Slashdot Mirror
LastPass: Users Don't Have To Reset Master PWDs
CWmike writes "LastPass on Friday rescinded its day-old order that all users of its online password management system reset their master passwords due to a database breach. In a blog post this morning, the company said it won't allow users to change master passwords 'until our databases are completely caught up and we have resolved outstanding issues.' In an e-mail to Computerworld, LastPass CEO Joe Siegrist said the company changed its plan in response to demands from users asking they not be required to reset their passwords. However, comments posted on a LastPass blog suggest that the company's decision may also be related to trouble some users appear to be having with the password reset process. The blog post acknowledged that it had 'identified an issue' with roughly 5% of users that reset their master passwords. The company said it would be contacting those users about a fix for the problem LastPass said earlier that passwords for its Xmarks bookmark sync, which it acquired last December, were not affected."
Yes.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I'm sure they have backups. If you have Pocket, you can actually backup your passwords by exporting to an encrypted .XML file, and access them locally.
It's not a bad idea to keep your own backups, in addition to your offline browser storage,
even though Lastpass has them stored 'in the cloud', better safe than sorry.
2 factor auth with Yubikey/USB token is also a good idea, as they encrypt the passwords not only with your master pw, but also with the hash of your authentication tokens
As someone who uses multiple systems, multiple web-browsers, and multiple operating systems (even virtual machines) I can say: yes, it is difficult to maintain my personal data. My LastPass account has over 50 sites in it. To be honest, most of them I don't even care if they were hacked. My banking website isn't even truly vital since you can't transfer funds electronically outbound, it requires an email confirmation to change physical address, and the account number is truncated on all of the screens (including exported data).
Does your GVIM data get stored somewhere that is accessible to you no matter where you are? And if it is, then it's most likely accessible to someone else if they were to hack you. Point being, nothing is completely secure AND easy. From the sounds of it though, LastPass has a system in place to secure the passwords, although I'm unsure how that can work with a "Lost Password" scenario that MorderVonAllem talks about in another comment.
Yes, downloading and installing a vim plugin (or using vim in the first place) is indeed reasonably difficult for most people.
That's why PasswordSafe [ http://pwsafe.org/ and http://sourceforge.net/projects/passwordsafe/ originally written by Bruce Schneier http://www.schneier.com/passsafe.html ] is what people need.
It doesn't solve every problem (e.g. key loggers and such things as might be on an untrusted system) but nothing does. It's a very simple, flexible, convenient piece of software that not only securely stores usernames and passwords, but URLs, email address, notes and more with the ability to copy/paste and/or drag/drop and/or autofill forms. Although it is mainly a Windows application, it's FOSS portable installs (e.g. U3) available. There is also a recent Linux port.
At the moment, I have 87 passwords in my primary passwordsafe file with related usernames, URLs, email, notes, password generation parameters, password expirations and more, all stored in a convenient hierarchy where work, banking, retail, hardware and other types of passwords are grouped in a tree that makes sense to me. For folks with simple needs, the hierarchy is optional and the entries can all be a flat list.
Sony's latest debacle has prompted me to wade through all my "important" entries (banks and such) and generate unique, random, secure passwords with expiration dates recommended by my PWsafe settings. Sadly, many of the accounts I created before I started using PWsafe used the same username and password combination for similar sites (e.g. retailers with CC info); I have now made my data much more secure with passwords I could never remember, except that PWsafe now remembers them all for me.
-- Jeff Woods
Short answer: No.
Longer answer:
Biometrics might (or might not, depending on accuracy) uniquely identify you, but it neither proves that you were present (your fingerprint or retina might have been stolen, either as a copy or more directly!) nor that you authorize access to whatever resource a password might secure (e.g. you might be dead or otherwise impaired and someone else slides your fingerprint or retina or DNA over the scanner).
Biometrics are convenient and still feel cool, but for really important resources, they increase danger rather than decrease it. For example, imagine that a billion USD is protected by your retina scan; I expect some folks would consider it reasonable to relieve you of your eyes (or even your whole head) for access to that much money.
On the other hand, using them as a username replacement (which still requires some other authentication like a password, and perhaps some two-factor mechanism like an RSA token) makes all kinds of sense. Just don't confuse "identity" with "authentication".
See also http://www.schneier.com/blog/archives/2009/01/biometrics.html and many other pertinent comments by Bruce and others.
-- Jeff Woods