Slashdot Mirror

← Back to Stories (view on slashdot.org)

LastPass Reporting a Security Breach, Including Authentication Hashes and Salts

Posted by samzenpus on from the one-password-to-rule-them-all dept.

hawkeyeMI writes: LastPass, the popular password manager, has been hacked. The company says that the “vast majority” of users are safe, and has posted a notice which begins: "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

12 of 206 comments (clear)

  1. Re:Who the fuck would use something like that? by EmeraldBot · · Score: 4, Informative

    Who the fuck would think it's smart to use some web service like that, where some third party ends up with your passwords, even if they are encrypted in some way?

    They're very handy for websites that have poor native security, as the passwords Lastpass generates are extremely tough. In a lot of cases, I'd rather trust Lastpass's security over that of a native website, and they have open sourced their client side decryption process as well (which has received several audits). I don't use it for anything I consider super sensitive (my bank account, for example), but it's pretty good for a lot of other applications.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  2. Re:Who the fuck would use something like that? by Anonymous Coward · · Score: 5, Funny

    They're very handy for websites that have poor native security

    Like lastpass.com?

  3. KeePassX by smutt · · Score: 5, Informative

    I'd like to take this time to recommend an excellent open source project called KeePassX.

    https://www.keepassx.org/

    It's a password vault application. Remember local applications, they run on your computer, that you physically have to be at to use(usually).

    --
    The Information Revolution will be fought on the command line.
  4. Hash and Salt by psyclone · · Score: 4, Interesting

    We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

    Salting is nice, but when the attacker gets both the hash and the salt, they can attack specific users. Still, the 100k rounds of SHA256 seem decent.

    Would bcrypt be any better than PBKDF2 here?

  5. Re:Who the fuck would use something like that? by Anonymous Coward · · Score: 4, Insightful

    That's just stupid. No one can remember 30+ passwords. And not using unique passwords is the dumbest possible thing (gmail account "hack" from earlier this year)

    So, *sometimes* use your brain.

  6. Re:I believe I have a pile of I-told-you-sos to se by hawkeyeMI · · Score: 5, Informative

    I'm the submitter. I'm a LastPass user and I'll stay that way. If you actually read the article you'll see that things are under control. This is the second time LastPass has reported an attack that I can remember, and because of the client-side encryption and so on it's not a huge deal. Bravo to them for their proactive stance and sound methods.

    --
    Error 404 - Sig Not Found
  7. People need to settle down... by gbcox · · Score: 5, Insightful

    LastPass of course is going to be a target; but if you used the product as recommended with 2nd factor authentication and not reusing your master password elsewhere you don't have anything to worry about. LastPass is handling this in a measured, logical, efficient manner - and as always, they err on the safe side. Of course, this being the internet, you have the usual suspects crying chicken little, the sky is falling.

    1. Re:People need to settle down... by j-turkey · · Score: 4, Insightful

      ...Of course, this being the internet, you have the usual suspects crying chicken little, the sky is falling.

      They're also smugly saying "I told you so" - and doing so seemingly without understanding the situation. The situation hasn't changed since the beginning: don't use the service if you don't trust the encryption. If the service is breached and the (open source, peer reviewed) encryption stands up to attack, then the threat is astronomically minimal.

      --

      -Turkey

  8. Re:I believe I have a pile of I-told-you-sos to se by Rich0 · · Score: 4, Informative

    I'm the submitter. I'm a LastPass user and I'll stay that way. If you actually read the article you'll see that things are under control.

    This is the second time LastPass has reported an attack that I can remember, and because of the client-side encryption and so on it's not a huge deal. Bravo to them for their proactive stance and sound methods.

    Not only that, but even if the encrypted vault were compromised along with the hashes/etc (allowing somebody to start brute-forcing them), I could easily use lastpass to identify all my accounts and the last change date for each. Since almost all my accounts use random passwords changing them all is a bit of a pain, but not too big a deal. I'm just replacing one random string of values with another. I could change all my accounts in a weekend and all the new passwords are synced across my devices.

    Lastpass is extremely convenient and I don't know of many practical alternatives that are any more secure against the same threat models. Maybe a piece of paper in my pocket would be more secure against the remote attacks, but I don't really see that as a step up.

  9. Re:Who the fuck would use something like that? by Anonymous+Psychopath · · Score: 5, Informative

    Who the fuck would think it's smart to use some web service like that, where some third party ends up with your passwords, even if they are encrypted in some way?

    People who understand how LastPass security works.

    LastPass security is actually quite good, and designed to be resilient against data breaches. The attackers haven't gotten any passwords. What they have gotten is hashes, salts, and hints which could lead to passwords, given enough time and computational power.

    The clock started ticking as soon as the attackers obtained the data dump. As soon as I reset my master password, the clock stops ticking. Between those two events is the only window of time the attackers have to brute-force the hash or guess my password based on the hint. As soon as I change my master password as prompted by the LastPass email, they have nothing.

    If you use 2-factor authentication with LastPass, like Google Auth, even if they crack your master password before you change it, they still have nothing.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

  10. LastPass has many 2-factor options by Beryllium+Sphere(tm) · · Score: 4, Informative

    In fact, when I wanted to demo about half a dozen dual-factor solutions for a colleague, I showed them all on my LastPass account.

  11. Re:Heh by Jawnn · · Score: 5, Informative

    Store it on "the cloud"! Everything will be fine!

    And guess what? If you used even the most basic security hygiene, especially with your LastPass master password, it still is.