Time to change your master password, LastPass was hacked

[ThaiLife]

Password-management service LastPass announced today that it "discovered and blocked suspicious activity" on its network on Friday. While the company says that there is no evidence that user vault data (a user's stored passwords) was taken or that accounts were accessed, it did acknowledge that user email addresses, authentication hashes, password reminders and server per user salts were compromised. LastPass is confident that its encryption is strong enough to make attacking those stolen hashes with any speed difficult. But yeah, if you're a LastPass customer you should change your password. Even though LastPass recommends you change your password if you have a weak master password or use that password on multiple sites, you really should change your master password -- and switch on multifactor authentication -- just in case.

http://www.engadget.com/2015/06/15/lastpass-hacked/

[CaptHaddock]

Which is why it is too risky to keep passwords in anybody's cloud.

[h90]

Which is why it is too risky to keep passwords in anybody's cloud.

Yes I don't get why someone would put passwords or sensitive data on a cloud managed by an unknown company and transferred every time over the internet. It is safer to stick a paper on the side of the monitor.....(not that I recommend that).

There are several solutions for remembering passwords.

[Crossy]

My passwords may not be the ultimate in strength, but they are memorable, contain numerics and special characters, and live in my head which (at least as yet) has not been hacked.

[KhunBENQ]

Which is why it is too risky to keep passwords in anybody's cloud.

Yes I don't get why someone would put passwords or sensitive data on a cloud managed by an unknown company and transferred every time over the internet. It is safer to stick a paper on the side of the monitor.....(not that I recommend that).

There are several solutions for remembering passwords.

Honestly I trust a sheet of paper in my safe more than some "cloud".

The paper at the monitor can be safe if you live in a remote Isan village

Do it like the Thais: write all letters as capitals (like they look on the keyboard).

It once took me a while to find out why a WiFi password I found on a poster did not work.

Like: "DHEJTS".

I stubbornly typed the capitals.

What was the password? -> dhejts

Password safe is a textfile in a Truecrypt volume (together with other sensitive data).

Masterpassword 16 characters, well structured.

Volume sync'ed to the laptop. Copy to external drive sporadically.

Edited June 16, 2015 by KhunBENQ

[dddave]

I grew up during the time when US phone numbers were alpha-numeric, like FA(irlawn)2-1234 and I remember all the ones we had. They make great passwords and you can stick that yellow note to the wall knowing ain't nobody going to know "Dad's work #"

[Chicog]

I grew up during the time when US phone numbers were alpha-numeric, like FA(irlawn)2-1234 and I remember all the ones we had. They make great passwords and you can stick that yellow note to the wall knowing ain't nobody going to know "Dad's work #"

Yes, I tend to use passwords gleaned from my office wall.

For example one of my calendars has "Telex:nnnn xxxx" on it, and I could just use a portion of that as the password.

Hidden in plain sight.

[mmh8]

yep, the whole password manager idea /business has always been asking for trouble. I'm surprised it has taken this long to occur and be made public, it was an article from a us FBI computer dept official that did it for me, she stated she would carry out 0 transactions on her computer, and if you ever speak to a pentester or researcher they will always explain how yes we have one honey trap, and a computer for surfing, but nothing important is kept on any of our computers......

The same goes for cloud document storage, hmmm I'm sure those confidential reports do not belong in the cloud and company xx will be very happy to know they are now public.

for any of you not wearing tin foil hats to avoid passing brain scanners ... well you have been warned....

[MKAsok]

Anyone who understands how Lastpass works will realise this is not a big deal.

[RKASA]

A little black book - I don't even allow the browser to remmeber them.

This is also why you don't want to use your finger print.

Everything is a text file in the end and once they have that they have your finger print - try changing that one.

[SoiBiker]

Which is why it is too risky to keep passwords in anybody's cloud.

Yes I don't get why someone would put passwords or sensitive data on a cloud managed by an unknown company and transferred every time over the internet. It is safer to stick a paper on the side of the monitor.....(not that I recommend that).

There are several solutions for remembering passwords.

The trouble with your method is that I don't carry a computer monitor around with me wherever I go.

[Chicog]

Anyone who understands how Lastpass works will realise this is not a big deal.

You'd be amazed how many dumb password hints people use.

[MKAsok]

^True, but this is a user issue and not an inherent weakness in the encryption or its implementation by Lastpass.

[SoiBiker]

Anyone who understands how Lastpass works will realise this is not a big deal.

You'd be amazed how many dumb password hints people use.

You'd be amazed how many people do dumb things like write their passwords down.

[Chicog]

^True, but this is a user issue and not an inherent weakness in the encryption or its implementation by Lastpass.

Yes it is if they've been compromised.

[h90]

Which is why it is too risky to keep passwords in anybody's cloud.

Yes I don't get why someone would put passwords or sensitive data on a cloud managed by an unknown company and transferred every time over the internet. It is safer to stick a paper on the side of the monitor.....(not that I recommend that).

There are several solutions for remembering passwords.

The trouble with your method is that I don't carry a computer monitor around with me wherever I go.

you could use a number only password and write it on the back of your credit card.....every bad guy will think it is the code for the credit card

[MKAsok]

Yes it is if they've been compromised.

No it isn't. If a user is idiotic enough to use a password hint that will reveal their actual password, they have no reasonable expectation of protection by Lastpass, since password hints are, by necessity, exempt from encryption.

No sane provider of such a service would ever guarantee that their system will never be compromised in any way and to expect this to be the case is entirely unrealistic. The point is the encryption works and it's been properly implemented (as this breach has proven).

