security issues. Do people not read the news?
LastPass is not a wallet so no assets were kept there. The victims stored their seed phrase and private keys on the password manager which was compromised when LastPass got hacked.

I'm on an iphone and do you have any app suggestions for iOS devices since I don't see KeePassXC for iOS or Android?
I just went through KeePassXC website and it's not supported on mobile. KeePass, Padloc and Passbolt are open sourced password managers that are available on mobile versions. You can use them to save your passwords but I wouldn't advise you to save your seed phrase or private keys on them. For maximum security, anything seed phrase or private keys should be kept offline.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Smack That Ace on October 31, 2023, 02:42:48 PM

I'm on an iphone and do you have any app suggestions for iOS devices since I don't see KeePassXC for iOS or Android?
I just went through KeePassXC website and it's not supported on mobile. KeePass, Padloc and Passbolt are open sourced password managers that are available on mobile versions. You can use them to save your passwords but I wouldn't advise you to save your seed phrase or private keys on them. For maximum security, anything seed phrase or private keys should be kept offline.

Also, I just visited KeePassXC's website, they don't have a mobile version but they directly recommend apps for 2 popular phone operating systems. Strongbox and KeePassium for iOS, KeePassDX and KeePass2Android for Android operating system. I haven't tried these apps yet but it's worth a try. But even if they are open source and secure, we should never store important things like private keys there. As for the seed phrase and private key, there is no safer way to store them than keeping them offline at all times.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: coolcoinz on October 31, 2023, 05:12:06 PM
This is sad but whoever stores their crypto backups / seeds / passwords to wallets etc in an ONLINE password manager totally misunderstood the self-custody aspect of crypto / Bitcoin.
I still believe password managers do have some value - for throwaway logins or stuff that is just very convenient to access via some basic account. Anything related to your identity or any real value does not belong there however.

Also, I do believe there are hardware solutions - didn't Trezor have a built-in password manager? Not sure if they continued this service, though

I believe that not all of these people had their seeds in LastPass. Some of them might have their exchange and email logins and passwords. This allowed the attackers to access their exchange accounts and withdraw money.
Currently people are holding cryptocurrencies on lending and staking platforms as well and it's enough to have access to email account to reset password on these sites and withdraw funds, since the confirmation often comes to that same email.

Also, don't underestimate people. They still fall victim to emails sent by Nigerian princes and send money to new investment platforms promoted by Elon Musk and Jeff Bezos ;)


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Stalker22 on October 31, 2023, 09:55:06 PM
This is sad but whoever stores their crypto backups / seeds / passwords to wallets etc in an ONLINE password manager totally misunderstood the self-custody aspect of crypto / Bitcoin.
I still believe password managers do have some value - for throwaway logins or stuff that is just very convenient to access via some basic account. Anything related to your identity or any real value does not belong there however.

Also, I do believe there are hardware solutions - didn't Trezor have a built-in password manager? Not sure if they continued this service, though

I believe that not all of these people had their seeds in LastPass. Some of them might have their exchange and email logins and passwords. This allowed the attackers to access their exchange accounts and withdraw money.
Currently people are holding cryptocurrencies on lending and staking platforms as well and it's enough to have access to email account to reset password on these sites and withdraw funds, since the confirmation often comes to that same email.

Also, don't underestimate people. They still fall victim to emails sent by Nigerian princes and send money to new investment platforms promoted by Elon Musk and Jeff Bezos ;)

That is my thinking too. It has been over a year since the LastPass hack happened.  There is no telling what kind of data the hackers got their hands on in that time and I'd bet the farm that the database has spread all over the dark web at this point, with hundreds or maybe thousands of shady characters trying to crack it and to get into those accounts.

I bet most LastPass users probably didn't even know their info was stored in the cloud.  Your average LastPass user likely isn't tech savvy.  They installed the extension without thinking twice about where their data would go. The browser extension works in the background - and not much different than the built-in password manager.  And let us not forget that LastPass was supposed to be mega secure too.  Tons of pros said it was top of the line.  Whether that's true or not, LastPass was definitely the popular choice for managing passwords.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Bananington on October 31, 2023, 10:55:35 PM
This is sad but whoever stores their crypto backups / seeds / passwords to wallets etc in an ONLINE password manager totally misunderstood the self-custody aspect of crypto / Bitcoin.
I still believe password managers do have some value - for throwaway logins or stuff that is just very convenient to access via some basic account. Anything related to your identity or any real value does not belong there however.

