LastPass Vulnerability Exposes Account Details

Discussion in 'privacy problems' started by markedmanner, Feb 27, 2011.

Thread Status:
Not open for further replies.
  1. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Sure, what will you do once you forget? Go try remembering 50+ complex passwords, especially for sites you don't visit often.
     
  2. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Well you could use containers.... oh wait.... you did that and the bug exposed your passwords (or there was a possibility to that). I guess you would be safer with a 25 password that you could remember rather than 50 one that you entrusted to someone else. Plus, if there is a decent algorithm (aes 128 or higher) then what difference does it make if you password can be broken in 100 gazzilion years or in "just" 10 gazzilion years.
    But it is nice to have one click login, perhaps even connected with Facebook option :) (never mind).
     
  3. altruist

    altruist Registered Member

    Joined:
    Feb 13, 2008
    Posts:
    25
    The problem is most people can't remember 10 'secure' passwords, let alone 25.

    The most I can probably do is about 5 before I start getting confused and forgetting them, if even that.

    When most people have to remember more passwords, they do one of the following, none of which is secure:
    1. Use the same passwords on various sites and logins.
    2. Use easier to remember, less secure passwords.
    3. Write down their passwords on post-it notes.

    Lastpass and other password managers let you have 100+ secure passwords for all sorts of different websites. If one website gets hacked, you only lose whatever on that specific site, rather than being compromised everywhere.

    I'm not saying lastpass is flawless, but it is one potential solution to a difficult problem. Personally I think every website should use keyfob authentication. But I am dreaming.
     
  4. x942

    x942 Guest

    I agree with what you are saying. I do store some passwords in a KeyPass database but those are for things (encrypted backups). The KeyPass database is encrypted with AES-256 BIT w/ a 64 Char ASCII Password + Keyfile(s). It is than stored on in an Encrypted file container (Where all of my VERY confidential [work related] data is) which is THAN on my encrypted 1TB HDD (Both with an additional 64 Char password (ASCII). The key file for Keepass(x) is encrypted with a GPG key (4096 bit 64 char ASCII pass again).

    ( The container part is because I am to lazy to move that stuff out of the container. I had the container and than encrypted my HDD with files in tact :p)
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    What does that mean?

    @x942: Really? He's clearly opposed to any password manager (container) other than your head.
     
  6. altruist

    altruist Registered Member

    Joined:
    Feb 13, 2008
    Posts:
    25
    http://www.google.com/search?q=keyfob authentication

    Sorry, I wish I knew how to explain it better than wikipedia. That said, I'm no expert, but if there's any questions from that page that aren't clearly answered I can try to answer them for you.

    To summarize it's a key-chain device with a number that changes every xx seconds. Banks in certain countries use them, I don't understand why they're not more widely used in North America. (Yet Paypal offers them for $5...)
     
  7. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    501
    Location:
    UK
    I was a last pass premium customer until this last problem. I am sure I read something about them being hacked for email addresses too only recently. I have gone back to 1password on my mac. I like a password vault, but I think as this hack has proved that the cloud is still too risky. For all who say it is safe, then why did they get people to change their passwords? I thought that password was the only one I was ever going to need?
    I also had the logging in problems and did not find support that helpful, in fact I am still awaiting one reply.
    Each to their own, for me its all back on my computer where only I am responsible for it. Too much to lose if it goes walkies.
     
  8. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,518
    Location:
    Paris
  9. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    501
    Location:
    UK
    Thats a good read and will comfort some. But the fact that it happened in the first place means it is possible to hack it, and it will continue to be a target due to the lucrative information worth millions that it holds. The one breach is enough to persuade me to go back to my own local password manager. I know thats not everyones view, but it is my own personal one.
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,518
    Location:
    Paris
    All things being considered that's probably very wise! I'm happy that both my Bank and Brokerage account have their sites set up so password managers won't work- a separate login page appears so that no manger that I've tried "sees" that a login and password are needed.
     
  11. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    501
    Location:
    UK
    Thats a fair point. I think Lastpass is fine providing you don't put all your valuable eggs in one basket, and use it for non critical log ins.
    My banking is the same and has multi authentication log ins, which is much safer but cannot be remembered by lastpass and the like.
     
  12. altruist

    altruist Registered Member

    Joined:
    Feb 13, 2008
    Posts:
    25
    All banking passwords can be keylogged. Even those so called 'security questions.' There's like three security questions, banks don't provide keylogging protection, so it makes it very easy for them to log the answers to all three.

    I like password managers, like lastpass because they help to thwart keyloggers and the like (assuming you use the screen keyboard to log in).

    On the other hand, like someone here intelligently pointed out, if someone manages to crack lastpass, or captures your lastpass password, all your passwords are at risk.

    The ideal solution is key fobs. I don't understand why World of Warcraft has them available, but your own bank account doesn't. Is my bank really going to reimburse me if someone transfers all that money out and I don't notice it for a week?

    Some banks in European countries provide them. Why are we behind the times?
     
  13. Zeena

    Zeena Registered Member

    Joined:
    Apr 25, 2008
    Posts:
    409
    Location:
    UK
    Hi :)


    I've just had an email from LastPass :doubt:

    Titled... LastPass Security Incident

    This person has also had an email : http://forums.lastpass.com/viewtopic.php?f=12&t=76363
    But So Far...
    I'm not exactly reassured by the answer they've had.

