Slashdot Mirror


LastPass Reporting a Security Breach, Including Authentication Hashes and Salts

hawkeyeMI writes: LastPass, the popular password manager, has been hacked. The company says that the “vast majority” of users are safe, and has posted a notice which begins: "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

3 of 206 comments

  1. Hash and Salt by psyclone · Score: 4, Interesting

    > We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

    Salting is nice, but when the attacker gets both the hash and the salt, they can attack specific users. Still, the 100k rounds of SHA256 seem decent.

    Would bcrypt be any better than PBKDF2 here?
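The scheme the notice describes (client-side rounds, then a per-user random server salt and 100,000 rounds of server-side PBKDF2-SHA256), as an added Python example; this is not LastPass's code, and the client-side round count, the use of the email address as the client-side salt, and the 32-byte output length are assumptions for illustration. It also shows why a leaked salt does not help precomputation: two enrollments of the same password produce unrelated stored hashes, and each guess against one user still costs the full round count.

```python
import hashlib
import hmac
import os

# Constructed parameters. SERVER_ROUNDS is the figure from the LastPass notice;
# CLIENT_ROUNDS and KEY_LEN are assumptions, not LastPass's actual values.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
KEY_LEN = 32


def client_auth_hash(master_password: str, email: str) -> bytes:
    """Client-side stretching: the server only ever receives this value,
    never the master password itself (email used as salt: assumption)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS, KEY_LEN)


def server_strengthen(auth_hash: bytes, server_salt: bytes) -> bytes:
    """Server-side strengthening with a per-user random salt and 100,000 rounds.
    This is the value that was stored (and stolen) together with the salt."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt,
                               SERVER_ROUNDS, KEY_LEN)


def enroll(master_password: str, email: str) -> dict:
    """Create the stored record: per-user salt plus strengthened hash."""
    salt = os.urandom(16)
    stored = server_strengthen(client_auth_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Recompute both stages and compare in constant time, so the check
    does not leak how many leading bytes of the hash matched."""
    candidate = server_strengthen(
        client_auth_hash(master_password, record["email"]), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "alice@example.com")
    print("correct password accepted:", verify(rec, "correct horse battery staple"))
    print("wrong password rejected:", not verify(rec, "correct horse battery stapler"))
```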

  2. Re:KeePassX by kosmosik · Score: 3, Interesting

    > https://www.keepassx.org/ [keepassx.org]

    > It's a password vault application. Remember local applications,
    > they run on your computer, that you physically have to be at to use(usually).

    Usually Keepass and the like are used to store passwords for network services. So the computer storing your passwords in KeepassX is still networked and susceptible to attacks. Also people tend to use multiple machines (sometimes even not their own), so in order to use KeepassX you still need to transfer its data file somehow. You could keep this file on a pendrive, probably with a portable version of the app.

    So KeepassX in my opinion is less convenient to use than Lastpass - with the latter I just log in to the service (using two-factor authentication) and access my passwords. But mind you, I use Keepass only for not-so-sensitive accounts like 100+ eshops, forums and crap like that (not financial, medical, otherwise sensitive, essential internet authentication account hubs like Google or Facebook).

    So for me, using Keepass would mean carrying a medium with the data file (which can be lost, stolen, copied) or sharing the data file via some kind of authenticated network service like SFTP, HTTPS, Dropbox etc.

    I know the Keepass/local pass file way would probably be slightly more secure, but the Lastpass method is just more convenient.

    Oh and if I were to use a password manager I would not go the Keepass way - what for? Passwords are just some lines in a text file. I would just use an encrypted text file, shell utilities like grep, and have access to it via SSH with two-way authentication (I love Google Authenticator with the PAM module for my private use).

    My point being that if used correctly (only for not sensitive accounts, two-factor authentication enabled) a trusted service like Lastpass (I find them very concerned about security - they are targeted all the time) is quite secure and more convenient than Keepass.

    Also I would love to have some offline device for my sensitive stuff like financial, medical and so on - I long for something in the form of a small iPod-like MP3 player that can be fed with data, and when prompted for authentication I could choose my credentials from it and it would display a generated QR code with a token that could be scanned via webcam to authenticate. Of course it would be susceptible to MITM attacks and physical loss, but in my opinion it would be the most secure way of using a password store without sharing it via the network.

  3. Re:Who the fuck would use something like that? by KGIII · Score: 3, Interesting

    My niece has a friend (this is, sadly, a true story) who got their first credit card. She was pleased and activated it. She was so excited, and I kid you not, she took a picture of this card and posted it to her Facebook account. I am not sure how they got the 3 or 4 digit number on the back of the card (or if they did) but it took less than a day for the card to reach its limits and, sadly, she is not being held liable for the fraudulent transactions. Some folks should not be allowed credit cards or internet access. My point is, I suppose, that people do not understand even basic security.

    --
    "So long and thanks for all the fish."