LastPass hacked!

S0litaire
Posts: 3,535 Forumite


in Techie Stuff
Time to change your Master Passwords people!!
Looks like LastPass servers have been hacked:
https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571
LastPass wrote: We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571
LastPass has announced on their company blog that they detected an intrusion to their servers. While encrypted user data (read: your stored passwords for other sites) was not stolen, the intruders did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. The latter is what’s used to tell LastPass that you have permission to access your account. According to LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. However, the company is still prompting all users to update their master password that they use to log in to their LastPass account. If you use LastPass, you should do this immediately. If you share that master password with any other services, you should change it there, too. Finally, if you haven’t enabled two-factor authentication you should do that immediately.
Laters
Sol
"Have you found the secrets of the universe?" asked Zebade. "I'm sure I left them here somewhere"
Comments
Looks like others may have heard before I did... PASSWORD RESET
Oops! Our servers are a bit overloaded right now.
Please try your password change again shortly, we will catch up soon.
===
Worked OK a bit later.
I was getting the same message but I managed to log on eventually and change it. Would have been nice for LastPass to notify people via e-mail rather than leaving them to find out three days later. Glad I pay for Premium.
May be a useful reminder for people to set up two-factor authentication on their LastPass account. It's free (even for the non-premium accounts) and there are a few different options to choose from.
I've been playing with Duo which I like as it sends a push notification to your phone (so you know when someone is trying to log in from an untrusted device). Also works with Google and Microsoft Authenticator.
https://helpdesk.lastpass.com/multifactor-authentication-options/
Book + pen and your own system of disguise.
Keeping things online is a hacker's dream.
They will get it if they want it.
I do Contracts, all day every day.
Yes, the two-factor authentication is a must really. I find that the Microsoft Authenticator works very well.
Drinking Rum before 10am makes you
A PIRATE
Not an Alcoholic...!
Marktheshark wrote: Book + pen and your own system of disguise.
Keeping things online is a hacker's dream.
They will get it if they want it.
The problem with this sort of system is that it's never entirely clear what the security model is. Kerckhoffs's principle says that all that needs to be secret is the key, and the encryption algorithm and the ciphertext should be available to the attacker without weakening the system. However, obviously, if you have two equally strong encryption algorithms it's harder to break one you don't know than one you do know, and it's much easier to decrypt ciphertext you have than ciphertext you don't have. If I encrypt something with a secret algorithm which is good ("NSA Suite A") and place the ciphertext into a sealed envelope in my desk, it's going to be harder to break than if I use a public algorithm like AES ("NSA Suite B") and post the ciphertext on MSE Forums.
So in principle, it shouldn't matter if Lastpass leak _everything_, provided the software running on the client devices is OK. You have a secret known to the user, which is put through a key derivation function to encrypt a vault of passwords. It shouldn't matter if the encrypted vault (aka "blob") leaks, because it's encrypted.
However, the secrets may not be very good quality ("password123") and it might be practical to try to brute force them. Lastpass take some sensible precautions against that (iterated hashes in the key derivation function greatly slow down the attacks) but that doesn't stop an attacker who gets lucky against weak passwords. So in that case, keeping the blob secret so the attacker can't try that attack is a good thing: they can't attack ciphertext they don't have.
So if you're confident that your passphrase is resistant to a brute force attack (which isn't easy to know) and are confident that the computer you type your passphrase into isn't leaking information to the bad guys (almost impossible to know), Lastpass can be as insecure as you want with their servers and you're OK. But back in the real world, leaking the encrypted blob isn't good, and retrospectively changing the passphrase used to encrypt it doesn't help, because the attacker has the blob encrypted with the old, perhaps weaker, passphrase.
In this case, LastPass say they didn't leak the blob (and the volume of those means they would know). But leaking passphrase hints isn't good, because if the attacker gets the blob by some other means, they have a clue. There's some stuff in my thesis looking at solutions to this, but they are theoretical and have all sorts of constraints which make them probably less than useful for real applications. There is research work going on about building handheld devices which store passwords securely, but they are not easy to construct for all use cases.
I use LastPass, and I'm happy with the risk trade-off, because I use a strong passphrase and I'm as confident as I can be that my device doesn't leak secrets. But I think it's an interesting and complex set of trade-offs, and I don't think LastPass do a terribly good job of explaining to the man in the street what the issues are.
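The post above describes a master password being stretched through an iterated key derivation function, the server holding only a further salted hash, and why a leaked (salt, hash) pair still lets an attacker guess weak passwords offline while rotation cannot un-leak the old copy. The following is an added illustration of that model, not LastPass's code or the poster's; the PBKDF2 layout, the use of the email as client-side salt and the 5000-iteration count are assumptions for the example, and the user, salt and wordlist are constructed.

```python
import hashlib
import hmac
import os

# Illustrative parameter: an assumption for this example, not LastPass's real setting.
CLIENT_ITERATIONS = 5000


def vault_key(master_password: str, email: str, iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side: stretch the master password into the key that encrypts the vault.
    The email is modelled here as the client-side salt; the server never sees the password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)


def auth_hash(master_password: str, email: str, server_salt: bytes,
              iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Server side: the stored login check. The vault key goes through one more PBKDF2
    round with the per-user server salt, so hash + salt do not directly expose the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key(master_password, email, iterations), server_salt, 1)


def offline_guess(leaked_hash: bytes, email: str, server_salt: bytes, wordlist,
                  iterations: int = CLIENT_ITERATIONS):
    """What a holder of the leaked (salt, hash) pair can do: recompute the hash per candidate.
    Every guess costs the full iteration count, which is the only thing slowing this down."""
    for candidate in wordlist:
        if hmac.compare_digest(auth_hash(candidate, email, server_salt, iterations), leaked_hash):
            return candidate
    return None


def demo():
    email = "alice@example.com"                                  # constructed user
    server_salt = os.urandom(16)                                 # "server per user salt"
    wordlist = ["letmein", "qwerty", "password123", "Summer2015"]  # constructed tiny wordlist

    # 1. Weak master password: the leaked hash + salt are enough to recover it offline.
    leaked_weak = auth_hash("password123", email, server_salt)
    weak_result = offline_guess(leaked_weak, email, server_salt, wordlist)

    # 2. Strong passphrase: same leak, same wordlist, nothing recovered.
    leaked_strong = auth_hash("correct horse battery staple", email, server_salt)
    strong_result = offline_guess(leaked_strong, email, server_salt, wordlist)

    # 3. Rotation changes what the server stores from now on, but the attacker's copy is
    #    still the OLD hash and still yields the old password (which matters if it was reused).
    rotated = auth_hash("new-much-longer-passphrase-2015", email, server_salt)
    old_still_cracks = offline_guess(leaked_weak, email, server_salt, wordlist)
    return weak_result, strong_result, rotated != leaked_weak, old_still_cracks
```

Raising the iteration count multiplies the cost of every guess in `offline_guess`, which is the precaution the post refers to; it does nothing for a password that is in the attacker's wordlist to begin with.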
If it weren't for LastPass I'd probably use virtually the same and easy-to-crack password everywhere.
If it weren't for LastPass I'd be lost using complex passwords on sites I access with mobile devices because the battery would be flat before my sausage fingers found the symbols etc. and got everything correct.
Ditto, I could not remember a different password for every site etc.
Like the old adverts - I was so impressed I bought premium lol
Heck knows what I'll use for a phrase now but I'll have to think of one & change it.
Access Manager works for me. ... http://www.accessmanager.co.uk/... Dave
Happily retired and enjoying my 14th year of leisure
I am cleverly disguised as a responsible adult.
Bring me sunshine in your smile
This discussion has been closed.