Equivalent domains in password managers

Equivalent domains is a feature of most password managers that you should be using, both for your security and your convenience.  (1Password notably does not support this feature.)  I'll reference Bitwarden below since I consider it the best password manager for most people.

Go to Account Settings in the Bitwarden web vault (but not in any of the apps) and you'll see a page called Domain Rules.  It lets you configure equivalent domains.  The top of the page is for equivalent domains you add to your account, while the bottom of the page shows equivalent domains that are built into Bitwarden.

As an example, these are some of the equivalent domains that I have loaded into my Domain Rules page:

  • canadiantire.ca, sportchek.ca, marks.com
  • expedia.ca, expedia.com
  • opentable.ca, opentable.com
  • pinterest.com, pinterest.ca
  • microsoft.com, bing.com, hotmail.com, live.com, msn.com, windows.com, windowsazure.com, office.com, skype.com, azure.com, onenote.com, onedrive.com, microsoftonline.com

Each row is two or more domains that you're telling Bitwarden to treat as equivalent for autofill.

Why is using equivalent domains good for security?  Let's say you do not have this row configured: <hertz.com, hertz.ca>.  If you have created a Bitwarden login for hertz.ca and you later want to use the hertz.com website, BW won't autofill for you, because the domains don't match.  So you'll be forced to manually copy and paste the password, which is always a very dangerous thing to do.

Be very careful when adding new rows, or new domains to existing rows!  If you add a row <mybanksite.com, evilsite.com>, bad things will happen: if you are on an evilsite.com page, BW will happily autofill your userid and password for mybanksite.com!
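Added example (not from the original post, and not Bitwarden's own matching code): a small Python model of how equivalent-domain rows change autofill, plus the review step the warning above calls for, which lists the extra domains each saved login would start filling on if a proposed row were saved. The rows, the URLs and the two-label "base domain" simplification are assumptions of the example; real password managers consult the Public Suffix List for this.

```python
from urllib.parse import urlsplit

# Constructed equivalent-domain rows, in the spirit of the Domain Rules page above.
# Each row is a set of base domains the user has declared interchangeable for autofill.
EQUIVALENT_DOMAINS = [
    {"canadiantire.ca", "sportchek.ca", "marks.com"},
    {"expedia.ca", "expedia.com"},
    {"hertz.com", "hertz.ca"},
]


def base_domain(url: str) -> str:
    """Registrable domain of a URL, simplified to the last two host labels.
    Assumption of this example: real password managers use the Public Suffix
    List so that hosts such as example.co.uk are handled correctly."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def equivalents(domain: str, rules=EQUIVALENT_DOMAINS) -> set:
    """Every base domain treated as equivalent to `domain` (itself included)."""
    group = {domain}
    for row in rules:
        if domain in row:
            group |= row
    return group


def would_autofill(saved_login_url: str, page_url: str, rules=EQUIVALENT_DOMAINS) -> bool:
    """Base-domain match, extended by the equivalence rows: is a login saved
    for `saved_login_url` offered on `page_url`?"""
    return base_domain(page_url) in equivalents(base_domain(saved_login_url), rules)


def new_autofill_targets(proposed_row: set, saved_login_urls, rules=EQUIVALENT_DOMAINS) -> dict:
    """Review step before saving a new row: which saved logins would start
    autofilling on which additional domains?  A row that mixes a real site with
    an unrelated one shows up here as a new target for the real site's login."""
    impact = {}
    for url in saved_login_urls:
        saved = base_domain(url)
        added = equivalents(saved, rules + [proposed_row]) - equivalents(saved, rules)
        if added:
            impact[saved] = added
    return impact


if __name__ == "__main__":
    # Constructed sample: a login saved for hertz.ca, visited from hertz.com.
    print(would_autofill("https://www.hertz.ca/login", "https://www.hertz.com/reservations"))
    # The warning from the post: a row pairing a bank with an unrelated site.
    print(new_autofill_targets({"mybanksite.com", "evilsite.com"},
                               ["https://mybanksite.com/login", "https://www.hertz.ca/login"]))
```

Running the review function on a proposed row before saving it is the habit worth forming: an empty result means the row only joins domains that already share logins, while any listed target is a domain that will now receive a password it did not receive before.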


World Backup Day 2023

Today is World Backup Day.  

Data backup is incredibly important today given how much of human activity is online.  Here are a few suggestions to reduce the risks of losing your important data.  (Data is "important" if losing it would negatively impact you.)

  1. Ensure that all your important data is backed up to at least two different places, at least one in the cloud and at least one local (e.g., an external hard drive).  
  2. Manual backup -- weekly at a minimum -- can work if you're diligent and set a reminder in your calendar, but automated daily backup is much better.
  3. For data that lives on your computer or an external drive, your first backup should be to a cloud provider.  Your second backup can be cloud or local.
  4. Have an offline local backup.  Offline means that the storage device (e.g., external drive, flash drive) is physically connected to your computer only during the actual backup operation.  This provides protection against corruption, deletion by mistake, and ransomware. 
  5. If you have data that lives in the cloud, you need at least one backup too, which could be on your computer or an external drive.  Your password manager falls under this: export its database occasionally -- but only if your computer drive is encrypted; see below.
  6. Cloud sync (often free, e.g., Google Drive) is not the same as cloud backup (usually paid, e.g., Backblaze).  True backup will keep deleted files and old versions of your files for at least 6 months (and ideally longer), supports point-in-time restore, and lets you choose which folders to back up.  Cloud sync providers usually keep these for no more than 30 days, don't support PIT restore, and often only back up files you place in the single fixed folder.
  7. For sensitive data you're backing up to the cloud -- or if you don't want to have to think about which data is sensitive or not -- use a cloud provider with end-to-end encryption (E2EE), also called Zero Knowledge.
  8. For local backups (e.g., to external drives), ensure that the data is encrypted.  (Critically, also ensure that your computer's drive is encrypted.  Windows Home doesn't do that and Windows Pro doesn't do it by default; so if someone steals your computer they'll get all your data.)
  9. For mobile devices you can reduce data backup concerns by ensuring that all important data on your device actually comes from (is synced from) the cloud, or, say in the case of new photos not yet transferred to your computer, is automatically backed up to the cloud.  Don't leave any unbacked-up data on your device for too long.
  10. A backup is not useful if the restore from it fails when you need it, so run test restores on your data occasionally.  This applies to both local and cloud backups.
  11. Manage your backup process: keep a list of all your data sources and where each source is backed up to and how often.  This will help you identify gaps in your backups.
  12. Looking at the broader picture, you can reduce the cost, effort, and risks for data backup by reducing the amount of data you have.  Don't keep data for longer than it's useful to you.
  13. Organizations: The larger the organization, the more stringent their backup requirements are, for both technology and processes.  One small example of the latter is that the organization's security policies should include detailed requirements for backup of the organization's data.

This is an update of my World Backup Day 2021 post: World Backup Day, and suggestions.
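Added example (not from the original post): a small POSIX shell routine for suggestion 10 above, the test restore.  It writes a checksum manifest next to a tar archive, restores the archive into a scratch directory and checks every file against the manifest, so a truncated or corrupted archive fails the check instead of being discovered on the day you need it.  It assumes tar, sha256sum and mktemp are available; the directory the demo builds is constructed.

```shell
#!/bin/sh
# Added example: back up a directory, then prove the backup restores intact.
# Assumes POSIX sh with tar, sha256sum and mktemp available.

# make_backup SRC_DIR ARCHIVE
# Writes ARCHIVE as a tar file and ARCHIVE.sha256 listing a checksum for every file.
make_backup() {
    src="$1"
    archive="$2"
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$archive.sha256"
    tar -cf "$archive" -C "$src" .
}

# verify_restore ARCHIVE
# Restores ARCHIVE into a scratch directory and checks every file against the
# manifest.  Returns 0 only if extraction succeeds and all checksums match.
verify_restore() {
    archive="$1"
    manifest="$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256"
    scratch="$(mktemp -d)"
    status=0
    tar -xf "$archive" -C "$scratch" 2>/dev/null || status=1
    if [ "$status" -eq 0 ]; then
        ( cd "$scratch" && sha256sum -c "$manifest" >/dev/null 2>&1 ) || status=1
    fi
    rm -rf "$scratch"
    return "$status"
}

# demo: a constructed source tree, a good backup, and a truncated (corrupt) copy.
demo() {
    src="$(mktemp -d)"
    work="$(mktemp -d)"
    printf 'hello\n' > "$src/a.txt"
    mkdir "$src/sub"
    printf 'world\n' > "$src/sub/b.txt"
    make_backup "$src" "$work/backup.tar"
    if verify_restore "$work/backup.tar"; then echo "backup.tar: restore OK"; fi
    head -c 1500 "$work/backup.tar" > "$work/bad.tar"
    cp "$work/backup.tar.sha256" "$work/bad.tar.sha256"
    if verify_restore "$work/bad.tar"; then
        echo "bad.tar: restore OK"
    else
        echo "bad.tar: restore FAILED (as expected)"
    fi
    rm -rf "$src" "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see both outcomes.  The same two functions can sit in a weekly cron job for a local backup: an encrypted external drive is still a backup you cannot trust until a restore from it has been checked file by file.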


Key security measures for a small organization

A small non-profit recently asked me for recommendations for improving their password security.  They wrote:

Do you make recommendations on password security software for businesses?  We are looking to increase our security and password protection, but are getting so many different opinions on best options.  Last Pass was popular and has been recommended in the past, but apparently has had some security breaches as well.

My reply was as follows.  (This would apply equally to a for-profit organization.)

Bitwarden and 1Password are the password managers I tend to suggest.  Because of the LastPass data breach I no longer suggest LastPass.  Organizations should typically use the Teams version of their chosen password manager so that the service can be managed for the organization.

For a bit more background you can see my blog post on the LastPass breach:

The big LastPass data breach and what to do about it (gsharratt.com)

This is a good article with more info: 

The 2 Best Password Managers of 2023 | Reviews by Wirecutter (nytimes.com)

Two-factor authentication (2FA) is the other critical part of security for account credentials.  My blog post has more info, including lots of info on Authy:

Set up two-factor authentication (2FA) - another nice COVID-19 project (gsharratt.com)

A core third leg of security is device security, including strong passwords/PINs for all devices and full-disk encryption (FDE) for all computers, so that no data is compromised if computers are stolen or lost.  If you have Macs they likely already have FDE, but if you have Windows PCs they would need BitLocker in order to support FDE.   Search for “BitLocker” in this blog post:

Core security advice for general users [aka security hygiene] (gsharratt.com)

Hopefully you have an IT person or an IT managed service provider, and they can help you set up FDE for all computers.  They might possibly also be able to help you set up a password manager and 2FA.

This blog post contains an overview of other security controls that you could consider:

Security hygiene for a small professional office (gsharratt.com)

Note that the above are just generic suggestions that are typically suited to small organizations, since I know little about your organization and so can’t give advice.


How to export from Authy

If you ever want to export your TOTP seeds from Authy, this page shows how to do it:


You could use that method to move your seeds to another (TOTP) authenticator app.

However, I continue to believe that Authy is the best authenticator app, as long as (a) you choose a strong Backups Password (its master password), e.g., 16+ random characters, and (b) you store the Backups Password somewhere other than your password manager’s vault.  

Why (b)?  If you store the Backups Password only in your PM's vault, you are in a spot of trouble if you ever need to reinstall both apps (PM and Authy) at the same time, because you can't log into either app until you've logged into the other one.  (Of course, there is no reason not to also store the Backups Password in your password manager's vault.)

There should be no need to export TOTP tokens from Authy on a regular basis because every cloud account that offers 2FA should also offer a recovery mechanism in case that 2FA fails.  The mechanism is usually a set of one or more 2FA recovery codes.
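For readers who want to see what a TOTP "seed" actually is, here is an added example (not from the original post, and not Authy's code) that implements RFC 6238 in Python and checks itself against the RFC's published test vector.  It shows why a seed is the whole secret of a 2FA enrolment: anyone holding the same seed computes the same codes, and a freshly generated seed produces different ones, which is what "regenerating" a seed achieves.  The one-step tolerance window in `verify` and the 20-byte seed length in `new_seed` are this example's choices.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Test vector from RFC 6238 Appendix B: the ASCII seed "12345678901234567890".
RFC6238_SEED = base64.b32encode(b"12345678901234567890").decode()


def decode_seed(seed_b32: str) -> bytes:
    """Authenticator apps show seeds as base32, often with spaces; normalise and pad."""
    s = seed_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(seed_b32: str, at: Optional[int] = None, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): code = truncate(HMAC(seed, floor(time / step)))."""
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(decode_seed(seed_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(seed_b32: str, code: str, at: Optional[int] = None, window: int = 1, step: int = 30) -> bool:
    """Server-side check tolerating `window` steps of clock drift either way
    (the window size is this example's choice).  Constant-time comparison."""
    now = int(time.time() if at is None else at)
    return any(hmac.compare_digest(totp(seed_b32, now + k * step, step=step), code)
               for k in range(-window, window + 1))


def new_seed(nbytes: int = 20) -> str:
    """A fresh random seed (20 bytes = 160 bits, the length RFC 4226 recommends).
    Enrolling this in your authenticator makes every code from the old seed worthless."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


if __name__ == "__main__":
    print(totp(RFC6238_SEED, at=59))                  # 287082 per RFC 6238
    print(verify(RFC6238_SEED, "287082", at=59 + 30))  # one step later, still accepted
    print(totp(new_seed(), at=59))                    # a new seed, a different code
```

Two things follow for the practice described above.  The export exists because the seed is just 20 random bytes in base32, so it moves between apps without loss; and recovery codes, not a seed export, are the right fallback, because a recovery code is a one-time secret the service can invalidate, whereas a copied seed keeps producing valid codes for as long as the service trusts it.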


The big LastPass data breach and what to do about it

You may not want to spend time reading such a long post as this and carrying out the actions suggested below, but if you're a LastPass user this breach is a big deal and deserves your full attention.  At the very least I suggest reading this post in its entirety so that you can decide what and how bad your risks are, and how much effort they are worth to mitigate.

What happened?

If you're a LastPass user, you'll want to be aware of a (recent?) major data breach that occurred sometime in the last four months, in which (probably all) customer vault data was stolen.  This is one of a (large and increasing) number of analyses of the breach available:

Note especially that the data breach contained not only your end-to-end encrypted (E2EE) vault (with user ids, passwords, and notes for all the entries) -- as you'd expect from any password manager breach -- but also a lot of unencrypted information for each user: 
  • company name
  • end-user name
  • billing address
  • email address (you probably want to assume that this is both the main email id and, if set up, the security email id)
  • telephone number
  • the number of iterations for PBKDF2 
  • the IP addresses from which the user has accessed the LastPass service (you probably want to assume that this is not only the last access but also history, for an unknown period of time)
  • the full URL stored in every entry in the vault
  • LastPass Authenticator seeds and phone numbers database, but only if you enabled the Cloud Backup option for LastPass Authenticator

The last two items above, and especially the last one, present special security and privacy risks.

You might want to also read the (very thin) LastPass notice itself:

LastPass hasn't stated how many customers were affected, so it's best to assume that it's "all", or at least that you have been affected.  But note that, according to this notice, if you are a Business customer that has implemented LastPass Federated Login Services, you are not affected by this breach.

What are the risks?

Before we get to what you can do, it's important to understand that as a LastPass user your vault is now out in the wild (and whether your LastPass account had 2FA enabled at the time of the breach makes no difference.)  Attackers will go to work to try to crack the data, and, depending on how strong your master password (MP) was at the time of the breach, your breached vault will be decrypted soon, later, or never.  And, separately, attackers now have a list of all the accounts in your vault, via the unencrypted URLs.  And they also have the other personal information listed above.

Nothing you do now can change this.  In particular, changing your current MP now or deleting your LastPass account now won't make any difference to the data that's already there.  But there are still many actions you can take to mitigate the resulting risks, including changing weak or reused passwords on cloud accounts listed in your vault.

The risks that you face right now stem from at least these sources:
  • the LastPass breach itself,
  • weaknesses in your use of LastPass,
  • weaknesses in your use of cloud accounts and the Internet in general, and
  • weaknesses in LastPass's security and privacy.

What to do?

Based on the information released by LastPass and on others' analyses, and making some assumptions/guesses, this is my rough view on some mitigation actions you can take beginning right away.  The order of these actions could be debated, but this will give you a good place to start from.  Ideally, though, you'd want to read some other analyses too, to help you decide what and how bad your risks are, and how much effort they are worth to mitigate.

  • Be (even more) on the lookout for phishing attempts, since attackers now have a list of all your accounts; ensure you fully understand how phishing works and how you can reduce your risk; and become more cybersecurity aware and knowledgeable generally.
  • If the MP on your account (which is the one on your current vault) is weak (or reused), you're at an ongoing risk of attack from the Internet, so:
      • change your MP to a strong one (and don't use for it any password you've ever used before).
  • If you have TOTP 2FA on your LastPass account, then, based on LastPass's advice:
      • regenerate your TOTP authenticator's seed, as described here: Regenerate a key for the Google Authenticator in LastPass - LastPass Support -- but Authy is a better choice than Google Authenticator;
      • but if you're using LastPass Authenticator to protect LastPass, move instead to a new TOTP authenticator app, e.g., Authy.
  • If you don't have 2FA on your LastPass account, you're again at an ongoing risk of attack from the Internet, so:
      • turn on 2FA in your account; a good option for most people is TOTP 2FA, such as Authy -- LastPass Authenticator is not a good option  :)
  • If you use LastPass Authenticator, switch all accounts using it to a new authenticator app/service, such as Authy (the best option), Google Authenticator, or Microsoft Authenticator.
      • This is mandatory (because of the breach) if you had LastPass Authenticator Cloud Backup enabled; if you didn't, it's still highly desirable.
      • Do not choose the authenticator built into your future new password manager (see below), because you want defense in depth.
  • If the MP on your breached vault was weak (or reused), your breached vault might be decrypted by an attacker, so:
      • for every important account in your breached vault that has a weak or reused password and either doesn't have 2FA enabled or (if you think the seeds might have been stolen) uses LastPass Authenticator, change those passwords to strong and unique ones.
      • (To find weak or reused passwords, use the Security Dashboard tool from inside your LastPass vault.  This of course searches only your current vault, not your breached vault.)
  • The old Password Iterations setting on LastPass accounts was too low, so:
      • in your LastPass vault > Account Settings > Show Advanced Settings > Password Iterations, change the value to 600,000.  (It's a good idea to first do a vault export as a backup just in case something goes wrong with the vault re-encryption that this change will trigger.)
  • Because all the URLs in your vault were included in the breach, for every important account in your breached vault -- unless you've deleted the account since the breach -- review the URL: it might contain something it shouldn't, like a token or password.  If it does, you might want to change the password on the account.  You can't know what exactly was in your vault at the time of the breach, so the best you can do is review your current vault.  (Added 2023-01-03)
  • For every important account in your current vault (which attackers now have a list of from your breached vault) that has a weak or reused password, an attacker might be able to figure out the password, so:
      • change those passwords to strong and unique ones.
      • Note that 2FA does provide additional protection, but never rely on it to save you from a weak password.
  • Turn on 2FA for all your accounts that support it, using your new authenticator app/service.
  • Register all your email addresses with the Have I Been Pwned service; it will notify you if any of those addresses is part of a future data breach.
      Have I Been Pwned: Check if your email has been compromised in a data breach
  • Switch to a new password manager, such as Bitwarden (free/paid) or 1Password (paid).
      • (Note that there's no particular urgency to move off LastPass, as long as you've completed the actions above.)
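Added example (not from the original post, and not LastPass's code) showing why the Password Iterations step above matters.  It derives a 32-byte key with PBKDF2-HMAC-SHA256 salted with the account email, the shape LastPass has documented for turning the master password into the vault key (the extra round LastPass applies for its server-side login hash is left out), and times one derivation at a low count against the 600,000 the post recommends.  You pay that cost once per unlock; anyone working through guesses against a stolen vault pays it once per guess.  As the post says, the higher count protects only the vault re-encrypted after the change, not the copy already taken.  The password and email are constructed, and 5,000 is just a low value for the comparison.

```python
import hashlib
import time


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with the account email as salt: the shape LastPass
    documents for turning the master password into the vault key.  (LastPass's
    extra round for the server-side login hash is omitted; this is an example.)"""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), iterations, dklen=32)


def cost_per_guess(iterations: int, password: str = "correct horse battery staple",
                   email: str = "user@example.com") -> float:
    """Wall-clock seconds for one derivation (constructed password and email).
    The defender pays this once per unlock; a stolen vault costs it once per guess."""
    start = time.perf_counter()
    derive_vault_key(password, email, iterations)
    return time.perf_counter() - start


def compare_settings(old_iterations: int, new_iterations: int) -> dict:
    """Measured and nominal slowdown a higher iteration count imposes on every guess."""
    old = cost_per_guess(old_iterations)
    new = cost_per_guess(new_iterations)
    return {"old_seconds": old, "new_seconds": new,
            "slowdown": new / old, "nominal_slowdown": new_iterations / old_iterations}


if __name__ == "__main__":
    # Constructed comparison: a low legacy-style count vs. the 600,000 recommended above.
    print(compare_settings(5_000, 600_000))
```

The nominal figure is the one that transfers to an attacker's hardware: whatever rate a GPU rig achieves against a 5,000-iteration vault, it achieves one hundred and twentieth of that against a 600,000-iteration vault of the same master password.  Iterations multiply the cost of a guess; only the master password's strength decides how many guesses are needed, which is why both steps appear in the list above.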

N.B. The LastPass breach does not mean that password managers, or even cloud-based password managers, are a bad idea: properly used, they are the best mix of security and convenience for managing your ever-growing set of account credentials.  (Passwords themselves, though, are inherently insecure, but a much better replacement is slowly being introduced, viz. Passkeys.)  Yes, Bitwarden and 1Password could be hacked just as happened with LastPass.  Your protection -- for LastPass, Bitwarden, 1Password, and any other Zero Knowledge / end-to-end encrypted (E2EE) service -- is a strong master password.

Don't use your LastPass MP -- either the current one or the one on your breached vault -- for your new password manager!  You need to choose a new MP.

Bitwarden and 1Password are highly regarded, are likely better at disclosure of security and privacy breaches, appear to have better security (including internal processes) and encryption, encrypt the URLs in the vault, and have regular third-party audits done.  1Password has a stronger encryption key scheme, viz. its Secret Key.  Bitwarden is open source.

1Password's Secret Key can be thought of as some random characters -- roughly 6 -- added behind the scenes to your master password.  This provides some additional protection for server-side breaches such as the one that happened to LastPass.

The process is relatively simple: export your LastPass vault then import that data into your new password manager.  File attachments don't export with the vault so need to be separately dealt with.  

When you're certain that you've moved all your vault data over, delete your LastPass account.  If you use LastPass Authenticator, switch all remaining accounts using it to your new authenticator app/service before deleting the account.

For every account in your new password manager vault that has a weak or reused password (at this point only less important accounts should remain), unless it's truly unimportant, change those passwords to strong and unique ones.

What's weak vs. strong?

It's complicated!  You could do some reading starting from this Google search:

"strong password" "weak password" "entropy" - Google Search

Weak and strong are not black and white, and there are many different views on the subject, but you could start with these very, very, very rough ideas -- just my guesses -- about whether a password is "weak" or "strong".  There are of course many possible caveats, special cases, and exceptions.  Tweak these ideas as you see fit.

For regular cloud account passwords, weak could mean, at a bare minimum:

  • the password looks reasonably random (and with at least 3 of lower case, upper case, digits, and symbols) but is less than 12 characters long, or
  • the password does not look reasonably random and is less than 15 characters long.

For your password manager MP, which is protecting information of higher sensitivity than your other cloud accounts, weak could mean, at a bare minimum:

  • the password looks reasonably random (and with at least 3 of lower case, upper case, digits, and symbols) but is less than 17 characters long, or
  • the password does not look reasonably random and is less than 20 characters long.

How to create a strong password or MP? 

The above is for the case where you are evaluating the strength of an existing password in order to decide whether to change it.  But when you are creating a new password, you probably want it to be much stronger than the above:

For regular cloud accounts, simply use the password generator built into your password manager: have it generate a random password using all 4 of lower case, upper case, digits, and symbols, and of length, say, 30 characters.  Choosing a randomly-generated password of that length essentially guarantees that it is unique, i.e., not reused.

For your new password manager MP, you need something strong enough but also very memorable, which can be a challenge. Here is my favorite algorithm: make up a long story you won't forget (maybe something that happened to you, that you did, that you want to do, etc.), add some punctuation, take the first letter of each word, and do some substitutions of several of those letters into digits and symbols.  This should give you a MP that is long and looks reasonably random, but which you won't forget (after a bit of practice).  I suggest 20 characters as a bare minimum, but more is better, and the more random it looks, the better too.  Try to use uncommon letters and uncommon symbols, e.g., not punctuation.
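Added example (not from the original post) that turns the two things described above into code: the rough weak/strong rules from "What's weak vs. strong?" (using the post's "at least 3 of the 4 character classes" as the test for "looks reasonably random") and the story method for building a memorable MP.  The story, the substitution table and the choice to substitute every matching first letter rather than "several" of them are this example's own; the post recommends less common symbols than most people would pick, so choose your own table rather than reusing this one.

```python
import string

# Weak/strong thresholds from the post: minimum lengths for
# (looks reasonably random, does not look reasonably random).
REGULAR_MIN = (12, 15)   # regular cloud account passwords
MASTER_MIN = (17, 20)    # password manager master password


def looks_random(pw: str) -> bool:
    """The post's proxy for 'looks reasonably random': at least 3 of the 4
    classes lower case, upper case, digits, symbols are present."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    return sum(classes) >= 3


def is_weak(pw: str, master: bool = False) -> bool:
    """Apply the post's bare-minimum rules; True means 'change it'."""
    random_min, plain_min = MASTER_MIN if master else REGULAR_MIN
    return len(pw) < (random_min if looks_random(pw) else plain_min)


# Constructed substitution table for the story method (pick your own).
SUBSTITUTIONS = {"a": "^", "e": "3", "i": "|", "o": "0", "s": "5", "t": "7"}


def story_to_mp(story: str, substitutions=SUBSTITUTIONS) -> str:
    """First letter of each word, keeping any punctuation that ends a word,
    then the substitutions (applied here to every matching letter; the post
    suggests substituting only several of them)."""
    out = []
    for word in story.split():
        first = word[0]
        out.append(substitutions.get(first.lower(), first))
        if len(word) > 1 and word[-1] in string.punctuation:
            out.append(word[-1])
    return "".join(out)


# Constructed story; the whole point is that only you would know yours.
STORY = ("In 2009 my cat Milo ate the whole roast chicken off the counter, "
         "and nobody in the house was even surprised!")

if __name__ == "__main__":
    mp = story_to_mp(STORY)
    print(mp, len(mp), "weak" if is_weak(mp, master=True) else "not weak")
```

The 21-word story above yields a 23-character MP that passes the master-password rule; a story of a dozen words would not, which is the practical reason the post asks for a long one.  `is_weak` is a triage rule for deciding what to change first, not a strength meter: a password manager's generator, at the 30 characters the post suggests, is the right tool for every password you do not have to remember.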

(This algorithm is derived from: Essays: Passwords Are Not Broken, but How We Choose them Sure Is - Schneier on Security, 2008)

Misc. Notes

There's a nice timeline of the breach here: LastPass Hacked – What Now? - Security Boulevard



2023-02-28: Updated text related to LastPass Authenticator to reflect new information from LastPass that the seeds and phone numbers database was part of the breach, and that LastPass recommends regenerating a TOTP seed protecting the LastPass service itself.