Slashdot Mirror
LastPass Reporting a Security Breach, Including Authentication Hashes and Salts
hawkeyeMI writes: LastPass, the popular password manager, has been hacked. The company says that the “vast majority” of users are safe, and has posted a notice which begins: "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
Who the fuck would think it's smart to use some web service like that, where some third party ends up with your passwords, even if they are encrypted in some way?
They're very handy for websites that have poor native security, as the passwords Lastpass generates are extremely tough. In a lot of cases, I'd rather trust Lastpass's security over that of a native website, and they have open sourced their client side decryption process as well (which has received several audits). I don't use it for anything I consider super sensitive (my bank account, for example), but it's pretty good for a lot of other applications.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
It's very hard to hack, but susceptible to data loss.
They're very handy for websites that have poor native security
Like lastpass.com?
I know. That's just a disaster waiting to happen. "We got hacked." "You don't say ..."
For the first and last time:
ANYTHING on the internet is NOT secure
Use a local password manager.
I'd like to take this time to recommend an excellent open source project called KeePassX.
https://www.keepassx.org/
It's a password vault application. Remember local applications, they run on your computer, that you physically have to be at to use(usually).
The Information Revolution will be fought on the command line.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
Salting is nice, but when the attacker gets both the hash and the salt, they can attack specific users. Still, the 100k rounds of SHA256 seem decent.
Would bcrypt be any better than PBKDF2 here?
That's just stupid. No one can remember 30+ passwords. And not using unique passwords is the dumbest possible thing (gmail account "hack" from earlier this year)
So, *sometimes* use your brain.
I'm the submitter. I'm a LastPass user and I'll stay that way. If you actually read the article you'll see that things are under control. This is the second time LastPass has reported an attack that I can remember, and because of the client-side encryption and so on it's not a huge deal. Bravo to them for their proactive stance and sound methods.
Error 404 - Sig Not Found
"Almost everyone has a local password manager... it's commonly referred to as a brain."
Unfortunately the H. Sapiens Mark I brain is only good at remembering bad passwords. To remember good ones, you need a password manager.
Using auditory clues to induce dreams about a given topic is not impossible, and if the visual cortex activity can be decoded the simpler motor cortex that plays back your typing movements during password entry could also be decoded.
Your brain is hackable, with tools other than an axe.
"We’ve commissioned a write only off-site aggregated log server which can only be accessed via the console. This will allow us a guarantee that any logging is intact." ref
It's a strange idea to store passwords in the cloud anyway. I use these simple scripts in Ubuntu. Could work on Mac too, and I had a Windows/Perl/batch-file version long ago:
$ cat `which p`
#!/bin/bash
[ -d /media/truecrypt1 ] || t on
# accept up to 3 arguments, and filter on all 3 /media/truecrypt1/p /media/truecrypt1/p | grep -i "$2" | grep -i "$3"
if [ -z "$2" ]; then
grep -ni "$1"
else
grep -ni "$1"
fi
$ cat `which padd` /media/truecrypt1 ] || t on
#!/bin/bash
[ -d
echo `date +%F` " $@" >>/media/truecrypt1/p
And to mount the truecrypt volume:
$ cat `which t`
#!/bin/sh
file=$HOME/timecode
tcvol=/media/truecrypt1
do=$1
case "$do" in /media/truecrypt1
"on")
if grep -q
There is a bit missing in the post above:
$ cat `which t`
#!/bin/sh
file=$HOME/timecode
tcvol=/media/truecrypt1
do=$1
case "$do" in /media/truecrypt1 < /proc/mounts ; then ;; ;; ;; ;;
"on")
if grep -q
logger -t truecrypt "$0 Starting tc: already mounted"
exit
fi
logger -t truecrypt "$0 Starting tc"
DISPLAY=:0.0 truecrypt $file
"off")
t=$(find $tcvol -type f -printf "%TY-%Tm-%Td %TH:%TM\n" | sort -n | tail -1)
truecrypt -d
if [ -n "$t" ] ; then
touch -d "$t" $file
logger -t truecrypt "$0 Stopped tc and set mtime to $t"
else
logger -t truecrypt "$0 Stopped tc; no mtime to set found"
fi
"status")
truecrypt -t -l
"*")
echo "Usage: $0 on|off|status";
logger -t truecrypt "Bad option '$do' given to $0"
exit 1;
esac
LastPass of course is going to be a target; but if you used the product as recommended with 2nd factor authentication and not reusing your master password elsewhere you don't have anything to worry about. LastPass is handling this in a measured, logical, efficient manner - and as always, they err on the safe side. Of course, this being the internet, you have the usual suspects crying chicken little, the sky is falling.
