LastPass resets passwords following possible hack


Precautionary change-up

Password management system LastPass has reset users' master passwords as a precaution following the discovery of a possible hack attack against its systems.

The move follows the detection of two anomalies, one affecting a database server, on LastPass's network on Tuesday that could be the result of a possible hack attack. LastPass detected that more traffic had been sent from the database than had been received by a server, an event that might be explained by hackers extracting sensitive login credentials, stored in an obfuscated (hashed) format.

The worst case scenario is that miscreants might have swiped password hashes, a development that leaves users who selected easier-to-guess passphrases at risk of brute-force dictionary attacks. Once uncovered, these login credentials might be used to obtain access to all the login credentials stored through the service, as LastPass explains in a blog post (extract below).

If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you; the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute-forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address...

We realise this may be an overreaction and we apologise for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

LastPass's decision to reset passwords as a precaution has made it difficult for some legitimate users to log onto the service again. Tips on re-enabling accounts can be found in a blog post by Chris Boyd, a security researcher at GFI Security, here.

The password-management outfit has taken the possible attack and resulting service disruption as the opportunity to introduce a stronger password hashing system. Although LastPass isn't sure how hackers might have entered its network (if indeed that's what happened), an assault based on an initial break-in via its Voice over IP system is the company's best initial guess as to what might have gone wrong.

This week's security flap at LastPass.com follows a security breach just six weeks ago that created a means to extract the email addresses (though not the passwords) of enrolled users. The two incidents are not thought to be related.

Source: The Register
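To make the risk the article describes concrete, here is an added example (not LastPass's code and not from the article): a constructed per-user salted hash is checked against a toy wordlist under a single SHA-256 and under PBKDF2-HMAC-SHA256 with 100,000 iterations, showing that a dictionary master password is recovered under both schemes while a long random passphrase is not, and how much the slower scheme cuts guess throughput. The wordlist, the sample passphrase and the iteration count are assumptions for the demonstration.

```python
import hashlib
import os
import time
from typing import Callable, Optional, Tuple

# Constructed mini wordlist standing in for a cracking dictionary (assumption, not real data).
WORDLIST = ["password", "letmein", "dafodil", "qwerty", "sunshine", "dragon"]

HashFn = Callable[[str, bytes], bytes]

def fast_hash(password: str, salt: bytes) -> bytes:
    """Single salted SHA-256: cheap per guess, so a leaked hash is cheap to attack."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def store(password: str, hash_fn: HashFn) -> Tuple[bytes, bytes]:
    """What a server keeps: a random per-user salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return salt, hash_fn(password, salt)

def dictionary_check(stored: bytes, salt: bytes, hash_fn: HashFn) -> Optional[str]:
    """Self-audit of one stored hash: is it recoverable from the wordlist? None means not found."""
    for word in WORDLIST:
        if hash_fn(word, salt) == stored:
            return word
    return None

def guesses_per_second(hash_fn: HashFn, samples: int = 10) -> float:
    """Single-core guess throughput, to compare how much the hashing scheme slows guessing."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}", salt)
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    for label, fn in (("sha256", fast_hash), ("pbkdf2-100k", slow_hash)):
        weak_salt, weak = store("dafodil", fn)                                   # dictionary word
        strong_salt, strong = store("correct-horse-battery-staple-2011", fn)    # constructed passphrase
        print(f"{label}: weak -> {dictionary_check(weak, weak_salt, fn)}, "
              f"strong -> {dictionary_check(strong, strong_salt, fn)}")
        print(f"{label}: ~{guesses_per_second(fn):,.0f} guesses/s on one core")
```

The salt stops one precomputed table from covering every user, but it does nothing against guessing a single weak master password; only passphrase strength and a slow derivation function do.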


They haven't reset them, otherwise you wouldn't be able to log in, right? You'd have to request a new password instead.

I was having probs logging in via the site, but eventually got in via the firefox add-on and changed my password.

Why does it take a kick up the arse for companies to improve their security?

http://blog.lastpass.com/2011/05/lastpass-security-notification.html


Exactly why I don't use a service like LastPass. It's all fine and dandy until it gets hacked.

Yea, I've thought of this too. However I created a Lastpass account this week and started to fill it with a few sites I use to try it out, and I think it's really convenient since it fills all login fields automatically, something that KeePass doesn't.


I have a strong non-dictionary based password. I'm not going to have all my passwords in one place and have "password" or "dafodil" as my master pass. :rolleyes:


If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you; the potential threat here is brute-forcing your master password using dictionary words...

LastPass is no different than uploading KeePass to your DropBox account. It uses strong encryption and as long as you choose a strong password, there's nothing to be worried about.


I made a stupid mistake. I thought the extension was broken on Chrome so I uninstalled/reinstalled, and now I don't have any passwords locally and of course I cannot log in to change my password, and they offer no reset option.


I made a stupid mistake. I thought the extension was broken on Chrome so I uninstalled/reinstalled, and now I don't have any passwords locally and of course I cannot log in to change my password, and they offer no reset option.

From LastPass Blog:

Update 3, ~4:30pm EST:

Logging in offline should be working everywhere if you have logged in using that client before, if you're having problems with this please attempt to login via the website: https://lastpass.com/?ac=1 that should now take you through an email process to enable your current IP.

If you're having problems getting your data with pocket, make sure you're selecting to login to the local file, not logging in at LastPass.com.


Interestingly enough, I hadn't been able to log in with my original account....created a new account, under a new email address, and it works again. Of course, now I have to reenter (and change) a s**tload of passwords, but that's okay. XD


Which is why you use KeePass on a local drive instead of LastPass on the cloud.

Local storage that's on a removable drive that you insert only when you need it = WAY more secure than cloud-based LastPass.


Which is why you use KeePass on a local drive instead of LastPass on the cloud.

Local storage that's on a removable drive that you insert only when you need it = WAY more secure than cloud-based LastPass.

Of course, KeePass is probably more secure (unless your computer is stolen while you were logged in, etc...). But it is less convenient. I have multiple computers, and it is nice to have my passwords synced across them (and smartphones). Besides, LastPass only has the salted hash of your passwords. Not much of a problem if you have a good master password.


I have a strong non-dictionary based password. I'm not going to have all my passwords in one place and have "password" or "dafodil" as my master pass. :rolleyes:

Having a YubiKey also helps with the security, although the silly thing is you can just disable the 2-factor authentication by sending a verification email :-/

Personally I always think the reliance on your email account for disabling 2factor/resetting stuff is the weakest part of the system.

Saying that, a lot of individual websites will use your email address to reset the password anyway, so it's not that much of a problem; it just means they have to reset 1 login instead of lots.

Edit:

Ah yes I'm being stupid, you can disable the 2nd authentication factor via confirming an email link but you can't actually reset the master password that way, which makes sense given that they claim not to be able to decrypt your passwords at their end.