    To Be Honest!
    Never could get along with LastPass - & - Haven't used it in ages :cautious:

    I'm defo going to uninstall from my computer as I've never bothered with it via IE.
    Not used with Firefox since doing a clean install of Firefox 4.
    &...
    If I could delete my LastPass account without even signing in... I'd Do It Now!
    However...
    Kind of get the feeling that Panicking is the wrong thing to do right now.
    They must be overrun with people changing their details.
    And If anything...
    Might find myself in even more of a muddle :(


    Question...
    Has anyone else here had the same email as me?

    Sandboxed...
    But still reluctant to open the email :doubt:
    In case I'd simply be confirming to the baddies that my email address is real.


    Thanks!

    Zeena
     
  14. tlu

    tlu Guest

    No, I haven't so far. I suggest that you read the updated blog entry on http://blog.lastpass.com/2011/05/lastpass-security-notification.html.

    Please note that any data on the Lastpass servers is encrypted. Any encryption/decryption is done on your computer. This means:You might only have a problem

    1. if your encrypted data was really stolen (rather unlikely as only little data, if any, was stolen) and
    2. if you have a weak master password that is prone to a dictionary attack and
    3. if the Lastpass security measure that should prevent an attacker coming from a different IP range from accessing your data did not work.
    Otherwise you have nothing to fear.
     
  15. Zeena

    Zeena Registered Member

    Joined:
    Apr 25, 2008
    Posts:
    409
    Location:
    UK
    Hi tlu :)


    Yep! - Have Read The Blog ;)


    Just to be on the safe side... I've decided I'm not going to open the email.

    My password is Strong - & - Also use the Grid.


    Thanks!

    Zeena
     
  16. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    I also received an email today about the LastPass security incident, allegedly from LastPass, with instructions to go to a website and verify my identity, change my master password.

    HOWEVER:

    I am not a LastPass user
    The website the email sends me to has unverifiable credentials for SSL (per Opera)
    The extended email headers do not identify the sender as LastPass

    Otherwise looks very authentic :(

    So I reported it as a possible fraud site via Opera
    But may still be authentic-I don't remember that I didn't ever try LastPass and discard it.

    UPDATE: Attachment shows What Opera says about the site.
     

    Attached Files:

    • last.jpg
      last.jpg
      File size:
      35.2 KB
      Views:
      402
    Last edited: May 10, 2011
  17. Zeena

    Zeena Registered Member

    Joined:
    Apr 25, 2008
    Posts:
    409
    Location:
    UK
    Hi sded :)


    Rather Worrying! :(

    Also...
    Think the LastPass Forum must be rather overloaded right now... As I'm not able to get there :doubt:

    No problems getting to any other websites.

    Zeena
     
  18. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
    Yes, I received the same email yesterday and I changed my LastPass password to a more complex one.

    I think LastPass has done a good job communicating what happened and, at least for now, I still plan to keep using LastPass.
     
  19. x942

    x942 Guest

    Just got an e-mail supposedly from lastpass. The email was NOT from them and IS a phishing attempt. BE WARNED spammers are definitely taking advantage of this now.

    ***PLEASE NOTE THIS EXACT ATTACK NOTED BELOW MAY BE INTERNAL******

    The email directs you to a reset link but actually shows you an error message. This page tells you that there are to many people connected and to wait for it to refresh. as soon as you open a new tab it uses "tab napping" attack to change the page to look like a password reset form from last pass. details are sent back to the attack and NOT last pass.


    I post this just to enlighten everyone that may not realize these attacks are starting to target last pass users. This above attack is believed to be an internal attack against my company and we are working on confirming that. In testing we found the web page as attempts to exploit an older IE 8 buffer overflow to download malware on the computer(s). However the exploit is malformed and doesn't executed properly.


    Just stay alert and watch out for attacks like these ;)
     
  20. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    I use LastPass along with a Yubikey token, so even if my password was stolen my account would be safe. I have two other different tokens, one for my bank account and one for eBay/PayPal as well, so I'm pretty well covered...:cool:
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    @sded: Sign in, then see the security information. Obviously the front page isn't going to be as secure as password vault. Also, browsers such as Opera aren't error-proof.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Never understood the need for lastpass. Why not simply store them locally? Chrome (and every other browser) encrypts your passwords on your disk... no reason to put that info on a server somewhere.
     
  23. tlu

    tlu Guest

    There are at least 3 reasons:

    1. It's very comfortable if you're using different browsers and/or OS's. And it's also available for your mobile phone.
    2. You always have 2 (encrypted) copies of your login data: on your harddisk and on the Lastpass servers. If your harddisk crashes and you haven't backupped your data, there is still the copy on the Lastpass servers.That adds some security.
    3. In my experience, the automatic fill-in of login fields works better on several sites with Lastpass than with the FF password manager.
     
  24. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    well what i have been doing for years is having a base password and using an equation (which i store in my head) and applying that to the base password, this way you dont need to rely on 3rd parties remembering the password for u.

    here's how its done.

    choose a base password, for ex. MILKYWAY

    then choose an equation, for ex. the first 2 letters of the web address before the BASE and the last 2 letters of the web address after the BASE and the total amount of letters in the top level domain goes in as a number at the end of the BASE, so the password for;
    hotmail would be hoMILKYWAYil6
    google would be goMILKYWAYle6
    wilders would be wiMILKYWAYrs15
    and so on....

    this way the only thing you need to remember is the base password and the equation. in the above example this would be MILKYWAY and first 2 and last 2 letters and total letter count for adding at end

    simples :)
     
  25. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire

    obviously you can tweak that which ever way you desire, plus this way if someone finds out your password for 1 website then they will not find out the password for anymore as the equation is in your head only.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.