Intruders get their hands on user data in LastPass incident

Intruders broke into a third-party cloud storage service LastPass shares with affiliate company GoTo and gained access to "certain elements" of customers' information, the pair have confirmed. LastPass did not define what it meant by "certain elements," saying it was unsure what data was looked at: "We are working diligently …

  1. Plest Silver badge

    OnePassword next?

    My fear is that OnePassword will be next on the hitlist. I used to love using it when it was local and knew it was under my control, then they decided to move the data into online storage and it's like a spot you can never heal, just there not causing serious problems but bothering you that it might one day turn into a nasty boil! Ha ha!

    My family loves it, the family ticket is cheap enough and my kids are useless with passwords so this stores them and auto-generates sensible complex, unique passwords for every site without any effort from them, so swings and roundabouts I guess.

    1. Cybersaber

      Closed source password management is too risky

      You can't trust a closed source password management solution. You can't trust someone else storing your passwords.

      LastPass is both. Their response is full of equivocation:

      'Devs can't push to prod' - This is a half truth designed as a full deception. They want you to hear 'they couldn't have modified prod' but that's not what they actually said. Just because a dev can't push to prod, doesn't mean that code can't enter prod. An attacker can slip stuff into Dev, and then *normal, authorized process* can push the hidden poison patch to prod.

      Once the code is in prod, one of the unspoken assumptions they hope you don't notice in their whitepaper is the *assumption* that they can't see your password. If a bad actor can modify the code that you can't see or know what changed in, then yes, *it* can see what you're typing and can *certainly* send your master password to an attacker.

      What we have here is *both* the theft of the password database, *and* the potential for the key for it to have been captured. They're hoping you don't connect the dots there.

      The reason I lead with 'can't trust a closed source password manager' isn't because we're all devs who would have the foggiest notion about what is contained in a given patch. It's that it is unlikely to be taken private and do what you say onepassword did because someone could just fork it and cut them off at the knees.

      In short, I love KeePass, but whatever solution you use, I'd recommend it be open source and local-only. Online password managers are tasty targets that attackers can't resist, and it's only a matter of time before they're compromised, as the story of LastPass shows. Clever whitepapers with cute plans don't survive contact with stupid humans.

      1. BobV

        Re: Closed source password management is too risky

        Keeping the password vault on local storage only relies on your storage and backup system being at least as reliable as that provided by the cloud service (Lastpass or whatever). That may be true for many of the people who read The Register, but it is definitely not true for the vast majority of computer users.

        I use Keepass with a hybrid storage system. The vault exists on my main computer (plus local backup) and also on pCloud. If either breaks I still have the vault.

        The key file only exists on my computers, my phone and my tablets. The master password only exists in my head and in an envelope to be opened if I die.

        So if someone breaks into my pCloud account and exploits a bug to see me type my password they still have to get hold of my key file.

        This setup won't be perfect, but it's a good compromise that works for me.
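        As an added example (not code from any commenter here), the following Python script models the two-factor setup described in this post: the vault key is derived from the master password combined with a key file, so someone who sees the password typed but never obtains the key file derives an unrelated key. It is loosely modelled on the KeePass composite-key idea but is not KeePass's actual file format; the key-check HMAC, the iteration count and all sample values are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # hypothetical KDF work factor chosen for the demo


def composite_key(master_password: str, key_file: Optional[bytes], salt: bytes,
                  iterations: int = ITERATIONS) -> bytes:
    """Combine both factors, then stretch the result with PBKDF2-HMAC-SHA256.
    Without the key file the KDF input is a different byte string, so the
    derived key has no relation to the real one."""
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def make_vault_header(key: bytes, salt: bytes) -> dict:
    """Store the salt in the clear plus a key-check value (HMAC over a fixed label),
    so a wrong password or a missing key file is detected before any decryption.
    The header reveals nothing usable without the key itself."""
    return {"salt": salt, "check": hmac.new(key, b"vault-key-check", "sha256").digest()}


def unlock(header: dict, master_password: str, key_file: Optional[bytes],
           iterations: int = ITERATIONS) -> bool:
    """Re-derive the key from whatever factors are presented and compare the
    key-check value in constant time."""
    candidate = composite_key(master_password, key_file, header["salt"], iterations)
    expected = hmac.new(candidate, b"vault-key-check", "sha256").digest()
    return hmac.compare_digest(expected, header["check"])


if __name__ == "__main__":
    key_file = os.urandom(64)  # constructed: lives only on the owner's own devices
    salt = os.urandom(16)
    password = "correct horse battery staple"  # constructed master password
    header = make_vault_header(composite_key(password, key_file, salt), salt)
    print(unlock(header, password, key_file))   # both factors present
    print(unlock(header, password, None))       # observed password, no key file
    print(unlock(header, "wrong password", key_file))
```

        The point of the key-check value is that a failed unlock is distinguishable from corrupt data without ever decrypting anything, and the salt next to it can be public: with the key file absent, the attacker in the post's scenario has only one of the two inputs the KDF needs.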

        1. Michael Wojcik Silver badge

          Re: Closed source password management is too risky

          Exactly.

          Comments that begin with "you can't trust..." are useless. Trust is a meaningless attribute if it's not qualified with the parameters of trust and the threat model.

          Statistically speaking, the vast majority of computer users face a far greater risk from not using a password manager than they do from using a closed-source one with online storage. And even for those using a password manager, the risks of online storage are significantly lower than of losing access due to local equipment failure or loss.

          My passwords are stored online and sync'd to multiple devices because I've evaluated my password-storage software and decided the risk of it not meeting that trust level is low. My master password, along with instructions for installing the password manager software I use, are printed on a sheet of paper my wife has tucked away somewhere. That's the most sensible password-recovery risk for me to take under my threat model. I trust my wife not to abuse that access; and if she did, I have bigger problems to worry about. I'm happy with the risk of someone unauthorized finding that sheet of paper, because I evaluate it as extremely low.

          On the other hand, I also know the risk of local equipment failure is relatively high, because I've had that happen to me many times over the years, so it makes sense to hedge against that by using online storage and automatic synchronization.

      2. mpi Silver badge

        Re: Closed source password management is too risky

        > In short, I love KeePass, but whatever solution you use, I'd recommend it be open source and local-only.

        And that is why I use pass :-)

        https://www.passwordstore.org/

        1. hayzoos

          Re: Closed source password management is too risky

          Thank you. I am bookmarking that link for further research. In my quick review, I saw the dev is Jason Donenfeld, also dev of the WireGuard VPN. He seems to get the gist of K.I.S.S. and welcomes review of his work and showcases others' work that complements and extends his.

          I have been using Bitwarden. It follows a hybrid local/cloud storage model which you can host yourself. I need cross-platform multi-device capability, and cloud/network sync is necessary. I am satisfied with its open-sourceness and the solidness of its crypto implementation. But the developers seem to be chasing the funds of enterprise customers and adding features for the sake of change. Not to a great extent at the moment, but it could accelerate. Therefore, I am developing an exit plan and pass looks like a very good candidate for inclusion.


    3. Lil Endian Silver badge

      Re: OnePassword next?

      Plest, flatten your OnePassword account if you're concerned. Burn it to the ground. Then nuke it from space.

      Follow Cybersaber's advice, it's sound. (Local install, FOSS.) If you don't have a home server, you could probably stick USB storage in your router and share the database out from there. Others will know better about good password managers that can do this, mine's home grown.

      It is only a matter of time. Of that I am certain.

      1. yetanotheraoc Silver badge

        Re: OnePassword next?

        Let's hear from Cybersaber whether his "local-only" recommendation is the same as your "Local install" recommendation.

        "you could probably stick USB storage in your router and share the database out from there" -- I wouldn't try this myself, I'm not sure I could do it securely.

        1. Lil Endian Silver badge

          Re: OnePassword next?

          I've no particular reason to push the USB/router idea forward, but at least it's LAN-side. Certainly wouldn't be my go-to; I was throwing it out there as a non-super-techie option.

          I'm pretty sure Cybersaber and I are of similar minds (poor Cybersaber!) - but I'm happy to be told otherwise.

        2. Cybersaber

          Re: OnePassword next?

          It sounds like the same thing. The only compute that operates on my KeePass database is my local computer. It's a fair question, but yeah, I was referring to the database, input of the master key, and the compute that processes the two are right here on the computer I'm posting from. Nothing is bullet-proof, but in my personal risk assessment, I reckon that if my machine were compromised such that an attacker could then get into my database, it wouldn't matter if I was using KeePass, LastPass, or AnyOtherPasswordManager - I'd be compromised. But I would know it, I would know the scope, and I would be in control of remedial actions. I can live with that.

          As for data resiliency? Yes, I move the database copies to cloud storage, because that's how encryption at rest works. I'm OK with that security story. LastPass isn't wrong when they say that having access to an encrypted file without the key is pretty low-risk. That's not the weakness in their overall plan.

      2. Graham Cobb Silver badge

        Re: OnePassword next?

        Personally I use Password Safe. Actually I use a database in Password Safe format with various different apps - there are many, for all platforms. Some apps are FOSS if that is what you want, some are tightly integrated with Android and iOS (for example with "keyboards" for transferring passwords into apps), others are little more than databases.

        I handle the sharing separately - outside the apps. I normally keep the master version of the database on my home PC. Devices sync by a variety of mechanisms, some of which only work at home, others are protected by OTP access so I can access them from anywhere if I have my phone.

        However, all that is quite complicated. I normally recommend friends and family to use one of the commercial password managers. Even if it can be broken into, it is going to be more safe overall than using a word document!

      3. fidodogbreath

        Re: OnePassword next?

        You still need an offsite backup of the data file. What if your house burns down with all of your devices inside?

        1. ThatOne Silver badge

          Re: OnePassword next?

          You can always put a copy of your encrypted password file on some online storage account(s). And if you're very paranoid, put it in an encrypted container (VeraCrypt) before doing so. You can even put copies (or photos) of other vital documents in that same encrypted container, so if your house burns down (and you escape...), you will be spared some of the recovery hassle.

          Now some will argue that it lacks the immediacy and automatic updating of commercial solutions, but in my own experience that kind of important stuff doesn't change very often and sometimes doesn't need updating for a whole year: I can manage wasting 5 minutes a month uploading updated versions of my vital backup file to a remote server. Note I don't care losing the password for some shopping sites I recently registered at because my house burnt down, it would be really the least of my worries at that point, besides they all have password recovery features. I only bother to update the remote database when I add/change some really important information (banking, etc.).

          Just my 2 cents worth.

    4. Roland6 Silver badge

      Re: OnePassword next?

      If we take the press release at face value, it would seem the user/customer data that exists outside of the zero trust user password safe will be a user's email address and subscription details which potentially includes payment/bank details.

    5. anothercynic Silver badge

      Re: OnePassword next?

      This is why I have never upgraded beyond 1Password 7. I don't like the cloud-based storage... If my own chosen storage is compromised, it's my fault. But having to rely on someone else to secure their storage? Nah.

    6. hoola Silver badge

      Re: OnePassword next?

      This is the problem as more and more services are moved into "the cloud". By their very nature it has to be accessible and at the end of the day, nothing is impregnable.

      It is just a matter of time and cost. The higher the potential value of the assets the more people will invest trying to gain illicit access.

      Password Managers are the perfect target.

  2. Lil Endian Silver badge

    Available + Convenient != Sane

    As was pointed out by some in the comments following the recent NardPass password article, using an online service like this just creates another attack vector. And a tasty one too, for the vagabonds out there.

    Why on Earth, if you're going to use a password manager, would you use a service like this? Convenience of sharing across devices? Can be done with a local store, but a little more techie to arrange the sharing - hence the 'convenience'.

    Yep, your local machine is (almost certainly) connected to the net, so is somewhat vulnerable. But that probably requires a targeted attack on you rather than a drive-by, or a huge neon sign hanging over the service provider saying "Go on then!".

    Heck, you are better off writing your passwords on parchment and locking it in a drawer of your computer desk. No, we don't advise this! But if the crims can access that, they have access to your physical rig, and we know that's Game Over.

    And defo screw browser based password storage. Do the devs really think they're helping here?

    I do appreciate the pro/am divide, but sheesh!

    1. yetanotheraoc Silver badge

      Re: Available + Convenient != Sane

      I like your title. The whole problem is, as you put it, the pro/am divide. In short, if you make access *reasonably* secure, the pros will look for ways to make it *more* secure, the ams won't use it *at all*. ExtraHop says "implement controls that balance usability and security". Balance, ha! It's like the pros and the ams are fighting over a thermostat, each one wanting to turn the dial all the way in a different direction.

      1. Cybersaber

        Re: Available + Convenient != Sane

        Professionals are just as likely to make bad password security decisions as amateurs. I know this deep in my bones from long experience in the field. In the early parts of my quarter-century-long IT security I *was* one of those people. It doesn't take a genius to figure out jumping out of a moving plane at altitude is a potentially life-altering decision, yet skydivers exist, including actual geniuses. Characterizing it in simple terms, referring to anyone who doesn't take security seriously as an amateur, is unhelpful. It is neither correctly characterizing the problem, nor helpful in pursuing solutions.

        I get why it's tempting to think that everyone who is paid to do IT security work is a paragon and champion of password security, and anyone who doesn't 'get it' can't possibly be knowledgeable about it (and thus an amateur,) but I can tell you it's just not so. It's a problem that's millennia old. The ol' Mark I human is just not good at prioritizing actions that are annoying or uncomfortable unless the risk is made 'real' to them. We need a decade of the equivalent of the 'this is your brain on drugs' ads. Security never has been, nor ever will be something desirable to do in a vacuum where the risks aren't viscerally 'real' to people.

        1. Lil Endian Silver badge

          Re: Available + Convenient != Sane

          I do not disagree. As yetanotheraoc says, balance.

          Admittedly when saying pro/am I was pointing out an outlook difference, rather than stating "anyone on a payroll in IT knows, or even cares, what they're doing". I expect we've all worked alongside total arse-biscuits. So my apologies for that. I guess it'd be more accurate to say "those-that-give-a-toss/those-that-don't" but it's a bit windy!

          I know some hugely knowledgeable amateurs.

          A cat has four legs. Your dog has four legs. Your dog is a cat. I try not to fall for fallacies.

          [Icon: beers are on me!]

        2. Michael Wojcik Silver badge

          Re: Available + Convenient != Sane

          Professionals are just as likely to make bad password security decisions as amateurs.

          Indeed they are. And that includes overestimating risk and devoting excessive resources to mitigate negligible ones.

      2. Lil Endian Silver badge

        Fighting Over a Thermostat

        Lawl! Mind if I borrow that?

    2. Cybersaber

      Re: Available + Convenient != Sane

      Actually, the 'don't store your password on a post-it' advice is another example of a good adage being repeated after the wisdom that underpins it no longer necessarily applies.

      Why is it a good idea not to write your passwords down on a post-it? Well, BEFORE, when we all worked in an office, it was because then they'd all be there in easily 'decrypted' form in an insecure and monitored place where your work mates could come by and unlock your computer to change your screen saver or do something slightly less harmless. Very much the 'all the passwords are here in one place you can grab all at once, so come at me, bro!' paradigm you correctly associated with LastPass.

      At home though? Your physical security and ACL on who can be in your home are effective compensating controls in many cases. Do I do that? No, I still use KeePass, but I would come down less hard on someone leaving post-its on their WFH 'office' desk than I would if I found it under a keyboard in pre-COVID days.

      I could probably be persuaded, after a sit down with the person involved about why they're being given the TRUST and PRIVILEGE of doing so, and the ways it hedge against it going wrong. I mean yeah, there's risks, but for REAL security, where that user might just instead use Password123Aug2022 to defeat complexity checkers... eh, it's a devil's bargain I could maybe live with.

      Dunno, maybe. Kills my soul, but maybe. Probably not, but... you know, there's this IT Benevolence fund we have, and donors get perks... ;)

      ...But humor aside the real take-away of this reply is: Always evaluate whether the basis of your good practices has changed, and if/how that affects the 'goodness' of the practice.

      1. Lil Endian Silver badge

        Re: Available + Convenient != Sane

        Agreed.

        Summary: choose (a) make informed decisions or (b) don't.

        Store your password/phrases:

        (a) WAN side

        (b) LAN side

        (c) Off line

      2. Missing Semicolon Silver badge

        Re: Available + Convenient != Sane

        Definitely. After much thought, my password storage at home is a Little Black Book.

    3. Graham Cobb Silver badge

      Re: Available + Convenient != Sane

      Actually, browser password storage isn't a particularly bad idea. Sure it has weaknesses (device can be stolen or hacked, ..) but they are targeted weaknesses. The crim has to be either physically close or deliberately targeting you. Unless you are a prominent person, that is your best protection. A random hacker targeting company databases is unlikely to get your passwords.

      1. Lil Endian Silver badge

        Re: Available + Convenient != Sane

        Again, horses for courses.

        Browser devs are fallible, users install third party, unaudited extensions, browsers leak. Each to their own, I prefer not to introduce an attack surface if possible, and don't recommend it generally.

      2. Cybersaber

        Re: Available + Convenient != Sane

        Other than him having his byte-order wrong (not a fan of fruit companies or big blue mainframes ;) I'm with Lil Endian on this. Your threat model may need a deeper look. You don't have to have physical access to your machine to get your browser passwords. Both of your assertions are wrong. The attacker does *not* need to be physically close *nor* do you have to be specifically targeted. There are automated/wormable/bot-based attacks that target browser password caches.

        They're very porous, and their defense story is usually pretty poor because they're not designed to be secure storages, just convenient aggregators. Doesn't take much searching to find historical and in-the-wild attacks that are not proximity based, and are indiscriminately targeted.

        Suggested search terms:

        browser password attacks

        browser saved password vulnerability

        Relevant CVEs discovered within 30 seconds of searching: (and if I found these within 30 seconds because I knew how easy it would be to find them, there are likely an order of magnitude or two more.)

        CVE-2011-0167

        CVE-2006-1729

        CVE-2007-3511

        1. Lil Endian Silver badge

          Re: Available + Convenient != Sane

          Cybersaber, you're either deep in the Matrix or at one with the dharma!

          You are correct that my byte order is wrong: I had all of my teeth removed a few days ago! I've been sucking on couscous since! (When will this endianness!!)

          [Icon: although I'm joking, I'm not bloody joking!]

          ;)

          PS - kudos for the refs

        2. Graham Cobb Silver badge

          Re: Available + Convenient != Sane

          I guess we'll agree to differ. To me, those CVEs are exactly the reason browser storage is the best option for many people: browser security bugs are taken very seriously and fixed very quickly. And I stick by my assertion that they expose a very, very small remote attack surface - certainly not one allowing access to millions of passwords from one data breach!

          Personally I don't use browser storage - but I take my security much more seriously than my family or colleagues do. I do normally recommend it to those I know won't be taking the sorts of pain I do to protect my security. For most people, the alternative to browser password storage is not more secure but much less secure - it mostly involves using variants on one or two passwords with some small changes - find one of their passwords and you can easily break into half of their accounts with only a few attempts.

      3. Anonymous Coward

        Re: Available + Convenient != Sane

        >Actually, browser password storage isn't a particularly bad idea.

        In some circumstances it is a really good idea.

        Just been able to run the Nirsoft tools to recover the passwords for a deceased uncle's online share dealing account for which the only indication it actually existed was an annotated printout hidden in a stack of papers - a nice addition to his widow's 24x7 care fund.

    4. Displacement Activity

      Re: Available + Convenient != Sane

      Heck, you are better off writing your passwords on parchment and locking it in a drawer of your computer desk. No, we don't advise this! But if the crims can access that, they have access to your physical rig, and we know that's Game Over.

      Who's 'we'? I advise it. Not in your computer desk, but at least somewhere where a burglar might not find them. If they're stored on a computer, anywhere, they're exposed, period. If you write them down, a burglar has to get inside, and find them, and work out how to use them. And, as you point out, if they get into your office/house, it's game over anyway, so it doesn't really matter if they found that piece of paper.

      1. Lil Endian Silver badge
        Pint

        Re: Available + Convenient != Sane

        I didn't say "it's the best practice". I said it's better. I suggest to all friends and family not to use online password stores, which is the origin of the sentiments.

        Whether I apply 'we' or 'I' generally depends on the scenario including the level of security/defence required and the person(s) receiving the advice. You can read that as 'industry accepted best practice" vs "meh!".

        It's not difficult to add an extra layer for the home user that isn't using x^n length passphrases: write a passphrase reminder, not the passphrase.

        So no, I don't advise writing passwords down. I'm unique if I'm alone here and there is no 'we', and will start charging more accordingly!

        We hope that both you and all have a good weekend.

    5. Michael Wojcik Silver badge

      Re: Available + Convenient != Sane

      Lord, save me from armchair security.

      What's your threat model? Online password stores are encrypted using a key derived from a master password. If the cryptography is implemented correctly – and there's nothing complicated here, just straightforward KDF and symmetric encryption – then it doesn't matter if the store is leaked. Here in the real world, symmetric encryption done correctly is not "broken". Just not gonna happen.[1]

      As for the "closed-source password manager contains a backdoor" threat: Under any reasonable threat model, for this use case, this looks overwhelmingly less likely than any number of other vectors, such as conventional keylogging malware.

      Pretty much everyone I know, including the most technically- and security-inclined, are far more likely to neglect to back up a local password database, or neglect to synchronize changes between devices and so end up at least temporarily without access to some resource. Or to make provisions for password recovery in the event of their incapacitation or death.

      This hyper-vigilant approach to password management misallocates resources in every version I've seen described. It's iron bars across the front door while leaving the back unlocked. Or, really, the reverse, because password managers simply are not a common target of attack (because the reward for attacking them is low).

      But, hey, I'm willing to be persuaded otherwise. Show me an actual threat model and reasonable estimations of risk.

      [1] The absolute worst case is probably AES-128 and a huge quantum computer (which no one has, and wouldn't be economical for this if it were), in which case you get down to a 2^64 work factor using Grover's algorithm. Go ahead, have at it.

      1. Lil Endian Silver badge

        Re: Available + Convenient != Sane

        No! Not... the comfy chair!

        A bit late getting back to you, sorry, I didn't see your post.

        Everything you say is, of course, perfectly correct. Except that your real world doesn't acknowledge real world fallibility, you're assuming a perfect world. You even say it yourself. If the cryptography is implemented correctly.

        I'm stating something simple: why allow the store to be leaked in the first place?

        The answer should almost certainly be limited to: it's not really that much of a problem if my passwords are leaked, because (eg) I'm not responsible for (have access to) a bank's ATM infrastructure. Of course, I'm highlighting balance in purpose to risk, as has been mentioned multiple times.

        "closed-source password manager contains a backdoor" - I'm unclear where a back door was mentioned.

        I genuinely agree with your post (declared by UV) and stand by you. I also stand by my assertions, pedantic though they are!

  3. Anonymous Coward

    Regular backups

    I take a backup of Lastpass data monthly to be squirreled away on a USB drive in a drawer.

    1. Cybersaber

      Re: Regular backups

      That's a data resiliency plan, not a data security plan. What you have there is a system for protecting and recovering a database full of passwords that could be (and one should assume are) currently being sold in the usual places for such things.

  4. DrXym

    Password Safe

    Use that instead - https://pwsafe.org/. It's free, open source, uses strong encryption and you can save your keys locally or in the cloud if you prefer through drive, dropbox etc. Obviously if you save the file to the cloud you want to use a strong passphrase on the file, and not share it with the cloud account.

    1. fidodogbreath

      Re: Password Safe

      Wow, that pwsafe.org website design is a real walk down memory lane. The only thing missing is a "Best viewed in Netscape Navigator at 800x600" badge...

      FWIW, the XHTML 1.0 validator link reports 49 "Trailing slash on void elements has no effect and interacts badly with unquoted attribute values" errors. CSS checks out, though.

      1. ThatOne Silver badge

        Re: Password Safe

        > that pwsafe.org website design is a real walk down memory lane

        I guess it is: Password Safe was initially created in the early 2000s by some random named Bruce Schneier at Counterpane Systems, then continued by volunteers.

        https://en.wikipedia.org/wiki/Password_Safe

  5. TheRealRoland

    Until they're not...

    >credentials are safely encrypted

  6. Tony W

    Keepass?

    I'm surprised no-one has mentioned this. Surely one should assume that the encrypted password file might be intercepted so that shouldn't be a worry. The problem seems to be other user information. In the case of Keepass and the associated mobile apps, the only information that might become available is that the app has been downloaded.

    With no restrictions on master password, so it can include spaces, it is easy to invent a long pass-phrase that's memorable to you and impossible to guess for anyone else. So it can continue to be used for ever (or until quantum computing makes all passwords obsolete) and need not be stored except in your head. Mine is 20 characters alphanumeric. I personally am prepared to save effort on devices without a physical keyboard by authenticating with my fingerprint, but you don't have to take that risk so don't tell me I shouldn't be doing it.

  7. MOH

    Eggs. Basket

  8. Phil Kingston

    Self-hosted BitWarden FTW

  9. Horst U Rodeinon

    I closed my Lastpass account years ago

    and I still received a notice of the breach. I recall vaguely all my data were said to be removed.

    I can't get too excited, though, because any passwords that haven't since been changed are for accounts long since closed.

    My complaint is about the lie that one's data is ever deleted even when you are told it has been.

    1. Anonymous Coward

      Re: I closed my Lastpass account years ago

      If you had a paid account, then Lastpass has an SEC requirement to keep data about you for a specified length of time (probably 7 years), regardless of your lack of a continued business relationship.

  10. Jflynn007

    Auditors beware

    I am so worn down with cloud everything and trusting vendors that are sold and swapped like it is a game.

    Every IT audit and cyber insurer requires one of these password services. Gone are the days of Excel-based password “vaults”. We laughed at them years ago, but in reality I long for the days of needing to hack my network to get the good stuff.

    LastPass is a marketing machine that has been caught twice with their pants down. Yet the best practice is to rely on them with important corporate credentials.

    Not sure how this is progress. I long for the days when we had password vaults on our network.

  11. Displacement Activity

    "The company is known to use a one-way salted hash for master passwords"

    Err... that's really helpful then. Not. If the hackers have stolen the hash, the salt is there, in plain text, in the hash. The hacker can now just do dictionary attacks to retrieve the master password. Salting is only useful before the encrypted password is stolen.

    1. OhForF' Silver badge

      Re: "The company is known to use a one-way salted hash for master passwords"

      A salt is helpful even if it is known to the attacker, as it makes it infeasible to use rainbow tables.

      It works as long as every hashed password is associated with a different salt (the attacker would have to create different rainbow tables for every salt value).

      The individual salt value does not have to be secret.

      1. Displacement Activity

        Re: "The company is known to use a one-way salted hash for master passwords"

        A salt is helpful even if it is known to the attacker as it makes it infeasible to use rainbow tables.

        Short reply - so what? Let's say I steal your encrypted password database, where each password has its own salt. I now have those salts. I extract the salt, compute the hash of the top 1000 dictionary passwords using that salt, and compare the result against the value in the stolen database. Now repeat for every value in the database.

        If the database has 10K passwords, and you're computing 1000 hashes for each, that's 10M computations, which is trivial on your desktop PC. If the passwords hadn't been salted, I would only have had to compute 1000 hashes, instead of 10M. Yes, that's much more trivial, but the difference makes it meaningless to crow about having "a one-way salted hash".

        IOW, a rainbow table is irrelevant. It's not needed, even if it was possible. And it's not actually mandatory to downvote just because your knowledge is limited to Wikipedia entries.

        1. OhForF' Silver badge

          Re: Rainbow tables irrelevant

          Your example shows why it is important not to use a password that is in the dictionary of the top 1000 passwords (and without even adding some minor modification such as adding an extra character somewhere).

          It doesn't show (at least not to my satisfaction) that rainbow tables are irrelevant or useless.

          If you have a copy of a database with a lot of password hashes and salts and you are only interested in my password the salt doesn't make a difference. If you want to break all passwords in the database a salt does make a difference. It won't make enough of a difference for those using passwords like '123456' or 'password' or 'secret'.

          If nobody uses salts, any organization with enough resources (e.g. NSA, GCHQ, but also Meta, Google, Apple, Samsung) could just build rainbow tables for all the commonly used hash functions (MD5, SHA-256, RIPEMD) and almost instantly crack any password when they get the hash value. The number of passwords the NSA might be interested in cracking is probably a bit higher than 1000.

          Still sounds irrelevant to you?
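The exchange above boils down to a cost accounting: one hashed dictionary (or one rainbow table) can be compared against every unsalted record, while a per-record salt forces the work to be repeated for every record, and an iterated key-derivation function multiplies it again. The toy below makes that arithmetic concrete; it is an added example, not any commenter's code and not LastPass's implementation. The user list, the passwords and the 16-byte random salt are constructed, and PBKDF2-HMAC-SHA256 with 100,000 iterations is an assumed, commonly used setting rather than LastPass's actual parameters.

```python
"""Added example: why a per-record salt (plus a slow KDF) changes the attacker's cost.

Toy demonstration with constructed data; not LastPass's or any vendor's code.
"""
import hashlib
import hmac
import os

# Constructed sample "user database" as (username, password) pairs.
# alice and bob deliberately share a weak password to show what a salt hides.
SAMPLE_USERS = [
    ("alice", "123456"),
    ("bob", "123456"),
    ("carol", "correct horse battery staple"),
]

# Assumed work factor; a real deployment tunes this to its own hardware budget.
DEFAULT_ITERATIONS = 100_000


def hash_unsalted(password: str) -> bytes:
    """Plain SHA-256: identical passwords give identical digests for every user."""
    return hashlib.sha256(password.encode()).digest()


def hash_salted(password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-record salt and a configurable iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_unsalted_db(users):
    """username -> digest; any two users with the same password collide."""
    return {name: hash_unsalted(pw) for name, pw in users}


def build_salted_db(users, iterations: int = DEFAULT_ITERATIONS):
    """username -> (salt, digest). The salt is stored in the clear, as the thread says;
    its job is uniqueness, not secrecy."""
    db = {}
    for name, pw in users:
        salt = os.urandom(16)
        db[name] = (salt, hash_salted(pw, salt, iterations))
    return db


def verify_salted(db, name: str, password: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = db[name]
    return hmac.compare_digest(hash_salted(password, salt, iterations), stored)


def distinct_hashes(db, salted: bool) -> int:
    """Number of distinct stored digests. Unsalted: equal passwords share one digest,
    so a single lookup result applies to all of them. Salted: every record is unique."""
    values = [v[1] if salted else v for v in db.values()]
    return len(set(values))


def guesses_needed(dictionary_size: int, n_users: int, salted: bool, iterations: int = 1) -> int:
    """Hash evaluations needed to test one dictionary against the whole database.

    Unsalted: each word is hashed once and the digest compared against every record,
    so the work is shared across records (this is also what a rainbow table precomputes).
    Salted: each (word, salt) pair must be hashed separately, so the work scales with
    the number of records; a slow KDF multiplies it again by its iteration count.
    """
    if not salted:
        return dictionary_size * iterations
    return dictionary_size * n_users * iterations


def salted_db_check(users, iterations: int = DEFAULT_ITERATIONS):
    """Build a salted DB and report (distinct digests, correct password accepted,
    wrong password rejected) so the behaviour can be checked without printing."""
    db = build_salted_db(users, iterations)
    name, pw = users[0]
    return (
        distinct_hashes(db, salted=True),
        verify_salted(db, name, pw, iterations),
        not verify_salted(db, name, pw + "x", iterations),
    )


if __name__ == "__main__":
    # The thread's own numbers: 1000-word dictionary, 10K records.
    print("unsalted, fast hash :", guesses_needed(1000, 10_000, salted=False))
    print("salted, fast hash   :", guesses_needed(1000, 10_000, salted=True))
    print("salted, slow KDF    :", guesses_needed(1000, 10_000, salted=True, iterations=DEFAULT_ITERATIONS))
    print("distinct unsalted digests:", distinct_hashes(build_unsalted_db(SAMPLE_USERS), salted=False))
    print("salted db check          :", salted_db_check(SAMPLE_USERS, iterations=1000))
```

Both commenters are right about the part they each describe: with a fast hash, the salt only turns 1000 evaluations into 10 million, which is cheap, and it does nothing for a password that is in the top-1000 list. The quantity a defender actually controls is the third line of output, where the iteration count multiplies the per-record cost, and the `distinct_hashes` comparison shows the other thing a salt buys even against a targeted attacker: a stolen database no longer reveals which accounts share a password.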

  12. Confucious2
    Trollface

    Can they tell me my master password?

    I lost my master password many years ago so can't get into my vault.

    If the hackers would let me know what it is I could get back in to my account.

  13. El blissett

    "Why does this keep happening?" asks no-one about company this keeps happening to

  14. john.w

    Password Recovery

    There is a lot of discussion and worry about securing passwords but little mention of some of the very lax methods employed by companies for password recovery. No point worrying about a secure password if it takes two minutes and simple info to change it.

  15. tiggity Silver badge

    Book

    For home use there's arguments for just writing them down in a book (2 books, kept synchronized, just in case).

    1. Accessibility - not accessible via the internet! You generally (break ins aside) have good access control over who gets into your house, so (burglars aside) should be safe from prying eyes.

    2. Not the main target of a crim. If someone does break in then the main targets are the high value items, and we have "sacrifice" cash, jewellery & a prepaid card (i.e. not linked to our accounts) positioned so they are easy to find; similarly tech kit is not hard to find. Discovering the password books would be a difficult and time consuming exercise.

    3. Forward planning. Self & partner getting on a bit, if the worst happens to one of us, the other can get access to logons they don't normally use. e.g. I have login for water supplier & phone / broadband, partner for electricity supplier (bill management split between us)

    N.B. Excludes any really critical (i.e. potentially large financial loss) passwords (e.g. partner does online banking on computer (not phone, obv!) - being a cautious dev who has seen lots of bugs over the years, I don't 100% trust it so avoid it! - but I have memorised the credentials just in case & know where the auth keygen gadget lives)

  16. nijam Silver badge

    > We are working diligently...

    They mean "We are struggling..."

  17. justforgroups

    PasswordSafe

    PasswordSafe https://pwsafe.org ticks all the boxes for me - open source and local.

    I wouldn't have passwords stored online (or in the Browser). I would just remember the important ones.

  18. Anonymous Coward
    Anonymous Coward

    I'm looking for an easy, secure alternative (contrary to most, I'm not knowledgeable in this stuff), but no one seemed to be concerned with good ol' physical home break-ins, where they certainly could steal your computer. So if you have your KeePass thing on it, it's compromised.

    Also if you put it on a USB key in a "normal" stash, if found by a burglar they'll certainly look at it as possibly really valuable and definitely will take it.

    Which ironically makes me wonder if it's not better to write all those down in a notebook, or on a piece of paper taped to and stuffed in the middle of a really boring book.

    Unless burglars quickly shake books to see if something falls... but if this happens, I mean, geez, there's no place to hide, no..?

  19. jukejoint

    Please oh wise ones

    Ok tell me how to back out of Last Pass...I thought I was being very pro-active in security with it. I'm somewhat dense apparently.

    I am not a tech person - I just love to read about it, it's all like a thrilling mystery to me, and I do learn things along the way.

    (Also, Firefox always asks me if I want FF to save my passwords and I always choose 'don't save.')

    I get keeping a notebook. What is local storage? Don't yell at me / I'm sorry / yes I'm out of my league and it's scary way out here!

    1. jukejoint

      Re: Please oh wise ones

      Well apparently Last Pass contains instructions for deleting an account so I see how I can back out.

      Of course I'm looking up what a CSV file is and, it seems, every other word which I don't know or can't recall.

      My final question, about local storage, I looked that up as well. Turns out a lot of my stuff is on local storage, my Mac HD. I don't use iCloud or any cloud if I can help it. But I did pay for Last Pass.

      I just wanted someone to tell me what to do, I suppose. If there was a password manager that WAS as secure as possible. I will reread all the comments again.

    2. jukejoint

      Re: Please oh wise ones

      tl;dr version....I'm checking the Last Pass website on how to delete. I found out local storage is my actual hard drive.

      I guess I just wanted someone to tell me what to do, what service would be the most secure. I'm still looking up CSV files and other unfamiliar terms. I guess I'll use the *gasp* handwritten method until further notice. I will reread all these comments.

    3. hayzoos

      Re: Please oh wise ones

      First, I must state it is good that you recognize the potential need to back out of Last Pass. You should prepare yourself to potentially have to change every password for every account you have stored in Last Pass. Every one of us should realize we may need to do the same no matter how you manage your passwords. You should start by prioritizing, identify the most important accounts. I have hundreds, maybe thousands of passwords to consider. I have a few dozen I would change immediately and begin storing in an alternative location such as in a paper notebook. Depending on the circumstances I may at that point go into a wait and see approach before I expend substantial effort for lower value accounts.

      The current Last Pass situation does have the hallmarks of a dumpster fire in the making. But while the chestnut "where there is smoke there is fire" is often proven true, the extent of the fire is what matters and that can vary enormously. The key is to be vigilant, but act appropriately according to the situation.

      "What is local storage?" Local storage for computer systems is where data can be semi-permanently stored without needing to traverse a network|cloud to the storage of another computer somewhere on the network|cloud. It works this way: if the network|cloud (i.e. The Internet) is down, local storage is still accessible, and so is the information stored there.

      A philosophical question of sorts; If the network|cloud is down, do you need access to passwords for accounts on the network|cloud?

      Local storage to one computer on a network|cloud is network|cloud storage to any other computer on the network|cloud. If you accept that, then you need to realize you must apply appropriate security|protection to any information on any networked computer. Passwords stored locally on a networked computer should be protected as if they are anywhere else on the network. PROPER encryption is a very good way of providing said protection. Sorry for shouting, but improper encryption is an oxymoron.

      For proper encryption, Password Safe was presented in previous comments as a good way to do this. I agree because of the original author being Bruce Schneier, a world renowned cryptographer who can also program. I have previously commented on the "pass" program mentioned earlier in the comments. The author of that tool, Jason Donenfeld, is a relative newcomer compared to Bruce Schneier, but is building a very good resume in cryptography. There very well may be others; I have not looked into the matter recently. Encryption is heavily math intensive; few programmers can get it right. The best that can want others to review their work for mistakes of any sort. Yes, even Bruce Schneier wanted feedback on his Password Safe tool. This is why other commentards have stated that open source password tools are to be preferred over closed source, or even worse, closed source with proprietary encryption algorithms.

      We regular commentards here do get wrapped up in our techiness and become myopic at times. The pragmatic among us often do remind us not to let the perfect be the enemy of the good. By this I mean that browser password managers are good but not perfect. They are accessible to the masses and can do far more good protecting passwords in general being easier to use than many other not quite perfect password managers.

      Just remember, if it is too easy, it is probably not too secure. If it is too secure, it is probably not too easy. Find the secure enough middle ground.

  20. hayzoos

    One more thing

    In my reading of the article and comments I also followed a few links.

    From the article, there is a link to "recovery" if you lose your master password. That link is https://support.lastpass.com/help/what-is-a-recovery-one-time-password-in-lastpass. Guess what? With my standard third-party script and other element blocking, that link does not render a viewable page. Score: Last Pass = 0 out of 10

    In the comments a link to https://pwsafe.org/ was presented. With the very same third-party blocking, it rendered a perfectly viewable page. Now, I can see quite a few references to third-party resources so I cannot guarantee I could fully interact with that site. It may work just fine though; I have seen worse third-party inclusions work just fine without them being rendered. Score: pwsafe = 7 out of 10 (highly subjective: 3 third parties, but one "valid" outsourced service)

    Also in the comments was a link to pass https://www.passwordstore.org/ and it also rendered just fine. It also had third-party references, but only two. I am fairly certain the site would be fully functional without the third-party resources. Score: 8 out of 10 (highly subjective as well: only two third parties but twitter and google - eewww)

    Websites of services like this should reflect their commitment to password protection.

    Can somebody show me a significant website without any third-party resources? Do they even exist these days?

    1. Cybersaber

      Re: One more thing

      KeePass (keepass.info) does have a link to Googlesyndication but it renders and works perfectly fine with Google blocked (at least for me with my NoScript Firefox extension.)
