+Warwagon MVC Posted June 16, 2015 MVC Share Posted June 16, 2015 LastPass officials warned Monday that attackers have compromised servers that run the company's password management service and made off with cryptographically protected passwords and other sensitive user data. It was the second breach notification regarding the service in the past four years. No, cryptographically scrambled passwords are not hard to decode. In all, the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses, LastPass CEO Joe Siegrist wrote in a blog post. It emphasized that there was no evidence the attackers were able to open cryptographically locked user vaults where plain-text passwords are stored. That's because the master passwords that unlock those vaults were protected using an extremely slow hashing mechanism that requires large amounts of computing power to work. "We are confident that our encryption measures are sufficient to protect the vast majority of users," Siegrist wrote. "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed." By contrast, many sites have used extremely fast hashing algorithms that provide minimal protection. Despite the rigor of the LastPass hashing regimen, the job of cracking a single hash belonging to a specific, targeted individual would be considerably less difficult and potentially within the ability of determined attackers, especially if the underlying password is weak. To prevent such attacks, LastPass officials are requiring all users who log in from new devices or IP addresses to first verify their account by e-mail unless they have multifactor authentication enabled. As an added precaution, LastPass is also prompting users to update their master passwords. LastPass users who haven't already done so should strongly consider enabling multifactor authentication. http://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/ Link to comment Share on other sites More sharing options...
trag3dy Posted June 16, 2015 Share Posted June 16, 2015 Update: In an e-mail to reporters, Ars resident password expert Jeremi Gosney said the real-world risks the breach posed to end users was minimal. He based his assessment on the LastPass response to the breach and the system that was in place when it happened. He paid particular attention to the 100,000-round hashing routine, which he said was among the strongest he has ever seen. Gosney, a password security expert at Stricture Group, wrote: Link to comment Share on other sites More sharing options...
+BudMan MVC Posted June 16, 2015 MVC Share Posted June 16, 2015 Check your email How many of millions of users do they have.. Prob takes a bit to get an email to all of them Sikh 1 Share Link to comment Share on other sites More sharing options...
trag3dy Posted June 16, 2015 Share Posted June 16, 2015 I got the email a few hours ago, after I made that post. Link to comment Share on other sites More sharing options...
+Zagadka Subscriber² Posted June 16, 2015 Subscriber² Share Posted June 16, 2015 Glad I removed the data from those sites that I used to use... just don't trust their security in exchange for convenience. Encrypted local is the worst I'll risk. Link to comment Share on other sites More sharing options...
Gabe84 Posted June 16, 2015 Share Posted June 16, 2015 I received their e-mail, should I change my log in credentials? Link to comment Share on other sites More sharing options...
vanx Posted June 17, 2015 Share Posted June 17, 2015 I received their e-mail, should I change my log in credentials? PM them to me, I'll do it for you Link to comment Share on other sites More sharing options...
primexx Posted June 17, 2015 Share Posted June 17, 2015 PM them to me, I'll do it for you hunter2 Link to comment Share on other sites More sharing options...
Taliseian Posted June 17, 2015 Share Posted June 17, 2015 I've used LassPass for a couple of years now. Personally, I like the ability to have them stored in a way I can access them whenever I need. I've also made sure to enable Two-Factor Authentication. Even if someone does get my login name and password, they still would be unable to access my account unless they had access to the Authenticator. I even use Two-Factor for those MMOs that use it and a lot of other places like DropBox that offer it. Just a thought for those who are concerned.... T FunkyMike 1 Share Link to comment Share on other sites More sharing options...
Pupik Posted June 17, 2015 Share Posted June 17, 2015 Never used LassPass. Is it like KeePass? Going to suck if the hackers could use that information. Link to comment Share on other sites More sharing options...
Recommended Posts