LastPass Password Protector Just Got Hacked

Why would you store all of your passwords in the cloud? This is by far the worst use of the cloud ever.

I have 300+ passwords to remember and I use more than a dozen different machines in a week (about 1/2 of these being Linux). In the past that meant that most sites got the same or similar password but eventually sites started having conflicting requirements which made it impossible for me to remember all of these passwords. LastPass fixed that.
 
There are very, very easy methods for remembering highly secure passwords. For the stuff I do, I have like a couple dozen passwords for work stuff and at least half that many for home stuff with no problems remembering unique passwords that are not easily cracked or guessed. Nothing at all has to be written down. You just have to use your brain-jar-thing-y to come up with some sensible underlying rules and implied hints based on where and what you're doing.
Any system like that is thought up by hackers and pre-hashed. If you don't guess your 'system' for pre-hashing more power to you. But as hard drive space and computing power go up, and even the method of guessing systems will get a system.
 
I don't see this as a big deal. I needed to change my master pass anyways.

Exactly. Much ado about not much of anything. If someone can break LastPass' encryption, then we've got a lot more to worry about.

No offense (it's not offensive if it's true), but you guys that are going to change all your passwords are fucking dumb. ;)

Change your master password and call it a day.
 
Storing all your passwords online with a third party seems like an idea totally made out of a gigantic pile of dumb anyhow. If you really have too many passwords and accounts to remember, then you probably need to reconsider how you're living your life anyway.

I exported my lastpass data and there were over 200 entries.
 

No disagreement on that, it's true that someone could eventually guess their way into how I formulate passwords. That's brute force though and no more or less vulnerable than any other brute force methods presently available. However storing passwords online in the care of someone else seems like one of the worst possible ways to solve that particular problem, far worse than an obscure system of password formulation that exists in only my head. :D I mean it's pretty obvious that using LastPass is just asking for problems which makes its use indefensible by comparison.


Yuck...paper tablet maybe? :)
 
There's raw brute force and narrowed brute force. A system once spotted like joining two or three dictionary words by punctuation and moving the first letter of the 2nd word to the end of the word just had its brute force attack narrowed drastically.

If one of your 1 dozen passwords gets determined, assuming there are only 12 places you use that, each is therefore unique. Because not having unique passwords for important places is the ultimate dumb. You think they couldn't put that pattern from one to determine the others?

You think with all captured passwords at their disposal they haven't spotted the 'systems' people use?

Really, your security is based on your self-bias that your 'system' is unique in the world and a relatively small finite set of passwords (assuming no re-use).
 
Maybe they can guess, but it's a lot better that someone has to guess than grab something off LastPass. Besides that, humans are generally pattern-ish creatures to begin with (even when trying not to be that way) so they're unintentionally using analyzable patterns in all their passwords AND THEN additionally exposing them by putting them under the care of a provider that allows them to be accessed from anywhere via the Internet.
 
Which is why you use cryptographically random passwords. No dictionary words, ever.
 
On a side note, how many people here are comfortable with chrome remembering passwords?
 
LastPass is the most secure convenient way I have yet to find that allows me to use strong unique passwords on each and every site I need them. Glad to see they are up to the task at repelling dickheads trying to steal our personal info. :cool:
 
I always figured this would happen one day and is why I use KeepassPortable and not Lastpass.
 
Not too worried, what bothers me more is that it saved credit card info that I never asked it to.
 
Yeah. If you read the actual notice, it was just usernames stolen. Master passwords are being reset as a precaution, but the user data was untouched. Furthermore, they're forcing any non-known devices for your account to be authenticated.

It was "email addresses, password reminders, server per user salts, and authentication hashes were compromised." So basically the ability to crack your login to lastpass given enough time and resources. Change your password, and it shouldn't be a big deal other than probably yet more phishy spam. The authentication hash should be suitably robust enough to give you some time to do this.
 
Looks like I'm going to be spending the evening changing all of my passwords.

Anybody have any phone app password manager recommendations?

Don't use a password manager app. Use old school secure offline methods for password storage.
 
Let's wait for the inevitable follow-up announcement in which it turns out the hack was much worse than originally reported, just like that other hack this week, you know the one... and the hack before that, and the hack before that...

And yet, years later of me using their service, not a single account has ever been cracked. :rolleyes:

The power and time needed to try and brute force just one master password is not worth it. When you are doing wide scale mass attacks you are going to go for low hanging fruit, you are not going to spend months, or even years trying to crack the encryption, and if someone thinks I am important enough for that kind of devotion, well, I guess they deserve getting in.

If you have even a remotely strong master password, you will be fine, and if you feel the need, change your master password just to be on the safe side, so now, months or years later, after they crack the encryption (assuming they ever do) and get your master password for your account...Oh...it's been changed. Trust me when I say these people are not going to waste the time.
 
This may be true in this case, but we've been seeing a lot of hacks lately of targets that should have been safe. Even if my lastpass passwords are secure this time, it may not be a good idea to keep using it going forward.

I think certain countries have taken their gloves off and are not only doing state sponsored hacking but allowing private entities a free hand.

I wonder if someone is just moving quickly to capitalize on the OPM data. Bring the OPM data together with this and you can really ruin someone's day.
 
This is worrying. I have damn near everything but my email and bank account on lastpass.

Don't be worried.

Even if someone were to have your master password hash, each person's MP hash is individually salted on top of being rehashed some 10,000+ times before being stored by LastPass on their servers.

They themselves can't even decrypt it. They can only hash and salt your input and see if it matches before they authenticate you.

Even though it's on a shitty blogpost site, this does explain it well:

http://www.forbes.com/sites/katevin...s-hacked-exposing-encrypted-master-passwords/

LastPass employs per user salts, which means an attacker would have to attempt to crack each encrypted master password individually. "Further, because a user's password is hashed thousands of times before being sent to LastPass, and is again hashed 100,000 times before being stored, guesses can't be done at significant speed," LastPass press contact Erin Style explained via email.

I changed my MP, reencrypted my DB and I'm not the least bit worried.
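The two-stage scheme described in the post above (client-side stretching of the master password, then a per-user salted server-side rehash of 100,000 rounds, with the server never seeing the master password) as an added worked example. This is illustrative code written for this thread, not LastPass's own implementation; the 5,000 client rounds, SHA-256 and email-as-client-salt are assumptions, only the 100,000 server rounds comes from the quoted statement.

```python
import hashlib
import hmac
import secrets

CLIENT_ROUNDS = 5_000     # assumed: "hashed thousands of times before being sent"
SERVER_ROUNDS = 100_000   # figure quoted in the thread for the server-side rehash


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: stretch the master password before it ever leaves the device.
    The email is used as the client-side salt (assumption for this example)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def make_record(email: str, master_password: str) -> dict:
    """Server side at enrolment: draw a fresh per-user salt and rehash the
    client hash 100,000 more times. Only salt + final hash are stored."""
    salt = secrets.token_bytes(16)
    client_hash = client_auth_hash(master_password, email)
    auth_hash = hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ROUNDS)
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify(record: dict, master_password: str) -> bool:
    """Server side at login: repeat both stages and compare in constant time.
    The server can only check a guess, never recover the master password."""
    client_hash = client_auth_hash(master_password, record["email"])
    candidate = hashlib.pbkdf2_hmac("sha256", client_hash, record["salt"], SERVER_ROUNDS)
    return hmac.compare_digest(candidate, record["auth_hash"])


def rotate_master_password(record: dict, new_master_password: str) -> dict:
    """Changing the master password yields a new salt and auth hash, so a
    previously leaked (salt, auth_hash) pair no longer matches the live account."""
    return make_record(record["email"], new_master_password)


if __name__ == "__main__":
    # constructed sample credentials
    rec = make_record("alice@example.com", "correct horse battery staple")
    print("login ok:", verify(rec, "correct horse battery staple"))
    print("wrong pw:", verify(rec, "Tr0ub4dor&3"))
    new_rec = rotate_master_password(rec, "new unrelated passphrase 42")
    print("old pw after rotation:", verify(new_rec, "correct horse battery staple"))
```

Because the salt is per user, two accounts enrolled with the same master password produce unrelated stored hashes, which is why a leaked database has to be attacked one account at a time.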
 