Also, I do believe there are hardware solutions - didn't Trezor have a built-in password manager? Not sure if they continued this service, though

I believe that not all of these people had their seeds in LastPass. Some of them might have their exchange and email logins and passwords. This allowed the attackers to access their exchange accounts and withdraw money.
Currently people are holding cryptocurrencies on lending and staking platforms as well and it's enough to have access to email account to reset password on these sites and withdraw funds, since the confirmation often comes to that same email.

Also, don't underestimate people. They still fall victim to emails sent by Nigerian princes and send money to new investment platforms promoted by Elon Musk and Jeff Bezos ;)

That is my thinking too. It has been over a year since the LastPass hack happened.  There is no telling what kind of data the hackers got their hands on in that time and I'd bet the farm that the database has spread all over the dark web at this point, with hundreds or maybe thousands of shady characters trying to crack it and to get into those accounts.

I bet most LastPass users probably didn't even know their info was stored in the cloud.  Your average LastPass user likely isn't tech savvy.  They installed the extension without thinking twice about where their data would go. The browser extension works in the background - and not much different than the built-in password manager.  And let us not forget that LastPass was supposed to be mega secure too.  Tons of pros said it was top of the line.  Whether that's true or not, LastPass was definitely the popular choice for managing passwords.

This makes me fear for those of us who store our passwords on browsing apps. This will definitely be a motivation to those who still retained their conservative lifestyle of journaling.
Anyway, anyone who doesn't notice their BTC or Crypto assets stolen from this LastPass hack, doesn't really care about their asset. This is also why notifications and authentication apps should be used so as to assure safety of any crypto based asset of such.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: serjent05 on October 31, 2023, 11:14:59 PM
I remember someone in the forum suggesting Lastpass to use to secure their password way back years ago.   Luckily, I did not follow that suggestion.  For me, any online storage has a high possibility of getting hacked.  If it is secure today, we don't know if it is still secure in the next years.  Hackers are getting smarter by the day, if the security does not evolve then it is more likely that it can be breached one day.  Just like what happens in LastPass.

One lesson should be learned here, storing anything in cloud services is susceptible to hacking so we should avoid using this kind of service if we can.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Iron Fist on November 01, 2023, 12:08:29 AM
I'm on an iphone and do you have any app suggestions for iOS devices since I don't see KeePassXC for iOS or Android?

KeePassXC is like a total rewrite of the original KeePass password manager.  The developers rewrote everything from scratch so it could work natively on Linux, Windows, and Mac instead of just Windows. But turns out the developers decided not to make their own mobile app because there's already some really good KeePass apps for Android and iPhone. 

For Android, they recommend KeePassDX (https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) or KeePass2Android (https://play.google.com/store/apps/details?id=keepass2android.keepass2android).  Both seem solid based on reviews. 

And on iPhone Strongbox (https://itunes.apple.com/us/app/strongbox-password-safe/id897283731) or KeePassium (https://apps.apple.com/us/app/keepassium-keepass-passwords/id1435127111) are their top picks.  I checked out Strongbox briefly and it looked slick and simple to use.

Anyway, the key thing is that all these mobile apps are open source and compatible with KeePassXC.  So they can sync up and work together nicely.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: vinc3 on November 01, 2023, 06:53:13 AM
Dang~~~ Lesson learned once again. Hackers will always be there looking at the weakness and it's our task to safeguard our passcodes. It is sad that maybe owners use hardware wallet yet they still put their keys online what's the point in doing so. That might be their retirement or future of their children that we are talking about, nevertheless let's just learn once again on this kind of incidents.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Fivestar4everMVP on November 01, 2023, 07:16:47 AM
I am just coming across this news right now, and need I say that this is absolutely shocking? This is indeed shocking, as I myself have been a very active user of LastPass all through 2018 to (I think 2021), and even up until now, some of the passwords to my email addresses are still passwords obtained from LastPass.

