Report of leaked LastPass master passwords
- VictorStarr
- Posts: 746
- Joined: Sat Jan 04, 2020 9:13 pm
- Location: Washington
Report of leaked LastPass master passwords
Today a number of people reported unauthorized attempts to log in to their LastPass accounts using a valid master password (https://news.ycombinator.com/item?id=29705957). This may indicate a potential leak of LastPass passwords. Check your email for messages titled “LastPass Security Notification: Login attempt blocked”.
There is no reason to panic, but if you have a LastPass account it is prudent to
- change your LastPass password
- enable 2FA for LastPass using an authenticator app (if you do not have 2FA enabled)
- if you reused your LastPass password, change the passwords of other accounts too
- check the IPs of the latest logins to your LastPass account (reports listed Brazil and Thailand IPs used by attackers)
-
- Posts: 683
- Joined: Fri Jan 29, 2021 6:44 pm
- Location: Minnesota
Re: Report of leaked LastPass master passwords
Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?
If anything, it's a detriment to online security because any hacker can access every account you have.
- VictorStarr
- Posts: 746
- Joined: Sat Jan 04, 2020 9:13 pm
- Location: Washington
Re: Report of leaked LastPass master passwords
brian91480 wrote: ↑Mon Dec 27, 2021 7:55 pm
Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?
If anything, it's a detriment to online security because any hacker can access every account you have.
2FA (especially with a hardware key) limits the impact of leaked passwords.
Re: Report of leaked LastPass master passwords
LastPass was bought by LogmeIn in 2015, then LogmeIn was bought by a private equity company. Interpret that how you wish.
Re: Report of leaked LastPass master passwords
Those reports seem somewhat dubious as I understand that LastPass doesn't actually keep their users' master passwords.
From https://support.logmeininc.com/lastpass ... d-lp070014:
LastPass - Does LastPass Keep a Record of My Master Password?
LastPass (LogMeIn) has no knowledge of your Master Password
No, LastPass has a zero-knowledge security model and does not store its users’ Master Passwords.
From another source https://kb.wisc.edu/security/page.php?id=103569:
Please be aware that LastPass Support has no knowledge of a user's master password. It is not possible for LastPass Support to reset or change a user's master password if it is forgotten.
One explanation for the reports is that some users had their master password somehow compromised, e.g., it was easy enough to guess, or they reused the password on another site that got hacked, etc.
- VictorStarr
- Posts: 746
- Joined: Sat Jan 04, 2020 9:13 pm
- Location: Washington
Re: Report of leaked LastPass master passwords
One of the theories is that it is a spillover from an old vulnerability of the LastPass browser extension:
https://news.ycombinator.com/item?id=12171547
-
- Posts: 1516
- Joined: Thu Feb 04, 2021 10:52 am
Re: Report of leaked LastPass master passwords
brian91480 wrote: ↑Mon Dec 27, 2021 7:55 pm
Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?
If anything, it's a detriment to online security because any hacker can access every account you have.
I can’t get my head around it either.
-
- Posts: 346
- Joined: Mon Sep 24, 2018 7:35 am
Re: Report of leaked LastPass master passwords
Thanks for this. Hopefully people would be smart enough to never use their master password as a password at another website. In any case, I went ahead and updated my master password. In addition, realized I had been slacking on 2FA and didn't realize how extensive LastPass' support for authenticators was. Was able to add my Microsoft 2FA so it's even stronger.
Very helpful post.
-
- Posts: 1039
- Joined: Tue Aug 04, 2020 2:13 pm
Re: Report of leaked LastPass master passwords
Time for hardware encrypted biometrics.
Re: Report of leaked LastPass master passwords
I think physical security keys that use the FIDO U2F protocol (e.g. Yubikeys) are effectively just as secure.
-
- Posts: 346
- Joined: Mon Sep 24, 2018 7:35 am
Re: Report of leaked LastPass master passwords
If I had to think about this more, I am sure there are data breaches where hackers could quickly find duplicate e-mail addresses used on multiple sites, and see if they used the same password across multiple. Then you may guess there are better odds they did this for LastPass, and they give it a try. Good lesson to not use the same password for sites.
-
- Posts: 1039
- Joined: Tue Aug 04, 2020 2:13 pm
Re: Report of leaked LastPass master passwords
It depends on the type, but that said, the average consumer is well served by something they can easily use like faceID, with secure storage of the second factor. Nothing is perfect though. I have been impressed by the Smartcard industry and their more disciplined management of standards and secure access to payment information (was a Smartcard Alliance contributor, now the Secure Technology Alliance). I do like hardware based security factors. Much less so by 'App' companies reliant on websites and software only solutions.
Re: Report of leaked LastPass master passwords
VictorStarr wrote: ↑Mon Dec 27, 2021 8:03 pm
brian91480 wrote: ↑Mon Dec 27, 2021 7:55 pm
Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?
If anything, it's a detriment to online security because any hacker can access every account you have.
2FA (especially with a hardware key) limits the impact of leaked passwords.
I suspect "1FA" (2FA with no password at all) might be the eventual end result.
Remember that the most popular "password manager" is the browser's remember password feature, which in its default configuration stores the password locally using reversible encryption with no master password at all, and also leaks the password to Google/Apple/Microsoft/Mozilla servers if the user is using a syncing feature. So arguably browsers, making the "do you want to remember this password" increasingly aggressive over time, and removing the autocomplete=off opt-out feature that previously existed, are just an elaborate phishing attack making passwords increasingly pointless as a guarantee of anything about the person sitting in front of the keyboard.
-
- Posts: 240
- Joined: Thu Sep 30, 2021 8:16 am
Re: Report of leaked LastPass master passwords
Biometrics have always struck me as being like a password you can never change ... or, alternatively, an irretrievable one in some cases of aging, disfigurement, etc. And we leave our fingerprints everywhere, and images of our face are very easy to obtain. For 2FA, nothing is perfect, but I'm likely to purchase some hardware keys soon.
Also, I never understood why anyone with sense enough to use a password manager would want it to reside in the cloud or accessible through browser. Obviously online access is a form of convenience when using multiple devices to interface with the same account, but I would think people would realize cloud is just someone else's computer, and someone can be working on picking that lock without you even knowing it. It seemed to me an unnecessary risk - there have been SO many breaches, so many false assurances of tight security, etc. I just use KeePass, offline.
-
- Posts: 2500
- Joined: Tue Aug 16, 2011 12:39 pm
Re: Report of leaked LastPass master passwords
Who didn't see this coming a mile away...
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Report of leaked LastPass master passwords
I recommend securing your password manager (regardless of whichever one you use) with a security key (e.g., a Yubikey).
Best practice is to purchase a back-up key, in case your primary key becomes lost/stolen/damaged/etc.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Report of leaked LastPass master passwords
A security key (something you have) combined with a PIN* (something you know) is very secure.
* Or, optionally, combined with a fingerprint (something you are). However, I do have some misgivings about bio-metrics...
Re: Report of leaked LastPass master passwords
Second Round wrote: ↑Mon Dec 27, 2021 8:58 pm
Also, I never understood why anyone with sense enough to use a password manager would want it to reside in the cloud or accessible through browser. Obviously online access is a form of convenience when using multiple devices to interface with the same account, but I would think people would realize cloud is just someone else's computer, and someone can be working on picking that lock without you even knowing it. It seemed to me an unnecessary risk - there have been SO many breaches, so many false assurances of tight security, etc. I just use KeePass, offline.
Because we understand the math, and know that with any current or near-term technology the encryption is unbreakable. As long as you have a secure master password that is resistant to brute-forcing, you could post your encrypted passwords on a billboard or email them to every person on earth, and not increase your likelihood of compromise in any significant way.
-
- Posts: 240
- Joined: Thu Sep 30, 2021 8:16 am
Re: Report of leaked LastPass master passwords
You would be right if brute force was the only way. It's not; if it was, Enigma wouldn't have been broken when it was. [I understand the mathematics of combinatorics too, and a bit about cryptography too] There are many ways to bypass brute forcing. Even ignoring such bypass methods, occasionally weaknesses (intentional or otherwise) are discovered in encryption methods, like Dual_EC_DRBG.
Re: Report of leaked LastPass master passwords
Second Round wrote: ↑Tue Dec 28, 2021 6:49 am
You would be right if brute force was the only way. It's not; if it was, Enigma wouldn't have been broken when it was. [I understand the mathematics of combinatorics too, and a bit about cryptography too] There are many ways to bypass brute forcing.
Disagree with this example. The VAST majority of the process of breaking Enigma was in reverse-engineering its theory of operation, i.e. mapping out how the algorithm works. This is in stark contrast to modern cryptography, where the algorithms are published, reviewed, and exhaustively attacked to look for flaws, just like AES (used in most password managers, including LastPass) has been for the past two decades. Parameters on modern algorithms are also generally not protected secrets, so essentially all of this work was to collect information that is now freely given away because it's not considered sensitive.
But anyway, back to Enigma. Once the theory of operation was nailed down, only one secret remained. And this in fact was cracked by brute forcing a known plaintext:
The only remaining secret of the daily key would be the ring settings, and the Poles would attack that problem with brute force. Most messages would start with the three letters "ANX" (an is German for "to" and the "X" character was used as a space). It may take almost 26×26×26=17576 trials, but that was doable. Once the ring settings were found, the Poles could read the day's traffic.
Second Round wrote: ↑Tue Dec 28, 2021 6:49 am
Even ignoring such bypass methods, occasionally weaknesses (intentional or otherwise) are discovered in encryption methods, like Dual_EC_DRBG.
True. And they are generally discovered quickly, as that one was two years prior to its publication; and confirmed four months after the first draft was published. And again, AES has been highly scrutinized for over 20 years. In all that time, the very best key recovery attack that has been achieved reduces the effective key length by about two bits, thus reducing the brute force search for a common 256-bit key space from 2^256 to 2^254.3. So if the algorithm itself is effectively impregnable, we're back to needing to attack the implementation or the password.
Last edited by lazydavid on Tue Dec 28, 2021 7:57 am, edited 1 time in total.
-
- Posts: 5704
- Joined: Wed Oct 08, 2014 7:27 pm
Re: Report of leaked LastPass master passwords
Californiastate wrote: ↑Mon Dec 27, 2021 8:20 pm
brian91480 wrote: ↑Mon Dec 27, 2021 7:55 pm
Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?
If anything, it's a detriment to online security because any hacker can access every account you have.
I can’t get my head around it either.
What do you do for an alternative?
Some of the password managers can sync over wifi instead of the cloud. You can also take additional precautions like "salting"/padding passwords in your password manager. And of course 2FA is a must for all important accounts.
I feel pretty good with my set up, it's extremely convenient but it's not perfect (nothing will be). My biggest risk may be a $5 wrench attack with my phone.
-
- Posts: 240
- Joined: Thu Sep 30, 2021 8:16 am
Re: Report of leaked LastPass master passwords
We actually agree here, though you are phrasing it in a way that seems to imply otherwise. Enigma was not mostly solved by brute force, it was finding cribs and noticing loop patterns that implied the operation. I have a few resources on Enigma specifically and could quote stuff too, but the bulk of the work was reducing search space (and then the British automating the process after that). My point was that Enigma was not conquered by brute force ... meaning, trying the full range of possible combinations. The vastly reduced search space - yes.
In any case in modern times I don't even think it's a matter of encryption methods so much as other techniques - keyloggers and related MITM attacks (mousejack, keyjack), malware, JS exploits, memory overflow or forcing exploits, poor server security, compromised tech support, you name it - other weaknesses. I'm not questioning the algorithms, and agree that open standards that can be publicly examined and critiqued are valuable. It's just that the attack surface is so much larger than the algorithm itself that I would not put my password db in the cloud. If that's overly cautious, that's OK with me, I'd rather err on that side.
-
- Posts: 240
- Joined: Thu Sep 30, 2021 8:16 am
Re: Report of leaked LastPass master passwords
ThankYouJack wrote: ↑Tue Dec 28, 2021 7:57 am
What do you do for an alternative?
Some of the password managers can sync over wifi instead of the cloud. You can also take additional precautions like "salting"/padding passwords in your password manager. And of course 2FA is a must for all important accounts.
I feel pretty good with my set up, it's extremely convenient but it's not perfect (nothing will be). My biggest risk may be a $5 wrench attack with my phone.
When traveling (not much in pandemic times!) I carry on my person an encrypted flash drive, on which is my encrypted password database (and generally, it is a subset of the full database, excluding any banking or investment logins - the theory being, that stuff can almost always wait til I'm back home).
$5 wrench attack is always a risk. Defenses against that are a separate conversation.
Re: Report of leaked LastPass master passwords
Several days ago I posted a Lastpass complaint about support (really no support as the support pull down in my paid version of LP is dead).
Could we spend a bit more time directly with this latest problem?
Step 1: change your master password. (easy)
Step 2: set up 2FA. (Easy, but inconvenient if you have 2 different users, as one phone # would be used to authenticate. I'll call that the master mobile phone number. The second person does not have easy access to that phone and therefore must access that phone to get the code.)
Is there a workaround for that problem of one family member (wife in this case) not having easy access to the master mobile phone number?
Re: Report of leaked LastPass master passwords
Second Round wrote: ↑Tue Dec 28, 2021 8:28 am
We actually agree here, though you are phrasing it in a way that seems to imply otherwise. Enigma was not mostly solved by brute force, it was finding cribs and noticing loop patterns that implied the operation. I have a few resources on Enigma specifically and could quote stuff too, but the bulk of the work was reducing search space (and then the British automating the process after that). My point was that Enigma was not conquered by brute force ... meaning, trying the full range of possible combinations. The vastly reduced search space - yes.
Fair, and that was my point. In order to reduce the search space, they had to reverse-engineer a black box algorithm--albeit one based on physical wiring and rotors rather than theoretical calculations. Such a thing could be done for modern cryptography, but all of that difficult, painstaking work generally isn't necessary because all that information is widely published. What was left after the algorithm was known was breaking the key.
Second Round wrote: ↑Tue Dec 28, 2021 8:28 am
In any case in modern times I don't even think it's a matter of encryption methods so much as other techniques - keyloggers and related MITM attacks (mousejack, keyjack), malware, JS exploits, memory overflow or forcing exploits, poor server security, compromised tech support, you name it - other weaknesses. I'm not questioning the algorithms, and agree that open standards that can be publicly examined and critiqued are valuable. It's just that the attack surface is so much larger than the algorithm itself that I would not put my password db in the cloud. If that's overly cautious, that's OK with me, I'd rather err on that side.
Fair enough.
Re: Report of leaked LastPass master passwords
In February from the Verge.
Security researcher recommends against LastPass after detailing 7 trackers
1Password has zero trackers, and Bitwarden two
Re: Report of leaked LastPass master passwords
I can find no confirmation of any vulnerability or issue currently with LastPass. And I agree with the poster above, let's please keep this on topic.
If LastPass has no record of the master password, the issue of the master password being compromised must reside elsewhere...if this is actually a thing.
-
- Posts: 332
- Joined: Sat Aug 23, 2014 11:55 am
Re: Report of leaked LastPass master passwords
Cody wrote: ↑Tue Dec 28, 2021 8:47 am
Several days ago I posted a Lastpass complaint about support (really no support as the support pull down in my paid version of LP is dead).
Could we spend a bit more time directly with this latest problem?
Step 1: change your master password. (easy)
Step 2: set up 2FA. (Easy, but inconvenient if you have 2 different users, as one phone # would be used to authenticate. I'll call that the master mobile phone number. The second person does not have easy access to that phone and therefore must access that phone to get the code.)
Is there a workaround for that problem of one family member (wife in this case) not having easy access to the master mobile phone number?
You can use Authy.
Or you can take a picture of the QR code with both phones when setting up 2FA for an account.
On another note - I use Keepass. It probably is not as user friendly as LastPass, etc., but I feel more reassured using it. I do have a copy of the Keepass db on Dropbox as there is no other option if one needs access on multiple devices. The master password is 17 characters long and consists of small and large case alphabets, numbers and special characters. And then there is the 2FA key that resides only locally.
Re: Report of leaked LastPass master passwords
Blues wrote: ↑Tue Dec 28, 2021 8:59 am
I can find no confirmation of any vulnerability or issue currently with LastPass. And I agree with the poster above, let's please keep this on topic.
If LastPass has no record of the master password, the issue of the master password being compromised must reside elsewhere...if this is actually a thing.
+1
In this day and age, it would be horrific malpractice for LastPass to have users' master passwords. It would be an obvious and unnecessary vulnerability. Indeed, according to LastPass "Please be aware that LastPass Support has no knowledge of a user's master password. It is not possible for LastPass Support to reset or change a user's master password if it is forgotten." If so, then the reports cannot be correct.
If this is a false statement, then they should be sued into oblivion.
Adding 2FA is also a good idea (belt + suspenders and all that). It appears LastPass supports various authenticator apps. This would be the easiest option for most. This makes it easy to have multiple authentication devices for shared accounts.
“I am losing precious days. I am degenerating into a machine for making money. I am learning nothing in this trivial world of men. I must break away and get out into the mountains...” -- John Muir
Re: Report of leaked LastPass master passwords
Use a cerebro-algorithmic password system-- a master algorithm for every account that is also specific to that account. Unhackable, but you will need a back up in place if you become mentally disabled.
Re: Report of leaked LastPass master passwords
sk.dolcevita wrote: ↑Tue Dec 28, 2021 9:05 am
Cody wrote: ↑Tue Dec 28, 2021 8:47 am
Several days ago I posted a Lastpass complaint about support (really no support as the support pull down in my paid version of LP is dead).
Could we spend a bit more time directly with this latest problem?
Step 1: change your master password. (easy)
Step 2: set up 2FA. (Easy, but inconvenient if you have 2 different users, as one phone # would be used to authenticate. I'll call that the master mobile phone number. The second person does not have easy access to that phone and therefore must access that phone to get the code.)
Is there a workaround for that problem of one family member (wife in this case) not having easy access to the master mobile phone number?
You can use Authy.
Or you can take a picture of the QR code with both phones when setting up 2FA for an account.
On another note - I use Keepass. It probably is not as user friendly as LastPass, etc., but I feel more reassured using it. I do have a copy of the Keepass db on Dropbox as there is no other option if one needs access on multiple devices. The master password is 17 characters long and consists of small and large case alphabets, numbers and special characters. And then there is the 2FA key that resides only locally.
Google Authenticator has allowed backup / duplication of keys for well over a year now. Not saying not to use Authy (it had backups before Google), just that there ARE ways to have the same key on multiple devices without having to do it at the moment of creation.
KeePass w/yubikey user here as well . But I still don't put it online. My pattern of life allows me to avoid needing my passwords on the go for all but the most trivial things.
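Why "take a picture of the QR code with both phones" and Google Authenticator's key export both work: the QR code is just an otpauth:// URI carrying the shared seed, and every device holding that seed computes the same RFC 6238 code. The following is an added example in standard-library Python, not code from any poster or from LastPass, Authy or Google Authenticator; the provisioning URI, issuer and account label are constructed, and `verify` models the check a service would run on its side.

```python
"""RFC 6238 TOTP, written to show why two devices provisioned from one QR code agree."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth:// URI that a provisioning QR code encodes.

    The 'secret' parameter IS the seed. Anything that captured the QR code
    (a second phone, a photo, a backup export) holds the complete credential.
    """
    parts = urlparse(uri)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)  # restore the padding many apps omit
    return {
        "type": parts.netloc,  # "totp" or "hotp"
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def code_from_uri(uri: str, unix_time: int) -> str:
    """What any authenticator app provisioned from `uri` displays at `unix_time`."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["period"], p["digits"], p["algorithm"])


def verify(secret: bytes, submitted: str, unix_time: int, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift.

    Each candidate is compared in constant time. A wider window accepts more
    drift but also lengthens the time a captured code stays usable.
    """
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
        for d in range(-window, window + 1)
    )


# Constructed provisioning URI (not a real account). Its secret is the base32
# form of the RFC 6238 test key "12345678901234567890", so the codes it
# produces can be checked against the RFC's published vectors.
EXAMPLE_URI = ("otpauth://totp/ExampleVault:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleVault&digits=8")

if __name__ == "__main__":
    now = int(time.time())
    # "Phone A" and "phone B" each scanned the same QR code: same seed, same code.
    print("phone A:", code_from_uri(EXAMPLE_URI, now))
    print("phone B:", code_from_uri(EXAMPLE_URI, now))
```

Because the seed is the whole second factor, the QR photo or the exported backup deserves the same protection as the vault password itself.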
Re: Report of leaked LastPass master passwords
It's not like these actors cracked the passwords (how would you decrypt AES-128 or 256-bit anyways). I bet they got a hold of existing email addresses and passwords then tried the combination on various sites including LastPass and voila, they were able to get into some of them. People need to understand to never reuse passwords. Best thing is 2FA with a complex password. You can even use a secret email address with LastPass. Also go through your LastPass options and check or uncheck certain things such as only allow logins from your country, verify your trusted devices and never login from a public computer or at least use the one time password if you do.
Last edited by squirm on Tue Dec 28, 2021 10:59 am, edited 1 time in total.
Re: Report of leaked LastPass master passwords
This is demonstrably untrue and a bad idea. Whatever "algorithm" you come up with is almost surely something that is guessable / already thought of by a hacker. The hacker doesn't have to guess your algorithm exactly to narrow the search space to start an effective attack against a breached password database in which your credentials reside.
Any algorithm your brain can think of and remember isn't robust enough to withstand an attack and if you make it complex enough to hold up AND not reuse passwords for similar accounts is likely going to be impossible to actually remember.
And despite my use of the word "you" I'm not suggesting a scenario where "you" are targeted. Breaches don't work that way, but they DO leverage all of the common variations of "algorithms" to extract passwords and then they start to get creative.
https://www.youtube.com/watch?v=7U-RbOKanYs
-
- Posts: 240
- Joined: Thu Sep 30, 2021 8:16 am
Re: Report of leaked LastPass master passwords
FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
Re: Report of leaked LastPass master passwords
mouth wrote: ↑Tue Dec 28, 2021 10:55 am
This is demonstrably untrue and a bad idea. Whatever "algorithm" you come up with is almost surely something that is guessable / already thought of by a hacker. The hacker doesn't have to guess your algorithm exactly to narrow the search space to start an effective attack against a breached password database in which your credentials reside.
Any algorithm your brain can think of and remember isn't robust enough to withstand an attack and if you make it complex enough to hold up AND not reuse passwords for similar accounts is likely going to be impossible to actually remember.
And despite my use of the word "you" I'm not suggesting a scenario where "you" are targeted. Breaches don't work that way, but they DO leverage all of the common variations of "algorithms" to extract passwords and then they start to get creative.
https://www.youtube.com/watch?v=7U-RbOKanYs
First of all, how many hackers are sitting around guessing at one's personal mental algorithm? They don't work that way. Second, the algorithm incorporates personal history and associations, like security questions but deeper once you integrate associations.
There is zero chance anybody on earth can guess the algorithm and it wouldn't be economical to try. That isn't the risk. The risk is that it's all in my head and what if something happens to said head.
-
- Posts: 5704
- Joined: Wed Oct 08, 2014 7:27 pm
Re: Report of leaked LastPass master passwords
Second Round wrote: ↑Tue Dec 28, 2021 11:48 am
FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
Even if someone knows your master password, don't most password managers have multiple levels of protection? With LastPass, would a hacker also need to know your account key and have access to your email account to get access to your password vault?
My concern with this would be forgetting the long random passphrase. I remember a post from the past where the OP forgot his master password and it was a massive hassle having to access and update all of his accounts.
Re: Report of leaked LastPass master passwords
VictorStarr wrote: ↑Mon Dec 27, 2021 7:48 pm
Today a number of people reported unauthorized attempts to log in to their LastPass accounts using a valid master password (https://news.ycombinator.com/item?id=29705957). This may indicate a potential leak of LastPass passwords. Check your email for messages titled “LastPass Security Notification: Login attempt blocked”.
There is no reason to panic, but if you have a LastPass account it is prudent to
- change your LastPass password
- enable 2FA for LastPass using an authenticator app (if you do not have 2FA enabled)
- if you reused your LastPass password, change the passwords of other accounts too
- check the IPs of the latest logins to your LastPass account (reports listed Brazil and Thailand IPs used by attackers)
Fake news it appears:
https://support.logmeininc.com/lastpass ... e-lp070015
BH Contests: 23 #89 of 607 | 22 #512 of 674 | 21 #66 of 636 |20 #253/664 |19 #233/645 |18 #150/493 |17 #516/647 |16 #121/610 |15 #18/552 |14 #225/503 |13 #383/433 |12 #366/410 |11 #113/369 |10 #53/282
-
- Posts: 240
- Joined: Thu Sep 30, 2021 8:16 am
Re: Report of leaked LastPass master passwords
ThankYouJack wrote: ↑Tue Dec 28, 2021 1:05 pm
Second Round wrote: ↑Tue Dec 28, 2021 11:48 am
FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
Even if someone knows your master password, don't most password managers have multiple levels of protection? With LastPass, would a hacker also need to know your account key and have access to your email account to get access to your password vault?
My concern with this would be forgetting the long random passphrase. I remember a post from the past where the OP forgot his master password and it was a massive hassle having to access and update all of his accounts.
I get in my password database daily, often more than once; in less than a week I had the passphrase memorized. You can have the phrase written down and locked up as backup (I do).
You need some way of getting in to your database to use it, so I'd think the alternative is to trust some application (like a browser or browser extension) to memorize it for you. As I've seen too many browser extensions prove to have security vulnerabilities or even be plain malware themselves, I prefer to just start the KeePass program locally (KeePass2, or KeePassDX). You don't have to use a second factor for opening the database (it'll work with passphrase alone), but you can require a keyfile in addition to the passphrase.
Can't speak for how one accesses the LastPass vault. Is it not a subscription service? Subject to change in terms, features, conditions? That's not an appealing set of characteristics to me.
- VictorStarr
- Posts: 746
- Joined: Sat Jan 04, 2020 9:13 pm
- Location: Washington
Re: Report of leaked LastPass master passwords
sperry8 wrote: ↑Tue Dec 28, 2021 1:23 pm
> Fake news it appears:
> VictorStarr wrote: ↑Mon Dec 27, 2021 7:48 pm
> > Today a number of people reported unauthorized attempts to login to their LastPass accounts using a valid master password (https://news.ycombinator.com/item?id=29705957). This may indicate a potential leak of LastPass passwords. Check your email for messages titled “LastPass Security Notification: Login attempt blocked”.
> > There is no reason to panic but if you have a LastPass account it is prudent to
> > - change your LastPass password
> > - enable 2FA for LastPass using an authenticator app (if you do not have 2FA enabled)
> > - if you reused your LastPass password, change the passwords of other accounts too
> > - check the IPs of the latest logins to your LastPass account (reports listed Brazil and Thailand IPs used by attackers)
> > https://support.logmeininc.com/lastpass ... e-lp070015

See my earlier response: viewtopic.php?p=6408502#p6408502
Re: Report of leaked LastPass master passwords
Here is an official response from LastPass:
https://www.howtogeek.com/776450/lastpa ... -password/
> LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.
Re: Report of leaked LastPass master passwords
Tyler9000 wrote: ↑Tue Dec 28, 2021 2:32 pm
> Here is an official response from LastPass:
> https://www.howtogeek.com/776450/lastpa ... -password/
> > LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.

Thanks for that, as I use LastPass, although I am not surprised by this method as I wrote earlier... It's not like someone can crack 128 or 256 bit encryption anyways.
Re: Report of leaked LastPass master passwords
countmein wrote: ↑Tue Dec 28, 2021 12:46 pm
> mouth wrote: ↑Tue Dec 28, 2021 10:55 am
> > This is demonstrably untrue and a bad idea. Whatever "algorithm" you come up with is almost surely something that is guessable / already thought of by a hacker. The hacker doesn't have to guess your algorithm exactly to narrow the search space to start an effective attack against a breached password database in which your credentials reside.
> > Any algorithm your brain can think of and remember isn't robust enough to withstand an attack and if you make it complex enough to hold up AND not reuse passwords for similar accounts is likely going to be impossible to actually remember.
> > And despite my use of the word "you" I'm not suggesting a scenario where "you" are targeted. Breaches don't work that way, but they DO leverage all of the common variations of "algorithms" to extract passwords and then they start to get creative.
> > https://www.youtube.com/watch?v=7U-RbOKanYs
> First of all, how many hackers are sitting around guessing at one's personal mental algorithm? They don't work that way. Second, the algorithm incorporates personal history and associations, like security questions but deeper once you integrate associations.
> There is zero chance anybody on earth can guess the algorithm and it wouldn't be economical to try. That isn't the risk. The risk is that it's all in my head and what if something happens to said head.

I'm aware hackers don't target one person's mental algorithm. In fact I said exactly that very specifically when I said,
> And despite my use of the word "you" I'm not suggesting a scenario where "you" are targeted. Breaches don't work that way

There is a very good chance someone could guess the algorithm because a person doesn't have to. You mention security questions, that means answers with words which will be in a breached database hacker's dictionary attack. Then they will add rules to those words to come up with many combinations / variations. That includes "associations" which might also be words, site names, etc. It would be VERY economical to try.

I suggest you watch the video I posted. Which is from 2016 and a LOT has happened in computing, hacking tools, and dictionaries since then. The moment you have a password with ANY word found in ANY dictionary on earth you have SIGNIFICANTLY reduced the search space to something VERY economical to search through. You can't control the web site's choice of hashing algorithm so password complexity is your only leverage. Obscurity is not a lever that works.
Re: Report of leaked LastPass master passwords
ThankYouJack wrote: ↑Tue Dec 28, 2021 1:05 pm
> Even if someone knows your master password, don't most password managers have multiple levels of protection? With LastPass, would a hacker also need to know your account key and have access to your email account to get access to your password vault?
> Second Round wrote: ↑Tue Dec 28, 2021 11:48 am
> > FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
> My concern with this would be forgetting the long random passphrase. I remember a post from the past where the OP forgot his master password and it would be a massive hassle having to access and update all of his accounts.

Two solutions. First off, you're typing it often enough to remember it better than multiple passwords. Second, you can write it down and put it in a lock box. If someone breaks into your house you have bigger problems AND you know it happened so you can start changing passwords. Heck, DON'T put it in a lock box. Hide it in something no one will steal, even a book, but is easy access for you. Your threat surface is WAY smaller if they have to steal a piece of paper from your actual house vs. "cyber space" where they are guessing your non-random, possibly reused, hashed-password residing in a database they stole from a web server. Because that is how it's done and your only defense is password complexity.

As for LastPass itself, this is why they don't store your password at all. All database decryption happens on your hardware so the plaintext result only exists on your machine as does the database decryption password. If your machine itself has been hacked, or someone steals it, all bets are off because losing physical security is the end of the ball game and you better start changing passwords / making phone calls like your digital life depends on it. And again, WAY smaller of a threat footprint than having easy to guess passwords floating out there in the ether.
Re: Report of leaked LastPass master passwords
Second Round wrote: ↑Tue Dec 28, 2021 1:52 pm
> , but you can require a keyfile in addition to the passphrase.

Good news, you can use a Yubikey with KP as well. It is effectively nothing more than a keyfile (aka long string of random characters added to the master key for decryption) but it isn't stored in plain text on your machine and can be made to require a finger press to trigger. So a keyfile on steroids.
- Posts: 5704
- Joined: Wed Oct 08, 2014 7:27 pm
Re: Report of leaked LastPass master passwords
mouth wrote: ↑Tue Dec 28, 2021 4:01 pm
> ThankYouJack wrote: ↑Tue Dec 28, 2021 1:05 pm
> > Even if someone knows your master password, don't most password managers have multiple levels of protection? With LastPass, would a hacker also need to know your account key and have access to your email account to get access to your password vault?
> > Second Round wrote: ↑Tue Dec 28, 2021 11:48 am
> > > FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
> > My concern with this would be forgetting the long random passphrase. I remember a post from the past where the OP forgot his master password and it would be a massive hassle having to access and update all of his accounts.
> Two solutions. First off, you're typing it often enough to remember it better than multiple passwords. Second, you can write it down and put it in a lock box. If someone breaks into your house you have bigger problems AND you know it happened so you can start changing passwords. Heck, DON'T put it in a lock box. Hide it in something no one will steal, even a book, but is easy access for you. Your threat surface is WAY smaller if they have to steal a piece of paper from your actual house vs. "cyber space" where they are guessing your non-random, possibly reused, hashed-password residing in a database they stole from a web server. Because that is how it's done and your only defense is password complexity.
> As for LastPass itself, this is why they don't store your password at all. All database decryption happens on your hardware so the plaintext result only exists on your machine as does the database decryption password. If your machine itself has been hacked, or someone steals it, all bets are off because losing physical security is the end of the ball game and you better start changing passwords / making phone calls like your digital life depends on it. And again, WAY smaller of a threat footprint than having easy to guess passwords floating out there in the ether.

I am a big fan of password managers. I'm just thinking about the risk/convenience factor for using a really long password as your password manager pw (say more than 12-15 characters). I'd feel pretty safe with a 12 character password for my password manager if someone also needs access to my account key and email account to get access to my password vault.

I want to be more secure than the majority of people out there, but don't want to get paranoid with the what ifs and feel I need a 30+ character long password to stay secure.
- Posts: 240
- Joined: Thu Sep 30, 2021 8:16 am
Re: Report of leaked LastPass master passwords
mouth wrote: ↑Tue Dec 28, 2021 3:53 pm
> I suggest you watch the video I posted. Which is from 2016 and a LOT has happened in computing, hacking tools, and dictionaries since then. The moment you have a password with ANY word found in ANY dictionary on earth you have SIGNIFICANTLY reduced the search space to something VERY economical to search through. You can't control the web site's choice of hashing algorithm so password complexity is your only leverage. Obscurity is not a lever that works.

That's an excellent video, has me thinking about the Diceware method. For a dictionary of 8000 words, and say 7 words long, you're talking about 2x 10^27 combinations (roughly). If your pw db is not online and the (hashed) password is not stored online or even nominally offline by another entity, is it really bad to be using such a passphrase?

If nothing else, this discussion has increased my interest in adding a hardware security key - to as many logins as I can (and for my pw db).

Edit: video that was shot right after the one you recommended does address my question to you - looks good for passphrases, though he does not specifically address the Diceware method(s) of randomization / selection.
Last edited by Second Round on Tue Dec 28, 2021 5:30 pm, edited 1 time in total.
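The search-space arithmetic behind the Diceware comparison above (8000 words, 7 words, versus the 12-character password discussed earlier) and the earlier point that a dictionary word plus mangling rules shrinks the attacker's search space, worked through as an added example; this is not any poster's code, and the dictionary size, rule count and guess rate it uses are assumptions.

```python
"""Search-space arithmetic for the master-password choices discussed in the thread.

Constructed example. The 8000-word list size, the 7-word passphrase and the
12-character comparison come from the thread; dictionary size, rule count and
guess rate below are assumptions chosen for illustration.
"""
import math
import secrets

DICEWARE_LIST_SIZE = 8000           # thread's round figure (a real list has 7776 = 6**5)
ALNUM_ALPHABET_SIZE = 26 + 26 + 10  # mixed-case letters and digits


def search_space(symbols: int, length: int) -> int:
    """Candidates for `length` symbols drawn uniformly from an alphabet of `symbols`."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy in bits of a uniformly random string (log2 of its search space)."""
    return length * math.log2(symbols)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Fewest Diceware words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def dictionary_word_space(dictionary_size: int, rule_variants: int) -> int:
    """Effective search space once a password is 'a dictionary word plus mangling':
    the attacker tries every word times every rule, not every character string."""
    return dictionary_size * rule_variants


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to reach the right guess: half the space on average. The rate is
    set by the site's hashing choice and the attacker's hardware, not by the user."""
    return space / 2 / guesses_per_second


def generate_diceware(word_list: list[str], n_words: int) -> str:
    """Draw n_words with the OS CSPRNG (secrets), never the non-cryptographic random module."""
    return " ".join(secrets.choice(word_list) for _ in range(n_words))


if __name__ == "__main__":
    # Constructed stand-in for a word list; a real one would be read from a file.
    demo_words = [f"word{i:04d}" for i in range(DICEWARE_LIST_SIZE)]
    alnum12 = entropy_bits(ALNUM_ALPHABET_SIZE, 12)
    print(f"7 Diceware words: {search_space(DICEWARE_LIST_SIZE, 7):.2e} candidates, "
          f"{entropy_bits(DICEWARE_LIST_SIZE, 7):.1f} bits")
    print(f"12 random alnum chars: {alnum12:.1f} bits, matched by {words_needed(alnum12)} words")
    # Assumed: 100k-word dictionary, 1000 mangling rules, 1e10 guesses/s against a fast hash.
    word_space = dictionary_word_space(100_000, 1_000)
    print(f"word + rules: {math.log2(word_space):.1f} bits, "
          f"{expected_crack_seconds(word_space, 1e10):.3f} s expected")
    print("example passphrase:", generate_diceware(demo_words, 7))
```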
Re: Report of leaked LastPass master passwords
mouth wrote: ↑Tue Dec 28, 2021 4:01 pm
> ThankYouJack wrote: ↑Tue Dec 28, 2021 1:05 pm
> > Even if someone knows your master password, don't most password managers have multiple levels of protection? With LastPass, would a hacker also need to know your account key and have access to your email account to get access to your password vault?
> > Second Round wrote: ↑Tue Dec 28, 2021 11:48 am
> > > FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
> > My concern with this would be forgetting the long random passphrase. I remember a post from the past where the OP forgot his master password and it would be a massive hassle having to access and update all of his accounts.
> Two solutions. First off, you're typing it often enough to remember it better than multiple passwords. Second, you can write it down and put it in a lock box. If someone breaks into your house you have bigger problems AND you know it happened so you can start changing passwords. Heck, DON'T put it in a lock box. Hide it in something no one will steal, even a book, but is easy access for you. Your threat surface is WAY smaller if they have to steal a piece of paper from your actual house vs. "cyber space" where they are guessing your non-random, possibly reused, hashed-password residing in a database they stole from a web server. Because that is how it's done and your only defense is password complexity.
> As for LastPass itself, this is why they don't store your password at all. All database decryption happens on your hardware so the plaintext result only exists on your machine as does the database decryption password. If your machine itself has been hacked, or someone steals it, all bets are off because losing physical security is the end of the ball game and you better start changing passwords / making phone calls like your digital life depends on it. And again, WAY smaller of a threat footprint than having easy to guess passwords floating out there in the ether.

That's what I do, it's written down except for one small word at the end. It's out of sight in the house. Even if someone finds it they won't know what it is and even if they try they don't have the whole password.
Re: Report of leaked LastPass master passwords
The whole idea of a password manager is a bad idea. And, having a browser extension makes it worse. And, the cloud, even more so.
Re: Report of leaked LastPass master passwords
Second Round wrote: ↑Tue Dec 28, 2021 5:13 pm
> mouth wrote: ↑Tue Dec 28, 2021 3:53 pm
> > I suggest you watch the video I posted. Which is from 2016 and a LOT has happened in computing, hacking tools, and dictionaries since then. The moment you have a password with ANY word found in ANY dictionary on earth you have SIGNIFICANTLY reduced the search space to something VERY economical to search through. You can't control the web site's choice of hashing algorithm so password complexity is your only leverage. Obscurity is not a lever that works.
> That's an excellent video, has me thinking about the Diceware method. For a dictionary of 8000 words, and say 7 words long, you're talking about 2x 10^27 combinations (roughly). If your pw db is not online and the (hashed) password is not stored online or even nominally offline by another entity, is it really bad to be using such a passphrase?
> If nothing else, this discussion has increased my interest in adding a hardware security key - to as many logins as I can (and for my pw db).

But the passwords get salted too.
Re: Report of leaked LastPass master passwords
mouth wrote: ↑Tue Dec 28, 2021 4:04 pm
> Good news, you can use a Yubikey with KP as well. It is effectively nothing more than a keyfile (aka long string of random characters added to the master key for decryption) but it isn't stored in plain text on your machine and can be made to require a finger press to trigger. So a keyfile on steroids.

It's actually more than that.