Report of leaked LastPass master passwords

Topic Author
VictorStarr
Posts: 746
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Report of leaked LastPass master passwords

Post by VictorStarr »

Today a number of people reported unauthorized attempts to log in to their LastPass accounts using a valid master password (https://news.ycombinator.com/item?id=29705957). This may indicate a potential leak of LastPass passwords. Check your email for messages titled “LastPass Security Notification: Login attempt blocked”.

There is no reason to panic, but if you have a LastPass account it is prudent to
- change your LastPass password
- enable 2FA for LastPass using an authenticator app (if you do not have 2FA enabled)
- if you reused your LastPass password, change the passwords of other accounts too
- check the IPs of the latest logins to your LastPass account (reports listed Brazil and Thailand IPs used by attackers)
brian91480
Posts: 683
Joined: Fri Jan 29, 2021 6:44 pm
Location: Minnesota

Re: Report of leaked LastPass master passwords

Post by brian91480 »

Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?

If anything, it's a detriment to online security because any hacker can access every account you have.
Topic Author
VictorStarr
Posts: 746
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Report of leaked LastPass master passwords

Post by VictorStarr »

brian91480 wrote: Mon Dec 27, 2021 7:55 pm Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?

If anything, it's a detriment to online security because any hacker can access every account you have.
2FA (especially with a hardware key) limits the impact of leaked passwords.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Report of leaked LastPass master passwords

Post by mptfan »

LastPass was bought by LogmeIn in 2015, then LogmeIn was bought by a private equity company. Interpret that how you wish.
sycamore
Posts: 6360
Joined: Tue May 08, 2018 12:06 pm

Re: Report of leaked LastPass master passwords

Post by sycamore »

Those reports seem somewhat dubious as I understand that LastPass doesn't actually keep their users' master passwords.

From https://support.logmeininc.com/lastpass ... d-lp070014:
Please be aware that LastPass Support has no knowledge of a user's master password. It is not possible for LastPass Support to reset or change a user's master password if it is forgotten.
From another source https://kb.wisc.edu/security/page.php?id=103569:
LastPass - Does LastPass Keep a Record of My Master Password?

LastPass (LogMeIn) has no knowledge of your Master Password

No, LastPass has a zero-knowledge security model and does not store its users’ Master Passwords.
One explanation for the reports is that some users had their master password somehow compromised, e.g., it was easy enough to guess, or they reused the password on another site that got hacked, etc.
Topic Author
VictorStarr
Posts: 746
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Report of leaked LastPass master passwords

Post by VictorStarr »

sycamore wrote: Mon Dec 27, 2021 8:14 pm Those reports seem somewhat dubious as I understand that LastPass doesn't actually keep their users' master passwords.
One of the theories is that it is a spillover from an old vulnerability in the LastPass browser extension:
https://news.ycombinator.com/item?id=12171547
Californiastate
Posts: 1516
Joined: Thu Feb 04, 2021 10:52 am

Re: Report of leaked LastPass master passwords

Post by Californiastate »

brian91480 wrote: Mon Dec 27, 2021 7:55 pm Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?

If anything, it's a detriment to online security because any hacker can access every account you have.
I can’t get my head around it either.
YoungSisyphus
Posts: 346
Joined: Mon Sep 24, 2018 7:35 am

Re: Report of leaked LastPass master passwords

Post by YoungSisyphus »

Thanks for this. Hopefully people would be smart enough to never use their master password as a password at another website. In any case, I went ahead and updated my master password. In addition, realized I had been slacking on 2FA and didn't realize how extensive LastPass' support for authenticators was. Was able to add my Microsoft 2FA so it's even stronger.

Very helpful post. :D
BogleFan510
Posts: 1039
Joined: Tue Aug 04, 2020 2:13 pm

Re: Report of leaked LastPass master passwords

Post by BogleFan510 »

Time for hardware encrypted biometrics.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Report of leaked LastPass master passwords

Post by mptfan »

BogleFan510 wrote: Mon Dec 27, 2021 8:29 pm Time for hardware encrypted biometrics.
I think physical security keys that use the FIDO U2F protocol (e.g. Yubikeys) are effectively just as secure.
YoungSisyphus
Posts: 346
Joined: Mon Sep 24, 2018 7:35 am

Re: Report of leaked LastPass master passwords

Post by YoungSisyphus »