I sure have not noticed anything like a hack on any of my emails but I guess this is a warning for me to change them, though I am no longer using LastPass, but somehow, I think these passwords may still be on their platform, thank you OP for bringing this topic up here, this is indeed a wakeup call for us all, I also will be working on buying my first hardware wallet, all these online hacks have become one too many to not give attention to.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: laurenB7742 on November 01, 2023, 07:29:57 AM
I am just coming across this news right now, and need I say that this is absolutely shocking? This is indeed shocking, as I myself have been a very active user of LastPass all through 2018 to (I think 2021), and even up until now, some of the passwords to my email addresses are still passwords obtained from LastPass.

I sure have not noticed anything like a hack on any of my emails but I guess this is a warning for me to change them, though I am no longer using LastPass, but somehow, I think these passwords may still be on their platform, thank you OP for bringing this topic up here, this is indeed a wakeup call for us all, I also will be working on buying my first hardware wallet, all these online hacks have become one too many to not give attention to.

I'm also a fan of Lastpass but this isn't the first time they've been hacked and their customer data stolen. Almost every year I hear about this password manager being hacked and I have given up on it since 2020 until now. It's the worst app I've ever used.

Owning a hardware wallet is definitely something any bitcoin investor should do. But what's more important in this story is that we should never store seed phrases or important things using online storage services. The risks of online storage are too great and we should not risk it just for the sake of convenience.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: FatFork on November 01, 2023, 08:32:03 AM
I am just coming across this news right now, and need I say that this is absolutely shocking? This is indeed shocking, as I myself have been a very active user of LastPass all through 2018 to (I think 2021), and even up until now, some of the passwords to my email addresses are still passwords obtained from LastPass.

I sure have not noticed anything like a hack on any of my emails but I guess this is a warning for me to change them, though I am no longer using LastPass, but somehow, I think these passwords may still be on their platform, thank you OP for bringing this topic up here, this is indeed a wakeup call for us all, I also will be working on buying my first hardware wallet, all these online hacks have become one too many to not give attention to.

I'm also a fan of Lastpass but this isn't the first time they've been hacked and their customer data stolen. Almost every year I hear about this password manager being hacked and I have given up on it since 2020 until now. It's the worst app I've ever used.

Well, I wouldn't exactly say LastPass is the worst app I've ever used, because it did many things right.  Their password generation and seamless integration with browsers was great.  But that's worthless if your private info gets compromised.

If you still use this password manager (or did in the past but reuse those passwords), the best course of action would be to switch to something like KeePassXC or KeePass2.  And change all the passwords LastPass saved, like right now.  If this news about hacked wallets connects to LastPass's hack last year there's no telling what other info could get exposed later.  Things may look okay today but your credentials are still at risk.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Wend on November 01, 2023, 09:36:08 AM
I am just coming across this news right now, and need I say that this is absolutely shocking? This is indeed shocking, as I myself have been a very active user of LastPass all through 2018 to (I think 2021), and even up until now, some of the passwords to my email addresses are still passwords obtained from LastPass.

I sure have not noticed anything like a hack on any of my emails but I guess this is a warning for me to change them, though I am no longer using LastPass, but somehow, I think these passwords may still be on their platform, thank you OP for bringing this topic up here, this is indeed a wakeup call for us all, I also will be working on buying my first hardware wallet, all these online hacks have become one too many to not give attention to.

I'm also a fan of Lastpass but this isn't the first time they've been hacked and their customer data stolen. Almost every year I hear about this password manager being hacked and I have given up on it since 2020 until now. It's the worst app I've ever used.

Well, I wouldn't exactly say LastPass is the worst app I've ever used, because it did many things right.  Their password generation and seamless integration with browsers was great.  But that's worthless if your private info gets compromised.

If you still use this password manager (or did in the past but reuse those passwords), the best course of action would be to switch to something like KeePassXC or KeePass2.  And change all the passwords LastPass saved, like right now.  If this news about hacked wallets connects to LastPass's hack last year there's no telling what other info could get exposed later.  Things may look okay today but your credentials are still at risk.


I'm not a tech person, but can you help me understand a little, what's the difference between Lastpass and these applications? Currently, I'm using bitwarden password manager and it's also open source, but I don't know if it's more secure enough than Lastpass. In addition, I saw that the reddit community recently announced that the most voted application is Totalpassword, do you know about it?

