
LastPass Hacked, Change Your Master Password Now


Batu69


LastPass and other web-based options store your passwords in encrypted databases in the cloud, which is inherently vulnerable, while KeePass and 1Password default to storing locally, which means they store your encrypted password database on a file on a device, like your phone or computer. Local storage is more secure, since it’s not on the web, but it’s less convenient. (Our sister site Lifehacker has a more detailed breakdown of the best password managers.)
http://gizmodo.com/am-i-an-idiot-for-still-using-a-password-manager-1711673486

I don't trust storing anything in a cloud that's important to me, as in the past millions have lost or had all their data stolen. If I had to use one I would use one that stored them locally.


I've never had a problem with LastPass-I've used it for years. The more popular a program is, the more likely it will be targeted. Just ask Kaspersky.



I've never had a problem with LastPass-I've used it for years. The more popular a program is, the more likely it will be targeted. Just ask Kaspersky.

All it takes is one smart person. You ever hear of that site Bug Me Not? It's full of stolen passwords. I've been over there and seen people's names from forums like these. :s



I'm not a genius in these things... but guys... should I remove/delete my LastPass account or not?

I mean.. is it still safe to use?

There is nothing like absolute security. If a program was made by a human, it can also be hacked/cracked by (another) human. [Note: the same situation applies to door locks.]

But on the other hand, security is not the only factor we need to take into account. Convenience of use matters too.

IMO the key is to choose a reasonable proportion between security and ease of use.

It is obvious that all our data stored in the cloud is less safe than data stored offline on our HDD.

But programs like the LastPass browser extension, with their automatic logon to the most often used sites, are so extremely convenient! Far more convenient than any offline password manager.

Therefore I use them both:

The most important passwords (like bank account credentials, credit card and social security numbers) and other important information of any sort I keep offline in Sticky Password (free version WITHOUT online synchronization), but KeePass can do as well. In this case security definitely outweighs convenience.

But login credentials for frequently used but less important sites and forums are another kettle of fish for me. Having them handy, or even being able to be logged in automatically to all those places, is too tempting. And that's why I use an online solution like the LastPass browser addon in that case.

This DUAL system has worked for me for many years already without any problems, so I can recommend it, especially to those who are confused and feel frustrated with what has happened today.

Cheers. :showoff:



1Password

You control the encrypted files, and can either put it on the cloud, or not. You can sync with LAN Wi-Fi if you think someone would hack into your cloud AND decrypt your keychain.

LastPass is probably the biggest target, since it's all online and it's the most well known.

Anyway, changing your password is useless if it is ever determined that they have bad crypto, and they get their encrypted database dumped.



I'm not a genius in these things... but guys... should I remove/delete my LastPass account or not?

I mean.. is it still safe to use?

I'm going to directly quote here the main post from the link supplied by Pointing, since this thread shows many people didn't check that valuable info. It's really worth reading:

EDIT: Reposting this comment up here, because the original commenter deleted his reply and my comment got hidden.

Christ, people, before you run around like headless chickens or start bro-fiving each other for "knowing it all along that online password managers were stupid", RTFA.

If you don't understand how hashed passwords work, and you don't have a clue how LastPass works, allow me to educate you in the simplest terms I can think of as to why this is not nearly as big of a deal as you think it is.

None of the site passwords (that you enter in for individual sites) were breached. Not in encrypted or even hashed form. All that they got were hashes of your master password (ignore the scary "master" bit of that word if you don't use LastPass).

A hash (in ELI5 terms) is the product of using a function to transform your plain-text password into something completely and discernibly different (like converting the string "jackthedog" into "D943HJ#GHG$DNM4O&5UTN@FMN"). The type of function used is what determines how easy it is to revert a hash back to its plain-text. I strongly recommend you look at the linked Wikipedia link to learn more.

Now then, the password for your account was hashed with a random salt and 5,000 rounds of client-side PBKDF2-SHA256, and 100,000 rounds of server-side PBKDF2-SHA256. One. Hundred. Thousand. Rounds. Let that sink in. Keep in mind that PBKDF2-SHA256 is purposefully designed to take as much time as possible to even make one attempt at cracking a produced hash.

But hey, let's assume they have this hash and they're actively cracking them one at a time (which is really the only "efficient" way of doing it). The immense power and processing that only the richest of malicious attackers would have would still require a long, long time. We're talking weeks, even months. Even then, cracking your master password with the extreme level of hashing that LastPass puts it through is cost-prohibitively expensive, and you would have to already have been selected as an extremely valuable target for even the dumbest of malicious attackers to consider you as a candidate for hash cracking. Eventually, the bills, the heat, the energy would all rack up like mad (several hundred to several thousand dollars is a conservative ballpark).

But hey let's assume that they did it. It's been several weeks, months, or years later, and several hundred or thousand dollars later, and they finally have your password in clear text. Hurrah for the villain. Oh shit, everything is screwed, all your CCs, passwords, everything is gone!

Except even then, if they go through all that time, effort, and computing power, if you take 5 seconds to change your password now, the result they end up with (at whatever point in the future, weeks, months or even years from now) will be absolutely fucking useless, because they'll excitedly run over to lastpass.com, enter in this cracked password, and find it to be invalid, all because you were smart, calm, level-headed, and you changed your password a long, long time before they got to this point.

You are here. You've been made aware of it. Knowing about it is the strongest and most effective weapon you have against this, because every single bit of concern there might be in losing any of your data is dealt with by the five seconds it will take you to change this password. You don't even need to enable 2 Factor Authentication, but if you have some time to understand it (it's easy!), you absolutely should do that as well.

The people behind LastPass are much, much more intelligent than you or I in the context of cryptography and online security. They know what they are doing. They know the responsibility they uphold.

If the idea of an online password manager was easily debunked by a bunch of mainstream users going "What? Store my passwords online? Haha how stupid", then it wouldn't fucking exist in the first place.

Yes, they got hacked. Yes, it was unfortunate. However, their track record has been pretty good up until this point, and the fact that only hashes of a master password (and not a single password or hash or encrypted file) were all that was retrieved, combined with the fact that they're taking pretty extreme measures going forward, including forcing master password resets for everyone and adding additional IP-based authentication checks for foreign IPs, all tells me that they're taking it seriously enough that this will be less likely going forward.

Yes, there is irony in the fact that an online password manager got hacked. But a server is a server is a server. There are many, many things you can do to keep it safe and still be vulnerable, and LastPass does have to balance convenience and security, and thus far, they've done a decent job, and I have no doubt it's going to be now more skewed towards security and not convenience.

Change your master password, and you're perfectly fine. It just simply is not possible for anyone to have cracked your password in the time between the breach and the announcement. The hardware just doesn't even exist, and even if they had the power of the world's supercomputers, it still wouldn't happen before you change your password.

Don't eat FUD. Don't get your security news from CNet or your local TV station. Make an effort to understand security and you'll realize why so few security professionals are worried about this, and why it's an inconvenience at worst to have to change your master password.

Source : https://www.reddit.com/r/Android/comments/39y6eh/psa_lastpass_was_breached_master_password_hashes/cs7o3k7

@psyko666

So I hope you finally know what you should do :

1. don't panic

2. just change your LastPass master password,

3. and if you still want to increase your security level (but lower convenience) - enable two-factor authentication,

You should do that here.

4. learn a bit more ...

ad 1.

:lol: ;)

ad 2.

The Intermediate Guide to Mastering Passwords with LastPass

ad 3.

Here's Everywhere You Should Enable Two-Factor Authentication Right Now

ad 4.

How to Audit and Update Your Passwords After a Service Gets Hacked



1Password

You control the encrypted files, and can either put it on the cloud, or not. You can sync with LAN Wi-Fi if you think someone would hack into your cloud AND decrypt your keychain.

LastPass is probably the biggest target, since it's all online and it's the most well known.

Anyway, changing your password is useless if it is ever determined that they have bad crypto, and they get their encrypted database dumped.

Why do you mention the "password method" only?

What about 2-factor authentication? Isn't it a really significant increase in security for those still feeling unsafe?



Update: June 16, 2015 @ 4:10 PM EST

We appreciate the patience and support from our community after yesterday’s announcement. As expected, we work tirelessly to make sure that your data is safe. That’s why we quickly detected, contained, evaluated the scope of the incident, and secured all user accounts. We want to assure our users that our cyberattack response worked as designed.

We’ve received many questions so we want to take a moment and provide additional clarification:

Was my master password exposed?

No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.

Am I at risk if I have a weak master password?

An attacker could try to guess your master password, then use your per-user-salt and authentication hash to determine if their guess was correct. Typically, an attacker would try a list of commonly-used passwords or dictionary words (such as 12345678, password1, mustang, robert42, iloveyou). They would have to do this for you specifically, since your “per-user” salt is unique to your account. Because your password is hashed thousands of times locally, and is again hashed 100,000 times before being stored server-side, guesses will be very slow. If your master password is weak or if your password reminder makes it easy to guess, then the attacker could significantly reduce the number of attempts needed to guess it correctly. Then the attacker would have your master password, but not your data, since your data vault was not exposed. If the attacker attempted to get access to your data by using these credentials to log into your LastPass account, they’d be stopped by a notification asking them to first verify their email address. We require this security measure for any attempt to access your vault from a new device/location, unless you have multifactor authentication enabled.

Were passwords or other data stored in my vault exposed?

No, your data is safe. Encrypted user vaults were not compromised, so no data stored in your vault is at risk (including form fill profiles, secure notes, site usernames and passwords). However if you used your master password for any other website, we do advise changing it – on LastPass as well as on the other websites. Note that you should never reuse passwords – especially your LastPass master password!

What should I do now?

Our security and processes worked as designed, and customer data was, and is, protected. Because we are requiring verification for any new IP address or device, your account is secure. You will be prompted to update your master password when you login. Not all users will see the prompt immediately, but your account is safe and you can update when prompted. For added security going forward, we recommend enabling multifactor authentication. Also, be wary of phishing emails asking you to disclose your master password, payment information, or any other personal information. Never, ever disclose your master password or any confidential information, even to someone claiming to work for LastPass.

Why did I hear about this in the media first?

Emails have been sent to all users regarding the security incident. Notifying millions of users via email takes time. Therefore, we also announced the security alert to our blog and our social accounts in real-time, and the media quickly picked up the story.

I reset my master password, but now I can’t get in!

If you forgot or mis-typed your new master password, please revert your change: https://lastpass.com/revert.php and login again with the previous master password. Then you can try another change (and be careful of typos!).

I don’t remember my old master password.

Please try password recovery: https://lastpass.com/recover.php on a browser where you’ve used LastPass before. For more information about account recovery, see: https://helpdesk.lastpass.com/account-recovery/

Source
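To make the two-stage hashing in the FAQ above concrete (and the earlier Reddit explanation of what a hash is and why the per-guess cost matters), here is an added Python model. It is not LastPass's code and not code from either quoted post. It uses only the numbers the page gives (5,000 client-side rounds, 100,000 server-side rounds, a random per-user salt) and makes three labelled assumptions: the client-side PBKDF2 salt is the username, the "another round of hashing" that produces the authentication hash is a single PBKDF2-SHA256 iteration keyed by the master password, and the server salt is 16 bytes. The sample users are constructed.

```python
import hashlib
import secrets
from typing import Optional

CLIENT_ROUNDS = 5_000    # client-side PBKDF2-SHA256 rounds stated in the FAQ
SERVER_ROUNDS = 100_000  # server-side PBKDF2-SHA256 rounds stated in the FAQ
SALT_BYTES = 16          # assumption: size of the random per-user server salt


def client_key(username: str, master_password: str) -> bytes:
    """Client side: the vault key. Assumption: the username is the PBKDF2 salt
    (the FAQ only says username and master password are hashed together)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.encode(), CLIENT_ROUNDS)


def client_auth_hash(username: str, master_password: str) -> bytes:
    """Client side: 'another round of hashing' over the key gives the
    authentication hash that is sent to the server. Assumption: that round
    is one PBKDF2-SHA256 iteration keyed by the master password. The vault
    key itself never leaves the client."""
    key = client_key(username, master_password)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def server_hash(auth_hash: bytes, salt: bytes) -> bytes:
    """Server side: 100,000 more rounds over a random per-user salt. This is
    the value kept in the database, i.e. all a database dump would contain."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)


def enroll(username: str, master_password: str,
           salt: Optional[bytes] = None) -> dict:
    """What the server records for one user: per-user salt + server hash."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    auth_hash = client_auth_hash(username, master_password)
    return {"username": username, "salt": salt,
            "stored": server_hash(auth_hash, salt)}


def verify(record: dict, username: str, master_password: str) -> bool:
    """Login check: recompute the whole chain, compare in constant time."""
    auth_hash = client_auth_hash(username, master_password)
    candidate = server_hash(auth_hash, record["salt"])
    return secrets.compare_digest(candidate, record["stored"])


def rounds_per_guess() -> int:
    """Cost of testing ONE candidate master password against a leaked
    (salt, stored) pair: the full client + server chain must be recomputed,
    and because the salt is per user it cannot be amortised across users."""
    return CLIENT_ROUNDS + 1 + SERVER_ROUNDS


def demo() -> dict:
    user, pw = "alice@example.test", "correct horse battery staple"  # constructed
    rec = enroll(user, pw)
    twin = enroll("bob@example.test", pw)            # other user, same password
    rotated = enroll(user, "new-and-unrelated-master")  # after a password change
    return {
        "login_ok": verify(rec, user, pw),
        "wrong_password_rejected": not verify(rec, user, "Correct horse battery staple"),
        # different username and salt: identical passwords, different stored hashes
        "same_password_differs_per_user": rec["stored"] != twin["stored"],
        # once the master password is changed, the old one no longer verifies
        "old_password_rejected_after_rotation": not verify(rotated, user, pw),
        # the value sent to the server is not the vault key itself
        "vault_key_not_sent": client_key(user, pw) != client_auth_hash(user, pw),
        "rounds_per_guess": rounds_per_guess(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point a defender should take from `rounds_per_guess()` is that every single candidate password costs 105,001 PBKDF2-SHA256 iterations and has to be redone per user, so a long random master password stays out of reach, while a dictionary word does not; the FAQ's advice to rotate the master password works because, as `old_password_rejected_after_rotation` shows, whatever is eventually recovered from the old hash no longer matches anything.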



Have been trying out LastPass periodically - hoping against hope that the latest version would become my go-to password manager.

Just recently when I tried out LastPass . . . . . . . . again - it succeeded in disappointing me . . . . . . . . again.

In its existing pitiful form, I would not care to permit it to be a part of my security arsenal - regardless of whether the Publisher managed to get themselves hacked . . . . . . . . again.



1Password

You control the encrypted files, and can either put it on the cloud, or not. You can sync with LAN Wi-Fi if you think someone would hack into your cloud AND decrypt your keychain.

LastPass is probably the biggest target, since it's all online and it's the most well known.

Anyway, changing your password is useless if it is ever determined that they have bad crypto, and they get their encrypted database dumped.

Why do you mention the "password method" only?

What about 2-factor authentication? Isn't it a really significant increase in security for those still feeling unsafe?

I use that everywhere I can.

However, there isn't 2FA on 1Password, as you can't really 2FA against a local encrypted file. 2FA is just another "give us this and we'll send you the data/access you need".

If a place offers 2FA, and it isn't awful SMS, then I use it.



Just one of the many reasons why I dumped this LastPass.

What's your alternative now?

regards

A good alternative is "Sticky Password v8"

Your master password is known only to you. No one else :o

"We never save it on our servers or send it over the Internet. By default, we don’t even save it on your devices. It only exists in your head"

More about: //www.nsaneforums.com/topic/243386-sticky-password-80243/ or: https://www.stickypassword.com/

Download page: https://www.stickypassword.com/help/download



Just one of the many reasons why I dumped this LastPass.

What's your alternative now?

regards

A good alternative is "Sticky Password v8"

Your master password is known only to you. No one else :o

"We never save it on our servers or send it over the Internet. By default, we don’t even save it on your devices. It only exists in your head"

More about: //www.nsaneforums.com/topic/243386-sticky-password-80243/ or: https://www.stickypassword.com/

Download page: https://www.stickypassword.com/help/download


Agree. This is a very decent password manager.

As I mentioned earlier, I've been using Sticky Password for the most important passwords (only), and therefore totally offline, with SYNC DISABLED and blocked by the firewall (just to be absolutely sure).



Your master password is known only to you. No one else

Congratulations for doing password management the same way every other respectable crypto company does.



Just one of the many reasons why I dumped this LastPass.

What's your alternative now?

regards

A good alternative is "Sticky Password v8"

Your master password is known only to you. No one else :o

"We never save it on our servers or send it over the Internet. By default, we don’t even save it on your devices. It only exists in your head"

More about: //www.nsaneforums.com/topic/243386-sticky-password-80243/ or: https://www.stickypassword.com/

Download page: https://www.stickypassword.com/help/download

More about Sticky Password Security :o

Question & Answer from Sticky Password Forum - Source : lastpass and your defence

Q: It is known that Lastpass password manager was hacked.

Please write me in understandable way how Sticky password defense technology is different from LastPass one. I am afraid of my private passwords first of all.

Especially, I am interested in whether they are hashed or stored by stickypassword.com.

A: The main difference between Sticky Password and LastPass is probably the fact that Sticky Password stores your database primarily on the device with which you are currently working.

In the case of synchronization between your devices, the encryption of the data also occurs locally before it is sent either to the cloud storage or via Wi-Fi or the local network to the other device.

You may check the more detailed description of our security solution here:

https://www.stickypassword.com/security

and in our Security White Paper:

https://www.stickypassword.com/download ... ePaper.pdf

In case you would have more questions, please let us know.



  • 1 month later...

There is no software which can't be cracked. The more bullet-proof guarantees, the more chances that someone will want to break it.

If it can be cracked it can be hacked, that's for sure :lol: I put my passwords down the old way. Always have. I just keep them in a safe place.

Sorry to inform you sir, but this is the least secure way. Now if you are talking about stuff that has never been on the internet (the computer), never will be, and is encrypted, then yes it would be. Research the videos on YouTube about the NSA. I have watched many of them, and if I remembered which one exposed this, I would link to it. I however downloaded the video and already exported it for future viewing just in case, which I do not have access to at the moment without looking all over YouTube for the original.



Still get hacked :P

Hackers stole every single Federal government worker's SSN and info in the USA. Do you think some cheap software can protect you when governments, with all the money they need at their disposal, can't even protect themselves? ;)

The government is so incompetent. Many of them still use XP and have paid somewhere around 20 million to receive updates. Never mind the fact that they allowed Snowden to literally walk away with all that info, which according to many sources was everything.



LastPass and other web-based options store your passwords in encrypted databases in the cloud, which is inherently vulnerable, while KeePass and 1Password default to storing locally, which means they store your encrypted password database on a file on a device, like your phone or computer. Local storage is more secure, since it’s not on the web, but it’s less convenient. (Our sister site Lifehacker has a more detailed breakdown of the best password managers.)
http://gizmodo.com/am-i-an-idiot-for-still-using-a-password-manager-1711673486

I don't trust storing anything in a cloud that's important to me, as in the past millions have lost or had all their data stolen. If I had to use one I would use one that stored them locally.

I agree, however I would make sure that your conflictor (aka computer) was not compromised in any way, which these days is literally non-existent.



I'm not a genius in these things... but guys... should I remove/delete my LastPass account or not?

I mean.. is it still safe to use?

There is nothing like absolute security. If a program was made by a human, it can also be hacked/cracked by (another) human. [Note: the same situation applies to door locks.]

But on the other hand, security is not the only factor we need to take into account. Convenience of use matters too.

IMO the key is to choose a reasonable proportion between security and ease of use.

It is obvious that all our data stored in the cloud is less safe than data stored offline on our HDD.

But programs like the LastPass browser extension, with their automatic logon to the most often used sites, are so extremely convenient! Far more convenient than any offline password manager.

Therefore I use them both:

The most important passwords (like bank account credentials, credit card and social security numbers) and other important information of any sort I keep offline in Sticky Password (free version WITHOUT online synchronization), but KeePass can do as well. In this case security definitely outweighs convenience.

But login credentials for frequently used but less important sites and forums are another kettle of fish for me. Having them handy, or even being able to be logged in automatically to all those places, is too tempting. And that's why I use an online solution like the LastPass browser addon in that case.

This DUAL system has worked for me for many years already without any problems, so I can recommend it, especially to those who are confused and feel frustrated with what has happened today.

Cheers. :showoff:

I have to add that I don't necessarily like the LastPass system where you can change your info in your secure notes while logged in but offline. Later when you log in and then restart your PC thinking that your passwords were changed, they are not, and you lose access to whatever info you put in your secure notes, as it was not synced; only the original is displayed and not the changed version. Now if someone knows how to contact them, it would be appreciated if they relayed this info to them. Thx in adv.



Archived

This topic is now archived and is closed to further replies.
