Frank B.

LastPass resets passwords following possible hack

18 posts in this topic

LastPass resets passwords following possible hack

Precautionary change-up

Password management system LastPass has reset users' master passwords as a precaution following the discovery of a possible hack attack against its systems.

The move follows the detection of two anomalies (one affecting a database server) on LastPass's network on Tuesday that could be the result of a possible hack attack. LastPass detected that more traffic had been sent from the database than had been received by a server, an event that might be explained by hackers extracting sensitive login credentials, stored in an obfuscated (hashed) format.

The worst case scenario is that miscreants might have swiped password hashes, a development that leaves users who selected easier-to-guess passphrases at risk of brute-force dictionary attacks. Once uncovered, these login credentials might be used to obtain access to all the login credentials stored through the service, as LastPass explains in a blog post (extract below).

If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you; the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute-forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address...

We realise this may be an overreaction and we apologise for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

LastPass's decision to reset passwords as a precaution has made it difficult for some legitimate users to log onto the service again. Tips on re-enabling accounts can be found in a blog post by Chris Boyd, a security researcher at GFI Security, here.

The password-management outfit has taken the possible attack and resulting service disruption as the opportunity to introduce a stronger password hashing system. Although LastPass isn't sure how hackers might have entered its network (if indeed that's what happened), an assault based on an initial break-in via its Voice over IP system is the company's best initial guess as to what might have gone wrong.

This week's security flap at LastPass.com follows a security breach just six weeks ago that created a means to extract the email addresses (though not the passwords) of enrolled users. The two incidents are not thought to be related.

Source: The Register
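As an added illustration (not from The Register article, the LastPass blog, or anyone in this thread), the Python below shows what the article's two points come to in practice: once a hash leaks, a master password drawn from a dictionary can be exhausted offline in a short time; a stronger scheme (per-user salt plus an iterated derivation such as PBKDF2) multiplies the cost of every guess but cannot rescue a keyspace as small as "one English word", whereas a few random words from a word list pushes the worst case out of reach. The iteration counts, word-list sizes and the sample passphrase are assumptions chosen for the example, not LastPass's actual parameters.

```python
"""Cost of guessing a leaked master-password hash: single hash vs. stretched,
dictionary word vs. random passphrase.  Added illustration; every parameter
below is an assumption, not LastPass's real scheme."""
import hashlib
import hmac
import os
import time

# Assumed parameters (constructed for the example; not from LastPass).
LEGACY_ITERATIONS = 1            # one hash pass: the weak end of the scale
STRETCHED_ITERATIONS = 100_000   # an assumed key-stretching work factor
ENGLISH_WORDS = 170_000          # rough size of an English word list (assumption)
DICEWARE_WORDS = 7_776           # size of a standard Diceware word list


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password.  With iterations=1 this is
    close to the plain salted hash the article calls 'obfuscated (hashed)'."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def make_record(master_password: str, iterations: int) -> dict:
    """What a server stores: a per-user random salt, the work factor and the
    derived hash.  The password itself is never kept."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": derive_key(master_password, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """Server-side login check: re-derive with the stored salt and compare in
    constant time so the comparison itself leaks nothing about the stored hash."""
    attempt = derive_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], attempt)


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure the cost of one derivation on this machine.  Whoever holds a
    stolen hash can test candidates offline at roughly this rate per core, so
    this number is the defender's budget."""
    salt = b"constructed-timing-salt"
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"timing-probe-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def exhaustion_seconds(keyspace_size: int, iterations: int) -> float:
    """Worst-case time to try every candidate in a keyspace against one leaked hash."""
    return keyspace_size * seconds_per_guess(iterations)


def keyspace(word_list_size: int, words_chosen: int) -> int:
    """Number of candidates for a passphrase of `words_chosen` random words."""
    return word_list_size ** words_chosen


if __name__ == "__main__":
    # Constructed sample passphrase; not a real credential.
    record = make_record("glacier umbrella tapestry lantern", STRETCHED_ITERATIONS)
    print("login with correct passphrase :", verify(record, "glacier umbrella tapestry lantern"))
    print("login with a dictionary word  :", verify(record, "daffodil"))
    for label, iters in (("single hash", LEGACY_ITERATIONS), ("stretched", STRETCHED_ITERATIONS)):
        one_word = exhaustion_seconds(keyspace(ENGLISH_WORDS, 1), iters)
        four_words = exhaustion_seconds(keyspace(DICEWARE_WORDS, 4), iters)
        print(f"{label:11}: one dictionary word {one_word:>10.1f} s, "
              f"four Diceware words {four_words / 31_557_600:>10.1e} years")
```

The printed table makes the article's advice concrete: stretching turns a sub-second exhaustion of a one-word master password into hours, which is still feasible for an attacker with the hash, while four random Diceware words are out of reach even with the weakest hashing. Choosing the passphrase, not the server's hash function, is what the user controls.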


Exactly why I don't use a service like LastPass. It's all fine and dandy until it gets hacked.


They haven't reset them, otherwise you wouldn't be able to log in, right? You'd have to request a new password instead.

I was having probs logging in via the site, but eventually got in via the Firefox add-on and changed my password.

Why does it take a kick up the arse for companies to improve their security?

http://blog.lastpass.com/2011/05/lastpass-security-notification.html


Exactly why I don't use a service like LastPass. It's all fine and dandy until it gets hacked.

Yea, I've thought of this too. However, I created a LastPass account this week and started to fill it with a few sites I use to try it out, and I think it's really convenient since it fills all login fields automatically, something that KeePass doesn't.


Not good, but I reset my already strong password nonetheless.


I have a strong non-dictionary-based password. I'm not going to have all my passwords in one place and have "password" or "daffodil" as my master pass. :rolleyes:

If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you; the potential threat here is brute-forcing your master password using dictionary words...

LastPass is no different from uploading KeePass to your Dropbox account. It uses strong encryption and as long as you choose a strong password, there's nothing to be worried about.


I made a stupid mistake. I thought the extension was broken on Chrome, so I uninstalled/reinstalled, and now I don't have any passwords locally and of course I cannot log in to change my password, and they offer no reset option.


I made a stupid mistake. I thought the extension was broken on Chrome, so I uninstalled/reinstalled, and now I don't have any passwords locally and of course I cannot log in to change my password, and they offer no reset option.

From LastPass Blog:

Update 3, ~4:30pm EST:

Logging in offline should be working everywhere if you have logged in using that client before. If you're having problems with this, please attempt to log in via the website: https://lastpass.com/?ac=1 That should now take you through an email process to enable your current IP.

If you're having problems getting your data with Pocket, make sure you're selecting to log in to the local file, not logging in at LastPass.com.


Thanks! It's working!


Not working for me


Interestingly enough, I hadn't been able to log in with my original account... created a new account, under a new email address, and it works again. Of course, now I have to re-enter (and change) a s**tload of passwords, but that's okay. XD


Which is why you use KeePass on a local drive instead of LastPass on the cloud.

Local storage that's on a removable drive that you insert only when you need it = WAY more secure than cloud-based LastPass.


Does KeePass automatically enter your user info for websites?


Does KeePass automatically enter your user info for websites?

No, not without a third-party plugin as far as I know.


Which is why you use KeePass on a local drive instead of LastPass on the cloud.

Local storage that's on a removable drive that you insert only when you need it = WAY more secure than cloud-based LastPass.

Of course, KeePass is probably more secure (unless your computer is stolen while you were logged in, etc...). But it is less convenient. I have multiple computers, and it is nice to have my passwords synced across them (and smartphones). Besides, LastPass only has the salted hash of your passwords. Not much of a problem if you have a good master password.


I have a strong non-dictionary-based password. I'm not going to have all my passwords in one place and have "password" or "daffodil" as my master pass. :rolleyes:

Having a YubiKey also helps with the security, although the silly thing is you can just disable the two-factor authentication by sending a verification email :-/

Personally I always think the reliance on your email account for disabling two-factor/resetting stuff is the weakest part of the system.

Saying that, a lot of individual websites will use your email address to reset the password anyway, so it's not that much of a problem; it just means they have to reset one login instead of lots.

Edit:

Ah yes I'm being stupid, you can disable the 2nd authentication factor via confirming an email link but you can't actually reset the master password that way, which makes sense given that they claim not to be able to decrypt your passwords at their end.
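As an added illustration of the design the post above describes (a generic client-side key-derivation pattern, not LastPass's actual implementation or anyone's code from this thread), the Python below derives two separate values from the master password on the client: a vault key that never leaves the device, and a further one-way login hash that the server stores only as a salted verifier. It then shows why an emailed confirmation can flip a server-owned flag such as the second factor, while a server-side reset of the master password only installs a new verifier and leaves the stored vault ciphertext unreadable. The iteration counts, record field names, sample account and the HMAC-in-counter-mode cipher (a confidentiality-only stand-in for a real authenticated cipher such as AES-GCM, which the standard library lacks) are all assumptions.

```python
"""Client-side key split: why the server can verify a login and toggle account
flags but cannot reset the master password into a readable vault.
Added illustration; parameters and field names are assumptions."""
import hashlib
import hmac
import os

# Work factors are assumptions for the example; real deployments use higher counts.
KEY_ITERATIONS = 10_000
SERVER_ITERATIONS = 1_000


def _prf_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in for a real cipher
    (no AES in the standard library).  Confidentiality only; no integrity tag."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _prf_stream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _prf_stream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def client_keys(email: str, master_password: str) -> tuple:
    """Runs on the client only.  vault_key stays on the device; auth_hash is a
    further one-way derivation and is the only password-derived value sent."""
    pw = master_password.encode("utf-8")
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode("utf-8"), KEY_ITERATIONS)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)
    return vault_key, auth_hash


def server_enroll(auth_hash: bytes, vault_blob: bytes) -> dict:
    """Everything the server holds: a salted, stretched verifier of auth_hash,
    the opaque vault ciphertext, and account flags.  No vault_key anywhere."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    return {"salt": salt, "verifier": verifier, "vault": vault_blob, "second_factor": True}


def server_login(record: dict, auth_hash: bytes) -> bool:
    check = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(record["verifier"], check)


def server_disable_second_factor(record: dict, email_link_confirmed: bool) -> bool:
    """An emailed confirmation can change a flag the server owns outright ..."""
    if email_link_confirmed:
        record["second_factor"] = False
    return record["second_factor"]


def server_reset_master_password(record: dict, new_auth_hash: bytes) -> bytes:
    """... but a server-side 'reset' can only install a new verifier (the client
    supplies the new auth hash).  The stored vault ciphertext is still keyed to
    the old vault_key, which the server never had.  Returns the untouched blob."""
    record["salt"] = os.urandom(16)
    record["verifier"] = hashlib.pbkdf2_hmac("sha256", new_auth_hash, record["salt"], SERVER_ITERATIONS)
    return record["vault"]


def demo() -> dict:
    """Enrol, log in, remove the second factor via email, then reset the master
    password, all on a constructed account; returns the observable outcomes."""
    email, master = "user@example.com", "glacier umbrella tapestry lantern"   # constructed
    entry = b"example.org: alice / constructed-demo-password"                  # constructed vault entry
    vault_key, auth_hash = client_keys(email, master)
    record = server_enroll(auth_hash, encrypt(vault_key, entry))
    out = {"login_ok": server_login(record, auth_hash),
           "second_factor_after_email": server_disable_second_factor(record, True)}
    new_key, new_auth = client_keys(email, "password-chosen-after-reset")
    blob = server_reset_master_password(record, new_auth)
    out["new_password_logs_in"] = server_login(record, new_auth)
    out["old_key_reads_vault"] = decrypt(vault_key, blob) == entry
    out["new_key_reads_vault"] = decrypt(new_key, blob) == entry
    return out
```

Running `demo()` gives `login_ok` and `new_password_logs_in` as True but `new_key_reads_vault` as False: the reset succeeds as an account operation and fails as a data operation, which is exactly the asymmetry the post points out. It also shows why the second factor is the weaker control in this design: it is a server-side flag, so whoever controls the email account can remove it, while the vault contents are protected by something the server never stored.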

