Slashdot Mirror


LastPass Password Service Hacked

Trailrunner7 writes "LastPass, a popular Web based password management firm, advised its customers to change the password they use to access the service following what the company said are signs that its network may have been compromised."

27 of 268 comments

  1. KeePass by x*yy*x · · Score: 5, Informative

    KeePass is really the best tool for handling passwords. Open source, crypted database, easy to use (CTRL+B for username to clipboard, CTRL+C for password), contains grouping and generates safe different passwords for every site. It's actually a great example of a well done open source project.

    Using an online service for something like your passwords is just incredibly stupid. It's a really well known place to hack for someone who wants lots of passwords. Backup your encrypted password container to your own place, but never something like this.

    1. Re:KeePass by GungaDan · · Score: 4, Insightful

      What's a "secured dropbox account?" Didn't we find out last week that Dropbox has the encryption keys to your stuff and will hand it over to pretty much anyone who asks nicely?

      --
      Eloi are stupid, throw morlocks at them!
    2. Re:KeePass by x*yy*x · · Score: 2

      KeePass password container is encrypted itself, so that shouldn't be a problem.

    3. Re:KeePass by PNutts · · Score: 3, Funny

      yes - I know that if the pass phrases for any of them are
      week, the whole thing doesn't make sense.

      My pass phrase is month which is four times as strong.

    4. Re:KeePass by dloose · · Score: 2

      The extra S is for shemale

    5. Re:KeePass by izomiac · · Score: 2

      IMHO, it's better to never write them down and just generate them algorithmically based on the site's domain or a memorable keyword. Several years ago I just kept a tabula recta in my wallet. Nowadays, you can use something like SuperGenPass.

      Personally, I wrote my own equivalent of SuperGenPass that addresses some of the security concerns. That said, I use PassPack with a tediously strong password to keep a backup in case I inadvertently break compatibility, and a copy of the generator on my website.
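
The scheme izomiac describes above, a per-site password derived from one master secret and the site's domain with nothing written down, as an added worked example in Python. This is not SuperGenPass's code and not the commenter's own generator; the `site-password:` label, the `generation` counter for rotating a single site's password, the 16-character length, the PBKDF2 work factor and the letter-plus-digit policy are all this example's own choices.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def site_password(master, url, length=16, generation=1, iterations=100_000):
    """Derive a per-site password from a master secret and the site's host.

    Nothing is stored: the same master, host and generation always yield the
    same password, so it can be regenerated on any machine. To rotate one
    site's password without changing the master, bump `generation`.
    """
    host = urlsplit(url).hostname          # urlsplit returns the host lower-cased
    if not host:
        raise ValueError("URL has no host: %r" % url)
    # A few attempts may be needed to satisfy a mixed-case-plus-digit policy;
    # the attempt counter is folded into the salt so every try is distinct.
    for attempt in range(64):
        salt = f"site-password:{host}:{generation}:{attempt}".encode("utf-8")
        key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
        candidate = base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate
    raise RuntimeError("could not satisfy the character policy")


if __name__ == "__main__":
    # Constructed inputs for the demo.
    print(site_password("correct horse battery staple", "https://www.example.com/login"))
    print(site_password("correct horse battery staple", "https://www.example.com/login", generation=2))
```

Two caveats a practitioner should weigh before relying on this. First, the derivation is public, so a single derived password leaked by one site (a breach of that site, say) lets an attacker run an offline dictionary attack on the master; the PBKDF2 rounds slow that attack but do not stop it for a weak master, which is the same threat model as the LastPass notice in this thread. Second, this version keys on the full host, so `www.example.com` and `login.example.com` get different passwords; SuperGenPass reduces to the registered domain, and a real deployment would need to decide which behaviour it wants.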

    6. Re:KeePass by blop · · Score: 2

      PasswordSafe has less functionality than KeePass except that there is a compatible command line client for it (pwsafe).

      I often use pwsafe from a remote shell and I would switch to a KeePass database if I could find a CLI for it...

    7. Re:KeePass by rjstanford · · Score: 4, Funny

      I use LastPass because I want access to my passwords at work and Dropbox is blocked. LastPass does the same thing as KeePass+Dropbox, and I can access it from anywhere.

      And now, apparently, so can everybody else! That is convenient.

      --
      You're special forces then? That's great! I just love your olympics!
    8. Re:KeePass by Pieroxy · · Score: 2

      "works on Android, iPhone, Windows, Mac"

      Missing an important one there... Take a guess...

      BeOS ?

  2. Apparently... by mmelbert · · Score: 2

    LastPass is using the same security group as Sony....

  3. Straight from the horse's mouth: by karnal · · Score: 5, Informative

    Note: This is taken from http://blog.lastpass.com/2011/05/lastpass-security-notification.html

    We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

    We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

    In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

    If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

    To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

    We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

    We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.

    For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used and are continuing to investigate it. We had our asterisk phone server more open to UDP than it needed to be which was an issue our auditing found but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on.

    We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.

    Again, we apologize for the inconvenience caused and will continue to take every precaution in protecting user data.

    The LastPass Team.

    UPDATE 1: We're overloaded handling support and

    --
    Karnal
    1. Re:Straight from the horse's mouth: by Captain+Spam · · Score: 5, Insightful

      In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

      Gotta be honest here: Even if this WASN'T anything, if I had trusted my passwords for everything to some other party like this, I'd very well want them to be more than a bit paranoid in protecting it. So I say, kudos.

      --
      Demanding constant attention will only lead to attention.
    2. Re:Straight from the horse's mouth: by Gaygirlie · · Score: 2

      This is really exemplary action; they're not entirely certain that there even is a threat to customers' data, but they take all the precautions they can and inform their users of the possibility of a threat. We can only wish other companies were as careful!

    3. Re:Straight from the horse's mouth: by Daetrin · · Score: 2

      Well that's certainly a lot more informative than what Sony had to tell their users about what was compromised and whether it was encrypted, hashed, or totally clear.

      --
      This Space Intentionally Left Blank
    4. Re:Straight from the horse's mouth: by metrometro · · Score: 2

      Reading this makes me more likely to use their service. Well played. Seriously.

    5. Re:Straight from the horse's mouth: by Nogami_Saeko · · Score: 2

      They're re-encrypting (or hashing) the password 100,000 times (basically a big loop) before they end up with the version they store for the user.

      This makes it very computationally expensive to try and crack passwords. In the big scheme of things, it might only take a second or so for a modern CPU to perform this operation 100,000 times, however if someone is cracking passwords automatically, going from potentially tens of thousands of cracking attempts per-second to only one or two per-second makes a brute-force crack that much more unlikely to succeed within a realistic timeframe.

      N.

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
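
The server-side scheme quoted in karnal's post (PBKDF2 with SHA-256, a 256-bit salt, 100,000 rounds) and the cost argument Nogami_Saeko makes about it, as an added worked example in Python. This is not LastPass's code; the `pbkdf2_sha256$rounds$salt$hash` record layout, the per-user salt and the timing helpers are this example's own choices, and the rates it measures are whatever the machine running it manages on one core.

```python
import hashlib
import hmac
import os
import time

# Parameters quoted in the LastPass notice: PBKDF2-HMAC-SHA256,
# a 256-bit (32-byte) salt, 100,000 rounds.
ITERATIONS = 100_000
SALT_BYTES = 32


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$rounds$salt_hex$dk_hex.

    The salt is random per user, so two users with the same password get
    different records and a precomputed table is useless against them.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute the key from the stored salt and rounds; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guesses_per_second(iterations, samples=5):
    """PBKDF2 evaluations per second on one core: the rate an attacker who
    stole the records gets from the same code."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess-%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


def raw_sha256_per_second(samples=20_000):
    """Rate for one plain SHA-256 per guess, the kind of scheme PBKDF2 replaces."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.sha256(b"guess-%d" % i).digest()
    return samples / (time.perf_counter() - start)


def slowdown_factor(iterations=ITERATIONS):
    """How much slower each guess becomes compared with one plain SHA-256."""
    return raw_sha256_per_second() / guesses_per_second(iterations)


def seconds_to_search(keyspace, iterations=ITERATIONS):
    """Time to try `keyspace` candidates at the measured rate, e.g. a
    100,000-word dictionary or 95**8 for every 8-character printable string."""
    return keyspace / guesses_per_second(iterations)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok :", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("Tr0ub4dor&3", record))
    print("slowdown vs one SHA-256: %.0fx" % slowdown_factor())
    print("100k-word dictionary: %.1f s" % seconds_to_search(100_000))
    print("all 8-char printable: %.0f years" % (seconds_to_search(95 ** 8) / 31_557_600))
```

The numbers this prints make the comment's point concrete: a dictionary of a hundred thousand words still falls in minutes on one core, while a full 8-character printable search moves from hours to far beyond any useful horizon. A stolen record set would be attacked with GPUs and many cores, so treat the single-core rate as a lower bound on the attacker; stretching buys time for users with passable passwords and nothing for users whose master is a dictionary word, which is exactly why the notice forces a change rather than relying on the new hashing alone.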
  4. They didn't pull a sony by binkzz · · Score: 3

    It isn't as bad as it seems, and kudos for them to be upfront and open about it:

    We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

    We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

    In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

    If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

    To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

    --
    'For we walk by faith, not by sight.' II Corinthians 5:7
  5. Re:One key to rule them all... by mailman-zero · · Score: 4, Informative

    Consolidated password management works, as long as YOU maintain 100% control. Use Truecrypt locally for securing your password file. Sync the encrypted file to the cloud if you want an "online" backup.

    LastPass is basically the exact same thing. It's encrypted locally and sent to them AFTER encryption. They don't store the plaintext passwords. The danger is the same either way if a user doesn't use a strong enough password.

    --
    Let's play video games with mailmanZERO
  6. Re:I guess I'm just old school... by Anonymous+Psychopath · · Score: 4, Insightful

    Either you have an excellent memory or you're reusing the same password on multiple sites. If you're a mere mortal, like me, and you don't want to reuse a few passwords over and over again, you need a password manager.

    --
    Eagles may soar, but weasels don't get sucked into jet engines.

  7. Headline Edit by mailman-zero · · Score: 4, Informative

    LastPass Password Service may have been Hacked.

    This is a good story, but the story isn't that they were definitely hacked. It's entirely possible that the anomalous data transfers they mentioned were caused by internal testing and not properly documented, based on the limited information we have available.

    Here is a transcript wherein Steve Gibson talks at length about why LastPass is secure.

    --
    Let's play video games with mailmanZERO
  8. I noticed something happened last night by raulfragoso · · Score: 2

    I'm a LastPass user and last night I was forced to change my master password. Initially I was a bit suspicious about the request, so I took all the measures to make sure it was a genuine request from LastPass.com. When I was sure it was a safe request, I changed my master password to something even stronger than it was. I'm a paying user for their premium services, and in my opinion I must admit that their reaction to that casualty and possible data breach has been very open and reasonable. I would be very angry if instead they had an attitude like PSN. At least they took proactive countermeasures and are being honest to their customers, that attitude really deserves some kudos.

  9. Re:Hacked? by thedonger · · Score: 3, Funny

    My climbing gym web site was hacked recently and used for a phishing scam and general fun for the script kiddies. The annoying part is that, even with absolutely nothing critical to lose (other than site up-time due to our host taking the site down), there is still a lot of work to do just to make sure they didn't leave another back door. I know this because...I missed the backdoor. They dropped a nice PHP script on the server that gave them unrestricted access.

    Anyway, the point is that just thinking one has been breached is a shitload of work for someone, and probably a good reason to beat the bad publicity of a full breach with a press release that at first sounds worse than it well may be.

    --
    Help fight poverty: Punch a poor person.
  10. Re:KeePass + Wuala by aarongadberry · · Score: 2

    I prefer KeePass + Wuala for even more security. I set up the KeePass file in a synced folder so I can use KeePass to login to Wuala.

    http://www.gadberry.com/aaron/2011/04/29/wuala-for-dropbox-users/

  11. Re:I guess I'm just old school... by Dice · · Score: 2

    I find that sentences describing my thoughts about the service in question and mapped to leet-speak are easy to remember for a large number of sites.

    Some hypothetical examples:

    1. Slashdot: d0tc0m1.0d1n0s4ur
    2. Twitter: 0hg0dwh0c4r3z4b0utth1zsh1t
    3. Flickr: 3y3y4mh3r3f0rth3b00b13z--3y3m34n4rt

  12. Re:Daaaaamn. by heypete · · Score: 2

    How so?

    The data stored on LastPass is, with the exception of the salt and email address (neither of which is sensitive), encrypted. The only risk is to those who used weak "master passwords", and then the bad guys would need to identify which of the encrypted data blobs they got (assuming they actually got any) are weakly secured. This is not exactly easy.

    From the LastPass announcement:

    In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

    In short:
    - Not many, if any, encrypted data "blobs" were taken. This means that the odds of an offline attack on the encrypted data are low.
    - They don't state how many people's email addresses, salts, and salted password hashes were taken. It could have been only a few accounts worth, or it could have been a lot. Based on what they're saying, the main risk seems to be an offline attack on the password hashes, and then having the bad guys log into the online accounts and get data. Other mechanisms, like two-factor authentication, would then apply. Changing passwords in such a scenario is a good thing, as even if bad guys managed to get people's passwords, they would be invalid.

    Perfect security isn't possible, but LastPass seems to be on the ball with this. I appreciate them disclosing the information and trying to remedy it immediately, rather than waiting for a week as with Sony.

  13. Re:I guess I'm just old school... by ColdWetDog · · Score: 2

    And I have something like 12 passwords for WORK alone. That have to be changed. On different schedules.

    There is more in my life than memorizing passwords. Not much (it seems, at times), but more.

    --
    Faster! Faster! Faster would be better!
  14. Re:One key to rule them all... by mysidia · · Score: 2

    The problem I have with their site is that they use the same password to encrypt your password database that you use to log into the site. So, if somebody puts the equivalent of a keylogger on their server they get everything.

    Your browser doesn't actually send the password to their site when you are "logging in" to their website. They use client-side crypto via Javascript; or offloaded to their browser plugin if you have that installed.

    You need to ssl sniff your connection, and capture the data exchanges, to understand what's going on.

    You might find it interesting that they actually encourage you to do that; they even recommend tools in the FAQ for sniffing the SSL traffic, and in the forums have offered detailed explanations of what's going on.
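
The split mysidia and mailman-zero are arguing about, a vault key derived on the client that never leaves it while the server only ever sees a one-way derivative used for login, as an added worked example in Python. This is a generic pattern, not LastPass's actual client or server code: the client and server round counts, the use of the lower-cased e-mail address as the client-side salt, the `b"login"` HMAC label and the per-user server salt are this example's own assumptions. The vault encryption itself (AES under `vault_key`) is left out because the standard library has no AES; the point here is what each side holds.

```python
import hashlib
import hmac
import os

# Work factors are assumptions for this example, not LastPass's values.
CLIENT_ROUNDS = 5_000      # runs in the browser, so kept modest
SERVER_ROUNDS = 100_000    # the server-side figure quoted in the thread


def client_derive(master, email):
    """Runs on the client only. Returns (vault_key, login_token).

    vault_key encrypts the vault and is never sent anywhere.
    login_token is a one-way function of vault_key: the server, or anything
    sniffing the connection or logging on the server, can check it but cannot
    turn it back into vault_key.
    """
    vault_key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                                    email.lower().encode("utf-8"), CLIENT_ROUNDS)
    login_token = hmac.new(vault_key, b"login", hashlib.sha256).digest()
    return vault_key, login_token


class Server:
    """Stores only a salted, stretched hash of the login token, never the token."""

    def __init__(self):
        self.users = {}

    def register(self, email, login_token):
        salt = os.urandom(32)                       # per-user 256-bit salt
        self.users[email] = (salt, self._stretch(login_token, salt))

    def login(self, email, login_token):
        entry = self.users.get(email)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(self._stretch(login_token, salt), stored)

    @staticmethod
    def _stretch(login_token, salt):
        return hashlib.pbkdf2_hmac("sha256", login_token, salt, SERVER_ROUNDS)


def offline_guess(email, captured_token, wordlist):
    """What an attacker who captured login_token in transit or on the server can
    still do: replay the public client derivation for each candidate master.
    Returns (master, vault_key) on a hit, None otherwise."""
    for guess in wordlist:
        vault_key, token = client_derive(guess, email)
        if hmac.compare_digest(token, captured_token):
            return guess, vault_key
    return None


if __name__ == "__main__":
    srv = Server()
    vault_key, token = client_derive("password123", "alice@example.com")
    srv.register("alice@example.com", token)
    print("login accepted   :", srv.login("alice@example.com", token))
    print("server saw key?  :", vault_key == token)
    # Constructed word list for the demo.
    hit = offline_guess("alice@example.com", token, ["letmein", "password123", "qwerty"])
    print("weak master found:", hit is not None)
```

Run as written, the server-side "keylogger" mysidia worries about gets `login_token` and nothing that decrypts the vault, which is the property the client-side crypto is there to give. The last function shows the limit of that property: the token is still a deterministic function of the master password, so whoever captures it can guess masters offline at the cost of `CLIENT_ROUNDS` per try, and whoever steals only the database pays `SERVER_ROUNDS` on top. That is why the notice talks about a client-side PBKDF2 rollout as well as the server-side one, and why a weak master is unprotected by either.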