Slashdot Mirror
LastPass Reporting a Security Breach, Including Authentication Hashes and Salts
hawkeyeMI writes: LastPass, the popular password manager, has been hacked. The company says that the “vast majority” of users are safe, and has posted a notice which begins: "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
Store it on "the cloud"! Everything will be fine!
Who the fuck would think it's smart to use some web service like that, where some third party ends up with your passwords, even if they are encrypted in some way?
They're very handy for websites that have poor native security, as the passwords Lastpass generates are extremely tough. In a lot of cases, I'd rather trust Lastpass's security over that of a native website, and they have open sourced their client side decryption process as well (which has received several audits). I don't use it for anything I consider super sensitive (my bank account, for example), but it's pretty good for a lot of other applications.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
It's very hard to hack, but susceptible to data loss.
They're very handy for websites that have poor native security
Like lastpass.com?
I know. That's just a disaster waiting to happen. "We got hacked." "You don't say ..."
For the first and last time:
ANYTHING on the internet is NOT secure
Use a local password manager.
I'd like to take this time to recommend an excellent open source project called KeePassX.
https://www.keepassx.org/
It's a password vault application. Remember local applications, they run on your computer, that you physically have to be at to use(usually).
The Information Revolution will be fought on the command line.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
Salting is nice, but when the attacker gets both the hash and the salt, they can attack specific users. Still, the 100k rounds of SHA256 seem decent.
Would bcrypt be any better than PBKDF2 here?
People store passwords in the Cloud all the time.
Just not in the same place. :)
I know. That's just a disaster waiting to happen. "We got hacked." "You don't say ..."
For the first and last time:
ANYTHING on the internet is NOT secure
Use a local password manager.
I agree with you - but i must add, even if i may sound "paranoid", while i understand how convenient it is: don't use a (local) password manager... use your (brain's) memory!
Antisthenes: "Wisdom begins by examining the words/names." - excuse my English, i am (slightly...) better with my Greek!
On the other hand, this should also provide you with a list of the sites where you should be changing your password.
Hopefully everyone will manage to do that before any of the hashes are cracked (if the crackers managed to get both the algorithm and salt).
I find ssh'ing into my own raspberry pi with keepass-cli http://sourceforge.net/project... the best way to get passwords so far. Slow but trustworthy. I sure wish that was not a sourceforge project though.
I am obviously unable to use something online, like Last Pass and 1Password.
It little behooves the best of us to comment on the rest of us.
That's just stupid. No one can remember 30+ passwords. And not using unique passwords is the dumbest possible thing (gmail account "hack" from earlier this year)
So, *sometimes* use your brain.
I'm the submitter. I'm a LastPass user and I'll stay that way. If you actually read the article you'll see that things are under control. This is the second time LastPass has reported an attack that I can remember, and because of the client-side encryption and so on it's not a huge deal. Bravo to them for their proactive stance and sound methods.
Error 404 - Sig Not Found
I know. That's just a disaster waiting to happen. "We got hacked." "You don't say ..."
For the first and last time:
ANYTHING on the internet is NOT secure
Use a local password manager.
Well, now that we have the word of someone that has absolutely no clue how infosec works I guess it's case closed right?
As far as how secure this service is... well... meh? Who the hell knows. Would I keep the launch codes there? No. My password for that Cartoon network? Sure. The point is, you seem to be claiming that your local hard drive is safer than a websevice literally dedicated to security. That's laughable to say the least. IF this site really is what it claims to be, then it's definitely more secure than your local hard drive, but certainly not as secure as simply memorizing the password.
The concern I would have immediately would be that you have to trust that vendor. Are they located in the US (or whichever country you live in so you can sue them) and subject to the jurisdiction of US courts should they turn out to be bad actors? And almost more importantly, do they keep all of their data on US servers? Being headquartered in the US but outsourcing your database to China would kind of defeat the purpose right?
