Slashdot Mirror


LastPass Reporting a Security Breach, Including Authentication Hashes and Salts

hawkeyeMI writes: LastPass, the popular password manager, has been hacked. The company says that the “vast majority” of users are safe, and has posted a notice which begins: "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

6 of 206 comments

  1. Re:Who the fuck would use something like that? by Anonymous Coward · · Score: 5, Funny

    They're very handy for websites that have poor native security

    Like lastpass.com?

  2. KeePassX by smutt · · Score: 5, Informative

    I'd like to take this time to recommend an excellent open source project called KeePassX.

    https://www.keepassx.org/

    It's a password vault application. Remember local applications, they run on your computer, that you physically have to be at to use (usually).

    --
    The Information Revolution will be fought on the command line.
  3. Re:I believe I have a pile of I-told-you-sos to se by hawkeyeMI · · Score: 5, Informative

    I'm the submitter. I'm a LastPass user and I'll stay that way. If you actually read the article you'll see that things are under control. This is the second time LastPass has reported an attack that I can remember, and because of the client-side encryption and so on it's not a huge deal. Bravo to them for their proactive stance and sound methods.

    --
    Error 404 - Sig Not Found
  4. People need to settle down... by gbcox · · Score: 5, Insightful

    LastPass of course is going to be a target; but if you used the product as recommended with 2nd factor authentication and not reusing your master password elsewhere you don't have anything to worry about. LastPass is handling this in a measured, logical, efficient manner - and as always, they err on the safe side. Of course, this being the internet, you have the usual suspects crying chicken little, the sky is falling.

  5. Re:Who the fuck would use something like that? by Anonymous+Psychopath · · Score: 5, Informative

    Who the fuck would think it's smart to use some web service like that, where some third party ends up with your passwords, even if they are encrypted in some way?

    People who understand how LastPass security works.

    LastPass security is actually quite good, and designed to be resilient against data breaches. The attackers haven't gotten any passwords. What they have gotten is hashes, salts, and hints which could lead to passwords, given enough time and computational power.

    The clock started ticking as soon as the attackers obtained the data dump. As soon as I reset my master password, the clock stops ticking. Between those two events is the only window of time the attackers have to brute-force the hash or guess my password based on the hint. As soon as I change my master password as prompted by the LastPass email, they have nothing.

    If you use 2-factor authentication with LastPass, like Google Auth, even if they crack your master password before you change it, they still have nothing.

    --
    Eagles may soar, but weasels don't get sucked into jet engines.
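To see concretely why the stolen salts and authentication hashes are not passwords, and why resetting the master password leaves the attacker with a stale record, here is an added Python sketch that is not from the post or from LastPass: a client-side PBKDF2 of the master password keyed on the email, then a server-side PBKDF2 under a random per-user salt. The KDF choice, round counts, field names and sample accounts are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Illustrative scheme only (not LastPass's code): the client stretches the master
# password with PBKDF2 keyed on the account email, and the server stores a second
# PBKDF2 of that key under a random per-user salt. A stolen server record is then
# exactly what the notice lists: email, per-user salt and authentication hash.
CLIENT_ROUNDS = 5_000   # assumed values, kept small so the demo runs quickly
SERVER_ROUNDS = 20_000

@dataclass(frozen=True)
class ServerRecord:
    email: str
    salt: bytes       # server per-user salt
    auth_hash: bytes  # hash of the client-derived authentication key

def client_auth_key(email: str, master_password: str) -> bytes:
    """Client side: the raw master password never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)

def server_hash(auth_key: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", auth_key, salt, SERVER_ROUNDS)

def enroll(email: str, master_password: str) -> ServerRecord:
    salt = secrets.token_bytes(16)  # fresh per-user salt on every (re)enrollment
    return ServerRecord(email, salt, server_hash(client_auth_key(email, master_password), salt))

def verify(record: ServerRecord, master_password: str) -> bool:
    candidate = server_hash(client_auth_key(record.email, master_password), record.salt)
    return hmac.compare_digest(candidate, record.auth_hash)

def breach_demo() -> dict:
    # Constructed sample accounts; both users happen to pick the same master password.
    alice = enroll("alice@example.com", "correct horse battery staple")
    bob = enroll("bob@example.com", "correct horse battery staple")
    stolen = alice  # the attacker's copy of Alice's server record from the dump
    # Alice follows the notice and sets a new master password; re-enrolling also
    # draws a fresh salt, so the stolen (salt, hash) pair no longer matches anything live.
    alice_rotated = enroll(alice.email, "a new passphrase chosen after the notice")
    return {
        "stolen_record_verifies_old_password": verify(stolen, "correct horse battery staple"),
        "same_password_gives_same_hash": alice.auth_hash == bob.auth_hash,
        "stolen_record_verifies_new_password": verify(stolen, "a new passphrase chosen after the notice"),
        "live_record_verifies_new_password": verify(alice_rotated, "a new passphrase chosen after the notice"),
        "live_record_verifies_old_password": verify(alice_rotated, "correct horse battery staple"),
    }
```

The stolen record can only confirm a guess of the old password, one stretched KDF evaluation at a time; per-user salts keep identical passwords from sharing a hash, and once the password is rotated the record confirms nothing that still works.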

  6. Re:Heh by Jawnn · · Score: 5, Informative

    Store it on "the cloud"! Everything will be fine!

    And guess what? If you used even the most basic security hygiene, especially with your LastPass master password, it still is.