CCleaner Community Forums
hazelnut

LastPass hacked

well, that was only a question of when.

all those eggs in one basket must make for a tempting target.

> well, that was only a question of when.
>
> all those eggs in one basket must make for a tempting target.

I agree, that's why I use an offline manager for my passwords (keepass)


via reddit:

I fixed some of the formatting from reddit to here (and removed some profanity), but it's a bit of a mess and in like six quote boxes for some reason!


EDIT: Reposting this comment up here, because the original commenter deleted his reply and my comment got hidden.

Cripes, people, before you run around like headless chickens or start bro-fiving each other for "knowing it all along that online password managers were stupid", RTFA.

If you don't understand how hashed passwords work, and you don't have a clue how LastPass works, allow me to educate you in the simplest terms I can think of as to why this is not nearly as big of a deal as you think it is.

**None** of the site passwords (that you enter in for individual sites) were breached. Not in encrypted or even hashed form. All that they got were hashes (https://en.wikipedia.org/wiki/Cryptographic_hash_function) of your master password (ignore the scary "master" bit of that word if you don't use LastPass).

A hash (in ELI5 terms) is the product of using a function to transform your plain-text password into something completely and discernibly different (like converting the string "jackthedog" into "D943HJ#GHG$DNM4O&5UTN@FMN"). The type of function used is what determines how easy it is to revert a hash back to its plain-text. I strongly recommend you look at the linked Wikipedia link to learn more.

Now then, the password for your account was hashed with a random salt and 5,000 rounds of client-side PBKDF2-SHA256, and 100,000 rounds of server-side PBKDF2-SHA256. One. Hundred. Thousand. Rounds. Let that sink in. Keep in mind that PBKDF2-SHA256 is purposefully designed to take as much time as possible to even make one attempt at cracking a produced hash.

But hey, let's assume they have this hash and they're actively cracking them one at a time (which is really the only "efficient" way of doing it). The immense power and processing that only the richest of malicious attackers would have would still require a long, long time. We're talking weeks, even months. Even then, cracking your master password with the extreme level of hashing that LastPass puts it through is cost-prohibitively expensive, and you would have to already have been selected as an extremely valuable target for even the dumbest of malicious attackers to consider you as a candidate for hash cracking. Eventually, the bills, the heat, the energy would all rack up like mad (several hundred to several thousand dollars is a conservative ballpark).

But hey let's assume that they did it. It's been several weeks, months, or years later, and several hundred or thousand dollars later, and they finally have your password in clear text. Hurrah for the villain. Oh s**t, everything is screwed, all your CCs, passwords, everything is gone!

**Except even then, if they go through all that time, effort, and computing power, *if you take 5 seconds change your password now*, the result they end up with (at whatever point in the future weeks, months or even years from now) will be absolutely freakin' useless, because they'll excitedly run over to lastpass.com, enter in this cracked password, and find it to be invalid, all because you were smart, calm, level-headed, and you changed your password a long, long time before they got to this point.**

You are here. You've been made aware of it. Knowing about it is the strongest and most effective weapon you have against this, because every single bit of concern there might be in losing any of your data is dealt with by the five seconds it will take you to change this password. You don't even *need* to enable 2 Factor Authentication, but if you have some time to understand it (it's easy!), you absolutely should do that as well.

The people behind LastPass are much, much more intelligent than you or I in the context of cryptography and online security. They know what they are doing. They know the responsibility they uphold. If the idea of an online password manager was easily debunked by a bunch of mainstream users going "What? Store my passwords online? Haha how stupid", then it wouldn't f***ing exist in the first place. Yes, they got hacked. Yes, it was unfortunate. However, their track record has been pretty good up until this point, and the fact that only hashes of a master password (and not a single password or hash or encrypted file) were all that was retrieved, combined with the fact they're taking pretty extreme measures going forward including forcing master password resets for everyone and adding additional IP-based authentication checks for foreign IPs, all tells me that they're taking it seriously enough that this will be less likely going forward.

Yes, there is irony in the fact that an online password manager got hacked. But a server is a server is a server. There are many, many things you can do to keep it safe and still be vulnerable, and LastPass does have to balance convenience and security, and thus far, they've done a decent job, and I have no doubt it's going to be now more skewed towards security and not convenience.

Change your master password, and you're perfectly fine. It just simply is not possible for anyone to have cracked your password in the time between the breach and the announcement. The hardware just doesn't even exist, and even if they had the power of the world's supercomputers, it still wouldn't happen before you change your password.

Don't eat FUD. Don't get your security news from CNet or your local TV station. Make an effort to understand security and you'll realize why so few security professionals are worried about this, and why it's an inconvenience at worst to have to change your master password.
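As an added illustration (not code from this thread or from LastPass), here is the two-stage PBKDF2-SHA256 scheme the reposted comment describes, with its 5,000 client-side and 100,000 server-side rounds, in Python. The salts, the demo password and the exact way the two stages are chained are constructed assumptions; the point it shows is what the breached server-side value is, how expensive each verification of it is, and why a rotated master password leaves that value useless.

```python
import hashlib
import hmac
import os
import time

CLIENT_ROUNDS = 5_000    # client-side rounds quoted in the post
SERVER_ROUNDS = 100_000  # server-side rounds quoted in the post
# Constructed per-user salt for the client stage (the real service's
# salt choice is not described on this page).
CLIENT_SALT = b"constructed-client-salt-for-demo"


def client_hash(master_password: str, client_salt: bytes) -> bytes:
    """Stage 1, run in the browser: the server never sees the password itself."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), client_salt, CLIENT_ROUNDS)


def server_record(client_hashed: bytes, server_salt: bytes) -> bytes:
    """Stage 2, run on the server: the stored verifier, i.e. what a breach exposes."""
    return hashlib.pbkdf2_hmac("sha256", client_hashed, server_salt, SERVER_ROUNDS)


def enroll(master_password: str, server_salt: bytes = b"") -> tuple:
    """Create a (salt, record) pair; a fresh random salt on every password change."""
    server_salt = server_salt or os.urandom(16)
    return server_salt, server_record(client_hash(master_password, CLIENT_SALT), server_salt)


def verify(master_password: str, server_salt: bytes, stored: bytes) -> bool:
    """Login check: recompute both stages and compare in constant time."""
    candidate = server_record(client_hash(master_password, CLIENT_SALT), server_salt)
    return hmac.compare_digest(candidate, stored)


def work_factor_seconds(server_salt: bytes) -> float:
    """Wall-clock cost of one full derivation, i.e. the price of a single guess."""
    start = time.perf_counter()
    verify("jackthedog", server_salt, b"\x00" * 32)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt, record = enroll("jackthedog")  # password string from the post's example
    print("stored verifier:", record.hex())
    print("correct password accepted:", verify("jackthedog", salt, record))
    print("wrong password rejected:", not verify("jackthedog2", salt, record))
    # Rotating the master password yields a new salt and record; the leaked
    # record then matches nothing current, which is the post's central point.
    print("old record useless after rotation:", not verify("jackthedog-rotated", salt, record))
    print("seconds per guess on this machine: %.3f" % work_factor_seconds(salt))
```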


Almost all hacked sites do damage limitation in posting things like ''well they only got this'' and ''we aren't worried''

It made me smile to see ''The people behind LastPass are much, much more intelligent than you or I in the context of cryptography and online security. They know what they are doing'' followed up with ''Yes, they got hacked. Yes, it was unfortunate.''

Somewhere someone slipped up at LastPass no matter how little or how much was taken (we never get the full behind-the-scenes story anyway). You cannot beat a bit of yellow paper stuck to the wall next to your PC :lol:


It's pretty damn embarrassing when a security company whose sole aim is to provide a solution to manage all your passwords finds itself in this position.

It makes no difference what was taken or how useful that info was to the hackers, the fact it happened at all must raise fundamental concerns to all LastPass users.

The level of trust would never be the same and purely on that, you'd have to question why you would continue using their service.


One could say the same about banks (who themselves often do the robbing too..), yet most people still have accounts! :lol:
