Let me guess...
Let me guess... the hacker broke into the developer's account, navigated to their internal repo and LastPass filled in the password for him?
Internal source code and documents have been stolen from LastPass by a cyber-thief. The password manager maker said on Thursday that someone broke into one of its developer's accounts, and used that to gain access to proprietary data. The biz, a big beast in the security world and based in Massachusetts, insisted that its …
They don't, from the LastPass FAQ:
"We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password."
C.
The objection was about the **master** password, not the encrypted ones. Without the master passwords, of course, they should still be safe if the encryption is right, even if they were stolen.
But why didn't they reply "we don't have your master passwords" instead of "We're told that these master passwords are still safe, and haven't been compromised or accessed by the intruder"? If LastPass doesn't have the passwords, how could they be compromised or accessed?
A simple mistake under the rush, or a Freudian slip? Think about it...
Is the master password sent to LastPass? In a good system that password would never be sent to LastPass; the encrypted data would be sent to you and decrypted locally, with the master password never leaving the local system. If it is sent remotely, who knows if a "rogue developer" or a "configuration error" doesn't make it end up in some "log"? As if it never happened before...
@LDS "A simple mistake under the rush, or a Freudian slip? Think about it..."
From their statement linked in the article.
"FAQs
1. Has my Master password or the Master Password of my users been compromised?
No. This incident did not compromise your Master Password. We never store or have knowledge of your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password. You can read about the technical implementation of Zero Knowledge here."
So not a "Freudian slip" just covering an expected question.
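The two posts above (the one asking whether the master password is ever sent to LastPass, and the FAQ quote about a zero-knowledge architecture) describe the same property: the client derives everything from the master password locally and the server only ever receives a login hash and opaque ciphertext. The sketch below is an added example, not LastPass's code; it assumes PBKDF2-HMAC-SHA256 for stretching, a toy HMAC-based stream cipher with an HMAC tag (stdlib only; a real product would use AES-GCM or similar), a login hash made by one extra PBKDF2 round over the vault key, and a constructed sample vault. The point it shows is what a thief who copies the whole server database actually holds, and why a wrong master password fails loudly instead of decrypting to garbage.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed, not LastPass's real setting


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only: stretch the master password into the vault key.
    The e-mail is the salt; the master password itself never leaves here."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one extra PBKDF2 round over the key gives the value sent
    to log in. The server can verify it but cannot recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stdlib has no AES)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(vault_key: bytes):
    """Separate encryption and MAC keys derived from the vault key."""
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; nonce || ciphertext || tag is all that leaves the client."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong master password derives a wrong key and fails here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """What the provider stores and sees: a hashed login hash and opaque ciphertext."""

    def __init__(self):
        self.db = {}

    def register(self, email: str, lh: bytes, blob: bytes) -> None:
        self.db[email] = {"login_hash": hashlib.sha256(lh).digest(), "blob": blob}

    def fetch(self, email: str, lh: bytes) -> bytes:
        rec = self.db[email]
        if not hmac.compare_digest(rec["login_hash"], hashlib.sha256(lh).digest()):
            raise PermissionError("bad login hash")
        return rec["blob"]


def run_demo(master: str = "correct horse battery staple", email: str = "alice@example.com") -> dict:
    """Returns the three checks a defender cares about after a server-side breach."""
    vault = b'{"site.example": "s3cret-pass"}'  # constructed sample vault
    server = VaultServer()
    key = derive_vault_key(master, email)
    lh = login_hash(key, master)
    server.register(email, lh, encrypt_vault(key, vault))

    # Thief with a full copy of the server database: none of the secrets appear in it.
    stolen = server.db[email]["login_hash"] + server.db[email]["blob"]
    leaks_secret = master.encode() in stolen or key in stolen or vault in stolen

    # Legitimate client: fetch the blob and decrypt locally.
    roundtrip_ok = decrypt_vault(key, server.fetch(email, lh)) == vault

    # Wrong master password: MAC check fails, nothing silently decrypts.
    try:
        decrypt_vault(derive_vault_key("wrong", email), server.db[email]["blob"])
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True

    return {"server_leaks_secret": leaks_secret,
            "roundtrip_ok": roundtrip_ok,
            "wrong_password_rejected": wrong_rejected}


if __name__ == "__main__":
    print(run_demo())
```

Running it prints a dict with `server_leaks_secret` false and the other two true. The design choice that matters for the thread's question is that the server stores a hash of the login hash, not the login hash itself, so even a log line that captures the login request still cannot be replayed against the stored record once it is rotated; and because the vault key is derived with the e-mail as salt and the login hash takes a further PBKDF2 round, neither value stored server-side can be worked backwards into the master password without an offline guessing attack, which is exactly what the iteration count is there to slow down.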
I am wondering: if they lied to us about not having a plaintext copy of our master password, and about not having plaintext copies of our secondary passwords, could we know that they had lied?
I don't have reason to believe they are lying, I'm just being the Devil's advocate.
No experience with LastPass here, but isn't it a "web thingy"? Call me geriatric or tin foil hat, but I always had some problems with the concept of keeping your critical passwords in a (software) vault, and then storing "the vault" on somebody else's hard drive/computer...
That doesn't seem to have stopped various companies doing that sort of thing in the past.
Please provide one instance of a company who has successfully been sued for or governmentally-penalized for one billion dollars or more for having improperly secured customer data. Typically, the legal appeals process results in reduced awards to the plaintiffs.
That is why it is a good idea not to have the login to your recovery/password change email account stored in your password vault or browser.
Unfortunately, this does cause problems...
For example, the EE app likes to randomly demand your account password instead of pin/biometric. Obviously you only use that on the laptop's browser and not on the phone, and with the special character rules you aren't going to remember it. So the only way to urgently transfer data, say, is to reset the password, which gets sent to a different email account to the one on the phone...
Because the alternative is that *you* manage your passwords. And en masse, that is the worst possible outcome.
There's something about a lot of (but thankfully not all) IT specialists that makes them require a far higher bar for IT security than they do for anything in the real world. I suspect it's so some of them can act the Bertie Big Bollocks at parties (maybe I'm sour because I don't get invited to those sort of parties?).
As long as your security is a single step ahead of the bad guys - who are either targeting a very small subset of high net worth accounts, or alternatively just trawling the masses - you'll be OK.
The real value of a password manager is to allow me to have 1,000+ unique gibberish passwords of eye-watering entropy. Have I been pawned? Do I care?