
Lastpass.Com Potentially Compromised, Users Urged To Change Master Passwords


george

Recommended Posts

LastPass potentially hacked, users urged to change master passwords


Free password management program LastPass, a browser extension that manages passwords and automates form filling, has been subjected to an external attack which could see user email addresses, their server salt and salted password hashes stolen by attackers.

Posting on the company blog, the LastPass team explains that evidence of an attack was first noticed on Tuesday after the server logs were checked and anomalies identified and processed. Network traffic, over a period of a few minutes, spiked on one of the non-critical LastPass machines. Not able to identify the cause, the team noticed a similar traffic spike in the opposite direction, suggesting that the data on the machines was somehow accessed.

LastPass explains what it thinks might have been compromised:

We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users' encrypted data blobs.

Users with a “strong, non-dictionary based password or pass phrase” should not be affected; LastPass believes that to gain access to passwords, attackers will need to brute-force its users’ master passwords to gain access to user data.

LastPass urges all of its users to change their passwords to counter the threat and has brought into place an additional level of security to identify if the user is accessing the site from an IP address they have used before, also requiring email addresses to be validated. The company believes this could fox potential attackers if they access master passwords, as they would not have access to a user’s email account or IP address.

As a result of the compromise, LastPass is taking the opportunity to introduce extra encryption on its servers:

We’re also taking this as an opportunity to roll out something we’ve been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We’ll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we’ll continue to find ways to reduce how large a target we are.

The biggest problem LastPass has faced is identifying what happened. Its servers were more open than they needed to be and their log files do not give them much to go on. The company has made sure to rebuild its boxes, shut down and move services and verify the source code on its websites.

Unfortunately none of that will help if attackers are able to gain access to more than just a password. If you are a LastPass user, we recommend that you change your password immediately and frequently check the LastPass blog to await more information from the team.

LastPass Company Blog: http://blog.lastpass.com/2011/05/lastpass-security-notification.html

Update 4, ~10pm EST:

Lastpass.com CEO interview with PCWorld covers more details on what happened, what the thought process has been, and what this means for users: http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html


-- 2011-05-06, via thenextweb.com


This is pretty much why I have stopped using stand alone password managers and password manager browser extensions or built-in functionality. I mean, if you put your passwords into these programs for ease of use and access, they are only as safe as the program itself from hacking or if stored on some remote server, the robustness of their security.

Better just to have one super secure long-string password for banking and financial websites and then one other for everything else...and just keep it in your head.


It amazes me that anybody would trust their passwords and any personal information to be managed by someone else, especially a web site.

No kidding. Write them down, pad and paper. You can't hack that, just keep it in the safe from your G/F


It amazes me that anybody would trust their passwords and any personal information to be managed by someone else, especially a web site.


I think your point is valid in the last case - a website. I use 1Password and it's pretty solid, with all data encrypted on your devices, and the info is never in the cloud (unless you count wi-fi syncing between devices). But with that said, it's not a free product like lastpass. The only thing I worry about with 1Password (and I am all Apple) is that one of my devices gets stolen or lost, as I am sure any program is hackable, and then the crims would have it all. Guard that stuff with your life!


Free password management program LastPass, a browser extension that manages passwords and automates form filling, has been subjected to an external attack which could see user email addresses, their server salt and salted password hashes stolen by attackers.

What the heck does "salt" mean in this context?


It means you've added something to it. Like, if your original password was for example...UNEDUCATED, you could add zy5 to the end of it to make it less likely to be hacked.

Those of us who fought against the Roman Empire know they used to SALT the drinking water in the wells around their garrisons when being attacked so their enemy could use it.

That's why we invented Barr's Irn Bru :lol:


Free password management program LastPass, a browser extension that manages passwords and automates form filling, has been subjected to an external attack which could see user email addresses, their server salt and salted password hashes stolen by attackers.

What the heck does "salt" mean in this context?

If you understand the concept of Public Key Private key, it will explain. If not, here is my humble attempt.

Data needs to be encrypted, locked, and for locking you need a key. For unlocking too you need a key.

Now think of a lock, which has two keys. One key can Lock only. Cannot Un Lock. The other, the master key, can do both.

Now, with this entire concept applied to encrypting data, what happens is a random 'string' or 'phrase' is generated. It is nothing but a set of characters in no particular order. They can be anything from a-z, A-Z, 0-9 and all other marks like ?!@#$%^&*() and so on and so forth. This string is used as a key to lock the data.

In some types of data encryption methods, this key is called 'Salt'.

Sorry, forgot to emphasise the importance of salt.

If one has access to salt data, he/she can easily open the encrypted data files. It is like having the key to the lock.

I hope I could explain. :jap:

Edited by FunkyGuru

Free password management program LastPass, a browser extension that manages passwords and automates form filling, has been subjected to an external attack which could see user email addresses, their server salt and salted password hashes stolen by attackers.

What the heck does "salt" mean in this context?

"salt" refers to the algorithm used in encrypting and storing a password in a database.

If your password is '1234567' it will not simply be put into the database as '1234567' but rather using "salt" converted to a long string like 'sdeFgeScsTsgdeSfdad'. That way if someone hacks into the database at least all the passwords will not be in plain text easy to steal.

In this case sounds like not only did the hackers get the long encrypted strings of passwords but they also have the key to unlock them. Not good.


I use Lastpass and will continue to do so. They've handled this pretty well in my view, although now is probably the time for a 3rd party audit.

There's no issue here unless you used a weak master password, in which case you're an idiot anyway, something which can hardly be blamed on Lastpass.


It amazes me that anybody would trust their passwords and any personal information to be managed by someone else, especially a web site.

No kidding. Write them down, pad and paper. You can't hack that, just keep it in the safe from your G/F

That is my method as well - pen and paper. And for extra safety, I add an extra character at a certain point, known only to me, to prevent anyone else using that hard copy, should I leave it on my desk.


I can never remember my ATM PIN, but my fingers can. I place my hand on the keyboard and they do it automatically. My son is the same, I wonder if this is a common phenomenon?


Exactly, what is the problem? Just write it down on a paper. The Internet is not safe for things like that.

It amazes me that anybody would trust their passwords and any personal information to be managed by someone else, especially a web site.

No kidding. Write them down, pad and paper. You can't hack that, just keep it in the safe from your G/F


What the heck does "salt" mean in this context?

A salt is a piece of random junk that gets added to your password to make it harder to guess, if someone captures your password hash and runs an offline dictionary attack against it. It helps to protect people who used lame passwords. For example 'poodle' would be guessed almost instantly, but if you add a long piece of junk to the end of that, it becomes almost impossible to guess.

This only works if the salt string remains secret (in this case, it probably isn't).


There are good key scramblers out there to encrypt keystrokes for nominal activity, or you can use your cursor to enter pwds out of sequence. A basic minimum for strong passwords is 13 characters including uppercase, lowercase, numbers, and symbols like $ and @ etc. Online transactions can be made secure by booting with Puppy Linux and bypassing your OS.


I can never remember my ATM PIN, but my fingers can. I place my hand on the keyboard and they do it automatically. My son is the same, I wonder if this is a common phenomenon?

In fact, when the old rotary dial telephones were replaced by keypad dialing it turned out that people could remember phone numbers much easier since the keypad introduced a unique pattern to each number set that was nonexistent with the rotary dials.


It amazes me that anybody would trust their passwords and any personal information to be managed by someone else, especially a web site.

No kidding. Write them down, pad and paper. You can't hack that, just keep it in the safe from your G/F

Can't hack that? Wanna bet? With 350 workstations to manage, sometimes the user was not available when work was required and a simple look under the mousepad, under the keyboard, or in the top drawer nearly always yielded the password. To impress on them the need to not do that, when they returned to the workstation and found a Notepad message that they had been hacked they frantically called for help and were reminded that it could have been a bad guy.


I also use lastpass and will continue using it. This news report is extremely misleading! A few megabytes of strange traffic patterns by their IDS does not necessarily mean they were hacked. The fact that they announced this is why I will definitely stick with using lastpass!

Re-using the same password *will* result in your accounts eventually being compromised, the question is just when.


It amazes me that anybody would trust their passwords and any personal information to be managed by someone else, especially a web site.

No kidding. Write them down, pad and paper. You can't hack that, just keep it in the safe from your G/F

Can't hack that? Wanna bet? With 350 workstations to manage, sometimes the user was not available when work was required and a simple look under the mousepad, under the keyboard, or in the top drawer nearly always yielded the password. To impress on them the need to not do that, when they returned to the workstation and found a Notepad message that they had been hacked they frantically called for help and were reminded that it could have been a bad guy.

Absolutely.. in fact, nearly all password hacks are the result of people doing stupid things like writing them down or putting them in a TXT file on their desktop. These aren't the ones that get on the news, but they are the most common by far.


I really appreciate the OP for the information. :jap: I hadn't heard about this.

Something sounds a little fishy about this. If Lastpass does not store the master password on their servers, staff cannot gain access to master passwords and the password vaults are encrypted, like Lastpass claims, why the urgency to force changing master passwords? How could the master passwords be compromised if they are not stored anywhere? All that could be stolen is a bunch of encrypted files with no keys. Something is not right.

There is something else that bothers me. One time I had a problem with icons not displaying properly in the vault. I contacted Lastpass and they told me they re-synced the icons on the server and to re-check my vault. If the files are encrypted on the server and Lastpass staff cannot access the vaults, how could they re-synchronize the icons in the vault on the server?

This is why I have never trusted LastPass for my secure data. I only use it as a means to simplify the logging on to sites that are not critical. I don't and never will trust 'cloud' computing. You have absolutely no control when you release information into the 'cloud'. Look at the Sony mess of a few days ago. I also avoid social websites just for these reasons. :ph34r:


users, use your brain.

anything that is stored in the "cloud" is hackable.

Do not use the cloud for:

- confidential communications (email)

- confidential documents (business, personal)

- passwords

- business documents

- use no excel, word, etc. that is cloud based.

...


users, use your brain.

anything that is stored in the "cloud" is hackable.

This is true. But it's not really a question of whether it's 'hackable.' Of course it is, otherwise there would be no need to encrypt the information. The real issue is whether the information is decryptable in any practical sense. Given a strong master password the risk is negligible.


How could the master passwords be compromised if they are not stored anywhere?

They store the *hash* of your master password. If a bad guy gets the hash, he can set a computer to hash every word in every dictionary he can get hold of and various permutations thereof. When he finds a hash that matches yours, he knows what your password is.

If you use a long random password, this attack is not feasible. But if you use lame passwords it is very, very easy. Usually a dictionary attack will net well over 50% of passwords, given a bit of time.

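A worked example of the server-side scheme quoted in the original article (PBKDF2 with SHA-256, a 256-bit salt, 100,000 rounds) and of the point made in the reply above that only the hash of the master password is stored. This is added example code, not LastPass's implementation; the function names are mine, the salt is assumed to be per user and stored next to the hash (the usual PBKDF2 layout), and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Parameters quoted in the article: PBKDF2 with SHA-256, 256-bit salt, 100,000 rounds.
# Assumption: one random salt per user, stored alongside the hash (standard PBKDF2 usage).
HASH_NAME = "sha256"
SALT_BYTES = 32          # 256 bits
ROUNDS = 100_000


def hash_master_password(password: str, rounds: int = ROUNDS) -> dict:
    """Build the server-side record for a master password.

    Only salt, round count and derived hash are stored; the password itself never
    is. A fresh random salt per user means two users with the same password get
    different records, so a table precomputed for one record is useless for another.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "hash": digest.hex()}


def verify_master_password(password: str, record: dict) -> bool:
    """Recompute PBKDF2 with the stored salt and rounds; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def verify_and_upgrade(password: str, record: dict) -> Tuple[bool, dict]:
    """Login path for rolling out the stronger scheme to existing users.

    The server only ever sees the password at login, so a record created under an
    older, cheaper setting (fewer rounds) is re-hashed with a fresh salt and the
    current ROUNDS the first time the owner logs in successfully. The salt is not
    a secret: an attacker holding the record still has to run all ROUNDS of HMAC
    per candidate password, which is what makes offline dictionary guessing slow.
    """
    if not verify_master_password(password, record):
        return False, record
    if record["rounds"] < ROUNDS:
        return True, hash_master_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample: a legacy 1,000-round record migrated at first login.
    legacy = hash_master_password("correct horse battery staple", rounds=1_000)
    ok, current = verify_and_upgrade("correct horse battery staple", legacy)
    print(ok, legacy["rounds"], "->", current["rounds"])
```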

Never write down passwords - remember them. Use passwords that include digits, upper case and lower case letters. Change important passwords regularly.

Sounds impossible, especially for those of us whose memories are not as good as they were.

Instead of remembering the passwords, remember a process for generating them.

Do you have a list of memorable things that has digits, upper case and lower case letters? What about the addresses you lived at in the 1990s (don't use your current address or anything that describes you or any information in the records being kept)? If you don't, consider substituting some letters with numbers, e.g. "i" with 1, "e" with 3, "s" with 5. Will you substitute all relevant letters or just the first 3, or second through fifth? Which letters will you use upper case for - perhaps the third and fifth? Having set an algorithm, apply it to a list, e.g. the names of the streets on a walk you frequently take, the last six hotels you stayed in, your favourite whiskies.

Now when you get "password not recognised", check that cap locks is off and cycle through the possibilities from your consistently used algorithm. Don't change the algorithm, just the passwords.

Finally, are there some numbers you will never forget? When I was a kid in the UK, the Co-op, a mutually owned shop chain, paid dividends to their customers based on what they bought. Every time I went to the shop for my folks I had to repeat the number. Fifty years on, the memory of that number persists as I repeated it so often. Now I use it as something memorable.
