LastPass got hacked: Change your master password NOW

Password-storing cloud biz LastPass is urging its users to change their master passwords after hackers broke into its network at the end of last week. The intrusion reportedly happened on Friday afternoon, but many LastPass users are only learning about it now. LastPass last had a security scare in 2011. "In our investigation …

  1. yoganmahew

    Say what?

    I've just found out about it from this post... so they surely haven't emailed everyone...

    I've just checked my vault and the security challenge scores me at 46%... I didn't realise the missing 54% was because they'd given my details away...

    1. TeeCee Gold badge
      Meh

      Re: Say what?

      so they surely haven't emailed everyone

      You amaze me. Maybe they like to think that their user base has more sense than to respond to: "Dear Lastpass user. It is now important to update your account details. Please login at the following link: https://wecantbelieveyoufellforthisyoutwat.moodyhost.com.".

      Other possibility. They did, but messages like that go straight to your spam bucket....

      1. yoganmahew

        Re: Say what?

        Hmmm. It arrived this morning at 04:04...

        "We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords"

        Either they're confident and I don't need to change or they're not...

        And my last bloody spam-free email address is now for sale :(

        1. Lee D Silver badge

          Re: Say what?

          "And my last bloody spam-free email address is now for sale :("

          Buy the cheapest domain you can find.

          Point the MX record at the cheapest of cheap VPS.

          apt-get install postfix dovecot

Then use whatever you want@domain.com - i.e. the name of the company you give it to - theregister@mydomain.com

Every time you give out an email put it on a whitelist; every time you get unsolicited spam, put that company's email in the block list.

And if you want you can just forward all email to another address (or even duplicate it all to, say, a GMail address) for security. Hell, you can make your backup MX be your domain registrar's original so if the VPS goes down, email just gets forwarded as normal.

          It gets me that techy people aren't running their own domain but complain about spam.

          1. Dabooka

            Re: Say what?

            @Lee D

            'It gets me that techy people aren't running their own domain but complain about spam.'

I'm not techy (enough), but I really want to be doing this. Any good idiot's guides out there? I need a challenge for the looming long autumn nights....

            1. Anonymous Coward

              Re: Say what?

              "I'm not techy (enough), but I really want to be doing this."

              Look for a host that provides Plesk on the VPS, it provides a nice user friendly front-end for configuring e-mail aliases.

              http://support.hostgator.com/img/articles/EmailAliasScreen.png

              Note: above image is just for visuals, I know nothing about Hostgator or how good they are, it's certainly not a recommendation to use them.

            2. Anonymous Coward

              Re: Say what?

              FastMail makes this painless, and is super flexible. Great spam tools, best IMAP support, dynamic email addresses, good support, FTP/WebDAV support. Also gives you shared webspace, great for static sites, or cloaked redirects (aka proxy) to things like Google Docs, linkedin.yourdomain.com, etc.

              https://www.fastmail.com/help/ourservice/hosteddomains.html

              https://www.fastmail.com/help/receive/domains.html

      2. Danny 14

        Re: Say what?

        "You amaze me. Maybe they like to think that their user base has more sense than to respond to: "Dear Lastpass user. It is now important to update your account details. Please login at the following link: https://wecantbelieveyoufellforthisyoutwat.moodyhost.com."."

        No, what you tend to expect is something along the lines of:

"we have had a breach, go to the site as normal and change your password - we won't provide a link so you know this email is genuine".

  2. Rory B Bellows
    Joke

    The password managers one weakness... the password...

    1. Thorne

      I'd of said the weakness was the managers.......

      1. Anonymous Coward

        "I'd of said the weakness was the managers......."

        Being hosted on a Linux box and running PHP / Wordpress is likely the primary issue here....

      2. Scott 53
        Headmaster

        ...or maybe it won't

        Thorne - you have other weaknesses

      3. Tom Chiverton 1 Silver badge

        "I'd of said the weakness was the managers......."

        Well, if you used something like PasswordSafe, you can just keep the database in a private Seafile bucket. Much smaller targets than Dropbox or LastPass.

        Just sayin'.

    2. Anonymous Coward

      "However, if your master password is complex, you should be safe – it will take an attacker far too long to crack your passphrase. Setting up two-factor authentication kills the problem dead, anyway."

      Remember there are two different things:

      1. Access to the web service to get your encrypted password file

      2. Decrypting your password file

The two-factor authentication only helps for (1). If they have already broken into the system and downloaded your encrypted password file then turning on two-factor auth won't make any difference.

      The only thing which really protects you is the (static) passphrase used to encrypt your password file.

      1. Anonymous Coward

        The problem with LastPass and kin

        1. They store your passwords on their servers; 2. Their servers can and do get hacked; 3. If you enter your master password when their servers are compromised, the hackers can decrypt all your saved passwords.

        It's a significant risk. For anything beyond "silly social crap" you need a local app + file sync (or version control), compartmentalized with separate master passwords for different teams and security levels. Nope, there isn't a good answer for non-nerds.

  3. I_am_Chris

    KeePass

    Use KeePass. There's no server to compromise. You're in charge of your passwords. Job. Done.

    1. veti Silver badge

      Re: KeePass

      Yeah, that'll work, because I know so much more about system security than the people at LastPass.

      Seriously: pen and paper. A pocket book of some sort. Post-It notes. Physical security is a well understood problem, we've been thinking about it all our lives for several generations now, we know when we've been breached. Digital security is not going to reach maturity in my lifetime.

      1. Hugh McIntyre

        Re: KeePass

        Or 1Password which lets you store the DB locally (not in the cloud) and sync to mobile devices over Wi-fi (e.g. at home).

        Probably want to avoid the browser plugins as well unless you want to trust code running in the browser's address space with access to all of your passwords (I don't).

        1. DavCrav

          Re: KeePass

          "Or 1Password which lets you store the DB locally (not in the cloud) and sync to mobile devices over Wi-fi (e.g. at home)"

Actually, just use 1Password as your password. Everyone will try Password1 and you'll be fine.

      2. Jim 59

        Re: KeePass

        Yeah, that'll work, because I know so much more about system security than the people at LastPass.

The people at Lastpass are just strangers, and are not responsible for your security. It is no skin off their nose if your bank account is emptied. Trusting your life/fortune to random Internet companies is about as responsible as taking sweets from a stranger.

The exception would be if you had a contract with Lastpass forcing them to reimburse any losses you suffer, without limit, and pay damages on top. Is that the case?

    2. asdf

      Re: KeePass

Or if you really need the cloud functionality you can store the already encrypted KeePass db file on Dropbox or some such, preferably encrypted with another cipher (and of course a different password) such as GPG, for example.

    3. Piro

      Please

      Yeah, I use keepass, and don't use any browser plugins. I only load it when I need a password from it.

      Lastpass always seemed like a dodgy idea, to me. Any centralisation.

    4. Anonymous Coward

      Re: KeePass

      "Use KeePass."

      Just use a password protected Excel sheet. Excel uses AES encryption so is secure against brute force as far as is known when used with a complex password...

      1. Charles 9

        Re: KeePass

        KeePass is multiplat with iOS and Android support.

        1. Anonymous Coward

          Re: KeePass

          and KeePassX is open-src, runs on every desktop OS including Linux.

          I've also heard good things about 'pass' - a commandline pw mgr that stores data in text files.

      2. JohnFen

        Re: KeePass

        But then you're stuck with using Excel.

      3. I_am_Chris

        Re: KeePass

        "Just use a password protected Excel sheet. "

        Not sure if you're joking, but just in case you're not, google 'break excel password' and you'll find lots of workarounds including this one:

        http://community.spiceworks.com/topic/328118-need-to-unlock-a-password-protected-excel-2010-workbook

        Excel is never the answer. Regardless of the question.

        1. sabroni Silver badge
          Happy

          Re: Excel is never the answer

What's the name of the spreadsheet app in Windows Office?

        2. Anonymous Coward

          Re: KeePass

          "Not sure if you're joking, but just in case you're not, google 'break excel password' and you'll find lots of workarounds including this one:"

          Obviously you didn't read your own link all the way through. Encrypted Excel files are secure, there is no workaround, the only way to unlock them is a brute force attack - which is not feasible for a complex password (say 10 varied characters / symbols upwards)

          1. asdf

            Re: KeePass

            Even if it is unbreakable it doesn't change the fact to do banking at home you have to have Excel installed on your home computer(s) which for many on this site has been a non starter for many years now.

    5. The Bam

      Re: KeePass

      And of course you know how to do this better than they do. Not.

  4. Anonymous Coward

    And Now Little Green Hack...

    Do you ever listen to "K-BILLY's Super Haxx of 2015 weekend"? It's my favorite station!

"K-BILLY's Super Haxx of 2015 continues. And if you're the tenth slurped one you'll win two tickets to the monster hack extravaganza being held this year at the NSA Fairgrounds featuring Big Daddy Alexander's truck, "The Oh-Bahmer.", accompanied by Russian and Chinese hotrods. The 10th victim wins on the station where the pwnerage survives. And we will now continue with the Lastpass song, "Won't somebody somehow think of my master password"...

  5. Admiral Grace Hopper
    Unhappy

    Very glad that you told us

    Quite narked that LastPass didn't.

  6. Spindreams

    Indeed I am a paying customer and I found out here just now.... not pleased... :(

  7. Anonymous Coward

    Just received a notification now.

    1. Anonymous Coward

      Me too! I've had four already!!

      1. John G Imrie
        Joke

Me too ...

All with different links to somewhere in Russia.

For some reason they keep asking for my master password.

  8. Gray
    Holmes

    grim reality

    Just as well suppose that if it's online, and uses a password ... it will be hacked. It's way past time for a better way.

    1. Charles 9

      Re: grim reality

      Except there isn't. Especially for people with bad memories.

  9. Andrew Jones 2

    Use EnPass, has full syncing, has apps for multiple platforms, has no account on a 3rd party server - instead opting to let you control your own data and do syncing via whatever cloud backup provider you prefer - I use Google Drive. The data is obviously encrypted with your master password before being transferred.

    1. Killing Time

      Like the idea but keeping my password vault in my drive account… not sure about that, eggs and baskets etc. If you are ‘connected’ you have to be prepared to trust someone (accounts, data, personal details etc) there is no getting away from it.

      Have looked around for solutions which meet my requirements and Lastpass were (and still are quite frankly) providing a professional solution for a more than reasonable fee.

      They detect an intrusion (not really huge news these days), they investigate, assess the impact and advise me accordingly, within a reasonable timeframe, given the protection already provided to me by

      A. the encryption and B. ‘the protection of the herd’ ( my vault is one of thousands).

      Changed my password, job done with no drama………

    2. Anonymous Coward

      This:

      "I use Google Drive"

      And you expect your data to be free from prying eyes?

      Purr-lease...

  10. Muskiier

    Got an email this (Monday) evening. If the hack was Friday why such a delay? Perhaps there is a reason but the email did not explain this.

    1. Anonymous Coward

      No point in telling you to change your password until they've found out how it happened and fixed it. Otherwise your new password is just as likely to get robbed as your old one.

  11. lambda_beta

    What does LastPass mean?

Is it the last password you used?

    is the password that might last?

    is the last time the password was hacked?

    is it the last time you'll use LastPass?

  12. Kaemaril#
    WTF?

    Hmm. Only just saw the article on the register about this at 03:30 on Tuesday morning. Double checked my inbox and spam filters, and nope - nothing from LastPass about this, darnit. If they're still sending out reminder e-mails they're certainly taking their time!

    So I've just gone in and changed my Master Password myself, just in case. Hope that doesn't somehow come back to bite me.

  13. This post has been deleted by its author

    1. This post has been deleted by its author

      1. Tomato42
        Boffin

Salt just needs to be unique; a 256-bit one is beyond overkill. It requires there to be 2^128 accounts before the chance of two salts repeating comes into 50% probability territory.

        1. This post has been deleted by its author

        2. Mike 137 Silver badge

          "256 bit ... is beyond overkill"

          Actually worse for you than that. For a collision-free hashing algorithm the safe limit is for the total length of the clear text to not exceed the length of the hash (in bits). If it does, there _will_ be (not just may be) collisions. So very long plaintexts (regardless of their make-up) actually make the attacker's job more rewarding, as brute forcing a given hash may yield more than one plaintext. Thus the attacker can potentially obtain more credentials from the same number of captured hashes.

          However your '50% probability' depends on the hashing algorithm's transfer function having a uniform distribution. I'm not sure whether it does, but I'd be surprised if it did considering the principle of how it works.
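The birthday bound behind Tomato42's figure above, as an added worked computation that is not part of the thread: how many uniformly random salts of a given width can be issued before a repeat becomes likely, alongside the direct uniqueness check a reviewer would run over a table of stored salts. The function names and the 32-bit and 100,000-account comparison figures are my own assumptions, not anything LastPass has published.

```python
import math
import os


def collision_probability(bits: int, n: int) -> float:
    """Birthday-bound approximation of P(at least one repeat) among n
    uniformly random `bits`-bit salts: 1 - exp(-n(n-1) / (2 * 2^bits))."""
    space = 2.0 ** bits
    return 1.0 - math.exp(-(n * (n - 1)) / (2.0 * space))


def salts_for_probability(bits: int, p: float) -> float:
    """Inverse question: how many random `bits`-bit salts can be issued
    before a repeat has probability p. Solves the approximation above for n."""
    space = 2.0 ** bits
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p)))


def generate_salts(count: int, nbytes: int = 32) -> list:
    """Draw salts from the OS CSPRNG; 32 bytes is the 256-bit case discussed above."""
    return [os.urandom(nbytes) for _ in range(count)]


def duplicate_salts(salts) -> set:
    """The practical check: which salt values occur more than once in a user table.
    Uniqueness is what matters for a salt, so this is the audit worth running."""
    seen, dupes = set(), set()
    for salt in salts:
        if salt in seen:
            dupes.add(salt)
        seen.add(salt)
    return dupes


if __name__ == "__main__":
    n = 2 ** 128
    # 256-bit salts: at 2^128 accounts the repeat probability is ~0.39, and the
    # 50% point is at 2^128 * sqrt(2 ln 2) ~= 1.18 * 2^128 accounts.
    print(f"P(repeat | 256-bit salts, 2^128 accounts) = {collision_probability(256, n):.3f}")
    print(f"accounts for 50% at 256 bits = 2^128 * {salts_for_probability(256, 0.5) / n:.3f}")
    # Constructed contrast: 32-bit salts are already likely to repeat at 100k accounts.
    print(f"P(repeat | 32-bit salts, 100k accounts) = {collision_probability(32, 100_000):.3f}")
    print("repeats in 10k fresh 256-bit salts:", len(duplicate_salts(generate_salts(10_000))))
```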

    2. dragon2611

It's 100,000 rounds on the server in addition to the number of rounds also performed on the client. (Configurable in the advanced settings on general)
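An added model (example code written here, not LastPass's implementation) of the two separate things the "Remember there are two different things" comment distinguishes, together with dragon2611's point about server-side rounds: a client-side PBKDF2 key encrypts the vault, a derived login hash is what the server sees and stretches a further 100,000 rounds, and the second factor gates only the download. The client-side iteration count, the HMAC-based stand-in cipher, the account names and the function names are assumptions; only the 100,000 server-side rounds come from the thread.

```python
import hashlib
import hmac
import os

# Assumed iteration counts for this model. The thread quotes 100,000 server-side
# rounds on top of a user-configurable client-side count; 5,000 is a placeholder.
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000


def vault_key(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: derive the vault key from the master password, salted with
    the account identifier so equal passwords on two accounts give different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def login_hash(key: bytes, master_password: str) -> bytes:
    """Client side: one more PBKDF2 round turns the key into the value sent to
    the server for authentication, so the server never learns the key itself."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def server_stretch(lh: bytes, salt: bytes) -> bytes:
    """Server side: stretch the received login hash again before storing it."""
    return hashlib.pbkdf2_hmac("sha256", lh, salt, SERVER_ROUNDS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a dependency-free stand-in for the real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag lets a wrong key be detected."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt_vault(key: bytes, blob: bytes):
    """Plaintext, or None if the key does not fit the blob. Nothing here talks
    to a server, which is why a second factor plays no part in this step."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """The service holds only a salt, the stretched login hash and the opaque
    encrypted vault per account."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, master_password: str, vault: bytes) -> None:
        key = vault_key(master_password, email)
        salt = os.urandom(32)
        self.accounts[email] = {
            "salt": salt,
            "hash": server_stretch(login_hash(key, master_password), salt),
            "vault": encrypt_vault(key, vault),
        }

    def fetch_vault(self, email: str, presented: bytes, second_factor_ok: bool):
        """The only place the second factor is checked: it gates the download
        (step 1 in the thread's numbering), not the decryption (step 2)."""
        acct = self.accounts.get(email)
        if acct is None or not second_factor_ok:
            return None
        if not hmac.compare_digest(acct["hash"], server_stretch(presented, acct["salt"])):
            return None
        return acct["vault"]


def work_per_guess() -> dict:
    """PBKDF2 iterations an attacker must spend per candidate master password,
    depending on what was taken. The server-side rounds raise the cost only when
    the target is the stored login hash; a copied encrypted vault is protected
    by the client-side rounds alone."""
    return {
        "stolen_login_hash": CLIENT_ROUNDS + 1 + SERVER_ROUNDS,
        "stolen_encrypted_vault": CLIENT_ROUNDS,
    }


def rotate_master_password(server: Server, email: str, old_pw: str, new_pw: str) -> bool:
    """What 'change your master password' does here: decrypt with the old key,
    re-encrypt under a fresh key and replace the stored login hash. A vault copy
    taken before the change still opens with the old password; the new one does not."""
    acct = server.accounts[email]
    plaintext = decrypt_vault(vault_key(old_pw, email), acct["vault"])
    if plaintext is None:
        return False
    server.register(email, new_pw, plaintext)
    return True
```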

  14. Zog_but_not_the_first
    Facepalm

    You see...

    Writing your passwords down on a piece of paper and hiding that under the cat's litter tray is the most secure way.

    1. Anonymous Coward
      Joke

      Re: You see...

      A litter tray is not allowed in many offices. And maybe a big, menacing dog is better than a cat, then.

    2. Anonymous Coward
      Anonymous Coward

      Re: You see...

      It is the most smelly as well!

    3. JeffUK

      Re: You see...

      Nah, get them tattooed on the bottom of your foot; that way you'll almost certainly notice if someone steals them.

  15. Trixr

    Awesome. First heard about it just now. No poxy email from them. Off to Keepass now.

  16. Anonymous Coward

    Security limbo

We've lowered the encryption as requested by the authorities; now we just need to get the users to re-encrypt with this backdoor active.

Password update email being sent now....

    1. Bob Vistakin
      Devil

      Re: Security limbo

      You may have a point there.

    2. S4qFBxkFFg

      Re: Security limbo

      That's a thoroughly depressing thought - would there be any way for Lastpass to prove otherwise?

    3. saabpilot

      Re: Security limbo

Now that's a very scary thought

  17. wolfetone Silver badge

    If someone wants your passwords bad enough, they will get them. No matter how smart the guys at LastPass are, no matter how much "security through obscurity" you use, your passwords are gold and they will be targeted.

    YubiKey's anyone?

    1. JamesPond

      YubiKey's Anyone

      Where do you plug that into an iPhone?

      I'm hoping my 26 character long masterkey is strong enough with alphanumeric and special characters, but I've changed to a longer key just in case.

      From my perspective, it comes down to the risk of using a salted cloud based flexible solution that works on windows, mac and ios vs having to manually copy encrypted password files around which I probably would not do, or would not keep all my devices up-to-date. Some have suggested encrypting a file and putting on drop-box, but I don't see that as being any more secure than LastPass.

      1. Anonymous Coward

        Re: YubiKey's Anyone

Not that I've either got a YubiKey or an iPhone come to that, but you can buy an NFC-enabled Yubikey... open the app on your phone, tap your YubiKey to your NFC-enabled phone and.... magic happens (allegedly)...

      2. Anonymous Coward

        Re: YubiKey's Anyone

        > Where do you plug that into an iPhone?

        Using the USB camera connection kit.

        https://www.yubico.com/faq/yubikey-ios-device-ipad-iphone/

        Not that it helps you much unless the web applications you use support Yubikey OTP (few do).

        You can store a long random password in a Yubikey, but then you'd be using the same long random password on every web service, which is obviously no good.

      3. Alan Brookland

        Re: YubiKey's Anyone

        Get yourself the NFC version. Works fine on my Android phone so I assume it would work on an iPhone too.

        1. Anonymous Coward

          Re: YubiKey's Anyone

          Unfortunately the NFC-enabled Yubikey is a non-starter until Apple open up the iPhone's NFC for third party use. Yubico take a guess at something from 12 to 16 months from launch last year. With Apple pay only just launching outside the US, I suspect it might be longer still to keep out any third party payment options that might compete.

          You could use one of the versions of Authenticator, which would work on the iphone, but you'd have to give up using Yubikey on the desktop.

      4. wolfetone Silver badge

        Re: YubiKey's Anyone

        "Where do you plug that into an iPhone?"

        There's a version that gives NFC capabilities, so you can tap it against your iPhone.

        If your iPhone doesn't support that, which is surprising as it's a £500+ phone, then I feel bad for you son. I got 99 problems but a phone with no NFC isn't one.

        Hit me.

    2. Alan Brown Silver badge

      "If someone wants your passwords bad enough, they will get them"

      ObXKCD: https://xkcd.com/538/

    3. Anonymous Coward

      Yubikey's everyone ?

So as a yubikey user, according to the lastpass statement,

two-factor authentication kills the problem dead. (how?)

I have a long-ish (18char) master password,

and use yubikey for 2nd factor...

what's the risk for me?

      as for the possibility of requiring re-encrypting for Govt. backdoors... that is a scary thought.

      1. Warm Braw

        Re: Yubikey's everyone ?

        Yubikeys come with a variety of different authentication mechanisms, depending on which variant you get, though a popular one is OTP. Secure? Up to a point, but remember SecurID?

        And, of course, even unhacked it doesn't obviate MITM, and nor will some of the cryptographically-stronger options.

        It's a jungle out there...

      2. Scott 29

        Re: Yubikey's everyone ?

> what's the risk for me?

        Subpoenas.

  18. Rich 11 Silver badge

    Enjoying the thought...

    ...that someone would use a password manager and then use the exact same password for some other web site somewhere. But I'd be willing to bet it's happened.

    1. qwertyuiop
      WTF?

      Re: Enjoying the thought...

      Which leaves us with the painful question of where you store the password to your password store!

  19. muttley
    Facepalm

    Cloudy password manager, what could go wrong?

    Shocker.

    Password Safe is good.

    Win, Mac, App Store and Android too.

  20. Yugguy

    OOH OOH!!! I know what the weak point is

    Password-storing CLOUD.

    Password-storing CLOUD??????

    How could that ever be a good idea?

    1. DropBear
      Devil

      Re: OOH OOH!!! I know what the weak point is

      "How could that ever be a good idea?"

      Fiscally. They call them "revenue streams".

    2. JamesPond

      Re: OOH OOH!!! I know what the weak point is

      So what is your suggestion for those of us living in a mobile world and not chained to one device? I need to access my accounts, including banking and e-mail from my iPhone, mac at home and windows PC at the office that has the USB ports disabled. I'm keen to hear of suggestions that are easy to use, reliable and secure.

      1. John G Imrie

        I need to access my accounts ...

        Why?

        This is a serious question. What's so important that you need near real time access to all this data? Can't it wait until you get home?

        1. Anonymous Coward

          Re: I need to access my accounts ...

          No, users can't wait till they get home, because when they're away from home, they're living their lives, and that means needing access to vital data. Whether it's my business clients travelling abroad, or my offsprogs' day-to-day London life, usernames and passwords, and other security/identity information, are needed all the time - when things are going fine and even more so when there's a problem.

          For the techno-savvy there may be "better" solutions than LastPass and its ilk, but for the rest of the planet, those solutions will not be better because they won't be usable and they won't be used.

          Said with some feeling having spent too much time recently helping my hapless users - and some of my more hapful users too - sort out username/password messes. Apple IDs being the most troublesome.

          1. JeffUK

            Re: I need to access my accounts ...

            One option, off the top of my head: take a piece of paper, write your passwords on it, stick it in your wallet.

            That way, you'll know what they all are (primary function), they will be almost completely secure (primary requirement) and you'll know who has access to them, and if/when they've been stolen.

            Don't have to be particularly techno-savvy to drive a biro.

      2. JohnFen

        Re: OOH OOH!!! I know what the weak point is

        How about using one of the many password keeper programs that can run on all your platforms? Most of them make it very easy to copy your password data between platforms.

        1. Charles 9

          Re: OOH OOH!!! I know what the weak point is

          "How about using one of the many password keeper programs that can run on all your platforms? Most of them make it very easy to copy your password data between platforms."

          Assuming you can actually COPY them, which may not be possible on a platform where local storage is restricted BUT you still need to be able to get the password to the site RIGHT F'N NOW.

          As for the paper in the wallet, people have been pickpocketed in the past without their knowledge. AND their memories are bad enough they can't decide if it was "RositaChiquitaSenorita" or "SenoritaPequitaRosita".

      3. Yugguy

        Re: OOH OOH!!! I know what the weak point is

        I have a password keeper on my phone. The encrypted database file is not held anywhere on the internet, or backed up to any network device. I always have my phone with me. If I were to lose it I would initiate a remote wipe.

        I have backups of the encrypted database file on usb and cd hidden in my house.

        This is as safe as I need to be.

I don't believe that this makes me "chained" to one device. Yes, I need to have my phone with me but I am able to read and then type the passwords onto other devices.

    3. JeffUK

      Re: OOH OOH!!! I know what the weak point is

You're basically storing all of your passwords on someone else's computer, using software you have no way of validating, running on servers whose configuration you have no way of validating.

      I always get looked at like the internet-age version of a luddite for saying 'maybe some things shouldn't be on the cloud' ... but I'm glad I stuck to my principles on this one.

      1. Anonymous Coward

        Re: OOH OOH!!! I know what the weak point is

        "... but I'm glad I stuck to my principles on this one."

        I half stuck to mine. I use Lastpass for a huge number of sites that don't involve money or anything else that could do appreciable damage, so mainly it's forums, site commenting, travel info etc. I just felt a bit queasy at the prospect of parking banking details etc in the cloud, and there's few enough of those to remember.

  21. Anonymous Coward

    Rats

    I was very pleased with my LastPass master password. Long, difficult to guess, and easy to remember.

  22. Jim 59

    Storing your passwords in the Internet

    No.

    1. Anonymous Coward

      Re: Storing your passwords in the Internet

It's a bit moot anyway since for a lot of sites if you breach the user's email account you can reset the passwords.

      Yes having a password vault is an eggs in one basket type solution but properly encrypted with a decent master password it's probably safer than re-using the same password everywhere and you could always use it for the less important sites, like forums and such.

  23. Craig 2

    ahahahahahahahahahahaha... ad infinitum

    I feel like smug scum for laughing at people's pain, but I just can't help it....

  24. JimmyPage
    Meh

    So, LastPass got hacked ...

(I will buy a virtual beer for anyone who can name the programme, and character, for this next quote!)

    "A patient died. And now you want to close the whole hospital !"

I use LastPass. Its cloudiness is an asset - it means I can use *any* machine to access secure sites.

    I accept I am trading convenience for security. I've evaluated the risks, and decided they are worth it.

    Current count is >300 unique passwords stored, none of which is less than 12 characters, and all of which are generated nonsense.

    1. Anonymous Coward

      Re: So, LastPass got hacked ...

      Absolutely. For my clients to whom I have recommended LastPass, it's a huge step up in security and convenience over what they were doing before.

    2. lorisarvendu

      Re: So, LastPass got hacked ...

I'm with you JimmyPage. God knows how many passwords I've got stored in LastPass, and like yours they're all gibberish. My master password is about 33 characters long, and I'm quite happy with that. Like everyone else I didn't get the email until yesterday, but fully accept that this was probably because LP were in the middle of a thorough investigation that took them 3 days to complete.

      I'd rather a company took this long to uncover all the facts, instead of just throwing panic-stricken "the sky is falling" emails out minutes after the event with minimal information whatsoever. Immediate information is not necessarily accurate information.

      Sadly a lot of the comments here seem to be gleefully beating LastPass about the head for a) being hacked and b) simply existing. That and laughing smugly at other commentards who dare to be so stupid as to use a cloud-based password storage company...unaware of the irony in being quite happy to use a cloud-based auction site, cloud-based email, essentially cloud-based Internet Banking...

      1. JohnFen

        Re: So, LastPass got hacked ...

        "unaware of the irony in being quite happy to use a cloud-based auction site, cloud-based email, essentially cloud-based Internet Banking..."

        Who are you talking about? I use none of those things, for the same reason that I wouldn't touch something like LastPass.

        1. lorisarvendu
          Happy

          Re: So, LastPass got hacked ...

          "Who are you talking about? I use none of those things, for the same reason that I wouldn't touch something like LastPass."

          Yeah, 'cos when I make a general statement about something on the Internet, I do of course mean it to apply to absolutely everybody who will ever read my comment, and that includes you. Even though I have no idea who you are, or that you existed up until this second. I'm afraid you are wrong. You do use eBay and you do use Internet Banking. Because I say so. And I am right. Because I am commenting on the Internet.

          Ooops, might have overdone the f***ing irony there. Jeez!

          Tell you what. Have a Big Grin just in case you think I'm being serious. :D

    3. Killing Time

      Re: So, LastPass got hacked ...

      "I will buy a virtual beer for anyone who can name the programme, and character for this next quote"

      House..... and House!

      1. JimmyPage
        FAIL

        Nice try, but you're not old enough.

        It was Cowley, in The Professionals episode The Rack

        1. Killing Time

          Meh...it should have been....

          I notice no attempt to represent a broad Scots mangled sentence, by way of context!

Regular Friday night viewing for me at one time, with its Ford Capris, Granadas and even the odd Triumph PI if I remember correctly... but not since.

  25. Anonymous Coward

    The problem with passwords

    Is believing that you need to use a different password for every bit of shite on the Internet that requires you use one.

    1. Charles 9

      Re: The problem with passwords

      But you DO. If they break into ONE shite site, they can use that to log onto your other shite sites. Which allows them to build a profile on you that lets them run a believable spear phishing attack on you to get to the higher tiers.

      Put it this way. Even the most useless bit of detritus you leave on the Net can be used to cobble together an identity theft.

      1. lorisarvendu
        FAIL

        Re: The problem with passwords

        Another problem with passwords is that a lot of people find it difficult to make them random enough. In the late 80s I was having a discussion about passwords with a programmer in the IT dept I worked in at the time. He smugly claimed that nobody would ever guess his password. I stepped back, looked him up and down and said "cyberman". "You bastard!" the dyed-in-the-wool Dr Who fan said.

        This is a true story.

  26. saabpilot

    Well well, the corruption does on and up

    Why am I only finding out about this from the PRESS?

    We all should have had notification under Disclosure rules, morally if not in law.

    Let's hear your justification for paying customers to continue their subscription.

    1. James Cane

      Re: Well well, the corruption does on and up

      I found out earlier today via email from LastPass. I guess mailing millions of people takes a while. Who'd have thought?

    2. saabpilot

      Re: Well well, the corruption does on and up

      Now how did that get into the title of my post? 'Cos I never typed that into it. It should have said something else: "WTF@lastpass"

      (It came from another response ages ago.) Guess it's a cookie, a buffer or something. Or have I been hacked :)

  27. Anonymous C0ward

    If the bad guys have the encrypted data

    What does changing my master password save?

    1. James Cane

      Re: If the bad guys have the encrypted data

      The bad guys don't have the encrypted data, that's the point. Or at least, LastPass says that they don't.

      1. Anonymous Coward
        Anonymous Coward

        Re: If the bad guys have the encrypted data

        If it has good encryption, trying to break it will be impractical, which leaves eavesdropping. But if your password changes, they can't use the new password with the old vault.

  28. Anonymous Coward
    Anonymous Coward

    Passpack...

    ... is good. That is all.

  29. Alan Sharkey

    My method

    I've got a text file, encrypted with a password into Winzip which I store on my Synology NAS drive accessible remotely.

    In that, I don't have my passwords, but I have mnemonics which only I can relate to. So, for example, I would say "my old village" and I know that it is the village I used to live in. Anyone who did manage to get hold of my file and decrypt it would also need to know a lot about me.

    Of course, once I get into my dotage and forget things, it will not work, but by that time, I won't actually care :)

    Alan

    1. James Cane

      Re: My method

      Or they could just use a modern dictionary attack, which would probably have the name of your village, combined with common number and symbol substitutions and suffixes.

      LastPass, on the other hand, will generate a 20 character totally random password for you, and allow you to use it as you don't have to remember it. And let's not forget, LastPass accounts haven't actually been compromised in this attack.

      1. Alan Sharkey

        Re: My method

        I defy any hacker to work out what "local watering hole" is. Go on - give it a go :)

        1. JeffUK

          Re: My method

          Red Lion

          The Globe

          Hunters Rest

          Greengate

          or

          Watergrove

          Am I Close?

  30. James Cane

    Fukushima

    This reminds me of Fukushima.

    Lots of fuss about nuclear disasters, release of radiation, how it was all a terrible idea. But nobody died and radiation leakage was small.

    Likewise, there's no suggestion that anyone's passwords have been compromised here. That's kind of the take-home lesson, I think: LastPass was attacked and held up.

    1. This post has been deleted by its author

    2. JohnFen

      Re: Fukushima

      You have a strange definition of "held up". Their defenses were breached. That the breach wasn't 100% catastrophic (this time, as far as we know) doesn't take away from that fact.

      1. Anonymous Coward
        Anonymous Coward

        "doesn't take away from that fact."

        ...And doesn't take away from the fact that hundreds of thousands of people were displaced by the Fuku event... Something rotten in the Pacific too, lots of sea creatures getting washed up all along the eastern seaboard, what's that about? Radiation not being detected, but is it some unintended consequences?

        1. James Cane

          Re: "doesn't take away from that fact."

          OK, so it was a flawed analogy. But I, for one, used LastPass *expecting* it to be breached at some point. The bit of it that interested me was its encryption, which has held.

  31. Anonymous Coward
    Anonymous Coward

    Oh well..

    I was planning to do this for a long time but now never got around to doing it.

    https://lastpass.com/delete_account.php

  32. Anonymous Coward
    Anonymous Coward

    It's a US company - how did they ever get business?

    Honestly, if you supply a US based company with a US hosted website with your personal passwords you need your head examined.

    What will happen next:

    - some mea culpas

    - some finger wagging from the FTC of the "thou shalt" nature

    - at best a minuscule fine

    - some LastPass announcement that is replete with jargon and technology statements

    - absolutely no admission of liability

    - give it two weeks, and the clients will be back. At least the bleating ones.

  33. JeffUK

    There's no guarantee all of your passwords haven't been exposed.

    Step 1: Hack the webserver

    Step 2: Change the code on the page that shows you your passwords, after they're decrypted to also save them somewhere on the server in plaintext

    Step 3: ????

    Step 4: Profit!

  34. JimmyPage
    Boffin

    Once again ...

    part of the problem with passwords - internet passwords specifically - is the total lack of anything remotely resembling an RFC on the best practices to implement password-based authentication.

    Is the password complexity sufficient?

    Is the password stored in plaintext? (Because some are, so you can be emailed it if you forget)

    If the password is encrypted, can it be decrypted?

    If so, by whom?

    Is a regular password change mandated?

    etc etc etc

    I wonder, if I was to setup a site requiring a login to be created, and harvested all the email address/password combinations people used, how far I could get trying those credentials elsewhere.

    However, before I did that, I'd also wonder if anyone else had done it before me?

    Quick question. What's the ISO reference for web-based authentication?
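
An added worked example (not code from any poster in this thread, nor from LastPass or OWASP) showing the difference behind the "stored in plaintext?" and "can it be decrypted?" questions above: a site that keeps the password itself so it can email it back, beside the corrected record, a per-user random salt plus a slow PBKDF2-HMAC-SHA256 hash that has no decryption key at all. The iteration count, function names and the `record` dict layout are assumptions for this example.

```python
import hashlib
import hmac
import os

# Assumption for this example: 600,000 PBKDF2 iterations as the server-side
# work factor. Tune it to what your login servers can afford per attempt.
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> dict:
    """The weak record: the site keeps the password itself so it can mail it
    back. Anyone who reads the table reads the password, and can replay it on
    every other site where the user reused it."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str, iterations: int = ITERATIONS) -> dict:
    """The corrected record: random per-user salt plus a slow salted hash.
    Nothing here can be 'decrypted'; a login is verified by recomputing the
    hash, and every guess costs the attacker the same work factor."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against a stored record. compare_digest keeps the
    comparison constant-time so a wrong guess does not leak how close it was."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode(), candidate.encode())
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_same_record(password: str, iterations: int = 1_000) -> bool:
    """Two users with the same password produce identical plaintext records
    (the table itself reveals password reuse) but different hashed records,
    because each user has their own salt. Returns True when that holds."""
    plain_a, plain_b = store_plaintext(password), store_plaintext(password)
    hashed_a = store_hashed(password, iterations=iterations)
    hashed_b = store_hashed(password, iterations=iterations)
    return plain_a == plain_b and hashed_a["hash"] != hashed_b["hash"]


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    record = store_hashed("correct horse battery staple")
    print("stored record:", record)
    print("right password accepted:", verify(record, "correct horse battery staple"))
    print("wrong password rejected:", not verify(record, "correct horse battery stapler"))
    print("salt defeats reuse detection:", same_password_same_record("hunter2"))
```

The point for a site operator: with the hashed record there is nobody who can decrypt it, which answers "if so, by whom?" with "no one", and a stolen table gives the attacker only the chance to run the slow hash over guesses rather than a list of reusable passwords.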

    1. JeffUK

      Re: Once again ...

      OWASP's Application Security Verification Standard is a good starting point. It has some weight to it (a lot of people have heard of OWASP) and it's quite pragmatic in its approach.

  35. Anonymous Coward
    Anonymous Coward

    Oh dear. Single point of failure.

    Why did anyone think it was a good idea to have all your passwords stored online?

    Almost as bad an idea as Microsoft Passport.

  36. lambda_beta
    Linux

    Why did anyone think it was a good idea to have all your passwords stored online?

    Why did you think storing anything online is a good idea??

    1. Charles 9

      Re: Why did anyone think it was a good idea to have all your passwords stored online?

      Because you MUST be able to retrieve it ANYWHERE, ANYTIME, AND you have a BAD MEMORY? Tell me how someone like that can get by.

  37. saabpilot

    email finally

    just got my email from Lastpass

    We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.

    We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.

    interesting use of other data by them.

    Lastpass, get your act together.

  38. saabpilot

    OMG aren't KeePass quick to get in on the postings

    Just how many posters mentioning (selling) KeePass in this thread work for them?

    I had it; it's not SSO, it's %$£P (imuho)

    1. Rimpel
      WTF?

      Re: OMG aren't KeePass quick to get in on the postings

      What?? Maybe KeePass has been mentioned a number of times because it is a good non-cloudy alternative. Oh and it's open source and FREE.

      Do you work for LastPass?

      1. saabpilot

        Re: OMG aren't KeePass quick to get in on the postings

        No I don't

  39. Anonymous Coward
    Anonymous Coward

    Security?

    Yeah they've heard of it.

  40. JohnFen

    And once again

    And we have yet another example of why you shouldn't store any important data in cloud services.

  41. Al Napp

    Coming up

    Those asterisks your yubikey enters are "passwordpasswordpassword"

  42. fred_larson_65

    Offline approach

    These incidents just reassure me to stay with the offline approach I chose a couple of years ago. For this I use Sticky Password and synchronize only via WiFi.

  43. C Montgomery Burns

    Is the Short Version...

    .. Don't worry at all if your password was complex enough? That's the takeaway I get. Is that wrong? Mine is 15 characters with all different types and not dictionary. I am aware of no breakthrough in GPUs or what-not that can realistically bust that before I am too dead to care.

    I operate under the assumption that a hacker will have access to the hash database at some point. For every "breach" that's announced, how many happen that the company is either unaware of, or never cops to?

  44. James Cane

    Physical security?

    If your passwords are stored in your head, you're either an idiot or you have an exceptional ability to remember 20 character random strings.

    If your passwords are stored electronically, assume the hashes are available to hackers. If you're relying on obscurity to protect your passwords, you're doing it wrong. LastPass remains an excellent system as long as your master password is long and complex.

    I sometimes wonder if an ideal password locker would actually be totally in the open, with all the encrypted password files available for open download and inspection by everyone. Maybe the password locker service could even hold an annual "crack the password" competition.

    That would cause people to treat their master password with the respect it deserves.
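
An added worked example (not code from James Cane, Alan Sharkey, C Montgomery Burns or LastPass) putting numbers on the three claims in this sub-thread: that a "village name plus substitutions" password is a small search space, that a 20-character (or 15-character) random one is not, and that a long master password matters because an attacker who holds the vault must pay the client-side key-stretching cost for every guess. The PBKDF2 iteration count, the 10 billion SHA-256/s attacker rate and the 100,000-word dictionary with 1,000 variants per word are constructed assumptions, not figures from the thread; the generic PBKDF2 derivation stands in for whatever a real vault uses.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII minus space: 94 symbols, the usual "all character types" set.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 20) -> str:
    """A uniformly random password from the CSPRNG-backed secrets module,
    the kind of string a locker generates because you never have to recall it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def mnemonic_bits(dictionary_words: int, variants_per_word: int) -> float:
    """Effective entropy of a password an attacker can enumerate from a word
    list (place names, pub names) times a fixed set of substitution and
    suffix rules. Secrecy of the rule set is not counted: modern crackers
    already carry those rules."""
    return math.log2(dictionary_words * variants_per_word)


def vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Client-side key stretching with PBKDF2-HMAC-SHA256 (assumed scheme).
    Same password and salt give the same key; a changed password gives a key
    that opens nothing encrypted under the old one."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations
    )


def expected_crack_years(bits: float, iterations: int, hashes_per_second: float) -> float:
    """Expected time to reach the right guess (half the keyspace on average)
    when each guess costs `iterations` SHA-256 evaluations."""
    guesses = 2.0 ** (bits - 1)
    return guesses * iterations / hashes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    ITER = 100_000          # assumed client-side PBKDF2 iterations
    ATTACKER = 1e10         # assumed attacker rate: 1e10 SHA-256/s on GPUs
    SALT = b"constructed-salt-for-demo"

    for label, bits in [
        ("village name + substitutions", mnemonic_bits(100_000, 1_000)),
        ("15 random chars, 94 symbols", random_password_bits(15)),
        ("20 random chars, 94 symbols", random_password_bits(20)),
    ]:
        years = expected_crack_years(bits, ITER, ATTACKER)
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years")

    pw = generate_password(20)
    k_old = vault_key(pw, SALT, ITER)
    k_new = vault_key(pw + "!", SALT, ITER)
    print("generated:", pw)
    print("changing the master password changes the key:", k_old != k_new)
```

Under these assumptions the mnemonic comes out well under a minute of GPU time even with key stretching, while the random 20-character string is out of reach by dozens of orders of magnitude; the stretching multiplies both by the same factor, so it helps only when there is already a large space to search.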

    1. Charles 9

      Re: Physical security?

      "I sometimes wonder if an ideal password locker would actually be totally in the open, with all the encrypted password files available for open download and inspection by everyone. Maybe the password locker service could even hold an annual "crack the password" competition."

      How would you hold such a competition without getting sued up the wazoo for breach of privacy?

    2. This post has been deleted by its author

      1. Charles 9

        Re: Physical security?

        And what's to stop a more-sophisticated password cracker looking up books and song lyrics and trying the first-letter approach, complete with leetspeak substitutions? Plus as noted, it gets complicated once you add up the sites. Soon you'll be thinking, "Was it 'correct horse battery staple' or 'staple horse battery correct'? Or was it 'Rosita Chiquita Senorita' or 'Senorita Chiquita Juanita'?" Why do you think "password reset" attacks are becoming more common? The average human brain simply cannot cope, and there's really nothing better on offer that can't be copied or stolen.

  45. Brian Allan 1

    Sounds like the ideal target for an enterprising hacker! Lots of goodies...
