• LastPass hacked, hashed/salted master passwords and password hints exposed
    74 replies, posted
Of all the times I HAVE to forget my damn master password now! (╯°□°)╯︵ ┻━┻
[QUOTE=Levelog;47974217]My master password is a 25 character long password containing caps, lower case, numbers, and symbols.[/QUOTE] In all likelihood you're completely fine not even changing it - but you still should.
FFS I literally just started using LP like 3 weeks ago... looks like I'm going back to writing my passwords in a Notepad file saved in an encrypted TrueCrypt container.
Fucking hate hackers.
[QUOTE=Handsome Matt;47975158]They don't have your master key either - read up on how LastPass actually works please.[/QUOTE] You also are able to download local backups in case the service dies so you can access passwords locally. Not sure how they can hold your passwords hostage when that's a thing. And if some sort of flaw was found, it would be a flaw with SHA-256 and AES 256 itself, because that's what they're using. Which means that LastPass would be the least of your problems because many governmental and industry level applications are also compromised and we're facing a global crisis.
[QUOTE=Rocket;47974685]That doesn't actually solve any of them. They can still hold my passwords hostage, still lose my data, and still have some security flaw that leaks my master key or that allows an attacker to find the master key.[/QUOTE] You have a local copy of your encrypted password bank.
[QUOTE=Zeke129;47974194]If you have a strong password it'll continue being secure for the next several billion years it takes to crack. [editline]15th June 2015[/editline] Because it's harder to steal encrypted passwords from a physically secure webserver than it is to steal plaintext passwords from a sticky note under a desk[/QUOTE] How'd you know I have all my passwords on sticky notes, you cheeky tit? Now I have to change my Facepunch password.
[QUOTE=Rocket;47974685]That doesn't actually solve any of them. They can still hold my passwords hostage, still lose my data, and still have some security flaw that leaks my master key or that allows an attacker to find the master key.[/QUOTE] They can't hold your passwords hostage because the extensions and apps all have offline copies. You can export them into a universal CSV file at any time, as long as they're currently decrypted with your master password. Lastpass is basically just a backup server for an encrypted file containing your passwords, with the added ability to access that file from a web interface. The latter makes it a [i]tiny[/i] bit less secure than putting a Keepass database on Dropbox/Google Drive, but it's effectively the same. From what I understand the decryption of your passwords happens client side - they don't have access to your master password.
[QUOTE=SPESSMEHREN;47975342]FFS I literally just started using LP like 3 weeks ago... looks like I'm going back to writing my passwords in a Notepad file saved in an encrypted TrueCrypt container.[/QUOTE] I've always wondered, is that a safe thing to do? I mean, given a strong password and a good choice in encryption I think it's a pretty good idea so long as no one finds out the password or you end up with screen capturing malware. Before anyone says that an attacker can just download it and attempt to crack it, what if you were to make it 50-100gb? No attacker would be able to download that uninterrupted or would even waste their time on it.
[QUOTE=Zeke129;47977095]They can't hold your passwords hostage because the extensions and apps all have offline copies. You can export them into a universal CSV file at any time, as long as they're currently decrypted with your master password. Lastpass is basically just a backup server for an encrypted file containing your passwords, with the added ability to access that file from a web interface. The latter makes it a [i]tiny[/i] bit less secure than putting a Keepass database on Dropbox/Google Drive, but it's effectively the same. From what I understand the decryption of your passwords happens client side - they don't have access to your master password.[/QUOTE] LastPass also works on Android, so you can log on to things without issue. It can even fill out login/password forms in other apps. The only downside is you need to pay for it, but I'm more than willing to pay $12/year for that.
[QUOTE=Tone Float;47973460]Fucksake, you can't use the same password for everything because one site's hack will make all of them vulnerable. Furthermore, you can't use a password composed of words because it will be guessed by a dictionary attack. Your only hope is to have a hundred "RS8XE2ha8sS" passwords you'll never remember, and store them on a password service which will of course then be hacked! Fuck hackers.[/QUOTE] Get a notebook, get a safe, there you go. Bury it in the backyard. Dig it up at night when you forget your passwords. When your neighbor starts to wonder why you dig up your backyard at one in the morning, kill him and bury him with the safe. Only the dead will know your secrets.
[QUOTE=Paramud;47977283]Get a notebook, get a safe, there you go.[/QUOTE] Security is a balance of inconvenience and effectiveness; LastPass provides the average user a very good balance of the two by making it easy to have a unique and secure password for each site. Is it the most secure method? No, of course not; but it's a lot better than using the same weak password everywhere, or writing passwords down on sticky notes, Excel documents, or various other insecure formats. If you're really concerned then yeah, having a computer that is never connected to the internet, has full hard drive encryption (with a strong master key), and is stored in a safe isn't a bad idea in terms of security (though, of course, you have to take it out of the safe to look up your passwords). Plus, you wouldn't be having sites remember you, so you would always need to be re-logging in (if you're really worried about security, then having your session key stolen is a more realistic threat in most cases anyway, because that's what's getting stored and transmitted all of the time, not the password [*in well designed sites at least]). Not to mention, having a single point of failure (the computer hard drive) is a terrible idea in terms of redundancy. Even if the data is stored in some redundant format, one big natural disaster or someone breaking in and stealing the entire safe and all of those passwords are lost. This is the biggest reason I switched to LastPass: redundancy. Also, I see by your edit that you were being sarcastic. Nevertheless, I'm sure some people do actually think that's a good idea (it actually would be alright, if impractical and cumbersome, if not for the issue of no offsite redundancy).
