Slashdot Mirror

← Back to Stories (view on slashdot.org)

LastPass: Users Don't Have To Reset Master PWDs

Posted by timothy on from the nn@s73rp@ssw0rd-ought-to-work-fine dept.

CWmike writes "LastPass on Friday rescinded its day-old order that all users of its online password management system reset their master passwords due to a database breach. In a blog post this morning, the company said it won't allow users to change master passwords 'until our databases are completely caught up and we have resolved outstanding issues.' In an e-mail to Computerworld, LastPass CEO Joe Siegrist said the company changed its plan in response to demands from users asking they not be required to reset their passwords. However, comments posted on a LastPass blog suggest that the company's decision may also be related to trouble some users appear to be having with the password reset process. The blog post acknowledged that it had 'identified an issue' with roughly 5% of users that reset their master passwords. The company said it would be contacting those users about a fix for the problem LastPass said earlier that passwords for its Xmarks bookmark sync, which it acquired last December, were not affected."

83 comments

  1. This whole password issue is a problem by Anonymous Coward · · Score: 0

    Really, how many dozens of passwords and accounts am I supposed to have?

    It's just trouble waiting to happen.

    Can't we have a biometric identity verifier, or some unique token, or whatever?

    1. Re:This whole password issue is a problem by jdwoods · · Score: 5, Insightful

      Short answer: No.

      Longer answer:

      Biometrics might (or might not, depending on accuracy) uniquely identify you, but it neither proves that you were present (your fingerprint or retina might have been stolen, either as a copy or more directly!) nor that you authorize access to whatever resource a password might secure (e.g. you might be dead or otherwise impaired and someone else slides your fingerprint or retina or DNA over the scanner).

      Biometrics are convenient and still feel cool, but for really important resources, they increase danger rather than decrease it. For example, imagine that a billion USD is protected by your retina scan; I expect some folks would consider it reasonable to relieve you of your eyes (or even your whole head) for access to that much money.

      On the other hand, using them as a username replacement (which still requires some other authentication like a password, and perhaps some two-factor mechanism like an RSA token) makes all kinds of sense. Just don't confuse "identity" with "authentication".

      See also http://www.schneier.com/blog/archives/2009/01/biometrics.html and many other pertinent comments by Bruce and others.

      --
      -- Jeff Woods
    2. Re:This whole password issue is a problem by Anonymous Coward · · Score: 0

      Really, how many dozens of passwords and accounts am I supposed to have?

      It's just trouble waiting to happen.

      Can't we have a biometric identity verifier, or some unique token, or whatever?

      Cool. Then we can have all the problems we have right now with key retention and password/token security, only now it can't just be changed anytime like a regular password. Remember that "biometric identity" is ultimately just a set of bits. Steal those bits and you have password problems all over again. Heard of card readers for ATM machines? How about those on a whole new level? Want to bet that authorized machine is 100% secure? Want to bet it will be stored in a database that's 100% secure?

      What're you gonna do now, redesign your fingerprints or the blood vessels in your retina? Oh yeah, and with biometrics you cannot provide a token without also personally identifying yourself in a truly unique way. So bye-bye anonynimity, and you better believe advancing technology will only make it faster and cheaper to match things like biometrics.

      This is a really, really fuckin' bad idea. But please, keep sellin' it based on convenience alone. Everything is always to fight terrorism, save the children, etc. We still haven't learned much from history so maybe getting fucked good and rough and hard will fix our short memories. So you've elected yourself a god, and your god's holy name is CONVENIENCE AND SECURITY hey? Cool. Sacrifice at his altar then. Just don't start wondering if the price is too high.

    3. Re:This whole password issue is a problem by Aeternitas827 · · Score: 1

      (your fingerprint or retina might have been stolen, either as a copy or more directly!)

      If your retina were stolen, I would think that would pretty much guarantee that you (at the very least) didn't authorize it...and has a degree of certainty on the not present bit. Though, I'm sure there's some twisted individual out there willing to lose an eye for the heist of a lifetime (taking, for the example of the $1B).

      --
      I don't post AC. I like my -1, Flamebaits. Trump/Sheen 2012 on the Batshit Insane ticket!
    4. Re:This whole password issue is a problem by johncandale · · Score: 2

      You don't have to steal the eye, all you have to do is a man in the middle attack and snoop the data, if you are using it at home. if DRM and HDMI has taught the powers that be nothing, it should have taught them nothing is non-reverse-engineerable. And it's not like it will be a custom program, the eye scanner, algorithms netowrk code, etc to code and decode them will be widespread enough, even if they make a lot of them, that it will be profitable to break them, because you don't need to steal $1b from on target, but $5,000-$10,000 from hundreds of thousands of small targets

    5. Re:This whole password issue is a problem by GNUALMAFUERTE · · Score: 2

      One word for you: torture. If someone is willing to cut your head to get access, I'm sure they have some 5 dollar wrench lying around to help them get your password.

      http://xkcd.com/538/

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
  2. Curious by MorderVonAllem · · Score: 1

    I'm rather curious about how the site passwords are stored on this site. My assumption was the all the passwords were encrypted with the master password. If this is the case and only some of the passwords are encrypted with the new password because the databases weren't "caught up" or if someone forgets their master password and needs a password reset then wouldn't the account be unrecoverable?

