LastPass Security Notice

544 points by jwcrux, almost 10 years ago

47 comments

jjarmoc, almost 10 years ago
While LastPass seems to be responding well, I find their entire service exceeds my tolerance for risk.

If you don't use a password manager, you've got 99 problems, but a centralized store of your credentials for everything that's a huge target by virtue of having thousands of similarly centralized users ain't one.

Using a password manager (good idea) and then storing all your passwords on a 3rd party service over which you have no control seems inherently risky. LastPass is a huge target, and while I believe they generally take reasonable security measures, for many the risk of compromise may be greater than an encrypted stand-alone password database. Use a password manager, please, but keep it offline and don't aggregate it with loads of other people's databases.

This is one area where I feel strongly that the conveniences of 'Cloud' are outweighed by the risks.
AdmiralAsshat, almost 10 years ago
See quite a few nods to 1Password in here, which is good, although I tend to favor KeePass myself, given that it's FOSS.

It also has a way better Firefox add-on than any of the others I've seen (which is my main browser), and the Android apps, if unofficial, aren't bad either [0]. Importantly, they feature the ability to either pull from a local KeePass DB or to get it from a connected Google Drive account. I've taken to using the latter to make sure my database is synced across all my devices.

At this point it works fairly well across everything I use, with the one exception that trying to keep the database synced on my Windows box requires an extension that looked a tad shady to me [1], so I opted to simply manually upload a new version each time instead.

[0]: https://play.google.com/store/apps/details?id=keepass2android.keepass2android

[1]: http://keepass.info/plugins.html#kpgsync
LawnGnome, almost 10 years ago
I don't use LastPass, but one thing that impresses me about their blog post: they didn't hide behind "your passwords are hashed" or something equally weaselly, but instead said exactly and clearly how passwords are hashed. Every online company should take note.
sroerick, almost 10 years ago
No mention of pass?

http://www.passwordstore.org/

GPG password storage. Synchronization with rsync.

Beats the heck out of proprietary cloud hosted software.
tptacek, almost 10 years ago
Do they know how they were compromised?
robto, almost 10 years ago
I've been using LastPass for a while now, but I was recently evaluating the landscape for something more open. I came across Mitro[0], and it looks like it fits the bill. Unfortunately it doesn't look like it has been much maintained since its open-sourcing last year.

Mitro checked a lot of boxes on my checklist, so it's a bit disappointing that it has a smaller community.

[0]: https://www.mitro.co/security-faq.html
alexnewman, almost 10 years ago
I'm now too paranoid for LastPass ever again.

Sandstorm made setting up a private GitLab about a 5 second thing. I'll just check in gpg encrypted text files once more.

There's a bunch of shell scripts called pass http://git.zx2c4.com/password-store/ which know about gpg, git and this format of text files. There are browser and Android plugins as well. Amusingly it has basic import/export from every other password manager. I exported from LastPass and now all I have to do is switch to a new gpg key and buy all new hardware.
Someone1234, almost 10 years ago
I just deleted, regenerated, and re-associated Google Authenticator and then altered the number of iterations from 10,000 to 10,001 (causing it to re-encrypt the database). None of this is really required but it has invalidated much of the information they could have stolen.

The thing that really bugs me about this is the email address. I have a very low spam level on that account (sub-1 per day on average) and I want to keep it that way. Last thing I need is someone to dump this theft onto a Pirate Bay-like site and then to get spammed by everyone and the kitchen sink.
hawkes, almost 10 years ago
I've learnt a lot reading this thread. Thank you all.

But I can't believe almost everyone here, talking about security, is talking about Dropbox even as a hypothetical cloud option for storing password related info.

- Dropbox (and most of the other cloud storage services) do not encrypt your data, or if they do now as they claim, with SHA256, I'd say they must be able to decrypt it whenever they want to, as they give you the "Did you forget your password" option to change it, so they have to be able to decrypt it and encrypt it with your new password (or whatever they use to encrypt), and they hired ¡Condoleezza Rice! for their board of executives (she puts "national security" over any privacy so...), so you can count on any worker at Dropbox being able to peep at everything you upload whenever they want to.

Of course you'll think: "I'm not a terrorist, I don't care." Well, if a worker can take a look, and you don't even know him... The threat is quite clear to me.

MEGA, for example, does encrypt everything you upload taking as seed some derivation of your password, but they DO NOT store your password, so they can't ever decrypt it for themselves. Probably no one could know even the names of the files you have uploaded unless they already had your password (of course, if you lose it, you lose all of the files uploaded!!! Beware!!!).

I'd rather trust MEGA than Condoleezza's (big-brother government) Dropbox, seriously.

There must be other cloud storage services which encrypt data without storing enough info to decrypt it without your input. I just stumbled upon MEGA and liked the sync app.
bcg1, almost 10 years ago
"Service as a software substitute"

http://www.gnu.org/philosophy/who-does-that-server-really-serve.en.html
redwards510, almost 10 years ago
If you are using LastPass without 2FA (YubiKey, etc), people attacking LastPass itself is really the least of your problems. I'd be much more concerned about keyloggers grabbing your password. BeEF can pop up a LastPass phishing prompt if you just happen to load the wrong JavaScript file.

Using just one string of characters to protect ALL of your passwords is insane.
cheetos, almost 10 years ago
Slightly off-topic: am I naive to believe that my personal system of password management is just about as good as something like 1Password or LastPass? Hear me out. My passwords are generated as follows:

[Low|Med|Hi] + [Key] + [Initials] + [Number]

Low|Med|High = One of three keys based on how sensitive the site is. High: banking / work / email, Low: I don't trust the site, Med: other.

Key = Random string that only I know, with the most important accounts having a unique string

Initials = Initials of site name based on domain name + TLD, with the initials moved up x letters (for example, capitalone.com -> COC -> DPD)

Number = One of three random sets of numbers I use. Sometimes I forget which number I use for each site, but I can figure it out after a few incorrect attempts.

This means a unique password for every site generated by a system that only I know with no central storage except my brain.

What is wrong with this? What would be the advantage to using 1Password / LastPass over this?
itaysk, almost 10 years ago
Password reset page is down:

"Oops! Our servers are a bit overloaded right now.

Please try your password change again shortly, we will catch up soon."
Tomte, almost 10 years ago
Oh great, just the day before yesterday I finally jumped to LastPass (because obviously WinKee is not compatible with my new Lumia phone), using my best password (long, no real syllables, memorized).

It sounds like the password is still safe enough, but it's very unfortunate, inconvenient timing indeed.
kenjackson, almost 10 years ago
Why not just use KeePass? It seems to work great. A bit less convenient, but overall a nice option.
_pcdx, almost 10 years ago
Hi, creator of StrongBox Password Safe (https://itunes.apple.com/us/app/strongbox-password-safe/id897283731) here. I think LastPass have done a pretty good job of being upfront and honest about their techniques and have a handy little product. Comments above mention the centralised nature of storage and indeed it is an issue as it becomes a real bullseye for hackers. Ultimately it's a tradeoff between convenience and security. For what it's worth my app uses the standard Password Safe format (http://passwordsafe.sourceforge.net/), designed by Bruce Schneier. It can store your encrypted password databases locally on device or on Dropbox or Google Drive. This can be easily exported or imported. An added bonus is you can store other tidbits of information in there, notes of any kind, not just passwords. Might be useful for those of you with more stringent security in mind, or more general encryption requirements. It's also free.
Asparagirl, almost 10 years ago
Title should be edited to be more specific:

"[W]e have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

So, a breach of LastPass itself but not a breach of its users' non-LastPass per-website passwords/data.
eyeareque, almost 10 years ago
Now I don't feel so out of touch for not using LastPass. It always seemed like a bad idea to put all of your trust in a single point.
sarciszewski, almost 10 years ago
The LastPass blog won't let me post any comment that mentions KeePassX, so I'm mentioning it here.

Other security folks might recommend other password managers that they prefer (e.g. 'tptacek likes 1Password). Generally, you should listen to them over me.

KeePassX is open source and NOT cloud based, so if those are two points on your mental checklist, it's worth checking out.
Zaheer, almost 10 years ago
Thoughts on LastPass vs 1Password?
pgrote, almost 10 years ago
I found out from an article on Lifehacker. Still have yet to get an announcement in email, extension or app from LastPass themselves.

While the blog post was nice, it would have been better to directly let subscribers know.

I am a premium subscriber with 2FA enabled.

Just received the announcement at 6:54pm CT:

Dear LastPass User,

We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.

We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.

We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.

Regards, The LastPass Team
spacko, almost 10 years ago
Schneier's Password Safe is the real deal:

http://passwordsafe.sourceforge.net/

I use it on:

- Ubuntu

- Windows

- Android

Synchronisation of the password db files is accomplished by storing a master file on Google Drive (Multi-Fac Auth here). I only change passwords on Ubuntu - upload to Drive and download to Android and Company.
tomjen3, almost 10 years ago
Any good tricks on how to generate a new master password that is a) secure enough and b) I can memorize?
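One concrete answer to the question above, as an added example that is not part of the thread: a Diceware-style passphrase is picked word by word with a cryptographic random source, and its strength is computed from the list size and word count instead of guessed. The embedded word list is a constructed 32-word toy list so the block runs offline; for a real master password the functions are meant to be fed a large list such as the EFF long list (7776 words), and the helper shows how many words that list needs for a given entropy target.

```python
"""
Memorable-but-strong master passwords: uniform random word selection plus
an honest entropy calculation. Added example, not from the thread above.
TOY_WORDLIST is constructed for the demo; use a real large list in practice.
"""
import math
import secrets

# Constructed toy list: 32 distinct words, so each word carries exactly 5 bits.
TOY_WORDLIST = [
    "apple", "river", "stone", "cloud", "tiger", "lemon", "piano", "maple",
    "ocean", "candle", "silver", "forest", "window", "rocket", "marble", "velvet",
    "copper", "meadow", "harbor", "lantern", "pepper", "saddle", "thunder", "walnut",
    "zebra", "island", "garden", "mirror", "needle", "orbit", "quartz", "yarn",
]


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly (with replacement) from a
    list of `list_size` distinct words. Memorability comes from the words;
    strength comes only from this number, never from how the words look."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a `list_size` list reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(wordlist: list[str], word_count: int, separator: str = "-") -> str:
    """Pick `word_count` words with the `secrets` CSPRNG. Duplicates in the list
    would silently lower the real entropy below the computed one, so refuse them."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates; entropy estimate would be wrong")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    n = words_needed(77, 7776)  # EFF long list: ~12.9 bits per word
    print(f"{n} words from a 7776-word list give {passphrase_entropy_bits(n, 7776):.1f} bits")
    print("toy example (only 30 bits, demo list is tiny):", generate_passphrase(TOY_WORDLIST, 6))
```

The separator and capitalisation add nothing an attacker who knows the scheme cannot also try, so the entropy figure deliberately ignores them; the list size and word count are the only knobs that matter.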
kriro, almost 10 years ago
On a related note... I'm using KeePass+Yubikey but am a bit worried that the project is still hosted on SourceForge. The dev team seems to think it's no problem, at least that's the impression I get from reading the forum.
SpendBig, almost 10 years ago
"LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

I wouldn't mention that if your data has just been compromised. Although it makes it hard to handle that data, it is more info about how the data is encrypted.
systematical, almost 10 years ago
I switched to LastPass a year ago for all non-critical accounts, basically everything that's not email or my personal finances. It's still a bit of a risk, but this way I only need to remember about 5 passwords. I guess I'll slowly be updating all the passwords on my LastPass sites and coming up with a new master password today.

In short, more major sites need to implement a Google Authenticator style service.
maxtaco, almost 10 years ago
Plug for https://oneshallpass.com. Open source. Your site-specific password is an HMAC; the key is your password and the payload is the site you're logging in to. Works perfectly offline. You can optionally store an encrypted list of the sites you use (and parameters like number of symbols) to the server.
moepstar, almost 10 years ago
I commend them for their honesty, so thanks for the heads up :)

One thing I noticed: they used quite a few German words ("dennoch", "jedoch", "dann") which I haven't seen used elsewhere up to now.

Is that common? I know that quite a few words are used commonly in English like "kindergarten" for instance, but this is the first time I've seen those in an English blog...
wstrange, almost 10 years ago
Time to kill the password.

Federated login using OpenID Connect seems like a far better solution. I can't fathom why so many web sites want the awful responsibility of storing your password. Why not leave that to Google, Facebook or Microsoft? Or your bank for that matter...

And yes - you should secure your IDP login with multi-factor authentication.
guylepage3, almost 10 years ago
Wow! More and more centralized services are being hacked. Time for something more decentralized.
foobar81, almost 10 years ago
Phew. Good thing I use http://www.passwordstore.org and https://git-annex.branchable.com.
JoshTriplett, almost 10 years ago
Things like this are why I prefer Firefox Sync. Works across all my devices (home laptop, work laptop, Android phone), and uses client-side encryption, so a compromise of the Sync server provides the attacker with nothing of value.
Kelly2, almost 10 years ago
I don't understand the use case for LastPass/Dropbox/FTP storage of passwords. 1Password (and probably others) allow you to sync over Wi-Fi; isn't that enough? Why would you need to do it over the cloud?
rtz12, almost 10 years ago
I have a German system from a German IP and some of the words in the article are German. Weird. Do they have some kind of auto translation that kicks in even though they didn&#x27;t translate the whole article?
crusso, almost 10 years ago
Does LastPass keep the encrypted copy of the password file for non-premium accounts? For accounts that don&#x27;t sync and just use it from a single browser?
dbs, almost 10 years ago
Strange fact: changed my master password a few min ago. But there's a message saying it was changed 23 hours ago.
Gonzih, almost 10 years ago
And now they are under heavy load because of people changing their master passwords. Can't change mine :)
kolev, almost 10 years ago
How many times does LastPass need to screw up before you guys flee it? Pick your security vendors carefully!
AndrewDMcG, almost 10 years ago
This is what I recommend to non-technical users: http://www.amazon.co.uk/Silvine-Executive-Pocket-Notebook-143x90mm-x/dp/B006O8915M/

I use a hand-rolled gpg + git + ownCloud for myself, but that's not convenient if you don't routinely have terminal windows open.
magoon, almost 10 years ago
iCloud Keychain doesn't store your passwords on Apple-controlled servers when you do not configure an iCloud Keychain storage PIN; you can use it in a mode that simply syncs keychains across devices, all of which allow password-based encryption.
HaoZeke, almost 10 years ago
Wouldn't the solution be something akin to Enpass?
h43k3r, almost 10 years ago
Another incident that reminds me why 2-factor authentication is absolutely necessary for important information.
Animats, almost 10 years ago
"LastPass simplifies your online life by remembering your passwords for you."

You had one job. And you blew it.
bernadus_edwin, almost 10 years ago
The year is 2015 and they still don't have a mobile site to change your password. Amazing.
oneJob, almost 10 years ago
you had one job. one.
fredsted, almost 10 years ago
I've always had the feeling that LastPass was held together by sticks and duct tape, especially the frontend.
joshstrange, almost 10 years ago
Perhaps this isn't the thread to discuss this but I feel like the state of access in 2015 is dismal at best...

Every option out there either sucks ass on mobile or only integrates with a TINY percentage of apps, and on desktop they aren't much better. How does Chrome (on iOS and OS X) blow every other PW manager out of the water? It "Just Works (tm)" while every other PW manager makes me jump through a shit ton of hoops... I want to be safe but I can't be the only one who feels "chore" doesn't even begin to describe what maintaining and using a PW manager is like. My "Master" PW is secure but I'm not typing that thing every 5 minutes. 1Pass got better with Touch ID but it still makes me want to smash my phone every time I have to use it (Also, 1Browser, yeah how about FUCK NO).