back to article LastPass admits attackers have a copy of customers’ password vaults

Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contains customers' stored passwords. In a December 22nd update to its advice about the incident, LastPass brings customers up to date by explaining that the August 2022 attack saw “some source …

  1. ChoHag Silver badge

    Someone Else's Password

    I'm sure everyone using the clown to keep their passwords safe is following strict security protocols and has nothing to worry about.

    1. Joe W Silver badge

      Re: Someone Else's Password

      Hard to say. I find these services appealing, I like password managers, and I dislike having to sync them manually between devices. I have not yet gotten around to get my own server up and running (well... internally it sort of works), so now I can sync in the house. Also note that this is beyond most people.

      Using a password manager with a hard to guess master password is way superior to using weak passwords on all those websites that might have your payment information - or even the ability to order stuff tied to your name but then sent to strangers' homes. Good luck remembering a dozen or more strong passwords.

      It is - as you imply - always problematic if malicious actors (and in fact, anybody but you) can access your password manager vault, but I still believe the risk is outweighed by the benefit to a normal user - IFF they use a strong master password.

      1. billdehaan

        Re: Someone Else's Password

        Using a password manager with a hard to guess master password is way superior to using weak passwords

        On a Windows PC, I've found using the AutoHotKey abbreviations function very useful to store strong passwords and assign them to keyboard strings.

        So, a definition like

        ::bwpw::QchauTQ<[Mkzg[RPR8<k3d!58wQ8Kw-svajzygG>awsHjR[Kr<9XLJakyGZmKR!

        Allows you to type "bwpw" (BitWarden password), and have it expand to the 64 password you need to get into the actual password manager.

        Unfortunately, I haven't figured out how to manage long passwords like that on mobile devices.

        1. elsergiovolador Silver badge

          Re: Someone Else's Password

          Can you show us some more examples of your passwords?

          Don't worry, it will show up to us as stars. For instance the bwpw you entered actually looks to us like that:

          ::bwpw::***************************************************************

          1. Jonathan Richards 1
            Joke

            Re: Someone Else's Password

            It's cleverer than that - who is going to guess that someone's password is *actually* sixty-three asterisks?

            1. zuckzuckgo

              Re: Someone Else's Password

              I'm sure there is a password cracking AI experiment some where scanning the internet for all the password memory tricks used by mere mortals. Add sixty-three asterisks and the others discussed here to that training data.

            2. LateAgain

              Re: Someone Else's Password

              With a space at the end

              1. Glen 1

                Re: Someone Else's Password

                and a Greek question mark (";")

              2. Anonymous Coward
                Anonymous Coward

                Re: Someone Else's Password

                "With a space at the end"

                Don't worry about that. Copy/paste from any M$ product such as word, which I've seen at least 3 colleagues use to store passwords, will add a UWS for you.

          2. billdehaan

            Re: Someone Else's Password

            Well, I did say that it was a definition like that. And no, that's not my actual password.

            Even if I had entered my actual Autohotkey definition, it wouldn't work. Things like the plus sign can't be entered directly, they have to be defined as {+}. So even cutting and pasting the string literal from my editor into the password won't work.

            1. Sp1z
              Joke

              Re: Someone Else's Password

              Hmm - that sounds like just the kind of back-tracking statement that someone who had just revealed one of their passwords to the Internet would say...

          3. Andy Landy

            Re: Someone Else's Password

            hunter2 ...

        2. mecmec

          Re: Someone Else's Password

          Yet another example of AutoHotKey - a tool that is specifically targeted by a lot of malware - being used in an extremely inadvisable way.

        3. Woodnag

          Re: Someone Else's Password

          I've used Shortkeys Lite for the last 20 years. Freeware back then. https://www.shortkeys.com/

        4. Filippo Silver badge

          Re: Someone Else's Password

          I am not familiar with AutoHotKey. However, if it gives you the ability to type bwpw and have it expanded into a large string, that string has to be stored somewhere. So, I would ask: is that "somewhere" a very safe place? Which processes have access to it? Is it encrypted? How, and where are the keys?

      2. Anonymous Coward
        Anonymous Coward

        Re: Someone Else's Password

        Rainbow tables make cracking passwords trivial unless you employ a decent salt on your hash. That's one thing they have not commented on (and their marketing folks would have if it were in place). Employing a unique salt to each vault would make it close to infinity for brute forcing. Also, defeating one vaults encryption would not impact any others.

        We're not too worried as even if they had full password access to our account, we are still protected by a layered approach and it is not possible for them to get into our network to use them.

        However, bad actors now have a copy of our encrypted password store and we presume breaking it is a possibility. As a result, we've spent three days replacing every password on our systems and updating the LastPass account. So our vault info, even if accessed, is now useless.

        Parkinson's Third Law of Computing: Encryption only delays access to information.

        1. tangentialPenguin

          Re: Someone Else's Password

          Unless the salt is stored in the same place as the passwords. Speed > security in most places. This is one of the things I don't like about the discourse on password hygiene, it almost exclusively focuses on the user instead of the practices of the service that has to store them securely.

