Some LastPass users are locked out of their accounts after trying to reset their authenticator app

Martin Brinkmann
Jun 25, 2023
Security

Password management service LastPass started to prompt its customers to reset their two-factor authentication method on May 9th, 2023. The company upgraded account security at the time by raising the number of password iterations to 600,000 rounds.

A higher iteration count makes each derivation of the encryption key from the master password slower. That cost falls on the legitimate client once per login, but it also falls on an attacker for every single guess, which makes recovering a master password from stolen vault data proportionally more expensive.

LastPass explains on a support page that it uses the "PBKDF2 function implemented with SHA-256" to turn a customer's master password into the vault encryption key. The configured number of rounds is used to derive that encryption key on the client, and one additional round of PBKDF2 is then applied to produce the login hash. Only the login hash is submitted to LastPass and used to authenticate the customer; the encryption key itself stays on the device.

The new default number of password iterations has been set to 600,000 for new accounts and for accounts that update the existing iteration count.
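The following is an added example, not LastPass's own code, that models the two-stage derivation described above with Python's standard library: PBKDF2-HMAC-SHA256 over the master password at the configured iteration count gives the encryption key, and one more PBKDF2 round over that key gives the login hash. The salt choices (account e-mail for the key, master password for the login hash) and the 32-byte key length are assumptions made for this example; the article states only the function, the hash and the round structure. The `offline_guess` function stands in for an attacker holding stolen data and shows that the work per guess grows linearly with the iteration count.

```python
import hashlib
import hmac

KEY_LEN = 32  # assumption: a 256-bit vault key


def derive_encryption_key(master_password: str, salt: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password for `iterations` rounds.

    The result is the vault encryption key. It is computed on the client
    and never leaves the device. Using the account e-mail as the salt is
    an assumption of this example, not something the article states.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def derive_login_hash(encryption_key: bytes, master_password: str) -> bytes:
    """One additional PBKDF2-HMAC-SHA256 round over the encryption key.

    This is the value the client submits to the server to authenticate.
    Salting it with the master password is an assumption of this example.
    PBKDF2 is one-way, so neither the server nor anyone who steals this
    hash can recover the encryption key from it.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", encryption_key, master_password.encode("utf-8"), 1, dklen=KEY_LEN
    )


def offline_guess(candidates, salt: str, iterations: int, target_login_hash: bytes):
    """Simulate an attacker who tries candidate passwords offline.

    The stolen login hash is used as the check value here for simplicity;
    an attacker holding vault ciphertext would instead test each derived
    key against the ciphertext. Returns (recovered_password_or_None,
    hmac_computations). Every guess costs `iterations` HMAC calls for the
    key plus one for the login hash, so total work scales with the
    iteration count.
    """
    hmac_calls = 0
    for candidate in candidates:
        key = derive_encryption_key(candidate, salt, iterations)
        guess_hash = derive_login_hash(key, candidate)
        hmac_calls += iterations + 1
        if hmac.compare_digest(guess_hash, target_login_hash):
            return candidate, hmac_calls
    return None, hmac_calls


if __name__ == "__main__":
    # Constructed sample input; a low round count keeps the demo fast.
    email, password, rounds = "user@example.com", "correct horse battery staple", 2000
    key = derive_encryption_key(password, email, rounds)
    login_hash = derive_login_hash(key, password)
    print("login hash sent to server:", login_hash.hex())
    found, work = offline_guess(["password", "letmein", password], email, rounds, login_hash)
    print(f"attacker recovered {found!r} after {work} HMAC-SHA256 computations")
```

At the new default of 600,000 rounds each guess costs 600,000 HMAC-SHA256 computations instead of the 2,000 used in the demo, so the same three-word attempt above would take three hundred times longer; dropping the round count to a few thousand is exactly what makes offline guessing cheap.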

LastPass informed customers about the upcoming change by email, and has since also prompted users to reset their multifactor authentication in the applications they use.

At least some LastPass customers have found themselves in reset loops that they can't escape from. In the past couple of days, several LastPass customers posted on the official forum claiming that they can't open their vaults anymore after following the company's instructions to reset their multifactor authentication.

Users of LastPass who face the loop can't open official support tickets, as these can only be opened by signed-in users. Affected users posted messages on Twitter or the LastPass Support Discussions forum.

The majority of recent posts on the official support forum are about login issues after following reset instructions.

LastPass explains the entire reset process on a support page, and one detail there matters: customers need to log in to the LastPass website in a web browser to reset the multifactor authentication method. Resetting does not work from the browser extensions or the LastPass mobile apps.

The following steps are required to reset the authentication method:

  1. Select the Continue button after logging in to LastPass. LastPass sends a six-digit security code to the linked email address.
  2. Enter the code when prompted and select Verify to continue.
  3. Open the authenticator application on the mobile device.
  4. Scan the QR code displayed in the browser with the application to pair it. It may be necessary to select Replace or Remove to delete the old entry first.
  5. Click Verify.
  6. Log in to LastPass and authenticate with the multifactor authentication app.
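
Step 4 is where the actual re-pairing happens: the QR code encodes an `otpauth://totp/...` URI carrying a fresh shared secret, and the authenticator app derives every subsequent six-digit code from that secret per RFC 6238. The following added example (not LastPass's or any authenticator's code) parses such a URI and implements the HOTP/TOTP computation and a skew-tolerant verifier, so you can see why an old authenticator entry keeps producing codes that no longer verify after a reset. The URI, account label and issuer are constructed for the example; the secret is the RFC 6238 test secret so the outputs can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the kind of URI a TOTP enrollment QR code encodes.
# The secret is the RFC 6238 reference secret "12345678901234567890".
EXAMPLE_URI = (
    "otpauth://totp/LastPass:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=LastPass&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI into its enrollment parameters."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].upper()
    # Secrets in QR codes are usually unpadded base32; restore the padding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].lower(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(account: dict, at: int) -> str:
    """RFC 6238 TOTP: HOTP over the number of `period`-second steps since the epoch."""
    return hotp(account["secret"], at // account["period"], account["digits"], account["algorithm"])


def verify(account: dict, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (clock-skew tolerance). Comparison is constant-time."""
    step = at // account["period"]
    for delta in range(-window, window + 1):
        expected = hotp(account["secret"], step + delta, account["digits"], account["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    new_entry = parse_otpauth(EXAMPLE_URI)
    # A stale entry from before the reset: same label, different secret (constructed).
    old_entry = dict(new_entry, secret=b"09876543210987654321")
    now = int(time.time())
    print("code from re-paired app:", totp(new_entry, now), "verifies:", verify(new_entry, totp(new_entry, now), now))
    print("code from stale entry:  ", totp(old_entry, now), "verifies:", verify(new_entry, totp(old_entry, now), now))
```

The stale entry fails because the server only knows the secret from the most recent QR code; this is also why step 4 tells you to replace or remove the old entry, since keeping both in the app invites entering codes from the wrong one.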

What LastPass fails to mention is that it also sends a second email asking users to verify their device and location. Customers need to follow the link in that email to complete the verification; failing to do so appears to prevent a successful login even after the authenticator has been paired correctly.

LastPass experienced a severe security breach in 2022 that led to the copying of user vault data and information by the attacker. LastPass customers were asked to change all their passwords, including their account master password.

The higher iteration count improves security for all users going forward and raises the cost of guessing master passwords. It cannot retroactively protect vault copies that were already exfiltrated, since those were encrypted under whatever iteration count was in effect at the time of the theft. Some LastPass users switched to different password managers as a consequence of the breach.

Now You: do you use multifactor authentication? (via Bleeping Computer)

Publisher: Ghacks Technology News

Comments

  1. Leland said on June 26, 2023 at 8:33 pm

    I used to use the service Xmarks which LastPass acquired and then killed about 2 years later. Since then I have refused to support them in any way. Also they were purchased by LogMeIn in 2015 (now GoTo). I used to use their products before they killed all their free offerings. This along with them being hacked is more than enough to not want to use their products. They should have implemented this within a month of last year's hack, not months later…

  2. Namefull said on June 26, 2023 at 3:23 pm

    This is your last pass! Mwah-ha-ha-ha! (*In a supervillain voice*)

    Trusting your passwords to a third-party service – I think those who fell into this trap deserved what they got.

    1. owl said on June 26, 2023 at 11:39 pm

      > Trusting your passwords to a third-party service – I think those who fell into this trap deserved what they got.

      In your view, if it’s first party, can you trust it?
      The “too simple and happy-go-lucky thinking” makes me laugh out loud.
      Google is supported by people like this.

      By the way, a Japanese police investigation reported that “Most of the account information leaks are from Google Chrome users, and the vulnerability of their password managers is suspected”.
      Google Chrome’s password manager expands passwords in plaintext into memory when the browser is started. Google has left this vulnerability untouched (Google’s excuse mentions that the browser’s usage vulnerability is the user’s fault, and the browser developer is exempt).

      1. Namefull said on June 27, 2023 at 10:50 am

        > In your view, if it’s first party, can you trust it?
        It depends.
        There are too few clues in your question to give a correct answer. If you ask a non-specific question, don’t expect a definite answer. Learn to formulate your questions better.

        > The “too simple and happy-go-lucky thinking” makes me laugh out loud.
        This is from your own illiteracy. You have drawn the wrong conclusions from what was said, and now you are laughing at those conclusions.
        By the way, I laugh at your conclusions, too. But it was you who drew those silly conclusions, not me.

        > Google is supported by people like this.
        This statement of yours only underscores how incapable you are of thinking logically and how far away from reality your conclusions are.

        > By the way, a Japanese police investigation reported that “Most of the account information leaks are from Google Chrome users
        It’s hard to disagree with them.

        > Google Chrome’s password manager expands passwords in plaintext into memory when the browser is started. Google has left this vulnerability untouched (Google’s excuse mentions that the browser’s usage vulnerability is the user’s fault, and the browser developer is exempt).
        It’s fun to watch you argue with yourself.

  3. John G. said on June 26, 2023 at 9:53 am

    Lastpass indeed, the very last pass.

  4. tinarse said on June 26, 2023 at 4:21 am

    LastPass was the first notable player in the password safe game, but now they are an ongoing train wreck.

    There are now free, open-source alternatives that have proven themselves to be reliable and secure (KeePass – both regular flavour and XC – and Bitwarden spring to mind), so I’m not sure why anyone would stay with LP at this point.

  5. AssPassSucks said on June 26, 2023 at 3:00 am

    I don’t know why anyone still uses AssPass

  6. Sebas said on June 25, 2023 at 9:03 pm

    That was the last pass. Pass failed, last act of Shakespeare in background. “The rest is silence”.

  7. Clairvaux said on June 25, 2023 at 8:40 pm

    What a bunch of lousy amateurs.