Of course, I use them to store passwords because memorizing or storing hundreds of passwords manually is not easy, and I never use it to store my seed phrases.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: libert19 on November 01, 2023, 09:43:53 AM
I used to use LastPass as primary password manager, couple months ago I moved everything sensitive after reading Taylor Monahan's tweet, she mentioned LastPass was common link in drained accounts long before ZachXBT that you have quoted, it's just that she was unsure then if it was really the cause.

I had to manually move entries, because lastpass export does not work correctly, entries kept missing. I wonder myself why did I use this password manager who can't get basic thing right.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: riantolie on November 01, 2023, 10:23:59 AM
That's why I keep my seed phrase and password from OWNR wallet on paper. You never want to keep things like that online. My social media data is in Excel, but I wouldn't feel safe to keep my seed phrase like that.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: kingvirtus09 on November 01, 2023, 11:13:01 AM
Yes, the last pass was really hacked last year in the month of December. But even though that happened, LastPass was still able to protect their customers' data using strong encryption, and it was not compromised as far as I know.

Maybe if there are still users who will use their last pass despite the events of the issue last year, it would be better for them to update their last pass accounts to the latest version. But if I'm the only one who can follow you, find someone else because there's already been a hole or it's still damaged somehow.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: n00ber on November 01, 2023, 11:27:24 AM
Yes, the last pass was really hacked last year in the month of December. But even though that happened, LastPass was still able to protect their customers' data using strong encryption, and it was not compromised as far as I know.

Maybe if there are still users who will use their last pass despite the events of the issue last year, it would be better for them to update their last pass accounts to the latest version. But if I'm the only one who can follow you, find someone else because there's already been a hole or it's still damaged somehow.

If Lastpass can protect user data and it is not compromised then is the article the OP is referring to fake? If that article is not true, I believe Lastpass will object and even sue because it will ruin their reputation. There is no need to update to the latest version, but people using Lastpass should delete their account and all data on that app. To avoid worse accidents in the future. Lastpass is showing its weaknesses in the same area as other applications.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Bushdark on November 01, 2023, 11:59:16 AM
I remember someone in the forum suggesting Lastpass to use to secure their password way back years ago.   Luckily, I did not follow that suggestion.  For me, any online storage has a high possibility of getting hacked.  If it is secure today, we don't know if it is still secure in the next years.  Hackers are getting smarter by the day, if the security does not evolve then it is more likely that it can be breached one day.  Just like what happens in LastPass.

One lesson should be learned here, storing anything in cloud services is susceptible to hacking so we should avoid using this kind of service if we can.

I have always been a conscious person when it comes to online password backup. This is never a good option for anyone because the consequences can be bigger than what we have ever seen. I don't even back up any of my important passwords or whatever on any password backup store or even on an email. If everything gets hacked, we might lose access to our important accounts and portfolios that could be worth so much more than what we expected. The LastPass hack had done outrageous reactions to people that were affected and I hope those who knew this earlier would have transferred their funds from their actual wallets.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: fuguebtc on November 01, 2023, 01:30:05 PM
I remember someone in the forum suggesting Lastpass to use to secure their password way back years ago.   Luckily, I did not follow that suggestion.  For me, any online storage has a high possibility of getting hacked.  If it is secure today, we don't know if it is still secure in the next years.  Hackers are getting smarter by the day, if the security does not evolve then it is more likely that it can be breached one day.  Just like what happens in LastPass.

One lesson should be learned here, storing anything in cloud services is susceptible to hacking so we should avoid using this kind of service if we can.

I have always been a conscious person when it comes to online password backup. This is never a good option for anyone because the consequences can be bigger than what we have ever seen. I don't even back up any of my important passwords or whatever on any password backup store or even on an email. If everything gets hacked, we might lose access to our important accounts and portfolios that could be worth so much more than what we expected. The LastPass hack had done outrageous reactions to people that were affected and I hope those who knew this earlier would have transferred their funds from their actual wallets.