          1. Mike 137 Silver badge

            Re: Someone Else's Password

            "it almost exclusively focuses on the user instead of the practices of the service that has to store them securely"

            Well said. Some time back I reviewed the password security of a multinational business and found that the entire edifice rested on "password rules" that didn't actually ensure unguessable passwords even if followed to the letter. All the other potential contributors to password protection (including hardening of the authentication servers and retry limiting) had been entirely ignored. However staff could be sacked if someone misused their account.

            My report identified over a dozen independent attack vectors against passwords, of which only three depended on user actions or omissions. The rest were entirely the responsibility of management and IT techs.

          2. gnasher729 Silver badge

            Re: Someone Else's Password

            No, a salt, even a badly protected salt, means that your effort hacking my password doesn’t help you at all to figure out someone else’s password. Without a salt, an attacker could find which of a million customers use the same password and then make the obvious guess that these would be weak passwords. So they can focus on weak passwords.

            With a salt there is no way to guess who is using a weak password and who is not.

            1. Anonymous Coward
              Anonymous Coward

              Re: Someone Else's Password

              and no-one ever uses the same salt in dev and prod...

          3. mpi Silver badge

            Re: Someone Else's Password

            What does it matter if the salt is stored in the same place as the password?

            The point of the salt is to

            a) make using precomputed hashes ("Rainbow Tables") much harder

            b) prevent the attacker from cracking multiple passwords by cracking one hash

            1. gnasher729 Silver badge

              Re: Someone Else's Password

              And c) Make it hard to guess which passwords are easy to crack. If my hashed password and your hashed password are the same, it’s likely the same password, and a week password.

        2. Mike007 Bronze badge

          Re: Someone Else's Password

          Salts are used in hashes to prevent the same password hashing to the same value for 2 users. LastPass does not hash the passwords.

          LastPass encrypts the passwords with a unique key, so they can be decrypted again (which hashes prevent). The unique keys are what prevent rainbow tables working.

        3. Woodnag

          So our vault info, even if accessed, is now useless.

          Hopefully so. But the plaintext info has an awful lot of info for social engineering attacks to reset your new passwords.

        4. Pier Reviewer

          Re: Someone Else's Password

          They won’t comment on salts because the vaults are aren’t hashed - they’re encrypted. There is no salt. There will be an initialisation/nonce depending on the encryption mode in use.

          Rainbow tables are no good here - there’s no hash. Attackers will (assuming there are no weaknesses with how the encryption is used - not necessarily true!):

          - guess a stupid password (eg Password1)

          - throw it into a password based key derivation function (PBKDF)

          - use the resulting key to decrypt a username field from *every* vault

          - check if they got a sane plaintext (valid padding etc)

          - repeat

          The PBKDF will slow them down. The trouble is, it’s a numbers game for them. They can test one pass vs thousands of vaults and only need to do the slow PBKDF once per pass. They *will* pop some master passwords, because some ppl will have used weak master passwords :(

          1. Sp1z

            Re: Someone Else's Password

            However, what they can also do with the email addresses from the database is use them to look up any records on older pwn lists and try those passwords. I'm sure some people will have used this new fangled password manager but somehow ended up with their normal password as the master.

            1. Anonymous Coward
              Anonymous Coward

              Re: Someone Else's Password

              Or, worse yet, that all of their passwords match a specific pattern. Then it just a matter of finding their employment date, and applying that pattern*.

              * - with an offset based on the number of password expirations that they've been through.

      3. The Basis of everything is...

        Re: Someone Else's Password

        Keepass is as good a password manager as any - and I've worked in secure sites where it was the mandated solution so I figure if it's good enough for them it's good enough for me.

        Syncthing also works well for secure synchronisation of the password DB between devices (Linux, Window and Android all proven, not tried any others) but of course like any replication based solution you must make sure you don't try to update the password DB on two devices at the same time. It#s also handy for automagically backing up photos or other files on your mobile back to a system you control too.

        I'd also recommend having one keypass file for passwords you'd want on a mobile device, and a second for any that you definitely don't want to have on your mobile if it gets lost, stolen or otherwise attacked. And of course you'd be making periodic backups of your keepass files won't you?

        1. hoola Silver badge

          Re: Someone Else's Password

          Yes to both of those.

          I make sure everyone in the family has their own Keepass instance and have setup Syncthing to a an HP Microsrver in my garage.

          This is far more preferable than OneDrive or such like as the data is not left on someone else's cloud service.

          I then use another product to backup the server to a cloud account where I control the encryption in flight and at rest. That gives me versioning in the event that something is lost, corrupted or one of the endpoint gets duffed over with ransomware.

          But as you say, this is way beyond what most people can configure.

      4. Anonymous Coward
        Anonymous Coward

        Re: Someone Else's Password

        It shouldn't be beyond most people. Cybersecurity should be taught as part of the national curriculum. It's a shame IT in schools hasn't come much further from when I was at school.