When you get down to it, when you get into big-time security in major corporations, it's not really that you're jumping through lots of hoops to make sure the data is secure. You will ALWAYS fail at that. You just can't stay that on top of things. What you're really doing is trying to ensure that if there is a breach, you can recover from it and that you have someone to sue/blame to pay for the recovery. So you make sure you pick a service that's in the US, and is well insured. Then you leave it up to them and their insurance company to duke out the difference between higher premiums or more security people.
But if you're just Joe-schmo at home, and you want to store credentials to your netflix accounts and such? And it's a huge well know company like lastpass? Yes, they are more secure than your windows harddrive. A lot more secure. Maybe keep your bank login on a post-it note in the back of your sock drawer just to be safe though.
"Almost everyone has a local password manager... it's commonly referred to as a brain."
Unfortunately the H. Sapiens Mark I brain is only good at remembering bad passwords. To remember good ones, you need a password manager.
I have a photographic memory. Unfortunately the film is bad.
Any insufficiently advanced magic is indistinguishable from technology.
Using auditory clues to induce dreams about a given topic is not impossible, and if the visual cortex activity can be decoded the simpler motor cortex that plays back your typing movements during password entry could also be decoded.
Your brain is hackable, with tools other than an axe.
For people whose brain doesn't work well enough to remember dozens of passwords, you could also use an gpg encrypted text file. Works well for me.
"We’ve commissioned a write only off-site aggregated log server which can only be accessed via the console. This will allow us a guarantee that any logging is intact." ref
Few people can memorize a large collection of high-entropy passwords.
Yes, I know there are strategies for getting away with memorizing fewer. They're not necessarily good ideas.
That's great advice. Except I have 6 computers in three locations that I use on a daily basis. Putting it on a stick doesn't really work since I'm really good at losing things. Before using an online password manager I used the same 7 character password for everything. Now my password manager has 100s of passwords, allof which are unique and most of which are 30+ characters long. I really don't know what I would do without it.
It's a strange idea to store passwords in the cloud anyway. I use these simple scripts in Ubuntu. Could work on Mac too, and I had a Windows/Perl/batch-file version long ago:
$ cat `which p`
#!/bin/bash
[ -d /media/truecrypt1 ] || t on
# accept up to 3 arguments, and filter on all 3 /media/truecrypt1/p /media/truecrypt1/p | grep -i "$2" | grep -i "$3"
if [ -z "$2" ]; then
grep -ni "$1"
else
grep -ni "$1"
fi
$ cat `which padd` /media/truecrypt1 ] || t on
#!/bin/bash
[ -d
echo `date +%F` " $@" >>/media/truecrypt1/p
And to mount the truecrypt volume:
$ cat `which t`
#!/bin/sh
file=$HOME/timecode
tcvol=/media/truecrypt1
do=$1
case "$do" in /media/truecrypt1
"on")
if grep -q
If you have a real argument present it please. I encourage you to understand how LastPass actually works, and not how you think it works based on not reading TFA (obviously from your statement).
There is a bit missing in the post above:
$ cat `which t`
#!/bin/sh
file=$HOME/timecode
tcvol=/media/truecrypt1
do=$1
case "$do" in /media/truecrypt1 < /proc/mounts ; then ;; ;; ;; ;;
"on")
if grep -q
logger -t truecrypt "$0 Starting tc: already mounted"
exit
fi
logger -t truecrypt "$0 Starting tc"
DISPLAY=:0.0 truecrypt $file
"off")
t=$(find $tcvol -type f -printf "%TY-%Tm-%Td %TH:%TM\n" | sort -n | tail -1)
truecrypt -d
if [ -n "$t" ] ; then
touch -d "$t" $file
logger -t truecrypt "$0 Stopped tc and set mtime to $t"
else
logger -t truecrypt "$0 Stopped tc; no mtime to set found"
fi
"status")
truecrypt -t -l
"*")
echo "Usage: $0 on|off|status";
logger -t truecrypt "Bad option '$do' given to $0"
exit 1;
esac
They made a movie about that
LastPass of course is going to be a target; but if you used the product as recommended with 2nd factor authentication and not reusing your master password elsewhere you don't have anything to worry about. LastPass is handling this in a measured, logical, efficient manner - and as always, they err on the safe side. Of course, this being the internet, you have the usual suspects crying chicken little, the sky is falling.
