LastPass *possibly* Hacked

Your password may have been compromised.
They're forcing people to change their passwords though it looks like their site may not be up to the task.

An offline (free) password manager is KeePass.

*maybe hacked. They aren't sure. But it looks like they are doing the proper thing with quick notifications and actions, unlike Sony.

And your passwords should be safe if you used a smart (non dictionary) password in the first place. Only way they'll be able to truly get passwords out of this IF they did get the database is brute force attacks using dictionary attacks.

Good grief. The only way to be safe is go offline.

MrDeVil909 wrote:

Good grief. The only way to be safe is go offline.

Ding ding..

Dr.Ghastly wrote:
MrDeVil909 wrote:

Good grief. The only way to be safe is go offline.

Ding ding..

I'll miss you guys.

MannishBoy wrote:

*maybe hacked. They aren't sure. But it looks like they are doing the proper thing with quick notifications and actions, unlike Sony.

And your passwords should be safe if you used a smart (non dictionary) password in the first place. Only way they'll be able to truly get passwords out of this IF they did get the database is brute force attacks using dictionary attacks.

This. The topic should be "LastPass Possibly Hacked" as at this point, they have no confirmation of that beyond an unusual traffic spike on their servers. They are taking the paranoid route while they investigate. I listened to SecurityNOW's analysis of LastPass a while back (it's why I use them) and the passwords are encrypted to Hell and gone. If you lose your master password, they can't reset it for you. If you used a proper secure password as your master password on LastPass (and you're insane if you didn't), then you'll be fine.

Yeah, this is sort of the anti-Sony -- they noticed indirect evidence that they might be hacked, and hit the big red Panic button.

Inconvenient, but much, much safer.

Important bits of information:

1. As stated by others, there is no evidence of an intrusion. All there is is a bit of unaccounted-for traffic between one of their machines and the database.

2. According to LastPass, the amount of traffic was not sufficient for users' actual password vaults to have been transferred. At most, email addresses and corresponding password hashes were taken. This is important because it means attackers (if they exist) do NOT have the ability to run offline attacks on your password vault. (If they had the vaults, changing your master password would not be sufficient, as the copied vault would still be encrypted by the old master password).

3. If your master password is a strong one, attackers (if they exist) have very little practical chance of acquiring your password. The only really viable threat is against people with weak, dictionary-crackable passwords.

4. If you use a Yubikey with your LastPass account, you are still safe even if your password does crack.

TL;DR: If you had a weak password or you just want to be extra paranoid secure, go change your master password to something strong (not dictionary-crackable), and go about your day. (Almost) nothing to see here.

And if you want a Yubikey, you can get one for $15 right now by buying the "VIP" one (pre-configured for Symantec's VIP service) and using the coupon code: VIPoffer. (There will be a little bit more configuration required for this one as it doesn't come preloaded with a Yubico ID, but you can add one in yourself. Or just buy the normal key for $25).

I am so glad that just about a month ago, I bumped my LastPass password from somewhat strong to really really strong.

Thread title is panic inducing. I just started using lastpass after the sony debacle started and then I see this and I'm all "Oh for f's sake." I have a strong password so it sounds like I'm good.

On the note of passwords, why would any site restrict you to a short password? I have some 12 character passwords that I can't use because some sites restrict you to 11 or, worse, 8. Some sites won't let you use special characters, either. Seriously?

EvilHomer3k wrote:

On the note of passwords, why would any site restrict you to a short password? I have some 12 character passwords that I can't use because some sites restrict you to 11 or, worse, 8. Some sites won't let you use special characters, either. Seriously?

I was changing passwords on a brokerage account yesterday. Despite their requiring about 5 different security questions, they didn't allow for special characters.

Eyes rolled I tell 'ya.

EvilHomer3k wrote:

On the note of passwords, why would any site restrict you to a short password? I have some 12 character passwords that I can't use because some sites restrict you to 11 or, worse, 8. Some sites won't let you use special characters, either. Seriously?

Long ago, UNIX passwords were limited to 8 characters under the old DES-based algorithm for crypt(). Characters above 8 were discarded. This was an issue very recently with Gawker, as users' passwords were easily cracked when Gawker was compromised because they were still using this old legacy system. (A good test to try: attempt to log in to sites you use using only the first 8 characters of your password. If it's like Gawker was, it would work).

Beyond that, limiting password length is a way that some systems limit database size. This, however, is a dead ringer giveaway that the system in question is storing passwords themselves instead of hashes of the passwords. A hash is going to be the same length whether the password is 1 character or 100. A service limiting password size is a warning sign that there are probably deeper security issues in this service and that you might want to go looking elsewhere for what this service is providing.

As for restricting special characters, that's a giveaway that they're either (a) storing passwords in plain-text and trying to prevent you from using your password as an SQL injection attack vector, or (b) they just don't understand the password security problem well enough and would rather simply disallow and discard special characters than actually figure out WTF they're doing.

To be fair, there's also (c) integration with a legacy system that required (or still requires) supporting alphanumeric-only phone keypads. Frankly, a lot of web interfaces for financial institutions are just nice front-ends communicating with some gnarly ancient big iron in the back.
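The "log in with only the first 8 characters" test from Legion's post, written up as a reusable probe. This is an added example, not code from the post or from any real site: the two backends are constructed stand-ins (a legacy store that, like DES-based crypt(3), ignores everything past the 8th character, and a modern store that hashes the whole password), and the salt and passphrase are made up here. The probe is stricter than a single prefix login: it also checks that junk appended to the prefix is ignored, and that the cut-off is not even shorter than 8.

```python
"""Probe a login for silent 8-character password truncation.

Added example, not from the post above or from any real site. The two
backends are constructed stand-ins (a legacy store that, like DES-based
crypt(3), ignores everything past the 8th character, and a modern store
that does not); probe_truncation() is the reusable check.
"""
import hashlib
import hmac

DES_CRYPT_LIMIT = 8  # traditional crypt(3) silently drops characters past the 8th
SALT = b"constructed-salt"


def legacy_store(password: str, salt: bytes) -> bytes:
    """Stand-in for a DES-crypt-era store: only the first 8 characters matter."""
    return hashlib.sha256(salt + password.encode()[:DES_CRYPT_LIMIT]).digest()


def modern_store(password: str, salt: bytes) -> bytes:
    """Stand-in for a store that hashes the whole password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def make_login(store_fn, password: str, salt: bytes = SALT):
    """Enrol `password` and return a login(attempt) -> bool function."""
    stored = store_fn(password, salt)

    def login(attempt: str) -> bool:
        return hmac.compare_digest(store_fn(attempt, salt), stored)

    return login


def probe_truncation(login, password: str, limit: int = DES_CRYPT_LIMIT) -> bool:
    """True if `login` ignores everything past `limit` characters.

    Three checks, all of which must hold: the bare prefix logs in, the
    prefix with junk appended logs in (so extra characters are really
    ignored, not merely tolerated), and one character fewer than the limit
    does not (so the cut-off is not even shorter than suspected).
    """
    if len(password) <= limit:
        raise ValueError("need a password longer than the suspected limit")
    if not login(password):
        raise ValueError("the full password must log in before probing")
    prefix = password[:limit]
    return login(prefix) and login(prefix + "junk") and not login(prefix[:-1])


if __name__ == "__main__":
    passphrase = "correct horse battery"
    for name, store in [("legacy", legacy_store), ("modern", modern_store)]:
        login = make_login(store, passphrase)
        print(f"{name}: truncates at {DES_CRYPT_LIMIT}? {probe_truncation(login, passphrase)}")
    # What an attacker actually has to guess on the legacy system:
    print(repr(passphrase[:DES_CRYPT_LIMIT]))  # 'correct ' - one dictionary word plus a space
```

Run against a real site you would do this by hand through its login form rather than with a local `login` function; the point of the three checks is the same. Note what the truncated secret becomes for a multi-word passphrase: `"correct horse battery"[:8]` is `"correct "`, a single dictionary word, while a random 20-character password truncated to 8 is still a random 8-character password.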

Legion, does the "VIP" Yubikey work the same as the regular one, once you get it configured?

Can you explain a bit how Yubikey works in general? (their site doesn't really do a great job explaining the actual process of how yubikey is applied). How does it work in a practical sense? What happens if you lose it? etc.

Does the VIP version require anything from symantec be installed or subscribed to?

thanks

Jeff-66 wrote:

Legion, does the "VIP" Yubikey work the same as the regular one, once you get it configured?

Yes. The only difference between the two is:
* regular key: comes pre-configured with a Yubico identity
* VIP key: comes pre-configured with a Symantec VIP identity

Both keys have "slots" for two identities, so you can add a Yubico identity to the second slot of the VIP key. (I'm not sure if you can do the reverse - add a VIP identity to the regular key - as those may have to come preconfigured. I am not certain. I bought the VIP one because it was $10 off and I wanted to experiment with the "harder" path of having to add in my own Yubico ID).

Can you explain a bit how Yubikey works in general? (their site doesn't really do a great job explaining the actual process of how yubikey is applied). How does it work in a practical sense? What happens if you lose it? etc.

Once I get mine and actually use it for a few days, I intend to write a blog post about it that should answer those questions. I will link that post here.

As for if you lose your Yubikey, I know there is a somewhat-intensive way of getting Yubico to give you a new Yubikey with the same ID (you've got to provide a bunch of information to prove that you're you). But in more practical terms, services like LastPass that let you use Yubikeys usually allow you to associate more than one Yubikey with your account. So my thinking is that you buy two, associate them both, and you stick one in a safe deposit box.

Does the VIP version require anything from symantec be installed or subscribed to?

I believe the answer is "no" but I'll be able to offer much more concrete answers once my key arrives.

Thanks, Legion. I look forward to hearing your thoughts after you get it. This thing sounds good to me, as I'm sick of worrying about this crap. It seems no company is safe from hackers, and a hardware based login tool might end that worry, or at least by 99%.

http://www.baekdal.com/tips/password-security-usability?

Has anyone read the above article? It's compelling, but I'm not sure I have the technical expertise to evaluate the advice.

Essentially, he's saying that a three word password, even if the words are in the dictionary, is more secure than an equal length random character password (as long as you use dashes or spaces in between the words).

I use the Lastpass generator to make most of my passwords now, but honestly I'd rather have some passwords I can remember. One of the side effects of Lastpass encouraging people to change their master passwords is that their servers are crushed. I haven't been able to login or get into my vault a few times today, which meant I couldn't access a lot of the passwords I don't have memorized from alternate computers (like, say, at work).

Granted, that will pass. But it still reminds me that being able to remember a secure password can be awfully useful in certain situations.

f*ck! And I just switched to this BECAUSE of Sony.

MannishBoy wrote:
EvilHomer3k wrote:

On the note of passwords, why would any site restrict you to a short password? I have some 12 character passwords that I can't use because some sites restrict you to 11 or, worse, 8. Some sites won't let you use special characters, either. Seriously?

I was changing passwords on a brokerage account yesterday. Despite their requiring about 5 different security questions, they didn't allow for special characters.

Eyes rolled I tell 'ya.

Yeah, well, computers speak English, like good 'muricans.

/I've got my eye on you

Title updated.

*Legion* wrote:

To be fair, there's also (c) integration with a legacy system that required (or still requires) supporting alphanumeric-only phone keypads. Frankly, a lot of web interfaces for financial institutions are just nice front-ends communicating with some gnarly ancient big iron in the back.

Don't forget, some sites don't use complex passwords for 'usability', ie, the old people can't handle the truth.

unntrlaffinity wrote:

Has anyone read the above article? It's compelling, but I'm not sure I have the technical expertise to evaluate the advice.

I've not read that article, but passphrases can be much easier to remember (fasterthanaspeedingbullet = f@5t3rThanA5p33dingBullet = F@%Terthanaspeedingbullet); as was stated earlier, though, if a site limits you to 8 (or even 14 - I like to make my passwords at least 20) characters, then you're out of luck anyway.

I've cut down on Amazon shopping quite a bit since my password is now too complex to remember, and I can only access it from home, where the DB that maintains my passwords is.

unntrlaffinity wrote:

http://www.baekdal.com/tips/password-security-usability?

Has anyone read the above article? It's compelling, but I'm not sure I have the technical expertise to evaluate the advice.

Essentially, he's saying that a three word password, even if the words are in the dictionary, is more secure than an equal length random character password (as long as you use dashes or spaces in between the words).

I read that. And while I'm not an expert, I see what I believe to be a whole lot of problems with it.

1) As I mentioned earlier with regards to Gawker, some old password systems limit password length to 8 and discard the rest. If you're using a string of words, your string just got snipped down to something a whole lot closer to a single-word ripe for dictionary cracking. If you had a long-ass random password, you still have an 8-character random password.

2) His argument is based on the idea of web applications limiting authentication attempts to 100 per second, and using that metric to extrapolate this long cracking time required to beat his low-entropy passwords. Problem is, this is not a sound assumption. If LastPass was indeed attacked as the worst-case scenario assumes, the attackers have the password hashes right now. They don't have to run through the web application and any rate-limiting the application might enforce. They can attack the hashes at a rate a hell of a lot faster than 100 attempts per second.

He addresses this in his follow-up reply to Security Now, basically taking the attitude that all hashed passwords are equally secure. He falls into the trap of thinking that salting = magic. This is, frankly, not true. Salting only complicates my attack in that I can't just use a pre-generated rainbow table to attack the hash. Salting does absolutely nothing to stop me or even slow me down from brute-force cracking your hash.

He does accurately state that, in many cases, a site getting hacked would reveal your password because the site stupidly stores the password instead of a hash. That's true, but from what he wrote, he seems to think storing passwords in plain-text is the norm (it's still too much of a norm, but you will be laughed out of the room by legitimate developers for doing it) and that hashing is some magic new technique that is not common (in fact, it is standard best practice) and that salting + hashing = your password is safe no matter what (nope, a hash of an overly-simple password is trivially crackable offline).

3) His argument in favor of phrases over randomness as a means of creating passwords with greater length is not completely without merit. However, things start to fall apart when you think about how many sites you have passwords to, the need for those passwords to be different from each other, and how well you can really remember passwords (even phrases) for all of those sites. The idea of making passwords easy to remember falls apart beyond a certain scale. Once you get beyond just a handful of them, the approach of creating one super-strong remembered password for a password vault, and then having the vault manage a bunch of strong random passwords, becomes a lot more viable.

Underneath all of the misguided claims, I think there is a germ of a good idea in there: for passwords that you have to remember (and if you use a password vault, you need to remember at least the one to open it), go for good password length by concatenating passwords together. If you have a handful of passwords you've used in the past, you can make a decent single long one by concatenating all those passwords together. And better yet, find ways to add some entropy to it. L33tspeak helps a little; inconsistently-applied l337speak is better for making it less dictionary-vulnerable. And then while you're at it, add a few small bits of randomness in there. It's hard to remember a 32 character random string, but it's easier to remember a few memorable words, twisted around and with a little randomness sprinkled in. The latter is never going to be as secure as an equal-length random password, but the longer you make it and the more randomness and deviation from dictionary spelling that you can tolerate, the better the memorable password you can create.
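A worked version of the argument in points 2 and 3 of Legion's list earlier in the thread and in this reply: an intruder holding a leaked table of salted hashes runs a per-user dictionary attack at offline speed, the salt only stops precomputation, and the web application's rate limit never enters the picture. This is an added example for the thread, not LastPass code, and it does not describe LastPass's real storage format: the scheme (PBKDF2-HMAC-SHA256 with a per-user random salt), the user rows, the wordlist and the 1e9 guesses/s offline rate are all assumptions constructed here.

```python
"""Offline dictionary attack on a leaked table of salted password hashes.

Added example for this thread; it is not LastPass code and does not
describe LastPass's real storage format. The scheme (PBKDF2-HMAC-SHA256,
per-user random salt), the user rows and the wordlist are all constructed
here. It shows the two points made in the thread: a per-user salt kills
precomputed (rainbow) tables but does not slow a per-user brute force,
and a leaked hash is attacked at offline speed, not at a web login
rate limit.
"""
import hashlib
import hmac
import math
import os

# Constructed cracking dictionary (a real one is millions of entries).
WORDLIST = ["password", "letmein", "dragon", "monkey", "qwerty",
            "sunshine", "princess", "football", "Tr0ub4dor&3"]

# Constructed accounts: two dictionary passwords, one strong random one.
USERS = [("alice@example.com", "sunshine"),
         ("bob@example.com", "letmein"),
         ("carol@example.com", "V6#qRw!9kLp2zX@m")]


def hash_password(password: str, salt: bytes, rounds: int = 1) -> bytes:
    """PBKDF2-HMAC-SHA256. rounds=1 is a fast hash; a high round count is
    the only thing here that raises the attacker's cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_leak(users, rounds=1):
    """The table an intruder would copy: (email, salt, hash) per user."""
    leak = []
    for email, password in users:
        salt = os.urandom(16)
        leak.append((email, salt, hash_password(password, salt, rounds)))
    return leak


def precompute_unsalted(wordlist, rounds=1):
    """Without salt, one table cracks every user: hash each word once."""
    return {hash_password(word, b"", rounds): word for word in wordlist}


def dictionary_attack(leak, wordlist, rounds=1):
    """Per-user attack on salted hashes. Returns ({email: password}, number
    of hash operations). Salt forces a fresh pass over the wordlist for
    each row; it does not reduce the hit rate on weak passwords."""
    cracked, work = {}, 0
    for email, salt, digest in leak:
        for candidate in wordlist:
            work += 1
            if hmac.compare_digest(hash_password(candidate, salt, rounds), digest):
                cracked[email] = candidate
                break
    return cracked, work


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Search space of `length` independent picks from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    leak = make_leak(USERS)
    cracked, work = dictionary_attack(leak, WORDLIST)
    print(f"cracked {cracked} with {work} hash operations")
    # Same passwords at 100 guesses/s (a rate-limited web login) versus an
    # assumed 1e9 guesses/s offline against a single fast hash. The offline
    # figure is an assumption standing in for a GPU, not a measurement.
    for label, bits in [("3 words from a 10k-word list", entropy_bits(10_000, 3)),
                        ("8 random printable chars", entropy_bits(95, 8)),
                        ("20 random printable chars", entropy_bits(95, 20))]:
        online = years_to_exhaust(bits, 100)
        offline = years_to_exhaust(bits, 1e9)
        print(f"{label}: {bits:.1f} bits, {online:.3g} years online, {offline:.3g} years offline")
```

The numbers make the disagreement with the baekdal article concrete: three words from a 10,000-word list is about 40 bits, which is over 300 years at 100 guesses/s but under 20 minutes at the assumed offline rate, and the salt changes neither figure. Raising `rounds` is the one knob on the server side that does cost the attacker per guess, and it costs the legitimate login the same amount; a strong, non-dictionary master password is what keeps the offline attack infeasible regardless of what the server does.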

Do we have a Password Security Catch All Thread around here; if not should/can we create one to keep this topic, on topic? I have several questions about this recently (thanks SOE) that I would like feedback on, but I don't want to derail this thread more than needs be.

Eezy_Bordone wrote:

I've cut down on Amazon shopping quite a bit since my password is now too complex to remember, and I can only access it from home, where the DB that maintains my passwords is.

I use a phrase, but only the first letter of every word. So it's easy to remember quite a few characters if you can remember a sentence like a quote, song lyric, or something else that means something to you.

Throw in some numbers and special characters and it's not that bad.

I'm not using a password manager because it's a pain to deal with on my work PC. But I have a general phrase password as described above, with a few easily remembered characters per site tacked on to make the different sites specific.

LastPass CEO in PCWorld interview: "we probably overthought this a bit and we're maybe too alarmist ourselves"

PCW: So, to set the record straight: Is there any chance whatsoever that passwords users stored in their LastPass accounts could now be compromised?

Siegrist: We don't think there's much of any chance of that at this stage. If there was, it would be on the orders of tens of users out of millions that could be in that scenario, just because of the amount of data that we saw moved. But it's hard for us to be 100 percent definitive without knowing everything.

(...)

PCW: If someone had what you'd consider a strong master password, then, would they have any reason to be worried at this point?

Siegrist: No. None.

The article intro mentioned that they reacted as they did even though they thought the incident could "hurt the company's image", but in my eyes, an aggressive response to even a crazy remote possibility of some security leakage is an image booster. I like and support companies who (a) are transparent and (b) take security seriously. It's one of the reasons I bang the drum loudly for NearlyFreeSpeech and this sort of transparency will have me banging the drum for LastPass.

Mother of god... I used to not care about the hackers because they griefed companies and people I didn't like, but now that I can't check my emails or buy ish on Amazon they have gone too far!

In all honesty though, I'm glad LastPass did what they did. I'd rather have them overreact and inconvenience us for a day than have them do what Sony did and herp derp for a week before telling anyone.

MannishBoy wrote:

*maybe hacked. They aren't sure. But it looks like they are doing the proper thing with quick notifications and actions, unlike Sony.

And your passwords should be safe if you used a smart (non dictionary) password in the first place. Only way they'll be able to truly get passwords out of this IF they did get the database is brute force attacks using dictionary attacks.

Good thing 12345 isn't in the dictionary. /sighofrelief

Legion, do you have any clue what the process is if you lose your Yubico? I'm curious what would happen since you're either going to have it on your keys or it's own keyring and you could always lose it.

Does LastPass do kind of the same thing as 1Password, where I can have one master password that I use to login locally, and then it would generate a super-strong password for me for each individual site (and I wouldn't have to remember them)?

Symbiotic wrote:

Does LastPass do kind of the same thing as 1Password, where I can have one master password that I use to login locally, and then it would generate a super-strong password for me for each individual site (and I wouldn't have to remember them)?

Yes. You can auto-generate strong passwords or assign them manually, of course.

Also, LastPass has an online "Vault" feature, which you can use if for some reason you cannot use the LastPass extension/plugin/add-in. They decrypt your passwords database locally on your PC using JavaScript. I found it really handy during the first month of my work at a new place, when my PC was locked down and wouldn't allow any software "non-supported" installs.

Tigerbill wrote:

Do we have a Password Security Catch All Thread around here; if not should/can we create one to keep this topic, on topic? I have several questions about this recently (thanks SOE) that I would like feedback on, but I don't want to derail this thread more than needs be.

As you wish: Password Security Catch-All Thread

I hope that the majority of LastPass customers have come to rely on them exactly because of their paramount focus on honest relationships with their users, and as such would appreciate LastPass's proactiveness and transparency in dealing with this issue (or maybe even an eventual absence of an actual issue to speak of). Too true -- a lesser company would inform us that "Recently we have detected a localized instance of data breach that has affected an extremely small portion of our clients, blah blah. Nevertheless, we advise that you should change your master password, cancel your linked credit cards, and petition the SSA to change your social security number, just in case".