If you don't use any password storage apps, how can you remember all your passwords? How can you use it when you're on a business trip, vacation, or away and need to access a few personal accounts? I think very few people wouldn't use a password manager, and using them isn't necessarily a bad thing. It is important that we choose open source, trustworthy applications...and apps from Keepass are among the password managers worth using. Not all is bad.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Yamane_Keto on November 01, 2023, 02:05:20 PM

A password manager selling its own vaults which leads to major losses for its own customers? That's a bit far fetched if you ask me, because if that were true, it would certainly mean the end of LastPass (if not already).
The code is closed source, so I can make any claim and it will be difficult to prove otherwise. Facebook has sold user data and still has growth in its user base. I am certain that if FTX returns to work, you will find some people willing to trust them again, and this is not the first time LastPass has been hacked and may not be the last one


https://bitcointalk.org/index.php?topic=5424994.msg61386195#msg61386195
Even with an open-source option, you may need to add a second layer of encryption


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Assface16678 on November 01, 2023, 02:34:24 PM
That's why I don't ever trust even once in an online password manager. As an IT professional, I know the risk and danger of storing passwords or seed phrases in password managers. First,  of course, the application or website is being managed by other people; it of course has the risk of being breached or hacked. It is a common sense, especially now that hacking and scamming are prominent.


If you are a cryptocurrency holder and are storing seed phrases and passwords online, this is a wake-up call thanks to the topic, and op he discovered this news and posted it here immediately, so if you do that, then stop it right now, any minute, or anytime. We never know your passwords or valuable keys can be stolen by those who take advantage of the technology. Instead of relying on password managers or even an online note, find another option or way to keep your passwords or anything that is a credential to your accounts.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Iron Fist on November 01, 2023, 04:40:07 PM
Instead of relying on password managers or even an online note, find another option or way to keep your passwords or anything that is a credential to your accounts.

Personally, I use a password manager. It's convenient not having to remember passwords or use weak ones I can actually recall.  But I know everyone has their own system and not all are created equal from a security standpoint. I'm curious what your preferred method is and any password wisdom you'd share! How do you balance security and convenience when it comes to managing credentials?


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: decodx on November 01, 2023, 07:00:15 PM
<...>
I'm curious what your preferred method is and any password wisdom you'd share! How do you balance security and convenience when it comes to managing credentials?


Turn on two-factor authentication (2FA) anywhere you can.  It doesn't take much time to set up but gives you way more security.  Also, regularly review and update your passwords. That's a good practice, imho.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: laurenB7742 on November 02, 2023, 03:41:50 AM
I am just coming across this news right now, and need I say that this is absolutely shocking? This is indeed shocking, as I myself have been a very active user of LastPass all through 2018 to (I think 2021), and even up until now, some of the passwords to my email addresses are still passwords obtained from LastPass.

I sure have not noticed anything like a hack on any of my emails, but I guess this is a warning for me to change them. Though I am no longer using LastPass, somehow I think these passwords may still be on their platform. Thank you OP for bringing this topic up here; this is indeed a wake-up call for us all. I will also be working on buying my first hardware wallet; all these online hacks have become one too many to not give attention to.

I'm also a fan of Lastpass but this isn't the first time they've been hacked and their customer data stolen. Almost every year I hear about this password manager being hacked and I have given up on it since 2020 until now. It's the worst app I've ever used.

Well, I wouldn't exactly say LastPass is the worst app I've ever used, because it did many things right.  Their password generation and seamless integration with browsers was great.  But that's worthless if your private info gets compromised.

If you still use this password manager (or did in the past but reuse those passwords), the best course of action would be to switch to something like KeePassXC or KeePass2.  And change all the passwords LastPass saved, like right now.  If this news about hacked wallets connects to LastPass's hack last year there's no telling what other info could get exposed later.  Things may look okay today but your credentials are still at risk.


I deleted all my data as well as my Lastpass account as soon as I switched to another app, but I don't know if it was actually deleted from their servers, it's hard to know.

LastPass is also a reputable application, but the confusing thing is that in recent years they have been quite bad at protecting customer data. I say LastPass is the worst because compared to other password managers, they are the most attacked. Currently I'm also using the free version of Bitwarden but I see people mentioning KeePassXC quite a lot. Maybe I'll take the time to learn about it.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Ale88 on November 02, 2023, 03:56:44 AM
I don't use LastPass. I don't even keep important passwords in my browser's password manager.
All the important passwords are stored in my head. ;D
If the website is actually important it should have a 2FA feature as well; at that point even if you have the password you can't do much about it. Not sure what kind of memory you have but if your passwords are actual words it's not safe at all. If you are capable of remembering several passwords made with random letters, numbers and special characters then kudos to you, that's impressive.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Tony116 on November 02, 2023, 05:45:27 AM
Instead of relying on password managers or even an online note, find another option or way to keep your passwords or anything that is a credential to your accounts.