        When I was at school IT was a "half" GCSE combined with RE. Which pissed me off to no end. I actively refused to attend RE classes unless they let me sit and study the full IT GCSE because I needed the full GCSE to make getting into A Level computer science that bit easier. They didn't, and I failed (half) GCSE RE, #ohwell.

        What I ended up having to do was get at least B grade in physics and maths as well as the half IT GCSE...which I did because I am a massive fucking nerd...but still, it'd have been nicer to study all of those without also having the immense pressure of getting high grades and the intense stress that comes along with having no idea where you might score for 3 fucking years...add to that the fact I have pretty serious seasonal allergies and I was off my tits on anti-histamines for 4 months a year (the 4 months that exams typically fall in) and you have an extremely high pressure, high stress environment...it resulted in me hating school with a passion.

        Anyway, point is, IT needs to stop being a footnote and be brought to the fore. It should be a core subject at this point and it should start as early in a kids school career as possible, specifically to benefit those that may not have access to computer equipment at home.

        My kids do and they're advanced for their age...but I'm seeing my kids friends come over and try to use my oldest sons PC (these are kids that are 7 to 8 years old) and they can't operate a mouse or use a web browser. I don't know their home situation, but one has to assume it's a cost based decision...therefore, if kids get exposed to IT earlier in school, it helps to slim the divide somewhat.

        None of these fucking Chromebooks either. Put them on proper Linux.

        1. Anonymous Coward
          Anonymous Coward

          Re: Someone Else's Password

          I feel your pain! I'm old enough to have done O' levels, and my school resolutely refused to let us take O Level Computer Studies despite having a room full of micros and at least one teacher who knew enough to teach it.

          Not to be deterred, we kicked up merry hell and said we'd sit as external candidates until they finally backed down with very bad grace.

          The subject was very different from the little I've seen of ITC or whatever they call the modern malarkey. There was actual programming, both theory and practical, binary arithmetic, truth tables - a reasonable grounding in the basics, in fact, and a fair introduction to A Level. It worries me that this doesn't seem to be taught at a basic level any more - we seem to have produced a generation that can't put their phones down long enough to cross a road safely, but has no idea how any of these gadgets actually work.

          1. Yet Another Anonymous coward Silver badge

            Re: Someone Else's Password

            I did computer O level soon after it was introduced (yes my chiseled abs hide how old I am)

            It wasn't quite "colour in the picture of the minicomputer" but it was bloody close. I remember those of us who programmed in asm for fun finished in 30min and looked around confused.

            1. John Brown (no body) Silver badge

              Re: Someone Else's Password

              I also did O level Computer Studies within a year or two of it first appearing as an official O level and the exam was a lot more than "colour in the the picture of the minicomputer". Maybe it was different exam boards, but what we did was proper Computer Studies with actual logic gate type questions and other real computer related stuff so long ago I don't remember now, a programming element completed as part of the course work in advance of the actual exam. Likewise the A level I did afterwards, the first year out school/exam board offered it. And that was hard too.

          2. Bebu Silver badge

            Re: Someone Else's Password

            can't put their phones down long enough to cross a road safely - this is a problem?

            has no idea how any of these gadgets actually work - to be fair I am not sure anyone really does anymore. Reading a text on 4G/LTE I realized just how complex these systems are and modern CPUs are complicated enough to catch out even the clever as the list of spectre type vulnerabilities attests. Best we can hope for is that the user understands its not magic as against technology. From my youth I know how carburettors and (Kettering) ignition systems work although I haven't a clue about modern fuel injection and ignition systems I trust that similar functions are achieved in slightly different (better) ways.

            1. John Brown (no body) Silver badge

              Re: Someone Else's Password

              Agreed, you don't need to fully understand how a tool works to use it. But having a least a basic understanding of the principles the tool is based on goes a long way to understanding how to use the tool properly and look after it. Like knowing the basics of clutch plates helps understand how not to burn out the clutch. Or how an LCD panel is made of layers and so realising just how delicate they can be, resulting in fewer broken laptop screens :-)

              1. John H Woods Silver badge

                Re: Someone Else's Password

                And why polarised sunglasses are now shit for driving as nearly all the displays inside the car, and a good many outside are now unreadable!

                Annoying because reactive sunglasses are also useless in any modern car because most filter the UV that darkens the lenses. Thank goodness for decent neutral tints ...

                1. Filippo Silver badge

                  Re: Someone Else's Password

                  I've had reactive sunglasses made recently, and they offered me a choice of whether they would work in a car, or not. I asked for them not to go dark in a car; my wife later had them made too, and asked for them to go dark in a car. I can attest that each pair works as advertised. I don't know what they do exactly, but it's apparently a solved problem.

        2. This post has been deleted by its author

        3. Bebu Silver badge

          Re: Someone Else's Password

          Was your 50% R.E. of any use? I remember Bertie Wooster did find his scriptural knowldge prize of some use.

          1. Yet Another Anonymous coward Silver badge

            Re: Someone Else's Password

            50:50 CS:RE does teach you that C++ templates surpasseth all human understanding

            I assume it was 2 separate 1/2 credit courses but I like to think it was a single combined lesson.

