Not them, but I'd recommend the same thing. The upstream/official self-hosted Bitwarden enterprise server is a somewhat painful product to run. It needs specifically MSSQL and a whole mess of containers or standalone services that have to be kept in sync, along with some scripts that try to do so. For all intents and purposes, it is most of their full SaaS-tier service with all the extra complexity that brings. Not a big deal if you're gonna deploy to 1000 users and have the extra time & hardware associated with that, but way overkill if it's only gonna be used by 20 people in IT internally. It's also fully free software, but there's no paid support available for it, so you're trading those two things. Now, there is this extremely nice recent development of Bitwarden offering a new lightweight all-in-one "unified" image. It's currently still beta, but it's much easier to administer, uses far fewer resources, can run on ARM and can also work with Postgres/MariaDB/MySQL. When it's officially considered stable and supported by them, I think it'll be the best option available for most businesses.

I'm sure this question is going to be asked over and over. From my testing, and take this with a grain of (256-bit) salt:

For an enterprise solution, 1Password, Bitwarden, and Keeper are decent.

If you just need something for yourself, a KeePass app like KeePassXC, Strongbox, or similar might do the job. Keep the .kdbx file on a cloud provider, use a keyfile that is only copied to your endpoint devices, have a sturdy passphrase, and that will provide solid protection against someone grabbing your .kdbx file and trying to brute force it. I like the second factor the 128 bit key adds to things. One you use on your desktop for passwords, and another which is only used on devices for your 2FA codes. This will ensure that if your desktop gets compromised, you have some mitigation in place.

Finally, don't forget to back up/export all PW data in unencrypted form to a secure place. I throw my stuff in a VeraCrypt container (with keyfile + passphrase) as a backup.

It's more about "are you interesting enough" to be targeted. This is my main problem with "security" cloud providers. Most companies would never be in the crosshairs of hackers, but since everything is "Cloud-as-a-service" and that pushes more and more off-prem, orgs that are normally not interesting enough became swept up and are targeted as a 'value-add'. It really pisses me off because MOST of this is 100% avoidable. Same goes for SolarWinds, Kaseya, Log4J, etc., as lots of uninteresting targets got swept up.

But with how fast GPUs are now, there are multiple password processing libraries running on RTX 4090s now, next-gen hardware will make it better/faster, it's just a matter of time before this creeps up and affects some random-ass business that wasn't paying attention to the news or ignored the communications from LastPass. This whole LastPass thing is even more dangerous because the vaults were downloaded and can be processed at any time in the future. While passwords 15char+ may not be processed in any suitable time that would be justifiable by the hackers (costs), if orgs are not taking steps to change their passwords (all of them) they are at risk. Saying nothing of collaboration groups that pool resources and time together. Even though encrypted, with the tools available they can be decrypted at some point in the future.

Cleartext customer-associated data was exfiltrated. This worries me more than the databases themselves. If this data is associated with the password databases and then indexed, they can easily decide what group of data to target first. Let's say your company is not interesting to hackers, normally, but at the same time you use a large set of websites that an interesting company uses (like Salesforce); well, your company will be grouped in and could potentially see a breach based on associated data. So everyone should be changing passwords org-wide if you stored any of that data in LastPass. That includes Susan from HR who might only have system user access but is also an Admin in your HR platform.

I'll hold my opinion on LastPass as a solution for now, as I am still researching how this whole thing occurred. If it's like SolarWinds, then LastPass should be ditched and would be considered not-trusted in my product lineups.

From what I remember with 1P8, if I have something in my vault I want to share, it needs to go into another vault shared with that user. But now I have the same password in two vaults whose passwords are now out of sync when one changes. So either I have to keep up with changing two passwords or be OK with my primary vault being for passwords that are not shared and having dozens of vaults shared with various people, which would be just about all my passwords.
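The keyfile-plus-passphrase setup recommended for a cloud-stored .kdbx is worth seeing in code. This is an added example, not code from the thread or from the KeePass project: it rebuilds the KeePass 2.x composite-key construction with hashlib only, leaves out the per-database KDF (AES-KDF/Argon2) that runs on top of it, and the key file, passphrase and "stored key" used below are constructed stand-ins.

```python
import hashlib
import hmac
import math
import os
import re
from typing import Optional

# Added example: why a key file that never leaves your endpoints changes what
# someone holding a stolen .kdbx must guess. The composite key follows KeePass
# 2.x (SHA-256 over the passphrase hash plus the 32-byte key-file key); the
# database's own KDF (AES-KDF or Argon2) is applied to this value and is not
# reproduced here.

def keyfile_key(data: bytes) -> bytes:
    """32-byte key KeePass derives from a plain (non-XML) key file:
    exactly 32 bytes are used raw, 64 hex characters are decoded,
    anything else is hashed with SHA-256."""
    if len(data) == 32:
        return data
    if len(data) == 64 and re.fullmatch(rb"[0-9A-Fa-f]{64}", data):
        return bytes.fromhex(data.decode("ascii"))
    return hashlib.sha256(data).digest()

def composite_key(passphrase: str, keyfile: Optional[bytes] = None) -> bytes:
    """Composite key the database KDF is fed. Without a key file it is a pure
    function of the passphrase, which is what offline guessing relies on."""
    material = hashlib.sha256(passphrase.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_key(keyfile)
    return hashlib.sha256(material).digest()

def key_matches(expected: bytes, passphrase: str, keyfile: Optional[bytes]) -> bool:
    """Stand-in for the header check a real .kdbx performs after its KDF."""
    return hmac.compare_digest(composite_key(passphrase, keyfile), expected)

def search_space_bits(passphrase_len: int, charset_size: int, keyfile: bool) -> float:
    """Bits an offline attacker must cover: the passphrase keyspace, plus 256
    for a random 32-byte key file they never obtained."""
    bits = passphrase_len * math.log2(charset_size)
    return bits + (256.0 if keyfile else 0.0)

if __name__ == "__main__":
    kf = os.urandom(32)  # constructed: random key file, copied only to endpoints
    vault_key = composite_key("correct horse battery staple", kf)
    # Same passphrase without the key file does not open the stolen database.
    print("passphrase only:", key_matches(vault_key, "correct horse battery staple", None))
    print("with key file:  ", key_matches(vault_key, "correct horse battery staple", kf))
    print("15 chars of 95 symbols: %.0f bits" % search_space_bits(15, 95, False))
    print("same plus key file:     %.0f bits" % search_space_bits(15, 95, True))
```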