LastPass hacked

Discussion in 'other security issues & news' started by Nanobot, Jun 15, 2015.

  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Depending on your threat model and who wants those passwords, an encrypted container can be a liability. A user can be compelled or coerced into opening it or providing the master password. Malware can capture it. If that container is opened, your adversary gets all the passwords stored there.

    There are advantages to hiding passwords in plain sight in the manner I described. There's no cryptographic attack when there's no encryption. There's no master password that can be captured or forced out of you. If your system is compromised, the malware can only capture the password that you used. The rest stay hidden. In the example I used, there's 6 source files with over 300,000 total random characters. Somewhere in there are a dozen passwords of unknown lengths and locations. Find them. There's a plausible deniability aspect to this arrangement as well. I created those source files by encrypting text documents. They can easily be decrypted. There's nothing to prove or suggest that they serve another purpose, like source material for passwords.
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,115
    Location:
    USA
    Four or five times? Can you document that?

    Whether or not the statement made by LastPass about the recent incursion is a "lie" should come out in time. When valuable information is stolen it is usually exploited and surfaces somewhere. Has stolen information ever been found that can be linked directly to a LastPass hack? Are there documented cases of LastPass users having their financial accounts compromised?
     
    Last edited: Jun 17, 2015
  3. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,115
    Location:
    USA
    I read the (currently) ten page thread in the LastPass forum in the Feedback section and IIRC there were two posts stating problems with changing the master password (MP) and losing access to their accounts. There's not enough information to know what actually happened in those instances, but in any case a problem changing the MP has nothing to do with the hacking incident. Perhaps the failures were caused by the LastPass servers being overloaded by many users trying to change the MP at the same time, but that's just speculation. FWIW I changed my MP yesterday and then increased the password iterations. Both operations required re-encrypting my vault and uploading to the LastPass server, and I didn't have a problem.
     
    Last edited: Jun 17, 2015
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,115
    Location:
    USA
  5. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,885
    Location:
    Stockholm Sweden
    I was never worried since I use two factor authentication and only have two computers, one tablet and mobile that can connect to lastpass. No worries if anyone gets my master password (unless they get the devices that are authorized to use lastpass) just changed email adress to an "alias" on my normal mail account.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Yep, no problem whatsoever here too.
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,115
    Location:
    USA
    Yes, 2FA improves security significantly. And for those who want to take it further there's 3FA. See this post about using partial passwords in LastPass and manually completing them with a personal algorithm:

    https://www.wilderssecurity.com/threads/do-you-trust-last-pass.369448/page-3#post-2420487

    By the way, thanks for the tip about using an alias; I just setup an email alias to use exclusively with LastPass.
     
    Last edited: Jun 18, 2015
  8. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    636
    Location:
    USA--Colorado
    I recognize that this thread is about Last Pass. And, I am a Last Pass user and have been for a couple years. However, my question is regarding Roboform. Is Roboform any more or any less secure than Last Pass? I used to use Roboform, but refused to use it after they changed their model and broke their promise about "free upgrades for life for paid subscribers" several years ago.

    I'm now wondering if it might be wise to switch from Last Pass back to Roboform?
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I like the comment about Kaspersky even being hacked. To me it seems like their is a new revolution among hacking. AND I don't think it highly underfunded anymore. You must know those that hacked Kaspersky and even those that hacked the federal employees record keeping dept. were state funded, right?
    All the high profile hacking is state funded. Now do they hire the best black hats like EX_Poff , spelling , Microsoft, I do know.
    CloneRanger would remember.
     
  10. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Steve Gibson of the Security Now podcast covered Lastpass in episode 256.

    I am no expert on these matters, but Steve Gibson was very impressed by it.

    Episode 256 is here:

    https://twit.tv/shows/security-now/episodes/256

    here:

    https://www.youtube.com/watch?v=r9Q_anb7pwg

    transcript of show, there is an audio recording link at the top of the page also:

    https://www.grc.com/sn/sn-256.htm

    and the security incident at Lastpass is mentioned in the latest episode, 512:

    https://twit.tv/shows/security-now/episodes/512?autostart=false

    (press the play button)

    It really starts at about 09:50 in, though it gets a couple mentions earlier on.

    Personally, I use both Lastpass and Keepass.
     
  11. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    I think that's a very noteworthy point about the large scale funding for such hacking attacks.

