Solved The LastPass breach settlement is real. Here’s what you should know

gunrunnerjohn · May 2, 2026

Edwin said:
Password Managers are overrated! Just go analog, write 'em down in a notebook, it's the safest solution.

And also a major PITA if you're truly using secure passwords! Manually typing in the 12 character password of random upper case, lower case, numbers, and special symbols is not something I want to do all the time.

BarryGuff · May 3, 2026

Even better than writing them down is to use https://www.passwordcard.org and write down the code.

This generates a card you can physically print to make coded passwords:

https://imgur.com/rACE2eb

So if I wanted an 8-character password for my Gmail login, I might use "Diamond-Green-Left" as my code, which means my Gmail password would be "Peh2WmGK" (per the screenshot above).

Nobody can get my passwords unless they have both my Password Card and my book of codes for it. Everything is offline/air-gapped.

cheaterslick · May 3, 2026

Edwin said:
Just go analog, write 'em down in a notebook, it's the safest solution.

I've done that at times. Especially if I have to (rarely) get into banking or local government websites...

Some websites are more valuable to protect than others.

Stigg · May 3, 2026

I remember when people were saying that LastPass security was unbreakable.
Secure, encrypted or not. It's just a dumb idea to be storing your passwords on someone else's computer.

BarryGuff · May 3, 2026

Stigg said:
I remember when people were saying that LastPass security was unbreakable.

No matter how strong a password is, they can sometimes be reset with the "forgotten password" feature of the website in question, mainly those send a reset link to your email account. So if someone has access to your email account, then they can reset the passwords of all your other accounts.

echo2446 · May 3, 2026

BarryGuff said:
So if someone has access to your email account, then they can reset the passwords of all your other accounts.

This is a reason to:

Protect your email account as well as you can — treat it like your password manager account if possible.
Use 2FA everywhere, or at least everywhere important.

Even passkey recovery typically still requires your email; there’s currently no way around that.

Edwin · May 3, 2026

High security is just as much a PITA as typing 24 random characters into a dialog box!

BarryGuff · May 20, 2026

In addition to PasswordCard (which I mentioned above), there's also a paid option called Qwertycards.

Alejandro85 · May 22, 2026

The root problem here is using online password managers, that fundamentally publish your vault on "the cloud" (ie, someone's else computer) and you access it remotely. Then your safety depends on how well implemented is this protection. From the LastPass breach, it seemed that it didn't protect it very well. Other online managers were also breached in the past, but sometimes only encrypted data was leaked, at least, they took security much better.

If you remain with offline password managers you get all their benefits without the risk of being hacked if there is a problem on their site. Also if oyu use an open source one there is greater reasurance that proper security techniques have been used.
My passwords are encrypted in a local file that I only ever have access.

XxXxX · May 22, 2026

it needs to be remembered password managers be it online or local
be they encrypted on written down on paper are only protecting the front door
most seasoned hackers/burglars/thieves will use the back door.

hence the best security you or anyone else has is common sense.
best of luck Steve ..

DTG1 · May 22, 2026

I use keepass to store passwords, its not integrated into anything, just a straight forward manager.

MalwareT · May 22, 2026

gunrunnerjohn said:
I'm pretty sure that you'll find that the browser's password manager is less secure than the dedicated password vaults.

That's what I've heard too. I never use the browser's password manager.

MalwareT · May 22, 2026

echo2446 said:
This is a reason to:

Protect your email account as well as you can — treat it like your password manager account if possible.

Use 2FA everywhere, or at least everywhere important.

Even passkey recovery typically still requires your email; there’s currently no way around that.

Now they're saying that text message 2FA is not really secure.

echo2446 · May 22, 2026

MalwareT said:
Now they're saying that text message 2FA is not really secure.

Yes — recommended order is FIDO2 (hardware/webauthn) > TOTP/push authenticator apps > email > SMS. SMS 2FA is weaker because of: 1) SIM‑swap or phone theft, 2) third‑party data leaks, and 3) SMS interception.

XxXxX · May 23, 2026

more and more mobile phones are now using RCS messaging which is encrypted.

Messaging with RCS on Android: What You Need to Know | Android

Discover RCS on Android, upgrade your conversations with high-resolution images, interactive elements, and more! Learn how to enable RCS, its features, and how it compares to SMS.

www.android.com

best of luck Steve ..

echo2446 · May 23, 2026

XxXxX said:
more and more mobile phones are now using RCS messaging which is encrypted.

That’s an internet‑messaging protocol, not how service providers typically send 2FA codes to phones.

XxXxX · May 23, 2026

echo2446 said:
That’s an internet‑messaging protocol, not how service providers typically send 2FA codes to phones.

i will check how my OTP's are sent next time the bank sends me one
because as far as i am aware all the messages that i have received thus far are RCS.

but all of my passwords are saved within the browser and i use a 2FA authenticator extension within the browser
but as a secondary method i also have text OTP's enabled on my logins as well, if that is available.

best of luck Steve ..

trevo · May 23, 2026

XxXxX said:
i will check how my OTP's are sent next time the bank sends me one
because as far as i am aware all the messages that i have received thus far are RCS.

I think you'll find they are just SMS text messages.

XxXxX · May 23, 2026

trevo said:
I think you'll find they are just SMS text messages.

but in the UK all copper phones lines are being removed and the whole network is being replaced with fibre
that means no land lines its all nearly digital now across the whole country.

so any and all texts will go by wifi via your mobile phone provider or by a fibre connection via your ISP, which is now mostly RCS encrypted text in the UK
but my bank only sends an OTP once every several logons, unless i delete all the cookies and reset the account back up.

best of luck Steve ..

Solved The LastPass breach settlement is real. Here’s what you should know

Well-known member

My Computers

Member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Member

My Computer

Well-known member

My Computer

♦ ♦

My Computers

Member

My Computer

New member

My Computer

Just a Computer User

My Computers

Well-known member

My Computer

Active member

My Computer

Active member

My Computer

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

My Computer

Just a Computer User

My Computers