[QUOTE=Paramud;47977283]Get a notebook, get a safe, there you go. Bury it in the backyard. Dig it up at night when you forget your passwords. When your neighbor starts to wonder why you dig up your backyard at one in the morning, kill him and bury him with the safe. Only the dead will know your secrets.[/QUOTE] What if you forget where in the backyard you buried it?
[QUOTE=Zet;47977361]What if you forget where in the backyard you buried it?[/QUOTE] Ask your neighbor
What happened to just writing your passwords down and hiding the paper like I do? Storing ANYTHING online means it can be stolen by anyone from anywhere, or lost because of a service shutdown.
I do wonder why they're not using hardware-module-based salting. The same goes for obscure additional encryption via hardware. Plus, I remember some months (or maybe a year) ago someone demonstrated a nice way of hardware-based encryption, which returned completely different (false) results to an attacker trying to use software decryption attacks. Seems like LP is stuck in prehistory on that. My good old approach of using KeePass or RoboForm with a local database and a strongly encrypted backup in a protected archive on random storage is better.
[QUOTE=TheTalon;47977558]What happened to just writing your passwords down and hiding the paper like I do? Storing ANYTHING online means it can be stolen by anyone from anywhere, or lost because of a service shutdown.[/QUOTE] And storing it in your room means someone could walk in and steal it. Unless you're going with the put-it-in-a-safe-and-bury-the-safe-in-the-backyard route.
[QUOTE=waxrock;47977690]And storing it in your room means someone could walk in and steal it.[/QUOTE] Yeah and if you store it in your mind someone can torture it out of you. Or you could just forget. No place is safe, but some are less likely to be stolen by criminals.
[QUOTE=TheTalon;47977558]What happened to just writing your passwords down and hiding the paper like I do? Storing ANYTHING online means it can be stolen by anyone from anywhere, or lost because of a service shutdown.[/QUOTE] Then your house burns down and you're fucked because you can't access any of your accounts, or (best case) you can do recovery through your phone for your email, then go through the process of recovering the passwords for every other account. Never mind the problem of theft. Now, mind, I understand the mindset that the internet is inherently insecure and that nothing on (or connected to) the internet is ever "completely" safe. This is true, of course, and the secured data on the internet is subject to much greater and ongoing attacks than, say, your front door. On the other hand, the measures that secure that data are likewise robust enough to survive these attacks in large part; if they weren't, then the internet simply would not be able to function in the way it does now, as there could be no trust, no authentication. To each their own I guess, and a piece of paper isn't the worst way to store password information, but you should seriously look into backing up your important account information in a different location if you're going to continue going the paper route.
Just make your passwords follow a system which you determine by a letter of the website and some numbers which correlate to the type or length of the website's text. Only you know the system and it's basically like having a master password but way easier to remember.
The worst thing is, this is the first I'm hearing of it, didn't even get an email from LastPass.
[QUOTE=ijyt;47978491]The worst thing is, this is the first I'm hearing of it, didn't even get an email from LastPass.[/QUOTE] I just got one from them about an hour ago
[QUOTE=geel9;47972460]Because of how strong cryptography works lol[/QUOTE] Call me crazy / paranoid but I wouldn't trust that. Cryptography is strong but there is so much potential for side attacks. All it takes is one small bug in an implementation to make it completely insecure (look at the Debian issue a few years back).
[QUOTE=Rangergxi;47972497]I just write them down.[/QUOTE] Hell yeah, analog storage is best storage.
I just keep 'em all in my head where they are safe.
All they got was the hashed master passwords. No user data lifted in this hack. Change your master password and life goes on.
[QUOTE=TheTalon;47977558]What happened to just writing your passwords down and hiding the paper like I do? Storing ANYTHING online means it can be stolen by anyone from anywhere, or lost because of a service shutdown.[/QUOTE] Because having 100+ post-it notes with passwords on them is much safer and manageable.
[QUOTE=KillerJaguar;47977254]LastPass also works on Android, so you can log on to things without issue. It can even fill out login/password forms in other apps. The only downside is you need to pay for it, but I'm more than willing to pay $12/year for that.[/QUOTE] There are Keepass clients for Android that automatically synchronize the database file as well. You can store it on Dropbox or Google Drive and it works basically as seamlessly as Lastpass.
[QUOTE=SPESSMEHREN;47975342]FFS I literally just started using LP like 3 weeks ago... looks like I'm going back to writing my passwords in a Notepad file saved in an encrypted TrueCrypt container.[/QUOTE] Or you could just use KeePass for free, more secure and a lot more convenient. [video=youtube;rAUVUUhf7U0]https://www.youtube.com/watch?v=rAUVUUhf7U0[/video]
[QUOTE=Michael haxz;47987537]Or you could just use KeePass for free, more secure and a lot more convenient[/QUOTE] But it's not really either of those things. It is on about the same level as LastPass.