LastPass Security Breach?
You know that I'm using LastPass as my password manager. It offers everything that I need and then some. One thing that I like about the service is that the company is dedicated and taking security seriously. A blog post at the LastPass blog entitled LastPass Security Notifications mentions that the company has noticed a network traffic anomaly on a non-critical server. The cause for the anomaly could not be identified. Further investigation revealed that traffic was sent from a database which could not be accounted for either.
Instead of sweeping that incident under the table, the developers decided to assume the worst case scenario: That an attacker managed to breach the security and download user data from the database. The traffic amount was large enough to include user emails, server salt and salted password hashes.
This data can be used by the attacker to brute force passwords which would then give access to a user's Last Pass vault with all stored passwords.
The company as a consequence asks its users to change their master password as a precautionary measure.
Some users may have received notifications to change their master password, or other notifications related to the incident (an error has been encountered while loading your sites lastpass). Only users who try to connect and log in with a new IP address, one that they have not been using in the past weeks, are asked to do that.
I did change my master password and I'm currently seeing an anomaly on all sites. The autofill username and password feature appears to be broken. Even a right-click and the selection of LastPass > Copy Username or Copy Password does not reveal any entries.
I could not find any information about this on the LastPass website or in the user comments. I suppose it is a temporary thing that will resolve automatically.
Last Pass are rebuilding the boxes and have moved services to other servers for now. They also compared the code on the live servers with code from their repositories to make sure it was not tampered with.
If you read through the comments you notice that the majority of users that comment have log in problems. Some because their browser appears to be detected as a mobile device which they cannot log in with.
I for one am happy that LastPass did communicate the issue right away with their users, unlike other companies that we know of (hust, Sony, hust). Yes, it may be inconvenient today to get things sorted out, but I prefer that to doing nothing.
Advertisement
Its simple. Never save important information with a password manager. Right down your banking,paypal,etc passwords. Just use password managers for email,facebook,etc. Things that if they get hacked don’t really have private information and don’t matter.Just don’t use the same password for everything. I’ve seen people do that and their other passwords get hacked. And the worst is when you use facebook. They have some of the weakest security.
I’ve had my facebook hacked and then they tried to get into my email thinking it would be the same password. I never use the same password for anything. All my online accounts have their own complex password.And I’ve set it up for all my online account to track IP logins. And I’ve had Russian based IP try to get into email,appleid from the facebook hack. So watch out and don’t think someone can’t get your other account information from one email address or facebook.
Umm…don’t use a password manager for important information, but instead write it down?
How is a password stored in plain text more secure than one encrypted by a password manager? Not to say there aren’t ways that a password manager could *potentially* be compromised, but password managers are specifically designed to be the safest way to store your passwords short of remembering them. Even if you stored your password on a sheet of paper in a fireproof safe, it would probably be easier to get the paper than the encrypted database (assuming, of course, that you don’t use a stupid password).
I am using LastPass to store all my passwords for my banks; anyone who can access my account cannot conduct any transactions since my banks require a OTP
Security expert, Steve Gibson has this to say at http://www.twitlonger.com/show/a9bdm4
“Regarding LastPass’s cautionary approach…
Everyone should take a deep breath and not hyperventilate about LastPass’s possible database breach notification. LastPass is being ULTRA CAUTIOUS, which is what we all want.
The reason I have endorsed the LastPass system in the first place, after researching it thoroughly, is that EVEN THEY CAN’T DECRYPT the stuff we entrust them with. That means that even if someone got something from their database, it could not be readily used. (Not even our increasingly nosy governments, under court order.)
So, if that’s true, what’s the concern?
The concern is that if someone got EVERYTHING for one or more particular users, where “everything” means their account’s hash and their hash salt ~ which LastPass DOES need to store for us in order to authenticate our logon ~ then such an attacker could theoretically mount an offline brute force attack against that/those users by repetitively trying every possible passphrase, hashing it with the user’s unique salt, to see whether they can get the same resulting hash. If they could do that, then they would have discovered (the hard way) the user’s passphrase, allowing the attacker to impersonate that user to LastPass, logging on as the user and obtaining their site & password collection.
… Except that LastPass is now blocking ANY logon using the “old” password from ANY mobile device and and ANY IP other than one that the user has recently used. Which completely defeats the bad guys even if they were finally discover the user’s old password.
LastPass is also doing the one thing they need to, to make even the “brute forcing” attack infeasible: They are adding “password strengthening” which will require 100,000 hashing iterations PER PASSPHRASE GUESS, making any future brute force cracking effectively impossible.
(And remember, they’re not even sure that anything was obtained. They mostly just saw some traffic volume that they couldn’t account for, so they are being VERY cautious.)
