Report of leaked LastPass master passwords

RonMexico
Posts: 7
Joined: Thu Feb 04, 2021 1:10 pm

Re: Report of leaked LastPass master passwords

Post by RonMexico »

roamingzebra wrote: Sun Jan 16, 2022 2:02 pm
Gadget wrote: Sun Jan 16, 2022 12:21 pm Lots of good info in this thread, but a lot of misunderstanding too. It might help if people read about the difference between encryption, hashing, and salting. I get the impression many people think that Lastpass, 1Password, etc. are storing all your passwords in plain text in the cloud. That isn't the case.

https://www.comparitech.com/blog/inform ... g-salting/
Some data breaches involve hashed passwords and there are people who have developed software to extract useful information from these breaches -- namely confirming that the owner of one account is the same as that of a different account since both accounts use the same (hashed) password. Law enforcement can make good use of this but thankfully a regular hacker would probably not be able to exploit this data in a meaningful way.

Or am I wrong?
You're wrong. Any software company that is serious about security will "salt" the hashes with random values so that the database of password hashes is not vulnerable to the kind of attack that you describe. "Salting" is combining the password with a random value so that it is impossible for someone with access to the hashes to detect that the same password is used multiple times or belongs to a dictionary. Standard password hashing algorithms like PBKDF2 and Argon2 perform salting and also have other properties that make them resilient to brute force attacks with very powerful computers.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Report of leaked LastPass master passwords

Post by Northern Flicker »

A dictionary attack on a set of password cryptohashes is where an attacker generates a precomputed table of passwords and their cryptohash values. The decryption of a potentially sizable subset of the password cryptohash set can be done by essentially a relational database equijoin operation on the password cryptohash values. Properly implemented, salting makes this type of attack much more difficult, requiring knowledge of how the salts were generated.
wfrobinette
Posts: 1879
Joined: Fri Feb 20, 2015 2:14 pm

Re: Report of leaked LastPass master passwords

Post by wfrobinette »

sycamore wrote: Mon Dec 27, 2021 8:14 pm Those reports seem somewhat dubious as I understand that LastPass doesn't actually keep their users' master passwords.

From https://support.logmeininc.com/lastpass ... d-lp070014:
Please be aware that LastPass Support has no knowledge of a user's master password. It is not possible for LastPass Support to reset or change a user's master password if it is forgotten.
From another source https://kb.wisc.edu/security/page.php?id=103569:
LastPass - Does LastPass Keep a Record of My Master Password?

LastPass (LogMeIn) has no knowledge of your Master Password

No, LastPass has a zero-knowledge security model and does not store its users’ Master Passwords.
One explanation for the reports is that some users had their master password somehow compromised, e.g., it was easy enough to guess, or they reused the password on another site that got hacked, etc.
I think this is the most logical explanation. I use a different provider but the same concept applies. If you forget your master password, you are SOL!
roamingzebra
Posts: 1214
Joined: Thu Apr 22, 2021 3:29 pm

Re: Report of leaked LastPass master passwords

Post by roamingzebra »

Northern Flicker wrote: Mon Jan 17, 2022 12:20 am A dictionary attack on a set of password cryptohashes is where an attacker generates a precomputed table of passwords and their cryptohash values. The decryption of a potentially sizable subset of the password cryptohash set can be done by essentially a relational database equijoin operation on the password cryptohash values. Properly implemented, salting makes this type of attack much more difficult, requiring knowledge of how the salts were generated.
I'm guessing that in layman's terms you're talking about the actual de-hashing of hashed passwords based on comparing breached credentials against large datasets of already known passwords and word lists that have had their hash values calculated? I went back to the podcast where I first learned that LE and other investigators use hashed passwords in their investigations -- both in hashed and de-hashed form. Two points I had missed the first time around:

(1) Salting algorithms are fairly new and will make the exploitation of hashed passwords much harder in the future.

(2) LE and other investigators are often interested in using the hashed or de-hashed passwords associated with online forums to help learn more about their target. For example, if a breached password indicates the target has an account at a Tesla forum, they now know that their target probably drives a Tesla and can use that to their advantage when trying to zero in on the target's movements and activities.

My own suspicion is that it is financial sites that are of most concern to the readers here and probably (hopefully) banks and brokerages are using the latest algorithms (i.e., salting algorithms) and other technologies for storing passwords.

However, other sites are anyone's guess. I still see online forums that use http instead of https. I think it's safe to assume that those site owners may not be using salting algos to store and protect their users' passwords.

And as always, there's what the manual says and what happens in real life. Websites may cut corners, e.g., delay in implementing new technologies, gamble that the new technologies are not worth it, or add some security measures while completely overlooking others, so it's always better not to get too complacent.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Report of leaked LastPass master passwords

Post by squirm »

wfrobinette wrote: Mon Jan 17, 2022 10:23 am
sycamore wrote: Mon Dec 27, 2021 8:14 pm Those reports seem somewhat dubious as I understand that LastPass doesn't actually keep their users' master passwords.

From https://support.logmeininc.com/lastpass ... d-lp070014:
Please be aware that LastPass Support has no knowledge of a user's master password. It is not possible for LastPass Support to reset or change a user's master password if it is forgotten.
From another source https://kb.wisc.edu/security/page.php?id=103569:
LastPass - Does LastPass Keep a Record of My Master Password?

LastPass (LogMeIn) has no knowledge of your Master Password

No, LastPass has a zero-knowledge security model and does not store its users’ Master Passwords.
One explanation for the reports is that some users had their master password somehow compromised, e.g., it was easy enough to guess, or they reused the password on another site that got hacked, etc.
I think this is the most logical explanation. I use a different provider but the same concept applies. If you forget your master password, you are SOL!
IMO, Lastpass has too many ways for master password recovery.
When I change my master password, I type it out in Notepad and make sure that is what I want. Then I open Lastpass and turn on ROTP and log back in. Then I copy and paste the password back into Notepad below the typed one, making sure it's exactly the same. Then I paste it into Lastpass. Then I close Lastpass. Then I log back into Lastpass. Then I delete some characters of the password in the Notepad as I have always done for years. Then I print out two copies of it. Then I place them in the safe keeping spots along with the authenticator keys. Then I tell my wife I changed our password and where it's located and the missing letters. Then, as always, she says "Ok Honey, I trust whatever it is you're doing." Then I log back into Lastpass and lock it back down. Then I restart the computer.

This way, there is no way of forgetting the password and everything is locked down tight.

And I always stay vigilant of phishing schemes. Lately my wife is getting a ton of "your email account has been hacked" type of messages. I manage her email account too and recently changed her password doing something similar.
Last edited by squirm on Mon Jan 17, 2022 1:14 pm, edited 2 times in total.
lazydavid
Posts: 5155
Joined: Wed Apr 06, 2016 1:37 pm

Re: Report of leaked LastPass master passwords

Post by lazydavid »

roamingzebra wrote: Mon Jan 17, 2022 11:49 am
Northern Flicker wrote: Mon Jan 17, 2022 12:20 am A dictionary attack on a set of password cryptohashes is where an attacker generates a precomputed table of passwords and their cryptohash values. The decryption of a potentially sizable subset of the password cryptohash set can be done by essentially a relational database equijoin operation on the password cryptohash values. Properly implemented, salting makes this type of attack much more difficult, requiring knowledge of how the salts were generated.
I'm guessing that in layman's terms you're talking about the actual de-hashing of hashed passwords based on comparing breached credentials against large datasets of already known passwords and word lists that have had their hash values calculated? I went back to the podcast where I first learned that LE and other investigators use hashed passwords in their investigations -- both in hashed and de-hashed form. Two points I had missed the first time around:

(1) Salting algorithms are fairly new and will make the exploitation of hashed passwords much harder in the future.
This could not be further from the truth. Salting actually predates hashing. Please see this whitepaper from 1978. Unix-based systems used to salt passwords that were encrypted using DES, starting with version 7 which was released in 1979--long before they started adopting hashing algorithms like MD4, MD5 and SHA in the 1990s.

What is "newer" are password hashing functions and key derivation functions that require a salt to function, and therefore are impossible to use without salting. But even those aren't what I'd call "relatively new". The most popular and commonly used ones are PBKDF2, bcrypt, and scrypt, all of which are over 20 years old. Argon2 is growing rapidly since becoming a standard in 2015; that's probably the only one that would fall into the "relatively new" category.

Now has every company been salting their passwords for 40+ years? Clearly not. But those that have even the slightest hint of security consciousness have been doing it for well over a decade at this point.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Report of leaked LastPass master passwords

Post by Northern Flicker »

The term "salt" for the added bits to a Unix password indeed goes back to the 1970's. In that case, the purpose was to increase the computation cost/time for a single execution of the encryption algorithm. This increased the running time and CPU resource required for a brute force attack. Unix passwords were up to 8 characters in those days.
dave8228
Posts: 30
Joined: Thu May 28, 2020 8:09 am

Re: Report of leaked LastPass master passwords

Post by dave8228 »

VictorStarr wrote: Mon Dec 27, 2021 7:48 pm Today a number of people reported unauthorized attempts to login to their LastPass accounts using a valid master password (https://news.ycombinator.com/item?id=29705957). This may indicate a potential leak of LastPass passwords. Check your email for messages titled “LastPass Security Notification: Login attempt blocked”.

There is no reason to panic but if you have a LastPass account it is prudent to
- change your LastPass password
- enable 2FA for LastPass using an authenticator app (if you do not have 2FA enabled)
- if you reused your LastPass password, change the passwords of other accounts too
- check IPs of latest logins to LastPass account (reports listed Brazil and Thailand IPs used by attackers)
There is a way to help mitigate the issue of logins from countries other than the one you live in, or visit, etc. https://support.logmeininc.com/lastpass ... s-lp030008

Within your LastPass vault, Account Settings, General tab, Enable Advanced Settings, there's a "Country Restriction" option to only allow logins from selected countries. One could enable login only from countries they will ever be in. It's not perfect given that the "bad guys" could use a VPN to have the traffic originate from a country that they aren't in, but it may help.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Report of leaked LastPass master passwords

Post by Northern Flicker »

roamingzebra wrote: I'm guessing that in layman's terms you're talking about the actual de-hashing of hashed passwords based on comparing breached credentials against large datasets of already known passwords and word lists that have had their hash values calculated?
Yes, but it does not have to be a dataset of already known passwords. It is straightforward to generate a table of passwords and their hash values. The maximum allowable password length needs to be large enough that the size of the table becomes too large for it to be practical to generate a complete table of all of them.

There probably are tables of subsets of password spaces generated using some popular frameworks people use when formulating their passwords.

A successful dictionary attack also assumes that a service you use was already compromised and cryptohashes of passwords were breached. Hopefully, the service provider has controls adequate to detect such an event, and 2FA.

Ultimately, vendors traditionally liked things the way they mostly have been. They want e-commerce of all stripes to be as frictionless as possible to maximize revenue. Challenge-response authentication (also known since the 1970's) solves this problem, but it requires possible purchase of additional hardware and some configuration by a customer before the customer can do business with a service.

What we are seeing now is the frequency and cost of attacks is getting high enough that service providers are finding that some friction for the customer may not reduce revenue as much as the cost of a breach, and more robust solutions are starting to be implemented.
Last edited by Northern Flicker on Mon Jan 17, 2022 5:08 pm, edited 1 time in total.
gavinsiu
Posts: 4538
Joined: Sun Nov 14, 2021 11:42 am

Re: Report of leaked LastPass master passwords

Post by gavinsiu »

Note that several people on this thread appear to have a better knowledge of hashing and salting, so let's hope what I am saying is correct. Note that I am a software engineer but not a security expert.

When you have a password, it should never be stored in plain text. Instead, the password is hashed, where it gets converted one way to what appears to be gibberish. So if you type in a password of password1, it turns into 47djsdf!!#3478 (just an example). This is why a system can't send you your password when you forget it; it generates a temp password. If your system can return your password, be very afraid.

To authenticate, when you log in, your password is hashed and then compared to the hash stored. So when you enter your password of "password1", it turns into 47djsdf!!#3478, which matches and you are in. If the hacker stole your list of passwords, all they are getting is a bunch of hashes.

One of the benefits of hashing is that it is not reversible. Given 47djsdf!!#3478, you cannot reverse it and get password1. What a hacker could do is to generate the hash themselves and compare the hash. The easiest way is to generate the hash of the most common passwords. So a hacker may run through and generate the hash for password1, password, etc. If they can't find it, they can brute force it by trying all combinations. Let's say you can have 95 possible characters. A one-character password would have 95 different combinations. A 2-character would be 95 x 95, a 3-character would be 95 x 95 x 95 combinations. While these seem like large numbers, it is nothing to a computer. However, even computers have limits; the longer the password, the more difficult it is to compute. A 50-character password would be 95 to the power of 50 and probably can't be broken with current computing technology.

It gets worse: a hacker can pre-generate the hashes; they could generate a table with every combination ahead of time. When your password hash is stolen, they will know every password that matches the hash. When you hear that your password has been stolen, it's most likely that the hash got stolen.

To combat pre-computation, enter the salt. A salt is a string of characters that is generated for the user and is unique to the user. Let's say your salt is #78iofsduiowe. This salt is unique to your user. When you set your password, the system will do an append so that your password1 is appended with the salt, password1#78iofsduiowe, and then put through the hash function. What you are essentially doing is making it longer and more difficult to compute a hash for. Note that the salt is going to be stored somewhere with your account and can be stolen. However, the salt does make it difficult for the hacker because each user has a different salt, so the hacker can't precompute the hash table.

What's the take away from this
1. Do not use common passwords.
2. Use really long passwords.

A good password manager, if you pay for the subscription, usually has access to a dictionary of common passwords and can generate long passwords for you. However, you can do this yourself. You can look up if your password is common (there are sites) and you can generate the password somehow as long as you make it long.
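The mechanics that RonMexico, Northern Flicker and gavinsiu describe above, as an added worked example (this is not code from any post in the thread): an unsalted SHA-1 store attacked with a precomputed table and the "equijoin" lookup, plus the duplicate-password detection that works only without salts, beside a per-user salted PBKDF2-HMAC-SHA256 store where neither attack gets anywhere. The user table and wordlist are constructed for the example; the iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256, and the 95-symbol keyspace function is the arithmetic from the post.

```python
import hashlib
import hmac
import math
import os

# Constructed sample data for the example: a tiny "breached" user table and a
# short attacker wordlist. None of this is real breach data.
USERS = {
    "alice": "password1",
    "bob": "password1",      # bob reused alice's password
    "carol": "Tr0ub4dor&3",  # not in the attacker's wordlist
}
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein"]

# OWASP (2023) recommends 600,000 iterations for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the unsalted scheme discussed in the thread."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputed_table(wordlist):
    """Attacker-side lookup table, hash -> plaintext, computed once and reused
    against every breach that used the same unsalted function."""
    return {unsalted_sha1(p): p for p in wordlist}


def crack_unsalted(stored, table):
    """The 'equijoin': every stored hash that also appears in the table is cracked."""
    return {user: table[h] for user, h in stored.items() if h in table}


def duplicate_password_users(stored):
    """Groups of users whose stored digests are identical, i.e. who share a password.
    With per-user salts no two digests collide, so this finds nothing."""
    by_digest = {}
    for user, digest in stored.items():
        by_digest.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in by_digest.values() if len(users) > 1)


def hash_salted(password: str, salt=None):
    """Salted, iterated hash: returns (salt, digest). A fresh random 16-byte salt
    is generated per password; the salt is stored next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def keyspace_bits(length: int, alphabet_size: int = 95) -> float:
    """log2 of the number of passwords of the given length over a 95-symbol
    printable-ASCII alphabet, i.e. the brute-force cost expressed as bits of work."""
    return length * math.log2(alphabet_size)


def demo():
    """Run both schemes over the sample users; returns what the attacker learns."""
    stored_unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    table = precomputed_table(COMMON_PASSWORDS)
    cracked = crack_unsalted(stored_unsalted, table)
    unsalted_dupes = duplicate_password_users(stored_unsalted)

    stored_salted = {u: hash_salted(p) for u, p in USERS.items()}
    salted_dupes = duplicate_password_users({u: d for u, (_, d) in stored_salted.items()})
    return cracked, unsalted_dupes, salted_dupes


if __name__ == "__main__":
    cracked, unsalted_dupes, salted_dupes = demo()
    print("unsalted SHA-1, cracked via lookup table:", cracked)
    print("unsalted SHA-1, users sharing a password:", unsalted_dupes)
    print("salted PBKDF2, users sharing a password:", salted_dupes)
    print(f"8-char printable ASCII keyspace: {keyspace_bits(8):.1f} bits")
```

Carol survives both runs only because her password is not in the wordlist; the salt does nothing for a password the attacker is willing to guess per user, it only stops the precomputed table and the cross-user comparison. The slow, iterated function is what raises the per-guess cost.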
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Report of leaked LastPass master passwords

Post by squirm »

Couldn't they use a simple pepper that's kept outside the database, in some config file. So if the database is stolen, hopefully the pepper value wasn't.
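What squirm suggests, as an added example (not code from the thread): a site-wide secret "pepper" held outside the database is applied with HMAC before the slow salted hash, so an attacker who only has the database rows cannot run a wordlist against them, while an attacker who also obtained the pepper is back to guessing per user. The pepper bytes and the wordlist are constructed for the example; in production the pepper comes from a config file, secrets manager or HSM and is never stored with the salts and digests.

```python
import hashlib
import hmac
import os

# Constructed pepper for the example. A real pepper is a random secret (32 bytes
# is plenty) read at startup from a config file, secrets manager or HSM, and is
# never written to the same database as the salts and digests.
PEPPER = bytes.fromhex("9f1c6b2e4d7a0c3b5e8f2a1d6c4b7e9a0f3d5c8b2a4e6d1f7c9b3a5e8d2f4c6b")
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor


def hash_with_pepper(password: str, pepper: bytes, salt=None, iterations=ITERATIONS):
    """Per-user random salt (stored in the DB) plus a site-wide secret pepper (not).
    The pepper is the HMAC key over the password before the slow hash, so the
    stored digest depends on a value the database does not contain."""
    if salt is None:
        salt = os.urandom(16)
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return salt, digest


def verify_with_pepper(password, pepper, salt, digest, iterations=ITERATIONS) -> bool:
    """Recompute with the stored salt and the live pepper; constant-time compare."""
    _, candidate = hash_with_pepper(password, pepper, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def offline_guess(salt, digest, wordlist, pepper=None, iterations=ITERATIONS):
    """Attacker who holds the database row (salt + digest) tries a wordlist.
    Without the pepper the best they can do is PBKDF2(password, salt), which
    never matches; with the pepper a weak password falls on the first pass."""
    for candidate in wordlist:
        if pepper is None:
            guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
        else:
            _, guess = hash_with_pepper(candidate, pepper, salt, iterations)
        if hmac.compare_digest(guess, digest):
            return candidate
    return None


if __name__ == "__main__":
    wordlist = ["123456", "password", "password1", "qwerty"]   # constructed
    salt, digest = hash_with_pepper("password1", PEPPER)       # weak on purpose
    print("DB only:     ", offline_guess(salt, digest, wordlist))
    print("DB + pepper: ", offline_guess(salt, digest, wordlist, PEPPER))
```

The caveat squirm's "hopefully" hints at: the pepper has to be present on every host that verifies logins, so a compromise that reads application config (or memory) rather than just the database takes it too, and rotating it means re-hashing every user at their next login.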
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Report of leaked LastPass master passwords

Post by Gadget »

RonMexico wrote: Sun Jan 16, 2022 10:16 pm
roamingzebra wrote: Sun Jan 16, 2022 2:02 pm
Gadget wrote: Sun Jan 16, 2022 12:21 pm Lots of good info in this thread, but a lot of misunderstanding too. It might help if people read about the difference between encryption, hashing, and salting. I get the impression many people think that Lastpass, 1Password, etc. are storing all your passwords in plain text in the cloud. That isn't the case.

https://www.comparitech.com/blog/inform ... g-salting/
Some data breaches involve hashed passwords and there are people who have developed software to extract useful information from these breaches -- namely confirming that the owner of one account is the same as that of a different account since both accounts use the same (hashed) password. Law enforcement can make good use of this but thankfully a regular hacker would probably not be able to exploit this data in a meaningful way.

Or am I wrong?
You're wrong. Any software company that is serious about security will "salt" the hashes with random values so that the database of password hashes is not vulnerable to the kind of attack that you describe. "Salting" is combining the password with a random value so that it is impossible for someone with access to the hashes to detect that the same password is used multiple times or belongs to a dictionary. Standard password hashing algorithms like PBKDF2 and Argon2 perform salting and also have other properties that make them resilient to brute force attacks with very powerful computers.
RonMexico is correct.

Take 1Password for instance. Let's say that for some reason, you and I shared all the same password info for every site. Our master password was also identical. Without salting, all our hashed database information saved in the cloud would be identical. The attacker would know that we're using the same password, and finding one match leaked from any login would break our passwords. However, since 1Password uses a 128 bit salt (called your secret key) in conjunction with your master password, all our database entries are completely different hashed values.

I'm not aware of any way an attacker could get meaningful info from the 1Password database saved in the cloud for each user due to the secret key salting. So the 1Password server is hacked and all database info is gone. They'd probably recommend to change your master password anyway, but I'm not sure how your actual passwords could be compromised without a working quantum computer or some nation state level brute force method.
roamingzebra
Posts: 1214
Joined: Thu Apr 22, 2021 3:29 pm

Re: Report of leaked LastPass master passwords

Post by roamingzebra »

gavinsiu wrote: Mon Jan 17, 2022 2:23 pm One of the benefits of hashing is that it is not reversible. Given 47djsdf!!#3478, you cannot reverse it and get password1. What a hacker could do is to generate the hash themselves and compare the hash. The easiest way is to generate the hash of the most common passwords. So a hacker may run through and generate the hash for password1, password, etc. If they can't find it, they can brute force it by trying all combinations. Let's say you can have 95 possible characters. A one-character password would have 95 different combinations. A 2-character would be 95 x 95, a 3-character would be 95 x 95 x 95 combinations. While these seem like large numbers, it is nothing to a computer. However, even computers have limits; the longer the password, the more difficult it is to compute. A 50-character password would be 95 to the power of 50 and probably can't be broken with current computing technology.

It gets worse: a hacker can pre-generate the hashes; they could generate a table with every combination ahead of time. When your password hash is stolen, they will know every password that matches the hash. When you hear that your password has been stolen, it's most likely that the hash got stolen.
One of the other interesting things I learned from the podcast is that the computational power to do the types of stuff you're describing is "crowd-sourced" by various hacker groups. They collectively combine word lists, password lists, hashed passwords and heavy-duty CPUs with the end result being databases of "de-hashed" passwords and "pre-computed" hashed passwords (did I get that right? lol) distributed over the dark web and elsewhere.

Another tidbit ... and I think I got this right (all errors my own) ... is the LinkedIn breach that occurred in 2011 (?) had all passwords revealed even though they were stored as SHA-1, a type of hash. (I tend to disbelieve that ALL passwords were revealed, but let's assume that is correct.) Whether 100% or not, this seems to have been a successful breach, and to my amateur mind the probability that the hashed passwords were salted was slim. I say this because while salting may be an old technology, my understanding is that salted hashes were not used frequently or widely enough to be a huge barrier to hackers back then. I only bring up the example of LinkedIn because I find it helpful for us non-technical types to have real-world examples to help understand this arcane stuff. :)
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Report of leaked LastPass master passwords

Post by Northern Flicker »

Don't assume that all providers store passwords as 1-way hash values. In particular, answers to so-called security questions often are not.

There are more subtleties to salting. The original Unix salt was a fixed constant for all passwords. You could incorporate whatever salt you wanted in a Unix build, but I'm not aware of the salt being parametrized at runtime.

But if a salt is unique per user or even unique per instance of the authentication software component, then the salt becomes private data, which opens up a can of worms. Some key value or seed value has to be protected and access to it monitored so you know if it were potentially compromised. One implementation would be to encapsulate an authentication server on standalone hardware and monitor TCP/IP and login logs.
roamingzebra wrote: Another tidbit ... and I think I got this right (all errors my own) ... is the LinkedIn breach that occurred in 2011 (?) had all passwords revealed even though they were stored as SHA-1, a type of hash. (I tend to disbelieve that ALL passwords were revealed, but let's assume that is correct.) Whether 100% or not, this seems to have been a successful breach, and to my amateur mind the probability that the hashed passwords were salted was slim.
If my memory serves, I don't think LinkedIn was storing passwords as 1-way hashes at that time, but rather as an encrypted file of cleartext passwords, but I'm not certain. 1-way hash algorithms that do not use some form of salting are fairly uncommon, since that was how encrypted passwords originally were implemented for Unix. The first version of Unix stored passwords as cleartext in a file or area only accessible by root, which was at one time considered an acceptable implementation technique for an operating system. I worked with one system that only had a password for the admin account stored on a hard disk outside the file system.
gavinsiu wrote: One of the benefits of hashing is that it is not reversible. Given 47djsdf!!#3478, you cannot reverse it and get password1. What a hacker could do is to generate the hash themselves and compare the hash.
There are other techniques that can be used such as differential cryptanalysis. If 6 random English words are concatenated, and the first 2 were cracked by an analytical method, the remaining 4 might be cracked with a dictionary attack.
Last edited by Northern Flicker on Mon Jan 17, 2022 6:04 pm, edited 1 time in total.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Report of leaked LastPass master passwords

Post by Northern Flicker »

I should add that differential cryptanalysis is generally used to try to decrypt an encrypted but unknown message, not to recover a key from an encrypted constant. With a 1-way hash of a salted constant, it would be used to try to find the salt, not a part of the key, as I suggested above.
roamingzebra
Posts: 1214
Joined: Thu Apr 22, 2021 3:29 pm

Re: Report of leaked LastPass master passwords

Post by roamingzebra »

Northern Flicker wrote: Mon Jan 17, 2022 5:08 pm If my memory serves, I don't think LinkedIn was storing passwords as 1-way hashes at that time, but rather as an encrypted file of cleartext passwords, but I'm not certain. 1-way hash algorithms that do not use some form of salting are fairly uncommon, since that was how encrypted passwords originally were implemented for Unix.

By all accounts, the data was hashed via SHA-1 and unsalted, but it took a while to find an actual technical paper analyzing the breach. Note that it's a pdf file.

Here's the introductory material:
Like most web services, LinkedIn hashed its passwords. The company passed user information through a SHA-1 hash function.[6] The original breach, speculated to be through a SQL injection attack, occurred on June 5th 2012, and was reported by a number of news agencies. LinkedIn confirmed the breach the following day. [17] It was first thought that the breach exposed around 6.5 million passwords. However, in 2016, the full dump of the hack was posted, exposing the accounts of over 117 million users, whose information had been compromised but not made public. [5] The severity of the breach was compounded by improper use of cryptographic hash functions to conceal the password plaintext.

Password hashing works by taking a password input of variable length, and providing a fixed-length output that seems like a random string. SHA-1, the specific hash function used by LinkedIn, was published in the 1990s. SHA-1 can encode an up to 2^64-bit input into a 160-bit message digest.[4] However, LinkedIn's implementation of SHA-1 failed to include salts – random numbers unique to every user – instead simply storing hashed passwords directly to the server.[8]
LinkedIn did say after the breach that they would start using salting. But as the NY Times points out, companies like LinkedIn suffer few consequences for lax security because there are no legal penalties; customers rarely defect; and in LinkedIn’s case, its stock price actually rose in the days after the breach.
Second Round
Posts: 240
Joined: Thu Sep 30, 2021 8:16 am

Re: Report of leaked LastPass master passwords

Post by Second Round »

VictoriaF wrote: Sat Jan 15, 2022 3:10 pm
Second Round wrote: Tue Dec 28, 2021 11:48 am FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
Can you be sure that Diceware itself does not track you? If it did, and you used its suggested words or their combinations, your Master Password would be dead on arrival.

Victoria
As said by others upthread, Diceware is an offline, air-gapped, manual, paper/pen/dice process. It can't track you any more than a non-electronic version of Yahtzee (dice, cup, paper, pencil) can. It's not a program on a phone or computer. You literally roll dice and record the numbers that come up, then look up strings of those numbers (e.g., 5 digits) in a Diceware dictionary, and write down / record the words that correspond to those numbers. String several of those words together and you have a very secure passphrase, at least secure from brute forcing. Something else becomes the weakest link, like your home's door locks, alarm system, where you keep your keys, etc.
HawkeyePierce
Posts: 2351
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Report of leaked LastPass master passwords

Post by HawkeyePierce »

gavinsiu wrote: Sun Jan 16, 2022 5:39 pm My employer forbids us to access public wifi without a vpn, so I am sort of train not to do it.
Fortunately VPNs are finally starting to go away in favor of zero-trust networks. My employer (high-profile tech company) is actively moving internal services off the VPN.

A VPN is a kludge, too many companies use it to avoid building proper internal security controls and service-to-service auth/encryption. If your internal traffic is encrypted using HTTPS or mutual-TLS, and internal services all require their own auth (eg Okta), a VPN is unnecessary. Our Okta configuration requires a Yubikey to get into anything.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Report of leaked LastPass master passwords

Post by Mudpuppy »

VictoriaF wrote: Sat Jan 15, 2022 3:10 pm
Second Round wrote: Tue Dec 28, 2021 11:48 am FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
Can you be sure that Diceware itself does not track you? If it did, and you used its suggested words or their combinations, your Master Password would be dead on arrival.

Victoria
You can always go old-school Diceware, with actual dice instead of using a website. Take the wordlists on Diceware's website, or even find other wordlists intended for physical dice. Roll a set of physical dice (how many dice depends on the wordlist). Select the indicated word out of the wordlist based on your dice rolls. Repeat for however many words you want in your passphrase.

Original Diceware website explaining the approach with physical dice: https://theworld.com/~reinhold/diceware.html
EFF blog also explaining the approach and providing some new wordlists: https://www.eff.org/deeplinks/2016/07/n ... assphrases
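The lookup step that Second Round and Mudpuppy describe, as an added example (not code from the thread or from the Diceware or EFF pages): five rolls become the wordlist key, the same rolls read as base-6 give an array index, and the entropy arithmetic shows why six words from a 7776-entry list is about 77 bits while 128 bits needs ten. The wordlist fragment here is constructed for the example, not the real list; the `roll_five` helper is a software stand-in for dice and gives up the air gap the posts recommend.

```python
import math
import secrets

# Constructed fragment of a five-dice wordlist, keyed by the five rolls as a
# string. The real lists (Diceware, EFF large) have 6**5 = 7776 entries.
SAMPLE_WORDLIST = {
    "11111": "abacus",
    "11112": "abdomen",
    "23456": "crane",
    "34561": "glove",
    "45612": "mantis",
    "56123": "quartz",
    "66666": "zoom",
}
LIST_SIZE = 6 ** 5  # 7776 words for five dice


def rolls_to_key(rolls) -> str:
    """Five rolls such as [2, 3, 4, 5, 6] become the lookup key "23456"."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each 1..6")
    return "".join(str(r) for r in rolls)


def rolls_to_index(rolls) -> int:
    """Same rolls read as a base-6 number, 0..7775, for lists stored as arrays."""
    key = rolls_to_key(rolls)
    return sum((int(c) - 1) * 6 ** i for i, c in enumerate(reversed(key)))


def passphrase_entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of n uniformly chosen words: n * log2(list size). Holds only if
    the rolls are honest and you keep every word the dice gave you."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = LIST_SIZE) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def roll_five() -> list:
    """Software stand-in for physical dice, using the OS CSPRNG. Physical dice
    and paper are the air-gapped option the thread describes; use this only on
    a machine you trust."""
    return [secrets.randbelow(6) + 1 for _ in range(5)]


def build_passphrase(roll_sets, wordlist=SAMPLE_WORDLIST, sep=" ") -> str:
    """Look up each set of five rolls; raise if the fragment lacks that key."""
    words = []
    for rolls in roll_sets:
        key = rolls_to_key(rolls)
        if key not in wordlist:
            raise KeyError(f"{key} not in wordlist fragment")
        words.append(wordlist[key])
    return sep.join(words)


if __name__ == "__main__":
    rolls = [[2, 3, 4, 5, 6], [3, 4, 5, 6, 1], [4, 5, 6, 1, 2], [5, 6, 1, 2, 3]]
    print(build_passphrase(rolls))
    print(f"6 words: {passphrase_entropy_bits(6):.1f} bits; "
          f"128 bits needs {words_needed(128)} words")
```

The entropy figure assumes you do not re-roll words you dislike; picking favourites from several rolls reduces the passphrase to whatever your preference was, not to what the dice chose.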
yoyo6713
Posts: 154
Joined: Thu May 10, 2018 8:48 pm

Re: Report of leaked LastPass master passwords

Post by yoyo6713 »

How do people here let the heir know how to gain access with master passphrase not stored anywhere? write on a piece of paper and stick it to the computer monitor? :twisted:
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Report of leaked LastPass master passwords

Post by Mudpuppy »

yoyo6713 wrote: Sun Jan 23, 2022 4:48 pm How do people here let the heir know how to gain access with master passphrase not stored anywhere? Write on a piece of paper and stick it to the computer monitor? :twisted:
The executor of the estate can gain access to the accounts through other means after your death. There is no need for them to have your passwords. It may be common for people to share passwords, but it is not necessary to settle an estate.
Doom&Gloom
Posts: 5417
Joined: Thu May 08, 2014 3:36 pm

Re: Report of leaked LastPass master passwords

Post by Doom&Gloom »

yoyo6713 wrote: Sun Jan 23, 2022 4:48 pm How do people here let the heir know how to gain access with master passphrase not stored anywhere? Write on a piece of paper and stick it to the computer monitor? :twisted:
My master passphrase (for KeePass) for my database with most passwords is with my "death book" instructions. Not likely to be compromised, but not the end of the world if it is.

My master passphrase (also KeePass) for my database with my retirement account (bulk of my financial assets) passwords is not written anywhere. It dies with me or my cognitive functioning. Somebody will sort it out when necessary.
SnowBog
Posts: 4699
Joined: Fri Dec 21, 2018 10:21 pm

Re: Report of leaked LastPass master passwords

Post by SnowBog »

yoyo6713 wrote: Sun Jan 23, 2022 4:48 pm How do people here let the heir know how to gain access with master passphrase not stored anywhere? Write on a piece of paper and stick it to the computer monitor? :twisted:
One of my favorite features of LastPass "family" plan is the ability to "share" accounts with others, including giving the ability to let someone get "emergency access" to your accounts/passwords.

For this latter part, my spouse is designated as having the ability to request "emergency access". If I recall, I set it up so that if I have not denied that request within 48 hours - they'll be granted access. This way, if I'm incapacitated (or dead), they can gain access within roughly 48 hours of requesting. https://blog.lastpass.com/2016/01/how-t ... ncy-access To be blunt, it's the only reason I still pay for LastPass - as the built-in password manager in Edge and the Authenticator app manage the "day-to-day" needs.

Long-term, and especially if I'm dead, they should be requesting access to the underlying accounts, not using my password(s). But I'd rather err on the side of ensuring they have access while they work through the longer-term process(es).
leland
Posts: 267
Joined: Sun Sep 12, 2021 5:21 pm
Location: PNW

Re: Report of leaked LastPass master passwords

Post by leland »

Bitwarden has roughly the same emergency access feature: https://bitwarden.com/help/emergency-ac ... %20Premium.

Premium is $10/yr. Export from LastPass is easy. I migrated in ~10 minutes. I made the move from LP after the last price hike / service nerfing. UX is not as clean, but I prefer the service and appreciate Windows Hello login on my PC. Haven't set up Bitwarden to pass TOTP yet, but think that's soon to come. I also haven't set up an emergency access contact, definitely on the to-do list.
Dottie57
Posts: 12379
Joined: Thu May 19, 2016 5:43 pm
Location: Earth Northern Hemisphere

Re: Report of leaked LastPass master passwords

Post by Dottie57 »

mptfan wrote: Mon Dec 27, 2021 8:12 pm LastPass was bought by LogmeIn in 2015, then LogmeIn was bought by a private equity company. Interpret that how you wish.
I wish more financial sites used a physical key.
SnowBog
Posts: 4699
Joined: Fri Dec 21, 2018 10:21 pm

Re: Report of leaked LastPass master passwords

Post by SnowBog »

mptfan wrote: Mon Dec 27, 2021 8:12 pm LastPass was bought by LogmeIn in 2015, then LogmeIn was bought by a private equity company. Interpret that how you wish.
I'm curious... How do you interpret it?

RSA, one of the "leaders" (or at least used to be) in identity protection for corporations, is owned by a private equity group.

I believe Fidelity is privately owned.

Is there something inherently wrong with companies that aren't traded on the open market?