
Lastpass hacked



Password-storing cloud biz LastPass is urging its users to change their master passwords after hackers broke into its network.

 

The intrusion reportedly happened on Friday afternoon, but many LastPass users are only learning about it now. LastPass last had a security scare in 2011.

 

"In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed," CEO Joe Siegrist said in a blog post on Monday. "The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

 

As a result, the company is requiring all users who log in to the service from a new device or IP address to verify their identities via email or two-factor authentication.

 

Users will also be prompted to reset their master passwords, and LastPass is reminding them that if they used their master passwords as a password on any other site, to change the passwords on those sites, too.

 

Passwords to other sites that were stored on LastPass, however, aren't thought to have been compromised.

 

LastPass says it protects its authentication hashes with 100,000 rounds of server-side PBKDF2-SHA256 cryptography, which it says "makes it difficult to attack the stolen hashes with any significant speed."

 

Still, it's not impossible for someone to brute-force the process and discover your master password. However, if your master password is complex, you should be safe – it will take an attacker far too long to crack your passphrase. Setting up two-factor authentication kills the problem dead, anyway.

 

"We are confident that our encryption measures are sufficient to protect the vast majority of users," Siegrist added.

 

Some LastPass users weren't pleased with how they found out about the breach. In comments posted to the company's website on Monday, many expressed dismay that they learned of the incident via Reddit, Twitter, and elsewhere, rather than via direct email from LastPass.

 

"What the hell guys?" one user who identified himself as "Ian" wrote. "I'm not annoyed that you got breached, I'm annoyed that as a paying customer, I found out about it via Facebook."

 

Others complained of problems when trying to change their master passwords, or being locked out of their accounts after making the change.

 

LastPass says that in addition to requiring users to use extra authentication steps and to change their master passwords, an email is being sent out to every user explaining the issue. ®

 

http://www.theregister.co.uk/2015/06/15/lastpass_data_breach/

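The article's point about the stolen authentication hashes is easier to see with a concrete model. The following is an added example, not LastPass's or The Register's code: it stores, per user, a random salt and PBKDF2-HMAC-SHA256 of the master password with the 100,000 server-side rounds the article quotes, then plays the attacker who has the leaked (email, salt, hash) triples and runs an offline wordlist attack against them. Everything beyond the article is an assumption and is labelled as such in the code: the 16-byte salt, the 32-byte output, the absence of any client-side derivation stage (the article does not describe one), and the two accounts and the wordlist, which are constructed.

```python
"""
Toy model of a server-side authentication-hash store and an offline
guessing attack against a stolen copy of it.

Added illustration, not LastPass's or The Register's code. Assumptions:
the server keeps, per user, a random 16-byte salt and
PBKDF2-HMAC-SHA256(master_password, salt, 100000 rounds); the article
mentions no client-side stage, so none is modelled; the accounts and
the wordlist below are constructed.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

ITERATIONS = 100_000   # server-side round count the article quotes
SALT_BYTES = 16        # assumption; the article gives no salt length
DK_LEN = 32            # assumption: one SHA-256 output


@dataclass(frozen=True)
class StolenRecord:
    """The fields the article says leaked together: email,
    per-user salt and authentication hash."""
    email: str
    salt: bytes
    auth_hash: bytes


def derive_auth_hash(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=DK_LEN)


def enroll(email: str, master_password: str) -> StolenRecord:
    """What the server would store. A fresh random salt per account means
    two users with the same master password get unrelated hashes, so an
    attacker cannot precompute one table and reuse it across the dump."""
    salt = os.urandom(SALT_BYTES)
    return StolenRecord(email, salt, derive_auth_hash(master_password, salt))


def verify(record: StolenRecord, candidate: str) -> bool:
    """Server-side check. compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(record.auth_hash,
                               derive_auth_hash(candidate, record.salt))


def crack(record: StolenRecord,
          wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline attack on one stolen record: every guess costs a full
    100,000-round PBKDF2 run against that user's salt. Returns the
    recovered password (or None) and the number of guesses spent."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if verify(record, guess):
            return guess, tried
    return None, tried


def guesses_per_second(record: StolenRecord, sample: int = 5) -> float:
    """Measure the single-core guessing rate on this machine."""
    start = time.perf_counter()
    for i in range(sample):
        derive_auth_hash(f"probe{i}", record.salt)
    return sample / (time.perf_counter() - start)


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of a given shape at `rate`."""
    return (charset_size ** length) / rate


if __name__ == "__main__":
    # Constructed accounts: one weak master password, one long passphrase.
    weak = enroll("alice@example.com", "Summer2015!")
    strong = enroll("bob@example.com", "tungsten-llama-48-orbit-quill")
    # Constructed attacker wordlist; a real one has millions of entries.
    wordlist = ["password", "123456", "qwerty", "Summer2015!", "letmein",
                "alice2015", "lastpass"]

    for rec in (weak, strong):
        found, tried = crack(rec, wordlist)
        status = f"cracked {found!r}" if found else "not found"
        print(f"{rec.email}: {status} after {tried} guesses")

    rate = guesses_per_second(weak)
    print(f"single-core rate on this host: {rate:.1f} guesses/s")
    for charset, length in ((36, 8), (95, 12)):
        years = seconds_to_exhaust(charset, length, rate) / (365 * 86400)
        print(f"exhausting {charset}^{length} candidates: {years:.3g} years")
```

Two things the run makes visible that the article only asserts: the per-user salt forces the attacker to pay the full PBKDF2 cost once per guess per account rather than once per guess for the whole dump, and the 100,000 rounds turn each guess into tens of milliseconds of CPU on a single core. A weak master password still falls to a short wordlist in seconds, because cost per guess only matters when the number of guesses is large; a long passphrase pushes the worst case into years even before accounting for the much higher rates of GPU cracking rigs, which is the reason the article's advice is "complex master password, plus two-factor".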

I actually use Lastpass and rely on it for my password safe needs.  I got the following e-mail a few hours ago.

 

Dear LastPass User,
 
We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.
 
We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords. 
 
We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass. 

 

 

I'm not too worried, since I used a password reminder that wouldn't be of use even to my family.  I might enable multi-factor authentication, though that would hinder my ability to log in on public computers (like the computers in physicians' offices).  I'm not fond of the current multi-factor authentication options; there doesn't seem to be a way to authenticate with a text message like I do for my Google account.

 

What people need to keep in mind is that even with the security lapses a password vault like LastPass is orders of magnitude more secure than the strategy used by most Internet denizens: reusing the same small set of passwords across multiple sites.  With LastPass I've created unique passwords for just about every one of the 100-200 sites I have accounts at.  Sites get compromised all the time, with passwords available in plain sight for hackers to use to infiltrate accounts on other sites.  If you don't have unique passwords for every site you've ever visited, you're in much more danger security-wise than if you were a LastPass user after this breach.


Whoever stores their passwords via third party and online really deserves to lose them. The very idea of LastPass is stupid.

Saying someone deserves to have something bad to happen to them for <insert petty reason here relating to "you should've known better"> is the epitome of online trolling.  That's like saying that women who walk home alone late at night deserve to get raped.


Not really. I said you get what's coming to you if you do something incredibly stupid. Walking home at night is not incredibly stupid. That attempt at equivalency is ridiculous.

 

I was going to expand in my original post, as that was just a summation of my opinions, but here you go, a bit of reasoning as to why I said that.

 

Firstly, we don't know which algorithms have flaws or vulnerabilities, or have even been cracked. The *only* reason we know RSA wasn't secure is because of Snowden leaking it. You think that's going to keep coming around, and the NSA won't keep anything private? They're working hard on the others, especially AES (hell, the NSA authorised it themselves), and won't stop either. There are many, many other competent agencies, both legal and illegal, around the world who do the same. We don't ultimately know which algorithms are safe and which are not, but how does LastPass handle that? If it's made public that an algorithm, let's say a smaller-bit version of AES, like AES-128, is majorly broken, what will LastPass do with its massive database of passwords stuck in AES-256? How does it update over time in the same way? It can't remain AES-256 forever. Not all of their passwords will update either; there will inevitably be some left in the old format, due to the users not logging in to make the update or however it's handled, leaving them vulnerable.

 

Secondly, people get fucking weird with security, and massively overblow the value of the things they own. 99.9% of the sites you register at, your account doesn't mean shit. You do not need AES-2048 to encrypt your Fuwanovel password, or your Reddit account? Get real. The only places you need a unique account are places that have your real information in, which includes any site you pay on. If you have 100+ sites you're feeding your credit card information into, you're doing the internet fucking wrong, and that in itself is a massive cause for concern, if you're plastering your bank details, or your real information, all over the web like that. Calm it down, and you can keep it manageable.

 

Thirdly, LastPass gets around nothing. If the website you're registering on doesn't store its passwords very well, then no matter how big your LastPass encryption, you've done nothing, it's still stored vulnerable on the site. All you've done is add an *extra* vulnerability step by using LastPass and storing that password online in the first place. The issue of safe storage has to come down to the website itself at the end of the day. Just write down your passwords if you need to. The sort of person to break into your house and nick your silverware, computer and TV isn't the sort of person to hunt around drawers for a password list to steal your online accounts. If you're going to talk about keyloggers in that case, well both methods are vulnerable to that. Yes, the LastPass way has a smaller attack surface, but you still need to type them in. Why not do the same thing as LastPass, but store them offline, like havoc?



Minor question: which nutjob stores his credit card info anywhere other than in his head?

Secondly, which nutjob allows a site to hold on to his bank information just so he can pay easier next time?

(example, coupling your paypal account to your bank account, not a perfect example but a good enough one)

Non tech-savvy people who leave everything on default and don't realize it.

Example: every time I order on Amazon I have to go and delete my credit card information myself, otherwise they hold onto it by default. I'm sure a lot of people just leave it as is.


Non tech-savvy people who leave everything on default and don't realize it.

Example: every time I order on Amazon I have to go and delete my credit card information myself, otherwise they hold onto it by default. I'm sure a lot of people just leave it as is.

My bank is really really good about monitoring fraud charges. So I leave my card in as is. If there is even suspicion that my card may have been stolen, they deactivate it and send a new one at once with one day shipping. So yeah, my bank is really good at keeping an eye on things.

 

As for passwords, I have a wildly different password for everything, and they are all written down on a sheet of paper. Storing passwords with an online service is sheer lunacy, no matter how encrypted.


Internet. Serious business.

People nowadays are becoming way too paranoid in terms of internet security. The truth is that the vast majority of average users can feel relatively safe, no matter the circumstances; they aren't the target of thieves, hackers or any organisations and never will be. I always found the idea of storing sensitive personal data on the net ridiculous. Shit like FB, G+ or any other crap sites storing and manipulating that data in massive amounts can never feel secure, no matter how good the protection mechanisms they implement are.

I always stored my passwords in a personal notebook and only my family knows about it, in case something could happen. It's the only way to ensure maximum safety on the internet.


Well, the 'piece of paper' way is a no-no in many ways at work. And if you get into the habit of writing down passwords you won't be safe at work.

 

Yeah, I do realize it's impractical on a few different levels. Like if I lose it, among other things.

I don't have everything written down anyway, I do have things like my  bank and school passwords memorized.


I'll trust the experts, thanks.  But you're all welcome to continue ranting if you want.

 

So what? Just because they assume it can't be broken now, doesn't mean it can't be or won't be in the future. That data is going to sell for millions, and whoever buys it isn't doing it to protect you. You know what would be better? Not having your passwords there in the first place, then there's no ifs or buts about it.

 

 

Well, the 'piece of paper' way is a no-no in many ways at work. And if you get into the habit of writing down passwords you won't be safe at work.

 

Work is different to what LastPass is meant for though. LastPass is for storing many, many passwords, i.e. for everything online. At your work, you'd pretty much only ever have 1 password at a time, maybe a separate one for actually getting into the building or something, and then one for your network, but that's all. The idea isn't to never remember any password ever, it's just to push the biggest amount of them (and the least secure, random internet forums etc.) out of your head. I think you'll have pretty big problems in your life if you can't even remember 1 password for your work, i.e. what you'll be doing like 5 days almost every single week of every year. Don't write down your work stuff, but personal things like net accounts, there's no problem with that.


I had a friend who worked IT for a loans company.  They're heavily regulated, and they have to follow strict password guidelines.  These guidelines prevent them from using password managers, so instead they tape sticky notes with passwords to their monitors and work surfaces (they're forced to maintain multiple passwords for different purposes, and to change them every 3 months or so).


Well, if you feel like the paper method there's always leaving password hints instead of just writing the actual passwords down. Obviously this depends on you having a memorable password in the first place, which in this case tends to be pass phrases. If anyone actually gets to the passwords I legit care about (since I started getting important passwords as part of muh fuwa position, this includes my Fuwa account), they would have to be fairly clever and have studied me for a while... or the site would have gotten broken into, rip in weaklinkeroni. I do split passwords into weak and strong tier ones depending on how much I care though, so $randomsite isn't going to get that much attention.


Well, if you feel like the paper method there's always leaving password hints instead of just writing the actual passwords down. Obviously this depends on you having a memorable password in the first place, which in this case tends to be pass phrases. If anyone actually gets to the passwords I legit care about (since I started getting important passwords as part of muh fuwa position, this includes my Fuwa account), they would have to be fairly clever and have studied me for a while... or the site would have gotten broken into, rip in weaklinkeroni. I do split passwords into weak and strong tier ones depending on how much I care though, so $randomsite isn't going to get that much attention.

^ In before password is password


Well, if you feel like the paper method there's always leaving password hints instead of just writing the actual passwords down. Obviously this depends on you having a memorable password in the first place, which in this case tends to be pass phrases. If anyone actually gets to the passwords I legit care about (since I started getting important passwords as part of muh fuwa position, this includes my Fuwa account), they would have to be fairly clever and have studied me for a while... or the site would have gotten broken into, rip in weaklinkeroni. I do split passwords into weak and strong tier ones depending on how much I care though, so $randomsite isn't going to get that much attention.

Yeah, I think with a bit of effort you can make password phrases such that you'll never forget them with the hint or set of hints you write down, nor will anyone be able to guess them.
