LastPass Vulnerability Exposes Account Details

Sure, what will you do once you forget? Go try remembering 50+ complex passwords, especially for sites you don't visit often.

 

Well you could use containers.... oh wait.... you did that and the bug exposed your passwords (or there was a possibility to that). I guess you would be safer with a 25 password that you could remember rather than 50 one that you entrusted to someone else. Plus, if there is a decent algorithm (aes 128 or higher) then what difference does it make if you password can be broken in 100 gazzilion years or in "just" 10 gazzilion years.
But it is nice to have one click login, perhaps even connected with Facebook option (never mind).

 

The problem is most people can't remember 10 'secure' passwords, let alone 25.

The most I can probably do is about 5 before I start getting confused and forgetting them, if even that.

When most people have to remember more passwords, they do one of the following, none of which is secure:
1. Use the same passwords on various sites and logins.
2. Use easier to remember, less secure passwords.
3. Write down their passwords on post-it notes.

Lastpass and other password managers let you have 100+ secure passwords for all sorts of different websites. If one website gets hacked, you only lose whatever on that specific site, rather than being compromised everywhere.

I'm not saying lastpass is flawless, but it is one potential solution to a difficult problem. Personally I think every website should use keyfob authentication. But I am dreaming.

 

I agree with what you are saying. I do store some passwords in a KeyPass database but those are for things (encrypted backups). The KeyPass database is encrypted with AES-256 BIT w/ a 64 Char ASCII Password + Keyfile(s). It is than stored on in an Encrypted file container (Where all of my VERY confidential [work related] data is) which is THAN on my encrypted 1TB HDD (Both with an additional 64 Char password (ASCII). The key file for Keepass(x) is encrypted with a GPG key (4096 bit 64 char ASCII pass again).

( The container part is because I am to lazy to move that stuff out of the container. I had the container and than encrypted my HDD with files in tact )

 

What does that mean?

@x942: Really? He's clearly opposed to any password manager (container) other than your head.

 

http://www.google.com/search?q=keyfob authentication

Sorry, I wish I knew how to explain it better than wikipedia. That said, I'm no expert, but if there's any questions from that page that aren't clearly answered I can try to answer them for you.

To summarize it's a key-chain device with a number that changes every xx seconds. Banks in certain countries use them, I don't understand why they're not more widely used in North America. (Yet Paypal offers them for $5...)

 

I was a last pass premium customer until this last problem. I am sure I read something about them being hacked for email addresses too only recently. I have gone back to 1password on my mac. I like a password vault, but I think as this hack has proved that the cloud is still too risky. For all who say it is safe, then why did they get people to change their passwords? I thought that password was the only one I was ever going to need?
I also had the logging in problems and did not find support that helpful, in fact I am still awaiting one reply.
Each to their own, for me its all back on my computer where only I am responsible for it. Too much to lose if it goes walkies.

 

If you are using LastPass you should read this:

http://download.cnet.com/8301-2007_4-20060191-12.html

I use LastPass myself and feel that this potential security breech is being handled very properly.

 

Thats a good read and will comfort some. But the fact that it happened in the first place means it is possible to hack it, and it will continue to be a target due to the lucrative information worth millions that it holds. The one breach is enough to persuade me to go back to my own local password manager. I know thats not everyones view, but it is my own personal one.

 

All things being considered that's probably very wise! I'm happy that both my Bank and Brokerage account have their sites set up so password managers won't work- a separate login page appears so that no manger that I've tried "sees" that a login and password are needed.

 

Thats a fair point. I think Lastpass is fine providing you don't put all your valuable eggs in one basket, and use it for non critical log ins.
My banking is the same and has multi authentication log ins, which is much safer but cannot be remembered by lastpass and the like.

 

All banking passwords can be keylogged. Even those so called 'security questions.' There's like three security questions, banks don't provide keylogging protection, so it makes it very easy for them to log the answers to all three.

I like password managers, like lastpass because they help to thwart keyloggers and the like (assuming you use the screen keyboard to log in).

On the other hand, like someone here intelligently pointed out, if someone manages to crack lastpass, or captures your lastpass password, all your passwords are at risk.

The ideal solution is key fobs. I don't understand why World of Warcraft has them available, but your own bank account doesn't. Is my bank really going to reimburse me if someone transfers all that money out and I don't notice it for a week?

Some banks in European countries provide them. Why are we behind the times?

 

Hi


I've just had an email from LastPass

Titled... LastPass Security Incident

This person has also had an email : http://forums.lastpass.com/viewtopic.php?f=12&t=76363
But So Far...
I'm not exactly reassured by the answer they've had.