I have changed my LastPass passcode (it was and will be a multi-symbol nightmare using upper and lowercase alpha, digits and symbols) because there’s no reason NOT to err on the side of caution.
But I am every bit as happy and confident about my recommendation of LastPass today as I was yesterday. They are maturing their already secure system, making it more and more bulletproof and safer for us to use and trust.”
Well, I started to “inadvertently” send SPAM email through my Hotmail a few days ago, and I completely blame this security breach for that! I don’t know how to react to this.
You need to change your passwords.
Yep, exactly – just how strong is your email’s password ? What about your LastPass master password ?
It is in the mid xx range
looks like theyve handled this well. been down for 3 hrs
I recommended those who are intereseted in finding out more how this “potential” breach may have or not have any effect on their LastPass account to read this link: (Joe Siergist, CEO of LastPass, interviewed by PCWorld)
http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html
And hopefully it will put other people’s minds at ease, and set the record straight and put facts into order.
/m
I use lastpass but i dont store anything as important as my SS, Credit card info, etc.I use it on less important stuff like signing into forums and gaming sites that dont require any payment.I have my emails on lastpass but im about to change my main one right now.Dont put your trust in machines somethings are better off left in your brain,laziness can be your downfall take the time to remember your very important info and type it when you need it.
At the end of the day – like most things I suppose – different strokes for different folks….
I landed here because I could figure out what was going on with lastpass.
I had no notice at all and found no information on their website either.
I cannot even connect to my account. I keep getting an error of check your internet connection, which is running fine.
You just cannot compare LastPass with an offline password manager.
The chief reason for using LastPass is because you want to access your passwords from different locations/computers.
You should therefore only suggest a portable offline password manager as a suitable replacement.
And, if you invoke better security as the reason to do the switch, let me congratulate you for your (warped) sense of humour. Or worse…
Dropbox, TrueCrypt, … for common folks? Another joke.
Just get real. Last Pass is waaaaaaaay safer than any portable password data base.
A key issue is the security of your master password. And the main problem with master passwords is that to be secure they must be so complex that they hard to remember. But maybe not.
I just read an article which claims that for a password you can use any three words that are easy to remember and they constitute an extremely secure password. According to the article, the password example, “this is fun”, would be able to resist a Common Word attack for 2,537 years. The author provides details and answers objections.
http://www.baekdal.com/tips/password-security-usability
…other than, perhaps – that an attacker would have to FIND my online Truecrypt volume. As I said it’s not in any mainline cloud storage.
I don’t know how much Keepass communicates online, other than to seek updates – but given its security importance, it’s blocked in my firewall as a matter of course.
Once again I’m with Rowan – in fact nothing to add.
So pity away, milithruldur. We’re entitled to our opinions as you are to yours – and don’t stoop to invective to defend them.
I mean no ill intent with what I said, and I will admit pity might be a very strong word. If you will forgive me for being not a native English speaker, and I will stand corrected for words which came across to you as being offensive.
/m
same thing and also say UPLOADING my DATA !!!!
After reading this post I attempted to change my master password 3 times but I received “server errors.†I hope the worst hasn’t happened.
I understand exactly how their password management system works. They have, however, focussed the attention not on the fact that an outside party has retrieved their master password hashes and salts, but on the fact that this will “only be a problem if you have a weak password”, i.e. one that is easily brute-forced. It all boils down 3 things.
1) The most secure way of managing your passwords is to either remember all of them in your head.
2) If you prefer not to remember all your passwords, then use an offline-only password management system like KeePass. Yes, offline-only. It does indeed matter whether the data is stored offline or online. Offline data would not be subject to the attack in question. It is, however, still susceptible to brute-forcing. The very nature of brute-forcing and dictionary attacks require that you have ‘something’ which you are attacking. Sure, offline data isn’t completely safe, but it’s in orders of magnitude safer than storing it online.
3) If you need your form of password management available ‘on-the-go’ then you’d be better off with using some form of encrypted hosting service. I know it may seem like it’s the same thing as LastPass, but it’s not. LastPass relies on a single layer of encryption (hashing your master password) whereas using a tool like KeePass and hosting that within an encrypted hosting service has 2 layers of protection.
Even if you did get access to the files within the hosting service (via some online vulnerability, break-in, data theft, etc), you’d first need to brute-force the encryption (or decrypt the data if it uses reversible encryption and the password is known) and then you’d still need to brute force the KeePass database. By placing the KeePass database in another layer of encryption (TrueCrypt containter or ) you give yourself 3 layers in which an attacker would have to compromise in order to get to your data.