    In fact, the thought had crossed my mind that this attack might be some type of well-funded smear campaign against Lastpass.
     
  12. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    In the LastPass forum. Google these titles. The number of users that post to the forums or even know about the forums is likely very small. I stopped trying to post there with issues years ago because they rarely answer in my experience.

    "LastPass doesn't recognize this device, please check your email to verify."

    "Wrong Password" when trying to change master password

    "Login for passwordreset not working"
     
  13. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    Certainly if someone is locked out because they told all their customers to change their master password and their system couldn't handle the traffic it IS their problem.

    They have 3.5 million customers on Chrome alone.

    I'd say it's a safe bet that 99.9% of them don't even know there is a forum.

    This same thing happened in 2011 http://goo.gl/cbdHvb
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Just about all of the security packages, privacy software, etc depend on and are integrated with cloud servers. Users have been enticed and almost forced to adopt solutions that rely on those servers. Now that the typical security package depends on those servers, we find they can and are being hacked at will. Nothing like creating an easy path into peoples systems, one with system privileges. People need to take these hacks as a warning of things to come and get rid of cloud dependent security packages.
     
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,115
    Location:
    USA
    Like I said we don't actually know why some people had problems, but more generally what is the point? LastPass isn't a perfect system and shouldn't be relied upon exclusively. LastPass users can easily protect their master passwords by using two factor authentication. With 2FA enabled even if the master password is stolen and decrypted it doesn't matter; the bad guys still do not have access (of course after an incident changing the master password is still a good idea IMHO).
     
    Last edited: Jun 18, 2015
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,115
    Location:
    USA
    Regarding LastPass on the mobile, do you have a way to use 2FA with it?
     
  17. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    It's a great service - no doubt. Probably better than anything else out there.
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,115
    Location:
    USA
    Yes!

    One of the problems I see with LastPass is they set the bar too low. For instance many forms of two factor authentication are available for free, but it doesn't require it; at this point I think they should because virtually everyone has a smartphone (and for those that don't there's a printed grid option). I feel that multi-factor authentication is the way forward for now, because the servers cannot be made perfectly secure. It also gives more control back to the user. There are a number of other ways that a LastPass account can be made more secure, but users have to choose to implement them.
     
  19. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    96
    Location:
    Emerald City
    Finally, the two most pertinent questions posed in this entire thread and nary a wink in acknowledgement from anyone; let alone an honest and direct reply to the inquiries. From already hacked Chase Bank, Bank of America, Albertson's, Home Depot, Sony, Walmart, HealthCare.gov, Veteran's Affairs, to Anthem Health Insurance, yada yada... Shame on you LastPass, how dare you!! :argh:
     
  20. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    192
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ noone_particular Re Post #51

    Fair enough, but the methods i described are fine for me.

    @ boredog

    Hi, yeah you mean EP_X0FF. As you know, he was head hunted my MS to go & work for them, for a few years anyway. Originally he said "it's awesome" now he's free to say what he thinks about their OS etc, & frequently does !!!
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    I completely agree, I would never store passwords online. But it also depends on the type of user. I do all my stuff like emailing, shopping and banking, only from my own PC at home.
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,115
    Location:
    USA
  24. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    5 out of my 98 sites I have stored with Lastpass were listed as being "compromised" when I ran the Security Check on Lastpass.

    They were *ALL* of my email sites stored with Lastpass. None of my web-login sites, discussion board sites, or Disqus, Twitter, Facebook, newspaper sites (yes, you can tell I'm only dippng my toes in the water as far as Privacy is concerned when I admit {*blush*} to having a Facebook account or two , I like to be a bit of a submarine) were attacked.

    All were email accounts; 5 of the 98. Maybe this indicates somethingo_O

    None of my email addresses were actually hijacked, undoubtedly due to the combination of pseudo-two factor authentication imposed by Lastpass after the attack and the amount of computer processing time it would take to target me in particular, all my email accounts were all functioning as if nothing had happened, but it seems to me that the attack was on email accounts.

    (I have changed Lastpass Master password and passwords of email accounts over the past 3 days).

    I find it weird that only my email accounts were attacked, because there would normally be an @ sign in my other stored login credentials.
     
  25. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Maybe best to keep passwords on a separate air-gapped (and sneaker-net gapped, remember Stuxnet) older computer.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.