
LastPass hacked again

Passwords you can remember are bad passwords. ;) Randomly generated passwords, minimum. I use 14 characters, upper & lower case + special characters.

That's the good thing about a password manager. You only have to remember your master password & can generate super secure passwords you don't have to remember for logins.
Nonsense, any database anywhere can get hacked, and then most often your super random 14-digit spree of weird characters is in anyone's hands, linked to either an account, an email address or more.

The only real protection is 2FA. Making passwords difficult is just annoying for yourself. I literally have used the same-ish set of 2 (!) passwords followed by a duo of numbers or other characters, one for 8-position and one for longer password requirements, and have done so for a whopping 24 years of internet life. Work and personal.

The ONLY hack I encountered in my life was on my Ubisoft account, and only because I hadn't activated 2FA! That's when I emailed said company and asked them to lock it. Done in 2 days.

And that is even with both my favorite words being heavily traded online. I was part of multiple hacks; DDO server, MySpace leak, etc etc. HaveIbeenpwned loves my email address; again the very same I've had since going online.

People worry too much ;)
 
The only time I tell people girth doesn't matter is when it comes to passwords where length is king, particularly if it's easy to remember.
 
Geez, what's all the fuss about? :rolleyes: Didn't you read the article?
Indeed I'm always impressed by people's inability to read

+1 for bitwarden (and lastpass)
 
Even if they got the vaults they are encrypted, cracking them would take years.
Yep. And back in the day people used to say that MD5 was the last encryption you'll ever need. Until rainbow tables happened...
And bruteforce attacks were also "theoretical and impractical" until GPGPU and cheap cloud compute (AWS) happened.
W1zz, it's more about reading between the lines. We don't know what exactly was accessed beyond a vague "development server". Maybe it'll be a little piece of code that may or may not help develop a collision attack on their specific implementation of PBKDF2-SHA256, or it may be something that may give hackers an ability to turn all LastPass users into a big-ass botnet. Having access to "hashes" is the last thing to worry about, 'cause there are other ways to collect those.
 
say that MD5 was the last encryption you'll ever need
MD5 is not encryption, never was. I get what you're saying though; security research and its claims have developed a lot since 1991 (!)

on their specific implementation of PBKDF2-SHA256
It's open source
 
And SHA-256 works great. Until quantum computing advances to anywhere near classical.

Really though, we don't know what they stole. It could have been one critical link in the chain of encryption - or completely useless. If it is critical, we can just hope that LastPass devs patch it out before the hackers develop an exploit based on it. I reckon that that is pretty likely, and we really don't have too much to worry about.
 
Nonsense, any database anywhere can get hacked, and then most often your super random 14-digit spree of weird characters is in anyone's hands, linked to either an account, an email address or more.

Well sure, if the hacked party was daft enough to store a database of plains. A hash of 14 truly random characters is pretty strong against common attacks.
 
Nonsense, any database anywhere can get hacked, and then most often your super random 14-digit spree of weird characters is in anyone's hands, linked to either an account, an email address or more.
That's only partially true.

The hash of the password will be in their hands. And on an ultra special passphrase like that, you aren't deriving squat from the hash.
 
I think it was just a few years ago when the media said that LastPass got hacked, and now again millions of passwords got stolen.

read at forbes.com

I use another password manager (paid version) but I recommended LP to my girlfriend who doesn't want to pay for it. After reading the news today I tried to set up the 2-step authentication for LP for her, but this is not a free feature. Kind of annoying. Why can a security feature even be a paid option?!

Now the Saturday task will be to change all her passwords and maybe even switch to an alternative manager.
What do you guys think about Google Chrome Password manager?

I'm confused, you are worried about security but you are handing over your credentials to a third party.
 
That's only partially true.

The hash of the password will be in their hands. And on an ultra special passphrase like that, you aren't deriving squat from the hash.
That is usually true, but I was thinking about it and realized that LastPass syncs across devices. They may be encrypted but they could not do that if it was just the hash. Unless they are acting as a P2P service, establishing a direct link between your devices.
 
It's a bit of a non-story. Because of the way LastPass works, no hacker can ever crack an individual user account, and there's no way around it. Ever. People are complaining about nothing.
 
I have just moved my 2FA to Aegis from Authy (online storage owned by the same company), although I haven't yet deleted the data from Authy.
 
There's a blob storage of encrypted data on their servers, you just sync the encrypted blob, which gets decrypted on your device only, using whatever you provide as passphrase. Wrong passphrase, the decryption result is just gibberish.
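An added example, not LastPass's code or vault format and not posted by anyone in this thread, that models what the replies above describe: PBKDF2-SHA256 (the KDF named earlier in the thread) stretches the master passphrase into a key, the synced blob is useless without that key, a wrong passphrase fails to open it, and the iteration count multiplies the cost of every guess against a random 14-character password. The toy HMAC-counter cipher, the field names and the 600,000 iteration count are assumptions for illustration only.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed toy "vault": key derived from the master passphrase with PBKDF2-SHA256,
# sealed with an HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag.
# Illustrative only; this is NOT LastPass's actual format or parameters.
ITERATIONS = 600_000  # assumption: a modern PBKDF2 work factor, not LastPass's setting

def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the passphrase into 64 bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=64)

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream block i = HMAC-SHA256(enc_key, nonce || i); truncated to length."""
    out = bytearray()
    for counter in range(-(-length // 32)):  # ceil(length / 32) blocks
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def seal_vault(passphrase: str, plaintext: bytes) -> dict:
    """Produce the blob that would be synced; the server never sees the key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key[:32], nonce, len(plaintext))))
    tag = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(passphrase: str, blob: dict) -> Optional[bytes]:
    """Return the plaintext, or None when the passphrase (hence the key) is wrong."""
    key = derive_key(passphrase, blob["salt"])
    expected = hmac.new(key[32:], blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong key: without this check the XOR would yield gibberish
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key[:32], blob["nonce"], len(blob["ct"]))))

def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years for an attacker who must run the KDF once per guess."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    blob = seal_vault("correct horse battery", b"site=example.test user=alice")  # constructed
    print(open_vault("correct horse battery", blob))
    print(open_vault("wrong passphrase", blob))
    print(f"{years_to_exhaust(94, 14, 1e6):.3g} years for 14 random printable chars")
```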
 