Discussion in 'other software & services' started by Montmorency, Jun 21, 2012.
What do you mean by "hacked"? Was it ever confirmed that anyone's data was compromised?
They got access to the encrypted files and could download them and start brute-forcing/cracking them.
Can you link to information that documents that?
Just Google... I don't have any links.
It was never confirmed that the single time they were actually hacked whether or not anyone got anything.
And bruteforcing anything over 8 characters isn't even possible given the way LastPass is set up.
But with rainbow tables/word lists it is "easily" possible.
And I am pretty sure I have read (I think it even was LastPass's own security mail which told me to change my password as hackers could have got access to the db) something about them being hacked.
It still isn't easy because for every 1 password you have to try you have to try it at least 500x by default for LastPass users. So take however long your typical SHA256 hash takes and multiply it by 500. That's how long a single hash takes.
Unless your attacker is using a massive cracking system 8 characters + a full feature set is enough to stop even a fast cracking scenario for a while. Adding only one more letter makes both pretty difficult (nearly 1000 hours for a trillion per second, over 1000 MONTHS for 1 billion).
Avoiding dictionary attacks isn't difficult. Simple password padding is all it takes. Maybe your attacker has "password" in their dictionary but they won't have <<<<<password00000 - they'd have to bruteforce those two characters, which adds a ridiculous amount of time to the process.
I also assume there's a salt so rainbow tables wouldn't work. I also don't see how they could because the number of rounds used is variable - you could rainbow table for 500 but then I'd just use 1,000 and you'd have to do another 500 rounds.
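An added illustration of the points in this reply (example code written for this page, not code from the thread or from LastPass): PBKDF2-HMAC-SHA256 with a per-user salt and a configurable round count, showing why a lookup table built for one salt and round count is useless for another, why a padded password misses a dictionary, and how the round count scales per-guess cost. The email-style salt and the 500-round figure are demo assumptions.

```python
import hashlib
import time

# Demo parameters (assumptions for this example, not LastPass's real settings):
# a per-user salt and the 500-round default the thread mentions.
DEMO_SALT = "alice@example.com"
DEMO_ROUNDS = 500


def derive_key(password: str, salt: str, rounds: int) -> bytes:
    """Key-stretch a password with PBKDF2-HMAC-SHA256.

    Every guess an attacker makes must be run through 'rounds' chained
    HMAC-SHA256 calls, which is why the round count multiplies cracking cost.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), rounds, dklen=32)


def build_table(wordlist, salt: str, rounds: int) -> dict:
    """Precompute derived-key -> password for ONE (salt, rounds) setting.

    This is what a rainbow/lookup table amounts to: it only matches hashes
    produced with the exact salt and round count it was built with.
    """
    return {derive_key(word, salt, rounds): word for word in wordlist}


def lookup(table: dict, password: str, salt: str, rounds: int):
    """Return the plaintext if the derived key is in the table, else None."""
    return table.get(derive_key(password, salt, rounds))


def seconds_per_guess(rounds: int, trials: int = 20) -> float:
    """Rough wall-clock cost of one guess at the given round count."""
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"guess{i}", DEMO_SALT, rounds)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    # Constructed mini word list standing in for an attacker's dictionary.
    words = ["password", "letmein", "123456", "qwerty"]
    table = build_table(words, DEMO_SALT, DEMO_ROUNDS)
    print(lookup(table, "password", DEMO_SALT, DEMO_ROUNDS))            # 'password'
    print(lookup(table, "password", "bob@example.com", DEMO_ROUNDS))    # None: other salt
    print(lookup(table, "password", DEMO_SALT, 1000))                   # None: other rounds
    print(lookup(table, "<<<<<password00000", DEMO_SALT, DEMO_ROUNDS))  # None: padded
    print(f"{seconds_per_guess(500):.2e}s/guess at 500 rounds, "
          f"{seconds_per_guess(5000):.2e}s/guess at 5000 rounds")
```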
Cracking passwords is fairly "easy" these days.
Cracking a password like this "Fgpyyih804423" takes 160 seconds with rainbow tables.
A few more examples:
thequickbrownfoxjumpsoverthelazydog = 700 seconds
Not to mention cracking via some botnet (so thousands of computers cracking for you).
Well I just did. Can't find that any user's passwords have been leaked and it has been more than a year ago since that breach. Usually the ones who copy and crack databases brag about it and provide evidence for having done so. Can't find any evidence that the breach has done any harm in real life, maybe you can direct us to such claims so that your posts don't get mistaken for FUD, Google doesn't seem to help.
And since then LP has strengthened even more with stronger cryptography. Here is some info about the event back in the day for people who haven't heard of it.
LastPass are the innovators. The fact is that other password vendors are following in their footsteps, and security vendors (Webroot, Avast, Norton, etc. ) are starting to either license LastPass or similar password manager, or they're implementing their own, using the same methods of storing your encrypted data in the cloud so that you have access to it from anywhere on any device.
Lastpass for me.
Can be used with YubiKey.
Well, since I'm the OP of this thread let me share my thoughts and final decision (I'm not going into the argument of which is more secure, both must have their flaws).
KeePass on its own is not as easy to use as LastPass. The latter will save and fill logins in a much more transparent way. It is, as well, more user friendly.
But when you install KeeFox things change dramatically and usability is very close to LastPass's (after a learning curve).
I also consider KeePass to be more configurable (even if some options are not obvious for the average user).
All in all these two apps are arguably the best pass managers around.
Personally I'm choosing KeePass.
Thanks to all who gave their input, it has been a very stimulating discussion.
Good that you got the info you needed. The most important thing is not if you use Lastpass or Keepass or whatever, the important thing is that you take responsibility for your own safety online.
Thanks to threads like this I decided to try Keepass to see if it would be more convenient for me (that is one of my biggest criteria to use any software), but unfortunately it doesn't seem to manage to import the (to CSV) exported LastPass passwords.
I could easily import the LastPass database into KeePass, so it is possible and easy, but sadly I can't remember what I did.
Thanks for the info. It should of course be possible, maybe something with my setup. I have been experimenting quite hard with my Windows setup, I will try the same in Linux.
My feeling exactly!
I think it is an ideal situation for you to be able to utilize Wilders this way, and I am encouraged that over 100 responses actually helped you to arrive at a decision as opposed to hindered you!
I also appreciate when an OP takes the time to get back to the thread with his decision. Good job, Montmorency.
Crumbs... I'm blushing
Ha ha. You're welcome. You should grow to really appreciate KeePass.
Good luck with it.
Remember to select "two-channel auto-type obfuscation" for all entries, and also make sure to select "Enter master key on secure desktop".
That is exactly what I meant with:
Bit by bit I'm finding options, tweaks, bells and whistles.
This program grows on you.
Old thread, but you can't use rainbow tables against LastPass because the passwords are salted (twice) before hashing.
See this interview.
Yeah salted LastPass.
Getting back on this older thread. There is an interesting article on Lastpass on:
Some people, in fact quite a significant number, do not wish to have their passwords/master passwords stored elsewhere. Even if it is encrypted a million times. It is out there somewhere and 'they' promise it is safe.
Maybe it is.
I am one of those (old-fashioned?) people feeling uncomfortable/uneasy with that idea. Having to depend on some server and where my email address is my user-id etc. (can be guessed easily)
That said, I do agree, both LastPass and the LastPass website definitely look fantastic! No doubt about that. If you do not worry about depending on a server somewhere, well, LastPass is one of the very best choices. A yearly fee of 12 dollars isn't expensive.
Keepass is free.
Am not sure about their browser integration though.
I keep my keepass password database in Dropbox so it's available on all my computers and android devices. I use a keyfile + password for protection, so even if someone hacked into my dropbox account and obtained the database file, they wouldn't be able to open it with password recovery software unless they somehow obtained my keyfile, which is only located locally on my devices.
I used to think that way, but then I realized that even though I consider myself to be pretty skilled with a computer, I'm sure the IT staff at LastPass spend 100% of their time keeping my info safe. Even though they are a huge target they have much greater resources than I do. The odds of someone getting my passwords from them are probably less likely than them getting into my machine and getting them. I have been using LastPass for about a year now and couldn't be happier. Use a good password and there shouldn't be too many worries.