I prefer one GPG file per site. Downside is that it exposes the site name, but also means I only decrypt only a single site password at a time.
Bonus points for putting the files into a version control system (git/svn/hg) so that you can cleanly sync them between PCs.
And making backup copies is as easy as stuffing the ASCII armored block into an email. Or printing it out for OCR'ing later...
Wolde you bothe eate your cake, and have your cake?
I had the same problem as you except I was looking after 70+ computers as a sysadmin about a decade ago. Used to store them on my Palm with a program called STRIP by Zetetic. Now I have their app on my iOS devices. It's not as flashy as LastPass but then it doesn't store all your passwords on the Internet either.
I personally use a KeePass 2.x database. I use it across my computers and Android phone.
For convenience, I use BitTorrent Sync to keep the file updated across devices. I have it set to only sync on the local network(s), instead of over the internet. So, all if I add or change a password at home, it will sync to my phone and laptop via the local network. When I go to my office, when my phone connects to the local wifi it will sync the file to my work computer.
I use a password and keyfile. I copied the key file over to my devices manually, and is not within the Sync share.
This is the best security:convenience ratio I could come up with.
backdoor into the encryption. It's only a matter of time before hackers locate it and fling it open to let the animals in.
There are no secrets. There is no privacy.
I'm the submitter. I'm a LastPass user and I'll stay that way. If you actually read the article you'll see that things are under control.
This is the second time LastPass has reported an attack that I can remember, and because of the client-side encryption and so on it's not a huge deal. Bravo to them for their proactive stance and sound methods.
Not only that, but even if the encrypted vault were compromised along with the hashes/etc (allowing somebody to start brute-forcing them), I could easily use lastpass to identify all my accounts and the last change date for each. Since almost all my accounts use random passwords changing them all is a bit of a pain, but not too big a deal. I'm just replacing one random string of values with another. I could change all my accounts in a weekend and all the new passwords are synced across my devices.
Lastpass is extremely convenient and I don't know of many practical alternatives that are any more secure against the same threat models. Maybe a piece of paper in my pocket would be more secure against the remote attacks, but I don't really see that as a step up.
Who the fuck would think it's smart to use some web service like that, where some third party ends up with your passwords, even if they are encrypted in some way?
People who understand how LastPass security works.
LastPass security is actually quite good, and designed to be resilient against data breaches. The attackers haven't gotten any passwords. What they have gotten is hashes, salts, and hints which could lead to passwords, given enough time and computational power.
The clock started ticking as soon as the attackers obtained the data dump. As soon as I reset my master password, the clock stops ticking. Between those two events is the only window of time the attackers have to brute-force the hash or guess my password based on the hint. As soon as I change my master password as prompted by the LastPass email, they have nothing.
If you use 2-factor authentication with LastPass, like Google Auth, even if they crack your master password before you change it, they still have nothing.
Eagles may soar, but weasels don't get sucked into jet engines.
By centralizing all the passwords they are a prime target for infiltration. The hackers knew that by taking this one business they would potentially gain access to millions of websites. In a normal attack they have no idea if they will get good data, with LastPass they couldn't miss. That then makes them one of the most high profile targets on the internet and they'd need NSA level security to keep people out. I little internet company with world class security? I don't think so, even Google got hacked with a spear fishing attack.
I agree with the other posters, you'd have to be nuts to use LastPass for anything that was tied to financial transactions. And just even the secondary effects could be tremendous now that they have login information (depending on the number of websites the last pass information could give them all kinds of information out accounts and names/emails used making the hacking significantly easier).
