The LastPass Security Incident, What I Did

Martin Brinkmann
May 5, 2011
Updated • Dec 14, 2014

After finding out that there might have been a security breach at LastPass, a company known for their online password management solution, I quickly changed my master password and started to think about possible consequences.

For some time now, I had been thinking about switching to an offline password management solution. Not necessarily because I think that online password managers are inherently less secure, but because it gives me more control over my passwords.

I therefore made the decision to migrate all my LastPass account information to KeePass, a free password management software. But simply migrating the data was not enough. If someone did actually manage to steal data from LastPass servers, they might have all my login accounts by now. The chance is slim, especially if you take into account what LastPass has communicated so far, but since I earn my living on the web I wanted to be on the safe side here.

The decision was born to change all my account passwords after the migration. I knew that this would not be easy, with 500+ accounts listed in the LastPass database.

This guide explains how I imported my LastPass login database to KeePass, and how to change all your account passwords in record-breaking time. Don't get me wrong, you will still spend hours and hours doing repetitive, boring tasks.

Exporting LastPass database

The first task is to export the LastPass database. The information within acts as a reference, so that you know how far you have got with changing your account passwords. Open the LastPass website and click Sign In to LastPass to log into your account.

Once you are logged in select Export and enter your account's master password again.

LastPass outputs all of your account information in one large list. Select all with Ctrl-A, and then Ctrl-C to copy the information to the clipboard. Save it in a text file on the local system. The list contains all URLs, usernames, passwords and other information that you have stored in LastPass's password manager.

Importing Passwords Into KeePass

Download the latest version of KeePass from the developer website. Please note that it is only available for Windows and many mobile devices. I have installed the password manager on an encrypted hard drive for extra protection.

Start KeePass after installation or extraction and select File > Import from the menubar. Select Generic CSV Importer from the options and load the text document with your account information. A click on OK imports the data into KeePass.

Please note that the URL is added as the title of each individual password entry, which is not a big problem. The URL field is left blank, which we will utilize soon.
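The Generic CSV Importer maps columns by position, so the column order of the text you feed it decides which field becomes the title and which the URL. The following script is an added example, not code from the article, from KeePass or from LastPass: it reads the raw LastPass export text (assuming the `url,username,password,extra,name,grouping,fav` header quoted on this page), drops the header row and blank lines left by copy and paste, lets the `csv` module deal with commas, quotes and line breaks inside fields, and writes a CSV in a Title, User Name, Password, URL, Notes, Group order that you map in the importer's field-order dialog. The sample export is constructed; the function names are my own.

```python
import csv
import io

# Column order of the LastPass export (header row as quoted on this page).
LASTPASS_FIELDS = ["url", "username", "password", "extra", "name", "grouping", "fav"]
# Column order written for the KeePass 2.x Generic CSV Importer; map the
# importer's field order in this same sequence (assumed layout, pick your own).
KEEPASS_FIELDS = ["Title", "User Name", "Password", "URL", "Notes", "Group"]


def convert_export(lastpass_text):
    """Parse raw LastPass export text and return KeePass-ordered rows.

    - skips the header row and blank lines left over from copy/paste
    - relies on the csv module for commas, doubled quotes and newlines
      inside quoted fields (a naive split on ',' would corrupt passwords)
    - uses the LastPass 'name' as title and falls back to the URL only
      when the name is empty, so the URL field is populated instead of
      being lost into the title
    """
    reader = csv.reader(io.StringIO(lastpass_text))
    rows = []
    for record in reader:
        if not record or all(not cell.strip() for cell in record):
            continue
        if [cell.strip().lower() for cell in record[: len(LASTPASS_FIELDS)]] == LASTPASS_FIELDS:
            continue  # header row would otherwise be imported as an entry
        # pad short records so every expected field exists (extras are ignored)
        record = record + [""] * (len(LASTPASS_FIELDS) - len(record))
        entry = dict(zip(LASTPASS_FIELDS, record))
        url = entry["url"].strip()
        rows.append({
            "Title": entry["name"].strip() or url,
            "User Name": entry["username"],
            "Password": entry["password"],
            "URL": url,
            "Notes": entry["extra"],
            "Group": entry["grouping"].strip() or "Imported",
        })
    return rows


def write_keepass_csv(rows, include_header=True):
    """Serialise rows as CSV. Every field is quoted so passwords containing
    commas or quotes survive the round trip into the importer."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=KEEPASS_FIELDS, quoting=csv.QUOTE_ALL)
    if include_header:
        writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def parse_keepass_csv(text):
    """Read the written CSV back (used to verify the round trip)."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample export, not real accounts. It contains a password with
# a comma and a doubled quote, a blank line, a multi-line note and an entry
# without a name.
SAMPLE_EXPORT = """url,username,password,extra,name,grouping,fav
https://www.example.com/login,alice,"p4ss,word""x",,Example Shop,Shopping,0

https://mail.example.org,bob@example.org,hunter2,"note line 1
note line 2",,Email,1
"""

if __name__ == "__main__":
    print(write_keepass_csv(convert_export(SAMPLE_EXPORT)))
```

Write the output to an empty text file and import that; if you prefer to drop the column titles instead of skipping them in the importer, call `write_keepass_csv(rows, include_header=False)`.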


Changing Passwords With KeePass

Now that you have all your LastPass passwords in KeePass it is time to change all of them. Here are a few tips to get you started with that:

  • Disable the LastPass add-on in your browser. If you do not do this you will get a "we noticed a password change prompt" all the time.
  • A big screen helps you. I had Firefox open in one half, KeePass and the password list in the other, which meant that I did have all information visible on screen all the time.
  • Move all Generated Passwords entries to the old group
  • Create password groups to sort passwords into. You can create new groups with a click on Edit > Add Group, or a right-click and Add Group.
  • Start with your email accounts. Why? Because if they get compromised they may be used to reset passwords that you have just changed. Create a new group emails and change them right away.
  • Now think about your most important accounts, e.g. financial, web hosting, shopping. Change those after you have changed the email accounts.
  • Open a blank text document and use Tools > Generate Password List to generate a list of secure passwords. I suggest 20+ characters including upper- and lower-case, digits, minus and underline. You may add some special characters to it that are often allowed, for instance !?%&. Copy and paste the full list into the text document. You will work through the list when you change accounts.
  • Never use the same password for more than one account
  • If you are a webmaster, you may have access to multiple accounts from one admin interface. For many WordPress sites, I have an admin account and an author account which both needed changing. To speed things up, you can log in with the admin, change the admin account first, and then change the author account while still logged in as the admin. The same is true for web hosting accounts if you host multiple domains and websites under that account.
  • To keep track of things, I always added the url to accounts that I have changed the password for. I also moved those accounts to an appropriate group. This way, it was easier to keep track of the password changing progress.

The biggest drawbacks that you will encounter are sites that limit the number of password characters. I encountered more than one site that only accepted six characters in total. That's crazy.
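To show what the suggested generator settings actually buy you, here is an added example, not code from the article or from KeePass, that builds such a password list with Python's CSPRNG and computes the entropy a given length and alphabet provide, including the six-character cap some sites impose. The character classes follow the article's suggestion (upper and lower case, digits, minus and underline, optionally `!?%&`); the function names and the class-coverage rule are my own assumptions.

```python
import math
import secrets
import string

LETTERS = string.ascii_letters
DIGITS = string.digits
BASIC_SYMBOLS = "-_"      # minus and underline, as suggested in the article
EXTRA_SYMBOLS = "!?%&"    # commonly accepted specials, opt-in per site
# at least one character from each of these classes is required
REQUIRED_CLASSES = [string.ascii_uppercase, string.ascii_lowercase, DIGITS, BASIC_SYMBOLS]


def alphabet(extra_symbols=False):
    return LETTERS + DIGITS + BASIC_SYMBOLS + (EXTRA_SYMBOLS if extra_symbols else "")


def generate_password(length=20, extra_symbols=False):
    """Generate one password with secrets.choice (a CSPRNG, not random.random).

    Rejection-samples until every required class is present, so a site's
    'must contain a digit' rule never makes you hand-edit a generated value.
    For lengths shorter than the number of classes the rule cannot be met
    and is skipped.
    """
    if length < 1:
        raise ValueError("length must be positive")
    chars = alphabet(extra_symbols)
    while True:
        candidate = "".join(secrets.choice(chars) for _ in range(length))
        if length < len(REQUIRED_CLASSES) or all(
            any(c in cls for c in candidate) for cls in REQUIRED_CLASSES
        ):
            return candidate


def entropy_bits(length, extra_symbols=False):
    """Upper bound on entropy: length * log2(alphabet size).

    The class-coverage rule above rejects a small fraction of the space,
    so the true figure is marginally lower; for 20 characters that is
    irrelevant, for a 6-character cap it is already the binding problem.
    """
    return length * math.log2(len(alphabet(extra_symbols)))


def generate_password_list(count=50, length=20, extra_symbols=False):
    """The equivalent of working through a Tools > Generate Password List
    output: one fresh password per account, never reused."""
    return [generate_password(length, extra_symbols) for _ in range(count)]


if __name__ == "__main__":
    for pw in generate_password_list(count=5):
        print(pw)
    for n in (6, 8, 12, 20):
        print(f"{n:2d} chars: {entropy_bits(n):6.1f} bits "
              f"({entropy_bits(n, extra_symbols=True):6.1f} with !?%&)")
```

With the basic alphabet of 64 characters each position contributes exactly 6 bits, so a 20-character password carries 120 bits while a site that caps you at six characters leaves you 36 bits: generate those with `generate_password(6)` and treat them as the first accounts to revisit if the site ever lifts the limit.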

My routine looked like the following:

  • Double-click the next entry in the KeePass database, copy the URL, paste it into the web browser.
  • While it is loading copy the username from the KeePass database.
  • Paste the username
  • Copy the password with a right-click
  • Paste the password
  • Locate the account settings or password change options on the page.
  • Paste the old password in if the site required it.
  • Copy the next password from the password list and paste it into the new password form, submit.
  • Double-click the entry in the KeePass database, paste the new password in there as well.
  • Copy the URL and paste it into the URL field.
  • Move the account to one of the groups
  • Repeat
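The export saved at the start doubles as a checklist, and the one thing worth verifying at the end of the routine is that no account still carries a password that was in the exported list. This added script (not from the article; it assumes both files use the `url,username,password,...` header shown on this page, with the column names adjustable for a differently labelled export) compares the old export against a fresh export of the new database and reports which accounts are unchanged, which are missing from the new database, and which new passwords are shared by more than one account. Passwords are compared as SHA-256 digests so the report never holds them in clear; matching is by host name and username, so `http://` versus `https://` or a trailing path does not split an account in two. Sample data is constructed.

```python
import csv
import hashlib
import io
from urllib.parse import urlparse


def load_entries(csv_text, url_col="url", user_col="username", pass_col="password"):
    """Read a CSV export with a header row into {(host, user): sha256(password)}.

    Column names default to the LastPass export header; pass the names used
    by whatever export you compare against. The digest is only an equality
    token for this local comparison, not a storage hash.
    """
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw_url = row[url_col].strip()
        host = urlparse(raw_url).netloc.lower() or raw_url.lower()
        key = (host, row[user_col].strip().lower())
        entries[key] = hashlib.sha256(row[pass_col].encode("utf-8")).hexdigest()
    return entries


def rotation_report(old_entries, new_entries):
    """Classify every account from the old export and spot reuse in the new set."""
    unchanged = sorted(k for k, h in old_entries.items() if new_entries.get(k) == h)
    changed = sorted(k for k, h in old_entries.items()
                     if k in new_entries and new_entries[k] != h)
    missing = sorted(k for k in old_entries if k not in new_entries)
    # password reuse: any digest shared by two or more accounts in the new database
    by_digest = {}
    for key, digest in new_entries.items():
        by_digest.setdefault(digest, []).append(key)
    reused = sorted(tuple(sorted(keys)) for keys in by_digest.values() if len(keys) > 1)
    return {"unchanged": unchanged, "changed": changed, "missing": missing, "reused": reused}


# Constructed sample data, not real accounts.
OLD_EXPORT = """url,username,password,extra,name,grouping,fav
https://mail.example.org,alice,OldMail1,,Mail,emails,1
https://shop.example.com/login,alice,OldShop2,,Shop,shopping,0
https://forum.example.net,alice,OldForum3,,Forum,misc,0
http://bank.example.com,alice,OldBank4,,Bank,finance,0
"""

NEW_EXPORT = """url,username,password,extra,name,grouping,fav
https://mail.example.org/,alice,N3w-mail_pw,,Mail,emails,1
https://shop.example.com,alice,OldShop2,,Shop,shopping,0
http://bank.example.com,alice,N3w-mail_pw,,Bank,finance,0
"""

if __name__ == "__main__":
    report = rotation_report(load_entries(OLD_EXPORT), load_entries(NEW_EXPORT))
    for section, items in report.items():
        print(f"{section}: {len(items)}")
        for item in items:
            print("  ", item)
```

In the sample the shop account is still on its old password, the forum account was never carried over, and the bank account was changed but to the same value as the mail account, which is exactly the reuse the tips above warn against; an empty `unchanged` list and an empty `reused` list is the finish line for the routine.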

You may be able to speed things up further by installing a plugin like KeeFox which brings KeePass functionality to Firefox. Similar extensions are available for other web browsers. I'm currently managing about 50-60 accounts per hour with this system. You may be even faster if you use a browser plugin.


Comments

  1. Archer said on November 14, 2013 at 8:53 pm
    Reply

    I know my response to this page is pretty late but I thought I’d share my method as well.
    I’ve been a Keepass user for a while and have been using it with Firefox with Keefox plugin. Works wonderfully.
    I thought of sharing my method to get some feedback on the technique and if someone had better ways of encryption.

    I have my keepass database encrypted with a combination of numbers, letters and special characters.
    Now the keepass database is saved into an encrypted drive by Boxcryptor and put into my dropbox folder so that I can have my passwords along with me even on my smartphone.
    Now in the worst case that my dropbox was hacked, they would get an encrypted boxcryptor file.
    They would have to break that encryption and then break the keepass encryption in order to get to the passwords. Am I paranoid? Is there anyone who has something crazier / better?
    I’d like to hear about it.

  2. Peter said on June 13, 2012 at 10:09 pm
    Reply

    You shouldn’t be that worried about it. Most of your passwords are worthless and nobody would have them for free.

  3. SubgeniusD said on April 13, 2012 at 5:34 am
    Reply

    Listening to recent Steve Gibson Security Now #347 I was reminded of this very long thread. Plus we have another currently active thread going on a closely related subject of password strength that references Steve Gibson numerous times.

    Gibson provides text transcripts of all his episodes so it was easy to copy what I had heard at the end of #347 that pertains to this thread.

    Steve: Yeah, well, use one of the better password managers.
    Leo: Yeah, yeah. LastPass continues to impress.
    Steve: Yup. They understand crypto. They’ve made no mistakes.
    Leo: And they’re totally cross-platform, a buck a month for the pro, which you don’t even have to pay for, but it’s worth it.
    Steve: Yup.
    Leo: I think that’s probably a good choice.
    Steve: It’s what I use.

    The entire episode was about feeble password managers and the few that meet Gibson’s high standards. I saved the transcript, it’s a lot quicker to read it although the podcast is kind of entertaining.

  4. Ashkar said on May 11, 2011 at 7:17 am
    Reply

    Hi, very useful software review. I’d like to use this to manage my passwords too. I tried to install it from the official website of KeePass, but I couldn’t find any link. Anyone please help?

  5. Paul said on May 7, 2011 at 4:18 pm
    Reply

    Sticky Password manager I use.

  6. John S. said on May 7, 2011 at 12:06 am
    Reply

    Well, that was a major goof on my part. I accidentally downloaded 1.19b, the Classic version.

    Sorry about that. Just imported it into 2.15 and works fine now. Thanks. :)

  7. John S. said on May 6, 2011 at 11:55 pm
    Reply

    I don’t see any option for Generic CSV Importer anywhere. Here are the only options available: http://i.imgur.com/py2fV.png

    Yes, I go on the lastpass website, export and it’s all in the web browser. Copy and paste into notepad, save it as a file. Then so far I’ve chosen Import from CSV File and it spits that error.

    1. Martin Brinkmann said on May 6, 2011 at 11:58 pm
      Reply

      You may be running an older version. The Import looks different if you use KeePass 2.x. You may want to try that one.

      1. Dan said on May 7, 2011 at 5:18 am
        Reply

        Martin, it’s not strictly speaking an older version. Rather John’s using the 1.xx branch of KeePass. The KP developer is concurrently supporting two branches of KP: 1.xx for cross-platform users (e.g. KeePassX users), and 2.xx for those who have .NET/Mono. 1.xx is more portable but 2.xx has more features (including better import filters).

      2. Martin Brinkmann said on May 7, 2011 at 8:03 am
        Reply

        Dan, I did not know that. Thanks for letting me know.

  8. John S. said on May 6, 2011 at 11:45 pm
    Reply

    The first line is this:
    url,username,password,extra,name,grouping,fav

    Afterwards, it’s all my web sites, usernames, and their password. I tried removing that line and importing it and it doesn’t work, same error. Tried exporting as CSV via the toolbar, importing it, still nothing.

    1. Dan said on May 7, 2011 at 5:00 am
      Reply

      Are you using KeePass 1.xx or 2.xx? Use 2.xx cause it can import generic CSVs.

      Then try this:

      1) Download LastPass Pocket. Open your account using LP Pocket, choosing to load your data from LastPass.com.

      2) Export as plaintext CSV. It ought to save it as a .csv file, no need to copy+paste.

      3) (Optional) Open the CSV using Excel/Calc or any other spreadsheet app.

      a) Arrange the columns thusly:
      name, username, password, url, extra, (the rest can be ignored)
      b) You may delete the 1st row (the column titles). Otherwise it will also be imported by KP2.
      c) Save and quit.

      4) Open KeePass 2.xx. Click File > New to create a new database. Then click File > Import > Generic CSV importer. Choose the Lastpass CSV file.

      5) (Optional if you skipped #3) Under Define Field Order, rearrange as follows: URL, User Name, Password, Title, Notes, (ignore the rest). Click Import.

      BTW, make sure the CSV’s encoding is ANSI unless you are using non-Latin chars.

    2. Martin Brinkmann said on May 6, 2011 at 11:51 pm
      Reply

      You are pasting it into a plain text document, right, and selecting the Generic CSV Importer format, right? Have you tried to remove spaces in the file name of the file? My text file looked exactly the same way.

  9. John S. said on May 6, 2011 at 9:54 pm
    Reply

    I keep having this problem:

    An error occured while importing the file. File cannot be imported.

    Entry: #0

    The help file contains detailed information about the expected input format. Do you want to open the help file?

    I click on Yes and it tells me absolutely nothing. I’ve searched on google and I’ve learned nothing. I’d like to use a local password solution, but I fear I will not be able to if I am forced to use lastpass.

    1. Martin Brinkmann said on May 6, 2011 at 11:14 pm
      Reply

      Have you made sure that it is an empty text file that you have the data pasted into? Entry #0 seems to suggest either a problem with the first line or that there are no entries to be added.

  10. VW said on May 6, 2011 at 5:01 pm
    Reply

    Also, I did not try the Chrome plugin for KeePass but people are reporting it to work very well.

  11. VW said on May 6, 2011 at 4:58 pm
    Reply

    Nitrox;

    KeePass is the only system that uses auto fill with Two-Channel Auto-Type Obfuscation. Basically a keylogger would only see you pasting like Ctrl+V all the time but not the data.

    And to take this into defense, how do you think LastPass fills the data on websites? It also auto fills, and guess what, it doesn’t have any obfuscation at all.

    So LastPass needs plugins, KeePass doesn’t. It works on all OS and browsers. LastPass auto fills, so does KeePass, LP has plugins, KeePass has them for Explorer, Firefox and Chrome as well if you want them, but you don’t need them to fill logins.

    LP can change passwords and detect changes, granted, but I did not use that feature because it sometimes recorded bad data. It detected a password change but used as the new password some other data I filled in with the password change, blocking me out.

    Where LP is better maybe is the policy for companies, you can share logins with someone without ever revealing it and that stuff. KeePass has a policy but it’s more limited, still it’s better than nothing.

  12. VW said on May 6, 2011 at 4:52 pm
    Reply

    Hi Martin Brinkmann,

    I was exactly in the same boat as you were tonight, manually importing over 300 logins.
    I also make my living online so I cannot take any chances.

    I started using eWallet years ago and then switched to LastPass Enterprise for the last 9 months or so.

    I loved eWallet because it was offline and I could take it everywhere, I had it in sync with my phone and my FTP server so I could access data everywhere. The problem was that I just hated to have to copy and paste all the time and the Firefox plugin was not enough as you had to manually unlock it, search the record and click it.

    LastPass was perfect or almost. The first thing I missed was the control and power I had with eWallet, LastPass is clearly for online stuff but that’s it. Trying to import credit cards and other info which is not exactly login boxes is not nice in LP, it’s very limited. Also, LP has a Pocket version but it doesn’t do anything except import and export.

    So I used LP with LP for applications and the more I used LP the more problems I saw. I suggested like 20 features in their forums and never had any reply, so clearly it was a product that is not evolving anymore as their userbase is just too big. Big problems, like you cannot copy and paste in the WP7 version. You don’t have password history on logins for apps, and that they are separated from the other logins is just terrible. I log a lot into server consoles and having to update 3 records just because a server password changes is messy. I had to change the one that auto fills my SSH software, then the one that logs into cPanel and then another one holding the main record. As all 3 use the same password, on more than one occasion I missed updating one.

    Using LP more and more I saw more of its limitations. I was not happy with it anymore, it’s too limited and you have almost no control over it. I also had a bad vibe about it. I suggested a lot of fixes, like cards together, or let’s build an API to send data into the vault without decrypting it, or even a local server for business, none of these features was ever welcome. It seems LP wants to maintain as much control as possible over users.

    What happened yesterday was the motive I needed to look for another solution. It’s very funny but before leaving eWallet and going with LastPass I actually tried KeePass, but it was version 1.9, they are on version 2 now. Oh boy what a difference.

    You can do absolutely all you can with LastPass and even more. Let me explain.

    KeePass lets you sync online just fine. You can add your FTP servers, or with a plugin add any service like Dropbox and have your data everywhere. You can even decide when to sync or for what, like saving a specific password can trigger the sync. YES! It has triggers to make it do all you want.

    So I started to read all the documentation on KeePass and I can tell you all this. LastPass is a cheap toy versus KeePass. This is the ultimate password solution. I dare someone to tell me two things LastPass can do better. It can’t! This is so much superior in so many ways.
    First it has all the features I was begging for for months on the LP forums. Yes, they are here, now. These are mostly of more interest for heavy users but still they are here.

    Example, you can have one and just one record, containing for example your server root password. This record can automatically not only execute a web URL like your cPanel but also open PuTTY and fill the password. Yes, it can do all of this. You can configure each login you create with as many websites and apps as you want. And guess what, it also can be linked to other logins, so update one field on one and it will update on the other.

    It has memory protection, it erases data once copied to the clipboard, it lets you choose which encryption you want, I can talk all day long, it has everything. Just try the plugins. For example I found I could not add credit cards as nicely as I did with eWallet. No problem, I downloaded a plugin to create my own templates containing my own fields!

    You can open multiple databases. You can log into software automatically like Skype, your FTP client, you name it. It has password expiration that reminds you to change them. It has a customized history for all data changed.

    And here comes the best. You don’t need plugins!!!! My concern with LP and Roboform was their plugins. They work so well in some browsers and so badly in others. And also to be honest, having plugins is not safe. An attacker can target the plugin. Do you know where your plugin is connecting and when? I know with KeePass. My Norton pops up if it wants to connect to the internet, so I know it’s me trying to check for an update, otherwise even if it’s compromised it cannot connect to the net unless I want it to. Also if you read the security on KeePass you will notice it’s highly superior in every possible sense.

    To log into a website it has auto fill, you train your login once, very easy, it takes 3 seconds, just choose the browser and say what you want it to fill and that’s it. Then on any website just press Ctrl + Alt + A and it will fill and login. On any website on any browser without plugins. But since it’s open source there are plugins for it as well. And yes even a Windows Phone app is available, and an iPhone one, and a Blackberry and of course Android as well. Did I mention it’s absolutely free?

    The thing I was concerned about LastPass and the hack was, they don’t know what happened. Do you really want to trust all your digital life to people that don’t even know what’s happening on their own network? Also, they had connected their desktop works to their cloud database? What? What kind of security is this. They say “The last pass you will ever remember” and then they send an email asking people to change the only password they remember. Huh?

    It’s very concerning, not the offline issue, I can live with that, but the fact they don’t know what happened but that something breached their systems. Sorry folks but sharing my logins with 9 million other clients in a central storage is just honey for hackers. I prefer to have it on my PC and maybe on SkyDrive lost somewhere where only I can find it.

    LastPass is perfect for a lot of people, that want it all automatic, but for others that want to store bank accounts, credit cards, customer data, it’s not the right solution. You need something that is open and can be customized, something secure that you want to control. The way LastPass handled this says a lot about the company. I did not receive a single email when they were down, I had to google it.

    They posted just in their blogs and they took their forums offline so people would not go there to rant about the issue. Basically they were hiding, and yes I tried to access the forum all the time and it was offline on purpose. I even hit a “test.html” as index once when I tried to load it, so they took it off on purpose.

    Also some commenters in their blogs said they contacted their support once and they knew exactly their username and passwords. So the story about your master password not being sent is actually just that, a story.

    People working in LP can access your data if they want. Just remember, they control what updates are sent to your plugins, so they can also control where your data is sent and what. People asked them about auditing as far back as 2008, they never did because I suspect it would reveal nasty things about their services, especially that it’s highly insecure. Nothing is 100% safe, I know, but LP just is not good enough for me to put all my online business at risk. This is the same reason why Fortune companies and their IT systems will use stuff like KeePass, open source, that can be modified to their systems, and extended to make it work like they want, and of course maintain control over their data.

    1. Mik said on December 6, 2013 at 12:14 am
      Reply

      From what I can tell KeePass doesn’t have role-based authentication or any kind of password sharing (other than sharing a password for a single database). I appreciate your enthusiasm, but “Lastpass is a cheap toy versus Keepass” seems like a stretch.

    2. Martin Brinkmann said on May 6, 2011 at 6:28 pm
      Reply

      Thanks for your report, interesting to read.

  13. Matias said on May 6, 2011 at 4:09 pm
    Reply

    Welcome to the club Martin! I’ve been using KP for years (I’ve always preferred offline methods) and can not complain about it. One good thing to say about it is that it is compatible with my good old Pocket PC. Then, I can basically take my passwords with me, no need to carry a laptop or get the passwords from the internet!

    Cheers!

  14. Nitrox said on May 6, 2011 at 9:39 am
    Reply

    If you are not comfortable with copying and pasting in Keepass, then you can use Auto type. The only drawback of Auto type is that keyloggers can record the simulated keys. You can read more about Auto type here http://keepass.info/help/base/autotype.html

    There is another form of entry called Two-Channel Auto-Type Obfuscation. It uses a combination of copy and paste + Auto type. It is more secure than Autotype and makes keyloggers useless.
    You can read more about it here: http://keepass.info/help/v2/autotype_obfuscation.html

  15. Dan said on May 6, 2011 at 1:34 am
    Reply

    BTW, for people migrating from LP to KP, I suggest that after you create your database to go to File > Database Settings > Security and change the key transformation rounds to a higher value than the default. This will increase the security of the database, which is very useful if you plan to carry it in a thumb drive or sync with DropBox et al.

  16. Dan said on May 6, 2011 at 1:30 am
    Reply

    Thankfully, I always keep my LastPass and KeePass synced (manually). Now I’ve disabled the LP extension and started using KeePass again. To integrate with Chrome browser, I downloaded and installed ChromeIPass and KeePassHttp. Works almost as good as LastPass. I also synced my KeePass directory (with the kdbx database) with Windows Live Mesh so I can use it with all my Windows PCs.

  17. dwarf_705S said on May 6, 2011 at 12:39 am
    Reply

    The keepass solution works (sort of), but it’s a bit on the heavy side (lol .NET). It doesn’t recognize some logins from my lastpass imports, and so I try entering them manually. OK, that isn’t a huge deal, but it won’t remember that pass in Keepass (unless I’m doing something wrong). Entering them manually or even manually exporting them via plugin seems so barbaric after using Lastpass so long heh.

    Rough. I’m hoping there’s a solution to enable proper db updating from the browser itself.

    1. Dan said on May 6, 2011 at 8:41 am
      Reply

      Keepass 1.xx does not use .NET framework, and besides, .NET is already installed in Vista and Win7 so it’s no longer “heavy” for a lot of new users. Even my last XP machine had .NET installed because it’s used by a lot of quality programs.

      1. dwarf_705S said on May 6, 2011 at 7:05 pm
        Reply

        Fair enough, and I use .NET too, but it is on the heavy side as far as resources. Reason I’m using the 2.xx .NET version is that Keefox requires it.

        That said, I’ve found a happy medium. I’m using Passifox to import my old lastpass logins into browser user/pass fields, and once entered, Keefox offers to remember them. So Keefox can actually update your Keepass db, which is what I wanted.

        At the end of the day, Passifox is being used to import old logins and save them in a format that Keefox “likes”, and then that site I saved is good to go with only Keefox. So far so good. It’s damn sure less painful than updating everything by hand.

        Also, I did up the transformation rounds when I was poking around in the settings. I’ll have to go back and tweak them again to see if the higher numbers cause “lag” like it said it might.

        I wonder if there’s any option to securely delete my lastpass profile…

  18. Arthur said on May 6, 2011 at 12:30 am
    Reply

    @Martin. You could have saved yourself a lot of time if you stayed with LastPass and just got a YubiKey (http://helpdesk.lastpass.com/security-options/yubikey-authentication/).

  19. Domdom said on May 5, 2011 at 10:39 pm
    Reply

    BTW don’t forget that amongst other things, LastPass also supports strong authentication, which means an additional static code from a grid you possess, in case you try to authenticate from a new unknown PC, so even the master password wouldn’t be enough for possible hackers ;-)
    Unless you change from where you connect, just enable this option in the future and you are safe …

    1. Martin Brinkmann said on May 5, 2011 at 10:45 pm
      Reply

      Great tip!

  20. X said on May 5, 2011 at 9:40 pm
    Reply

    There are some basic rules:

    – Do not choose a password someone -yourself included- can ever guess, but only “calculate”. Like concatenating the 1st letter of every (second/third) word in a long favourite sentence.

    – The more symbols in your alphabet, the better. Using letters only is better than using numbers only. 8 digits is a strict minimum (Kudos to most banks & credit cards!).

    – Adding one digit to a password will always beat selecting a larger alphabet. Having a 9-digit long password made of letters only is better than an 8-digit one with letters and numbers.

    – Change your password regularly (At least the master one).

  21. Paul(us) said on May 5, 2011 at 9:37 pm
    Reply

    I have looked at the program and I am not really sure at all about the plugins I have to use to use this program properly, with integration with the main Firefox browser. So what do I really need, or do I need all of the hereafter named plugins:
    keeform
    keefox
    passfox

    1. Martin Brinkmann said on May 5, 2011 at 9:39 pm
      Reply

      Maybe someone else can help you there, I have not looked at the plugins myself. Will do so in the future though.

  22. exa said on May 5, 2011 at 8:43 pm
    Reply

    @milithruldur +1

  23. TechBuzzard said on May 5, 2011 at 7:46 pm
    Reply

    There is an addon called PassIFox which brings Keepass integration to Firefox 4.

    Link: https://addons.mozilla.org/af/firefox/addon/passifox/

    I have been using Keepass for quite some time now and I find it very useful for storing passwords locally.

    1. bleno said on May 5, 2011 at 11:23 pm
      Reply

      I use Keefox which does it as well.
      http://keefox.org/

      I never heard of Passifox, it looks like it’s a much more recent project.

      1. Johan said on April 13, 2012 at 11:18 am
        Reply

        KeeFox works with Waterfox (64 bit Firefox) … absolutely magic in storing new entries and filling passes. BTW KeePass installed 64 bit also – superior to commercial programs like Roboform :)

    2. Martin Brinkmann said on May 5, 2011 at 8:33 pm
      Reply

      Thanks for posting, I will definitely take a look at this.

  24. milithruldur said on May 5, 2011 at 7:07 pm
    Reply

    Of course all this talk with decryption doesn’t make it sound like an easy thing to do, because brute-force attacking requires considerable computational power, sometimes taking months or years before finally cracking a password open.

    Cryptographically strong passwords add complexity to the decryption process, so the more complex, and long, the better. Also, a strong encryption algorithm (AES-256 and the likes) comes into play in deterring hacking attempts.

    And add a healthy habit of refreshing (renewing) passwords every now and then. :-)

    /m

  25. milithruldur said on May 5, 2011 at 6:56 pm
    Reply

    So far nothing LastPass did was wrong, nor had been an indication of security malpractice. And there are yet to surface successful attempts at stealing (decrypting) the stolen data (encrypted) if there ever was a security breach.

    For those who have a good grasp on the game of encryption and decryption, you will know that the only way to successfully STEAL data is to be able to open pandora’s box (encrypted data). And here is where brute-force comes in, trying to crack the weakest link in encryption systems – the master password. Sometimes pre-generated hashing tables come into play to facilitate decryption in some cases. Successful attempts at decryption hinge upon the cryptographic strength (complexity) of the master password.

    Fundamentally, the difference between online and offline password storage can now be summarized as this: whether you will place your data, which is encrypted, in an online storage that may be a high-value target for an attack, or whether you will place your data locally where you can _obscure_ its presence from attack. This is also followed up by asking whether you will trust the online entity for storage of your encrypted data, or you trust yourself with whatever storage mechanism you have at your disposal. For some or most users the answer will be clear, but for the more technically inclined, or meticulous at that, they will choose the other.

    If the answer is not apparent then ask yourself this: why would you trust YOUR bank with YOUR money or any individual or group with your valuables at that. Then perhaps the choice will be made clear for you.

    Each scenario (online or offline) poses differing levels of risk. But whatever the risk, in both scenarios the same decryption process will take place, and the success of the attack hinges upon the complexity of the master password.

    So the question now to ask is, where will you place your data?

    LastPass understood the risk right at the very beginning, and they have designed their systems upon this well-thought understanding. However, the message common to all encryption systems that is often times lost to users is choosing a cryptographically strong password – this can be said when setting WiFi passwords, as well as with password managers.

    LastPass managed to provide great convenience and security at the same time, something that is oftentimes hard to achieve. It would be most unfortunate if users started distrusting the service (perhaps because many others are doing the same), without grasping the fundamentals of encryption and how they may or may not be affected at all by the issue, when it has done nothing wrong so far in terms of standard security practice.

    If users started converting from online password managers to offline software, then let it be done because of preference or principle, not because of misguided info or misinformed facts. (Of course I'm not saying anything about your recourse of action Martin, but merely sharing my thoughts with other users who might be considering switching managers after the news broke, and after they read your post :-) )

    /m

  26. Dan said on May 5, 2011 at 6:54 pm
    Reply

    I've been a KeePass user for years. I keep local copies of the file on my devices and sync them via a flash drive or, lately, Dropbox from time to time.

  27. Ben said on May 5, 2011 at 6:40 pm
    Reply

    I have tried KeePass before and I never have any luck with it. This time has been no different. When I go to File > Import from >, the options in the list are not selectable, so I cannot import anything into it. :(

    Guess it’s back to just remembering my passwords. :(

  28. X said on May 5, 2011 at 6:30 pm
    Reply

    I wasn’t referring to your own password, but only to the fact that “ppl having a strong, non-dictionary based password or pass phrase should be safe, for the potential threat here was brute forcing your master password using dictionary words”.

    Regardless, changing all your account passwords, particularly the master one, is certainly a good thing to do on a regular basis, LastPass or not.

  29. Robert Palmar said on May 5, 2011 at 6:05 pm
    Reply

    I was just thinking it was about time
    I jumped on the LastPass bandwagon.
    I am glad I did not, with many jumping ship.

    I did not think much of the LastPass official explanation.
    I sense the breach is more significant than explained
    and their statement did not inspire confidence.

    1. Martin Brinkmann said on May 5, 2011 at 6:16 pm
      Reply

      A few things do not really inspire confidence: They started well with the blog post, and replies to users who commented there. But then everything seems to have been shut down. The servers are not always working properly, users cannot change their master password, and they do not respond to support requests anymore, whether by email, blog post or forum.

      1. Robert Palmar said on May 5, 2011 at 6:40 pm
        Reply

        It looks like it is going from bad to worse.
        The site is not accessible for me; I checked
        out of curiosity, and it shows a 502 Bad Gateway.

        Time will tell if they survive this incident.
        Their reputation is severely damaged.

  30. X said on May 5, 2011 at 5:56 pm
    Reply

    According to LastPass:

    If you have a strong, non-dictionary based password or pass phrase, this shouldn’t impact you – the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that’s immune to brute forcing.

    1. Martin Brinkmann said on May 5, 2011 at 6:00 pm
      Reply

      I can reassure you that my master password was relatively safe: 18+ chars, upper- and lowercase chars, numbers, special chars all included.
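
The offline guessing attack that comment 25 above reasons about, and that the LastPass statement quoted in this comment describes ("brute forcing your master password using dictionary words"), as an added Python example. This is not code from the article, from any commenter or from LastPass. It assumes (not stated on the page) that an attacker holds a copy of a per-user record made of a random salt, an iteration count and a PBKDF2-HMAC-SHA256 verifier of the master password; the records, the wordlist and the mangling rules are all constructed here for the demonstration. It shows why a dictionary-derived master password falls in a few dozen guesses while a random one survives the whole wordlist, and how the iteration count only scales the cost per guess rather than rescuing a guessable password.

```python
"""Offline dictionary attack against a leaked master-password verifier.

Added example, not code from the article, its commenters or LastPass.
It models the threat discussed in the thread: an attacker who copied
server-side records tries guesses against each user's stored verifier
until one matches, then uses that master password to decrypt the vault.
Assumed (not from the page): a record holds a random per-user salt, an
iteration count and a PBKDF2-HMAC-SHA256 verifier. Records, wordlist and
mangling rules below are constructed locally for the demonstration.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 5000  # assumed value, kept low so the demo runs quickly

# Constructed wordlist; a real attacker would use millions of entries.
WORDLIST = ["password", "letmein", "dragon", "monkey", "sunshine", "welcome"]
SUFFIXES = ("1", "123", "!", "2011")


def derive(master: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte verifier (or vault key)."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                               iterations, dklen=32)


def make_record(master: str, iterations: int = ITERATIONS) -> dict:
    """What a server might store per user: the attacker's 'leaked' input."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "verifier": derive(master, salt, iterations)}


def candidates(words=WORDLIST):
    """Dictionary words plus simple mangling rules (capitalise, add suffix)."""
    for word in words:
        for base in (word, word.capitalize()):
            yield base
            for suffix in SUFFIXES:
                yield base + suffix


def crack(record: dict, words=WORDLIST):
    """Return (master, guesses_tried) on success, or (None, guesses_tried)."""
    tries = 0
    for guess in candidates(words):
        tries += 1
        got = derive(guess, record["salt"], record["iterations"])
        if hmac.compare_digest(got, record["verifier"]):
            return guess, tries
    return None, tries


def seconds_per_guess(iterations: int, samples: int = 20) -> float:
    """Attacker's wall-clock cost of one guess at a given work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = make_record("Monkey123")               # dictionary word + mangling
    strong = make_record("vQ7#kL9pzT2mN4wR8xB1")  # random, in no wordlist
    print("weak:  ", crack(weak))     # found after 38 guesses
    print("strong:", crack(strong))   # (None, 60): wordlist exhausted
    # Iterations scale the cost per guess linearly; they do not save a
    # password that appears in the attacker's wordlist.
    for n in (1000, 10000):
        print(f"{n:6d} iterations: {seconds_per_guess(n) * 1e6:8.1f} us/guess")
```

The point the thread keeps circling back to is visible in the two results: the salt and the work factor make the attacker pay per user and per guess, but a master password that a rule-based wordlist can reach is found regardless, while one with no dictionary structure forces the attacker into a keyspace the wordlist never covers.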

  31. milithruldur said on May 5, 2011 at 5:51 pm
    Reply

    That was quick. For you to take this painstaking undertaking, perhaps this means “bye bye” LastPass for you, Martin? Just curious. :-)

    I just have to say that when someone does the right thing in whatever walk of life, sometimes one is bound to be punished for it, however worthy or unworthy the punishment may be. Harsh realities of life, no?

    /m

    1. Martin Brinkmann said on May 5, 2011 at 6:01 pm
      Reply

      Well, I wanted to switch to an offline solution and this was just the last straw. I will not be using LastPass anymore from today on. Yes, it is a little bit uncomfortable to copy and paste passwords when you want to log in, but it is not that bad.

  32. argo said on May 5, 2011 at 5:23 pm
    Reply

    Actually, I'm storing only the less important accounts in LastPass and using KeePass on my cellphone to store important accounts, without the need to insert my USB pendrive into a PC to display the contents.

  33. Crodol said on May 5, 2011 at 5:21 pm
    Reply

    Why did you choose KeePass over PasswordSafe?

    1. Martin Brinkmann said on May 5, 2011 at 5:49 pm
      Reply

      I did not look at PasswordSafe. KeePass was recommended to me, and the application appears to offer everything that I need.