    1. Re:Curious by mysidia · · Score: 3, Informative

      I'm sure they have backups. If you have Pocket, you can actually backup your passwords by exporting to an encrypted .XML file, and access them locally. It's not a bad idea to keep your own backups, in addition to your offline browser storage, even though Lastpass has them stored 'in the cloud', better safe than sorry.

      2 factor auth with Yubikey/USB token is also a good idea, as they encrypt the passwords not only with your master pw, but also with the hash of your authentication tokens

    2. Re:Curious by jimmyhat3939 · · Score: 1

      I believe they have a way to change your master password. So, what they'd likely do is decrypt the various keychain files using your old password (which you'd have to enter to change it), and then they re-encrypt with the new password.

      Generally, passwords are pretty weak unless you follow specific protocols in how you set them up (passphrases, unusual chars, misspellings). I'd rather they used a public-private keypair, but then that would be cumbersome for users.

      --
      Free Conference Call -- No Spam, High Quality
    3. Re:Curious by MorderVonAllem · · Score: 2

      That much I understand but I was talking about if you "forget" your password and have a new one issued. If that's the case they can't decrypt your keychain because you don't have the password anymore. That's specifically what I'm wondering about.

    4. Re:Curious by MaskedSlacker · · Score: 1

      From their password recovery page (I checked since I was curious after you raised the point):

      LastPass has added support for an optional way to store a disabled One Time Password (OTP) locally on your computer in case you forget your Master Password. This feature allows account recovery for those who want it without revealing your password to LastPass.

      You can choose not to save this disabled One Time Password by launching Preferences from the LastPass icon menu, and selecting the Advanced tab. If you decide to disable the local OTP, your only recourse if your password hint doesn't help is to delete your account and start over. If you disable the preference after creating one, it causes the One Time Password to be deleted off LastPass' servers.

      This makes it sound like they save the One Time Password on their server, and it decrypts a file stored only on your local PC that either contains your master password, or possibly as hash of it (I'm guessing at the implementation here). Or possibly it saves a keyfile to your PC that decrypts a separate (and separately encrypted) copy of your data.

      What does seem clear is that you are correct in so far as they CANNOT decrypt your stored passwords themselves. If you don't have that One Time Password file on your PC, there is no recovering your account.

    5. Re:Curious by Yaur · · Score: 1

      the existence of a "Password reset" feature implies that it is not stored securely. Balancing that with the need for a password recovery is one of the fundamental problems with this type of service.

    6. Re:Curious by pdbaby · · Score: 1

      They describe the password reset feature. Another post also gave a good interpretation of how it likely works

      --
      Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
    7. Re:Curious by pdbaby · · Score: 1

      oops, that is, they describe the password reset feature on their website http://helpdesk.lastpass.com/account-recovery/ and it's not a simple "confirm your identity and we'll e-mail you a new password" system

      --
      Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
    8. Re:Curious by Anonymous Coward · · Score: 0

      All encryption done on the local machine, so all lastPass has is the encrypted blob. So the answer is yes. If you forget your password and the recovery hints do not work your account is lost. The only way LastPass could recover is to brute force your passwords form the hashes they store for you.

  3. Maybe it's just me... by pongo000 · · Score: 0

    ...but am I the only one who is very hesitant about storing my precious passwords "in the cloud"? I use this gvim gpg plugin to encrypt my passwords, on my own terms, and I make them accessible to myself by any number of ways that I control.

    Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?

    1. Re:Maybe it's just me... by John+Hasler · · Score: 3, Insightful

      Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?

      Yes.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Maybe it's just me... by Eil · · Score: 2

      Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?

      Yes, downloading and installing a vim plugin (or using vim in the first place) is indeed reasonably difficult for most people.

    3. Re:Maybe it's just me... by mysidia · · Score: 2, Insightful

      Ok, that's neat and all... but where's the iPhone/iPad/Blackberry app to access the 'gvim gpg' password store on the go? Where's the browser plugin to auto-login and automatically fill forms based on the gvim gpg datastore?