            We will now read from the holy book. K&R chap10 vs 2: "and lo the pointer returneth from malloc was not null and he saw that it was good "

          2. Anonymous Coward
            Anonymous Coward

            Re: Someone Else's Password

            No I failed it.

            That said, even if I passed it and tried to use the cross cultural knowledge I gained to start my own "disruptive" religion, it'd be branded as a cult and would never get any recognition. Therefore it's a worthless qualification.

            I do wonder how many people put RE on their CV and whether it's ever made a difference in a job interview?

            Interviewer: So, you've mentioned that got an A* in RE but failed everything else.

            Interviewee: That's right, I think I'd be a valuable part of the team.

            Interviewer: But this is a car parts factory.

            Interviewee: I'd bring you a significant competitive edge.

            Interviewer: How so?

            Interviewee: Well, I'd be able to train on topics such as "What is a Gurdwara?", "Why is Satan a bastard?" and so on.

        4. Glen 1
          Headmaster

          Re: Someone Else's Password

          "kids that are 7 to 8 years old"

          So... an age where you *definitely* wouldn't let them go on the internet unsupervised, and who has the time to *properly* supervise? -- Or *properly* set up parental controls?

          Well, us, but we are not the norm.

          Instead people use walled-garden devices that are easier to lock down. oh look - Chromebooks and IPads. A mouse? is that like a separate trackpad? /s

          For many of us, we nostalgically romanticise about our first taste of computing. BBC Basic, tape decks, doom/quake mods -- our whole careers and perhaps path of our lives were formed by playing with these systems as kids. When we hand our kids tablets to keep them entertained, it means Baby's-First-Operating-System is Android or IOS. Their first user interface is a touch screen. The first place they are likely to see technical information are in the settings pages of those devices. (What *is* your phone's IP address?)

          As the current batch of kids grow up, they will have the same feelings of nostalgia about the current set of games and devices. We might be better off teaching them the underpinnings of what they are *actually* using, rather than sitting them in front of the 'Mom/Dad's Laptop' (that they rarely get to use) and trying to do it formally.

          Want them to learn something else? 'Proper' Linux? Then give them *those* devices to play with. After all, that was literally the point of the Raspberry Pi.

          How many of us come across grown adults who cant navigate a directory structure? People who are using a computer every day, but couldn't tell you where the Downloads folder actually is, or where to start looking for that document they just saved. You don't need a desktop operating system for that. That is something that can be taught to kids with phones/tablets - maybe a MicroSD card or two to introduce the concept of different drives.

          Slightly off topic: I realise you were talking about *other people's* kids, but plug a mouse into that chrome book and set them loose on some (browser based?) games that take advantage... watch how fast their mouse skills improve. Quake 3 on the pi zero? Living room Lan party?

  2. Anonymous Coward
    Anonymous Coward

    One Password ...

    ... to in the Darkness Bind them.

    1. Halfmad

      Re: One Password ...

      Hopefully people have MFA on their essential accounts and any email accounts used for recovering access to them.

  3. sarusa Silver badge
    Devil

    Private Equity Twats

    Seriously, it's been breach after breach since they got bought out by LogMeIn. Private Equity Twats are all about squeezing blood out of the turnip, never about improving the turnip. I know LastPass is super convenient, but if you actually care about any of your passwords and logins use something else.

    Since they got the vaults of every LastPass customer, it's entirely worth their while to try bruteforce on all of them. Hope you used a super annoying master password!

    1. wolfetone Silver badge

      Re: Private Equity Twats

      "never about improving the turnip"

      A turnip can't be bettered though.

      Unless you make it a potato. Then it really would be peak vegetable.

      1. spireite Silver badge

        Re: Private Equity Twats

        My password would be casserole in that case

        1. a pressbutton

          Re: Private Equity Twats

          there is someone now trying "casserole in that case" on that vault archive

        2. breakfast Silver badge

          Re: Private Equity Twats

          Rejected: Password is not stroganoff.

          1. Anonymous Coward
            Anonymous Coward

            Re: Private Equity Twats

            I wish I could give you 10 upvotes for that! But one will have to do.

        3. hoola Silver badge

          Re: Private Equity Twats

          Blackadder to Baldrick counting

          What is this?

          One bean

          Adds another...

          Two beans

          And a third

          A small casserole.

          And the giant turnip....

      2. Anonymous Coward
        Anonymous Coward

        Re: Private Equity Twats

        is potato!

      3. Anonymous Coward
        Anonymous Coward

        Re: Private Equity Twats

        A turnip can be bettered. I can still remember the wife and I on our wedding day laughing. The caterers brought out a turnip that was exactly the same shape...as a thingy!

    2. Mike 137 Silver badge

      Re: Private Equity Twats

      "since they got bought out by LogMeIn"

      No surprise there. The fundamental principle of a password is that it keeps others out", not that it lets you in. Any password service that makes this mistake is not worth a tinker's cuss.