>Sure, offline data isn’t completely safe, but it’s in orders of magnitude safer than storing it
>online.
Certainly this is the case for people who have their machines configured properly (decent firewall, up-to-date anti-virus and anti-malware, etc), and who aren’t downloading / installing pirated games / software.
However, for many users, the security on LastPass servers will far exceed that on their own machines.
Ofcourse, that still makes LastPass servers a nice, big, juicy (albeit “salty”) target.
Like others have said, the most important factor here is the master password.
Your suggestions border on extreme paranoia, but I appreciate creative ways in employing security, no matter how impractical it may seem. That multi-layered encrypted container may be overkill, but let us not forget that LastPass has achieved striking a balance between good security and convenience, without putting upon uninitiated users too much work while at the same time satisfying informed users with details of transparent implementation.
It matters to you whether data resides online or offline because you know how to take the extra step in securing your passwords. But in the perspective of someone not inclined to such things but needs to make use of the service, and for us who understands the workings of such things, you would think that it is enough to advise the user that the weakest link in an encrypted system begins with the key (password) that unlocks the system. Then however this data is acquired, either online or offline, even without considering the risks entailing both, it doesn’t matter as long as the key (password) is strong.
And the advise is enough in the purview of practicality while maintaining reasonable security. You on the other hand were able to come up with your suggestions because you know and understand, and you can. Security has always been in a game of tradeoffs with convenience, but as you can see LastPass has enabled users to take advantage of great security with great convenience.
Your suggestions are very well appreciated, but for us who know and understand, you really can’t be in extremes when deciding what would be best security. You need to strike a balance for the others who aren’t in the same playing field, so to speak. Unless there is urgent need for going into paranoia, or anything that involves high risk, or even just for the plain reason that you have the know-how, then going extreme with security may have its place. By then you’ll not be relying upon LastPass because you know how, and you can.
But for the sake of the many, that they may benefit, then in this light LastPass have assessed sufficiently the risks involved, and have decided to err in the side of caution.
Let us not forget LastPass is commendable for what they did, even when no definitive proof of an attack has been found yet.
/m
>multi-layered encrypted container may be overkill,
Actually, LastPass data is multiply encrypted. First time with your master password, and then again with your Master Password plus email address.
My Master password is 33+ characters long (upper case, lower case, digits, special characters, and containing no dictionary words), and my email address (which is a very strange and special email address that I *only* use for LastPass) is 50+ characters long (upper case, lower case, digits).
Together, they make a final LastPass container password 93+ characters long.
Even if someone obtained a copy of my LastPass container, it would take a powerful server farm (by today’s standards) 100’s of billions of years to crack the password.
Same here, attempting to change pass leads to error on their side. Gonna be an optimist and assume they’re doing “maintenance”. However, I have full access to my passes.
Never was notified of this by them. There was also absolutely no indication of any sort of “crisis” going on in their site. No popups with a warning, nothing. Although Lastpass does keep logging itself out, so that’s weird enough to be noticed I guess.
It may be nothing to worry about, but everyone should definitely change their passwords (it’ll then re-encrypt your personal db). In the end it’ll be a good fire drill and opportunity to fix anything they might have missed before.
What would I do without you, Ghax. heads up very much appreciated.
Yes, LastPass did indeed handle this situation the right way.
After reading this post I attempted to change my master password 3 times but I received “server errors.” I hope the worst hasn’t happened.
ARGH!
I just logged into mine and tried to change the password, to which id did some re encrypting (3 pop up windows) then told me that it had failed due to an error nad to try login again later.
So i logged in with my old pwd and lo and behold ALL my saved data is now GONE.
Thanks Lastpass.
So what are the alternatives cos I dont want to trust 3 years worth of login details to them again.
BAH
What ??? Didn’t you ever backup your LastPass data to your PC (Tools -> Export to -> LastPass Excrypted File) ?
I do that *everytime* I change a password, so the latest encrypted data is always on my main PC (that is kept very secure).
I pity you both, Rowan and Jack, for your words are quicker than what your thoughts could take to ponder.
You tell of offline, encrypted password storage, and usage of online backups for anywhere access to the passwords database, WITHOUT knowing that such workflow is the very same thing LastPass does, but even better.
LastPass supports offline access when configured. It is not simply “a server-hosted password management that can only work online”. This is why LastPass provides offline password access via portable applications like LastPass Pocket for Windows.
LastPass encrypts the password database, as KeePass does the same. Then after encrypting locally it syncs this database (when you’re online) with LastPass servers for anywhere access, the same as using online backups for anywhere access to the passwords database – only better and all done via secure channels. I will not go replicate the detail of the entire process, for it is available from the LastPass website. But let me do tell that the big difference LastPass has over KeePass is the wide browser and mobile device integration, and OS support, of LastPass for password access convenience – something that when compared to KeePass belittles it.