    4. Re:Maybe it's just me... by nbetcher · · Score: 4, Interesting

      As someone who uses multiple systems, multiple web-browsers, and multiple operating systems (even virtual machines) I can say: yes, it is difficult to maintain my personal data. My LastPass account has over 50 sites in it. To be honest, most of them I don't even care if they were hacked. My banking website isn't even truly vital since you can't transfer funds electronically outbound, it requires an email confirmation to change physical address, and the account number is truncated on all of the screens (including exported data).

      Does your GVIM data get stored somewhere that is accessible to you no matter where you are? And if it is, then it's most likely accessible to someone else if they were to hack you. Point being, nothing is completely secure AND easy. From the sounds of it though, LastPass has a system in place to secure the passwords, although I'm unsure how that can work with a "Lost Password" scenario that MorderVonAllem talks about in another comment.

    5. Re:Maybe it's just me... by betterunixthanunix · · Score: 1

      ...where's the iPhone/iPad/Blackberry app to access the 'gvim gpg' password store on the go?

      I thought it was for our benefit that Apple does not permit libre software on the iPhone/iPad, and that anyone who does not want to pay the Apple tax should just turn to "the cloud" to deliver their applications.

      --
      Palm trees and 8
    6. Re:Maybe it's just me... by Anonymous Coward · · Score: 0

      I built VIM in a cave with a box of scraps and I still don't know what the hell you are talking about. Yes, it's too complicated.

    7. Re:Maybe it's just me... by artor3 · · Score: 0

      I keep my passwords in a KeePass file in my Dropbox account. I can access them pretty much anywhere, and the only way they're getting stolen is if someone cracks both Dropbox's security and breaks my KeePass password. I assume Dropbox would let people know if they were hacked, so I'd have plenty of time to change my passwords before the KeePass security fails, assuming it ever does.

      Given the very large number of passwords I have to keep, this is certainly a better solution than reusing the same few (my old method) or writing them down and carrying them around everywhere.

    8. Re:Maybe it's just me... by betterunixthanunix · · Score: 1

      Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?

      Do you even have to ask?

      Not to be elitist or condescending, but most end users can be likened to toddlers, just able to take enough steps to move themselves around but still desperately in need of others to take care of them and give them an environment they can survive in. When they do not get what they want, they throw tantrums and scream and cry until either they get what they want or someone hands them a shiny distraction that makes them completely forget what exactly they were demanding. It is unfortunate, but most people lack the simple curiosity and ability to think for themselves that would be needed to escape that mode of living.

      --
      Palm trees and 8
    9. Re:Maybe it's just me... by Anonymous Coward · · Score: 0

      Do you run your own mail server? Most people don't. Now get it over it, we use GMail. Same thing as using other web based services.

    10. Re:Maybe it's just me... by jdwoods · · Score: 3, Informative

      Yes, downloading and installing a vim plugin (or using vim in the first place) is indeed reasonably difficult for most people.

      That's why PasswordSafe [ http://pwsafe.org/ and http://sourceforge.net/projects/passwordsafe/ originally written by Bruce Schneier http://www.schneier.com/passsafe.html ] is what people need.

      It doesn't solve every problem (e.g. key loggers and such things as might be on an untrusted system) but nothing does. It's a very simple, flexible, convenient piece of software that not only securely stores usernames and passwords, but URLs, email address, notes and more with the ability to copy/paste and/or drag/drop and/or autofill forms. Although it is mainly a Windows application, it's FOSS portable installs (e.g. U3) available. There is also a recent Linux port.

      At the moment, I have 87 passwords in my primary passwordsafe file with related usernames, URLs, email, notes, password generation parameters, password expirations and more, all stored in a convenient hierarchy where work, banking, retail, hardware and other types of passwords are grouped in a tree that makes sense to me. For folks with simple needs, the hierarchy is optional and the entries can all be a flat list.

      Sony's latest debacle has prompted me to wade through all my "important" entries (banks and such) and generate unique, random, secure passwords with expiration dates recommended by my PWsafe settings. Sadly, many of the accounts I created before I started using PWsafe used the same username and password combination for similar sites (e.g. retailers with CC info); I have now made my data much more secure with passwords I could never remember, except that PWsafe now remembers them all for me.

      --
      -- Jeff Woods
    11. Re:Maybe it's just me... by causality · · Score: 2

      Do you run your own mail server? Most people don't. Now get it over it, we use GMail. Same thing as using other web based services.

      There is a big, BIG difference between deciding that it is not worth your while to run a mail server, versus being unable to do so.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    12. Re:Maybe it's just me... by artor3 · · Score: 1

      Not to be elitist or condescending....

      You know, saying "not to do x" immediately before doing x doesn't make it any better. You might as well say "Not to be racist, but [insert ethnic group here] should learn their place."

