Is Anyone Concerned About Their Password Manager (LifeLock and LastPass compromised)?

[dioxide45]

I always wondered what would happen if password manager were hacked. I mean, you store all your passwords in one place, they seem like an easy target. Well, two of the big names in password management have been compromised, Lastpass and now LifeLock by Norton. If you can't trust your password manager to keep passwords safe, what can you trust?

 

[mjm1]

That has been my concern with using one of the password managers. Is anything really safe?

Best regards.

Mike

 

[klpca]

I am totally concerned. I use 2FA on everything but I have heard that even that isn't foolproof. I froze our credit a few years ago so at least I don't have to worry about that. Currently I check the credit card accounts and the checking accounts every day.

Btw, T-mobile was hacked again - my husband said "we haven't even received our $100 settlement yet"! My Chase Sapphire card was compromised two weeks ago. It's a merry-go-round. Time to sit down and change all of those passwords again. A few years ago we had to change all of our passwords one night because of a bad hack. It took us three hours to change everything. One thing for sure - it's kind of ridiculous that we are forced to create crazy passwords but all of the hacking is on the other side. It seems like we need a better way to protect ourselves.

 

[easyrider]

Concerned enough to have our credit locked. We haven't had a problem for quit a while and the credit card company was on it before we knew what happened. My worry was having our identities tampered with when I lost my wallet and fishing/hunting licenses. The fishing license has my ssn on it. Some one did try to open a line of credit but was denied. So far so good.

Bill

 

[simpsontruckdriver]

My (late) mother-in-law had a flawless password manager: a notebook next to her PC. No one can hack into pen-and-paper!

TS

 

[tombanjo]

Here is the story

Thousands of Norton LifeLock customer accounts hacked

Another password manager takes a hit

www.techradar.com

 

[callwill]

"A global leader in consumer Cyber Safety | NortonLifeLock" LoL!

 

[dioxide45]

My (late) mother-in-law had a flawless password manager: a notebook next to her PC. No one can hack into pen-and-paper!

TS

Good from the management standpoint. but a secure password is more than just the password manager. It depends on how long and secure the passwords were. They could still hack the websites she was logging in to. If she used the same password for multiple sites, she would have been just, if not more, susceptible to a hack.

My wife has an aunt with a password manager like this, she was locked out of her accounts more often than not.

 

[RX8]

I use the password manager on my iPhone. That so far has a better security track record than Lastpass and Lifelock.

 

[billymach4]

I have never trusted any of the paid PW apps. Don't trust the browser password manager's either.
It's just common sense that the PAID pw managers have a HUGE target on their back. More marketing
than security.

 

[CalGalTraveler]

Is Lifelock the same as Norton Password Manager?

 

[billymach4]

Good from the management standpoint. but a secure password is more than just the password manager. It depends on how long and secure the passwords were. They could still hack the websites she was logging in to. If she used the same password for multiple sites, she would have been just, if not more, susceptible to a hack.

My wife has an aunt with a password manager like this, she was locked out of her accounts more often than not.

I would argue that getting locked out albeit an inconvenience is a secure method .
Most sites at least provide you the ability to reset your password.

This will force the user to change their password. And provide an authorized back door back in.
Getting locked out and having to reset your pw is a good thing.

 

[dioxide45]

I would argue that getting locked out albeit an inconvenience is a secure method .
Most sites at least provide you the ability to reset your password.

This will force the user to change their password. And provide an authorized back door back in.
Getting locked out and having to reset your pw is a good thing.

I watched a video recently that seemed to indicate that a stronger password is more important than changing your password. Longer and stronger passwords are, at least for now, almost impossible to hack if all the hacker has is an encrypted password. That even if there is a breach, it may not be necessary to actually change a strong password. Simply changing your password from abc123 to abc456 for the sake of change is useless.

 

[billymach4]

Stronger passwords 25 characters are the way to go.

 

[billymach4]

 

[Laurie]

I always thought storing them all at one cyber place was a bad idea. Many of mine are memory-stored, not written anywhere. I do forget sometimes on ones I don't use frequently, and have to reset. But at least the only way to hack them all at once will be by hypnosis.

 

[SmithOp]

I have a ARAG account that monitors dark web activities, get alerts occasionally that my email address is out there so I have to go through changing a lot of passwords. I don't use these password managers so didn't get notified of this breach.

 

[klpca]

Anyone using tax software is also at high risk of identity theft. They have all of the keys to the kingdom - your ssn, your banking and trading institutions, your employer, your home address, your kids info - everything in one convenient location. That worries me as much as this. I can change my passwords, do 2FA, but my actual identity and other personal information not so much. The businesses that aggregate our information need to do a much better job at protecting our data.

 

[Talent312]

I keep all my pwds in a pwd-protected spreadsheet on my 'puter.
I have a hardcopy in a safe.
.

 

[CalGalTraveler]

I worry most about my investment accounts. Forget ID theft. What happens if they drain your life savings?

I change passwords about once a year on key accounts and use 2FA. This is a good new years reminder to do this now.

 

[SmithOp]

I worry most about my investment accounts. Forget ID theft. What happens if they drain your life savings?

I change passwords about once a year on key accounts and use 2FA. This is a good new years reminder to do this now.

My accounts are with Fidelity, linked to my local credit union checking account. If I want to change the linked account it takes 30 days to take effect. They send me email and snail mail in the interim notifying me of the change. I am comfortable that is secure enough to keep anyone draining the accounts.

 

[klpca]

I worry most about my investment accounts. Forget ID theft. What happens if they drain your life savings?

I change passwords about once a year on key accounts and use 2FA. This is a good new years reminder to do this now.

Honestly the financial account passwords should be changed more frequently on important accounts (imo). For those I try to change every month or two. I have noticed that when I call in to Schwab they also use voice ID in case someone tries to call in to change something.

 

[HitchHiker71]

There are pros and cons regardless of which method is chosen really. I'm a fan of randomized strong passwords - like most browser password caches will assign when changing passwords if chosen - but then almost everyone ends up storing those randomized passwords into the browser password caches and/or a third party password caching system like LastPass - which is what I currently do. That way if a particular account is compromised - only that one account is negatively impacted since only that one account utilizes that random strong password created for it. But if the password cache system is compromised - all of those random strong passwords are potentially exposed. I'm a big fan of Account Key type technology that eliminates passwords altogether - but most websites don't support this. I use it with my Yahoo account for example: https://help.yahoo.com/kb/SLN25781.html. The Yahoo app will prompt me whenever anyone or anything (bots) attempts to login to my Yahoo account - and I can simply accept or decline the request. A few websites support this type of account key technology - CapitalOne supports it as well for third party system integrators. In the absence of Account Key type support - I use MFA whenever possible. That way even if the password is compromised - without the "something you have" MFA piece - account authentication still isn't going to work. I typically use the Microsoft Auth app for MFA.

 

[VegasBella]

I just changed my master password and a few super important ones.
But I'm not really worried they're going to use things like my password to TUG to do nefarious things. And if they do, I'm sure TUG would shut that down asap.
Also, they got access to the files but they were still encrypted. They'd have to get past that to actually use the data.

 

[Talent312]

I don't get the deal about changing passwords periodically.
If no one "found" your password in the last 90 days, I'd
think that means it's still a good password going forward.
.