LastPass hacked

Discussion in 'other security issues & news' started by Nanobot, Jun 15, 2015.

  1. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    332
    I have been looking in to it, looks pretty good, uses 256bit AES encryption, I will probably switch to it for both desktop and iPhone as it works with Apple's Touchid.
     
  2. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,909
    Location:
    USA
    I don't think intruders can crack my master password and I am using 100,000 Iterations, this is way past embarrassing :gack: :blink:, I always have been Leary of keeping passwords on servers but it is their responsibility to use adequate security....it seems they have fallen short.
     
    Last edited: Jun 16, 2015
  3. artoor

    artoor Registered Member

    Joined:
    Oct 13, 2012
    Posts:
    113
    Location:
    Poland
    I've been using it on Windows for over 2 years now, on Android and iOS as well and it works great for me :) I don't use Dropbox to store my database - only local copy. WiFi synchronisation between my devices - simply - great solution that fits me best.
     
    Last edited: Jun 16, 2015
  4. Tadoussac

    Tadoussac Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    121
    I use KeePass + Syncthing to synchronize my password database among my various devices. Syncthing is a peer-to-peer application, so nothing is stored on a central server outside of the user's control. All communications between devices is TLS encrypted in-transit.
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,053
    Location:
    USA
    I wouldn't assume that they were somehow remiss. Hacking is becoming more and more sophisticated. Two factor authentication is a necessity IMHO and it can be implemented in the free version of LastPass.

    The PC Mag article is a good read, as it points out the importance of not only a strong password but an obscure password hint.

    You can harden LastPass by going into advanced settings and enabling features such as country restriction and auto-logoff options. There is also the LastPass security challenge which goes through all of the website credentials in your "vault" to find weak and duplicate passwords.
     
    Last edited: Jun 16, 2015
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,718
    Location:
    .
    OK... yeah. KeyFox and chromeIPass. Cheers :)
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,718
    Location:
    .
    AES does multiple rounds of transforming each chunk of data, and it uses different portions of the key in these different rounds. The specification for which portions of the key get used when is called the key schedule. The key schedule for 256-bit keys is not as well designed as the key schedule for 128-bit keys. And in recent years there has been substantial progress in turning those design problems into potential attacks on AES 256.
    Nonetheless AES-256 is being widely deployed since it conveniently lies at the intersection of good marketing and pragmatic security. In upgrading from AES-128 to AES-256 vendors can legitimately claim that their products use maximum strength cryptography, and key lengths can be doubled (thus squaring the effort for brute force attacks) for a modest 40% performance hit.
     
  8. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    187
    Also notice that there's nothing published or commented in the news to suggest that LastPass was/is at fault. All the posters here that all of a sudden need to jump ship with an "alternative" remind me of a bunch of drama queens on a deliriously tasteless soap opera that need a revenge date to show their bewildered ex a thing or two. :rolleyes:
     
    Last edited: Jun 16, 2015
  9. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    The article says it was password reminders that were stolen. This doesn't surprise me, password reminders are often childs play to crack, exponentially less secure than the password itself.
    I prefer to use local storage, keypass is very good. The same encrypted store works on both the windows version and the linux keypassx.
     
  10. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    Yes, because 'the news' knows everything.
     
  11. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    187
    They've been looking hard and digging around. All good journalists thrive for the story that burns so if LastPass could be implicated as being negligent or at fault in any way, they would've jumped on that schytte like white on proverbial rice. And now, back to the Days of our Hives.

    p.s. & btw @Nanobot... BV was, like, one of the best movies ever.
     
    Last edited: Jun 16, 2015
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,053
    Location:
    USA
    I expect you're correct that many people don't understand that the password reminder must be only a hint so as not to make it easy to guess the password. More generally the problem is making password managers usable for people with limited skills. Ideally you would eliminate potential attack vectors such as a password reminder option, but too many people can't do without. This isn't the fault of the password manager though. LastPass can be made much more secure if the user understands the mechanisms and best practices.
     
  13. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    I agree with you that its better to manage and store personal or sensitive data yourself than risk exposing that data across third-party systems. The only flaw with this logic, is that fundamentally the operating system, hardware, and all of the software running on your computer is essentially third-party. So regardless of whether you store information client-side or server-side, you are always at risk of exposing your personal and sensitive data to some other third party. The determining factor here is going to come down to what is more important to people: the convenience of accessing their credentials and other data from anywhere or the security and privacy of there data. The previous discussion on password managers made this point pretty clear, as some users insisted on the convenience of LassPass, dash lane, or some other solution, while others insisted on using memorization techniques to eliminate the need almost entirely. I think the argument is a moot, considering a keylogger or a implementation failure (i.e., the federal governments storage of DoD employees personal data in plaintext) server-side is all someone needs to access your data. If you can avoid sensitive activities online, then you should do so. But its good to stay on top of these types of events when planning for the future. Sorry to hear that this happened. Hopefully last pass users are not negatively impacted too much. Never hurts change login information after an event like this.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If your equipment is compromised, it's not going to make much difference what you use. For websites, there's no real way around the browser handling the password, even if it's not storing it. There isn't much any of us can do about how any given site or server stores passwords. The big difference is that if one of those sites get hacked, only the data you have there is at risk. With a password manager that uses online servers, a hack there can expose everything.

    The convenience factor doesn't make a lot of sense to me. How hard is it to put a copy of your passwords on each of your devices? Is it that much more difficult than installing an application that makes them available on the same device? IMO, password managers are an unnecessary addition to your attack surface, part of which is beyond your control.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    If you must store PW's, why not locally in an encrypted container/folder. For eg, Axcrypt/7Zip etc etc. Just remember 1 master PW to open it. Even a long one can be remembered, if you think about how to easily do it !
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,718
    Location:
    .
    Or just use KeyPass... that's easy ;)
     
  18. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    293
    Location:
    Blue Ridge, Va
    I agree 100%
     
  19. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    If you look at the LastPass forums there are people locked out of their accounts, people who haven't been able to change their master password - which was also the case for me. I created a new account after deleting my account and imported the csv file from my usb stick.

    If I had been able to change my master password right off I would have stopped there. After seeing kasperskys own network being hacked without them knowing it for months I'm not sure anything is really safe. Just being cautious on my end.
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,053
    Location:
    USA
    Why were people locked out of their accounts? Can you please link to what you're referring to?
     
  21. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,112
    Location:
    Slovakia
    Indeed. It is 4th or 5th time LastPasss has been hacked, but people will keep using it, because it is much more convenient compared to offline solutions.
     
  22. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,281
    Location:
    EU
  23. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,112
    Location:
    Slovakia
    Official statements usually lie, but people tend to believe them, because that is, what they are expected to do.
    No company would admit a fail, it would ruin their business, even if the proofs are well known and obvious.
     
  24. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    187
    @TairikuOkami In general and to varying degrees, your above-captioned "statement" does not apply to LastPass's country of origin. Nice try, though.
     
  25. Paranoid Eye

    Paranoid Eye Registered Member

    Joined:
    Dec 15, 2013
    Posts:
    175
    Location:
    io
    keepass + keepass database stored in encrypted container or drive with plausible denibility
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.