    13. Re:Maybe it's just me... by causality · · Score: 1

      Not to be elitist or condescending....

      You know, saying "not to do x" immediately before doing x doesn't make it any better. You might as well say "Not to be racist, but [insert ethnic group here] should learn their place."

      The difference is greater than it may seem. While a real elitist or a truly condescending person may be glad and feel vindicated because this is so, the GP seemed to share my regret that the average has been reduced to this. I don't consider that elitist, racist, condescending, etc... I consider it a willingness to call things what they are and to focus one's energies on how to improve and be part of the solution.

      If you don't wish to see it that way, then dismissal becomes an attractive option. Doesn't it?

      --
      It is a miracle that curiosity survives formal education. - Einstein
    14. Re:Maybe it's just me... by joebagodonuts · · Score: 1

      Tony? Is that you?

      --
      "Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
    15. Re:Maybe it's just me... by artor3 · · Score: 1

      You know, going with my racism example, a racist would say he's just calling things the way they are too. Saying "not to be condescending" doesn't make someone any less of an arrogant prick, if they then go on to call the majority of people a bunch of screaming mindless toddlers.

    16. Re:Maybe it's just me... by pongo000 · · Score: 1

      Ok, that's neat and all... but where's the iPhone/iPad/Blackberry app to access the 'gvim gpg' password store on the go? Where's the browser plugin to auto-login and automatically fill forms based on the gvim gpg datastore?

      Rolling your own is a bit more work (yes, I have to fill in the passwords myself, rather than using autofill [and who knows where *that* data might be cached]), but at least I don't have to worry about a 3rd party telling me that I have to change my secure passphrase...and then changing their minds because they can't quite make up their minds.

    17. Re:Maybe it's just me... by Anonymous Coward · · Score: 0

      Problems with dropbox:

      1. They share your data with feds.
      2. It's a user-based app, not a filesystem.

      The first I can live with, allowing for the whole (perception of) safety in numbers thing. The second, not so much.

    18. Re:Maybe it's just me... by WuphonsReach · · Score: 1

      Interesting plug-in. On Windows, I've been storing passwords as GPG ASCII armored text blocks inside of regular text files (generally 1 per service or site). Decryption requires that I copy/paste the ASCII block into GPA's clipboard viewer.

      (I try to keep things ASCII as much as possible when it comes to this, because that way you can fax / print / email the contents of the text file without having to do any binary/text conversion for fax/print.)

      I store my password files in a version control system, which makes it easy to synchronize across multiple machines / locations / USB keys. It's only the GPG key that I have to be extra cautious about (and which has a very strong passphrase).

      --
      Wolde you bothe eate your cake, and have your cake?
    19. Re:Maybe it's just me... by WuphonsReach · · Score: 1

      Does your GVIM data get stored somewhere that is accessible to you no matter where you are?

      The contents are encrypted with their GPG key. If they have their GPG key and the encrypted files, then yes they can get access. If I need access to a particular password, I load the file into GPA's clipboard utility, decrypt it, then copy/paste the password over to where it is needed (or type it).

      Personally, I store my encrypted files inside a version control system and use that to keep multiple systems in sync. Which solves the "keeping multiple systems up to date" problem, unless it's a system where you can't do version control.

      And since it's GPG, you can store it as a ASCII text block, suitable for printing, faxing, framing, e-mailing, even old postal mail. Or shoving a copy on a sheet of paper into my safe deposit box. The weak link in a GPG system is the secret key, the encryption itself is strong enough that you can send copies of the text to anyone in the world without worry. They can't do jack with it unless they have the private key and the passphrase needed to decrypt the private key.

      (On Windows, look at the GPG4Win toolset.)

      --
      Wolde you bothe eate your cake, and have your cake?
    20. Re:Maybe it's just me... by Anonymous Coward · · Score: 0

      Saying "not to be condescending" doesn't make someone any less of an arrogant prick, if they then go on to call the majority of people a bunch of screaming mindless toddlers.

      Sometimes you have to stop giving in to feel-good terms, and call it like you see it.

      Betterthanunix's comment was right on the mark, and phrasing his/her lead in to their point simply served to point out that he/she knew that there would be some friction generated from the main comment, and that he/she was aware that some would take offense.

      When you use a lead in like that, it is somewhat of an apology for pointing out an unpleasant truth.

      And, frankly Artor, why you had to bring racism into this is beyond me. The way I see it, this makes you the most arrogant prick in the thread.

      Couldn't you think of a better example?

    21. Re:Maybe it's just me... by dissy · · Score: 2

      Do you run your own mail server? Most people don't. Now get it over it, we use GMail. Same thing as using other web based services.

      There is a big, BIG difference between deciding that it is not worth your while to run a mail server, versus being unable to do so.