Bah, your brain has been proven very susceptible to rubber hose cryptographic attacks.
-Turkey
I agree with the other posters, you'd have to be nuts to use LastPass for anything that was tied to financial transactions.
Why? I'd rather my banking credentials be leaked than my email or domain registrar credentials.
What can a person do with my bank account anyway? Nothing, that can't be traced and/or reversed.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
ANYTHING on the internet is NOT secure
Use a local password manager.
A local password manager is just as vulnerable as LastPass, likely more so since few password managers take security as seriously as LasstPass does.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
I know. That's just a disaster waiting to happen. "We got hacked." "You don't say ..."
For the first and last time:
ANYTHING on the internet is NOT secure
Use a local password manager.
I agree with you - but i must add, even if i may sound "paranoid", while i understand how convenient it is: don't use a (local) password manager... use your (brain's) memory!
Most people who use their brain will pick very easy to remember passwords which are in return easy to guess and hack. I have been changing over to using my YubiKey. Slot 1 is configured for OTP, slot 2 is a 32 character static password of random upper and lowercase letters.
This happened three or four years ago too. I thought lastpass was great until that. I shut my account down immediately. They had a lot going for them, but security wasn't one of them.
lastpass seems a little bit strange.
do they have the ability to look your passwords? there's the ability to reset password but is that only for the "two factor"? they claim the decrypted passwords never leave your device, but they have password reminder questions/system? so what the fuck? they have syncing and that so.. do they have the ability to decrypt the data in lastpass or not?
world was created 5 seconds before this post as it is.
In fact, when I wanted to demo about half a dozen dual-factor solutions for a colleague, I showed them all on my LastPass account.
"What can a person do with my bank account anyway? Nothing, that can't be traced and/or reversed."
Then you should feel perfectly safe posting your bank credentials on this site.
You know, we called applications 'apps' long before the invention of the cell phone or the proliferation of the smart phone. In other words, your disdain for the word is a bit silly as it has been a part of our lexicon for quite some time.
"So long and thanks for all the fish."
My niece has a friend (this is, sadly, a true story) who got their first credit card. She was pleased and activated it. She was so excited, and I kid you not, she took a picture of this card and posted it to her Facebook account. I am not sure how they got the 3 or 4 digit number on the back of the card (or if they did) but it took less than a day for the card to reach its limits and, sadly, she is not being held liable for the fraudulent transactions. Some folks should not be allowed credit cards or internet access. My point is, I suppose, that people do not understand even basic security.
"So long and thanks for all the fish."
I have a "universal" password. It basically remains much the same for every site but it is complex and varies per site.
Examples (not real, obviously):
myp@$$W0RD18117tSlashdot
myp@$$W0RD18117tGmail
This has flaws, obviously, but brute force attacks are a small risk as is guessing based on intimate knowledge of me. Of course, if they get one they can get the rest. I attempt to mitigate this by having multiple combinations that I recall easily. If I am unable to remember the password then I just move on to the next format and try that one. I have maybe a dozen that I move through. Some of them include things like the year and I will change the password at the end of that year to a new one. Obviously my above examples are sanitized - they are not real examples.
My system is not perfect, none of them are, but it is one that has worked for me with no known security failures. If I am on a trip then I typically use VNC (encrypted and password protected) and do any serious things from a dedicated computer at home. My feeling is that it does not have to be hard to remember for it to be difficult to guess.
"So long and thanks for all the fish."
I do not know... My security here, on my network, may well be better than that at some unknown company. I, for example, do not have to allow inbound traffic from millions of people. I can stop all inbound traffic that does not originate on my network. I do not have to have constantly running services that may have exploits of their own. I can encrypt all my stored data. I can use a VPN. I can even create my own VPN. I am able to configure a hard or soft firewall to very explicitly cover only my needs and do so myself so that I needn't worry about someone else configuring it properly on my behalf.