If you’re leery about the practice LastPass employ in storing your encrypted data, then I suggest you read further from the LastPass website. The process is so transparent, you only need to get your minds working on the details, and let Google be your friend in assissting understanding. Now compare that with your current choice of online storage.
As with most encrypted data, KeePass and LastPass, to name a few, the weakest link is in the master password that was used to encrypt the data (and the hashing and encrypting algorithm in some cases). Brute forcing relies upon the weakness of master passwords that can be cracked using dictionary-based attacks and sheer computational force. Whether online or offline, it matters not where the data resides.
Regarding the breach? (with the question mark), I do hope that people nowadays never loses the essence and bits of details of what has just been read. If you follow link to the LastPass blog, they consider “this may be an overreaction and we apologize for the disruption this will cause, but we’d rather be paranoid and slightly inconvenience you than to be even more sorry later.”
That is overreaction without providing sensible reason that “the potential threat here is brute forcing your master password using dictionary words,” because “If you have a strong, non-dictionary based password or pass phrase, this shouldn’t impact you.” Then again if you’re paranoid like they are, then it never hurts to change the password every once in a while.
So before you leave inaccurate impressions (LastPass being an online password manager may be doubtful) based on inaccurate understanding (this kind of breach will always be possible with server-hosted password management solutions) WITHOUT understanding the implications how the breach MAY affect you, if at all – I suggest you read, strive at knowing, never rest on one’s laurels, and you may yet find that this habit continues to improve your quality of living.
/m
I’d like to up vote this. This is precisely how I believed LastPass worked. I’ve tried to explain this to coworkers and friends, but the details of how the cryptography works can be lost on the less technically-minded (and those who don’t actively look for it). I still have faith in the technology used in LastPass.
I’m a a LP customer but have not received any communication
Email communication would have been better. How many people actually visit the LastPass website? I don’t. I heard about this via Twitter from The How-To Geek. On top of that, when you go to the LastPass website, there is nothing on the front page about this issue. You have to click on News and then click on View More under Our Blog to see what happened. I can’t believe that LastPass did not provide more visibility to its user base regarding this issue.
I backup my Lastpass with KeePass
though I wish that there is an easier way
Have to say I agree with Rowan. The use of direct online storage for passwords has always seemed a curious practice to me, if only because such services are bound to be prime targets for attack.
I find KeePass more than adequate, supported by a VERY strong master password. Database backups are stored online exactly as Rowan suggests, though in my case not in Dropbox.
I often feel that a lot of security breaches result from misplaced trust in others – usually organisations whose word we can only take for their standards of care. Assurances of “100% security – guaranteed!” usually have me running the other way.
That said, at least LastPass have been up front about it, which speaks far more about their integrity than any amount of smooth PR.
Sadly this kind of breach will always be possible with server-hosted password management solutions. Despite the assurances from companies that your data is safe, you just don’t know exactly how safe ‘safe’ really is.
I’d recommend sticking with offline solutions like KeePass, and if you need it available everywhere, then put the program and the password database inside DropBox. If you want to improve the security even more, then put that password database inside a TrueCrypt container which then resides within DropBox.
Rowan, how does syncing your password database through Dropbox make it any more secure than using lastpass? You’re putting your password data out there on the web either way. If someone figures out a hole in Dropbox, they can also steal your data.
Ultimately, almost anything on a computer that’s connected to the web can be stolen. If you use strong passwords, encryption and good physical security, you will be much tougher to get data from than the average person so people will go after the easiest targets. Not too many people are going to worry about breaking data encryption or cracking a salted password as they don’t know if you have anything valuable on the backend. If you’re Warren Buffett, you’ll likely need to take extra precautions.
In the unlikely event (granted, lastpass’s event was just as ‘unlikely’) that dropbox was compromised, your data (which is already encrypted by dropbox) is encrypted by Keepass, which in turn only leaves the attacker with your compromised data which is itself encrypted. The attacked would need to then brute-force your encryption on your KeePass database.
Using this method, you have an additional layer of security on top of existing measures that providers like dropbox and other hosting providers may offer. If you’re more paranoid, there are more restrictive measures you can take, but obviously this is going to affect user-friendliness.
Sure, lastpass is convenient, but if I consider the risk of my internet-banking password being compromised because I entrusted too much to an organisation would be gullible of me. One ultimately has to weigh up the value of the information that is being stored versus the convenience of service provided. In most cases, convenience and security are inversely proportional.