      I would go one further and say it's an even bigger difference between wanting someone else to run your mail server, versus wanting someone else to remember your passwords for you.

      It's also pretty telling when the users of such a service actually beg to keep their original passwords after being told those passwords are compromised.

    22. Re:Maybe it's just me... by Anonymous Coward · · Score: 0

      Shut up idiot.

    23. Re:Maybe it's just me... by mysidia · · Score: 2

      Personally, I store my encrypted files inside a version control system and use that to keep multiple systems in sync. Which solves the "keeping multiple systems up to date" problem, unless it's a system where you can't do version control.

      So, if someone compromises your version control system, or one of your computers, they could grab the encrypted file. And maybe the encrypted GPG secret key file.

      Then it's just a matter of brute forcing the GPG passphrase...

    24. Re:Maybe it's just me... by Yaur · · Score: 1

      the interesting question is how were they compromised? If its put together properly there should be minimal risk if the DB is disclosed.

    25. Re:Maybe it's just me... by hairyfeet · · Score: 1

      But does it plug into major browsers like FF and Chromium based? Because as a PC repairman the biggest problem I run into is folks just can't keep up with all the damned passwords so they either use the same thing everywhere, or they save them all in the browser and then if something happens to the browser or OS they are boned.

      What I need is something simple, that is easy to use, where someone like my dad could just plug in a thumbstick, input a master password, and then have the thing generate random passwords and remember them on the stick. It would have to input the data into the browser so they don't have to mess with copy/paste, just plug in, use and go.

      Everyone here complains about security but average folks just can't keep up with all the bullshit. They need simple, they need easy, they need 'clicky clicky". this is why so many people have lame passwords, it is because they just can't keep up with any more and most "solutions" are a PITA themselves. So does anybody know of something that works like I described?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    26. Re:Maybe it's just me... by Anonymous Coward · · Score: 0

      . So does anybody know of something that works like I described?

      http://www.roboform.com/ - I've been using it for years, does everything you've described and then some

    27. Re:Maybe it's just me... by icebraining · · Score: 1

      Even that wouldn't work for many people, since they also want to use it on an iP{hone,ad}.

      --
      Dilbert RSS feed
    28. Re:Maybe it's just me... by icebraining · · Score: 1

      I don't for monetary reasons (would need to pay for a relay, since I have a dynamic IP and my ISP doesn't provide their own relay).

      --
      Dilbert RSS feed
    29. Re:Maybe it's just me... by ProfanityHead · · Score: 1

      ...but am I the only one who is very hesitant about storing my precious passwords "in the cloud"? I use this gvim gpg plugin to encrypt my passwords, on my own terms, and I make them accessible to myself by any number of ways that I control.

      Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?

      I use Lastpass but not for "precious passwords". I could care less if they steal all my web forum logins etc. The important ones like online retailers who have personal info, banks, etc. I store in my head.

      Most people I know use 123456 or password as their password everywhere then wonder how sh*t happens. If I ever get compromised at a sensitive site it's not because *I* didn't try, it's because I have no control over what happens to my 'net packets after they leave the router. Many sites really make me wonder if they are protecting their data as I would like.

    30. Re:Maybe it's just me... by h4rr4r · · Score: 1

      And assuming he used one of a decent length that is not a concern

    31. Re:Maybe it's just me... by Anonymous Coward · · Score: 0

      KeePass will do it with plugins. (KeePassHttp and PassIFox I believe)

    32. Re:Maybe it's just me... by mspohr · · Score: 1

      I use Keepass with a shared Dropbox file so I don't have to rely on cloud vendor security.

      --
      I don't read your sig. Why are you reading mine?
    33. Re:Maybe it's just me... by Anonymous Coward · · Score: 0

      If any of your "any number of ways" is network accessible than you are doing pretty much the same thing that LastPass does. In fact it is probably less secure because you are probably not using servers and networks hardened by security pros and you are most likely not using 2 factor auth. that is avail with LastPass.

    34. Re:Maybe it's just me... by Anonymous Coward · · Score: 0

      1Password works like Password Safe and is available for the iPad/iPhone. I use it and like it but it isn't free.

    35. Re:Maybe it's just me... by Anonymous Coward · · Score: 0

      Good comments, hairyfeet, but even those of us who aren't "clicky clicky" need an efficient way to generate and store a hundred IDs and passwords. Granted, 90% of those-- well, mine at least-- aren't for critical sites but are nonetheless ones I want kept handy (forums, retailers, vendor support sites and the like). The only IDs and passwords I actually memorize and do not store are for my financial sites. Maybe I'm just lazy (in fact it's likely!), but when I accumulated about fifty sites I found myself falling into the "use one good password for all" mode until the recent Target/Best Buy/etc. hack woke me up again. I started using LastPass because it seemed secure enough and worked across multiple browsers and platforms, which is what I needed. I hope they get their vulnerabilities patched up to keep it "secure enough".