The fact of the matter is there is no perfect solution to the password problem. Password managers like Lastpass and Keepass are simply the 'least worse' solution.

[Chicog]

Yes it is if they've been compromised.

No it isn't. If a user is idiotic enough to use a password hint that will reveal their actual password, they have no reasonable expectation of protection by Lastpass, since password hints are, by necessity, exempt from encryption.

No sane provider of such a service would ever guarantee that their system will never be compromised in any way and to expect this to be the case is entirely unrealistic. The point is the encryption works and it's been properly implemented (as this breach has proven).

The fact of the matter is there is no perfect solution to the password problem. Password managers like Lastpass and Keepass are simply the 'least worse' solution.

I'm sorry but if you read their release there is absolutely no mention of how long this breach lasted, so neither you nor anyone else for that matter have any idea what has been taken and used.

Personally, I'd be changing every password in my Lastpass vault if I had one.

There are better ways to protect your passwords than relying on someone in the cloud to look after all of them for you.

Personally I have about three passwords for critical accounts and then for stuff that isn't important, BBs, forums, etc., I use another one that is easy to remember, and if that gets compromised I couldn't give a toss.

I wouldn't dream of storing them where someone can steal them.

There is no such thing as a secure system, so I store my passwords where they cannot be got at, i.e. nowhere.

Of course there is waterboarding, but I don't think I'm that important.

[NeverSure]

LastPass receives the passwords encrypted and never knows what they are. Someone please correct me if I'm wrong.

"LastPass is an evolved Host Proof hosted solution, which avoids the stated weakness of vulnerability to XSS as long as you're using the add-on. LastPass strongly believes in using local encryption, and locally created one way salted hashes to provide you with the best of both worlds for your sensitive information: Complete security, while still providing online accessibility and syncing capabilities. We've accomplished this by using 256-bit AES implemented in C++ and JavaScript (for the website) and exclusively encrypting and decrypting on your local PC. No one at LastPass can ever access your sensitive data. We've taken every step we can think of to ensure your security and privacy." security.stackexchange

I use it for accounts that aren't really important for security such as this one. I have lots of them and it's handy. For accounts I really don't want someone in, I block LastPass and remember them. If I forget one there's always a way to change a forgotten password. I have six I remember, all different.

[NeverSure]

LastPass asks me for my master password to get into or use any sites I told it to. I change that periodically which is what is recommended now. That unlocks it on my computer, one domain at a time as I use it. To change any password I need that master password. It's all on my computer except the encrypted passwords and I'm not sure what anyone is worried about.

I understood that what LassPass lost was things like email addresses which all of my online accounts know.

Where did I go wrong here?

[NeverSure]

One thing worth mentioning is that I'm being more cautious about emails. Some of those were lost and might be used by hackers as that's what these people are. As always I don't click on something I'm not sure of including links to favorite sites. The link could be falsely labeled and could be sending information or something worse.

My router normally won't let anything in that I didn't request, but when Outlook sends and receives it's requesting, and if I click a link I'm requesting. Email is therefore vulnerable.

[katana]

This isn't the first time it's happened. LastPass was also hacked back in 2011 with warnings to change your passwords.

http://www.slashgear.com/lastpass-hacked-users-warned-to-change-master-passwords-05150293/

[MKAsok]

@NeverSure - There's a good explanation here if you're interested in knowing more.

[Chicog]

"We've taken every step we can think of"

Be nice if they could explain how they were breached.

Because they didn't think of that one, did they?

[mmh8]

mkasok how is it not a big deal? can you explain in non teccie language? because what was stolen was still encrypted?

[MKAsok]

^Basically, yes. The risk of the bad guys being able to decrypt your master password before you had an opportunity to change it is so small as to be non-existent in practical terms.

Did you see my link above? It's explained pretty clearly in that post.

[h90]

One thing worth mentioning is that I'm being more cautious about emails. Some of those were lost and might be used by hackers as that's what these people are. As always I don't click on something I'm not sure of including links to favorite sites. The link could be falsely labeled and could be sending information or something worse.

My router normally won't let anything in that I didn't request, but when Outlook sends and receives it's requesting, and if I click a link I'm requesting. Email is therefore vulnerable.

I wouldn't be too sure about that, a windows system always requests tons of things and there is a lot background communication with the internet all the time.

I have a white list of boards on the router, everything else is blocked...not clicking links in emails, Thunderbird as email client.

If I have to open some dogy USB stick or similar I make it on the android tablet or linux laptop, of course disconnected from the internet.

They tried in Farangistan: Calling some bank branch without knowing anything, telling they are from the headquarter IT department and asked for the log in and password. They got it in many cases even the phone in the branch showed that it is an outside number (they have an own country wide phone system so you can see clearly that is not from the headquarter).

[mmh8]

 

^Basically, yes. The risk of the bad guys being able to decrypt your master password before you had an opportunity to change it is so small as to be non-existent in practical terms.

Did you see my link above? It's explained pretty clearly in that post.

 

so you beleive cloud is still safe in general?

[Chicog]

 

^Basically, yes. The risk of the bad guys being able to decrypt your master password before you had an opportunity to change it is so small as to be non-existent in practical terms.

Did you see my link above? It's explained pretty clearly in that post.

 

so you beleive cloud is still safe in general?

No. But there is safety in numbers unless you are considered a high value target.

[lostinisaan]

Anyone who understands how Lastpass works will realise this is not a big deal.

You'd be amazed how many dumb password hints people use.

Guess you're referring to TVF usernames...