Personally, I use a password manager. It's convenient not having to remember passwords or use weak ones I can actually recall.  But I know everyone has their own system and not all are created equal from a security standpoint. I'm curious what your preferred method is and any password wisdom you'd share! How do you balance security and convenience when it comes to managing credentials?


If we only have a few passwords then we won't need a password manager but if we have hundreds of passwords to remember, then I don't believe anyone would not use any password manager. That's really hard to believe, and what's more, not every password manager is as vulnerable to hacking and as insecure as Lastpass. As some people have suggested like protonpass, bitwarden, KeepassXC...all are safe and worth using. But it's also important to note that extremely important things like seed phrases should absolutely not be stored there, avoid storing them online.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: FatFork on November 02, 2023, 07:18:46 AM
<cut>

I deleted all my data as well as my Lastpass account as soon as I switched to another app, but I don't know if it was actually deleted from their servers, it's hard to know.

I did the same. But the thing is, if our data is already leaked (even if it's in encrypted form) it doesn't matter if LastPass deleted everything from their servers. The data is already out there!

LastPass is also a reputable application, but the confusing thing is that in recent years they have been quite bad at protecting customer data. I say LastPass is the worst because compared to other password managers, they are the most attacked. Currently I'm also using the free version of Bitwarden but I see people mentioning KeePassXC quite a lot. Maybe I'll take the time to learn about it.

I believe the main difference between Bitwarden and KeePassXC is that the latter operates offline by default, while Bitwarden, just like LastPass, stores your data in the cloud. So KeePassXC is more secure. The downside is that if you want to sync your data across multiple devices, you'll have to set up backup solutions and handle security on your own.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: NotATether on November 02, 2023, 07:21:00 AM
I believe the main difference between Bitwarden and KeePassXC is that the latter operates offline by default, while Bitwarden, just like LastPass, stores your data in the cloud. So KeePassXC is more secure. The downside is that if you want to sync your data across multiple devices, you'll have to set up backup solutions and handle security on your own.

BitWarden can also be self-hosted. They provide installation scripts and a Docker image and all that. Preferably, if you have a server locally and a LAN, this is how you should be using BitWarden since it enables you to sync your passwords to all your other devices in the area, without even connecting to the internet in the process.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: legendbtc on November 02, 2023, 08:09:03 AM
I don't use LastPass. I don't even keep important passwords in my browser's password manager.
All the important passwords are stored in my head. ;D
If the website is actually important it should have a 2FA feature as well; at that point even if you have the password you can't do much about it. Not sure what kind of memory you have but if your passwords are actual words it's not safe at all. If you are capable of remembering several passwords made with random letters, numbers and special characters then kudos to you, that's impressive.

That is not only impressive but also extraordinary and I believe that very few people can actually do that. Even when we remember phone numbers, we can only remember a few phone numbers of our loved ones, while like me, there are hundreds of passwords and extremely complex passwords such as capital letters, numbers, characters...I don't think anyone will remember such passwords. I don't know if he was joking or telling the truth, because it's extremely difficult and also very dangerous because if we forget, there will be no second way to get it back.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Wend on November 02, 2023, 08:23:47 PM



Which Reddit community are you talking about? Anyway, without any detail I would assume most voted as most popular.



[1] https://bitcointalk.org/index.php?topic=5424994.msg61386195#msg61386195

Like I said, I'm not a tech person and I don't know the difference between these apps other than that bitwarden and Lastpass are different in open source and closed source. So I tried searching the reddit community to see which apps were best recommended. This is an article I found on reddit and Totalpassword is actually a fairly new name to me. And I also see people here talking about keepassXC more.

https://www.reddit.com/r/passwordmanagerapps/comments/17004y6/best_password_manager_according_to_reddit_in_2023/


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Ayers on November 03, 2023, 09:45:28 AM



Which Reddit community are you talking about? Anyway, without any detail I would assume most voted as most popular.