To Be Honest!
Never could get along with LastPass - & - Haven't used it in ages

I'm defo going to uninstall from my computer as I've never bothered with it via IE.
Not used with Firefox since doing a clean install of Firefox 4.
&...
If I could delete my LastPass account without even signing in... I'd Do It Now!
However...
Kind of get the feeling that Panicking is the wrong thing to do right now.
They must be overrun with people changing their details.
And If anything...
Might find myself in even more of a muddle


Question...
Has anyone else here had the same email as me?

Sandboxed...
But still reluctant to open the email
In case I'd simply be confirming to the baddies that my email address is real.


Thanks!

Zeena

 

No, I haven't so far. I suggest that you read the updated blog entry on http://blog.lastpass.com/2011/05/lastpass-security-notification.html.

Please note that any data on the Lastpass servers is encrypted. Any encryption/decryption is done on your computer. This means:You might only have a problem

1. if your encrypted data was really stolen (rather unlikely as only little data, if any, was stolen) and
2. if you have a weak master password that is prone to a dictionary attack and
3. if the Lastpass security measure that should prevent an attacker coming from a different IP range from accessing your data did not work.

Otherwise you have nothing to fear.

 

Hi tlu


Yep! - Have Read The Blog


Just to be on the safe side... I've decided I'm not going to open the email.

My password is Strong - & - Also use the Grid.


Thanks!

Zeena

 

I also received an email today about the LastPass security incident, allegedly from LastPass, with instructions to go to a website and verify my identity, change my master password.

HOWEVER:

I am not a LastPass user
The website the email sends me to has unverifiable credentials for SSL (per Opera)
The extended email headers do not identify the sender as LastPass

Otherwise looks very authentic

So I reported it as a possible fraud site via Opera
But may still be authentic-I don't remember that I didn't ever try LastPass and discard it.

UPDATE: Attachment shows What Opera says about the site.

 

Hi sded


Rather Worrying!

Also...
Think the LastPass Forum must be rather overloaded right now... As I'm not able to get there

No problems getting to any other websites.

Zeena

 

Yes, I received the same email yesterday and I changed my LastPass password to a more complex one.

I think LastPass has done a good job communicating what happened and, at least for now, I still plan to keep using LastPass.

 

Just got an e-mail supposedly from lastpass. The email was NOT from them and IS a phishing attempt. BE WARNED spammers are definitely taking advantage of this now.

***PLEASE NOTE THIS EXACT ATTACK NOTED BELOW MAY BE INTERNAL******

The email directs you to a reset link but actually shows you an error message. This page tells you that there are to many people connected and to wait for it to refresh. as soon as you open a new tab it uses "tab napping" attack to change the page to look like a password reset form from last pass. details are sent back to the attack and NOT last pass.


I post this just to enlighten everyone that may not realize these attacks are starting to target last pass users. This above attack is believed to be an internal attack against my company and we are working on confirming that. In testing we found the web page as attempts to exploit an older IE 8 buffer overflow to download malware on the computer(s). However the exploit is malformed and doesn't executed properly.


Just stay alert and watch out for attacks like these

 

I use LastPass along with a Yubikey token, so even if my password was stolen my account would be safe. I have two other different tokens, one for my bank account and one for eBay/PayPal as well, so I'm pretty well covered...

 

@sded: Sign in, then see the security information. Obviously the front page isn't going to be as secure as password vault. Also, browsers such as Opera aren't error-proof.

 

Never understood the need for lastpass. Why not simply store them locally? Chrome (and every other browser) encrypts your passwords on your disk... no reason to put that info on a server somewhere.

 

There are at least 3 reasons:

1. It's very comfortable if you're using different browsers and/or OS's. And it's also available for your mobile phone.
2. You always have 2 (encrypted) copies of your login data: on your harddisk and on the Lastpass servers. If your harddisk crashes and you haven't backupped your data, there is still the copy on the Lastpass servers.That adds some security.
3. In my experience, the automatic fill-in of login fields works better on several sites with Lastpass than with the FF password manager.

 

well what i have been doing for years is having a base password and using an equation (which i store in my head) and applying that to the base password, this way you dont need to rely on 3rd parties remembering the password for u.

here's how its done.

choose a base password, for ex. MILKYWAY

then choose an equation, for ex. the first 2 letters of the web address before the BASE and the last 2 letters of the web address after the BASE and the total amount of letters in the top level domain goes in as a number at the end of the BASE, so the password for;
hotmail would be hoMILKYWAYil6
google would be goMILKYWAYle6
wilders would be wiMILKYWAYrs15
and so on....

this way the only thing you need to remember is the base password and the equation. in the above example this would be MILKYWAY and first 2 and last 2 letters and total letter count for adding at end

simples

 

obviously you can tweak that which ever way you desire, plus this way if someone finds out your password for 1 website then they will not find out the password for anymore as the equation is in your head only.