I'm the submitter. I'm a LastPass user and I'll stay that way. If you actually read the article you'll see that things are under control.
This is the second time LastPass has reported an attack that I can remember, and because of the client-side encryption and so on it's not a huge deal. Bravo to them for their proactive stance and sound methods.
Not only that, but even if the encrypted vault were compromised along with the hashes/etc (allowing somebody to start brute-forcing them), I could easily use lastpass to identify all my accounts and the last change date for each. Since almost all my accounts use random passwords changing them all is a bit of a pain, but not too big a deal. I'm just replacing one random string of values with another. I could change all my accounts in a weekend and all the new passwords are synced across my devices.
Lastpass is extremely convenient and I don't know of many practical alternatives that are any more secure against the same threat models. Maybe a piece of paper in my pocket would be more secure against the remote attacks, but I don't really see that as a step up.
Who the fuck would think it's smart to use some web service like that, where some third party ends up with your passwords, even if they are encrypted in some way?
People who understand how LastPass security works.
LastPass security is actually quite good, and designed to be resilient against data breaches. The attackers haven't gotten any passwords. What they have gotten is hashes, salts, and hints which could lead to passwords, given enough time and computational power.
The clock started ticking as soon as the attackers obtained the data dump. As soon as I reset my master password, the clock stops ticking. Between those two events is the only window of time the attackers have to brute-force the hash or guess my password based on the hint. As soon as I change my master password as prompted by the LastPass email, they have nothing.
If you use 2-factor authentication with LastPass, like Google Auth, even if they crack your master password before you change it, they still have nothing.
Eagles may soar, but weasels don't get sucked into jet engines.
By centralizing all the passwords they are a prime target for infiltration. The hackers knew that by taking this one business they would potentially gain access to millions of websites. In a normal attack they have no idea if they will get good data, with LastPass they couldn't miss. That then makes them one of the most high profile targets on the internet and they'd need NSA level security to keep people out. I little internet company with world class security? I don't think so, even Google got hacked with a spear fishing attack.
I agree with the other posters, you'd have to be nuts to use LastPass for anything that was tied to financial transactions. And just even the secondary effects could be tremendous now that they have login information (depending on the number of websites the last pass information could give them all kinds of information out accounts and names/emails used making the hacking significantly easier).
In fact, when I wanted to demo about half a dozen dual-factor solutions for a colleague, I showed them all on my LastPass account.
"What can a person do with my bank account anyway? Nothing, that can't be traced and/or reversed."
Then you should feel perfectly safe posting your bank credentials on this site.
My niece has a friend (this is, sadly, a true story) who got their first credit card. She was pleased and activated it. She was so excited, and I kid you not, she took a picture of this card and posted it to her Facebook account. I am not sure how they got the 3 or 4 digit number on the back of the card (or if they did) but it took less than a day for the card to reach its limits and, sadly, she is not being held liable for the fraudulent transactions. Some folks should not be allowed credit cards or internet access. My point is, I suppose, that people do not understand even basic security.
"So long and thanks for all the fish."
LMAO. Your local password manager on your computer which is ON THE INTERNET!
But it's quite easy to brute force. "So, you didn't like us breaking your finger? You have 9 more to go unless you give us the password".
To be honest, the idea that anybody who can see your credit card can take your money is not really security at all. Usually transactions require additional evidence - either the physical card, the PIN, the address, or the security code.
I know that a company like Lastpass has paid professionals to maintain infrastructure with strict security, vs. whatever I would be able to muster on my own. I could use Keepass and perhaps sync with my Owncloud server, but then is my security going to be better than theirs? Probably not even close.
I like the idea of Keepass and have it installed, but their plugins are not as good as Lastpass and using it is kind of cludgy. I have no special allegiance to Lastpass in particular, although I personally think they are probably the best at what they do and have been around the longest and the annual fee - something I'm more than happy to pay knowing they are professionals - it totally reasonable and worth far more than the amount of resources I would have to expend to produce duplicate functionality on my own.
Store it on "the cloud"! Everything will be fine!
And guess what? If you used even the most basic security hygiene, especially with your LastPass master password, it still is.
And how else are you going to manage the hundreds of dozen-character long, unique, and complex passwords you want to use with each site?
with an offline tool, like keepass. Same functionality, only stored locally (or on your phone), not on the cloud.