If I had to think about this more, I am sure there are data breaches where hackers could quickly find duplicate e-mail addresses used on multiple sites, and see if they used the same password across multiple. Then you may guess there are better odds they did this for LastPass, and they give it a try. Good lesson to not use the same password for sites.
BogleFan510
Posts: 1039
Joined: Tue Aug 04, 2020 2:13 pm

Re: Report of leaked LastPass master passwords

Post by BogleFan510 »

mptfan wrote: Mon Dec 27, 2021 8:32 pm
BogleFan510 wrote: Mon Dec 27, 2021 8:29 pm Time for hardware encrypted biometrics.
I think physical security keys that use the FIDO U2F protocol (e.g. Yubikeys) are effectively just as secure.
It depends on the type, but that said, the average consumer is well served by something they can easily use like FaceID, with secure storage of the second factor. Nothing is perfect though. I have been impressed by the Smartcard industry and their more disciplined management of standards and secure access to payment information (was a Smartcard Alliance contributor, now the Secure Technology Alliance). I do like hardware based security factors. Much less so by 'App' companies reliant on websites and software only solutions.
Makefile
Posts: 2657
Joined: Fri Apr 22, 2016 11:03 pm

Re: Report of leaked LastPass master passwords

Post by Makefile »

VictorStarr wrote: Mon Dec 27, 2021 8:03 pm
brian91480 wrote: Mon Dec 27, 2021 7:55 pm Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?

If anything, it's a detriment to online security because any hacker can access every account you have.
2FA (especially with a hardware key) limits the impact of leaked passwords.
I suspect "1FA" (2FA with no password at all) might be the eventual end result.
Remember that the most popular "password manager" is the browser's remember password feature, which in its default configuration stores the password locally using reversible encryption with no master password at all, and also leaks the password to Google/Apple/Microsoft/Mozilla servers if the user is using a syncing feature. So arguably browsers, making the "do you want to remember this password" increasingly aggressive over time, and removing the autocomplete=off opt-out feature that previously existed, are just an elaborate phishing attack making passwords increasingly pointless as a guarantee of anything about the person sitting in front of the keyboard.
Second Round
Posts: 240
Joined: Thu Sep 30, 2021 8:16 am

Re: Report of leaked LastPass master passwords

Post by Second Round »

Biometrics have always struck me as being like a password you can never change ... or, alternatively, an irretrievable one in some cases of aging, disfigurement, etc. And we leave our fingerprints everywhere, and images of our face are very easy to obtain. For 2FA, nothing is perfect, but I'm likely to purchase some hardware keys soon.

Also, I never understood why anyone with sense enough to use a password manager would want it to reside in the cloud or accessible through browser. Obviously online access is a form of convenience when using multiple devices to interface with the same account, but I would think people would realize cloud is just someone else's computer, and someone can be working on picking that lock without you even knowing it. It seemed to me an unnecessary risk - there have been SO many breaches, so many false assurances of tight security, etc. I just use KeePass, offline.
SimonJester
Posts: 2500
Joined: Tue Aug 16, 2011 12:39 pm

Re: Report of leaked LastPass master passwords

Post by SimonJester »

Who didn't see this coming a mile away...
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Report of leaked LastPass master passwords

Post by Silence Dogood »

I recommend securing your password manager (regardless of whichever one you use) with a security key (e.g., a Yubikey).

Best practice is to purchase a back-up key, in case your primary key becomes lost/stolen/damaged/etc.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Report of leaked LastPass master passwords

Post by Silence Dogood »

Makefile wrote: Mon Dec 27, 2021 8:40 pm I suspect "1FA" (2FA with no password at all) might be the eventual end result.
A security key (something you have) combined with a PIN* (something you know) is very secure.

