mjb:ANglEAUT: PS Anybody use their PW manager with a QNAP NAS? I can't get Bitwarden to identify the username field. It just stays blank.
Custom field, "username" in the "name" field, and your NAS username in the "value" field.
Nah, doesn't work for me.
OWASP just changed their recommendation for PBKDF2 work factors (iterations) to 600,000 (thanks to LastPass).
So, LastPass posted that their iteration count was set to 100,100 (https://support.lastpass.com/help/about-password-iterations-lp030027), but this turned out to be false, with many customers reporting they were set to as low as 1 iteration, while the most common iteration counts were 500 & 5000. Customers were not upgraded automatically, meaning their vaults could be brute forced easily.
Bitwarden's older customers were set to 100,001 but in response to the recommendation from OWASP newer accounts are set to 350,000 iterations. They're still considering upgrading existing customers but you can do this yourself in your web vault under Security --> Keys (I upgraded mine to 350,000 as I found 600,000 was actually quite slow) - https://fosstodon.org/@bitwarden/109733968664841286
I encourage everyone using Bitwarden to up their security by setting your KDF iterations to 350,000.
Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)
Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
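To put numbers on the iteration-count point made in the post above, here is an added example (written for this page; it is not code from the post, from LastPass, from Bitwarden or from OWASP). It derives a vault key with PBKDF2-HMAC-SHA256 at each of the iteration counts mentioned in the thread, times the derivation, and works out how much faster an attacker can guess against a vault left at 1, 500 or 5000 iterations than against one at 350,000 or 600,000. The email-as-salt construction and the 32-byte output length are illustrative assumptions, and the attacker hash rate is a hypothetical figure the caller supplies.

```python
import hashlib
import time
from typing import Dict

# Iteration counts discussed in the thread: the values users found on old
# LastPass accounts (1, 500, 5000), LastPass's advertised 100,100 default,
# Bitwarden's older 100,001 and newer 350,000 defaults, and the 600,000 that
# OWASP now recommends for PBKDF2-HMAC-SHA256.
ITERATION_COUNTS: Dict[str, int] = {
    "lastpass_seen_1": 1,
    "lastpass_seen_500": 500,
    "lastpass_seen_5000": 5_000,
    "lastpass_advertised": 100_100,
    "bitwarden_old_default": 100_001,
    "bitwarden_new_default": 350_000,
    "owasp_2023": 600_000,
}


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, salted with the account email.

    Salting with the lower-cased email is how this example models a password
    manager's client-side key derivation; the 32-byte output length is an
    illustrative assumption, not a claim about either product's exact parameters.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=32)


def derivation_seconds(master_password: str, email: str, iterations: int) -> float:
    """Wall-clock cost of one derivation on this machine.

    This is the delay a legitimate user pays once per unlock, and also the
    per-guess cost an attacker pays on comparable hardware.
    """
    start = time.perf_counter()
    derive_vault_key(master_password, email, iterations)
    return time.perf_counter() - start


def attacker_speedup(weak_iterations: int, strong_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so a vault at the weak
    setting can be brute-forced this many times faster than one at the strong
    setting, whatever hardware the attacker has."""
    return strong_iterations / weak_iterations


def seconds_to_exhaust(candidates: int, iterations: int,
                       hmac_per_second: float) -> float:
    """Time to try every candidate master password.

    `hmac_per_second` is a hypothetical attacker throughput supplied by the
    caller (HMAC-SHA256 evaluations per second); each PBKDF2 guess costs about
    `iterations` of them for one 32-byte output block.
    """
    return candidates * iterations / hmac_per_second


def below_recommendation(iterations: int,
                         minimum: int = ITERATION_COUNTS["owasp_2023"]) -> bool:
    """True when an account's KDF setting is weaker than the current OWASP
    PBKDF2-HMAC-SHA256 minimum."""
    return iterations < minimum


if __name__ == "__main__":
    pw, email = "correct horse battery staple", "Someone@Example.com"  # constructed
    for label, n in ITERATION_COUNTS.items():
        flag = "(below OWASP minimum)" if below_recommendation(n) else ""
        print(f"{label:>22} {n:>8} iterations: "
              f"{derivation_seconds(pw, email, n):.4f}s {flag}")
    print("5,000 vs 600,000 iterations: attacker is",
          attacker_speedup(5_000, 600_000), "x faster")
    # Hypothetical attacker doing 1e9 HMAC-SHA256/s against a 1e6-word list:
    print("1e6 guesses at 5,000 iterations:",
          seconds_to_exhaust(1_000_000, 5_000, 1e9), "s")
```

The ratio is the useful part: an account still sitting at 5000 iterations gives an attacker a 120x head start over one at 600,000, and an account at 1 iteration costs barely more than a plain salted hash to attack. Raising the count only slows the user's own unlock by the same linear factor, which is why a few hundred milliseconds per unlock buys so much.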
Done - thanks for the tip.
michaelmurfy:
OWASP just changed their recommendation for PBKDF2 work factors (iterations) to 600,000 (thanks to LastPass).
So, LastPass posted that their iteration count was set to 100,100 (https://support.lastpass.com/help/about-password-iterations-lp030027), but this turned out to be false, with many customers reporting they were set to as low as 1 iteration, while the most common iteration counts were 500 & 5000. Customers were not upgraded automatically, meaning their vaults could be brute forced easily.
This post from 5 years ago says that existing customers would be upgraded to the new default 100,100 and they didn't need to do anything. https://blog.lastpass.com/2018/07/lastpass-bugcrowd-update/amp/
@mattwnz That never actually happened automatically. This is just a single example but there are many many more out there: https://www.reddit.com/r/Lastpass/comments/106p7le/by_default_the_number_of_password_iterations_that/
A person in my team at work had an iteration count of 1 (I work in security also so this was rather shocking to see). Admittedly this was because he never changed his (rather long) master password + used 2FA. The upgrade to 100,100 required a user to update their master password.
JFC: https://www.theverge.com/2023/1/24/23569109/goto-hack-lastpass-breach-encrypted-backups-key
I could hope the fact I haven't been contacted yet is a good sign, but suspect that could also be down to simple omnishamblery.
Time to accelerate BW transition. 350K iterations already set.
oof, makes me glad I followed a recommendation to use 1password years ago.
The almost secure articles on password managers make for interesting reading, even if I understand little of it.
My genuine concern is that LP and said parent company may simply fold before I can get all my stuff off there and switched over to something else, in which case I lose the list of what may or may not be later compromised.
mattwnz:
michaelmurfy:
OWASP just changed their recommendation for PBKDF2 work factors (iterations) to 600,000 (thanks to LastPass).
So, LastPass posted that their iteration count was set to 100,100 (https://support.lastpass.com/help/about-password-iterations-lp030027), but this turned out to be false, with many customers reporting they were set to as low as 1 iteration, while the most common iteration counts were 500 & 5000. Customers were not upgraded automatically, meaning their vaults could be brute forced easily.
This post from 5 years ago says that existing customers would be upgraded to the new default 100,100 and they didn't need to do anything. https://blog.lastpass.com/2018/07/lastpass-bugcrowd-update/amp/
I can confirm this was NOT done. Mine was set to 5000 and not upgraded by LastPass.
michaelmurfy:
...but you can do this yourself in your web vault under Security --> Keys
I encourage everyone using Bitwarden to up their security by setting your KDF iterations to 350,000.
Done.
Also got around to cancelling my LastPass subscription and deleting my vault. Feels good to have complete separation.
For those that have migrated to BitWarden:
I have some passwords saved for various sites that I also have additional Notes added to. So in LastPass under the site password I can see username, password, and then another field at the bottom called NOTES. In some cases I will need those notes, for example if you have a RealMe account you also need to have created a PIN for when you ever need to change/recover your password. I put things like this into the NOTES field for each password entry.
Does BitWarden import NOTES into their saved site passwords? Or will I need to go through each site and check if there were any notes and manually make an entry somewhere in BitWarden.
duckDecoy:
For those that have migrated to BitWarden:
I have some passwords saved for various sites that I also have additional Notes added to. So in LastPass under the site password I can see username, password, and then another field at the bottom called NOTES. In some cases I will need those notes, for example if you have a RealMe account you also need to have created a PIN for when you ever need to change/recover your password. I put things like this into the NOTES field for each password entry.
Does BitWarden import NOTES into their saved site passwords? Or will I need to go through each site and check if there were any notes and manually make an entry somewhere in BitWarden.
Yep, both notes to logins/passwords and separate secure notes seem to transfer with the export from LP / import to BW default settings. This is based on a random survey of things I have notes for, I've not been through everything exhaustively (I have another 6 months on my LP subscription just in case anything is missing and I do need to get back to that). All in all, the transition was shockingly easy - I had expected much more pain than this.
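The reply above checked a random sample of entries by hand. Here is an added example (written for this page, not code from the thread, from LastPass or from Bitwarden) that does the check exhaustively: it reads a LastPass CSV export, reads the Bitwarden unencrypted JSON export taken after the import, and lists every entry whose NOTES text did not arrive intact. The sample exports are constructed; the LastPass column layout (url,username,password,totp,extra,name,grouping,fav, with notes in "extra" and secure notes under the placeholder URL http://sn) and the Bitwarden item shape (type 1 logins, type 2 secure notes, free text in "notes") reflect the export formats as understood at the time and should be checked against your own files.

```python
import csv
import io
import json
from typing import Dict, List

# Constructed sample of a LastPass CSV export. The "extra" column is the NOTES
# field shown under each site password; secure notes are exported with the
# placeholder URL http://sn. All values are made up.
LASTPASS_CSV = '''url,username,password,totp,extra,name,grouping,fav
https://www.realme.govt.nz,jane,Pa55word!,,"Recovery PIN: 4242
Set when the account was created",RealMe,Government,0
https://example.com,jane@example.com,hunter2,,,Example,,0
http://sn,,,,Licence key ABC-123,Software licence,Secure Notes,0
'''

# Constructed sample of a Bitwarden unencrypted JSON export after importing the
# CSV above. Logins are type 1, secure notes type 2, and the free-text notes of
# every item live in "notes". The licence note has been dropped on purpose so
# the check below has something to flag.
BITWARDEN_JSON = json.dumps({
    "encrypted": False,
    "items": [
        {"type": 1, "name": "RealMe",
         "notes": "Recovery PIN: 4242\nSet when the account was created",
         "login": {"username": "jane", "password": "Pa55word!",
                   "uris": [{"uri": "https://www.realme.govt.nz"}]}},
        {"type": 1, "name": "Example", "notes": None,
         "login": {"username": "jane@example.com", "password": "hunter2",
                   "uris": [{"uri": "https://example.com"}]}},
        {"type": 2, "name": "Software licence", "notes": None,
         "secureNote": {"type": 0}},
    ],
})


def lastpass_notes(csv_text: str) -> Dict[str, str]:
    """Map LastPass entry name -> NOTES text, for entries that have any.

    csv.DictReader handles the quoted multi-line "extra" cells LastPass emits.
    Entries are keyed by name, so two entries with the same name would collide;
    rename duplicates in LastPass before exporting if that applies to you.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: row["extra"] for row in reader if row["extra"]}


def bitwarden_notes(json_text: str) -> Dict[str, str]:
    """Map Bitwarden item name -> notes, for items that have any."""
    items = json.loads(json_text)["items"]
    return {item["name"]: item["notes"] for item in items if item.get("notes")}


def notes_lost_in_migration(csv_text: str, json_text: str) -> List[str]:
    """Names of LastPass entries whose NOTES are missing or altered in Bitwarden.

    Trailing whitespace is ignored because importers commonly normalise line
    endings; any other difference counts as a loss.
    """
    before = lastpass_notes(csv_text)
    after = bitwarden_notes(json_text)
    return sorted(name for name, text in before.items()
                  if (after.get(name) or "").strip() != text.strip())


if __name__ == "__main__":
    lost = notes_lost_in_migration(LASTPASS_CSV, BITWARDEN_JSON)
    print("Entries with notes in LastPass:", sorted(lastpass_notes(LASTPASS_CSV)))
    print("Notes missing or changed after import:", lost)
```

Both export files are plaintext copies of the entire vault, so run the comparison locally and securely delete both files as soon as the import is confirmed.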
GV27:
My genuine concern is that LP and said parent company may simply fold before I can get all my stuff off there and switched over to something else, in which case I lose the list of what may or may not be later compromised.
You can export from LastPass to a CSV right now. Not at all secure, obviously, but potentially better than the alternative.
OK, took the dive into Bitwarden. Exported Lastpass to CSV and had a big cleanout of old cr*p. Imported into BW. Could not be easier. Added Google Authenticator. So far so good.
Next thing would be to avoid having to enter the long Master Password on every autofill on iOS. How do I do that?