LastPass: Users Don't Have To Reset Master PWDs
CWmike writes "LastPass on Friday rescinded its day-old order that all users of its online password management system reset their master passwords due to a database breach. In a blog post this morning, the company said it won't allow users to change master passwords 'until our databases are completely caught up and we have resolved outstanding issues.' In an e-mail to Computerworld, LastPass CEO Joe Siegrist said the company changed its plan in response to demands from users asking they not be required to reset their passwords. However, comments posted on a LastPass blog suggest that the company's decision may also be related to trouble some users appear to be having with the password reset process. The blog post acknowledged that it had 'identified an issue' with roughly 5% of users that reset their master passwords. The company said it would be contacting those users about a fix for the problem. LastPass said earlier that passwords for its Xmarks bookmark sync, which it acquired last December, were not affected."
I'm rather curious about how the site passwords are stored on this site. My assumption was that all the passwords were encrypted with the master password. If this is the case and only some of the passwords are encrypted with the new password because the databases weren't "caught up", or if someone forgets their master password and needs a password reset, then wouldn't the account be unrecoverable?
Yes.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Yes, downloading and installing a vim plugin (or using vim in the first place) is indeed reasonably difficult for most people.
Ok, that's neat and all... but where's the iPhone/iPad/Blackberry app to access the 'gvim gpg' password store on the go? Where's the browser plugin to auto-login and automatically fill forms based on the gvim gpg datastore?
As someone who uses multiple systems, multiple web-browsers, and multiple operating systems (even virtual machines) I can say: yes, it is difficult to maintain my personal data. My LastPass account has over 50 sites in it. To be honest, most of them I don't even care if they were hacked. My banking website isn't even truly vital since you can't transfer funds electronically outbound, it requires an email confirmation to change physical address, and the account number is truncated on all of the screens (including exported data).
Does your GVIM data get stored somewhere that is accessible to you no matter where you are? And if it is, then it's most likely accessible to someone else if they were to hack you. Point being, nothing is completely secure AND easy. From the sounds of it though, LastPass has a system in place to secure the passwords, although I'm unsure how that can work with a "Lost Password" scenario that MorderVonAllem talks about in another comment.
...where's the iPhone/iPad/Blackberry app to access the 'gvim gpg' password store on the go?
I thought it was for our benefit that Apple does not permit libre software on the iPhone/iPad, and that anyone who does not want to pay the Apple tax should just turn to "the cloud" to deliver their applications.
Palm trees and 8
Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?
Do you even have to ask?
Not to be elitist or condescending, but most end users can be likened to toddlers, just able to take enough steps to move themselves around but still desperately in need of others to take care of them and give them an environment they can survive in. When they do not get what they want, they throw tantrums and scream and cry until either they get what they want or someone hands them a shiny distraction that makes them completely forget what exactly they were demanding. It is unfortunate, but most people lack the simple curiosity and ability to think for themselves that would be needed to escape that mode of living.
Palm trees and 8
TFA says .5%, not 5%.
Yes, downloading and installing a vim plugin (or using vim in the first place) is indeed reasonably difficult for most people.
That's why PasswordSafe [ http://pwsafe.org/ and http://sourceforge.net/projects/passwordsafe/ originally written by Bruce Schneier http://www.schneier.com/passsafe.html ] is what people need.
It doesn't solve every problem (e.g. key loggers and such things as might be on an untrusted system) but nothing does. It's a very simple, flexible, convenient piece of software that not only securely stores usernames and passwords, but URLs, email addresses, notes and more, with the ability to copy/paste and/or drag/drop and/or autofill forms. Although it is mainly a Windows application, it is FOSS, with portable installs (e.g. U3) available. There is also a recent Linux port.
At the moment, I have 87 passwords in my primary passwordsafe file with related usernames, URLs, email, notes, password generation parameters, password expirations and more, all stored in a convenient hierarchy where work, banking, retail, hardware and other types of passwords are grouped in a tree that makes sense to me. For folks with simple needs, the hierarchy is optional and the entries can all be a flat list.
Sony's latest debacle has prompted me to wade through all my "important" entries (banks and such) and generate unique, random, secure passwords with expiration dates recommended by my PWsafe settings. Sadly, many of the accounts I created before I started using PWsafe used the same username and password combination for similar sites (e.g. retailers with CC info); I have now made my data much more secure with passwords I could never remember, except that PWsafe now remembers them all for me.
-- Jeff Woods
Short answer: No.
Longer answer:
Biometrics might (or might not, depending on accuracy) uniquely identify you, but it neither proves that you were present (your fingerprint or retina might have been stolen, either as a copy or more directly!) nor that you authorize access to whatever resource a password might secure (e.g. you might be dead or otherwise impaired and someone else slides your fingerprint or retina or DNA over the scanner).
Biometrics are convenient and still feel cool, but for really important resources, they increase danger rather than decrease it. For example, imagine that a billion USD is protected by your retina scan; I expect some folks would consider it reasonable to relieve you of your eyes (or even your whole head) for access to that much money.
On the other hand, using them as a username replacement (which still requires some other authentication like a password, and perhaps some two-factor mechanism like an RSA token) makes all kinds of sense. Just don't confuse "identity" with "authentication".
See also http://www.schneier.com/blog/archives/2009/01/biometrics.html and many other pertinent comments by Bruce and others.
-- Jeff Woods
Do you run your own mail server? Most people don't. Now get over it, we use GMail. Same thing as using other web based services.
There is a big, BIG difference between deciding that it is not worth your while to run a mail server, versus being unable to do so.
It is a miracle that curiosity survives formal education. - Einstein
Not to be elitist or condescending....
You know, saying "not to do x" immediately before doing x doesn't make it any better. You might as well say "Not to be racist, but [insert ethnic group here] should learn their place."
Not to be elitist or condescending....
You know, saying "not to do x" immediately before doing x doesn't make it any better. You might as well say "Not to be racist, but [insert ethnic group here] should learn their place."
The difference is greater than it may seem. While a real elitist or a truly condescending person may be glad and feel vindicated because this is so, the GP seemed to share my regret that the average has been reduced to this. I don't consider that elitist, racist, condescending, etc... I consider it a willingness to call things what they are and to focus one's energies on how to improve and be part of the solution.
If you don't wish to see it that way, then dismissal becomes an attractive option. Doesn't it?
It is a miracle that curiosity survives formal education. - Einstein
(your fingerprint or retina might have been stolen, either as a copy or more directly!)
If your retina were stolen, I would think that would pretty much guarantee that you (at the very least) didn't authorize it...and has a degree of certainty on the not present bit. Though, I'm sure there's some twisted individual out there willing to lose an eye for the heist of a lifetime (taking, for example, the $1B).
I don't post AC. I like my -1, Flamebaits. Trump/Sheen 2012 on the Batshit Insane ticket!
Tony? Is that you?
"Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
You know, going with my racism example, a racist would say he's just calling things the way they are too. Saying "not to be condescending" doesn't make someone any less of an arrogant prick, if they then go on to call the majority of people a bunch of screaming mindless toddlers.
Ok, that's neat and all... but where's the iPhone/iPad/Blackberry app to access the 'gvim gpg' password store on the go? Where's the browser plugin to auto-login and automatically fill forms based on the gvim gpg datastore?
Rolling your own is a bit more work (yes, I have to fill in the passwords myself, rather than using autofill [and who knows where *that* data might be cached]), but at least I don't have to worry about a 3rd party telling me that I have to change my secure passphrase...and then changing their minds because they can't quite make up their minds.
This and other recent "breaches" pretty much show that for the present (anyway), storing critical information "in the cloud" is neither secure nor reliable.
Certainly, high traffic web serving can benefit from "The Cloud", especially for those that don't have the money to support the kind of hardware and infrastructure.
But highly valuable and/or proprietary corporate or personal information? Nope...
If you want news from today, you have to come back tomorrow.
Interesting plug-in. On Windows, I've been storing passwords as GPG ASCII armored text blocks inside of regular text files (generally 1 per service or site). Decryption requires that I copy/paste the ASCII block into GPA's clipboard viewer.
(I try to keep things ASCII as much as possible when it comes to this, because that way you can fax / print / email the contents of the text file without having to do any binary/text conversion for fax/print.)
I store my password files in a version control system, which makes it easy to synchronize across multiple machines / locations / USB keys. It's only the GPG key that I have to be extra cautious about (and which has a very strong passphrase).
Wolde you bothe eate your cake, and have your cake?
Does your GVIM data get stored somewhere that is accessible to you no matter where you are?
The contents are encrypted with their GPG key. If they have their GPG key and the encrypted files, then yes they can get access. If I need access to a particular password, I load the file into GPA's clipboard utility, decrypt it, then copy/paste the password over to where it is needed (or type it).
Personally, I store my encrypted files inside a version control system and use that to keep multiple systems in sync. Which solves the "keeping multiple systems up to date" problem, unless it's a system where you can't do version control.
And since it's GPG, you can store it as an ASCII text block, suitable for printing, faxing, framing, e-mailing, even old postal mail. Or shoving a copy on a sheet of paper into my safe deposit box. The weak link in a GPG system is the secret key; the encryption itself is strong enough that you can send copies of the text to anyone in the world without worry. They can't do jack with it unless they have the private key and the passphrase needed to decrypt the private key.
(On Windows, look at the GPG4Win toolset.)
Wolde you bothe eate your cake, and have your cake?
This might be a lack of understanding of the LastPass system on my part, but I'm not understanding why they are/were suggesting customers reset their master password. Surely, if this password decrypts a password safe then it is as, if not more, important to reset all passwords which were stored in the database.
Do you run your own mail server? Most people don't. Now get over it, we use GMail. Same thing as using other web based services.
There is a big, BIG difference between deciding that it is not worth your while to run a mail server, versus being unable to do so.
I would go one further and say it's an even bigger difference between wanting someone else to run your mail server, versus wanting someone else to remember your passwords for you.
It's also pretty telling when the users of such a service actually beg to keep their original passwords after being told those passwords are compromised.
Based on that description, it sounds like they are saying users don't have to change their master password because their systems can't keep up with load, rather than because they've proven that user data isn't at risk.
Government and police can access anything in your cloud and on your machine if they want to: they can put trojans and keyloggers into your software updates and downloads, and they can fake SSL certificates and decrypt your encrypted traffic. And they don't just do that in the US, they do it in many countries. To protect against government intrusion into your data is very hard. A service like Hushmail is probably more secure than almost anything you can do yourself, even on your own harddisk.
You don't have to steal the eye; all you have to do is a man-in-the-middle attack and snoop the data, if you are using it at home. If DRM and HDMI have taught the powers that be nothing, it should have taught them nothing is non-reverse-engineerable. And it's not like it will be a custom program; the eye scanner, algorithms, network code, etc. to code and decode them will be widespread enough, even if they make a lot of them, that it will be profitable to break them, because you don't need to steal $1b from one target, but $5,000-$10,000 from hundreds of thousands of small targets.
It isn't legal in the USA. At least in my view and hopefully that of every judge all the way up to the supreme court. I wouldn't for one second think that the US authorities wouldn't try it though and get away with it.
I'd be shocked if the US authorities could make a software vendor (or FOSS maintainer) modify code under court order. It screams first amendment (code is copyrighted speech after all). They could (potentially) bar a vendor or maintainer from announcing modifications to a code base (gag orders, etc.), but forcing them to make the modifications would be utterly unprecedented (to my knowledge).
Personally, I store my encrypted files inside a version control system and use that to keep multiple systems in sync. Which solves the "keeping multiple systems up to date" problem, unless it's a system where you can't do version control.
So, if someone compromises your version control system, or one of your computers, they could grab the encrypted file. And maybe the encrypted GPG secret key file.
Then it's just a matter of brute forcing the GPG passphrase...
Only works if they know who their target is. My parent discussed German authorities trying to find a user of an anonymity program. You're right that the point is moot if the investigators already know where to find the target.
The interesting question is how were they compromised? If it's put together properly there should be minimal risk if the DB is disclosed.
But does it plug into major browsers like FF and Chromium based? Because as a PC repairman the biggest problem I run into is folks just can't keep up with all the damned passwords so they either use the same thing everywhere, or they save them all in the browser and then if something happens to the browser or OS they are boned.
What I need is something simple, that is easy to use, where someone like my dad could just plug in a thumbstick, input a master password, and then have the thing generate random passwords and remember them on the stick. It would have to input the data into the browser so they don't have to mess with copy/paste, just plug in, use and go.
Everyone here complains about security but average folks just can't keep up with all the bullshit. They need simple, they need easy, they need 'clicky clicky'. This is why so many people have lame passwords: it is because they just can't keep up with any more and most "solutions" are a PITA themselves. So does anybody know of something that works like I described?
ACs don't waste your time replying, your posts are never seen by me.
Even that wouldn't work for many people, since they also want to use it on an iP{hone,ad}.
Dilbert RSS feed
I don't for monetary reasons (would need to pay for a relay, since I have a dynamic IP and my ISP doesn't provide their own relay).
Dilbert RSS feed
...but am I the only one who is very hesitant about storing my precious passwords "in the cloud"? I use this gvim gpg plugin to encrypt my passwords, on my own terms, and I make them accessible to myself by any number of ways that I control.
Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?
I use Lastpass but not for "precious passwords". I could care less if they steal all my web forum logins etc. The important ones like online retailers who have personal info, banks, etc. I store in my head.
Most people I know use 123456 or password as their password everywhere then wonder how sh*t happens. If I ever get compromised at a sensitive site it's not because *I* didn't try, it's because I have no control over what happens to my 'net packets after they leave the router. Many sites really make me wonder if they are protecting their data as I would like.
And assuming he used one of a decent length that is not a concern
One word for you: torture. If someone is willing to cut your head to get access, I'm sure they have some 5 dollar wrench lying around to help them get your password.
http://xkcd.com/538/
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Interesting you say that. SuperGenPass is a client-side app in JavaScript for crypting passwords. It's just a bookmark with a bunch of JS. There is also a version that works on mobile phones too (the app is all javascript, no AJAX or server side), so you could use that on your phone if you're on another computer, or copy that to your own server if you're super paranoid
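An added example, written for this page and not SuperGenPass's own code (the comment above describes SuperGenPass only in outline), of the stateless idea it points at: nothing is stored anywhere, and each site password is recomputed from the master secret and the site's domain. Assumptions not from the thread: PBKDF2-HMAC-SHA256 as the single slow step, HMAC-SHA256 to expand the resulting site key into characters, a 72-symbol alphabet with rejection sampling so no symbol is favoured, a per-site counter so one site's password can be rotated without changing the master, and a crude "last two labels" domain normalization so `www.bank.example` and `login.bank.example` agree.

```python
"""Stateless per-site password derivation (added example; not SuperGenPass)."""
import hashlib
import hmac
import string

SYMBOLS = "!@#$%^&*-_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 72 symbols
# Largest multiple of len(ALPHABET) that fits in a byte; bytes at or above
# it are rejected so that "byte % 72" is uniform rather than biased.
_LIMIT = 256 - (256 % len(ALPHABET))                        # 216


def normalize_domain(hostname: str) -> str:
    """Crude registrable-domain guess: keep the last two labels (assumption)."""
    labels = hostname.lower().strip().strip(".").split(".")
    return ".".join(labels[-2:])


def has_all_classes(pw: str) -> bool:
    """Lower, upper, digit and symbol must all be present (typical site policy)."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def site_password(master: str, hostname: str, length: int = 16,
                  counter: int = 1, iterations: int = 100_000) -> str:
    """Derive a deterministic password for (master, domain, counter).

    The expensive PBKDF2 step runs once per site; the cheap HMAC expansion
    is repeated until the output satisfies the character-class rule.
    """
    if length < 4:
        raise ValueError("need room for all four character classes")
    domain = normalize_domain(hostname)
    salt = f"{domain}:{counter}".encode()
    site_key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)

    attempt = 0
    while True:
        chars, block = [], 0
        while len(chars) < length:
            # Deterministic keystream: HMAC(site_key, attempt:block)
            stream = hmac.new(site_key, f"{attempt}:{block}".encode(),
                              hashlib.sha256).digest()
            block += 1
            for b in stream:
                if b < _LIMIT:                       # rejection sampling
                    chars.append(ALPHABET[b % len(ALPHABET)])
                    if len(chars) == length:
                        break
        pw = "".join(chars)
        if has_all_classes(pw):
            return pw
        attempt += 1                                 # re-roll deterministically


if __name__ == "__main__":
    m = "correct horse battery staple"              # constructed sample master
    for host in ("www.bank.example", "login.bank.example", "shop.example"):
        print(host, site_password(m, host))
    print("rotated:", site_password(m, "www.bank.example", counter=2))
```

The trade-off this makes visible: a leaked master secret exposes every derived password at once, and the only way to change one site's password is to bump its counter, which the user then has to remember somewhere. That "somewhere" is exactly the state a vault-style manager keeps for you.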
The reason to not use a local system is that many people are not restricted to just one system. I have 3 computers that I use on a regular basis, not counting my work PC. Portability/version controlling between the systems is not impossible to do on your own, but it is annoying just the same, and for most users, it is simply easier to use a centralized service.
There do exist usb key fob devices that can encrypt your password and store it on the key fob, that way all you have to do is put the key in your usb port, open the program from the drive, and enter your master password, but these things cost money, which is prohibitive for most users when a free alternative exists.
Of course, you could just do like I do... I have a virtual machine that gets used only for my banking (one bank, easy to do). I don't do any online transactions other than bill payments which get done through my bank's website: nobody other than my bank has any of my banking information. And as for forum passwords, facebook, etc., I don't really care about security and use a handful of easy to remember passwords. Like you suggest, it's based on one assumption: if I don't trust the system I'm working on, I've lost the game. I run a reasonably well locked down browser for general use, and I kill the browser and start up a completely different operating system when I want to do anything financial.
As for work, they're anal about resetting passwords way too frequently on the systems I use, and won't let me use any kind of password manager... so I simply keep all of the tool logins and passwords in a password-protected excel file on my network drive. It's their own damned fault if it gets compromised, because theoretically that can only be accessed by somebody logged in as me, and their own security policies are the reason I need to keep the passwords like that.
LastPass gives the user the option to use all these security features (strong master password, authentication grid, fingerprint/card reader, hardware key), but they can't force the user to be secure.
The user is always the weakest link, but this doesn't mean that those who know what they are doing can't be safe.
We both said a lot of things that you are going to regret.
Here's an idea/question: Why can't Lastpass generate strong temporary passwords and send that to users?
I use Keepass with a shared Dropbox file so I don't have to rely on cloud vendor security.
I don't read your sig. Why are you reading mine?
So you store your password encrypted file in the cloud on a service that isn't quite so security sensitive and therefore heavily protected as LastPass? Unless you're using a large key file I'd say your password security is worse, not better, than the LastPass solution.
And assuming he used one of a decent length that is not a concern
And assuming you used a Lastpass master password of a decent length, it's not a concern that someone will be able to brute-force the encryption on the RSA 2048-bit key to get the private key required to decrypt Lastpass' AES256 encrypted blob.
This gives me local storage on each of my machines plus cloud synchronization. Also runs on everything I use: Mac, Linux, Android.
I don't read your sig. Why are you reading mine?
There was no confirmed breach, just suspicious traffic. And a lot of media hype. Almost all media misquoted the incident so the whole incident sounds more exciting.
And even if there was a breach: unlike almost all other Cloud services, Lastpass encrypts all data client side. Either by plug-in or JavaScript. Without the master password data is useless.
And no: master passwords were not stolen, as the media tells everybody. If your master password is weak then someone might guess it.
Differences from one website to another make it very hard to automate username & password login. Some web sites (especially some that are nuts about Flash and Web 2.0) make it hard just to type them in. However, for 90+% of websites and applications, drag&drop works great; copy/paste works too. You don't have to select the text and then copy it, just select the entry you want and click a button to copy the username to the clipboard (then paste it with keyboard or mouse clicks), then click another button to copy the password to the clipboard and then paste that into the other field. It even supports remembering a login URL for each entry, with one button to open the URL and another to drag&drop it onto a browser. Nothing is perfect, but PasswordSafe continues to evolve and improve its user interface.
-- Jeff Woods
even without plugins, keepass will run from USB on any machine back to win95 and you can open the pw database and have it auto-type passwords. It does have a tendency to auto-close if you don't change the settings.
In addition to keeping it on your USB stick, there are also versions for just about every mobile device out there.
Cheap storage VM.