* Or, optionally, combined with a fingerprint (something you are). However, I do have some misgivings about biometrics...
lazydavid
Posts: 5156
Joined: Wed Apr 06, 2016 1:37 pm

Re: Report of leaked LastPass master passwords

Post by lazydavid »

Second Round wrote: Mon Dec 27, 2021 8:58 pm Also, I never understood why anyone with sense enough to use a password manager would want it to reside in the cloud or accessible through browser. Obviously online access is a form of convenience when using multiple devices to interface with the same account, but I would think people would realize cloud is just someone else's computer, and someone can be working on picking that lock without you even knowing it. It seemed to me an unnecessary risk - there have been SO many breaches, so many false assurances of tight security, etc. I just use KeePass, offline.
Because we understand the math, and know that with any current or near-term technology the encryption is unbreakable. As long as you have a secure master password that is resistant to brute-forcing, you could post your encrypted passwords on a billboard or email them to every person on earth, and not increase your likelihood of compromise in any significant way.
Second Round
Posts: 240
Joined: Thu Sep 30, 2021 8:16 am

Re: Report of leaked LastPass master passwords

Post by Second Round »

lazydavid wrote: Tue Dec 28, 2021 3:53 am Because we understand the math, and know that with any current or near-term technology the encryption is unbreakable.
You would be right if brute force was the only way. It's not; if it was, Enigma wouldn't have been broken when it was. [I understand the mathematics of combinatorics too, and a bit about cryptography too] There are many ways to bypass brute forcing. Even ignoring such bypass methods, occasionally weaknesses (intentional or otherwise) are discovered in encryption methods, like Dual_EC_DRBG.
lazydavid
Posts: 5156
Joined: Wed Apr 06, 2016 1:37 pm

Re: Report of leaked LastPass master passwords

Post by lazydavid »

Second Round wrote: Tue Dec 28, 2021 6:49 am You would be right if brute force was the only way. It's not; if it was, Enigma wouldn't have been broken when it was. [I understand the mathematics of combinatorics too, and a bit about cryptography too] There are many ways to bypass brute forcing.
Disagree with this example. The VAST majority of the process of breaking Enigma was in reverse-engineering its theory of operation, i.e. mapping out how the algorithm works. This is in stark contrast to modern cryptography, where the algorithms are published, reviewed, and exhaustively attacked to look for flaws, just like AES (used in most password managers, including LastPass) has been for the past two decades. Parameters on modern algorithms are also generally not protected secrets, so essentially all of this work was to collect information that is now freely given away because it's not considered sensitive.

But anyway, back to Enigma. Once the theory of operation was nailed down, only one secret remained. And this in fact was cracked by brute forcing a known plaintext:
The only remaining secret of the daily key would be the ring settings, and the Poles would attack that problem with brute force. Most messages would start with the three letters "ANX" (an is German for "to" and the "X" character was used as a space). It may take almost 26×26×26=17576 trials, but that was doable. Once the ring settings were found, the Poles could read the day's traffic.
Second Round wrote: Tue Dec 28, 2021 6:49 am Even ignoring such bypass methods, occasionally weaknesses (intentional or otherwise) are discovered in encryption methods, like Dual_EC_DRBG.
True. And they are generally discovered quickly, as that one was two years prior to its publication; and confirmed four months after the first draft was published. And again, AES has been highly scrutinized for over 20 years. In all that time, the very best key recovery attack that has been achieved reduces the effective key length by about two bits, thus reducing the brute force search for a common 256-bit key space from 2^256 to 2^254.3. So if the algorithm itself is effectively impregnable, we're back to needing to attack the implementation or the password.
Last edited by lazydavid on Tue Dec 28, 2021 7:57 am, edited 1 time in total.
ThankYouJack
Posts: 5704
Joined: Wed Oct 08, 2014 7:27 pm

Re: Report of leaked LastPass master passwords

Post by ThankYouJack »

Californiastate wrote: Mon Dec 27, 2021 8:20 pm
brian91480 wrote: Mon Dec 27, 2021 7:55 pm Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?

If anything, it's a detriment to online security because any hacker can access every account you have.
I can’t get my head around it either.
What do you do for an alternative?

Some of the password managers can sync over wifi instead of the cloud. You can also take additional precautions like "salting"/padding passwords in your password manager. And of course 2FA is a must for all important accounts.

I feel pretty good with my set up, it's extremely convenient but it's not perfect (nothing will be). My biggest risk may be a $5 wrench attack with my phone.
Second Round
Posts: 240
Joined: Thu Sep 30, 2021 8:16 am

Re: Report of leaked LastPass master passwords

Post by Second Round »

lazydavid wrote: Tue Dec 28, 2021 7:56 am But anyway, back to Enigma. Once the theory of operation was nailed down, only one secret remained. And this in fact was cracked by brute forcing a known plaintext:
We actually agree here, though you are phrasing it in a way that seems to imply otherwise. Enigma was not mostly solved by brute force, it was finding cribs and noticing loop patterns that implied the operation. I have a few resources on Enigma specifically and could quote stuff too, but the bulk of the work was reducing search space (and then the British automating the process after that). My point was that Enigma was not conquered by brute force ... meaning, trying the full range of possible combinations. The vastly reduced search space - yes.