    36. Re:Maybe it's just me... by gentry · · Score: 1

      So you store you password encrypted file in the cloud on a service that isn't quite so security sensitive and therefore heavily protect as LastPass? Unless you're using a large key file I'd say your password security is worse, not better, than the LastPass solution.

    37. Re:Maybe it's just me... by mysidia · · Score: 1

      And assuming he used one of a decent length that is not a concern

      And assuming you used a Lastpass master password of a decent length, it's not a concern that someone will be able to brute-force the encryption on the RSA 2048-bit key to get the private key required to decrypt Lastpass' AES256 encrypted blob.

    38. Re:Maybe it's just me... by mspohr · · Score: 1
      I don't worry about Dropbox being secure since the KeePass file is secure by AES and SHA-256. Someone could try to guess my password but that would be their only chance of breaking into the file. KeePass even has protection against dictionary attacks which means that at best can only try one or two entries per second. So I could just use "Hello" as my password and it would be nearly impossible to decrypt. However, I do have a very strong password.

      This gives me local storage on each of my machines plus cloud synchronization. Also runs on everything I use: Mac, Linux, Android.

      --
      I don't read your sig. Why are you reading mine?
    39. Re:Maybe it's just me... by jdwoods · · Score: 1

      Differences from one website to another make it very hard to automate username & password login. Some web sites (especially some that are nuts about Flash and Web2.0) make it hard just to type them in. However, for 90+% of websites and applications, drag&drop works great; for copy/paste works too. You don't have to select the text and then copy it, just select the entry you want and click a button to copy username to the clipboard (then paste it with keyboard or mouse clicks) then click another button to copy the password to the clipboard and then paste that into the other field. It even supports remembering a login URL for each entry with one button to open the URL and another to drag&drop it onto a browser. Nothing is perfect, but PasswordSafe continues to evolve and improve user interface.

      --
      -- Jeff Woods
    40. Re:Maybe it's just me... by pnutjam · · Score: 1

      even without plugins, keepass will run from USB on any machine back to win95 and you can open the pw database and have it auto-type passwords. It does have a tendency to auto-close if you don't change the settings.

      In addition to keeping it on your USB stick, there are also versions for just about every mobile device out there.

      --
      Cheap storage VM.
  4. Storing passwords on some other person's computer by betterunixthanunix · · Score: 0

    The whole concept of this system screams "bad idea" to me. Of course, I said the same thing about Hushmail, and even after the DEA demonstrated why Hushmail was a bad idea people continued to use and even recommend it.

    --
    Palm trees and 8
  5. order of magnitude by Anonymous Coward · · Score: 1

    TFA says .5%, not 5%.

  6. Neither Secure Nor Reliable. by Frosty+Piss · · Score: 1, Interesting

    This and other recent "breaches" pretty much show that for the preset (anyway), storing critical information "in the cloud" is neither secure nor reliable.

    Certainly, high traffic web serving can benefit from "The Cloud", especially for those that don't have the money to support the kind of hardware and infrastructure.

    But highly valuable and/or proprietary corporate or personal information? Nope...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Neither Secure Nor Reliable. by Anonymous Coward · · Score: 0

      http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.richard.stallman

    2. Re:Neither Secure Nor Reliable. by gentry · · Score: 1

      The 'cloud' in this case is the LastPass database where the levels of security are far higher than a desktop users PC or a general file storage service. Sure, there is an increased exposure due to all of those passwords being in the same place, but even if the entire LastPass database was stolen if users have strong passwords it is unlike their data would be exposed, especially now they've introduced PBKDF2 with 100,000 rounds of 256 bit salting. That's at least as good as KeePass with password only encryption with a suitable number of rounds. In addition to a password, LastPass support OTP, single use passwords and other secondary mechanisms. They also noticed a potential issue and acted immediately. If someone stole a password file off a users desktop would they even notice?

    3. Re:Neither Secure Nor Reliable. by Anonymous Coward · · Score: 0

      On the contrary it showed that a hosted password service, if well-designed, can survive even a complete data compromise. Anyone with a strong password was perfectly safe. Anyone with a weak password wasn't safe to begin with, they just got less safe with the hack because brute force attacks could no longer be controlled. Also, it's not "The Cloud". It's just a normal hosted system. We've been using thing kind of thing for two decades now. It didn't suddenly turn into "The Cloud".