I can not say that my network is more secure than this one in the article. What I can say is that it probably is - I have no known attacks that have been successful. I do have a number of intrusion attempts in my logs. I can not be certain that I have not been successfully attacked but it is unlikely. I may not be more secure, which is a process - not an application, than this particular company (it is possible) but I am certainly more secure than the vast majority of online servers. I am also likely more secure than the lastpass site as well. Of course I am far less a target than they are - and I am certain I am vulnerable somewhere (beyond physical attacks).
"So long and thanks for all the fish."
Everything is a prime target for infiltration. So are my online banks. But we all use online banks because we believe that we can and should be able to. Are we just going to give up doing everything because everything is vulnerable and a target? Or do we just do what we do and do it with the most care and attention to security that we can?
I'm sure that Lastpass security is going to be a lot more intense than an average website. And how else are you going to manage the hundreds of dozen-character long, unique, and complex passwords you want to use with each site?
What Lastpass are doing is simply amazing and is enabling a vast improvement in security (and convenience).
And by the way, what are you going to do when your smartphone or laptop is stolen, with all those hundreds of passwords you have saved in your web browser, or else what? put them in a text file? or else used the same passwords for multiple sites? ... as opposed to if you have Lastpass and all you need to do is change your master password and forget about it!
LMAO. Your local password manager on your computer which is ON THE INTERNET!
KeePass is good but their browser add-ons are not as good as Lastpass unfortunately.
Guys, what is your problem? The only way these guys have ANYTHING is if you use your master password on an actual website other than just logging into your lastpass account. Now, if your master paswoord is boobies, then, you're in trouble. But if you use anything remotely decent, you are fine. Especially if you use 2 factor authentication any time you login outside your known trusted devices the diminishing returns are so low... And unlike most companies, at least LastPass has the integrity to actually tell us when there has been a problem. You know, because that's something that responsible companies SHOULD DO. But mostly, they DON'T.
In a lot of cases, I'd rather trust Lastpass's security over that of a native website,
You would be trusting that Lastpass's security is NEVER broken though, because once it's broken, they have ALL your passwords. If only one native website is broken though, then only one of your passwords has been taken.
You have offline solutions for that, like KeePass. I'd rather go with the extra hassle of having to sync the KeePass database myself than being dumb enough to put it on some cloud service. And no, a KeePass database on Dropbox is almost just as dumb.
Well, if I get one of your passwords and know you visit a second site, then I immediately know the password to that second site. Not terribly secure.
I suspect their security is actually pretty good. Just not perfect.
At least your computer with your KeePass file is not such a high profile target as the LastPass servers (unless you're Edward Snowden perhaps).
Aha. What? In the US if your banking credentials get out on your end the bank is under no legal obligation to make your account whole. They'll try to reverse transactions, but if the money's gone the money's gone and it's your problem. The fact that the money can be traced to an organized crime syndicate in far-away country where nobody cares is not going to help you much.
But it's quite easy to brute force. "So, you didn't like us breaking your finger? You have 9 more to go unless you give us the password".
You dream about logging in? You work too hard. :-)
To be honest, the idea that anybody who can see your credit card can take your money is not really security at all. Usually transactions require additional evidence - either the physical card, the PIN, the address, or the security code.
I know that a company like Lastpass has paid professionals to maintain infrastructure with strict security, vs. whatever I would be able to muster on my own. I could use Keepass and perhaps sync with my Owncloud server, but then is my security going to be better than theirs? Probably not even close.
I like the idea of Keepass and have it installed, but their plugins are not as good as Lastpass and using it is kind of cludgy. I have no special allegiance to Lastpass in particular, although I personally think they are probably the best at what they do and have been around the longest and the annual fee - something I'm more than happy to pay knowing they are professionals - it totally reasonable and worth far more than the amount of resources I would have to expend to produce duplicate functionality on my own.
