LastPass Reporting a Security Breach, Including Authentication Hashes and Salts
hawkeyeMI writes: LastPass, the popular password manager, has been hacked. The company says that the “vast majority” of users are safe, and has posted a notice which begins: "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
It's very hard to hack, but susceptible to data loss.
That's just stupid. No one can remember 30+ passwords. And not using unique passwords is the dumbest possible thing (Gmail account "hack" from earlier this year).
So, *sometimes* use your brain.
LastPass of course is going to be a target; but if you used the product as recommended with 2nd factor authentication and not reusing your master password elsewhere you don't have anything to worry about. LastPass is handling this in a measured, logical, efficient manner - and as always, they err on the safe side. Of course, this being the internet, you have the usual suspects crying chicken little, the sky is falling.
backdoor into the encryption. It's only a matter of time before hackers locate it and fling it open to let the animals in.
There are no secrets. There is no privacy.
"What can a person do with my bank account anyway? Nothing, that can't be traced and/or reversed."
Then you should feel perfectly safe posting your bank credentials on this site.
I know that a company like LastPass has paid professionals to maintain infrastructure with strict security, vs. whatever I would be able to muster on my own. I could use KeePass and perhaps sync with my ownCloud server, but then is my security going to be better than theirs? Probably not even close.
I like the idea of KeePass and have it installed, but their plugins are not as good as LastPass and using it is kind of kludgy. I have no special allegiance to LastPass in particular, although I personally think they are probably the best at what they do and have been around the longest and the annual fee - something I'm more than happy to pay knowing they are professionals - is totally reasonable and worth far more than the amount of resources I would have to expend to produce duplicate functionality on my own.