
LastPass Password Service Hacked

timothy posted more than 3 years ago | from the oh-were-your-eggs-in-that-basket? dept.

Security 268

Trailrunner7 writes "LastPass, a popular Web-based password management firm, advised its customers to change the password they use to access the service following what the company said are signs that its network may have been compromised."


KeePass (5, Informative)

x*yy*x (2058140) | more than 3 years ago | (#36038734)

KeePass [keepass.info] is really the best tool for handling passwords. Open source, encrypted database, easy to use (CTRL+B copies the username to the clipboard, CTRL+C the password), contains grouping and generates safe, different passwords for every site. It's actually a great example of a well done open source project.

Using an online service for something like your passwords is just incredibly stupid. It's a really well known place to hack for someone who wants lots of passwords. Back up your encrypted password container to your own place, but never something like this.

Re:KeePass (0, Funny)

Anonymous Coward | more than 3 years ago | (#36038832)

KeePass is ok, but most of us who are not into shemales prefer Passsword Safe [wikipedia.org] .

Re:KeePass (1)

Anonymous Coward | more than 3 years ago | (#36038880)

I'm a shemale you insensitive clod.

Re:KeePass (1)

Anonymous Coward | more than 3 years ago | (#36038920)

KeePass is way better than the piece of shit I'm going to recommend to my shemale brethren, but most of us who are into shemales prefer Passsword Safe [wikipedia.org] .

Fixed that for you.

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039194)

You're REALLY recommending Password Safe over Keepass?

Re:KeePass (1)

theNAM666 (179776) | more than 3 years ago | (#36039212)

Sssh... Sshhthink istssst's ssshhafe?

Re:KeePass (2)

dloose (900754) | more than 3 years ago | (#36039906)

The extra S is for shemale

Re:KeePass (1)

Anonymous Coward | more than 3 years ago | (#36038868)

Better that Schneier's PasswordSafe? I've been using that for years...

Re:KeePass (1)

W1sdOm_tOOth (1152881) | more than 3 years ago | (#36039034)

I thought I had to use a password for an online service,,, Hold on, I am lost in the loop.

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039042)

Praystation.

Re:KeePass (1)

rockman_x_2002 (1791612) | more than 3 years ago | (#36039056)

I use KeePass primarily because it's the only one I've found for Android that works cross-platform anywhere the way I'd like to use it. KeePass plus a secured Dropbox account to keep your password database synced across machines (or databases if you want added security with a secondary password for more private-like info) are an excellent combination. Throw in a key file that you keep locally on your person on either your phone or a small-capacity USB drive kept on a keychain for added security.

I did look at Password Safe, but at the time there was no Android version and I needed something I could keep on my phone and access my passwords there too. Keepass fits the bill quite nicely.

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039210)

b-folders does the job on Android quite nicely.....

keep a snapshot of your db in a TrueCrypt encrypted container file
synched to Dropbox.

yes - I know that if the pass phrases for any of them are
week, the whole thing doesn't make sense.

Re:KeePass (3, Funny)

PNutts (199112) | more than 3 years ago | (#36039832)

yes - I know that if the pass phrases for any of them are
week, the whole thing doesn't make sense.

My pass phrase is month which is four times as strong.

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039216)

Lob your Keepass file into Dropbox, then updates made on your phone get saved back into the cloud and are available everywhere else.

Re:KeePass (4, Insightful)

GungaDan (195739) | more than 3 years ago | (#36039244)

What's a "secured dropbox account?" Didn't we find out last week that Dropbox has the encryption keys to your stuff and will hand it over to pretty much anyone who asks nicely?

Re:KeePass (2)

x*yy*x (2058140) | more than 3 years ago | (#36039324)

KeePass password container is encrypted itself, so that shouldn't be a problem.

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039742)

Yeah, but on the other hand, LastPass is equally encrypted... It's not that different from a nice integration of KeePass + Dropbox.

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039520)

A secured dropbox account is one in which you have created a TrueCrypt volume, which Dropbox does not have the key to.

Re:KeePass (1)

icebike (68054) | more than 3 years ago | (#36039926)

I use KeePass primarily because it's the only one I've found for Android that works cross-platform anywhere the way I'd like to use it.

There are quite a few that do this. mSecure (from mSeven software) works on Android, iPhone, Windows, Mac, and allows you to sync all your devices with your own computer.

It will also support backup and restore to any regular file, and the database is encrypted. So your drop box plan continues to work.
It is password protected rather than key-file protected. You may argue the wisdom of that, but too often the key-file approach fails because those get stored on the same device.

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039250)

http://ubuntuforums.org/archive/index.php/t-208449.html [ubuntuforums.org]

#!/bin/bash
# Derives a site password deterministically: SHA-1 of "<master> <reason>",
# truncated to the requested length. Output is hex, so the alphabet is only 0-9a-f.

read -r -s -p "Enter the master password: " MASTPASS
echo
read -r -p "Enter the reason (e.g. site name): " REASON
read -r -p "Enter desired number of characters (1-40): " DESNUM

# sha1sum prints 40 hex characters; refuse lengths outside that range
case "$DESNUM" in
    ''|*[!0-9]*) echo "length must be a number" >&2; exit 1 ;;
esac
if [ "$DESNUM" -lt 1 ] || [ "$DESNUM" -gt 40 ]; then
    echo "length must be between 1 and 40" >&2; exit 1
fi

echo
echo "Your password is:"
# Quoting keeps the two inputs intact (no word splitting or glob expansion)
echo "$MASTPASS $REASON" | sha1sum | cut -c1-"$DESNUM"
echo

Not massively secure, but obscure enough that it's not low hanging fruit and very simple.

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039448)

Or you can just stick your elbow into the keyboard a few times.

Re:KeePass (1)

migla (1099771) | more than 3 years ago | (#36039600)

Is there something wrong with

sudo apt-g[TAB] i[TAB] pwgen
pwgen

?

Re:KeePass (1)

MaskedSlacker (911878) | more than 3 years ago | (#36039274)

Some of us don't use windows.

Re:KeePass (1)

somersault (912633) | more than 3 years ago | (#36039480)

Ahem [keepass.info] .

Hint: try scrolling down. It's probably already in the repository for your distro if you use Linux.

Re:KeePass (1)

Rich0 (548339) | more than 3 years ago | (#36039944)

Really? I use Linux - the Chrome OS distro. Didn't notice it available for that...

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039512)

Well, if you are willing to use mono, it works pretty well with Linux.

Re:KeePass (1)

phlamingo (629479) | more than 3 years ago | (#36039286)

I went to LastPass because KeePass wouldn't read my stored passwords directly from FireFox settings.

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039754)

I went to LastPass because KeePass wouldn't read my stored passwords directly from FireFox settings.

There are plugins for that. Firefox's password storage is replaced entirely by KeePass on my setup. With that and Dropbox, I get synced passwords for everything everywhere I go, including my mobile phone, and passwords from Firefox are easily available even if I don't have Firefox available (unlike Sync).

Re:KeePass (1)

starsky51 (959750) | more than 3 years ago | (#36039412)

Maybe I'm paranoid, but I really don't like copying passwords to the clipboard. I'd much prefer some kind of automatic key pressing function.

Re:KeePass (1)

x*yy*x (2058140) | more than 3 years ago | (#36039500)

Well, most people type in their passwords so that is what viruses are looking for. Yeah, it's not really hard to implement something that looks for clipboard too, but it always helps being in the minority when it comes to computer security. Just like with Mac and Linux.

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039504)

KeePass can use random combinations of copy-paste and virtual keyboards (clipboard for three characters, then type two, then clipboard for one more, then an onscreen-keyboard sort of thing for the next five). If you're afraid of keyloggers or clipboard loggers, this'll beat most of them.

Re:KeePass (0)

Anonymous Coward | more than 3 years ago | (#36039570)

If you can't trust your clipboard, you have already lost the game.

Re:KeePass (1)

gfreeman (456642) | more than 3 years ago | (#36039738)

FUCK YOU, I just lost the game :(

Re:KeePass (1)

superswede (729509) | more than 3 years ago | (#36039766)

Maybe I'm paranoid, but I really don't like copying passwords to the clipboard. I'd much prefer some kind of automatic key pressing function.

From http://keepass.info/help/v2/autotype_obfuscation.html [keepass.info] :

"The Auto-Type feature of KeePass is very powerful: it sends simulated keypresses to other applications. This works with all Windows applications and for the target applications it's not possible to distinguish between real keypresses and the ones simulated by Auto-Type. This at the same time is the main disadvantage of Auto-Type, because keyloggers can eavesdrop the simulated keys. That's where Two-Channel Auto-Type Obfuscation (TCATO) comes into play.

TCATO makes standard keyloggers useless. It uses the Windows clipboard to transfer parts of the auto-typed text into the target application. Keyloggers can see the Ctrl-V presses, but do not log the actual contents pasted from the clipboard.

Clipboard spies don't work either, because only parts of the sensitive information are transferred this way.

Anyway, it's not perfectly secure (and unfortunately cannot be made by theory). None of the currently available keyloggers or clipboard spies can eavesdrop an obfuscated auto-type process, but it is theoretically possible to write a dedicated spy application that specializes on logging obfuscated auto-type."

Re:KeePass (1)

maxume (22995) | more than 3 years ago | (#36039886)

If you are accessing passwords on hardware that you do not trust, you are not being paranoid.

Re:KeePass (1)

RobDude (1123541) | more than 3 years ago | (#36039538)

If you think KeePass isn't vulnerable to attacks you just aren't being creative enough.

Re:KeePass (1)

Agent0013 (828350) | more than 3 years ago | (#36039722)

Plus there is a KeePass for Android. It reads the same database as the PC version, so it is easy to migrate back and forth. It's called KeePassDroid.

Re:KeePass (2)

izomiac (815208) | more than 3 years ago | (#36039966)

IMHO, it's better to never write them down and just generate them algorithmically based on the site's domain or a memorable keyword. Several years ago I just kept a tabula recta [lifehacker.com] in my wallet. Nowadays, you can use something like SuperGenPass [supergenpass.com] .

Personally, I wrote my own equivalent of SuperGenPass that addresses some of the security concerns [stackoverflow.com] . That said, I use PassPack [passpack.com] with a tediously strong password to keep a backup in case I inadvertently break compatibility, and a copy of the generator on my website.

Re:KeePass (1)

Radhruin (875377) | more than 3 years ago | (#36039976)

They will only get lots of passwords from people who are foolish enough to select a brute forcible password as their master. Picking a simple master password is stupid. Storing encrypted data on the internet isn't necessarily stupid.

Not to mention, if you generate random passwords for every service, it's not much labor to just go ahead and generate new ones when situations like this occur. All LastPass clients automatically update to use the new passwords, no big deal.

IMO the convenience of having a central password repository outweighs the dangers. It's a risk, certainly, but not a big one, as long as you have a sane master password.

Apparently... (2)

mmelbert (710945) | more than 3 years ago | (#36038804)

LastPass is using the same security group as Sony....

Daaaaamn. (0)

Anonymous Coward | more than 3 years ago | (#36039058)

A company like Sony could conceivably recover from a breach like this, but LastPass is a service explicitly targeted toward people who want their shit to be super-duper-secure. It's over.

Re:Apparently... (1)

ArhcAngel (247594) | more than 3 years ago | (#36039558)

Actually one of the admins at LastPass had a PSN account and used the same password.

Hacked? (1)

Chibo (762245) | more than 3 years ago | (#36038842)

It doesn't say that they were hacked for sure. Why the title proclaiming that it has?

Re:Hacked? (0)

Anonymous Coward | more than 3 years ago | (#36039030)

If it truly was "signs that its network may have been compromised" they would never NEVER tell the customers... Now if they realized they need to say something like - "There are signs that its network may have been compromised"... Let me translate the P.R. spin for you "We have been 0wnZ0r3d like a mo fo ya'll"

Re:Hacked? (1)

Phoshi (1857806) | more than 3 years ago | (#36039468)

Except that if you actually read TFA, you'll see that they don't know for sure any data was compromised, but if it was, it wasn't the password containers. This is preventative, to stop any theoretical attacks that could happen if they actually were compromised. Because, yes, PR - being secure is their thing. If there's even a chance they've been compromised they have to take serious action, because it'd only take one actual breach to sink them.

Re:Hacked? (1)

RobDude (1123541) | more than 3 years ago | (#36039590)

The company admits they had 'unexplained' traffic with more data coming from the database than going to the database. They were unable to track down the source of the traffic and have started some password changing strategy for the users.

I wonder... (1)

kpainter (901021) | more than 3 years ago | (#36038866)

Was the administrator password for LastPass "password"?

Re:I wonder... (0)

Anonymous Coward | more than 3 years ago | (#36038976)

No, it was "pasword", like in the summary.

Re:I wonder... (1)

rockman_x_2002 (1791612) | more than 3 years ago | (#36039080)

It would certainly be the last password I'd ever use.

Re:I wonder... (1)

jcoy42 (412359) | more than 3 years ago | (#36039228)

Pretty sure it was "changeme"

Another breach, eh? (1)

Anonymous Coward | more than 3 years ago | (#36038892)

I'm getting tired of getting letters from companies I do business with informing me that my data may have been compromised.

Do sysadmins do their jobs anymore? Do companies conduct internal penetration testing anymore? Do they do internal audits anymore? I doubt it. They are too concerned with the monetary systems that take our money. Properly configured firewalls, IDP, and router systems be damned.

Re:Another breach, eh? (1)

NeverVotedBush (1041088) | more than 3 years ago | (#36039374)

It's not the admins. It's management... Doing more with less...

When you are up to your ass in alligators, it is difficult to remind yourself that your initial objective was to drain the swamp.

Re:Another breach, eh? (1)

avgjoe62 (558860) | more than 3 years ago | (#36039436)

Of course not. IT departments have been cut to the bone and the budget to hire an outside security auditor is now the CEO's bonus for cutting IT costs. The few SysAdmins left working in most IT departments are too frazzled to pay much attention to security and management mostly looks at any spending on IT security like buying insurance - we won't spend that money until after the house has burned down because before then we don't care.

Just look at the earlier article here on Slashdot [slashdot.org] to see how much most companies value good SysAdmins.

If minding your own passwords is too hard... (1, Informative)

fatbuckel (1714764) | more than 3 years ago | (#36038942)

get off the internet. For crying out loud.

Re:If minding your own passwords is too hard... (0)

Anonymous Coward | more than 3 years ago | (#36039024)

Amen

meant in an entirely secular way

Re:If minding your own passwords is too hard... (1)

Seumas (6865) | more than 3 years ago | (#36039330)

By "minding your own passwords", do you mean "mentally keep a checklist of every password you use at every website and for every service you access in your head"? Or do you mean "use your own shit and hope it's secure on your machine and in whatever way you use to sync it to other machines that you access rather than a cloud service"?

Re:If minding your own passwords is too hard... (1)

creat3d (1489345) | more than 3 years ago | (#36039842)

I use different passwords for every site I have to log in and I can remember them all. Seriously, why would you need such a service? Sounds like giving away the keys to your home and hoping nobody comes to rob you.

Straight from the horse's mouth: (5, Informative)

karnal (22275) | more than 3 years ago | (#36038946)

Note: This is taken from http://blog.lastpass.com/2011/05/lastpass-security-notification.html [lastpass.com]

***f****f****f******f******f**f**f*f*******f******f*f**f******f******f********
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.

For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used and are continuing to investigate it. We had our Asterisk phone server more open to UDP than it needed to be, which was an issue our auditing found, but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on.

We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.

Again, we apologize for the inconvenience caused and will continue to take every precaution in protecting user data.

The LastPass Team.

UPDATE 1: We're overloaded handling support and the sheer load of password changes is slowing us down. We've implemented a way for you to verify your email and then not be immediately forced to change your password for that IP, access from any other IP would bring you back to email verification. You can now wait a few days if you know you'll be on the same IP without loss of security, and due to this overloading we think that's prudent to wait.

We're asking if you're not being asked to change your password then hold off -- we're protecting everyone.

Re:Straight from the horse's mouth: (1)

calderra (1034658) | more than 3 years ago | (#36039200)

Mod parent up. There is no direct threat to users, and this measure was taken out of an overabundance of caution. Lastpass does keep all of its passwords encrypted, and what they noticed was a potential attempt at brute force (dictionary) hacking, trying to guess people's passwords. If you have a strong password, your account is just as safe as it ever was.

Re:Straight from the horse's mouth: (5, Insightful)

Captain Spam (66120) | more than 3 years ago | (#36039416)

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transfered and that it's big enough to have transfered people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs.

Gotta be honest here: Even if this WASN'T anything, if I had trusted my passwords for everything to some other party like this, I'd very well want them to be more than a bit paranoid in protecting it. So I say, kudos.

Re:Straight from the horse's mouth: (2)

Gaygirlie (1657131) | more than 3 years ago | (#36039616)

This is really exemplary action; they're not entirely certain that there even is a threat to customers' data, but they take all the precautions they can and inform their users of the possibility of a threat. We can only wish other companies were as careful!

Re:Straight from the horse's mouth: (2)

Daetrin (576516) | more than 3 years ago | (#36039642)

Well that's certainly a lot more informative than what Sony had to tell their users about what was compromised and whether it was encrypted, hashed, or totally clear.

Re:Straight from the horse's mouth: (0)

Anonymous Coward | more than 3 years ago | (#36039856)

***f****f****f******f******f**f**f*f*******f******f*f**f******f******f********

OK, I give up. What kind of code is that? Or is it just a string of censored f-words?

Re:Straight from the horse's mouth: (0)

Anonymous Coward | more than 3 years ago | (#36039884)

PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds.

What does 'rounds' mean in this sentence?
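
"Rounds" in the LastPass post is the PBKDF2 iteration count: HMAC-SHA256 is applied 100,000 times in a chain for every candidate password, so each guess, the server's or an attacker's, costs that many HMAC evaluations. The example below is added here and is not LastPass code: it builds the kind of salted-hash record the post says may have leaked (per-user 256-bit salt, PBKDF2-HMAC-SHA256), runs the offline dictionary attack the post warns about against a weak and a strong master password, and times one guess at 1, 1,000 and 100,000 rounds. The wordlist and both master passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Added example, not LastPass code. Parameters follow the post's stated rollout:
# PBKDF2 with HMAC-SHA256, a 256-bit (32-byte) salt and 100,000 rounds.
ROUNDS = 100_000
SALT_BYTES = 32


def hash_master_password(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """PBKDF2 chains HMAC-SHA256 'rounds' times per candidate password, so every
    guess (legitimate or attacker's) costs that many HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds, dklen=32)


def make_record(password: str, rounds: int = ROUNDS) -> dict:
    """What a leaked database row would hold: a per-user salt and the salted hash,
    never the master password itself."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "rounds": rounds, "hash": hash_master_password(password, salt, rounds)}


def verify(record: dict, candidate: str) -> bool:
    guess = hash_master_password(candidate, record["salt"], record["rounds"])
    return hmac.compare_digest(guess, record["hash"])  # constant-time comparison


def dictionary_attack(record: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """The offline attack the post warns about, run against a stolen salt+hash.
    Returns (recovered password or None, guesses spent)."""
    for i, word in enumerate(wordlist, 1):
        if verify(record, word):
            return word, i
    return None, len(wordlist)


def cost_per_guess(rounds: int, samples: int = 3) -> float:
    """Seconds one PBKDF2 evaluation takes on this machine at the given round count."""
    salt = b"\x00" * SALT_BYTES
    start = time.perf_counter()
    for _ in range(samples):
        hash_master_password("benchmark", salt, rounds)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed wordlist; "sunshine" stands in for a dictionary-word master password.
    wordlist = ["password", "123456", "letmein", "sunshine", "dragon", "qwerty"]
    weak = make_record("sunshine")
    strong = make_record("correct-horse-battery-staple-7x!")
    print("weak master   ->", dictionary_attack(weak, wordlist))
    print("strong master ->", dictionary_attack(strong, wordlist))
    for r in (1, 1_000, ROUNDS):
        print(f"{r:>7} rounds: {cost_per_guess(r) * 1e6:10.0f} microseconds per guess")
```

The timing loop shows why the round count is the whole of this mitigation: cost per guess scales linearly, so 100,000 rounds makes a wordlist run roughly 100,000 times slower than a single hash, but it does nothing for a master password that sits in the first few thousand entries of the attacker's list. Note that the salt must be stored beside the hash (it is not secret), which is exactly why the post counts "the server salt" among the data that could have left the database.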

I guess I'm just old school... (1)

Gunkerty Jeb (1950964) | more than 3 years ago | (#36038960)

I use this thing called my brain to store passwords. Sometimes I lose one, but it never gets hacked.

Re:I guess I'm just old school... (4, Insightful)

Anonymous Psychopath (18031) | more than 3 years ago | (#36039230)

Either you have an excellent memory or you're reusing the same password on multiple sites. If you're a mere mortal, like me, and you don't want to reuse a few passwords over and over again, you need a password manager.

Re:I guess I'm just old school... (0)

Anonymous Coward | more than 3 years ago | (#36039372)

Or you could just quit signing up for every website. If I don't have to I'm not registering anywhere. And if a website requires it for example to post, then I look at what it would benefit me. Somewhere I almost never visit vs the need to remember another password?

Re:I guess I'm just old school... (0)

Anonymous Coward | more than 3 years ago | (#36039454)

You forgot another option: Use of 4-letter passwords or some normal word that comes to mind in the context.

Re:I guess I'm just old school... (1)

creat3d (1489345) | more than 3 years ago | (#36039960)

I'm pretty sure there's a lot of us "mere mortals" who can remember all their passwords (all different ones) without the need to entrust a cyber nanny with said passwords. Of course, if you have an account for Twitter, Delicious, Digg, Bebo, Bobe, Baba, Bubo, Meeme, Moomo, Mamo, and every other useless social crap out there... I could see the need for a password manager.

Re:I guess I'm just old school... (1)

Jeek Elemental (976426) | more than 3 years ago | (#36039308)

so how many brains have you lost so far??

Re:I guess I'm just old school... (1)

Thud457 (234763) | more than 3 years ago | (#36039452)

All but one of them.

One, his name is Spock, would also have been an acceptable answer.

Re:I guess I'm just old school... (1)

BLToday (1777712) | more than 3 years ago | (#36039310)

It hasn't been hacked YET. Or at least you believe it hasn't been hacked.

My bet is that the NSA and/or DARPA is working on something to hack your brain.

Re:I guess I'm just old school... (0)

Anonymous Coward | more than 3 years ago | (#36039356)

Bet you have a system or a pattern that can be used to figure out the rest of your passwords...

That's hacking your brain...

oh yeah? (1)

ClintJCL (264898) | more than 3 years ago | (#36039396)

INCEPTION!

Re:I guess I'm just old school... (0)

Anonymous Coward | more than 3 years ago | (#36039524)

$5 wrench

Wel... (1)

theNAM666 (179776) | more than 3 years ago | (#36038978)

Apparently the hackers got only paswords, and not passwords. No big deal then.

One key to rule them all... (1)

geekmux (1040042) | more than 3 years ago | (#36038984)

"...advised its customers to change the password they use to access the service..."

Wow, I only have to change one password? Whew, that's a relief! For a minute there, I thought I had to change them all. (/sarcasm)

Consolidated password management works, as long as YOU maintain 100% control. Use TrueCrypt locally for securing your password file. Sync the encrypted file to the cloud if you want an "online" backup.

Re:One key to rule them all... (4, Informative)

mailman-zero (730254) | more than 3 years ago | (#36039204)

Consolidated password management works, as long as YOU maintain 100% control. Use TrueCrypt locally for securing your password file. Sync the encrypted file to the cloud if you want an "online" backup.

LastPass is basically the exact same thing. It's encrypted locally and sent to them AFTER encryption. They don't store the plaintext passwords. The danger is the same either way if a user doesn't use a strong enough password.

Re:One key to rule them all... (0)

Anonymous Coward | more than 3 years ago | (#36039420)

No, because if you encrypt your own material you hold the keys. If you let someone else do it, they hold the keys. And who knows how good they are at keeping them safe.

You always know how good you are (or, how bad you are) at keeping your own keys safe.

Keepass(x), gpg encrypted file backup with the gpg keys backed up on a CD in a bank safety deposit box. (and if you're daring, a copy of the key on a usb jump drive you keep on your person at all times)

Re:One key to rule them all... (1)

RobDude (1123541) | more than 3 years ago | (#36039870)

Pick your poison....

If you go with LastPass - you get great integration/ease of use and you can access your passwords from any place with internet access. For that ease of use, you run the risk of LastPass's servers being hacked and hoping that the encryption they use is strong enough and that your password isn't vulnerable to a dictionary-type attack.

If you take your approach - you get limited integration/ease of use and you can only access your passwords from any place where you can access gpg.

In either case, if your local machine is compromised all of your passwords are stolen.

Re:One key to rule them all... (0)

Anonymous Coward | more than 3 years ago | (#36039254)

Wut.
Their window of opportunity to access the data closes once your password changes. LastPass only stores your encrypted passwords; it needs your master pass to decrypt them. Assuming you're not an idiot and your master pass isn't brute-forceable in the time before you change your password (if it's brute-forceable full stop), then your passwords are safe. They said not enough data could have been stolen for entire databases to be compromised if indeed there was an attack.

This. (1)

Jon.Laslow (809215) | more than 3 years ago | (#36039298)

Seriously. I can't stand the thought of someone else having every password I use for everything. I use a system to generate passwords in a semi-hard-to-predict fashion for services I don't really care about, and have a number of 'strong' passwords for things that are important. Those passwords (and the information on where to use them) gets stored in a TrueCrypt container that I periodically update and sync with my VPS and my Dropbox. The TrueCrypt volume key isn't recorded anywhere - it's in my head, which is the safest place for it (because, seriously, if someone is actually going to go to the effort of torturing me to get my passwords, they're going to be in for a big let down).

Re:This. (1)

llZENll (545605) | more than 3 years ago | (#36039578)

It's just like anything else, be smart about it. It doesn't force you to use it for every site so don't. I use it for all my forums, some email, some social sites, basically anything that if stolen doesn't matter, well over 100 sites. I don't use it for anything connected to any part of my finances, credit cards, or my big selling or buying sites (eBay, Amazon, etc.), a much smaller 10-20 sites. Using it this way is worry free and does simplify things. You still have multiple passwords, but at least the ones for non-financial sites are automatic now on all my computers, and I no longer use the same password for these sites.

Re:One key to rule them all... (0)

Anonymous Coward | more than 3 years ago | (#36039902)

This is the same way LastPass works. They hash your password, then use your hashed password as the encryption key to encrypt the real encryption key, then all of your data is encrypted using the 2nd encryption key. All of your data is inaccessible without your original password.
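
The layering the comment above describes (password-derived key wraps a random data key, the data key encrypts the vault) is a standard key-hierarchy design; the page does not confirm that this is exactly how LastPass is built, so the code below is an added illustration of the pattern, not LastPass's implementation. It also shows why a forced master-password change, as in the advisory, is cheap: only the wrapped data key is re-encrypted under a new salt and key-encryption key, while the vault blob itself is untouched. AES is not in the Python standard library, so the cipher here is a stand-in (HMAC-SHA256 in counter mode as the keystream plus an HMAC tag, encrypt-then-MAC); swap in AES-GCM from a real crypto library for anything beyond illustration. The vault contents and master passwords are constructed.

```python
import hashlib
import hmac
import os

# Added example, not LastPass code. Key hierarchy:
#   master password --PBKDF2--> key-encryption key (KEK)
#   KEK wraps a random data-encryption key (DEK); the DEK encrypts the vault.
# Cipher below is a stdlib stand-in for AES-GCM: HMAC-SHA256 counter-mode keystream
# with an HMAC-SHA256 tag over nonce||ciphertext (encrypt-then-MAC).

ROUNDS = 100_000


def derive_kek(master_password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, rounds, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. A fresh random nonce per call keeps the
    keystream unique under the same key."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def create_vault(master_password: str, vault: bytes, rounds: int = ROUNDS) -> dict:
    """What the server would store: salt, wrapped DEK and the DEK-encrypted vault.
    None of it decrypts without the master password."""
    salt = os.urandom(32)
    dek = os.urandom(32)
    kek = derive_kek(master_password, salt, rounds)
    return {"salt": salt, "rounds": rounds,
            "wrapped_dek": seal(kek, dek),
            "vault": seal(dek, vault)}


def open_vault(master_password: str, record: dict) -> bytes:
    kek = derive_kek(master_password, record["salt"], record["rounds"])
    dek = unseal(kek, record["wrapped_dek"])
    return unseal(dek, record["vault"])


def can_open(master_password: str, record: dict) -> bool:
    try:
        open_vault(master_password, record)
        return True
    except ValueError:
        return False


def change_master_password(old: str, new: str, record: dict) -> dict:
    """Forced master-password change: re-wrap the DEK under a fresh salt and KEK.
    The (possibly large) vault blob is not touched."""
    old_kek = derive_kek(old, record["salt"], record["rounds"])
    dek = unseal(old_kek, record["wrapped_dek"])
    new_salt = os.urandom(32)
    new_kek = derive_kek(new, new_salt, record["rounds"])
    return {**record, "salt": new_salt, "wrapped_dek": seal(new_kek, dek)}


if __name__ == "__main__":
    # Constructed vault contents and master passwords.
    rec = create_vault("hunter2", b"site=example.org user=alice pass=s3cret")
    print("old password opens:", can_open("hunter2", rec))
    rec2 = change_master_password("hunter2", "correct-horse-battery-staple", rec)
    print("vault blob unchanged:", rec2["vault"] == rec["vault"])
    print("old password still opens new record:", can_open("hunter2", rec2))
```

The caveat this makes visible: re-wrapping only helps against an attacker who does not already hold the old wrapped DEK together with the vault blob. Anyone who copied both can still brute-force the old master password offline and unwrap the DEK, which is why the LastPass post stresses that the volume of data moved "isn't remotely enough to have pulled many users' encrypted data blobs".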

Bullshit article and submission. (1)

Seumas (6865) | more than 3 years ago | (#36039054)

Lastpass released this information yesterday and they did not state that they were hacked as the submitter does nor do they state that they were probably hacked as the article does. They stated that there was a mismatch in the amount of traffic between some of the servers and that whenever this occurs, they do an investigation, which usually turns out to be nothing. They felt it was probably nothing, but since they were unable to (so far) determine exactly what accounted for the difference in data transfers, they wanted to take the safe road and enforce a password change on all accounts.

ORIGINAL LASTPASS STATEMENT FROM MAY 4TH
(source: http://blog.lastpass.com/2011/05/lastpass-security-notification.html [lastpass.com] )


We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.

For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used and are continuing to investigate it. We had our asterisk phone server more open to UDP than it needed to be which was an issue our auditing found but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on.

We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.

Again, we apologize for the inconvenience caused and will continue to take every precaution in protecting user data.

The LastPass Team.
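The Anonymous Coward's comment above describes the layered design (hash the master password, use the result to wrap the real encryption key, encrypt the data under that second key), and the statement announces PBKDF2-SHA256 with a 256-bit salt and 100,000 rounds on the server. The sketch below is an added example, not LastPass's code, that puts the two together so the trade-offs are concrete: what the server actually stores, why a leaked salt plus verifier still costs an attacker 100,000 HMAC computations per guess, and why a forced master-password change only re-wraps the data key instead of re-encrypting the vault. The XOR-with-HMAC-pad wrap, the `verifier` derivation and all function names are my own simplifications (the wrap stands in for real authenticated encryption such as AES-GCM); the LastPass client-side details are not on this page and are not modelled.

```python
# Added example, not LastPass's code: a sketch of the password-manager
# server model described in the thread. The client's master password is
# stretched with PBKDF2-HMAC-SHA256 (100,000 rounds, 256-bit salt) and the
# result is used only to wrap a random data key, so a password change re-wraps
# the key without touching the encrypted blob. The XOR/HMAC wrap below is a
# simplification standing in for real authenticated encryption (assumption).
import hashlib
import hmac
import os
from dataclasses import dataclass

ROUNDS = 100_000      # rounds announced in the LastPass statement
SALT_BYTES = 32       # 256-bit per-user salt
KEY_BYTES = 32


@dataclass(frozen=True)
class UserRecord:
    """What the server stores; none of it yields the data key on its own."""
    email: str
    salt: bytes
    verifier: bytes      # login check, derived from (not equal to) the KEK
    nonce: bytes
    wrapped_key: bytes   # data key encrypted under the KEK
    tag: bytes           # integrity tag over nonce + wrapped_key


def derive_kek(master_password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Key-encryption key: every guess an attacker makes costs `rounds` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, dklen=KEY_BYTES)


def _verifier(kek: bytes) -> bytes:
    # Stored instead of the KEK so a stolen database cannot unwrap keys directly.
    return hmac.new(kek, b"verifier", hashlib.sha256).digest()


def _wrap(kek: bytes, data_key: bytes, nonce: bytes):
    pad = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(kek, b"tag" + nonce + wrapped, hashlib.sha256).digest()
    return wrapped, tag


def _unwrap(kek: bytes, nonce: bytes, wrapped: bytes, tag: bytes):
    expected = hmac.new(kek, b"tag" + nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                      # wrong key or tampered record
    pad = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def enroll(email: str, master_password: str, rounds: int = ROUNDS):
    """Create a record for a new user; returns (record, data_key)."""
    salt, nonce, data_key = os.urandom(SALT_BYTES), os.urandom(16), os.urandom(KEY_BYTES)
    kek = derive_kek(master_password, salt, rounds)
    wrapped, tag = _wrap(kek, data_key, nonce)
    return UserRecord(email, salt, _verifier(kek), nonce, wrapped, tag), data_key


def login(record: UserRecord, master_password: str, rounds: int = ROUNDS):
    """Return the data key for a correct master password, else None."""
    kek = derive_kek(master_password, record.salt, rounds)
    if not hmac.compare_digest(_verifier(kek), record.verifier):
        return None
    return _unwrap(kek, record.nonce, record.wrapped_key, record.tag)


def change_master_password(record, old_password, new_password, rounds=ROUNDS):
    """Re-wrap the same data key under a fresh salt and KEK; None if old_password is wrong."""
    data_key = login(record, old_password, rounds)
    if data_key is None:
        return None
    salt, nonce = os.urandom(SALT_BYTES), os.urandom(16)
    kek = derive_kek(new_password, salt, rounds)
    wrapped, tag = _wrap(kek, data_key, nonce)
    return UserRecord(record.email, salt, _verifier(kek), nonce, wrapped, tag)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    rec, key = enroll("user@example.invalid", "correct horse battery staple")
    assert login(rec, "correct horse battery staple") == key
    assert login(rec, "password") is None
    rec2 = change_master_password(rec, "correct horse battery staple",
                                  "a different long passphrase")
    assert login(rec2, "a different long passphrase") == key
    assert login(rec2, "correct horse battery staple") is None
    print("data key survives the password change; old record no longer opens it")
```

The point of the separate verifier is the one the statement makes: if email, salt and verifier leak, an offline attacker's only path is guessing master passwords at 100,000 PBKDF2 rounds each, and that cost is what a dictionary-grade password fails to exploit. A forced password change then invalidates the old verifier without the vault blob ever being re-encrypted, which is why the blob's size was irrelevant to LastPass's reasoning about what could have been copied.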

They didn't pull a sony (3)

binkzz (779594) | more than 3 years ago | (#36039092)

It isn't as bad as it seems, and kudos to them for being upfront and open about it:

We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

Re:They didn't pull a sony (1)

lwsimon (724555) | more than 3 years ago | (#36039380)

Wow. I'm going to check out their service then - that's obscenely ethical.

Re:They didn't pull a sony (1)

Seumas (6865) | more than 3 years ago | (#36039536)

The other slight concern would be that if you're using their printed personal grid as a second factor of authentication, any data breach might have included a copy of your personal grid, which they could then use. Of course, that would only be useful if they also bruteforced your password, since they have to be used in combination. The solution is simple enough - go into your account settings and generate/print a new personal authentication grid. Or . . . at least . . . do that when they aren't overloaded from all the traffic and you can access your settings.

Hmmm (-1)

Anonymous Coward | more than 3 years ago | (#36039130)

I find this thread hard to masturbate to.

pity!! (1)

liqs8143 (2028036) | more than 3 years ago | (#36039198)

sad to see so many organizations facing attacks from hackers! pity!

Somebody misread their slogan (0)

Anonymous Coward | more than 3 years ago | (#36039246)

as "The Last Password You'll Have to Hack".

Headline Edit (4, Informative)

mailman-zero (730254) | more than 3 years ago | (#36039332)

LastPass Password Service may have been Hacked.

This is a good story, but the story isn't that they were definitely hacked. It's entirely possible that the anomalous data transfers they mentioned were caused by internal testing and not properly documented, based on the limited information we have available.

Here is a transcript wherein Steve Gibson talks at length about why LastPass is secure [grc.com] .

I noticed something happened last night (2)

raulfragoso (790076) | more than 3 years ago | (#36039348)

I'm a LastPass user and last night I was forced to change my master password. Initially I was a bit suspicious about the request, so I took all the measures to make sure it was a genuine request from LastPass.com. When I was sure it was a safe request, I changed my master password to something even stronger than it was. I'm a paying user for their premium services, and in my opinion I must admit that their reaction to that casualty and possible data breach has been very open and reasonable. I would be very angry if instead they had an attitude like PSN. At least they took proactive countermeasures and are being honest to their customers, that attitude really deserves some kudos.

So why ... (1)

garry_g (106621) | more than 3 years ago | (#36039542)

... does anyone believe in storing sensitive information in the "cloud" or on the Internet?

The "cloud" (0)

Anonymous Coward | more than 3 years ago | (#36039612)

Is not a good place to store sensitive information. Fly by night startup website operators are especially suspect. Better to write it down than trust them.

Ridiculous (1)

Chad Birch (1222564) | more than 3 years ago | (#36039638)

Oh for the love of god, this is way out of hand.

They weren't "hacked", they saw a tiny anomaly in their network traffic (which honestly, most companies wouldn't even have noticed), and decided to notify you about it and handle it in the most paranoid way possible. It's such a small thing that I wouldn't have expected most companies to even tell anyone it happened.

But somehow them behaving in a very commendable way for a security company has blown up into an absolute PR nightmare for them, with sites like BusinessWeek posting articles with the title "LastPass Loses Passwords for 1.25 Million Customers" [businessweek.com] , which aren't even remotely correct. This is why companies don't disclose security breaches, because people are too dumb to understand the details, it gets sensationalized for no reason, and comes back to bite them hard.

Their implementation of this was pretty poor (trying to force almost everyone to change their password, when their server can't handle password changes at that rate), but their overall intentions were extremely good, and only make me even more confident in their service.

Site Overloaded (1)

Kamiza Ikioi (893310) | more than 3 years ago | (#36039686)

They just got slashdotted, efuct, dugg, and twitter bombed all at once. Read more [lastpass.com] .