  4. billdehaan

    The cloud is just someone else's computer

    Unless 1Password is doing things line enforcing users to have different passwords (ie. warning them when they try to save a password for website X that it's already used in website Y), and I doubt such a thing is even possible without accessing the passwords themselves, people are going to continue to use, and re-use, weak passwords.

    I've seen some websites which report things like "the password you entered is one of the 10,000 most commonly used passwords; please select another", but then all most people do is tack their pet's name or something in front of it (which is still better than nothing, but hardly ideal).

    Personally, I've been using Keepass for literally decades. It may not be the most convenient thing to use, but it succeeds at the most important thing a password manager should be good at: it's secure.

    For low-risk passwords (like, er, el Reg here), I use Bitwarden. It's a zero-knowledge system, I'm using a 48 byte master password, and frankly, if someone wants to take the effort to crack Bitwarden and my master password, they deserve to get my Register, Slashdot, and Ars Technica passwords, for all the good it will do them.

    For things like banking, taxes, and online shopping accounts, they're all in a Keepass hive on a VeraCrypt volume that includes a portable browser instance with no plugins or extensions.

    The funny/sad thing is, the effort I take with my low value accounts (hi, el Reg) on Bitwarden is actually more than many of my friends' SOs and family members use for their high value accounts. I had to resuscitate a PC with a nearly dead SATA drive a while back, and it came with a sticky note that had "USERNAME=xxx PASSWORD=yyy" for the windows login account. I cloned the drive, and when testing the replacement in the PC, I brought up the browser. There were a dozen tabs with various accounts, and sure enough, I was either already logged in to the owner's account, or the "yyy" password would get me in.

    I've never been a big fan of the cloud, because of things like this 1Pass breach. But seeing how most people treat security on their own, it's a question of which is worse.

    1. A Non e-mouse Silver badge

      Re: The cloud is just someone else's computer

      Unless 1Password is doing things line enforcing users to have different passwords

      1Password doesn't force unique passwords, but it does flag any passwords that are reused in your vaults.

      A slightly worried 1Password user.

      1. Roland6 Silver badge

        Re: The cloud is just someone else's computer

        >1Password doesn't force unique passwords

        Be glad it doesn't.

        For example, my Amazon US and UK accounts have now been merged into a single account. However, if I log in on the US site,I get my US profile andsimilarly on the UK site I get my UK profile. Hence my password manager has two sites that seemingly reuse credentials.

        I have a few other entries the password manager also flags as being credential reuse, but which aren't.

        1. MiguelC Silver badge

          Re: The cloud is just someone else's computer

          Like the umpteen different cloudy apps I use on a day-to-day basis that my employer decided should each have a unique URL but the same login information

          1. Yet Another Anonymous coward Silver badge

            Re: The cloud is just someone else's computer

            Be glad your company doesn't use ADP with one site and half a dozen different userid/passwds to track payslisps, holiday, tax etc

            1. Richard 12 Silver badge

              Re: The cloud is just someone else's computer

              They probably do that, too.

              Very few of the outsourced HR sites are tied to your corporate login, for the excellent reason that they're legally obliged to give you access to your electronic payslips and the like for several years after you've left the company.

              Of course, that doesn't stop incompetent HR drones from blocking you anyway, thus creating work for themselves later on.

              1. John Brown (no body) Silver badge

                Re: The cloud is just someone else's computer

                "Very few of the outsourced HR sites are tied to your corporate login, for the excellent reason that they're legally obliged to give you access to your electronic payslips and the like for several years after you've left the company."

                Are they? We changed providers for payroll a while back and were all sent repeated emails reminding us to download all our payslips and P60's etc before the switch as we'd no longer have access afterwards. I doubt anyone who had left the company in the meantime were told of that.

      2. abetancort

        Re: The cloud is just someone else's computer

        How log before 1Password is breached too? I trust a lot more Apple iCloud and their E2EE encryption not with a password but a de unique long key that sits on your devices.

        1. anothercynic Silver badge

          Re: The cloud is just someone else's computer

          Only if you use 1Password with their online vault could you be at risk. If you use the old off-line vaults (how it used to be with 1Password 5, 6, 7), you're as safe as your cloud provider password (and your master, obviously).

    2. Anonymous Coward
      Anonymous Coward

      Re: The cloud is just someone else's computer

      1Password does a lot for password notifcations, these are the once you get on your main dashboard:

      - Lists sites that have been compromised where you have stored accounts

      - where you've reused the same password mulitple times

      - where you used "weak passwords"

      - where you've save a password for HTTP sites over HTTPS

      - where you've chosen basic password over where it knows a 2FA option exists

      I use the 2FA feature of 1Password a lot as it's superb and really easy to setup for most sites.

      I'm was not overly happy about being forced to use cloud and after LastPass got hit it shook me up but unless 1Password wants to see their revenues go up in smoke in days then I'm sure they've done everything to tighen up.

      Ultimately the repsonsibility lies with the users, if you use "abc123" as the master key then you're moron and deserve to be screwed. There's no excuse these days to use stupid passwords, the info is blasted from places everyone uses like the BBC news, the tools are there both free and paid, the UK Gov even does basic infosec lessons to schoolkids of 8 years old.

