Slashdot Mirror


LastPass: Users Don't Have To Reset Master PWDs

CWmike writes "LastPass on Friday rescinded its day-old order that all users of its online password management system reset their master passwords due to a database breach. In a blog post this morning, the company said it won't allow users to change master passwords 'until our databases are completely caught up and we have resolved outstanding issues.' In an e-mail to Computerworld, LastPass CEO Joe Siegrist said the company changed its plan in response to demands from users asking they not be required to reset their passwords. However, comments posted on a LastPass blog suggest that the company's decision may also be related to trouble some users appear to be having with the password reset process. The blog post acknowledged that it had 'identified an issue' with roughly 5% of users that reset their master passwords. The company said it would be contacting those users about a fix for the problem. LastPass said earlier that passwords for its Xmarks bookmark sync, which it acquired last December, were not affected."

15 of 83 comments

  1. Re:Maybe it's just me... by John Hasler · · Score: 3, Insightful

    Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?

    Yes.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  2. Re:Maybe it's just me... by Eil · · Score: 2

    Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?

    Yes, downloading and installing a vim plugin (or using vim in the first place) is indeed reasonably difficult for most people.

  3. Re:Curious by mysidia · · Score: 3, Informative

    I'm sure they have backups. If you have Pocket, you can actually back up your passwords by exporting to an encrypted .XML file, and access them locally. It's not a bad idea to keep your own backups, in addition to your offline browser storage, even though LastPass has them stored 'in the cloud'; better safe than sorry.

    Two-factor auth with a Yubikey/USB token is also a good idea, as they encrypt the passwords not only with your master PW but also with the hash of your authentication tokens.

  4. Re:Maybe it's just me... by mysidia · · Score: 2, Insightful

    Ok, that's neat and all... but where's the iPhone/iPad/Blackberry app to access the 'gvim gpg' password store on the go? Where's the browser plugin to auto-login and automatically fill forms based on the gvim gpg datastore?

  5. Re:Maybe it's just me... by nbetcher · · Score: 4, Interesting

    As someone who uses multiple systems, multiple web-browsers, and multiple operating systems (even virtual machines) I can say: yes, it is difficult to maintain my personal data. My LastPass account has over 50 sites in it. To be honest, most of them I don't even care if they were hacked. My banking website isn't even truly vital since you can't transfer funds electronically outbound, it requires an email confirmation to change physical address, and the account number is truncated on all of the screens (including exported data).

    Does your GVIM data get stored somewhere that is accessible to you no matter where you are? And if it is, then it's most likely accessible to someone else if they were to hack you. Point being, nothing is completely secure AND easy. From the sounds of it though, LastPass has a system in place to secure the passwords, although I'm unsure how that can work with a "Lost Password" scenario that MorderVonAllem talks about in another comment.

  6. Re:Maybe it's just me... by jdwoods · · Score: 3, Informative

    Yes, downloading and installing a vim plugin (or using vim in the first place) is indeed reasonably difficult for most people.

    That's why PasswordSafe [ http://pwsafe.org/ and http://sourceforge.net/projects/passwordsafe/ originally written by Bruce Schneier http://www.schneier.com/passsafe.html ] is what people need.

    It doesn't solve every problem (e.g. key loggers and such things as might be on an untrusted system), but nothing does. It's a very simple, flexible, convenient piece of software that not only securely stores usernames and passwords, but URLs, email addresses, notes and more, with the ability to copy/paste and/or drag/drop and/or autofill forms. Although it is mainly a Windows application, it's FOSS with portable installs (e.g. U3) available. There is also a recent Linux port.

    At the moment, I have 87 passwords in my primary passwordsafe file with related usernames, URLs, email, notes, password generation parameters, password expirations and more, all stored in a convenient hierarchy where work, banking, retail, hardware and other types of passwords are grouped in a tree that makes sense to me. For folks with simple needs, the hierarchy is optional and the entries can all be a flat list.

    Sony's latest debacle has prompted me to wade through all my "important" entries (banks and such) and generate unique, random, secure passwords with expiration dates recommended by my PWsafe settings. Sadly, many of the accounts I created before I started using PWsafe used the same username and password combination for similar sites (e.g. retailers with CC info); I have now made my data much more secure with passwords I could never remember, except that PWsafe now remembers them all for me.

    --
    -- Jeff Woods
  7. Re:This whole password issue is a problem by jdwoods · · Score: 5, Insightful

    Short answer: No.

    Longer answer:

    Biometrics might (or might not, depending on accuracy) uniquely identify you, but it neither proves that you were present (your fingerprint or retina might have been stolen, either as a copy or more directly!) nor that you authorize access to whatever resource a password might secure (e.g. you might be dead or otherwise impaired and someone else slides your fingerprint or retina or DNA over the scanner).

    Biometrics are convenient and still feel cool, but for really important resources, they increase danger rather than decrease it. For example, imagine that a billion USD is protected by your retina scan; I expect some folks would consider it reasonable to relieve you of your eyes (or even your whole head) for access to that much money.

    On the other hand, using them as a username replacement (which still requires some other authentication like a password, and perhaps some two-factor mechanism like an RSA token) makes all kinds of sense. Just don't confuse "identity" with "authentication".

    See also http://www.schneier.com/blog/archives/2009/01/biometrics.html and many other pertinent comments by Bruce and others.

    --
    -- Jeff Woods
  8. Re:Maybe it's just me... by causality · · Score: 2

    Do you run your own mail server? Most people don't. Now get over it, we use GMail. Same thing as using other web based services.

    There is a big, BIG difference between deciding that it is not worth your while to run a mail server, versus being unable to do so.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  9. Re:Curious by MorderVonAllem · · Score: 2

    That much I understand but I was talking about if you "forget" your password and have a new one issued. If that's the case they can't decrypt your keychain because you don't have the password anymore. That's specifically what I'm wondering about.

  10. Only the master password? by blake1 · · Score: 2

    This might be a lack of understanding of the LastPass system on my part, but I'm not understanding why they are/were suggesting customers reset their master password. Surely, if this password decrypts a password safe then it is as, if not more, important to reset all passwords which were stored in the database.

    1. Re:Only the master password? by pdbaby · · Score: 2

      LastPass said that the level of traffic they saw in the attack was enough for the password hashes + salts but not enough for users' encrypted blobs.

      --
      Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
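    The "forgot password" question from comments 9 and 10, worked through as an added illustration (this is not LastPass's scheme or code; the iteration count, record layout and the HMAC-based stream cipher standing in for a real AEAD are all assumptions). It shows what a leaked salt + auth hash does and does not expose, and why a reset without the old master password cannot recover the vault:

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # assumed value for the illustration, not LastPass's


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    # Client side: stretch the master password into the key that encrypts the vault.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS)


def auth_hash(vault_key: bytes) -> bytes:
    # Server side stores only this, never the key or the master password.
    return hashlib.sha256(b"auth" + vault_key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode stream standing in for AES (not in the stdlib).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def seal_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()


def open_vault(vault_key: bytes, blob: bytes):
    # Returns the plaintext, or None when the key is wrong (the tag no longer verifies).
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(vault_key, nonce, len(ct))))


def lost_password_scenario():
    # Constructed walk-through with made-up credentials.
    salt = secrets.token_bytes(16)
    old_key = derive_vault_key("correct horse battery", salt)
    record = {"salt": salt, "auth": auth_hash(old_key)}   # what a breach of hashes+salts leaks
    blob = seal_vault(old_key, b"bank.example: hunter2")  # what that leak does not open
    # The server's login check; anyone holding the leaked record can run the same check
    # offline per guess, at one PBKDF2 cost each, which is why the reset was advised.
    login_ok = auth_hash(derive_vault_key("correct horse battery", record["salt"])) == record["auth"]
    # "Forgot password": a new key is issued and the record updated, but without the old
    # password nobody, the provider included, can open the old blob.
    new_key = derive_vault_key("new master", salt)
    record["auth"] = auth_hash(new_key)
    blind_reset_opens_old_blob = open_vault(new_key, blob) is not None
    # A real change: open with the old key, re-seal under the new one.
    reissued = seal_vault(new_key, open_vault(old_key, blob))
    return login_ok, blind_reset_opens_old_blob, open_vault(new_key, reissued) == b"bank.example: hunter2"
```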
  11. Re:Maybe it's just me... by dissy · · Score: 2

    Do you run your own mail server? Most people don't. Now get over it, we use GMail. Same thing as using other web based services.

    There is a big, BIG difference between deciding that it is not worth your while to run a mail server, versus being unable to do so.

    I would go one further and say it's an even bigger difference between wanting someone else to run your mail server, versus wanting someone else to remember your passwords for you.

    It's also pretty telling when the users of such a service actually beg to keep their original passwords after being told those passwords are compromised.

  12. Re:This whole password issue is a problem by johncandale · · Score: 2

    You don't have to steal the eye; all you have to do is a man-in-the-middle attack and snoop the data, if you are using it at home. If DRM and HDMI have taught the powers that be anything, it should have taught them nothing is non-reverse-engineerable. And it's not like it will be a custom program; the eye scanner, algorithms, network code, etc. to code and decode them will be widespread enough, even if they make a lot of them, that it will be profitable to break them, because you don't need to steal $1b from one target, but $5,000-$10,000 from hundreds of thousands of small targets.

  13. Re:Maybe it's just me... by mysidia · · Score: 2

    Personally, I store my encrypted files inside a version control system and use that to keep multiple systems in sync. Which solves the "keeping multiple systems up to date" problem, unless it's a system where you can't do version control.

    So, if someone compromises your version control system, or one of your computers, they could grab the encrypted file. And maybe the encrypted GPG secret key file.

    Then it's just a matter of brute forcing the GPG passphrase...

  14. Re:This whole password issue is a problem by GNUALMAFUERTE · · Score: 2

    One word for you: torture. If someone is willing to cut your head to get access, I'm sure they have some 5 dollar wrench lying around to help them get your password.

    http://xkcd.com/538/

    --
    WTF am I doing replying to an AC at 5 A.M. on a Friday night?