  7. Re:Storing passwords on some other person's comput by Anonymous Coward · · Score: 0

    While the implementation was always questionable what stops the DEA from using Microsoft or some other vector to compromise your security? Besides that we in theory should be protected from such actions by the way that such actions are violating our rights (something to needing a warrant to search-and the government is conducting a massive search). The way it works is by sending an update to a program everybody uses and that update monitors every computer for which sites users visit and then return the IP for those users (with enough restrictions you will likely get only one) which match certain criteria.

    This narrows it down to only providing the government with a single person (possibly). Millions might be searched in order to discover which person likely accessed a site. The compromised individual does have to repeatedly access the same site. That is likely though. Once they have an IP they can get a ?second? warrant for further investigation. Maybe the first one is sufficent. I guess it depends on what the exscuse is for the violation of all those users rights which you violated in order to get the IP of the individual you were after.

    This is how the German authorities compromised the security of a user of an anonymity program similar to Tor. In that case they just made the authors of the anonymity program modify it and then when most users including the user they were after updated it they were screwed. Could this technique be used again? I don't see why not. It'll take a court ruling to smack it down. While this example was of someone targeted by German authorities and the company was located in Germany it likely wasn't legal. They still got away with it.

    It isn't legal in the USA. At least in my view and hopefully that of every judge all the way up to the supreme court. I wouldn't for one second think that the US authorities wouldn't try it though and get away with it.

  8. Only the master password? by blake1 · · Score: 2

    This might be a lack of understanding of the LastPass system on my part, but I'm not understanding why they are/were suggesting customers reset their master password. Surely, if this password decrypts a password safe then it is as, if not more, important to reset all passwords which were stored in the database.

    1. Re:Only the master password? by egranlund · · Score: 1

      The master passwords weren't leaked, there was a possibility that someone got access to data that would allow them the possibilty of brute-forcing user's master passwords. The way the system works is that the master password encrypts the database of your passwords. They didn't have any definitive so they suggested you change your password just to be safe.

    2. Re:Only the master password? by blake1 · · Score: 1

      So what I'm saying is... these guys have potentially got the password databases. What's changing your master password going to do? It'll ensure that they can't get into your password safe as it stands, online. But if they brute force your database then all of your passwords are compromised. No?

    3. Re:Only the master password? by pdbaby · · Score: 2

      LastPass said that the level of traffic they saw in the attack was enough for the password hashes + salts but not enough for users encrypted blobs.

      --
      Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
  9. For the right reasons? by joeflies · · Score: 1

    Based on that description, it sounds like they are saying users don't have to change their master password because their systems can't keep up with load, rather than because they've proven that user data isn't at risk.

  10. same for Ubuntu, Windows, and SSL by t2t10 · · Score: 1

    Government and police can access anything in your cloud and on your machine if they want to: they can put trojans and keyloggers into your software updates and downloads, and they can fake SSL certificates and decrypt your encrypted traffic. And they don't just do that in the US, they do it in many countries. To protect against government intrusion into your data is very hard. A service like Hushmail is probably more secure than almost anything you can do yourself, even on your own harddisk.

  11. Re:Storing passwords on some other person's comput by MaskedSlacker · · Score: 1

    It isn't legal in the USA. At least in my view and hopefully that of every judge all the way up to the supreme court. I wouldn't for one second think that the US authorities wouldn't try it though and get away with it.

    I'd be shocked if the US authorities could make a software vendor (or FOSS maintainer) modify code under court order. It screams first amendment (code is copyrighted speech after all). They could (potentially) bar a vendor or maintainer from announcing modifications to a code base (gag orders, etc.), but forcing them to make the modifications would be utterly unprecedented (to my knowledge).

  12. Re:Storing passwords on some other person's comput by mysidia · · Score: 0

    I'd be shocked if the US authorities could make a software vendor (or FOSS maintainer) modify code under court order.

    They don't have to. The feds can hire assembly programmers to patch binaries themselves. If they want to monitor a subject, they'll get an order that allows them to covertly break in, plant the modified binary on the target's computer, and leave; taking measures to ensure the subject won't be aware the FBI had visited their place.

  13. Re:Storing passwords on some other person's comput by MaskedSlacker · · Score: 1

    Only works if they know who their target is. My parent discussed German authorities trying to find a user of an anonymity program. You're right that the point is moot if the investigators already know where to find the target.

  14. Why not client side javascript? by Anonymous Coward · · Score: 0

    First off you must trust the local system. If not then it can just use a keylogger to get your master password and then the hackers can just log into your account normally and read all your stored passwords. So why not do everything on the local system, and just use the server to store encrypted data? Generate a key, encrypt it with the passphrase, and encrypt the data. Send the encrypted key and data to the server. Whenever you add/remove/change a password just re-encrypt the data and send it to the server again.