      If you have a tech device that needs security to protect your info then treat it like your car, show it some proper respect as it's f**king dangerous in the wrong or incompetant hands.

      1. omegapoint6

        Re: The cloud is just someone else's computer

        1Password uses an additional randomly generated encryption key, not known to them, along side the master password, so hopefully should be more resistant to attacks even if someone got access to the data from their servers & you had a easily guessable master password.

        https://support.1password.com/1password-security/ has some details and links to a whitepaper on their encryption mechanism. I'm not a security expert, but it sounds like it should be a more secure design.

      2. abetancort

        Re: The cloud is just someone else's computer

        1Password can be compromised and the only thing standing between the hackers and you passwords would be you master password.

        I prefer systems where the a very long private key residing only in your devices is standing between the compromised passwords and the hacker. Like Apple Passwords in iCloud.

        But if Apple and Google have their way we won’t be using passwords and 2FA much longer. Passkeys are the future.

    3. the reluctant commentard

      Re: The cloud is just someone else's computer

      Although it is good to question how 1Password approaches this whole concept of password vault security, the article was actually about LastPass which is a completely different company.

      1. billdehaan

        Re: The cloud is just someone else's computer

        You're right, I was reading an article about 1Password prior to this and conflated the two. Mea Culpa.

      2. stiine Silver badge

        Re: The cloud is just someone else's computer

        Don't worry, next week will be here before you know it.

  5. Zenubi

    Sigh . .

    KeePass

    Open source

    Free

    PW file can be stored in the "cloud" / central location.

    https://keepass.info/

    I honestly do not understand why people use / trust these online PW stores. That said I don't understand why people do lots of things.

    1. Steve Graham

      Re: Sigh . .

      I don't trust... well, anyone, really. That's why I keep my own KeePass password manager with the database on one of my own systems. I have backups, of course, but with my personal use cases, I don't need to sync across multiple devices.

      1. JoeCool Silver badge

        Re: Sigh . .

        Don't trust people, but trust tech truisms :

        If you don't want security leaks, don't collect security info.

        This is why I use Firefox.

    2. Tom Chiverton 1

      Re: Sigh . .

      See also PasswordSafe - dump it in your NextCloud (or even free-tier Dropbox !) and it syncs too all your devices.

      Done.

    3. hoola Silver badge

      Re: Sigh . .

      Because it is simple and has a browser plugin.

      The same reason that there probably more passwords stored in browser profiles than anywhere else, particularly as the profile will follow the user on different devices.

    4. Piro Silver badge

      Re: Sigh . .

      I agree. Using a central service full of of passwords has always seemed like a terrible idea to me.

  6. Anonymous Coward
    Anonymous Coward

    So I pay for Lastpass ?

    How much do they pay me for the time it takes to change 1,000 password ?

    1. Anonymous Coward
      Anonymous Coward

      Re: So I pay for Lastpass ?

      For what it's worth - they do have an "automatic" password change feature available for many websites (i.e. it opens a new tab of the site in question, then drives a click-select-click type action list to change your password).

  7. Anonymous Coward
    Anonymous Coward

    The all eggs in one basket problem...

    These systems became highly valuable targets. Even if they could decrypt just a part of the data, they will still have valuable info from one strike. It's funny that a system that was designed to be decentralized to sustain a nuclear attack went back to a mainframe mentality where all data should reside in a central location.

    1. John Brown (no body) Silver badge

      Re: The all eggs in one basket problem...

      in this instance, the sensitive data, ie the usernames/passwords, are only centralised if you choose that option. Otherwise that data is scattered across all the websites you use them on :-)

      Except they are also centralised in your head/notebook/whatever :-)

  8. Reginald O.

    Nothing is Safe in the Cloud. Ever.

    There is nothing safe, secure or private in the cloud. I don't get why that's so hard to understand. Meanwhile, external high capacity plug in hard drives are dirt cheap. Seems like a no brainer to me for individuals even businesses to store and backup data to external encrypted drives then literally disconnect them when not in use.

    1. Roland6 Silver badge
      Unhappy

      Re: Nothing is Safe in the Cloud. Ever.

      >Seems like a no brainer to me for individuals even businesses to store and backup data to external encrypted drives

      Only problem, whilst the data held on encrypted drives may be secure, removable USB drives do get lost and that is when you discover the only copy of some important file is on the lost drive...

      1. heyrick Silver badge

        Re: Nothing is Safe in the Cloud. Ever.

        That's nothing to do with keeping info offline, that's an inadequate backup strategy.

      2. Yet Another Anonymous coward Silver badge

        Re: Nothing is Safe in the Cloud. Ever.

        You still have the encrypted passwd database on the key.

        If you lose the key you only have to worry that it somehow finds its way into the hands of a master cybercrimal

        An online passwd db company with millions of people's passwd is a bit more of a target.

    2. LateAgain

      Re: Nothing is Safe in the Cloud. Ever.

      and why not?

