LastPass Password Protector Just Got Hacked

HardOCP News

Aren't these the guys that are supposed to keep all your passwords safe?

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
 
This is worrying. I have damn near everything but my email and bank account on lastpass.
 
Second that. I don't think the business world at large will ever be caught up to security demands. No matter how many times this happens.

I like my passwords stored like my other data... locally.
 
Looks like I'm going to be spending the evening changing all of my passwords.

Anybody have any phone app password manager recommendations?
 
> Looks like I'm going to be spending the evening changing all of my passwords.
>
> Anybody have any phone app password manager recommendations?

I use 1password. The file is transferred through Dropbox and locally encrypted. Quite expensive for a start-up. If you are worried about security you need to give up phone use and use truecrypt to encrypt the 1password file
 
I don't know what bothers me more... the fact that they got hacked, or that I had to read about it here instead of in my email...
 
> I use 1password. The file is transferred through Dropbox and locally encrypted. Quite expensive for a start-up. If you are worried about security you need to give up phone use and use truecrypt to encrypt the 1password file

Huh sounds like lastpass. :p
 
If you trust the crypto and this was in your risk tolerance, it's not that big of a deal... If you don't, you're probably pretty worried right now.
 
> If you trust the crypto and this was in your risk tolerance, it's not that big of a deal... If you don't, you're probably pretty worried right now.

(If you're a LastPass user that is)

... would edit post and all but yeah...
 
I have enough faith in the encryption and salting to not be worried. Guess that's just me. I use 2 factor for anything critical.
 
If your master password was silly enough to be economically brute-forced when hashed just once, you might need to worry. But 100,000 times, plus client side?

Otherwise, you're still FAR more likely to have your LastPass master password compromised by something like a keylogger or camera than by this leak.

I am annoyed that LastPass had such a breach, but hardly worried.
 
> If your master password was silly enough to be economically brute-forced when hashed just once, you might need to worry. But 100,000 times, plus client side?
>
> Otherwise, you're still FAR more likely to have your LastPass master password compromised by something like a keylogger or camera than by this leak.
>
> I am annoyed that LastPass had such a breach, but hardly worried.

Yeah. If you read the actual notice, it was just usernames stolen. Master passwords are being reset as a precaution, but the user data was untouched. Furthermore, they're forcing any unknown devices on your account to be authenticated.

I don't see this as a big deal. I needed to change my master pass anyways.
 
> I use 1password. The file is transferred through Dropbox and locally encrypted. Quite expensive for a start-up. If you are worried about security you need to give up phone use and use truecrypt to encrypt the 1password file
>
> Huh sounds like lastpass. :p

I use 1password as well.
I don't use the dropbox feature (as I don't want my passwords on the net even if they are encrypted) but sync through a USB cable so none of my passwords ever go out to the "web".
I could also do wifi sync over my personal wifi, but I am paranoid so I keep it simple.

The cost is a bit much, but I have liked it overall for the past 2 years I have used it

D.
 
 
This is the second time I can remember a breach of LastPass. I reset my master password and cleaned up a few old passwords. I do not keep any financial passwords in LastPass, however, although that means they are weaker passwords for my financial sites, though most of these also use multifactor authentication methods.
 
Heh, I've never recommended a third party password protection program to anyone. Sent the link to every one of my customers to show them why. Thanks, [H]!
 
Why would you store all of your passwords in the cloud? This is by far the worst use of the cloud ever.
 
Why I keep all my passwords on a post it note, am i rite?

They have the master password's hash but its with per-user salts so who knows. Brute forcing means doing 5,000 rounds of client-side PBKDF2-SHA256, and 100,000 rounds of server-side PBKDF2-SHA256 to check one pass so it would take forever. Between now and forever change your master password and problem solved if you're worried about this.

Bigger issue is they got your password hint, which history has shown us people can make god awful 'hints'.
 
I have this thing called a floor safe and another thing called a Notepad. No hacker is gonna "crack" it unless they wish to face me first.

Password managers are just like ANY piece of software in existence. I trust my Notepad.
 
> I don't know what bothers me more... the fact that they got hacked, or that I had to read about it here instead of in my email...

Maybe you need to check your email? As I got a notice about it in mine.

Also, no encrypted user data was taken. So they would have to break their encryption for access to your master password, which:

"We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."
 
> Maybe you need to check your email? As I got a notice about it in mine.
>
> Also, no encrypted user data was taken. So they would have to break their encryption for access to your master password, which:
>
> "We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

Let's wait for the inevitable follow-up announcement in which it turns out the hack was much worse than originally reported, just like that other hack this week, you know the one... and the hack before that, and the hack before that...
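To make the "5,000 client-side rounds plus 100,000 server-side rounds" argument from the earlier post and the quoted LastPass statement concrete, here is an added example (not LastPass's code, and not from anyone in this thread) that models the two-stage derivation and then plays the attacker holding a leaked (email, per-user salt, hash) record. The construction is this example's own: using the account email as the client-side salt, the single extra PBKDF2 round that turns the vault key into the value sent to the server, and every name, account and sample password below are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Iteration counts quoted in the thread for LastPass at the time of the
# breach: PBKDF2-SHA256 on the client, then 100,000 more rounds on the server.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_auth_hash(email, master_password, rounds=CLIENT_ROUNDS):
    """Client side. Derive the vault key from the master password, salted with
    the account email, then run one more PBKDF2 round (password as salt) so the
    value sent to the server is not the vault key itself. Using the email as
    the client-side salt is this example's assumption, not a documented fact."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), rounds, dklen=32)
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1, dklen=32)


def server_strengthen(auth_hash, per_user_salt, rounds=SERVER_ROUNDS):
    """Server side. Re-hash the received auth hash with a random per-user salt.
    This output, the salt and the email are what the breach exposed."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, rounds, dklen=32)


def enroll(email, master_password):
    """Create the at-rest record for a new account: (per-user salt, stored hash)."""
    salt = os.urandom(32)
    return salt, server_strengthen(client_auth_hash(email, master_password), salt)


def verify(email, candidate, salt, stored):
    """Check a candidate master password against a stored record (constant-time compare)."""
    computed = server_strengthen(client_auth_hash(email, candidate), salt)
    return hmac.compare_digest(computed, stored)


def offline_guess(email, salt, stored, candidates):
    """What the attacker can do with a leaked record: every guess costs both
    PBKDF2 stages. Returns (recovered password or None, number of guesses made)."""
    tried = 0
    for word in candidates:
        tried += 1
        if verify(email, word, salt, stored):
            return word, tried
    return None, tried


def measure_guess_rate(email, salt, stored, samples=3):
    """Guesses per second on this machine, single core, plain hashlib."""
    start = time.perf_counter()
    for i in range(samples):
        verify(email, f"probe{i}", salt, stored)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate in a keyspace at a given rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    email = "alice@example.com"  # constructed account for the demo
    salt, stored = enroll(email, "correct horse battery staple")

    # The password reminder leaked alongside the record. If it simply *is* the
    # password, the iteration counts buy nothing: the first guess wins.
    reminder = "correct horse battery staple"
    print("reminder as guess:", offline_guess(email, salt, stored, [reminder]))

    # Otherwise each guess costs ~105,000 PBKDF2 rounds; scale that to a keyspace.
    rate = measure_guess_rate(email, salt, stored)
    years = seconds_to_exhaust(26 ** 8, rate) / (86400 * 365)
    print(f"{rate:.1f} guesses/s here; 8 lowercase letters, worst case: {years:.0f} years")
```

The per-user salt is what stops an attacker from hashing a candidate once and checking it against every leaked record; the two iteration counts only set the price of each guess, and a GPU rig will beat the single-core rate this script measures by orders of magnitude, which is why a short or guessable master password (or a reminder that gives it away) is still at risk.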
 
> Let's wait for the inevitable follow-up announcement in which it turns out the hack was much worse than originally reported, just like that other hack this week, you know the one... and the hack before that, and the hack before that...

It's funny that for any other business it would be just "news", but considering LastPass bases their business around password security it could be all the nails needed for a coffin.

Why people think any piece of software is truly safe is beyond me. You can have the most unbeatable method for creating a password, but it's only as safe as where or what you entered it into.
 
I'm not worried. I have a good strong master password so I'm not even going to bother changing it. There are safety measures in place for situations like this. The hashes, salt, encryption, and 2 step authentication are all too much to try to extract the info by brute force.

Then there is the hiding in plain numbers. This is what every American actually believes in. Hoping that it will be somebody else who gets their identity stolen instead of themselves.
 
I'm glad I use a BlackBerry device and BlackBerry's own Native app Password Keeper to store all my passwords.

Far as I know, BlackBerry Password Keeper hasn't been hacked, ever.
 
> I have this thing called a floor safe and another thing called a Notepad. No hacker is gonna "crack" it unless they wish to face me first.
>
> Password managers are just like ANY piece of software in existence. I trust my Notepad.

This "Notepad" intrigues me, where might I find one?
 
Storing all your passwords online with a third party seems like an idea totally made out of a gigantic pile of dumb anyhow. If you really have too many passwords and accounts to remember, then you probably need to reconsider how you're living your life anyway.
 
> Maybe you need to check your email? As I got a notice about it in mine.

I received the mail 8 hours ago. They didn't send it to every customer in one round. So, like many other people, I read about it third-party instead of hearing directly from them.
 
> Looks like I'm going to be spending the evening changing all of my passwords.
>
> Anybody have any phone app password manager recommendations?

Sounds like only your master is vulnerable, and it will take some computing and brute forcing to break it, although if your reminder is your password, you're screwed.

Change your master password and your e-mail's password for good measure, or better, switch your email to another email account and they shouldn't be able to do shit.
 
> Storing all your passwords online with a third party seems like an idea totally made out of a gigantic pile of dumb anyhow. If you really have too many passwords and accounts to remember, then you probably need to reconsider how you're living your life anyway.

Because passwords you can remember are so secure.
 
> Because passwords you can remember are so secure.

There are very, very easy methods for remembering highly secure passwords. For the stuff I do, I have like a couple dozen passwords for work stuff and at least half that many for home stuff, with no problems remembering unique passwords that are not easily cracked or guessed. Nothing at all has to be written down. You just have to use your brain-jar-thing-y to come up with some sensible underlying rules and implied hints based on where and what you're doing.
 