Because a local machine is inherently unhackable...
There are plenty of tech-savvy people who use services like LastPass. Of course putting all your passwords in one place, on one server, comes with risks. It also has a few advantages, including: > They notify you of hacks to sites you have passwords stored for > You don't have to type passwords, protecting you from keyloggers If it turns out that the people who've attacked LastPass have information that genuinely puts my passwords at risk then I can change my passwords. I'd assume they are going to generate and apply new per user salts, and everything else declared doesn't overly concern me. If it turns out that someone has the encrypted file containing passwords, and the salt, then I'll change my passwords even though it's almost inconceivable that anyone would take the effort to decrypt the files.
What happens if you lose the device? If it backs them up where does it back them up to, how does it get them to the backup and how secure is it? Without knowing a lot more I'd be equally, or more dubious, of claims that password managers on devices like phones are any more secure overall.
What is troubling is that every time you use this credit card over the phone etc, you give out all that personal info just to make the transaction and who says that the person you are talking to is not just putting the details in a chip/pin machine as "card holder not present" but also writing the details down in a notebook to sell/use at a later date as they have just.... got your full name as what's on the card, they have you 16 digit number they have your start date they have your end date and they have the 3 digit CVV code on the back of the card.
I dare say his problem isn't about the recentness of the word "app" but rather the overuse by PR drones.
In a lot of cases, I'd rather trust Lastpass's security over that of a native website,
If only one native website is broken though, then only one of your passwords has been taken.
You mean the one password that has been used on every other site.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Or you can simply change the one master password and your problem is solved.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
It is possible to remember an arbitrary number of different, safe passwords. My method is to have one password that is short, but hard, in the meaning of impossible to crack by dictionary attack. Think random letters, numbers, the stuff that is hard to memorize. But it's always the same base password, so you will know it by heart eventually. Assuming the website you use the password on hashes the password, that leaves you vulnerable to lookup/rainbow tables, because the base password should be fairly short, below 10 chars.
To defeat rainbow tables, I salt that password in a way I don't have to memorize but can easily deduce, for example with the site I'm using the password on. Examples: ReallyHardPasswordSlashdot, ReallyHardPasswordGoogle, ReallyHardPasswordSteam, etc. They all are different and not reusable, their hashes are different, they are (hopefully) long enough to be too long for rainbow tables
The grass is always greener on the other side of the light cone.
Self-reply: Or just use hunter2 for everything, it will show up as ******* for everyone that isn't you.
The grass is always greener on the other side of the light cone.
I am not sure how they got the 3 or 4 digit number on the back of the card
only takes a thousand attempts (at worst) to guess that number. You'd hope the card system would block it after 3 or so failed attempts, but you never know if they do.
And how else are you going to manage the hundreds of dozen-character long, unique, and complex passwords you want to use with each site?
with an offline tool, like keepass. Same functionality, only stored locally (or on your phone), not on the cloud.
This: rezial.com I admit that I never tried LastPass, so I'm not claiming this is better/more convenient.. I use it, and I'm happy with it. but now I also want to try LastPass :)
Incorrect. Anyone can remember three reasonably secure (read: long and not all lower case) passphrases. Use them in tiers where one is for "I don't care if my Slashdot/Ars Technica/Disqus/TPB account really gets hacked" and one is for "this is an email account that a lot of other accounts can be password reset to hijack, don't use this anywhere but on email accounts that need to be secure" and one is exclusively for bank accounts or other highly sensitive information. That way if "LOL We Use No TLS And MD5 And Store Password Hashes In Cookies Forum" gets hacked and someone cracks your forum account password from the hash, the only risk is to your not-too-important accounts and they don't have your email account password.
Or your 30 passwords can look like "Mfdajsio[][$#@5625429i04356kio:FSD===-F" and you can trust all of them to a password manager and pray that the one magical master password for that manager doesn't fall into the wrong hands, lest your single point of failure give up a list of all your accounts along with their corresponding passwords.