      After all we used to rotate tapes and take the latest off site,

      (I blame management that think's it can get a backup every 15 minutes, Cheep, )

  9. Hiya

    2FA?

    Why no comment from LP on using 2FA at LP log-in to increase security of account?

    1. Throatwarbler Mangrove Silver badge
      Unhappy

      Re: 2FA?

      It doesn't matter when the miscreants made off with the password file itself. They don't need to log in to your LastPass account, so 2FA is irrelevant.

      1. zuckzuckgo

        Re: 2FA?

        2fa is still relevant to all the passwords stored in the password file itself. Customers should be warned to look out for suspicious 2fa requests as a warning that their password file may have been compromised.

        Compromise should not be possible unless the users master password is weak or has been reused. However, this assumes there are no unrecognized weaknesses in LastPass data handling.

        1. Yet Another Anonymous coward Silver badge

          Re: 2FA?

          Even without the passwd having your unencrypted username/site list is worrying.

          1. John Brown (no body) Silver badge

            Re: 2FA?

            Exactly. Because who knows how well secured those sites are!

        2. Anonymous Coward
          Anonymous Coward

          Re: 2FA?

          It just occorred to me that I store my 2fa reset code in my password manager....

  10. Roland6 Silver badge

    Some things don't change...

    >Yet we know that users are often dumfoundingly lax at choosing good passwords, while two thirds re-use passwords even though they should know better.

    I suspect, given the use of AES, if you can identify the vault, it would be worth doing a dictionary attack using the credentials obtained from previous web breeches.

    The question we need to be asking is whether the source code facilitates the unwrapping of user vaults from the file format they are held in, decryption and the reading of useful data from the proprietary binary.

    1. This post has been deleted by its author

  11. Neil Barnes Silver badge

    while two thirds re-use passwords even though they should know better.

    Two thirds reuse passwords because they (I) don't see a need for the security that a password theoretically affords. Kudos to those websites - Ebay and Paypal spring to mind - who run two-factor authorisation, because they *do* need the security. But to comment on a story, as one might here? To even *look* at a price list for something you're considering purchasing? Not convinced...

  12. parlei

    Well, good thing we have a long weekend to change all our stored passwords!

    At least all of mine are unique: servicename_Shortpw1

    (If you believe this is my pattern I have an awesome deal you should not pass up!)

  13. yoganmahew

    Drip drip drip

    I'm a bit pissed off with the drips of increasing badness coming from Lastpass. What next? Login emails also compromised, but don't worry, they can't be associated with vaults? Well, they can be associated with vaults, but not with the list of passwords, what, didn't we tell you all the master passwords got released too? Yeah, I know we weren't supposed to have them stored, but some random error captured them to diagnostic logs. Those were captured too.

    1. yoganmahew

      Re: Drip drip drip

      Oh, and how long have they know this for? And they release it while everyone is on holiday?

      This is pretty much "don't trust me" breach disclosure playbook. I expect the next release will be New Year's Eve...

    2. Anonymous Coward
      Anonymous Coward

      Re: Drip drip drip

      The user emails were already compromised. The only thing I'm not sure of is if the user login (@lastpass.com) passwords were captured as well. I suspect it due to their specificity about vault passwords. Its like they think we don't know that you can assign variable1's value to variable2.

  14. Anonymous Coward
    Anonymous Coward

    So outside of keep pass, what other password managers are suggested?

    Saw bitwarden mentioned

    1. yoganmahew

      The problem is not so much with the password manager, but with the rest of the crap around the cloud storage. Bitwarden has their manager code opensourced, but in Lastpass's case, shoddy code left hard-coded credentials to cloud storage bucket (it's really egregious, since all the major cloud providers have secret managers that you can build to only access at runtime, assuming you can be arsed to code it that way). A breach of the development environment (poorly secured in many companies it seems) left free access everywhere :(

  15. Chris Evans

    A unique memorable password?

    I keep meaning to investigate password lockers, this news doesn't fill me with confidence. I currently use a system that means I have unique passwords for all sites and I can remember them.

    W@rd1234*56an#ther

    Where the @ is the third letter of the website domain and # is the first letter

    The words and actual number are ones I've memorised.

    So a unique password for every website that can easily be remembered. The system I actually use has some of elements of the above and more.

    If a human was trying to crack it they probably could, especially if they had my password for two websites

    1. heyrick Silver badge

      Re: A unique memorable password?

      Could do something simple like add the value of the letter (A=1), rolling at ten. So if your number is 1234 and the letter is D, the result is 1+4, 2+4... or 5678. An extra tweak could be to write it backwards if the number is odd.

      Not too difficult to process mentally, but will require multiple examples to figure out what's going on, not just two.

    2. tangentialPenguin

      Re: A unique memorable password?

      I create little stories or poems, e.g. TimAppleKnowsElRegSmilesAsItKills

      1. pip25
        Meh

        Re: A unique memorable password?

        That must be a real joy to type in on a phone.

        1. tangentialPenguin

          Re: A unique memorable password?

          SwiftKey.

