Slashdot Mirror


LastPass Password Service Hacked

Trailrunner7 writes "LastPass, a popular Web based password management firm, advised its customers to change the password they use to access the service following what the company said are signs that its network may have been compromised."

268 comments

  1. KeePass by x*yy*x · · Score: 5, Informative

    KeePass is really the best tool for handling passwords. Open source, crypted database, easy to use (CTRL+B for username to clipboard, CTRL+C for password), contains grouping and generates safe different passwords for every site. It's actually a great example of a well done open source project.

    Using an online service for something like your passwords is just incredibly stupid. It's a really well known place to hack for someone who wants lots of passwords. Backup your encrypted password container to your own place, but never something like this.

    1. Re:KeePass by Anonymous Coward · · Score: 0, Funny

      KeePass is ok, but most of us who are not into shemales prefer Passsword Safe.

    2. Re:KeePass by Anonymous Coward · · Score: 1

      Better that Schneier's PasswordSafe? I've been using that for years...

    3. Re:KeePass by Anonymous Coward · · Score: 1

      I'm a shemale you insensitive clod.

    4. Re:KeePass by Anonymous Coward · · Score: 1

      KeePass is way better than the piece of shit I'm going to recommend to my shemale brethren, but most of us who are into shemales prefer Passsword Safe.

      Fixed that for you.

    5. Re:KeePass by W1sdOm_tOOth · · Score: 1

      I thought I had to use a password for an online service... Hold on, I am lost in the loop.

      --
      If you're not confused, you're not paying attention
    6. Re:KeePass by Anonymous Coward · · Score: 0

      Praystation.

    7. Re:KeePass by rockman_x_2002 · · Score: 1

      I use KeePass primarily because it's the only one I've found for Android that works cross-platform anywhere the way I'd like to use it. KeePass plus a secured DropBox account to keep your password database synced across machines (or databases if you want added security with a secondary password for more private-like info) are an excellent combination. Throw in a key file that you keep locally on your person on either your phone or a small-capacity USB drive kept on a keychain for added security.

      I did look at Password Safe, but at the time there was no Android version and I needed something I could keep on my phone and access my passwords there too. Keepass fits the bill quite nicely.

    8. Re:KeePass by Anonymous Coward · · Score: 0

      You're REALLY recommending Password Safe over Keepass?

    9. Re:KeePass by Anonymous Coward · · Score: 0

      b-folders does the job on Android quite nicely.....

      keep a snapshot of your db in a TrueCrypt encrypted container file
      synched to Dropbox.

      yes - I know that if the pass phrases for any of them are
      week, the whole thing doesn't make sense.

    10. Re:KeePass by theNAM666 · · Score: 1

      Sssh... Sshhthink istssst's ssshhafe?

    11. Re:KeePass by Anonymous Coward · · Score: 0

      Lob your Keepass file into Dropbox, then updates made on your phone get saved back into the cloud and are available everywhere else.

    12. Re:KeePass by GungaDan · · Score: 4, Insightful

      What's a "secured dropbox account?" Didn't we find out last week that Dropbox has the encryption keys to your stuff and will hand it over to pretty much anyone who asks nicely?

      --
      Eloi are stupid, throw morlocks at them!
    13. Re:KeePass by Anonymous Coward · · Score: 0

      http://ubuntuforums.org/archive/index.php/t-208449.html

      #!/bin/bash
      # Derives a per-site password from a master password and a "reason"
      # string (site name, purpose, etc.) using sha1sum. The output is
      # deterministic: same inputs always give the same password.

      echo "Enter the master password"
      read -s MASTPASS

      echo "Enter the reason"
      read -s REASON

      echo "Enter desired number of characters"
      read DESNUM

      echo
      echo "Your random password is:"
      # Quoted so a '*' or '?' in the inputs is not glob-expanded by the shell
      echo "$MASTPASS $REASON" | sha1sum | cut -c1-"$DESNUM"
      echo

      Not massively secure, but obscure enough that it's not low hanging fruit and very simple.

    14. Re:KeePass by MaskedSlacker · · Score: 1

      Some of us don't use windows.

    15. Re:KeePass by phlamingo · · Score: 1

      I went to LastPass because KeePass wouldn't read my stored passwords directly from FireFox settings.

      --
      I had forgotten how much cooler teenagers look when they are smoking. Oh, wait ...
    16. Re:KeePass by x*yy*x · · Score: 2

      KeePass password container is encrypted itself, so that shouldn't be a problem.

    17. Re:KeePass by starsky51 · · Score: 1

      Maybe I'm paranoid, but I really don't like copying passwords to the clipboard. I'd much prefer some kind of automatic key pressing function.

      --
      There are 2 types of people in this world. Those who understand ternary and those who don't.
    18. Re:KeePass by Anonymous Coward · · Score: 0

      Or you can just stick your elbow into the keyboard a few times.

    19. Re:KeePass by somersault · · Score: 1

      Ahem.

      Hint: try scrolling down. It's probably already in the repository for your distro if you use Linux.

      --
      which is totally what she said
    20. Re:KeePass by x*yy*x · · Score: 1

      Well, most people type in their passwords so that is what viruses are looking for. Yeah, it's not really hard to implement something that looks for clipboard too, but it always helps being in the minority when it comes to computer security. Just like with Mac and Linux.

    21. Re:KeePass by Anonymous Coward · · Score: 0

      KeePass can use random combinations of copy-paste and virtual keyboards (clipboard for three characters, then type two, then clipboard for one more, then an onscreen-keyboard sort of thing for the next five). If you're afraid of keyloggers or clipboard loggers, this'll beat most of them.

    22. Re:KeePass by Anonymous Coward · · Score: 0

      Well, if you are willing to use mono, it works pretty well with Linux.

    23. Re:KeePass by FrankSchwab · · Score: 1
      --
      And the worms ate into his brain.
    24. Re:KeePass by Anonymous Coward · · Score: 0

      A secured dropbox account is one in which you have created a TrueCrypt volume, which Dropbox does not have the key to.

    25. Re:KeePass by RobDude · · Score: 1

      If you think KeePass isn't vulnerable to attacks you just aren't being creative enough.

    26. Re:KeePass by Anonymous Coward · · Score: 0

      If you can't trust your clipboard, you have already lost the game.

    27. Re:KeePass by migla · · Score: 1

      Is there something wrong with

      sudo apt-g[TAB] i[TAB] pwgen
      pwgen

      ?

      --
      Some of my favourite people are from th US; Vonnegut, Chomsky, Bill Hicks.
    28. Re:KeePass by Agent0013 · · Score: 1

      Plus there is a KeePass for Android. It reads the same database as the PC version, so it is easy to migrate back and forth. It's called KeePassDroid.

      --

      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
    29. Re:KeePass by gfreeman · · Score: 1

      FUCK YOU, I just lost the game :(

      --
      Ceci n'est pas un sig.
    30. Re:KeePass by Anonymous Coward · · Score: 0

      Yeah, but on the other hand, LastPass is equally encrypted... It's not that different from a nice integration of KeePass + Dropbox.

    31. Re:KeePass by Anonymous Coward · · Score: 0

      I went to LastPass because KeePass wouldn't read my stored passwords directly from FireFox settings.

      There are plugins for that. Firefox's password storage is replaced entirely by KeePass on my setup. With that and Dropbox, I get synced passwords for everything everywhere I go, including my mobile phone, and passwords from Firefox are easily available even if I don't have Firefox available (unlike Sync).

    32. Re:KeePass by superswede · · Score: 1

      Maybe I'm paranoid, but I really don't like copying passwords to the clipboard. I'd much prefer some kind of automatic key pressing function.

      From http://keepass.info/help/v2/autotype_obfuscation.html:

      "The Auto-Type feature of KeePass is very powerful: it sends simulated keypresses to other applications. This works with all Windows applications and for the target applications it's not possible to distinguish between real keypresses and the ones simulated by Auto-Type. This at the same time is the main disadvantage of Auto-Type, because keyloggers can eavesdrop the simulated keys. That's where Two-Channel Auto-Type Obfuscation (TCATO) comes into play.

      TCATO makes standard keyloggers useless. It uses the Windows clipboard to transfer parts of the auto-typed text into the target application. Keyloggers can see the Ctrl-V presses, but do not log the actual contents pasted from the clipboard.

      Clipboard spies don't work either, because only parts of the sensitive information is transferred on this way.

      Anyway, it's not perfectly secure (and unfortunately cannot be made by theory). None of the currently available keyloggers or clipboard spies can eavesdrop an obfuscated auto-type process, but it is theoretically possible to write a dedicated spy application that specializes on logging obfuscated auto-type."

    33. Re:KeePass by PNutts · · Score: 3, Funny

      yes - I know that if the pass phrases for any of them are
      week, the whole thing doesn't make sense.

      My pass phrase is month which is four times as strong.

    34. Re:KeePass by maxume · · Score: 1

      If you are accessing passwords on hardware that you do not trust, you are not being paranoid.

      --
      Nerd rage is the funniest rage.
    35. Re:KeePass by dloose · · Score: 2

      The extra S is for shemale

    36. Re:KeePass by icebike · · Score: 1

      I use KeePass primarily because it's the only one I've found for Android that works cross-platform anywhere the way I'd like to use it.

      There are quite a few that do this. mSecure (from mSeven software) works on Android, iPhone, Windows, Mac, and allows you to sync all your devices with your own computer.

      It will also support backup and restore to any regular file, and the database is encrypted. So your drop box plan continues to work.
      It is password protected rather than key-file protected. You may argue the wisdom of that, but too often the keyfile approach fails because those get stored on the same device.

      --
      Sig Battery depleted. Reverting to safe mode.
    37. Re:KeePass by Rich0 · · Score: 1

      Really? I use Linux - the Chrome OS distro. Didn't notice it available for that...

    38. Re:KeePass by izomiac · · Score: 2

      IMHO, it's better to never write them down and just generate them algorithmically based on the site's domain or a memorable keyword. Several years ago I just kept a tabula recta in my wallet. Nowadays, you can use something like SuperGenPass.

      Personally, I wrote my own equivalent of SuperGenPass that addresses some of the security concerns. That said, I use PassPack with a tediously strong password to keep a backup in case I inadvertently break compatibility, and a copy of the generator on my website.

    39. Re:KeePass by Radhruin · · Score: 1

      They will only get lots of passwords from people who are foolish enough to select a brute forcible password as their master. Picking a simple master password is stupid. Storing encrypted data on the internet isn't necessarily stupid.

      Not to mention, if you generate random passwords for every service, it's not much labor to just go ahead and generate new ones when situations like this occur. All LastPass clients automatically update to use the new passwords, no big deal.

      IMO the convenience of having a central password repository outweighs the dangers. It's a risk, certainly, but not a big one, as long as you have a sane master password.

    40. Re:KeePass by blop · · Score: 2

      PasswordSafe has less functionality than KeePass except that there is a compatible command line client for it (pwsafe).

      I often use pwsafe from a remote shell and I would switch to a KeePass database if I could find a CLI for it...

    41. Re:KeePass by mlts · · Score: 1

      You could do a `dd if=/dev/random bs=1 count=256` in there somewhere for some cryptographically secure entropy as well.

    42. Re:KeePass by blueg3 · · Score: 1

      I'm not sure you appreciate the meaning of the word "random". That's not random at all.

    43. Re:KeePass by Anonymous Coward · · Score: 0

      That's pretty stupid for several reasons. apt-get install makepasswd.

    44. Re:KeePass by Anonymous Coward · · Score: 0

      And what about the non-mono version?

    45. Re:KeePass by Anonymous Coward · · Score: 0

      You may not understand how Lastpass works. All the hackers can acquire by hacking them is a large amount of pseudorandom noise, all of the passwords are hashed using a private key on the users system.

    46. Re:KeePass by icebike · · Score: 1

      Well, on Windows (and perhaps Linux as well), any character put into the keyboard message loop is widely available to any application. Key loggers can get these as well, because they are simply messages, which every process can eavesdrop on. (Which is how key-loggers usually work, even the hardware ones).

      --
      Sig Battery depleted. Reverting to safe mode.
    47. Re:KeePass by starsky51 · · Score: 1

      That is really slick. We're using KeepassX in work, which doesn't have the Autotype feature. I'd always assumed it was on par with the standard version. Time to switch!
      Thanks.

      --
      There are 2 types of people in this world. Those who understand ternary and those who don't.
    48. Re:KeePass by Anonymous Coward · · Score: 0

      Then stop being a retard and download it directly.

    49. Re:KeePass by Opyros · · Score: 1

      I thought I saw just such a thing on Freshmeat recently — yes, here it is. It appears to need some Perl libraries which aren't available everywhere, though.

    50. Re:KeePass by praxis · · Score: 1

      Yes, it's *probably* already in the repository for your distro if you use Linux. If it's not, why not contribute it?

    51. Re:KeePass by nabsltd · · Score: 1

      There are quite a few that do this.

      But, I believe KeePass is the only Android password manager that is both open source and no cost.

    52. Re:KeePass by schlesinm · · Score: 1

      I use LastPass because I want access to my passwords at work and Dropbox is blocked. LastPass does the same thing as KeePass+Dropbox, and I can access it from anywhere.

    53. Re:KeePass by Rich0 · · Score: 1

      Sure - just provide me a link.

      Hint, it doesn't exist. At least, not to my knowledge. Chrome OS only supports running chrome-based applications and extensions, and Keepass is neither.

    54. Re:KeePass by Rich0 · · Score: 1

      Simple - the only repository that exists for Chrome OS is the Google Web Store. It only supports Chrome applications or extensions, and Keepass has not been implemented as a Chrome application or extension. You don't need to use the Web Store, but Chrome OS still only runs Chrome applications or extensions.

      Lastpass is available as a Chrome extension, and works just fine.

    55. Re:KeePass by Jahf · · Score: 1

      Except I can keep my KeePass master password completely separate from my DropBox password. Yes, LastPass is forcing you to change your master password, but until you do that, you are exposed. If someone gets my DropBox password then all they have access to is my encrypted KeePass file.

      So long as you memorize your KeePass and DropBox passwords, and make sure they are completely unrelated to each other, you are doing better (imo) than LastPass. Additionally you can add the step (as mentioned above) of having a local auth file for KeePass (meaning you need to have a copy of that file AND know the password).

      --
      It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
    56. Re:KeePass by Anonymous Coward · · Score: 0

      Since you are using something that has not been shipped yet, why don't you STFU and try compiling the source?

    57. Re:KeePass by ZerothAngel · · Score: 1

      I guess the main benefit of the GP's method is that you won't actually need a "safe" to store your passwords. You can re-generate the same password anytime, anywhere, as long as you remember the master password and "reason."

      However, a problem with this implementation is that generated passwords will be hexadecimal only. Not really much entropy per character there (4 bits vs. 6.5x bits for all ASCII printable chars). Just extend the generated password length, I guess.

      Personally, I'd use HMAC-SHA-256 or HMAC-SHA-512 or something. Then derive the password from the hash using as many characters as allowed, i.e. alphanumeric or alphanumeric + symbols, etc. I guess something like that might not be easily expressible in a shell script, though. But hey, that's why we have other scripting languages. (Python comes to mind, since hashlib and hmac are part of the base system.)

      But yeah, as someone else pointed out, "random" is not the right word for this.
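      The derivation ZerothAngel sketches, written out as an added example (not code from any poster, nor from KeePass or SuperGenPass): HMAC-SHA-256 keyed with the master password, the "reason"/site string as the message, and the digest mapped onto an alphanumeric-plus-symbols alphabet instead of hex. It also includes a replica of the sha1sum one-liner from the earlier Anonymous Coward post so the two can be compared on bits per character. The alphabet, the `generation` rotation counter (so one site's password can be changed without changing the master, a generalisation beyond the post) and all function names are this example's own assumptions.

```python
import hashlib
import hmac
import math
import string

# Constructed alphabet (assumption): letters, digits and a handful of symbols.
# 74 symbols gives about 6.2 bits per character versus 4 bits for hex.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def _keystream(key: bytes, msg: bytes):
    """Yield an unbounded byte stream: HMAC-SHA-256(key, msg || counter).

    A 32-bit counter is appended to the message so that more than one
    digest can be produced when the requested password is long (this is
    the expand step of HKDF in spirit, not a call to a library HKDF).
    """
    counter = 0
    while True:
        counter += 1
        block = hmac.new(key, msg + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        yield from block


def derive_password(master: str, site: str, length: int = 16,
                    generation: int = 0, alphabet: str = ALPHABET) -> str:
    """Deterministically derive a per-site password from a master password.

    `site` plays the role of the shell script's "reason". `generation` is a
    hypothetical rotation counter: bump it when one site's password must be
    changed, and only that site's output changes.
    """
    if not 2 <= len(alphabet) <= 256:
        raise ValueError("alphabet must have between 2 and 256 symbols")
    key = master.encode("utf-8")
    msg = f"{site}\x00{generation}".encode("utf-8")
    # Rejection sampling: discard bytes >= limit so that b % len(alphabet)
    # is uniform rather than biased towards the low indices.
    limit = 256 - (256 % len(alphabet))
    out = []
    for b in _keystream(key, msg):
        if b < limit:
            out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                break
    return "".join(out)


def hex_sha1_password(master: str, reason: str, length: int) -> str:
    """Replicate `echo "$MASTPASS $REASON" | sha1sum | cut -c1-N`.

    echo appends a newline, so it is included in the hashed input.
    """
    digest = hashlib.sha1(f"{master} {reason}\n".encode("utf-8")).hexdigest()
    return digest[:length]


def bits_per_char(alphabet_size: int) -> float:
    """Entropy per output character for a uniformly chosen alphabet symbol."""
    return math.log2(alphabet_size)


def total_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password of `length` uniform symbols, capped by the
    256-bit HMAC output (the derivation cannot exceed its source entropy)."""
    return min(length * bits_per_char(alphabet_size), 256.0)


if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    master, site = "correct horse battery staple", "example.invalid"
    print("hex sha1 (8 chars):", hex_sha1_password(master, site, 8),
          f"~{total_bits(8, 16):.0f} bits")
    print("hmac-sha256 (16 chars):", derive_password(master, site),
          f"~{total_bits(16, len(ALPHABET)):.0f} bits")
    print("after rotation:", derive_password(master, site, generation=1))
```

      The rejection-sampling step matters: mapping a byte onto 74 symbols with a bare modulo would make the first 34 symbols appear more often than the rest, which is exactly the kind of bias a password-cracking tool can exploit. The counter-suffixed keystream keeps the derivation well defined for any requested length.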

    58. Re:KeePass by Anonymous Coward · · Score: 0

      "works on Android, iPhone, Windows, Mac"

      Missing an important one there... Take a guess...

    59. Re:KeePass by Anonymous Coward · · Score: 0

      I don't think you understand what brute force means. ALL passwords can be brute forced, given enough time and iterations. That's why lock out is important. As I have read, lock out after 100 attempts as opposed to 3 is better. Statistically speaking, brute force will not crack a password in 100 attempts. A user will give up trying well before 100. So if your logs show 100 attempts, you have a definitive hack attempt.

    60. Re:KeePass by rjstanford · · Score: 4, Funny

      I use LastPass because I want access to my passwords at work and Dropbox is blocked. LastPass does the same thing as KeePass+Dropbox, and I can access it from anywhere.

      And now, apparently, so can everybody else! That is convenient.

      --
      You're special forces then? That's great! I just love your olympics!
    61. Re:KeePass by Anonymous Coward · · Score: 0

      Chrome OS is a very nonstandard Linux OS and you know it. If you wanted security you wouldn't be using Google's own OS anyway, so please quit trolling.

    62. Re:KeePass by deroby · · Score: 1

      You mean that I would have to remember like 2 passwords ???
      Oh, come on, what is this ?? The middle ages ???

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
    63. Re:KeePass by Anonymous Coward · · Score: 0

      ./configure, make && sudo make install not working for you?

    64. Re:KeePass by scragz · · Score: 1

      Looks like you just found out the big problem with Chrome OS. You barely run Linux then, in the sense of being a distro that has WILDLY different build requirements from all other desktop distros. It's almost like saying, "Sure I run Linux, the DD-WRT distro, just give me a link".

    65. Re:KeePass by Pieroxy · · Score: 2

      "works on Android, iPhone, Windows, Mac"

      Missing an important one there... Take a guess...

      BeOS ?

    66. Re:KeePass by metamatic · · Score: 1
      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    67. Re:KeePass by Mike+Van+Pelt · · Score: 1

      I've used both pwsafe and KeePass... I never cared for KeePass, and had just moved all my passwords back to pwsafe when I found out about LastPass, got convinced it was "secure enough" by Steve Gibson, and never looked back.

      The big deal for me at the time, once past the "secure enough" thing, was that pwsafe was Windows only. KeePass did not have a means of syncing passwords that might be changed on multiple machines. Even with pwsafe, I had to carry my database around and sync it with my other machines by hand, and they were constantly getting out of sync.

      LastPass keeps passwords up to date on every machine you use it on. It's just about every platform -- every platform I have wanted to use it on, anyway; Windows, Mac, Linux, Android.

      I don't see any reason to give up on them due to this -- they seem to me to be acting with an excess of paranoia. (Not that there's anything wrong with that, given their product... nothing wrong with it at all.) And I certainly do not have a password that would easily be brute-forced -- annoyingly long, with numbers, mixed case, and punctuation.

      Dang, I sure hope they figure out this was a false alarm and rescind the "you must change your password" thing. I spent a lot of time working on this very secure password that I won't forget.

    68. Re:KeePass by Anonymous Coward · · Score: 0

      "Some of us don't use windows."
      That's a pity...

    69. Re:KeePass by MagusSlurpy · · Score: 1

      No it's not, with five letters it's only 25% stronger.

      --
      My sister opened a computer store in Hawaii. She sells C shells by the seashore.
    70. Re:KeePass by luder · · Score: 1

      I'm very happy with KeePass. It enabled me to have a poor man's authentication token:

      Instead of using a password to unlock the database, I use a key file stored in an SD card. I mapped one of my laptop's multimedia buttons to the hot key that triggers the global auto-type feature, so that when I need to authenticate somewhere I just have to press that button and hit enter to unlock the database. The authentication is done automatically and the database stays unlocked for 5 minutes. When I leave the computer I take the card with me and when I get back all I need to do is insert it again. Pretty cool.

      This system makes it tolerable to use a master key in Firefox and Thunderbird.

      I keep the most important passwords (homebanking, for example) in a different database, requiring both a key file and a password to unlock it.

    71. Re:KeePass by Anonymous Coward · · Score: 0

      Well, the attacker has to break in into every single keepassx database, one by one. After he somehow managed to get the database from the user.
      That's somewhat different than hacking a single website.

    72. Re:KeePass by heypete · · Score: 1

      Woosh.

    73. Re:KeePass by Anonymous Coward · · Score: 0

      Double 'e' is not as strong as two different letters, and a random string of five letters would be stronger than an English word of five.

    74. Re:KeePass by Runaway1956 · · Score: 1

      Welcome to the cloud. You're meant to be lost. All your data are belong to us now, don't worry!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    75. Re:KeePass by airjrdn · · Score: 1

      What do you do when a site gets hacked and your algorithm can no longer be used there? How do you remember that siteA now uses algorithm 2, etc.?

    76. Re:KeePass by syousef · · Score: 1

      No it's not, with five letters it's only 25% stronger.

      You missed the joke. A month is 4 weeks hence the claim of it being 4 times as strong.

      --
      These posts express my own personal views, not those of my employer
    77. Re:KeePass by Vrtigo1 · · Score: 1

      KeePass has worked very well for me. I am a network engineer and I started using it to store all of our various IT passwords, now we have a single KeePass db stored on a secure folder on a server that all of our IT admins use to keep track of passwords. It works great. The only complaint I have is that the version we're using doesn't seem to actually close the file when you close the app. The next time you open the same db, you get a warning that the file is already open. You can just tell it to assume ownership of the file, but it's still an annoyance. This may have been fixed in a more recent version, but I haven't had time to check and subsequently upgrade everyone else using it.

    78. Re:KeePass by izomiac · · Score: 1

      You're right in that it's annoying. One has three options: change the master password for just that site, change it for all sites ahead of schedule, or, for my algorithm, change the initialization vector. That's a shortcoming of the algorithmic approach, so a hybrid approach with non-encrypted site-specific settings might be useful.

    79. Re:KeePass by adolf · · Score: 1

      TrueCrypt+Dropbox is handy, but doesn't work with my Droid.

      The whole point, for me, of storing passwords remotely to begin with is so I can easily get to them remotely. If I were no longer interested in that, I think I'd just go back to using local storage for such things.

    80. Re:KeePass by Anonymous Coward · · Score: 0

      Just because it isn't included in the distro does not mean you can't download it and run it.

      You can run it on Linux with Mono installed. Look at the supported operating systems [http://keepass.info/download.html]

    81. Re:KeePass by MagusSlurpy · · Score: 1

      I was being droll.

      --
      My sister opened a computer store in Hawaii. She sells C shells by the seashore.
    82. Re:KeePass by JSBiff · · Score: 1

      Chrome OS isn't Linux in the usual sense. It's an extremely, extremely stripped down version of Linux with virtually all of the normal userspace tools removed. You choose to use that, and you get stuck with that choice. Please don't ever again complain about something not being available for Linux because it's not on Chrome OS or I will find your car and put dead fish in the trunk. *grin*

      That said, I wouldn't be too terribly surprised if someone could come up with an html+javascript implementation of Keepass. It's open source and the file format and algorithms are documented.

      In any case, for just about every remotely common platform which allows real apps to be installed, there's an implementation of KeePass. If you use Chrome OS, you should be used to not having anything available for your platform.

    83. Re:KeePass by Anonymous Coward · · Score: 0

      I was trying to set this up for a friend that uses a Mac only to find that it won't copy and paste properly. What a pita IMO.

    84. Re:KeePass by Professor_UNIX · · Score: 1

      Use KeePassX instead. (http://www.keepassx.org/). It is open source and doesn't require the lame-brain mono crap.

    85. Re:KeePass by Unequivocal · · Score: 1

      I use passwordsafe in Ubuntu via Wine and it works just fine. The only thing that doesn't work is autotyping, which is sad but not that bad. Performance is fine.

      I sync my Ubuntu and Windows machines via SpiderOak, so that when I make changes to pwsafe on one machine, the changes show up on the other machine when I log in there. Whole system works pretty well, and since SpiderOak uses zero prior knowledge encryption, it would be fairly hard for someone to hack the cloud version of my pwsafe database as well.

    86. Re:KeePass by dudpixel · · Score: 1

      I thought chrome OS was built on ubuntu?

      in any case, you're actually just showing that chrome OS has limitations. we all knew that from the start. Most of us use lots of software, not just a browser. Chrome OS is not designed to replace all our stuff, it's a fairly web-purposed OS, and is designed for a fairly specific use-case.

      I think we'll see it merged with Android before long... in order to satisfy the "non-web" apps requirement of all current OSes.

      --
      This seemed like a reasonable sig at the time.
    87. Re:KeePass by dudpixel · · Score: 1

      windows is a mess. always has been.

      case in point - install it on someone's pc, then come back 6 months later and see if it isn't full of crap, running slower, and even carrying a few trojans and other undetected crap.

      Sure, it works, but it lacks polish. These days windows 7 (and likely 8) is just a nice skin on top of years of legacy crap - which was all designed for the way things worked 16+ years ago.

      Have a look at the install/uninstall mechanisms - there still isn't a standard way to do it, and it just relies on a lot of goodwill from app developers to do things right.

      I realise that means more freedom to the developer but at some point we have to accept that software quality and developer freedom are somewhat incompatible goals.

      Try showing someone how to use windows, and before long you'll find yourself telling them "I don't know why it does that, but if you keep trying it'll work the 2nd or 3rd time" and such things. We get used to the shortcomings and work around them, and somehow people still think windows is good. It's not - it's just that we don't have a better solution, and no, buying a more expensive computer with a completely different interface is not necessarily a solution for most people.

      --
      This seemed like a reasonable sig at the time.
    88. Re:KeePass by Anonymous Coward · · Score: 0

      I'm a clod you insensitive shemale.

      And leave sensitive hefemales in soviet russia.

    89. Re:KeePass by Anonymous Coward · · Score: 0

      It's a lot harder to attack something that's stored offline

    90. Re:KeePass by Richard_at_work · · Score: 1

      No, we didn't "find out last week", it was always known that Dropbox did centralised encryption - it was only the idiots that came to that realisation "last week", every other user with a hint of intelligence knew it from the moment they signed up to the service.

      It was yet another example of news by stupid, for stupid.

    91. Re:KeePass by Anonymous Coward · · Score: 0

      It's a "boss jockey dropsy".

    92. Re:KeePass by grahamtriggs · · Score: 1

      Using an online service is not incredibly stupid - it's a managed risk.

      Yes, it is possible for someone to hack it and retrieve data - but as long as they are doing it the right way, and you choose a strong master password that is hard to brute force, it's incredibly difficult for anyone to do anything useful with it.

      And, on the basis that the online service has been implemented correctly, it's far, far more likely that someone will break in and retrieve usable data from the myriad of services that you might sign up to.

      So whilst there is a risk, it's still the most secure you can be without sacrificing the convenience of being able to access your hard-to-remember passwords for a wide range of services from any machine with internet access.

      And for a few of the most key services, you could always take the radical approach of not storing those details in the management service, and, you know, remember them.

    93. Re:KeePass by Rich0 · · Score: 1

      That would be because there isn't any source for a Chrome extension - you'd have to rewrite most of the application. Or, just use a different one.

    94. Re:KeePass by keitosama · · Score: 1

      Lastpass is available as a Chrome extension, and works just fine.

      Except if you care about securing your passwords, apparently.

    95. Re:KeePass by Rich0 · · Score: 1

      Uh, half of the point of Chrome OS is security. It uses secure boot and full disk encryption, with different accounts encrypted separately.

      My point is that I have a problem - I'd like to use lots of random passwords and sync them across all my devices. One of them runs Chrome OS. Keepass does not meet my requirements, and Lastpass does. That's why I use Lastpass.

      I'm under no illusions that Lastpass is perfect - but it seems to be the best option I have. The alternative is to re-use passwords which seems to be a worse option.

      If Keepass were available for Chrome I'd be pretty likely to use it.

    96. Re:KeePass by Rich0 · · Score: 1

      Uh, Chrome does not support X11 applications, so no. :)

      You would need to re-write the code as a Chrome extension.

    97. Re:KeePass by Rich0 · · Score: 1

      Looks like you just found out the big problem with Chrome OS. You barely run Linux then, in the sense of being a distro that has WILDLY different build requirements from all other desktop distros. It's almost like saying, "Sure I run Linux, the DD-WRT distro, just give me a link".

      Well, I knew about that problem going in. However, it doesn't change the fact that Keepass doesn't meet my requirements. Otherwise I love the platform and it would probably be my first choice.

      Chrome integration is a must, and that means I'll have to wait until somebody ports it, or do it myself. I prefer to work on other projects, so I use Lastpass in the meantime...

    98. Re:KeePass by Rich0 · · Score: 1

      Chrome OS does not support Mono, and it does not support running native code or X11-based applications locally. In theory it will support them running remotely at some point in time.

      Keepass would need to be ported to a 100% pure Chrome extension to work on Chrome OS. That's just the nature of the beast - it is like an Android or iOS phone - completely different API from any other desktop OS and applications need a fair amount of rewriting to support it.

      I guess the ultimate testimony to the failure of Java is that we've had about 3-5 new major OSes launched in the last two years and none of them run binaries that run on other platforms, although half of them run apps primarily written in a derivative of Java.

    99. Re:KeePass by Rich0 · · Score: 1

      Of course I'm used to it. :)

      But, that's why I don't use Keepass. My initial problem was figuring out a way to sync passwords with my Chrome-based laptop. Previously I just kept them in a gpg-protected text file on a single server that I'd NX into.

      I looked at Keepass before using Lastpass precisely for the reasons that everybody likes it. The problem is that it didn't meet my requirements, and Lastpass does.

      When somebody eventually ports it I'm sure I'll end up running it. My point was that Keepass isn't a solution for everybody, even if it is a solution for 99% of everybody. I'm pretty accustomed to being part of that 1% though, and many other Slashdotters probably are as well.

      Hey - if all I cared about was availability of apps I'd probably be running Windows.

    100. Re:KeePass by Rich0 · · Score: 1

      I thought Chrome OS was built on Ubuntu?

      Believe it or not it is based on Gentoo. :) Not that you'd recognize it. However, it isn't a surprising choice as Gentoo is an ideal starting point if you want to completely change things up since it is a bit like Linux From Scratch but with more tools for maintenance. You can completely strip out just about anything from it.

      In any case, you're actually just showing that Chrome OS has limitations. We all knew that from the start. Most of us use lots of software, not just a browser. Chrome OS is not designed to replace all our stuff; it's a fairly web-purposed OS, and is designed for a fairly specific use-case.

      I think we'll see it merged with Android before long... in order to satisfy the "non-web" apps requirement of all current OSes.

      True, but password syncing in the browser is a major feature. I prefer Lastpass to Chrome's own password syncing, since it is more cross-platform, and also because it completely ignores the don't-cache-passwords setting on most websites. I've gone looking for the relevant lines of the chromium source to disable that feature but none of my attempts have worked thus far. What good is a password syncing service if websites can disable it - of course any web admin doesn't want you saving your password. Good users always pick different random passwords for every site and don't write them down. Alas, such users don't exist and won't until we're cyborgs with Keepass embedded in our brains, at which point somebody will still want to disable password caching in our brains.

      I wouldn't be surprised to see Android merge at some point - not the whole OS, but perhaps the ability to install android apps as chrome apps. They use a similar trust model/etc.

    101. Re:KeePass by Rich0 · · Score: 1

      What is my alternative? I can't run Keepass, so my next best option is to just pick a few passwords and re-use them on many sites. Now instead of having to hack the site of the super-paranoid Lastpass admins who notify people when there is even a hint of intrusion, they just have to hack any one of my more important sites and they can access all the others.

      If I'm aware of the Lastpass breach I can go ahead and change my passwords - almost certainly in less time than it takes to access my passwords.

      I don't use Lastpass for my most critical accounts, either.

    102. Re:KeePass by Anonymous Coward · · Score: 0

      I have been using this for about six months; works well .. but THANK YOU for spelling out the shortcut keys, it will save me a lot of time.

    103. Re:KeePass by JSBiff · · Score: 1

      Fair enough.

    104. Re:KeepAss by formfeed · · Score: 1

      Not sure I would trust a program called KeepAss.

    105. Re:KeePass by Anonymous Coward · · Score: 0

      You are inviting the fallacy that since perfect security is impossible, security is pointless. Sure it's vulnerable to key loggers, social engineering, clipboard attacks, and possibly things like swap or temp file harvesting - but it still beats notepad.exe or a sticky note.

    106. Re:KeePass by WuphonsReach · · Score: 1

      Easier is to just put the credentials inside a text file where the contents are encrypted with your GPG key. Since it's plain text and encrypted, you can email copies to your personal account, print out a copy for the safe deposit box, or stuff it into any backup system. Heck, I store them in SVN so that I can synchronize the password folder across multiple machines.

      Nothing complicated. No proprietary software. GPG is cross-platform, and PGP can fill in if needed, and it's worked for decades.

      The only question is how many passwords you put in a single text file and whether you allow the filenames to reflect what site the contents are associated with.

      The alternative is keeping passwords inside an encrypted TrueCrypt (or other disk encryption) container, but when the container is open, all of the passwords are vulnerable.

      --
      Wolde you bothe eate your cake, and have your cake?
    107. Re:KeePass by WuphonsReach · · Score: 1

      Consider simply switching to files where the contents are encrypted with your GPG key. Store the files in a version control system, and use that to synchronize across multiple machines. (I generally do 1 site per file, but I don't care whether the site names are known.)

      The other advantage is that you can share credential files with other users by encrypting to multiple GPG keys. In a small shop with only a handful of people who need to know an admin password, you can just encrypt the file containing the password with everyone's GPG keys.

      --
      Wolde you bothe eate your cake, and have your cake?
    108. Re:KeePass by hobarrera · · Score: 0

      And those of us who use *nix, use KeePassX

    109. Re:KeePass by hobarrera · · Score: 0

      It's not unusual that you CAN'T install software in an OS that's NOT general purpose. I can't install keepass on dd-wrt either.

    110. Re:KeePass by hobarrera · · Score: 0

      It uses the Linux kernel, but it's not a GNU/Linux distro. Note "GNU/", which is usually omitted when speaking about GNU/Linux.

    111. Re:KeePass by MaskedSlacker · · Score: 1

      Why? It doesn't do what I need: perl/python out of the box and full git functionality (I'd add a simple cli cron job system but I've recently been told there's a windows 'at' command that does this). If it doesn't serve my needs why would I use it?

      I see no need to get into an OS flame war--it doesn't meet my needs. So why would I use it?

    112. Re:KeePass by MaskedSlacker · · Score: 1

      I'm looking at it, and I like it. I just wish it integrated into my browser. There's also the portability/syncing issue: I can set up LastPass on any computer I happen to be using in a matter of minutes, no dice if I don't have my keepass database on a filesystem readable by the computer system I'm using atm (all my external hdds are ext4 with full disk encryption).

      The reality is that LastPass is an order of magnitude more convenient, and, having looked deeper into their implementation due to today's issue, I don't buy that it's that big an issue. They don't store decryption passwords at all. For recovery they store (based on the admittedly vague description on their account recovery site) a keyfile on your local computer (not cloud) to decrypt a separately encrypted backup copy. They don't keep the keyfile for you. If you don't have the master password or that recovery keyfile there is no recovering your account because they cannot decrypt it. Assuming they're being honest about all of this, I fail to see how that isn't secure enough for anyone other than a Chinese dissident (I could say or Al Qaeda terrorist, but I don't want to Godwin the point. There are legitimate reasons to be THAT paranoid, but they don't apply to me, or 99% of everyone else).

      How is LastPass any different from storing your keepass database in your DropBox container? I honestly don't see a difference in actual security (again, assuming LastPass is being honest about their implementation), and LastPass is HUGELY more convenient.

    113. Re:KeePass by Rich0 · · Score: 1

      Sure, but if you're running such an OS, you need an alternative - like Lastpass.

      As I've posted elsewhere, for various reasons Keepass would have been my first choice - but it just wasn't a choice for me.

    114. Re:KeePass by wwphx · · Score: 1

      Thank you for this info. I used CryptoPad for the Palm that provided an encrypted notepad and was very disappointed to not find a similar program for iOS. I'll definitely be checking this out further.

      --
      When you sympathize with stupidity, you start thinking like an idiot.
    115. Re:KeePass by blop · · Score: 1

      Thanks, that looks promising!

  2. Apparently... by mmelbert · · Score: 2

    LastPass is using the same security group as Sony....

    1. Re:Apparently... by ArhcAngel · · Score: 1

      Actually one of the admins at LastPass had a PSN account and used the same password.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    2. Re:Apparently... by makomk · · Score: 1

      Apparently not. They appear to be an awful lot more paranoid than Sony...

  3. Hacked? by Chibo · · Score: 1

    It doesn't say that they were hacked for sure. Why the title proclaiming that it has?

    1. Re:Hacked? by Anonymous Coward · · Score: 0

      If it truly was "signs that its network may have been compromised" they would never NEVER tell the customers... Now if they realized they need to say something like - "There are signs that its network may have been compromised"... Let me translate the P.R. spin for you "We have been 0wnZ0r3d like a mo fo ya'll"

    2. Re:Hacked? by Phoshi · · Score: 1

      Except that if you actually read TFA, you'll see that they don't know for sure any data was compromised, but if it was, it wasn't the password containers. This is preventative, to stop any theoretical attacks that could happen if they actually were compromised. Because, yes, PR - being secure is their thing. If there's even a chance they've been compromised they have to take serious action, because it'd only take one actual breach to sink them.

    3. Re:Hacked? by RobDude · · Score: 1

      The company admits they had 'unexplained' traffic with more data coming from the database than going to the database. They were unable to track down the source of the traffic and have started some password changing strategy for the users.

    4. Re:Hacked? by thedonger · · Score: 3, Funny

      My climbing gym web site was hacked recently and used for a phishing scam and general fun for the script kiddies. The annoying part is that, even with absolutely nothing critical to lose (other than site up-time due to our host taking the site down), there is still a lot of work to do just to make sure they didn't leave another back door. I know this because...I missed the backdoor. They dropped a nice PHP script on the server that gave them unrestricted access.

      Anyway, the point is that just thinking one has been breached is a shitload of work for someone, and probably a good reason to beat the bad publicity of a full breach with a press release that at first sounds worse than it well may be.

      --
      Help fight poverty: Punch a poor person.
  4. I wonder... by kpainter · · Score: 1

    Was the administrator password for LastPass "password"?

    1. Re:I wonder... by Anonymous Coward · · Score: 0

      No, it was "pasword", like in the summary.

    2. Re:I wonder... by rockman_x_2002 · · Score: 1

      It would certainly be the last password I'd ever use.

    3. Re:I wonder... by jcoy42 · · Score: 1

      Pretty sure it was "changeme"

      --
      Never trust an atom. They make up everything.
  5. Another breach, eh? by Anonymous Coward · · Score: 1

    I'm getting tired of getting letters from companies I do business with informing me that my data may have been compromised.

    Do sysadmins do their jobs anymore? Do companies conduct internal penetration testing anymore? Do they do internal audits anymore? I doubt it. They are too concerned with the monetary systems that take our money. Properly configured firewalls, IDP, and router systems be damned.

    1. Re:Another breach, eh? by NeverVotedBush · · Score: 1

      It's not the admins. It's management... Doing more with less...

      When you are up to your ass in alligators, it is difficult to remind yourself that your initial objective was to drain the swamp.

    2. Re:Another breach, eh? by avgjoe62 · · Score: 1

      Of course not. IT departments have been cut to the bone and the budget to hire an outside security auditor is now the CEO's bonus for cutting IT costs. The few SysAdmins left working in most IT departments are too frazzled to pay much attention to security and management mostly looks at any spending on IT security like buying insurance - we won't spend that money until after the house has burned down because before then we don't care.

      Just look at the earlier article here on Slashdot to see how much most companies value good SysAdmins.

      --

      How come Slashdot never gets Slashdotted?

    3. Re:Another breach, eh? by mlts · · Score: 1

      Don't blame the admins. In so many private companies, the PHBs decide that security has no ROI, so at best they give lip service to it.

      Guess what smaller businesses say about a security breach? "Geek Squad can clean the mess up and we can call them 24/7".

      Bigger businesses really are not affected because there is no financial incentive to. Customer list as a .torrent on an ID theft site? Doesn't result in quarterly losses, and will be quickly forgotten.

      It will take governments stepping in before anything is done. Even then, things like Sarbanes-Oxley have not helped one whit in security. SOX and other laws have made SAN providers rich, with all the stuff that has to be stored/archived.

    4. Re:Another breach, eh? by Anonymous Coward · · Score: 0

      In reality, it's a little of both. Good security is EXTREMELY hard to do. Especially in a reasonably sized company.

      You've got to train the users, and make sure they understand this.
      Implement good physical security.
      Implement good technology.
      Implement good policies.

      These should be designed to isolate the employees from the information, almost as much as it isolates the outside from the information, and other systems too.

      All while the users complain about their access and as new attack vectors come out everyday.

      Most companies I've worked for have handled a LOT of personal and sensitive information, and done it in an absolutely cheap/hack way. We've had security breaches before, way worse than this, which we didn't catch for ages, and nothing was done about it. The rest of the company didn't even know, only IT.

      LastPass has done reasonably well here.

  6. If minding your own passwords is too hard... by __aavqan3009 · · Score: 1, Informative

    get off the internet. For crying out loud.

    1. Re:If minding your own passwords is too hard... by Anonymous Coward · · Score: 0

      Amen

      meant in an entirely secular way

    2. Re:If minding your own passwords is too hard... by Seumas · · Score: 1

      By "minding your own passwords", do you mean "mentally keep a checklist of every password you use at every website and for every service you access in your head"? Or do you mean "use your own shit and hope it's secure on your machine and in whatever way you use to sync it to other machines that you access rather than a cloud service"?

    3. Re:If minding your own passwords is too hard... by creat3d · · Score: 0

      I use different passwords for every site I have to log in and I can remember them all. Seriously, why would you need such a service? Sounds like giving away the keys to your home and hoping nobody comes to rob you.

      --
      Grammar nazis are to this community what excrements are to gold.
    4. Re:If minding your own passwords is too hard... by bananaquackmoo · · Score: 1

      That's fine if you have different passwords on 5 websites. What if you have different passwords on 5,000?

    5. Re:If minding your own passwords is too hard... by hedwards · · Score: 1

      In olden times that was probably reasonable, but I've got well over a hundred passwords on file. It's hard enough to get around and change more than a few from time to time, but trying to actually remember them? Good luck without some sort of utility.

    6. Re:If minding your own passwords is too hard... by definate · · Score: 1

      Just checked my repository, I have 157 different sites, all with different passwords, most are completely random, 30+ characters, using all possible type-able characters.

      You think you can remember those? If so, you should compete in those memory challenges, because I think you're the only one in the world who could do that.

      --
      This is my footer. There are many like it, but this one is mine.
  7. Straight from the horse's mouth: by karnal · · Score: 5, Informative

    Note: This is taken from http://blog.lastpass.com/2011/05/lastpass-security-notification.html

    ***f****f****f******f******f**f**f*f*******f******f*f**f******f******f********
    We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

    We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

    In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

    If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

    To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

    We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

    We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.

    For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used and are continuing to investigate it. We had our asterisk phone server more open to UDP than it needed to be which was an issue our auditing found but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on.

    We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.

    Again, we apologize for the inconvenience caused and will continue to take every precaution in protecting user data.

    The LastPass Team.

    UPDATE 1: We're overloaded handling support and

    --
    Karnal
    1. Re:Straight from the horse's mouth: by calderra · · Score: 1

      Mod parent up. There is no direct threat to users, and this measure was taken out of an overabundance of caution. Lastpass does keep all of its passwords encrypted, and what they noticed was a potential attempt at brute force (dictionary) hacking, trying to guess people's passwords. If you have a strong password, your account is just as safe as it ever was.

    2. Re:Straight from the horse's mouth: by Captain+Spam · · Score: 5, Insightful

      In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

      Gotta be honest here: Even if this WASN'T anything, if I had trusted my passwords for everything to some other party like this, I'd very well want them to be more than a bit paranoid in protecting it. So I say, kudos.

      --
      Demanding constant attention will only lead to attention.
    3. Re:Straight from the horse's mouth: by Gaygirlie · · Score: 2

      This is really exemplary action; they're not entirely certain that there even is a threat to customers' data, but they take all the precautions they can and inform their users of the possibility of a threat. We can only wish other companies were as careful!

    4. Re:Straight from the horse's mouth: by Daetrin · · Score: 2

      Well that's certainly a lot more informative than what Sony had to tell their users about what was compromised and whether it was encrypted, hashed, or totally clear.

      --
      This Space Intentionally Left Blank
    5. Re:Straight from the horse's mouth: by Anonymous Coward · · Score: 0

      ***f****f****f******f******f**f**f*f*******f******f*f**f******f******f********

      OK, I give up. What kind of code is that? Or is it just a string of censored f-words?

    6. Re:Straight from the horse's mouth: by Anonymous Coward · · Score: 0

      PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds.

      What does 'rounds' mean in this sentence?

    7. Re:Straight from the horse's mouth: by MobileTatsu-NJG · · Score: 1

      Somebody forward this to Sony.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    8. Re:Straight from the horse's mouth: by Anonymous Coward · · Score: 0

      I assume they're not talking about ammunition, so maybe salting+hashing passes?

      PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching. When the standard was written in 2000, the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase.

    9. Re:Straight from the horse's mouth: by Nogami_Saeko · · Score: 1

      I agree.

      One of the keys here is that if you choose a good master password (phrase), your encrypted data set is still completely safe. There's a reason you should be using a strong password for a "master" password, and this is exactly that reason.

      I'm far happier that they acknowledge the problem and move on it quickly as opposed to delaying a response.

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
    10. Re:Straight from the horse's mouth: by metrometro · · Score: 2

      Reading this makes me more likely to use their service. Well played. Seriously.

    11. Re:Straight from the horse's mouth: by Nogami_Saeko · · Score: 2

      They're re-encrypting (or hashing) the password 100,000 times (basically a big loop) before they end up with the version they store for the user.

      This makes it very computationally expensive to try and crack passwords. In the big scheme of things, it might only take a second or so for a modern CPU to perform this operation 100,000 times, however if someone is cracking passwords automatically, going from potentially tens of thousands of cracking attempts per second to only one or two per second makes a brute-force crack that much more unlikely to succeed within a realistic timeframe.

      N.

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
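The scheme the quoted notice names and that comment 11 describes, as an added example (not LastPass's own code): PBKDF2-HMAC-SHA256 with a 256-bit salt and 100,000 rounds, written out once by hand so the "rounds" are visible, plus a verifier and a timing helper showing how the round count shrinks an attacker's guess rate on a leaked hash table. The parameters come from the post; the record layout, sample passwords and the single-core cost model are assumptions for illustration.

```python
"""PBKDF2-HMAC-SHA256 as described in the LastPass notice (added example)."""
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"
ITERATIONS = 100_000      # the "rounds" from the notice
SALT_BYTES = 32           # 256-bit salt
DK_LEN = 32               # one SHA-256 output of derived key


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 via the standard library (the form to use in practice)."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                               salt, iterations, dklen=DK_LEN)


def pbkdf2_by_hand(password: str, salt: bytes, iterations: int) -> bytes:
    """The same derivation written out, to show what one 'round' is.

    For a 32-byte output with SHA-256 only block 1 is needed:
        U1 = HMAC(P, S || INT32BE(1)),  Ui = HMAC(P, U(i-1)),
        T1 = U1 xor U2 xor ... xor Uc
    Every round is one HMAC over the previous round's output, so a guesser
    cannot skip or parallelise the c rounds for a single candidate.
    """
    pw = password.encode("utf-8")
    u = hmac.new(pw, salt + (1).to_bytes(4, "big"), HASH_NAME).digest()
    acc = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(pw, u, HASH_NAME).digest()
        for i in range(DK_LEN):
            acc[i] ^= u[i]
    return bytes(acc)


def enroll(password: str) -> dict:
    """What a server keeps to verify later: salt, cost and hash, never the password.

    A fresh random salt per user means a leaked table cannot be attacked with
    one precomputed dictionary; the cost is stored so it can be raised later.
    (Assumed record layout, not LastPass's.)
    """
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": derive_key(password, salt, ITERATIONS)}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and cost; compare in constant time."""
    got = derive_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(got, record["hash"])


def guesses_per_second(iterations: int, trials: int = 3) -> float:
    """Candidate passwords this machine can derive per second at a given cost.

    This is roughly the rate someone holding a leaked hash table would get
    per core on similar hardware; raising the round count is what pushes it
    down from many thousands per second to a handful.
    """
    salt = b"\x00" * SALT_BYTES   # constant salt: timing only
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac(HASH_NAME, b"candidate", salt, iterations, dklen=DK_LEN)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return trials / elapsed


def dictionary_seconds(words: int, iterations: int) -> float:
    """Single-core seconds to try `words` dictionary guesses at the given cost."""
    return words / guesses_per_second(iterations)


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")   # constructed sample password
    print("verify good:", verify(rec, "correct horse battery staple"))
    print("verify bad: ", verify(rec, "password1"))
    for rounds in (1, 1_000, ITERATIONS):
        print(f"{rounds:>7} rounds: {guesses_per_second(rounds):12.1f} guesses/s, "
              f"1M-word dictionary ~ {dictionary_seconds(1_000_000, rounds):10.1f} s")
```

The by-hand routine is there only to make the rounds concrete; the `hashlib` call is the one to use, and the printed timings will differ per machine.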
    12. Re:Straight from the horse's mouth: by Anonymous Coward · · Score: 0

      Agreed, I'm in the KeePass camp myself, I'd rather have control of my password vault, and not have it in some central DB, but if they are doing due diligence like this, I must say that it impresses me as a company I could trust.

    13. Re:Straight from the horse's mouth: by Anonymous Coward · · Score: 0

      As I mentioned elsewhere, NO password can be IMMUNE to brute force attack. Certainly immune to dictionary attack, but not brute force. Brute force means to try every possible combination, hopefully in a smart way. This is why barriers are in place to limit brute force and statistically make it impossible/impractical.

    14. Re:Straight from the horse's mouth: by karnal · · Score: 1

      I like to separate content by asterisks. Slashdot complained, so I put in random 'f's to circumvent the filter...

      --
      Karnal
    15. Re:Straight from the horse's mouth: by Anonymous Coward · · Score: 0

      If you think they should be more paranoid, perhaps you should be too and maybe not use the service.

    16. Re:Straight from the horse's mouth: by mysidia · · Score: 1

      It's an exemplary action, but it's a PR disaster, due to the headlines. Their actions are going to hurt (not help) them, unless there actually was a breach.

    17. Re:Straight from the horse's mouth: by Chaonici · · Score: 1

      On the contrary. While I am not a LastPass user, I think more highly of them knowing that this is how they react to even /possible/ intrusions. I appreciate their cautious attitude given the sensitive nature of the information they handle.

    18. Re:Straight from the horse's mouth: by mysidia · · Score: 1

      Yes, as a Slashdot user who bothers to read the whole article, you can come away with a high view of LastPass.

      But as for joe public who reads the headline, maybe a couple words, then takes a TLDR approach to the rest of the article, they come away thinking LastPass security was lax and they got hacked by 31337 hax0rs

    19. Re:Straight from the horse's mouth: by Anonymous Coward · · Score: 0

      In this case, if you're trusting your data to them, you're implicitly stating it's their responsibility to be paranoid, in exchange for whatever it is you're giving them (money, advertising clicks, good vibes, whatever). This is so that you can offset your own paranoia and actually go do something useful.

  8. I guess I'm just old school... by Gunkerty+Jeb · · Score: 1

    I use this thing called my brain to store passwords. Sometimes I lose one, but it never gets hacked.

    1. Re:I guess I'm just old school... by Anonymous+Psychopath · · Score: 4, Insightful

      Either you have an excellent memory or you're reusing the same password on multiple sites. If you're a mere mortal, like me, and you don't want to reuse a few passwords over and over again, you need a password manager.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    2. Re:I guess I'm just old school... by Jeek+Elemental · · Score: 1

      so how many brains have you lost so far??

    3. Re:I guess I'm just old school... by BLToday · · Score: 1

      It hasn't been hacked YET. Or at least you believe it hasn't been hacked.

      My bet is that the NSA and/or DARPA is working on something to hack your brain.

    4. Re:I guess I'm just old school... by Anonymous Coward · · Score: 0

      Bet you have a system or a pattern that can be used to figure out the rest of your passwords...

      That's hacking your brain...

    5. Re:I guess I'm just old school... by Anonymous Coward · · Score: 0

      Or you could just quit signing up for every website. If I don't have to I'm not registering anywhere. And if a website requires it, for example to post, then I look at what it would benefit me. Somewhere I almost never visit vs the need to remember another password?

    6. Re:I guess I'm just old school... by Thud457 · · Score: 1

      All but one of them.

      One, his name is Spock, would also have been an acceptable answer.

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    7. Re:I guess I'm just old school... by Anonymous Coward · · Score: 0

      You forgot another option: Use of 4-letter passwords or some normal word that comes to mind in the context.

    8. Re:I guess I'm just old school... by avgjoe62 · · Score: 1

      --

      How come Slashdot never gets Slashdotted?

    9. Re:I guess I'm just old school... by Anonymous Coward · · Score: 0

      $5 wrench

    10. Re:I guess I'm just old school... by creat3d · · Score: 0

      I'm pretty sure there's a lot of us "mere mortals" who can remember all their passwords (all different ones) without the need to entrust a cyber nanny with said passwords. Of course, if you have an account for Twitter, Delicious, Digg, Bebo, Bobe, Baba, Bubo, Meeme, Moomo, Mamo, and every other useless social crap out there... I could see the need for a password manager.

      --
      Grammar nazis are to this community what excrements are to gold.

    11. Re:I guess I'm just old school... by Ruke · · Score: 1

      Or you could use the same password-salt on multiple sites, with a unique, easy-to-remember base for each site. For example, my base could be "RjZg#sl1", which would produce RjZslshg#sl1 for slashdot, RjZgglg#sl1 for gmail, RjZtwttrg#sl1 for twitter, etc.

      You need to memorize eight characters, and one process (remove consonants from service name), and you've got a secure, unique password for each website. It's not perfect - if someone is specifically targeting you, and gets two or three of your passwords in cleartext, they have a good chance at guessing your others, but it's probably more secure than storing your passwords written down somewhere, even encoded.

    12. Re:I guess I'm just old school... by Dice · · Score: 2

      I find that sentences describing my thoughts about the service in question and mapped to leet-speak are easy to remember for a large number of sites.

      Some hypothetical examples:

      1. Slashdot: d0tc0m1.0d1n0s4ur
      2. Twitter: 0hg0dwh0c4r3z4b0utth1zsh1t
      3. Flickr: 3y3y4mh3r3f0rth3b00b13z--3y3m34n4rt

    13. Re:I guess I'm just old school... by Anonymous Coward · · Score: 0

      Pfft. The Army has had mind readers for ages. They're called officers: they can read their bosses' minds and tell them exactly what they want to hear.

    14. Re:I guess I'm just old school... by Anonymous Coward · · Score: 0

      That would have been funnier if you were logged into your Slashdot account when u wrote that.

    15. Re:I guess I'm just old school... by ColdWetDog · · Score: 2

      And I have something like 12 passwords for WORK alone. That have to be changed. On different schedules.

      There is more in my life than memorizing passwords. Not much (it seems, at times), but more.

      --
      Faster! Faster! Faster would be better!

    16. Re:I guess I'm just old school... by Anonymous Coward · · Score: 0

      OK, let's just consider -non trivial- web sites that one might need access to (using my own situation as an example):

      Credit cards (3 sites)
      Cable/Internet
      Online Bank
      Brick and Mortar Bank
      Company payroll
      Electric Company
      Life Insurance Co.
      Auto Insurance Co
      Local Town Tax Collection Dept.
      401K Investment Acct.

      Notice there's nothing even as trivial as Slashdot in that list, yet it's a significant number of passwords to remember. Even if I never sign up for an account at a web site I only have a marginal interest in, all the sites I truly WANT to access add up to a pretty large number.

      And I even try to use some simple 'rules' to generate the passwords, but that breaks when two different sites have -incompatible- password requirements of their own. The most typical example I run into is sites that REQUIRE mixed case passwords vs. sites that REJECT mixed case passwords, but there are other problems too.

    17. Re:I guess I'm just old school... by lennier · · Score: 1

      I use this thing called my brain to store passwords.

      I tried that too, but then this happened.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC

    18. Re:I guess I'm just old school... by greghodg · · Score: 0

      Brain and brain! What is brain!

    19. Re:I guess I'm just old school... by Gaygirlie · · Score: 1

      I have a slightly different approach. I have one password with 2 variations I use for most sites, but I have a third password that I only use for my e-mail account. Thus even if I lost access to one of the other sites I could still reset the password via e-mail and then I'd proceed to change the passwords on all the other sites I use, too.

    20. Re:I guess I'm just old school... by VortexCortex · · Score: 1

      Either you have an excellent memory or you're reusing the same password on multiple sites. If you're a mere mortal, like me, and you don't want to reuse a few passwords over and over again, you need a password manager.

      Or, if you're a coder like me, you wrote a javascript:sha1( salt + get_master_pw() + host ); bookmarklet which enables you to use the same password everywhere, but generate a site specific hash that you enter into the PW field.

      Note: I would use someone else's PW hasher plugin, but I can re-code my own system from scratch in any URL bar, text editor, command shell or programming language to re-gain access to my codes in a worst case scenario...

    21. Re:I guess I'm just old school... by airjrdn · · Score: 1

      What do you do when a site gets hacked and your algorithm can no longer be used there? How do you remember that siteA now uses algorithm 2, etc.? I just don't see how that's useful long term.

    22. Re:I guess I'm just old school... by airjrdn · · Score: 1

      How do you handle it when you have to change the password for a site?

    23. Re:I guess I'm just old school... by Ruke · · Score: 1

      This has happened; I changed my salt, not my algorithm, and set out to change my password everywhere else, as well. It's probably not too terrible to change your passwords every so often anyways. I guess that I have to remember two eight-character salts; the current, and the previous. I don't do this terribly often, maybe once every 6 months or so. If I go a year without accessing a service, I either simply abandon the account (in the case of webmail, BBS, etc), or go through the process of account-recovery. (In the unlikely case that I don't access an important site, like a bank, in a given year.)

      It's not a perfect system, I'll grant you that. However, it uses a simple mnemonic system that isn't any more complicated to use than the simplest software-based solution out there, and it doesn't have any of the common failure cases common to the software solutions out there. (Lost databases, stolen databases.) It's certainly not for everyone, or every situation - I use PasswordSafe and a shared .psafe file when I need to share passwords within a group, or store a whole lot of passwords - but I've found that it's a great system for my own personal use.

    24. Re:I guess I'm just old school... by Unequivocal · · Score: 1

      I'd way rather have one very long (say 20 chars), fairly random password memorized and use that to encrypt the rest of my passwords, than use a system like yours. Predictability is a big vulnerability. If someone can guess 7 out of 12 chars of your password, that means a brute force is relatively trivial to accomplish. If two sites you use get cracked, and they happen to store your p/w in cleartext (some places still do I'm sure), then the crackers will have a nice pattern to work from. At least that's my opinion..

    25. Re:I guess I'm just old school... by Anonymous Coward · · Score: 0

      If it's important to your life, defend it as such. If it is your OS or your email, make that password some crazy letter number combo. But if it's just yet another username on some random website, who gives a shit if it's hacked? Use the same easy to remember (and possibly dictionary hackable) password. Just create another account if it gets hacked. High karma or low ids are cool for the occasional dick waving, but you should know that in the end it really isn't that valuable.

      ideally, you should probably only have five complex passes, maximum. you decide what those are.

      I call it security by learning when you should give a fuck.

    26. Re:I guess I'm just old school... by L4t3r4lu5 · · Score: 1

      Not really. You can come up with a simple algorithm to create passwords which meet security criteria, and the algorithm is all you need to remember. Hell, go one better and include a salt.

      An example: My password scheme could be to take the first three letters of the domain name, the last three letters, reverse them, and in between insert the value 4Fd9. Now, this gives me the password for Slashdot of tod4Fd9als. That meets the requirements of pretty much any website you can think of, is unlikely to be featured in any rainbow table, requires remembering very little, and is not reliant on me carrying my password vault with me all the time.

      --
      Finally had enough. Come see us over at https://soylentnews.org/

    27. Re:I guess I'm just old school... by gsslay · · Score: 1

      Your brain would be worth marvelling at if you let us know just how many passwords you have, or how often you are forced to change them.

      If it's 50 or more, which is not unheard of when you work with computer systems, then you truly are remarkable... or foolishly reusing passwords (or worse).

      If it's 2, (your email and slashdot account) then not so remarkable.

    28. Re:I guess I'm just old school... by Anonymous Coward · · Score: 0

      You can also use a hash method to generate unique password for all sites.

    29. Re:I guess I'm just old school... by foniksonik · · Score: 1

      Or he uses a pattern that is not machine obvious.

      1Little2Red3Riding4Hood

      Or better

      4Big3Blue2Walking1Pants

      Or better

      4Slashdot3Blue2Walking1Pants

      --
      A fool throws a stone into a well and a thousand sages can not remove it.

  9. Wel... by theNAM666 · · Score: 1

    Apparently the hackers got only paswords, and not passwords. No big deal then.

    1. Re:Wel... by Anonymous Coward · · Score: 0

      They got basically the user-names and master passwords, they apparently didn't get many (if any) actual password lists. To obtain the password lists, they would need to brute force the master passwords then use those to login and grab the password lists.

  10. One key to rule them all... by geekmux · · Score: 1

    "...advised its customers to change the password they use to access the service..."

    Wow, I only have to change one password? Whew, that's a relief! For a minute there, I thought I had to change them all. (/sarcasm)

    Consolidated password management works, as long as YOU maintain 100% control. Use Truecrypt locally for securing your password file. Sync the encrypted file to the cloud if you want an "online" backup.

    1. Re:One key to rule them all... by mailman-zero · · Score: 4, Informative

      Consolidated password management works, as long as YOU maintain 100% control. Use Truecrypt locally for securing your password file. Sync the encrypted file to the cloud if you want an "online" backup.

      LastPass is basically the exact same thing. It's encrypted locally and sent to them AFTER encryption. They don't store the plaintext passwords. The danger is the same either way if a user doesn't use a strong enough password.

      --
      Let's play video games with mailmanZERO

    2. Re:One key to rule them all... by Anonymous Coward · · Score: 0

      Wut.
      Their window of opportunity to access the data closes once your password changes. Lastpass does only store your encrypted passwords, it needs your master pass to unencrypt them. Assuming you're not an idiot and your master pass isn't bruteforcable in the time before you change your password (if it's bruteforceable full stop), then your passwords are safe. They said not enough data could have been stolen for entire databases to be compromised if indeed there was an attack.

    3. Re:One key to rule them all... by Anonymous Coward · · Score: 0

      No, because if you encrypt your own material you hold the keys. If you let someone else do it, they hold the keys. And who knows how good they are at keeping them safe.

      You always know how good you are (or, how bad you are) at keeping your own keys safe.

      Keepass(x), gpg encrypted file backup with the gpg keys backed up on a CD in a bank safety deposit box. (and if you're daring, a copy of the key on a usb jump drive you keep on your person at all times)

    4. Re:One key to rule them all... by RobDude · · Score: 1

      Pick your poison....

      If you go with LastPass - you get great integration/ease of use and you can access your passwords from any place with internet access. For that ease of use, you run the risk of LastPass's servers being hacked and hoping that the encryption they use is strong enough and that your password isn't vulnerable to a dictionary-type attack.

      If you take your approach - you get limited integration/ease of use and you can only access your passwords from any place where you can access gpg.

      In either case, if your local machine is compromised all of your passwords are stolen.

    5. Re:One key to rule them all... by Anonymous Coward · · Score: 0

      This is the same way LastPass works. They hash your password, then use your hashed password as the encryption key to encrypt the real encryption key, then all of your data is encrypted using the 2nd encryption key. All of your data is inaccessible without your original password.

    6. Re:One key to rule them all... by vrmlguy · · Score: 1

      No, because if you encrypt your own material you hold the keys. If you let someone else do it, they hold the keys. And who knows how good they are at keeping them safe.

      You always know how good you are (or, how bad you are) at keeping your own keys safe.

      Keepass(x), gpg encrypted file backup with the gpg keys backed up on a CD in a bank safety deposit box. (and if you're daring, a copy of the key on a usb jump drive you keep on your person at all times)

      Don't forget the copy you keep in your head and enter whenever you need to access the safe; you're vulnerable at that point to a key logger. :)

      With LastPass, you encrypt your own material, LastPass never holds the keys. LastPass works exactly the same as KeePass: there's a binary blob that is kept on an Internet-accessible server, and you download the blob and decrypt it locally. All they have is an encrypted version of your key, just like in your Linux/Mac/Windows desktop system. Yeah, maybe they could have used different keys for their web site and the blob, but I don't see how that would increase security all that much. With either service, an attacker has to get your blob (by hacking the LastPass server or your computer's cache, or by finding the KeePass blob on your computer or in a Dropbox or similar cloud-based server), then they have to brute force the key. If your key is easy to figure out using a dictionary, then you're hosed no matter which service you use.

      This is similar to the Gawker attack, except with Gawker the encrypted passwords were made public, along with the subset that were brute forced. I checked for my email address and it only showed up in the first list, not the second. Of course, my passwords for everywhere use the "at least one letter, number and special character" rule, they are generally fairly long (pre-Gawker, 8 characters, post-Gawker, 14), and I don't use leet-speak to determine the non-alpha characters (leet-speak increases the effort needed to brute-force by only a small factor).

      --
      Nothing for 6-digit uids?

    7. Re:One key to rule them all... by Rich0 · · Score: 1

      LastPass is basically the exact same thing. It's encrypted locally and sent to them AFTER encryption. They don't store the plaintext passwords. The danger is the same either way if a user doesn't use a strong enough password.

      The problem I have with their site is that they use the same password to encrypt your password database that you use to log into the site. So, if somebody puts the equivalent of a keylogger on their server they get everything.

      They should have one password to authenticate to the server, and another password to encrypt the passwords that get uploaded to the site. In fact, you'd only need both when logging in from a client that doesn't use Lastpass, since the latter could safely store the former.

    8. Re:One key to rule them all... by erobbin · · Score: 1

      If "the equivalent of a keylogger" worked like that, e-commerce as we know it would not exist. Thanks to SSL/TLS it doesn't.

    9. Re:One key to rule them all... by Rich0 · · Score: 1

      Sure it does:

      1. Get root on webserver.
      2. Edit login page. New login page has the user enter their password into a box, and send the password in the clear to the server (fully protected by SSL of course).
      3. Send copy of password to wherever.
      4. Do whatever the previous secure implementation did with the user's password and pass that into the authentication routine so that the app works fine.

      SSL/TLS only protects you against attacks to data in-transit. Now, SSL client certificates would completely prevent this attack, but nobody uses them.

    10. Re:One key to rule them all... by Anonymous Coward · · Score: 0

      They already do what you ask for. They use two different hashing methods (both based on sha256) for deriving authentication and encryption keys.

      "Your Master Password is never sent to LastPass, only a one-way hash of your password when authenticating, which means that the components that make up your key remain local."

    11. Re:One key to rule them all... by Anonymous Coward · · Score: 0

      http://www.grc.com/sn/sn-256.htm
              key = sha256(normalize(email) + password)
              authToken = sha256(key + password)
      Neither password nor key ever leaves the client. They only receive the authToken and email. They then sha256(authToken + salt) where salt is 256B generated per account and use this super-digested result in their database for future authentication comparisons.

      A database leak only gets the email address, salt, and super-digested salted auth token result. The only thing the database data gains a hacker is the ability to offline attack on a single user's password, one user at a time.
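    The scheme the post above describes, carried through end to end as an added example (this is not LastPass's code, nor the code from the linked Security Now episode): the client derives the vault key and the auth token from email and master password, only the auth token crosses the wire, and the server stores a per-account salted hash of it. Byte-level details are assumptions: `normalize` is taken to mean trim and lower-case, digests are concatenated as raw bytes, and the server salt is 32 bytes (the post says "256B", the LastPass statement elsewhere on the page says 256-bit). The `demo` function returns what a database leak would and would not contain.

```python
"""Client/server key split in the style described in the thread.
Added example; byte-level details are assumptions, not LastPass's code."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def normalize(email: str) -> str:
    # Assumed normalisation: strip surrounding whitespace, lower-case the address.
    return email.strip().lower()


def client_derive(email: str, password: str) -> tuple[bytes, bytes]:
    """Runs on the client only.

    `key` decrypts the vault blob and never leaves the device.
    `auth_token` is the only secret-derived value sent to the server.
    """
    key = hashlib.sha256((normalize(email) + password).encode("utf-8")).digest()
    auth_token = hashlib.sha256(key + password.encode("utf-8")).digest()
    return key, auth_token


class AuthServer:
    """Server side: stores email -> (salt, sha256(auth_token + salt))."""

    SALT_LEN = 32  # assumption: 256-bit per-account salt

    def __init__(self) -> None:
        self._db: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, auth_token: bytes) -> None:
        salt = secrets.token_bytes(self.SALT_LEN)
        digest = hashlib.sha256(auth_token + salt).digest()
        self._db[normalize(email)] = (salt, digest)

    def login(self, email: str, auth_token: bytes) -> bool:
        rec = self._db.get(normalize(email))
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.sha256(auth_token + salt).digest()
        # Constant-time comparison so a wrong token does not leak how many bytes matched.
        return hmac.compare_digest(candidate, digest)

    def dump(self) -> dict[str, tuple[bytes, bytes]]:
        """Everything a full database leak would expose: email, salt, digest."""
        return dict(self._db)


def demo() -> dict[str, bool]:
    """Constructed walk-through: register, log in, then inspect the leaked record."""
    server = AuthServer()
    key, token = client_derive("Alice@Example.com", "correct horse battery staple")
    server.register("alice@example.com", token)
    _, wrong_token = client_derive("alice@example.com", "wrong password")
    leaked = server.dump()["alice@example.com"]  # (salt, digest) only
    return {
        "login_ok": server.login("alice@example.com", token),
        "login_wrong": server.login("alice@example.com", wrong_token),
        # Neither the vault key nor the auth token is stored server-side.
        "key_in_db": key in leaked,
        "token_in_db": token in leaked,
    }


if __name__ == "__main__":
    print(demo())
```

    The point the thread is making falls out of `dump()`: a stolen table yields salts and digests, so an attacker holding it can only test master-password guesses offline against one account at a time; the vault key itself is never on the server.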

    12. Re:One key to rule them all... by Unequivocal · · Score: 1

      Well said. Trusting a cloud provider to give you your only encryption seems nuts. I use SpiderOak for cloud services, so I encrypt it once in pwsafe and then they encrypt it again when it goes up.

    13. Re:One key to rule them all... by mysidia · · Score: 2

      The problem I have with their site is that they use the same password to encrypt your password database that you use to log into the site. So, if somebody puts the equivalent of a keylogger on their server they get everything.

      Your browser doesn't actually send the password to their site when you are "logging in" to their website. They use client-side crypto via Javascript; or offloaded to their browser plugin if you have that installed.

      You need to ssl sniff your connection, and capture the data exchanges, to understand what's going on.

      You might find it interesting that they actually encourage you to do that; they even recommend tools in the FAQ for sniffing the SSL traffic, and in the forums have offered detailed explanations of what's going on.

    14. Re:One key to rule them all... by Rich0 · · Score: 1

      And what happens when somebody cracks their webserver and modifies their site to remove all the fancy Javascript and just have the client send the password to them? The browser won't complain - the SSL cert still is correct and the current browser model trusts websites implicitly. Well, yes-and-no - there is the annoying pop-up the first time you submit form data to any website on some browsers that everybody just disables anyway. Plus, that pop-up would appear whether you submit hashed or clear password data.

    15. Re:One key to rule them all... by Rich0 · · Score: 1

      Users are still trained to type their master password into the box, and not to inspect the page source 100% of the time to make sure that client-side javascript is going to not actually send it to them. If you hack their site, and change their login page, you'll get all the passwords you need to crack the keys.

    16. Re:One key to rule them all... by Rich0 · · Score: 1

      At best that only protects you from somebody stealing their database. It does not protect you from somebody modifying the login page to just send the password to the server and logging it.

    17. Re:One key to rule them all... by mysidia · · Score: 1

      And what happens when somebody cracks their webserver and modifies their site to remove all the fancy Javascript and just have the client send the password to them? The browser won't complain

      The browser will detect this if you have the right addon and the code isn't properly digitally signed. However, if the hacker modifies the Javascript code, that is immediately detectable by the operator of the site -- it's one of the most obvious ways a hacker can tip off the company, by modifying a monitored page on their website.

      Suddenly, the monitoring device will detect a page has been changed, and their security alarms should go bananas.

      The concern about malicious site or software modification is one of the greatest concerns for any host-proof password cloud storage solution, including LastPass, Passpack, etc.

      Especially when they offer a web-based password vault.

      It's a concern; but it's also a concern the Lastpass folks know about and can easily monitor. It's a much smaller risk than silent information leak.

    18. Re:One key to rule them all... by Rich0 · · Score: 1

      Agreed, and I have to say I'm impressed at the level of disclosure and monitoring by Lastpass on this one. If anything it increases my sense of security using their service.

    19. Re:One key to rule them all... by WuphonsReach · · Score: 1

      The problem with Truecrypt and a single password file (or even multiple password files) - if the volume is mounted, your passwords are completely vulnerable to anything on the system that can read/write files.

      Instead, consider just putting passwords into a text file, with the contents encrypted with GPG. Maybe one site per file if you wish. When you need a password, copy the ASCII armor block into the clipboard and decrypt with GPG (or a tool like GPA or WinPT).

      The advantage here is that the contents of the text file are encrypted, you can mail them around in emails (it's plain text, a.k.a ASCII armored), and you don't have to take special steps to protect the contents of the files. You just need to be careful with your GPG private key. Stuff them into a version control system, or a file sync service, or carry them around on a USB key. They're useless unless you have your GPG private key and the passphrase used to decrypt the private key.

      --
      Wolde you bothe eate your cake, and have your cake?

  11. Bullshit article and submission. by Seumas · · Score: 1

    Lastpass released this information yesterday and they did not state that they were hacked as the submitter does nor do they state that they were probably hacked as the article does. They stated that there was a mismatch in the amount of traffic between some of the servers and that whenever this occurs, they do an investigation, which usually turns out to be nothing. They felt it was probably nothing, but since they were unable to (so far) determine exactly what accounted for the difference in data transfers, they wanted to take the safe road and enforce a password change on all accounts.

    ORIGINAL LASTPASS STATEMENT FROM MAY 4TH
    (source: http://blog.lastpass.com/2011/05/lastpass-security-notification.html)

    We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

    We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

    In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

    If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

    To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

    We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

    We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.

    For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used and are continuing to investigate it. We had our asterisk phone server more open to UDP than it needed to be which was an issue our auditing found but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on.

    We don't have a lot that indicates an i
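
    The hardening the statement announces, as an added example (not LastPass's code): server-side PBKDF2 with SHA-256, 100,000 rounds and a 256-bit salt, alongside the single-SHA-256 record format the thread described earlier. The migration path is the part a practitioner usually wants to see: a legacy record can only be upgraded when the client's auth token is in hand, so the store rehashes on the next successful login. The record layout, the `rehash-on-login` approach and the constructed auth tokens are assumptions for illustration.

```python
"""PBKDF2-HMAC-SHA256 credential storage with transparent upgrade from a
legacy sha256(auth_token + salt) record. Added example, not LastPass's code."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

ROUNDS = 100_000  # rounds quoted in the LastPass statement
SALT_LEN = 32     # 256-bit salt quoted in the statement


@dataclass
class Record:
    scheme: str    # "sha256" (pre-rollout) or "pbkdf2"
    salt: bytes
    digest: bytes
    rounds: int = 0  # 0 for the legacy scheme


def legacy_digest(auth_token: bytes, salt: bytes) -> bytes:
    # One SHA-256 over token and salt, as the thread described the old server side.
    return hashlib.sha256(auth_token + salt).digest()


def pbkdf2_digest(auth_token: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    # Each verification now costs `rounds` HMAC evaluations, which is the whole point:
    # an offline guess against a stolen record pays the same price.
    return hashlib.pbkdf2_hmac("sha256", auth_token, salt, rounds, dklen=32)


class CredentialStore:
    def __init__(self) -> None:
        self._db: dict[str, Record] = {}

    def add_legacy(self, user: str, auth_token: bytes) -> None:
        """Create a pre-rollout record (constructed here to show the migration)."""
        salt = secrets.token_bytes(SALT_LEN)
        self._db[user] = Record("sha256", salt, legacy_digest(auth_token, salt))

    def register(self, user: str, auth_token: bytes) -> None:
        salt = secrets.token_bytes(SALT_LEN)
        self._db[user] = Record("pbkdf2", salt, pbkdf2_digest(auth_token, salt), ROUNDS)

    def login(self, user: str, auth_token: bytes) -> bool:
        rec = self._db.get(user)
        if rec is None:
            # Do the same work for unknown users so timing does not reveal which exist.
            pbkdf2_digest(auth_token, b"\x00" * SALT_LEN)
            return False
        if rec.scheme == "sha256":
            ok = hmac.compare_digest(legacy_digest(auth_token, rec.salt), rec.digest)
            if ok:
                # Rehash-on-login: the token is available now, so upgrade in place.
                self.register(user, auth_token)
            return ok
        return hmac.compare_digest(
            pbkdf2_digest(auth_token, rec.salt, rec.rounds), rec.digest
        )

    def scheme_of(self, user: str) -> str | None:
        rec = self._db.get(user)
        return rec.scheme if rec else None


def demo() -> dict[str, object]:
    """Constructed walk-through of a legacy account being migrated."""
    store = CredentialStore()
    token = hashlib.sha256(b"constructed auth token").digest()   # stand-in client token
    wrong = hashlib.sha256(b"some other token").digest()
    store.add_legacy("alice", token)
    before = store.scheme_of("alice")
    rejected = store.login("alice", wrong)       # wrong token: no upgrade happens
    still_legacy = store.scheme_of("alice")
    accepted = store.login("alice", token)       # right token: record is rehashed
    after = store.scheme_of("alice")
    return {
        "before": before, "rejected": rejected, "still_legacy": still_legacy,
        "accepted": accepted, "after": after,
        "second_login": store.login("alice", token),
        "second_wrong": store.login("alice", wrong),
    }


if __name__ == "__main__":
    print(demo())
```

    The statement also mentions a second PBKDF2 pass on the client; that is the same call applied to the master password before the auth token is derived, and it stacks with the server-side cost rather than replacing it.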

  12. Daaaaamn. by Anonymous Coward · · Score: 0

    A company like Sony could conceivably recover from a breach like this, but LastPass is a service explicitly targeted toward people who want their shit to be super-duper-secure. It's over.

    1. Re:Daaaaamn. by heypete · · Score: 2

      How so?

      The data stored on LastPass is, with the exception of the salt and email address (neither of which are sensitive), encrypted. The only risk is to those who used weak "master passwords", and then the bad guys would need to identify which of the encrypted data blobs they got (assuming they actually got any) are weakly secured. This is not exactly easy.

      From the LastPass announcement:

      In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

      In short:
      - Not many, if any, encrypted data "blobs" were taken. This means that the odds of an offline attack on the encrypted data are low.
      - They don't state how many people's email addresses, salts, and salted password hashes were taken. It could have been only a few accounts worth, or it could have been a lot. Based on what they're saying, the main risk seems to be an offline attack on the password hashes, and then having the bad guys log into the online accounts and get data. Other mechanisms, like two-factor authentication, would then apply. Changing passwords in such a scenario is a good thing, as even if bad guys managed to get people's passwords, they would be invalid.

      Perfect security isn't possible, but LastPass seems to be on the ball with this. I appreciate them disclosing the information and trying to remedy it immediately, rather than waiting for a week as with Sony.

  13. They didn't pull a sony by binkzz · · Score: 3

    It isn't as bad as it seems, and kudos for them to be upfront and open about it:

    We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

    We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

    In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

    If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

    To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

    --
    'For we walk by faith, not by sight.' II Corinthians 5:7
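The check LastPass describes above (a byte-volume spike leaving a database, mirrored by a matching inbound spike on another machine in the same window) can be reproduced on per-host flow summaries. The code below is an added illustration, not LastPass's tooling: the flow records are constructed, and the host names, the robust z-score threshold `k=6` and the pairing tolerance are assumptions.

```python
"""Flag per-host byte-volume spikes and pair an outbound spike on one host
with a matching inbound spike on a different host in the same minute.

Added example; the flow data is constructed and the thresholds are assumed.
"""
from collections import defaultdict
from statistics import median


def build_sample_flows():
    """Constructed per-minute summaries: (minute, host, bytes_in, bytes_out).
    Twenty minutes of ordinary traffic with one spike at minute 15."""
    flows = []
    for minute in range(20):
        db_in = 5_000 + (minute * 104_729) % 1_000
        db_out = 50_000 + (minute * 7_919) % 3_000
        web_in = 20_000 + (minute * 31) % 500
        web_out = 8_000 + (minute * 613) % 700
        if minute == 15:                # the constructed anomaly
            db_out = 2_000_000          # database sends far more than usual ...
            web_in = 2_100_000          # ... and a non-critical host receives about as much
        flows.append((minute, "db1", db_in, db_out))
        flows.append((minute, "web-nc", web_in, web_out))
    return flows


def robust_zscores(values):
    """Median/MAD based z-scores: one spike barely moves the baseline, whereas
    with mean/stddev the spike would inflate its own threshold."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = max(1.4826 * mad, 1.0)      # 1.4826 scales MAD to sigma; floor avoids division by zero
    return [(v - med) / scale for v in values]


def find_anomalies(flows, k=6.0):
    """Return {(minute, host, direction): bytes} for windows whose volume sits
    more than k robust standard deviations above that host's own baseline."""
    series = defaultdict(list)          # (host, direction) -> [(minute, bytes)]
    for minute, host, b_in, b_out in flows:
        series[(host, "in")].append((minute, b_in))
        series[(host, "out")].append((minute, b_out))
    flagged = {}
    for (host, direction), points in series.items():
        zs = robust_zscores([b for _, b in points])
        for (minute, b), z in zip(points, zs):
            if z > k:
                flagged[(minute, host, direction)] = b
    return flagged


def correlate(flagged, tolerance=0.2):
    """Pair an outbound spike with an inbound spike on a different host in the
    same minute when the byte counts agree within `tolerance` (a fraction).
    Such a pair is the 'opposite direction' match LastPass reported."""
    pairs = []
    for (minute, src, direction), out_bytes in flagged.items():
        if direction != "out":
            continue
        for (m2, dst, d2), in_bytes in flagged.items():
            if m2 == minute and d2 == "in" and dst != src:
                if abs(in_bytes - out_bytes) <= tolerance * max(in_bytes, out_bytes):
                    pairs.append((minute, src, dst))
    return sorted(pairs)


if __name__ == "__main__":
    spikes = find_anomalies(build_sample_flows())
    for key, b in sorted(spikes.items()):
        print("spike", key, b)
    print("paired transfers", correlate(spikes))
```

The per-host baseline matters: a database normally sends more than it receives, so comparing each host against its own history, rather than against a global average, is what makes a "small" anomaly on the database side visible at all.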
    1. Re:They didn't pull a sony by lwsimon · · Score: 1

      Wow. I'm going to check out their service then - that's obscenely ethical.

      --
      Learn about Photography Basics.
    2. Re:They didn't pull a sony by Seumas · · Score: 1

      The other slight concern would be that if you're using their printed personal grid as a second factor of authentication, any data breach might have included a copy of your personal grid, which they could then use. Of course, that would only be useful if they also brute-forced your password, since they have to be used in combination. The solution is simple enough - go into your account settings and generate/print a new personal authentication grid. Or . . . at least . . . do that when they aren't overloaded from all the traffic and you can access your settings.

    3. Re:They didn't pull a sony by dreampod · · Score: 1

      That was my reaction too. If they are this cautious about unexplained traffic then maybe an online password service (run by them) isn't the disaster I thought it would be.

    4. Re:They didn't pull a sony by mysidia · · Score: 1

      The grid has a certain level of being 'interesting', but I recommend the Yubikey + Lastpass bundle instead.

      I like the fact that your passwords stored on the client are also encrypted with the hash of your Yubikeys, when using this. So even if your master password is compromised, they cannot be decrypted.

      I just wish Lastpass would give me the option to turn off the ability to recover from a lost Yubikey, as long as I register enough Yubikeys on my account, and keep a couple in secure secondary locations (as in bank safety deposit box), where they are not easily lost.

  14. pity!! by liqs8143 · · Score: 1

    sad to see so many organizations facing attacks from hackers! pity!

  15. Somebody misread their slogan by Anonymous Coward · · Score: 0

    as "The Last Password You'll Have to Hack".

  16. This. by Jon.Laslow · · Score: 1

    Seriously. I can't stand the thought of someone else having every password I use for everything. I use a system to generate passwords in a semi-hard-to-predict fashion for services I don't really care about, and have a number of 'strong' passwords for things that are important. Those passwords (and the information on where to use them) get stored in a TrueCrypt container that I periodically update and sync with my VPS and my Dropbox. The TrueCrypt volume key isn't recorded anywhere - it's in my head, which is the safest place for it (because, seriously, if someone is actually going to go to the effort of torturing me to get my passwords, they're going to be in for a big let down).

    1. Re:This. by llZENll · · Score: 1

      It's just like anything else, be smart about it. It doesn't force you to use it for every site so don't. I use it for all my forums, some email, some social sites, basically anything that if stolen, doesn't matter, well over 100 sites. I don't use it for anything connected to any part of my finances, credit cards, or my big selling or buying sites (eBay, Amazon, etc.), a much smaller 10-20 sites. Using it this way is worry free and does simplify things. You still have multiple passwords, but at least the ones for non-financial sites are automatic now on all my computers, and I no longer use the same password for these sites.

    2. Re:This. by Anonymous Coward · · Score: 0

      if someone is actually going to go to the effort of torturing me to get my passwords, they're going to be in for a big let down).

      And you'll be kicked to within an inch of your life. Good plan!

  17. Headline Edit by mailman-zero · · Score: 4, Informative

    LastPass Password Service may have been Hacked.

    This is a good story, but the story isn't that they were definitely hacked. It's entirely possible that the anomalous data transfers they mentioned were caused by internal testing and not properly documented, based on the limited information we have available.

    Here is a transcript wherein Steve Gibson talks at length about why LastPass is secure.

    --
    Let's play video games with mailmanZERO
    1. Re:Headline Edit by Anonymous Coward · · Score: 0

      You trust this monkey Gibson for anything?

    2. Re:Headline Edit by indeterminator · · Score: 1

      He's more trustable than an AC.

      Some of Mr. Gibson's opinions are a bit excessive (like the whole 'stealth ports' thing), but he usually gets the facts right.

    3. Re:Headline Edit by Anonymous Coward · · Score: 0

      Steve Gibson? Seriously?

    4. Re:Headline Edit by mysidia · · Score: 1

      Some of Mr. Gibson's opinions are a bit excessive (like the whole 'stealth ports' thing), but he usually gets the facts right.

      Excessive in some regards. There is a theoretical grain of truth to the whole 'stealth ports' thing. It just doesn't buy you any security in the real world; nor do closed ports hurt.

  18. I noticed something happened last night by raulfragoso · · Score: 2

    I'm a LastPass user and last night I was forced to change my master password. Initially I was a bit suspicious about the request, so I took all the measures to make sure it was a genuine request from LastPass.com. When I was sure it was a safe request, I changed my master password to something even stronger than it was. I'm a paying user for their premium services, and in my opinion I must admit that their reaction to that casualty and possible data breach has been very open and reasonable. I would be very angry if instead they had an attitude like PSN. At least they took proactive countermeasures and are being honest to their customers, that attitude really deserves some kudos.

  19. oh yeah? by ClioCJS · · Score: 1

    INCEPTION!

    --
    -Clio
    Karma: Bad (mostly from not giving a fuck)
    Blog: http://clintjcl.wordpress.com
  20. So why ... by garry_g · · Score: 1

    ... does anyone believe storing sensitive information in the "cloud" or the Internet?

    1. Re:So why ... by erobbin · · Score: 1

      Believe it?

    2. Re:So why ... by praxis · · Score: 1

      Your question is missing a component. So why does anyone believe X what? Where X is "storing sensitive information in the 'cloud' or the Internet"? Is a good idea, presumably?

    3. Re:So why ... by Anonymous Coward · · Score: 0

      Not me. Password storing services are red flags alone.

      Nothing beats sticky notes in a drawer.

  21. The "cloud" by Anonymous Coward · · Score: 0

    Is not a good place to store sensitive information. Fly by night startup website operators are especially suspect. Better to write it down than trust them.

  22. Ridiculous by Chad+Birch · · Score: 1

    Oh for the love of god, this is way out of hand.

    They weren't "hacked", they saw a tiny anomaly in their network traffic (which honestly, most companies wouldn't even have noticed), and decided to notify you about it and handle it in the most paranoid way possible. It's such a small thing that I wouldn't have expected most companies to even tell anyone it happened.

    But somehow them behaving in a very commendable way for a security company has blown up into an absolute PR nightmare for them, with sites like BusinessWeek posting articles with the title "LastPass Loses Passwords for 1.25 Million Customers", which aren't even remotely correct. This is why companies don't disclose security breaches, because people are too dumb to understand the details, it gets sensationalized for no reason, and comes back to bite them hard.

    Their implementation of this was pretty poor (trying to force almost everyone to change their password, when their server can't handle password changes at that rate), but their overall intentions were extremely good, and only make me even more confident in their service.

    --
    Sturgeon was an optimist.
    1. Re:Ridiculous by mysidia · · Score: 1

      Seems like BusinessWeek might deserve a fat libel suit for such an outrageous headline....

  23. Site Overloaded by Kamiza+Ikioi · · Score: 1

    They just got slashdotted, efuct, dugg, and twitter bombed all at once. Read more.

    --
    I8-D
    1. Re:Site Overloaded by pushing-robot · · Score: 1

      And here is the actual text, for those of you trying to avoid irony in your diet.

      Update 2, 2:15pm EST:

      Record traffic, plus a rush of people to make password changes is more than we can currently handle.

      We're switching tactics -- if you've made the password change already we'll handle you normally.

      If you haven't, the vast majority of you will be logged in using 'offline' mode so you can still use LastPass like normal and get back to your day, only syncing of new passwords should suffer (and you'll see the bar).

      As load lowers we'll increase the percentage of people being sent through email validation / password changing.

      For people experiencing problems please email us at support@lastpass.com -- we have seen a few reports of bogus data post change, we think this is due to you downloading a stale copy and if you go to LastPass Icon -> Clear Local Cache and try again it should work.

      You can access your data via LastPass in offline mode or by downloading LastPass Pocket : https://lastpass.com/misc_download.php (choose your OS)

      --
      How can I believe you when you tell me what I don't want to hear?
  24. Re:KeePass + Wuala by aarongadberry · · Score: 2

    I prefer KeePass + Wuala for even more security. I set up the KeePass file in a synced folder so I can use KeePass to login to Wuala.

    http://www.gadberry.com/aaron/2011/04/29/wuala-for-dropbox-users/

  25. So... by Anonymous Coward · · Score: 0

    They must have been using playstations at work...

    1. Re:So... by lennier · · Score: 1

      ThirdToLastPass: It's the antepenultimate.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  26. Hacker convenience by Drakkenmensch · · Score: 1

    LastPass: the one stop hack for all your identity stealing needs.

  27. Where do you store your passwords? by aclarke · · Score: 1

    Maybe you store your passwords in your huge brain, but if you're using something like KeePass or 1Password on your computer, you're still storing your passwords on the internet. Granted, they're not in an amalgamated "hack me" target like LastPass, but it's not like they're securely offline, taped to your monitor.

  28. Sensationalism much? by erobbin · · Score: 1

    "LastPass Password Service Hacked." Did the creator of this title actually read the LastPass blog post? This is sort of like hearing someone cough and concluding they have lung cancer. Calm down people. No one's in any danger, thanks to LastPass not being Sony.

  29. Password Grid for iPhone by Anonymous Coward · · Score: 0

    (shameless plug)

    Password Grid for iPhone helps you generate a random grid of characters, based on a key you choose.
    With the grid, you can visually convert an easy to remember passcode (like "secret") to something safer (like "8A2sN34v2s5T").

    -You can have your converted passphrase copied to your clipboard or emailed to you for quick access.
    -You can customize the grid generation complexity, with uppercase letters, numbers and symbols, which makes your encrypted passwords much more secure.

    http://passwordgrid.com/

  30. So... by The+Grim+Reefer2 · · Score: 1

    "LastPass, a popular Web based password management firm, advised its customers to change the password

    They need to change the name of the company to "Second to LastPass"?

  31. Their blog is hosted @ Google not @ Lastpass by Kamiza+Ikioi · · Score: 1

    ping blog.lastpass.com
    PING ghs.l.google.com (74.125.93.121) 56(84) bytes of data

    ping lastpass.com
    PING lastpass.com (96.255.24.82) 56(84) bytes of data.

    Not very ironic when you know how DNS works.

    --
    I8-D
  32. Re:Hmmm by Anonymous Coward · · Score: 0

    Here's some good material for you: http://goatse.cx/

  33. Yubikey users do not need to worry. by SimmyD · · Score: 1

    If you were using a Yubikey with your account there is no risk with this kind of hack at all. :) Makes a $25 USB key a great investment.

    1. Re:Yubikey users do not need to worry. by mysidia · · Score: 1

      Users who bothered to set a strong password needn't worry either. Folks with 1234passw0rd might be more at risk.

  34. For a non .Net open source password database by Anonymous Coward · · Score: 0

    I use Password Gorilla. Written in Tcl/Tk, has Linux, Mac OS X and Windows standalone versions ready to go.

    Description from the wiki:

    Password Gorilla is a Tcl/Tk application which can run on Linux, Windows and Mac OS X. The source files written are supposed to be compatible between platforms. They are tested to run on Linux kernel (less than or = to) 2.6.30.5, Windows XP, Windows 7 and Mac OS X 10.6. So it is possible to work with this password manager in heterogeneous environments. The Password Gorilla generated database is also compatible with current Password Safe 3.2 databases. The password is SHA256 protected and the database contents are encrypted with Bruce Schneier's Twofish algorithm. Brute force attacks are prevented by key stretching.

  35. For a non-.NET open source password manager... by theurge14 · · Score: 1

    I use Password Gorilla. Written in Tcl/Tk, has standalone downloads for Linux, Mac OS X, Windows. Been using it for the last few years, works well for me.

    From the wiki:
    Password Gorilla is a Tcl/Tk application which can run on Linux, Windows and Mac OS X. The source files written are supposed to be compatible between platforms. They are tested to run on Linux kernel (less than or = to) 2.6.30.5, Windows XP, Windows 7 and Mac OS X 10.6. So it is possible to work with this password manager in heterogeneous environments. The Password Gorilla generated database is also compatible with current Password Safe 3.2 databases. The password is SHA256 protected and the database contents are encrypted with Bruce Schneier's Twofish algorithm. Brute force attacks are prevented by key stretching.

  36. NOW I'm angry, PSN hack meh by AbRASiON · · Score: 1

    Fuck the PSN hack, who gives a shit about that, 99.9999999% of the time banks will allow me to simply refute fraudulent credit card purchases. It costs me NOTHING but inconvenience.

    I was a loyal foxmarks user, then xmarks, then they told me I had to use lastpass.
    Well look how this has worked fucking out then, I am PISSED - jesus fuck there are some important passwords in my account.

    For fucks sake.

    1. Re:NOW I'm angry, PSN hack meh by heypete · · Score: 1

      Being that your passwords haven't been compromised (at least based on the most recent information they've posted), I don't see how this is remotely an issue.

      As they state on their site, "We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs."

      Best case scenario, there are no bad guys. It was just a blip on the network and LastPass freaked out over nothing. This is a minor inconvenience to all involved.

      So, worst case scenario, bad guys get everyone's email address, salt, and salted password hash. Due to the salt, they can't use rainbow tables, so they need to brute-force each account's password. The only accounts vulnerable to this would be those with trivial master passwords (which is stupid). There's no way of knowing which accounts have trivial passwords, so they'd need to try brute-forcing everyone's passwords and then use those passwords to log into the LastPass service, get the encrypted blob, and decrypt it. By having everyone change their master passwords, all the information that the potential attackers get would be useless. Additionally, they are doing IP-based checking to help detect suspicious logins to their service.

      Even in a worst case scenario, having a non-trivial master password makes it exceedingly unlikely that a bad guy could access your account. Changing your password makes it even more unlikely. Using one of the several two-factor authentication methods LastPass offers makes it effectively impossible.

      Lastly, nobody *needs* to use LastPass. It's entirely up to you.
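heypete's worst case above rests on two properties of the stored records: a per-user salt means the same password hashes differently for every account (so no precomputed table covers them all), and a rotated master password leaves any copied record stale. The Password Gorilla description earlier in the thread names the third property, key stretching. The following is an added example covering all three; it is not LastPass's or Password Gorilla's code, and PBKDF2-HMAC-SHA256 with the iteration count shown is an assumed construction chosen for illustration.

```python
"""Per-user salted, stretched password records, and why a leaked copy of such
a record stops being useful once the user rotates the password.

Added example; the PBKDF2-HMAC-SHA256 construction and the work factor are
assumptions, not a description of any vendor's implementation.
"""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000   # assumed work factor; tune so one check costs ~100 ms on the verifying server


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return a storable record {salt, hash, iterations}.
    A fresh random salt is drawn for every call unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the salt and iteration count stored in the record, then
    compare in constant time. Storing the count lets it be raised later
    without invalidating older records."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def same_password_distinct_hashes(password: str) -> bool:
    """Two accounts sharing a password get unrelated records because each has
    its own salt, so one precomputed (rainbow) table cannot serve both."""
    a = hash_password(password)
    b = hash_password(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


def leaked_record_is_stale_after_rotation(old_password: str, new_password: str) -> bool:
    """Model the thread's scenario from the defender's side: a copy of the
    stored record exists, then the user rotates the master password. The copy
    still corresponds only to the old password, which the live record no
    longer accepts, so whatever could be learned from the copy no longer opens
    the account."""
    stored = hash_password(old_password)
    leaked_copy = dict(stored)                 # the record as it existed before rotation
    stored = hash_password(new_password)       # rotation: fresh salt, new hash
    return (verify_password(leaked_copy, old_password)
            and not verify_password(stored, old_password)
            and verify_password(stored, new_password))


if __name__ == "__main__":
    print("distinct hashes for a shared password:",
          same_password_distinct_hashes("correct horse battery staple"))
    print("leaked copy stale after rotation:",
          leaked_record_is_stale_after_rotation("1234passw0rd", "a long non-dictionary pass phrase"))
```

The iteration count is what key stretching refers to: every guess against a record costs the same number of PBKDF2 rounds the legitimate login does, which is cheap once for the user and expensive many times over for anyone guessing, and it is why the thread's advice to pick a long non-dictionary master password compounds with the server-side design rather than replacing it.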

  37. Xmarks Users by peterthomas2009 · · Score: 1

    LastPass acquired Xmarks (browser plug-in for bookmark syncing) last year; no mention of that database of more than 4.5 million users being breached.

    - http://blog.xmarks.com/?p=2033

  38. Shut up you idiots by Snaller · · Score: 1

    Stop spewing crap when you know nothing of the case!

    "Using an online service for something like your passwords is just incredibly stupid. It's a really well known place to hack for someone who wants lots of passwords. Backup your encrypted password container to your own place, but never something like this."

    Hey, retardo, don't you think the people who made it know this? All of your passwords are stored on their system ENCRYPTED. They are encrypted on YOUR computer, with a password only YOU (not them) know, before being stored in the cloud. When you retrieve the password you get the encrypted blob, and it is decoded on your system.

    *IF* and I stress *IF* the last pass servers were hacked (and nobody knows if they were, so the slashdot headline is pure tabloid) then all they got was encrypted blobs of material for a very small number of users.

    IF something was actually taken, and your master password was "ignorant" then you might be brute-forced in short time, if you picked something long and non-dictionary then not this decade.

    The lastpass people run a very tight ship and because they noticed a slight anomaly on their network that they couldn't immediately explain, they warned everybody within 24 hours! (as opposed to some sites that wait weeks)

    You wanna know how Lastpass works? Listen to this review from Leo Laporte's 'TWiT' network:

    http://twit.tv/sn256

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  39. I use the more secure password system evah! by Nyder · · Score: 1

    It's called, my memory.

    It's so secure, I might not even know the password I use. I like it better that way: don't have any written down passwords, don't have any "cloud" storage of a password vault, don't have an encrypted file/database of passwords I use.

    Sure, on the occasion I have to retype in passwords till I get the right one, but not that often.

    Using a program for passwords, reminds me of this little true story:

    My buddy kept all his phone numbers on his Atari 130XE, which I said, "What if you don't have any power?" His reply was, "That never happens."

    Of course, a bit later, he blew a fuse, that put the apartment without power, and guess where his landlord's phone number was? Yes, on the computer.

    Anyways, I prefer the mental exercise of remembering, good practice.

    --
    Be seeing you...
    1. Re:I use the more secure password system evah! by Stupendoussteve · · Score: 1

      So what you're telling me is I just need to set up a phishing page that tells you that you entered the wrong password, and you will give me all of your passwords of which you probably reuse at least a few of them elsewhere, otherwise they would not be in the least bit memorable. Got it.

  40. Optional XKCD by Requiem18th · · Score: 1

    This one is relevant to our [strike]interests[/strike] conversation http://xkcd.com/792/

    --
    But... the future refused to change.
  41. http://www.happyshopping100.com by IRISTTT · · Score: 0

    -Something unexpected surprise-- Hello. My friend === http://www.happyshopping100.com/ ==== Dedi cated servi ce, the new style, so you feel like a warm spring!!! WE ACCEPT PYAP AL PAYMENT YOU MUST NOT MISS IT!!! thank you!!! Believe you will love it. **

  42. Sony password storage FAIL by Anonymous Coward · · Score: 0

    Here's a few lines about sony vs. password storage: http://blog.mostof.it/secure-password-storage-a-myth/

  43. Re:Hmmm by sonyispants · · Score: 0

    You are living under a rock, no?
    goatse.cx has been down since the dawn of time.
    Rather go to goatse.ru you insensitive clod.

  44. Honesty does not pay. by krischik · · Score: 1

    Indeed. It is all over the world. Too bad that honest, commendable behaviour does not pay out in the end.