#1
Foundation Editor
Join Date: Apr 2008
Location: Planet Earth
Posts: 1,391
I just mentioned this in the thread here but thought it better to start a new thread to continue the discussion.
LastPass has had its critics, and many of their arguments have fallen on deaf ears. You really trust the guys there that much? It seems that those of us who have cautiously said, "No thanks!" were nearly vindicated. I have said it many times: never underestimate the creativity of cyber-criminals. If some of the most secure installations in the world can be hacked, so can LastPass. Anyway, I am willing to bet a lot of individuals will close their accounts. Too close for comfort.
http://www.theregister.co.uk/2011/05...assword_reset/
http://sunbeltblog.blogspot.com/2011...ur-master.html
__________________
The smallest good deed is better than the greatest intention.
#2
Guest
Posts: n/a
http://blog.lastpass.com/2011/05/las...ification.html
They spotted an anomaly and are taking precautionary measures.

"If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing."

"To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP."

"We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."

Last edited by JohnnyDollar; 05. May 2011 at 10:34 PM.
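The two points in the quoted notice, that an attacker holding a copy of the hash table can recover dictionary-word master passwords offline, and that a "known IP block or validate your e-mail" step still blocks a replay of a recovered password, can be seen end to end in the following added example. This is illustrative code written for this thread, not LastPass's code, and it does not describe how LastPass actually stored or verified hashes: the storage format (16-byte per-user salt plus PBKDF2-HMAC-SHA256), the accounts, the wordlist, and the IP blocks are all constructed here.

```python
"""Added example (not LastPass code): offline dictionary attack against a
constructed leak of salted master-password hashes, followed by the
"known IP block or e-mail validation" check from the notice.

Assumptions, all constructed for illustration: the storage format
(16-byte salt + PBKDF2-HMAC-SHA256), the accounts, the wordlist and the
IP blocks. None of this describes LastPass's real scheme.
"""
import hashlib
import hmac
import ipaddress
import os

# Constructed attacker dictionary; real wordlists run to millions of entries.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "football",
            "monkey", "qwerty", "iloveyou", "trustno1", "baseball"]


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Server-side master-password hash: PBKDF2-HMAC-SHA256.
    iterations=1 models a bare salted hash; large counts model a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_leaked_table(accounts: dict, iterations: int) -> dict:
    """The table an intruder could exfiltrate: email -> (salt, hash).
    Plaintext passwords are never stored, so the attacker has to guess."""
    table = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        table[email] = (salt, derive(password, salt, iterations))
    return table


def dictionary_attack(table: dict, wordlist, iterations: int) -> dict:
    """Offline guessing against every leaked record. Per-user salts rule out
    one shared lookup table, so the cost is records * words * iterations
    hashes. A higher iteration count only raises the price of each guess;
    it never protects a password that is in the wordlist."""
    recovered = {}
    for email, (salt, digest) in table.items():
        for guess in wordlist:
            if hmac.compare_digest(derive(guess, salt, iterations), digest):
                recovered[email] = guess
                break
    return recovered


def login_decision(record, password: str, source_ip: str,
                   known_blocks, iterations: int) -> str:
    """Second layer from the notice: a correct master password alone is not
    enough. From an address outside every block the account has used
    before, the login is held for e-mail validation instead of granted."""
    salt, digest = record
    if not hmac.compare_digest(derive(password, salt, iterations), digest):
        return "deny"
    ip = ipaddress.ip_address(source_ip)
    if any(ip in ipaddress.ip_network(block) for block in known_blocks):
        return "allow"
    return "verify_email"


def demo(iterations: int = 1) -> dict:
    """Crack a constructed leak, then replay a recovered password from an
    unfamiliar address and from a familiar one."""
    accounts = {                                # constructed test accounts
        "alice@example.com": "sunshine",        # in the wordlist
        "bob@example.com": "trustno1",          # in the wordlist
        "carol@example.com": "gX4!qz9#Lw2$Rv7",  # random, not in any wordlist
    }
    table = make_leaked_table(accounts, iterations)
    recovered = dictionary_attack(table, WORDLIST, iterations)
    alice_blocks = ["203.0.113.0/24"]           # constructed "seen before" block
    replay = login_decision(table["alice@example.com"],
                            recovered["alice@example.com"],
                            "198.51.100.7", alice_blocks, iterations)
    home = login_decision(table["alice@example.com"], "sunshine",
                          "203.0.113.42", alice_blocks, iterations)
    return {"recovered": recovered,
            "replay_from_new_ip": replay,
            "from_known_ip": home}


if __name__ == "__main__":
    print(demo(iterations=1))
    print(demo(iterations=100_000))  # same result, far slower per guess
```

Running `demo()` with 1 iteration and with 100,000 iterations recovers the same two dictionary passwords; the slower KDF changes how long that takes, not whether it happens, which is why the notice tells users with dictionary-based passwords to change them rather than relying on the hash. The random 15-character password is not recovered by this wordlist at any iteration count, and the replayed password from an unfamiliar address comes back as `verify_email` rather than `allow`.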
#4
Editor
Join Date: Dec 2008
Location: Space
Posts: 368
At least we know that LastPass is security conscious. It must have been a tough decision with the increased chance that users might switch to another service.
I noticed that they are giving users the option to keep their master password (accepting the risks) after they click to re-enable their account by email. But the default action is to prompt them to change their password.
__________________
Live long and prosper.
#5
Foundation Editor
Join Date: Apr 2008
Location: Planet Earth
Posts: 1,391
My biggest concern would be that they admit they were hacked, and someone was in their system looking at privileged information for the second time in six weeks. If your bank was writing to tell you that, but said it is no big deal, would you not be a little concerned? Of course they are going to use as much PR language as possible, but it was more than just an "anomaly."
They just decided it is necessary to change to a more secure hashing technology too. Which, while it sounds precautionary, also sounds like whoever hacked them knew what to look for, and if they had been successful in and out it could have been very bad.
__________________
The smallest good deed is better than the greatest intention.
#6
Guest
Posts: n/a
http://www.pcworld.com/article/22726...ible_hack.html

Last edited by JohnnyDollar; 06. May 2011 at 02:56 PM.
#7
Senior Member
Join Date: May 2009
Posts: 157
I was actually impressed with their response. They did make quite an effort informing everyone of the issue and then went ahead with implementing mitigating responses; I personally find such management quite appealing and perhaps more trustworthy (though, as with any other password manager and cloud computing, with the associated risks) to be with in the future.
@ ritho: even if the hackers took the data they needed, the issue does not affect those with strong passwords as the password is taken in encrypted form; which is why LastPass has the option to keep their master passwords for people who believe they cannot be brute forced - my master password is gibberish up to 25 characters so I'm not worried. You're right about the risk of placing everything in the cloud, but in terms of password managing, I believe it is still a sound approach if you follow good password creation practices and make ones that are difficult or impossible to brute force.
#8
Copy Editor
Join Date: Sep 2009
Posts: 622
At this point in time I have not heard anything from LastPass, and when I attempted to change my master password I couldn't because of the heavy traffic on their site. In fact, I only found out about the possible hacking from this here thread!
I am glad I have never stored my banking details with them, as this scenario can happen any time hackers put their minds to it. However, I will continue to use LastPass and will change my password ASAP, as I would prefer to err on the side of caution.
__________________
Torres-no-tan-magnifico
#9
Guest
Posts: n/a
Neil Rubenking at PCMAG wrote up a small piece on it.
http://www.pcmag.com/article2/0,2817,2384950,00.asp
#10
Editor
Join Date: Dec 2008
Location: Space
Posts: 368
I also haven't been able to change my password, and every time I launch my browser LastPass is opening a tab requesting me to change it, and then telling me that their site is overloaded.
I believe your master password remains active until you get a chance to change it, as long as you log in from your local machines. It may be a bigger mess for them by the end of it. I always hated their website; it's so overloaded with junk that it barely loads over my connection. Fire the programmer behind that site!
__________________
Live long and prosper.