[1] https://bitcointalk.org/index.php?topic=5424994.msg61386195#msg61386195

Like I said, I'm not a tech person and I don't know the difference between these apps other than that bitwarden and Lastpass are different in open source and closed source. So I tried searching the reddit community to see which apps were best recommended. This is an article I found on reddit and Totalpassword is actually a fairly new name to me. And I also see people here talking about keepassXC more.

https://www.reddit.com/r/passwordmanagerapps/comments/17004y6/best_password_manager_according_to_reddit_in_2023/

I'm not an expert, but there are a few things I noticed after reading that Reddit link you mentioned:
1. It only lists online/cloud-based online password managers.
2. The user who created that list has been suspended.
3. It's weird that the user only provides a link to "Total Password" while he also mentions 4 different online password managers.
4. While checking the post, I accidentally refreshed the page and saw the message "Sorry, this post was removed by Reddit’s filters." which replaced the post.

Personally I'd recommend you forget what you've read since it seems shady.

P.S. For other readers, while Bitwarden has a self-host option, I expect average people wouldn't bother to set one up manually.

I can't access that link either, but I just tried Googling "Best password managers Reddit recommends in 2023" and it shows up to 4 to 5 similar topics and all of them recommend Total Passwords. I've also never heard of it before; I think it might be paid promotional posts rather than reviews from real Reddit users. Aside from a brief introduction to the pros and cons of each app, those threads don't provide any evidence that Reddit users participated in the voting.

I'm also using bitwarden but I don't know how to use the self-host option ;D ;D.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: KiaKia on November 03, 2023, 10:00:52 AM
There is nowhere safer for your private keys and recovery seeds than handling them yourself. That someone stole the company worker's credentials is just stupid. As you can all see, writing down your recovery seed on paper is better than entrusting it to any platform; this is for people that can't do a thing themselves, either they are ignorant or they are too lazy to take the time and responsibility.

Whether the link OP dropped is sketchy or not, people still do these stupid things today. Even if the password company is running on a blockchain, don't ever trust them; recovery seeds and private keys don't exist so that people can keep them in the hands of strangers.

While I have used some trusted password managers I still get some scam attempts on my accounts; a passcode got sent to my email address when I was not trying to log in. The only thing keeping me safe is they have no access to my email account.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: ABCbits on November 03, 2023, 10:28:01 AM
--snip--
I can't access that link either, but I just tried Googling "Best password managers Reddit recommends in 2023" and it shows up to 4 to 5 similar topics and all of them recommend Total Passwords. I've also never heard of it before; I think it might be paid promotional posts rather than reviews from real Reddit users. Aside from a brief introduction to the pros and cons of each app, those threads don't provide any evidence that Reddit users participated in the voting.

Nice find. It looks like someone performed SEO spam which targets the Google search engine. In addition, all of them have a similarity where they only include a link to "total password". So I'm sure now that this password manager shouldn't be trusted. But FWIW, when using DuckDuckGo with the same search keyword, the result is slightly better.

I'm also using bitwarden but I don't know how to use the self-host option ;D ;D.

And most people don't have to, since self-hosting usually costs more (due to the cost of a VPS or hosting service). But FYI, Bitwarden is kind enough to have created a tutorial about the self-host option, which can be seen at https://bitwarden.com/blog/host-your-own-open-source-password-manager/.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: sokani on November 03, 2023, 01:12:10 PM
I deleted all my data as well as my Lastpass account as soon as I switched to another app, but I don't know if it was actually deleted from their servers, it's hard to know.
Deleting your information from your LastPass account does not mean that you're actually safe because they have cloud storage and everything has been backed up there. If you have important account login details stored on the app, my advice is for you to change your password immediately to avoid being locked out of your account by an intruder. Also, if you store your seed phrase or private keys on the app and you're lucky to still have your assets intact, quickly create a new wallet and move your funds.


Title: Re: LastPass hack - move your crypto assets to a more secure place right now!
Post by: Ayers on November 04, 2023, 03:31:18 AM

I'm also using bitwarden but I don't know how to use the self-host option ;D ;D.

And most people don't have to, since self-hosting usually costs more (due to the cost of a VPS or hosting service). But FYI, Bitwarden is kind enough to have created a tutorial about the self-host option, which can be seen at https://bitwarden.com/blog/host-your-own-open-source-password-manager/.

I'm even using their free version and what's even better is that with the free version :D :D, we also get sync to all devices, and unlimited storage...It can be said that if someone is looking for a free password management application to save money, bitwarden is the most perfect choice we have.
I see people mentioning KeepassXC a lot and I'm planning on switching to it, but I think I'll keep using Bitwarden. Thank you for your useful information about bitwarden.