
LastPass hacked


MilesAhead:
That's exactly the reason I never used LastPass
-Ath (June 16, 2015, 01:27 AM)
--- End quote ---

Same here. How ultimately is having one password that opens all accounts really different than using the same password for all accounts? The end result is the same if an attacker picks the right entry point.
-Stoic Joker (June 16, 2015, 07:20 AM)
--- End quote ---

What I don't get is why are these dictionary attacks succeeding?  What happened to killing access to the account if there are 50 password entry attempts in a minute?

Shades:
Allowing one entry a minute is already a big boost in security and is easy to set up. If it takes much time, most attackers lose interest. Return rates of hacking accounts are financially much less viable this way.

Granted, this method isn't convenient for the end user when he/she doesn't remember the password. The ones that do remember aren't affected at all.

It might even get people that have trouble remembering to use phrases they can remember as a password, which would be an even bigger boost to their security. That is, if they aren't blocked from doing so by the stupid password systems used by companies that provide on-line services. Ah well, there's hoping for you...
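To make the throttling idea from the two posts above concrete, here is an added example (my own illustration, not LastPass code or anything from this thread) of a sliding-window failed-login throttle run over a few constructed authentication log lines. The log format, the account names and the addresses are invented for the example. The same function covers both policies mentioned: "lock after 50 failures in a minute" style thresholds and Shades' "one attempt per minute" variant, which is just a threshold of one with a one-minute lockout.

```python
"""Sliding-window failed-login throttle (added illustration, not LastPass's code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample authentication log; the line format is an assumption
# made for this example (timestamp, account, outcome, source address).
SAMPLE_LOG = """\
2015-06-16T01:27:00Z user=alice result=fail src=198.51.100.7
2015-06-16T01:27:01Z user=alice result=fail src=198.51.100.7
2015-06-16T01:27:02Z user=alice result=fail src=198.51.100.7
2015-06-16T01:27:03Z user=alice result=fail src=198.51.100.7
2015-06-16T01:27:04Z user=alice result=fail src=198.51.100.7
2015-06-16T01:27:05Z user=alice result=ok src=198.51.100.7
2015-06-16T01:27:30Z user=bob result=ok src=203.0.113.9
2015-06-16T01:33:00Z user=alice result=ok src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Split one log line into (timestamp, user, result, source)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["result"], m["src"]


def evaluate(lines, max_failures, window_seconds, lockout_seconds):
    """Replay log lines through a per-account throttle.

    Returns (decisions, lockouts): one decision per line, which is
    "locked" (attempt refused without being checked), "rejected"
    (checked and failed) or "accepted"; and a list of (user, time)
    pairs marking the moment each lockout began.
    """
    window = timedelta(seconds=window_seconds)
    lockout = timedelta(seconds=lockout_seconds)
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    locked_until = {}              # user -> time the lockout expires
    decisions, lockouts = [], []

    for line in lines:
        ts, user, result, _src = parse_line(line)

        # While an account is locked, even a correct password is refused;
        # that is the cost Shades mentions for users who forgot it.
        until = locked_until.get(user)
        if until is not None and ts < until:
            decisions.append("locked")
            continue
        locked_until.pop(user, None)

        if result == "ok":
            failures[user].clear()  # a genuine login resets the counter
            decisions.append("accepted")
            continue

        q = failures[user]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] >= window:
            q.popleft()
        decisions.append("rejected")

        if len(q) >= max_failures:
            locked_until[user] = ts + lockout
            lockouts.append((user, ts))
            q.clear()
    return decisions, lockouts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # Threshold policy: five failures inside a minute locks the account for five minutes.
    print(evaluate(lines, max_failures=5, window_seconds=60, lockout_seconds=300))
    # "One attempt per minute" policy: any failure blocks further attempts for a minute.
    print(evaluate(lines, max_failures=1, window_seconds=60, lockout_seconds=60))
```

With the five-failure policy the sixth line (the correct password, one second after the fifth failure) is refused as "locked", bob is unaffected because the state is per account, and alice's login six minutes later goes through once the lockout has expired. Note that a real deployment would also key the counter on source address and would record the lockout events for the SOC, since a burst of lockouts across many accounts is the signature of the dictionary attack the post above asks about.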

wraith808:
LastPass has issued a Security Notice saying that they have been hacked resulting in account owners personal information being compromised.

They claim that no password data was breached, but recommend that all users change their master password ASAP.


-xtabber (June 15, 2015, 06:11 PM)
--- End quote ---

That linked statement says something different than your blurb, IMO.

Do I need to change my master password right now? LastPass user accounts are locked down. You can only access your account from a trusted IP address or device – otherwise, verification is requested. We are confident that you are safe on your LastPass account regardless. If you’ve used a weak, dictionary-based master password (eg: robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites you need to update it.

--- End quote ---

we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.

--- End quote ---

Both of those directly contradict what's in your blurb.  At least... unless I'm missing something?

What they say was accessed:
The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

--- End quote ---

There's a lot more they'd have to compromise to use that.  Unless they can just guess from your reminder.

And I'm not really worried with two factor enabled.  Unless they can get my device, they aren't getting in by the front door.  So why change it?

It's always a balance between accessibility and security.  Because of the fact that I want my wife to be able to access my accounts if something happens to me, and want the ability to change my passwords without updating some monolithic list for her, this is a good enough compromise, IMO.

tomos:
^ what their email said was:

We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.

We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.
--- End quote ---
(my emphasis)

xtabber:
That linked statement says something different than your blurb, IMO.

Do I need to change my master password right now? LastPass user accounts are locked down. You can only access your account from a trusted IP address or device – otherwise, verification is requested. We are confident that you are safe on your LastPass account regardless. If you’ve used a weak, dictionary-based master password (eg: robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites you need to update it.

--- End quote ---

we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.

--- End quote ---

Both of those directly contradict what's in your blurb.  At least... unless I'm missing something?

What they say was accessed:
The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

--- End quote ---

-wraith808 (June 16, 2015, 09:33 AM)
--- End quote ---

In my book, that qualifies as personal information.  Whether or not it is enough to crack your passwords, it can be a serious problem for many users who may not be as sophisticated as you are.  

And your first quote from the LP notice contains language explicitly telling anyone who has a weak master password, or has used their master password on other sites, that they need to change it.

Note also that LP does not say that no passwords were compromised, only that they have not found evidence of that and that they think their encryption methods are strong enough to prevent that from happening.  Of course, they also thought their security was strong enough to prevent a breach in the first place.