  16. Anonymous Coward
    Anonymous Coward

    Saving The Bad Guys Lots Of Time, n'est ce pas?

    @Simon_Sharwood

    The stolen data includes data in a "...proprietary binary format that contains both unencrypted data, such as website URLs...."

    So.....just to be clear....the bad guys get to target users who's websites include banks, Amazon, pension funds......and can ignore users saving passwords for, say, Grindr!!!!!

    Just saved the bad guys a lot of time, don't you think?

    1. Anonymous Coward
      Anonymous Coward

      Re: Saving The Bad Guys Lots Of Time, n'est ce pas?

      Unless they match an email address and grindr login with someone like a Catholic bishop, or republican senator.

  17. paul-m-w72

    You could all go buy one of these instead................

    https://www.amazon.co.uk/Clever-Fox-Password-Book-Log/dp/B08QMHJQHV/ref=sr_1_1_sspa?keywords=password%2Bbook&qid=1671798810&sprefix=passw%2Caps%2C118&sr=8-1-spons&sp_csd=d2lkZ2V0TmFtZT1zcF9hdGY&th=1

    1. heyrick Silver badge

      That's what I use. Memory for the sites I visit a log, a password book for everything else.

      Yes, it's a weak vulnerable link, but I figure if somebody swipes the password book (that is kept hidden), they've probably taken enough other stuff that passwords won't be my primary concern.

      Exception: banking PINs/passwords - committed to memory and never written down.

  18. sitta_europea Silver badge

    Store the keys to the kingdom in one place, online, managed by somebody else who happens to be (at least at the moment) employed by or running a profit-motivated organization.

    What could possibly go wrong?

  19. avilacha

    Stong password storage

    Texas Instruments PS6560 128kb memory from the nineties keeps them safe under a master password. Little machine has only serial connection, can't be hacked. Might be stolen, but as I keep it allays close to me I will know and act hopefully in due time. Trust it much more than any pw manager.

  20. Anonymous Coward
    Anonymous Coward

    One job

    If you're going to take responsibility for people's passwords then to need to accept accountability.

  21. breakfast Silver badge
    Holmes

    Feels like a repeat

    To have your "secure" password service breached once may be regarded as misfortune; allowing it to be breached twice starts to look like carelessness.

  22. Kev99 Silver badge

    "unless users practiced bad password hygiene" - You're kidding, right? The only secure password is the one that eliminates PEBKAC.

  23. JM987

    had nothing better to do

    Master password reset...

    Now time to reset the other 200 passwords that I have....

  24. razorfishsl

    I think we are about to see this whole thing go sideways... very badly...

  25. anothercynic Silver badge

    Ouch.

    That's all that needs saying... Ouch. I hope those people who had their vaults lifted also used two-factor authentication...

  26. MachDiamond Silver badge

    Physical virtual security

    If somebody is trying to hack passwords online, it leaves logs and there are measures to keep a hacker from just banging away until they discover the master password. If they can download a big dump along with user information, they can do the bulk of their work offline with as much iron as they can throw at it. People with long nonsensical passwords will fair the best, but many people are going to find that 69696969! isn't all that secure.

    1. MachDiamond Silver badge

      Re: Physical virtual security

      I saw a news report last night where a group of women stole a safe from a grocery store. A couple of them distracted the clerk while two others loaded the safe into a trolly, covered it with blankets and shawls and trundled out with it. They weren't going to bother to open the safe on-site, but get it someplace else where they could apply whatever tools they liked without attracting much attention. The manager claims the safe had about $9,000 in it. Not that great of a haul for all of the risk and being split between at least 5 people.

  27. Nematode

    Air gap

    Nothing like it.

    I would never store something vital to my security under someone else's control.

    Naebuddy's gonnae git ma passwurds withoot breaking in an' nickin ma computer first. Then break my password safe master password. And at least if the computer's not there, I know to ring the bank etc. And I refuse to have bank apps etc on my phone in case of losing it.

    Paranoid? Moi? Oui.

  28. Version 1.0 Silver badge
    Coffee/keyboard

    The pandemic has kept my Password vault secure

    Originally the cleaners would go over everything in the office and clean up, even flipping my keyboard over to reveal the password vault when they wiped the desk - setting me up to update everything, but now everything is secure and dirty - I'm very happy, this has been a big COVID benefit!

  29. Gob Smacked
    FAIL

    Not your vault,

    not your passwords...

  30. Sparkus

    this combined with the US Centric

    2FA bypass that's plagued xfinity/comcast should prompt a lot of people to start changing their master and other passwords.......

  31. Dee dubya

    Blame the victim eh?

    "Yet we know that users are often dumfoundingly lax at choosing good passwords, while two thirds re-use passwords even though they should know better."

    So professionals know it. Then design systems that are susceptible to this weakness. It's Ford Pinto levels of crappy design and dysfunctional corporate management.

    LastPass deserves to fail. If anything is "dumbfoundly lax" it is running LastPass and getting hacked.

    Cmon bite the hand rather than nuzzle.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like