No security is perfect, that's why you have need to have a good incident response plan.
This: rezial.com
I admit that I never tried LastPass, so I'm not claiming this is better/more convenient.. I use it, and I'm happy with it.
but now I also want to try LastPass :)
Will that auto-fill password forms? Also, how is it any more secure? You're still encrypting your password list and storing it on somebody else's server - if somebody obtains the encrypted list they can attempt to brute-force it.
And if your Lastpass account is ever hacked you'll lose access to all those accounts.
Well, you can keep backups but obviously if they brute force your encryption key then they can log into all your accounts and change your passwords on you.
Better to come up with a simple algorithm to generate your password based on the site you're using. No need to store anything. One less 3rd party knowing all the sites you care about. One hack required per account. Automated hacking and data mining tools aren't going to understand your algorithm.
That has a few challenges:
1. The algorithm needs to be secure. That likely means you can't do it in your head. It probably also means that you'll want to use a standardized tool which is secure.
2. You need to be able to run the algorithm from any device you want to access a website from.
3. If you want auto-fill of password forms (a major timesaver with lastpass) then you need to write a fairly robust application for multiple platforms, which means you'll probably use the same program to run your algorithm everybody else uses.
4. Your algorithm needs to take into account that a single domain could have multiple passwords, and multiple domains could use a shared password. Again, sounds like a robust tool is needed.
5. Using standardized tools means that automated brute-forcing becomes a possibility.
6. Depending on the algorithm, obtaining the password for one site might allow an offline brute-force attack on the algorithm which could yield your other passwords.
I will agree that one advantage of this sort of approach is that there is no cache of passwords to crack, which means that you have to attack the individual websites which generally means an online attack (throttled, limited attempts, etc). However, see #6 above.
There's always this: http://www.passwordcard.org/en
As mentioned, writing down your passwords (which this is just a fancy version of) makes them harder to crack online, but opens you up to a different set of attacks, especially any that involve physically overpowering you.
A lot of sites still don't require the three digit code on back (sadly).
I agree. I don't use it... just the standalone client on Linux and KeePass2Android on Android.
What do you think you told us so? I take it you didn't read the article...
My master password is 21-characters long. Even with the hashes having been collected, wouldn't it still take this side of forever to brute-force it? Should I still change my master password?
I'm really a low 5-digit Slashdotter, but this ID is where I am now.
How do you sync that between multiple computers, your phone and your tablet?
Not the same functionality.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Lastpass is extremely convenient and I don't know of many practical alternatives that are any more secure against the same threat models.
Keepass with sync to a Google account. Gives you everything Lastpass Premium does for free, and it's more secure to boot. 2FA is free with Google accounts (no need to buy additional hardware), sync to mobile devices is free, and by not running in the browser and allowing you to use an optional keyfile as well as a master password it's more secure.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I think it would be prudent to still have a password change/reset policy if you are using something like LastPass. If the individual sites get hacked your account is still compromised.
I'm a good cook. I'm a fantastic eater. - Steven Brust
I sync via SFTP. You could also sync via dropbox, google drive, or one of the other million things keepass has extensions for.
Comment Signature
And when you're on a corporate machine or server where you can't use Dropbox? Keepass is not LastPass. They both have their strengths.
So what you are saying is that you use Keepass in a way so that it can act just like LastPass, but it is Dropbox that has access instead of LastPass?
There is no benefit of Keepass stored on Dropbox over LastPass. They work entirely the same. In LastPass, the password database is encrypted with the access password, and LastPass has no access to your password database.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
I use Mozy to back it up, and BTSync to sync it with my phone.
As I said specifically said "I'm not claiming this is better". Just replying to OP wrt to existing alternatives.
Brute force? I would argue that by the time they broke it became irrelevant.
