LastPass Password Protector Just Got Hacked

HardOCP News

Aren't these the guys that are supposed to keep all your passwords safe?

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
 

DocSavage
This is worrying. I have damn near everything but my email and bank account on lastpass.
 

Highwind
Second that. I don't think the business world at large will ever be caught up to security demands. No matter how many times this happens.

I like my passwords stored like my other data... locally.
 

DocSavage
Looks like I'm going to be spending the evening changing all of my passwords.

Anybody have any phone app password manager recommendations?
 

TheSoldier
Looks like I'm going to be spending the evening changing all of my passwords.

Anybody have any phone app password manager recommendations?

I use 1Password. The file is transferred through Dropbox and locally encrypted. Quite expensive for a start-up. If you are worried about security, you need to give up phone use and use TrueCrypt to encrypt the 1Password file.
 

Demon10000
I don't know what bothers me more... the fact that they got hacked, or I had to read about it here instead of in my email,....
 

bexamous
I use 1Password. The file is transferred through Dropbox and locally encrypted. Quite expensive for a start-up. If you are worried about security, you need to give up phone use and use TrueCrypt to encrypt the 1Password file.

Huh sounds like lastpass. :p
 


tazeat
If you trust the crypto and this was in your risk tolerance, it's not that big of a deal... If you don't, you're probably pretty worried right now.

(If you're a LastPass user that is)

... would edit post and all but yeah...
 

SineDave
I have enough faith in the encryption and salting to not be worried. Guess that's just me. I use 2 factor for anything critical.
 

cansurfer
If your master password was silly enough to be economically brute-forced when hashed just once, you'd maybe need to worry. But 100,000 times plus client side?

Otherwise, you're still FAR, more likely to have your Lastpass master password compromised by something like a key-logger or camera than with this leak.

I am annoyed that Lastpass had such a breach, but hardly worried.
 

Spidey329
If your master password was silly enough to be economically brute-forced when hashed just once, you'd maybe need to worry. But 100,000 times plus client side?

Otherwise, you're still FAR, more likely to have your Lastpass master password compromised by something like a key-logger or camera than with this leak.

I am annoyed that Lastpass had such a breach, but hardly worried.

Yeah. If you read the actual notice, it was just usernames stolen. Master passwords are being reset as a precaution, but the user data was untouched. Furthermore, they are forcing any non-known devices for your account to be authenticated.

I don't see this as a big deal. I needed to change my master pass anyways.
 

debaucher
I use 1Password. The file is transferred through Dropbox and locally encrypted. Quite expensive for a start-up. If you are worried about security, you need to give up phone use and use TrueCrypt to encrypt the 1Password file.
Huh sounds like lastpass. :p

I use 1password as well.
I don't use the dropbox feature (as I don't want my passwords on the net even if they are encrypted) but sync through a USB cable so none of my passwords ever go out to the "web".
I could also do wifi sync over my personal wifi, but I am paranoid so I keep it simple.

The cost is a bit much, but I have liked it overall for the past 2 years I have used it

D.
 


drescherjm
This is the second time I can remember a breach of LastPass. I reset my master password and cleaned up a few old passwords. I do not keep any financial passwords in LastPass, however, although that means they are weaker passwords for my financial sites. Most of these also use multifactor authentication methods, though.
 

AceGoober
Heh, I've never recommended a third party password protection program to anyone. Sent the link to every one of my customers to show them why. Thanks, [H]!
 

BryanSTG
Why would you store all of your passwords in the cloud? This is by far the worst use of the cloud ever.
 

bexamous
Why, I keep all my passwords on a Post-it note, am i rite?

They have the master password's hash but its with per-user salts so who knows. Brute forcing means doing 5,000 rounds of client-side PBKDF2-SHA256, and 100,000 rounds of server-side PBKDF2-SHA256 to check one pass so it would take forever. Between now and forever change your master password and problem solved if you're worried about this.

Bigger issue is they got your password hint, which history has shown us people can make god awful 'hints'.
 

Godmachine
I have this thing called a floor safe and another thing called a Notepad. No hacker is gonna "crack" it unless they wish to face me first.

Password managers are just like ANY piece of software in existence. I trust my Notepad.
 
Deleted member 184142
I don't know what bothers me more... the fact that they got hacked, or I had to read about it here instead of in my email,....

Maybe you need to check your email? As I got a notice about it in mine.

Also, no encrypted user data was taken. So they would have to break their encryption for access to your master password, which:

"We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."
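The two-stage strengthening that bexamous and the quoted notice describe (client-side PBKDF2-SHA256, then 100,000 server-side rounds with a random per-user salt) is modelled below as an added example. This is not LastPass's code and not code from any poster in the thread; the exact inputs are assumptions (the account email as the client-side salt, 5,000 client-side rounds as bexamous states, a 16-byte random server salt), and the constructed sample credentials are not real. What it shows is the work an attacker holding the leaked salt and authentication hash must repeat for every candidate master password, which is why the per-guess cost, and not the salt alone, is what slows an offline attack.

```python
"""Added example: two-stage PBKDF2-SHA256 authentication-hash strengthening.
Not LastPass's implementation; salt choices and round counts are assumptions
taken from the thread's own numbers."""
import hashlib
import hmac
import os
import time

CLIENT_ROUNDS = 5_000     # client-side rounds, per bexamous's post (assumed default)
SERVER_ROUNDS = 100_000   # server-side rounds, per the quoted notice


def client_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Value the client computes from the master password and submits at login.
    ASSUMPTION: the lower-cased account email is the salt here."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), email.lower().encode("utf-8"), rounds
    )


def server_hash(client_side: bytes, per_user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """What the server stores: the submitted value strengthened again with a
    random per-user salt. Both this output and the salt were in the breach."""
    return hashlib.pbkdf2_hmac("sha256", client_side, per_user_salt, rounds)


def enroll(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Create a new account record: (per-user salt, stored authentication hash)."""
    salt = os.urandom(16)  # ASSUMPTION: 16-byte random server-side salt
    return salt, server_hash(client_hash(master_password, email), salt)


def verify_login(master_password: str, email: str, salt: bytes, stored: bytes) -> bool:
    """Server-side check; constant-time compare so the verifier itself leaks nothing."""
    candidate = server_hash(client_hash(master_password, email), salt)
    return hmac.compare_digest(candidate, stored)


def attacker_guess(candidate: str, email: str, salt: bytes, stored: bytes) -> bool:
    """One offline guess against the leaked record. The attacker knows the email,
    the salt and the stored hash, but still has to run both PBKDF2 stages per
    candidate: the salt cannot be skipped and the work cannot be shared between
    users, which is the whole point of a per-user salt."""
    return verify_login(candidate, email, salt, stored)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a measured guess rate."""
    return keyspace / guesses_per_second


def measure_guess_rate(email: str, salt: bytes, stored: bytes, n: int = 5) -> float:
    """Rough single-core guesses/second for this construction on this machine."""
    t0 = time.perf_counter()
    for i in range(n):
        attacker_guess(f"wrong-guess-{i}", email, salt, stored)
    return n / (time.perf_counter() - t0)


if __name__ == "__main__":
    # Constructed sample account; not real credentials.
    email = "alice@example.com"
    salt, stored = enroll("correct horse battery staple", email)
    print("legit login ok:", verify_login("correct horse battery staple", email, salt, stored))
    print("attacker guess 'password' ok:", attacker_guess("password", email, salt, stored))
    rate = measure_guess_rate(email, salt, stored)
    print(f"single-core guess rate here: {rate:.1f}/s")
    # An 8-character lowercase-only master password is 26**8 candidates.
    print(f"26^8 keyspace at that rate: {seconds_to_exhaust(26**8, rate)/86400:.0f} days")
```

The measured rate is for Python on one core and an attacker with GPUs will do far better, but the structure of the cost is the same: every candidate costs CLIENT_ROUNDS + SERVER_ROUNDS HMAC-SHA256 evaluations against one specific user's salt, and a weak master password or a revealing hint shrinks the keyspace far more than any hardware speeds up the guessing.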
 

evilsofa
Maybe you need to check your email? As I got a notice about it in mine.

Also, no encrypted user data was taken. So they would have to break their encryption for access to your master password, which:

"We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

Let's wait for the inevitable follow-up announcement in which it turns out the hack was much worse than originally reported, just like that other hack this week, you know the one... and the hack before that, and the hack before that...
 

Godmachine
Let's wait for the inevitable follow-up announcement in which it turns out the hack was much worse than originally reported, just like that other hack this week, you know the one... and the hack before that, and the hack before that...

It's funny that for any other business it would be just "news", but considering LastPass bases their business around password security, it could be all the nails needed for a coffin.

Why people think any piece of software is truly safe is beyond me. You can have the most unbeatable method for creating a password but its only as safe as to where or what you entered it into.
 

snowcrash
I'm not worried. I have a good strong master password so I'm not even going to bother changing it. There are safety measures in place for situations like this. The hashes, salt, encryption, and 2 step authentication are all too much to try to extract the info by brute force.

Then there is the hiding in plain numbers. This is what every American actually believes in. Hoping that it will be somebody else who gets their identity stolen instead of themselves.
 

ZeroBarrier
I'm glad I use a BlackBerry device and BlackBerry's own Native app Password Keeper to store all my passwords.

Far as I know, BlackBerry Password Keeper hasn't been hacked, ever.
 

motomonkey
I have this thing called a floor safe and another thing called a Notepad. No hacker is gonna "crack" it unless they wish to face me first.

Password managers are just like ANY piece of software in existence. I trust my Notepad.

This "Notepad" intrigues me, where might I find one?
 

CreepyUncleGoogle
Storing all your passwords online with a third party seems like an idea totally made out of a gigantic pile of dumb anyhow. If you really have too many passwords and accounts to remember, then you probably need to reconsider how you're living your life anyway.
 

Demon10000
Maybe you need to check your email? As I got a notice about it in mine.

I received the mail 8 hours ago. They didn't send it to every customer in one round. So, like many other people, I read about it third party instead of hearing directly from them.
 

Jagger100
Looks like I'm going to be spending the evening changing all of my passwords.

Anybody have any phone app password manager recommendations?

Sounds like only your master is vulnerable, and it will take some computing and brute forcing to break it, although if your reminder is your password, you're screwed.

Change your master password and your e-mail's password for good measure, or better, switch your email to another email account, and they shouldn't be able to do shit.
 

Jagger100
Storing all your passwords online with a third party seems like an idea totally made out of a gigantic pile of dumb anyhow. If you really have too many passwords and accounts to remember, then you probably need to reconsider how you're living your life anyway.

Because passwords you can remember are so secure.
 

CreepyUncleGoogle
Because passwords you can remember are so secure.

There's very, very easy methods for remembering highly secure passwords. For the stuff I do, I have like a couple dozen passwords for work stuff and at least half that many for home stuff with no problems remembering unique passwords that are not easily cracked or guessed. Nothing at all has to be written down. You just have to use your brain-jar-thing-y to come up with some sensible underlying rules and implied hints based on where and what you're doing.
 