    Browsers these days should be plenty fast enough to encrypt a small amount of data like this, and it would mean the server wouldn't ever need to know any passwords or keys at all. You could even set it up like mailinator without accounts... after all a username and password is the same as "username password".

    About the only problem is that somebody that knew your "username phrase" could brute force your main password offline, instead of being rate limited by asking the server. But this wouldn't be a problem with a strong password anyway. Also getting crypto right in with only floating point math...

    1. Re:Why not client side javascript? by PhrstBrn · · Score: 1

      Interesting you say that. SuperGenPass is a client-side app in JavaScript for crypting passwords. It's just a bookmark with a bunch of JS. There is also a version that works on mobile phones too (the app is all javascript, no AJAX or server side), so you could use that on your phone if you're on another computer, or copy that to your own server if you're super paranoid

    2. Re:Why not client side javascript? by realityimpaired · · Score: 1

      The reason to not use a local system is that many people are not restricted to just one system. I have 3 computers that I use on a regular basis, not counting my work PC. Portability/version controlling between the systems is not impossible to do on your own, but it is annoying just the same, and for most users, it is simply easier to use a centralized service.

      There do exist usb key fob devices that can encrypt your password and store it on the key fob, that way all you have to do is put the key in your usb port, open the program from the drive, and enter your master password, but these things cost money, which is prohibitive for most users when a free alternative exists.

      Of course, you could just do like I do... I have a virtual machine that gets used only for my banking (one bank, easy to do). I don't do any online transactions other than bill payments which get done through my bank's website: nobody other than my bank has any of my banking information. And as for forum passwords, facebook, etc., I don't really care about security and use a handful of easy to remember passwords. Like you suggest, it's based on one assumption: if I don't trust the system I'm working on, I've lost the game. I run a reasonably well locked down browser for general use, and I kill the browser and start up a completely different operating system when I want to do anything financial.

      As for work, they're anal about resetting passwords way too frequently on the systems I use, and won't let me use any kind of password manager... so I simply keep all of the tool logins and passwords in a password-protected excel file on my network drive. It's their own damned fault if it gets compromised, because theoretically that can only be accessed by somebody logged in as me, and their own security policies are the reason I need to keep the passwords like that.

  15. At the end of the day by DarkOx · · Score: 0

    There are two pretty fundamental problems with lastpass.

    1. The stronger the security the less usable the system is. They could require two factor and one factor could be a username password pair where the password is at least 24 bytes, no two bytes in a row. The second factor could be an RSA token, or their grid system for one time pads seems pretty solid to me. AES-256 blockmode encrypt the users data as one big struct with those keys and you have a data store that even if becomes completely public is likely to stand up against any cryptographic or even bruit force attack no matter how long the attacker has to wait. Trouble while this would be secure it would be usable for many.

    2. Because you can't do it right, in that someplace in the chain there has to be a key weak enough for typical humans to remember and a token easy enough to carry, last pass presents a target. Worse it presents a very valuable target.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    1. Re:At the end of the day by CyberDragon777 · · Score: 1

      LastPass gives the user the option to use all these security features (strong master password, authentication grid, fingerprint/card reader, hardware key), but they can't force the user to be secure.

      The user is always the weakest link, but this doesn't mean that those who know what they are doing can't be safe.

      --
      We both said a lot of things that you are going to regret.
    2. Re:At the end of the day by Anonymous Coward · · Score: 0

      1. They do offer 2 factor authentication.

      2. While this is true, it is true of any storage that is network accessible. I am much more concerned about data stored on Google, Azure, S3, etc... that some company has stupidly put in clear text or otherwise not followed best practices. See Gawker breach.

      The main vulnerability in any security is stupidity or laziness. If someone really clicks through all the tutorial, suggestions, explanations, and examples on LastPass on how to make a strong pass phrase and still types in "password" for their password... You can only give people the tools, you can't force them to use them.

  16. An idea. by Epell · · Score: 1

    Here's an idea/question: Why can't Lastpass generate strong temporary passwords and send that to users?

    1. Re:An idea. by lasaboogy · · Score: 1

      Here's an idea/question: Why can't Lastpass generate strong temporary passwords and send that to users?

      It doesn't work that way. They would have to know your original master password in order to decrypt your database and re-encode it with the new temporary password. Since they do not know your master password, this idea fails.

  17. Only there was no breach by krischik · · Score: 1

    There was no confirmed breach just suspicious traffic.And a lot of media hype. Almost all media misquoted the incident so the hole incident sounds more exiting.

    And even if there was a breach: Unlike almost all other Cloud services Lastpass encrypts all data client site. Either by plug-in or JavaScript. Without the master password data is useless.

    And no: master passwords where not stolen — as the media tells everybody — if your master password is weak then someone might guess it.