So ignore the PR drones and keep using the words as you used to, don't let the drones destroy a perfectly good word.
"What can a person do with my bank account anyway? Nothing, that can't be traced and/or reversed."
Then you should feel perfectly safe posting your bank credentials on this site.
Not really, he didn't say that nothing will happen, just that a small amount of work will be needed to fix it.
That doesn't mean he wants to do that work for no reason.
do they have the ability to look your passwords?
No, they do not. So if you ever forget your master password, you lose all your Lastpass-managed passwords forever (happened to my husband..). Everything is encrypted by your master password before it gets to Lastpass.
The only thing they have access to is your password hint, settable by you, which could be anything (and I usually set my password hint to have no relation to the master password).
I mentioned that. When you hit a second account (easily gathered with my unique username here) then you *may* run into one of the other combinations. So no, not totally secure once one is gone.
"So long and thanks for all the fish."
As soon as I change my master password as prompted by the LastPass email, they have nothing.
As far as I can tell - "not so fast". You also have to tell LastPass to not allow you to automagically revert to your previous master password. That's hidden under 'Advanced Settings'.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I used to do this, except that if one of those sites ever leaks the passwords plaintext, you re screwed everywhere, since it'll be trivial to add 'ReallyHardPassword' as a prefix for the site. Ditto if you cleverly change google->G0o9Le. ;)
As for 'salting', most* people use some variation of uppercase first letter, uppercase last and/or leding/ending "1" as their password. (Clever ones use 0 instead of 1) so if your password is "1ReallyHardPasswordGoogle!1" well, congratultions, you can now open my luggage
As many people point out, you really should have unique passwords for every site. For the really paranoid, you could use your password manager's password as salt, provided you trust their rnd genertor (spoiler: you must). It's trivial to just -manually- add the site name to the password form, so if you want to log in as me to slashdot, you'd use "aeCxXAk&+5a_s1&&Slashdot"
I _already_ do. I remember one passphrase that I use to access my local password manager.
Click on the site I'm trying to login into, Ctrl-C, Alt-Tab, Ctrl-V. Done.
Why the hell would I waste my time trying to remember 100+ passwords when one will do the job??
You also said it was a "small risk" when it's actually a massive risk. Get Gmail password, look for signups to other sites (invariably will contain username), notice Gmail password is XYZ123gmail, WOLOG say there was a Slashdot signup, go to slashdot.org and attempt login with username listed in Slashdot email + XYZ123slashdot, repeat for any other email with "registration" in the subject.
I do this, and I need one of two Yubikey Neo's to decrypt.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Woosh!
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Lastpass is extremely convenient and I don't know of many practical alternatives that are any more secure against the same threat models.
Keepass with sync to a Google account. Gives you everything Lastpass Premium does for free, and it's more secure to boot. 2FA is free with Google accounts (no need to buy additional hardware), sync to mobile devices is free, and by not running in the browser and allowing you to use an optional keyfile as well as a master password it's more secure.
Well, it is missing support for ChromeOS (which also requires running in the browser). :)
And I don't really see it as any more secure. Somebody can hack into Lastpass, and somebody can hack into Google. Both are likely fairly robust with their security. Apparently Lastpass is fairly up-front about intrusions.
And nothing prevents you from using a keyfile with lastpass. Just copy/paste it into the password prompt right after typing in your memorized portion of the password. :)
I'd say that keepass is at best equivalent to lastpass if you're able to access the passwords from multiple systems, and if you don't implement it well you could be worse off.
Nah, those all go to a spam email and that stuff is automatically deleted. It is a throw away account at one of the spam email services. Those will use a different password format. Still not totally secure.
"So long and thanks for all the fish."
And it is starting to happen... http://www.kurzweilai.net/brai...
Most of my computer friends write down the passwords but alter them in some pattern that works in their head. So ShittyIceCream8456 is ChapmansIceCream5684
I'm interested in that Yubikey Neo solution too...