In any case in modern times I don't even think it's a matter of encryption methods so much as other techniques - keyloggers and related MITM attacks (mousejack, keyjack), malware, JS exploits, memory overflow or forcing exploits, poor server security, compromised tech support, you name it - other weaknesses. I'm not questioning the algorithms, and agree that open standards that can be publicly examined and critiqued are valuable. It's just that the attack surface is so much larger than the algorithm itself that I would not put my password db in the cloud. If that's overly cautious, that's OK with me, I'd rather err on that side.
Second Round
Posts: 240
Joined: Thu Sep 30, 2021 8:16 am

Re: Report of leaked LastPass master passwords

Post by Second Round »

ThankYouJack wrote: Tue Dec 28, 2021 7:57 am What do you do for an alternative?

Some of the password managers can sync over wifi instead of the cloud. You can also take additional precautions like "salting"/padding passwords in your password manager. And of course 2FA is a must for all important accounts.

I feel pretty good with my set up, it's extremely convenient but it's not perfect (nothing will be). My biggest risk may be a $5 wrench attack with my phone.
When traveling (not much in pandemic times!) I carry on my person an encrypted flash drive, on which is my encrypted password database (and generally, it is a subset of the full database, excluding any banking or investment logins - the theory being, that stuff can almost always wait til I'm back home).

$5 wrench attack is always a risk. Defenses against that are a separate conversation.
Cody
Posts: 1053
Joined: Sun Dec 02, 2007 8:19 am
Location: Stillwater, Mn

Re: Report of leaked LastPass master passwords

Post by Cody »

Several days ago I posted a LastPass complaint about support (really no support as the support pull-down in my paid version of LP is dead).

Could we spend a bit more time directly with this latest problem?

Step 1: change your master password. (easy)

Step 2: set up 2FA. (easy but inconvenient if you have 2 different users, as one phone # would be used to authenticate. I'll call that the master mobile phone number. The second person does not have easy access to that phone and therefore they must access that phone to get the code.)

Is there a workaround for that problem of one family member (wife in this case) not having easy access to the master mobile phone number?
lazydavid
Posts: 5156
Joined: Wed Apr 06, 2016 1:37 pm

Re: Report of leaked LastPass master passwords

Post by lazydavid »

Second Round wrote: Tue Dec 28, 2021 8:28 am
lazydavid wrote: Tue Dec 28, 2021 7:56 am But anyway, back to Enigma. Once the theory of operation was nailed down, only one secret remained. And this in fact was cracked by brute forcing a known plaintext:
We actually agree here, though you are phrasing it in a way that seems to imply otherwise. Enigma was not mostly solved by brute force, it was finding cribs and noticing loop patterns that implied the operation. I have a few resources on Enigma specifically and could quote stuff too, but the bulk of the work was reducing search space (and then the British automating the process after that). My point was that Enigma was not conquered by brute force ... meaning, trying the full range of possible combinations. The vastly reduced search space - yes.
Fair, and that was my point. In order to reduce the search space, they had to reverse-engineer a black box algorithm--albeit one based on physical wiring and rotors rather than theoretical calculations. Such a thing could be done for modern cryptography, but all of that difficult, painstaking work generally isn't necessary because all that information is widely published. What was left after the algorithm was known was breaking the key.
Second Round wrote: Tue Dec 28, 2021 8:28 am In any case in modern times I don't even think it's a matter of encryption methods so much as other techniques - keyloggers and related MITM attacks (mousejack, keyjack), malware, JS exploits, memory overflow or forcing exploits, poor server security, compromised tech support, you name it - other weaknesses. I'm not questioning the algorithms, and agree that open standards that can be publicly examined and critiqued are valuable. It's just that the attack surface is so much larger than the algorithm itself that I would not put my password db in the cloud. If that's overly cautious, that's OK with me, I'd rather err on that side.
Fair enough.
Cody
Posts: 1053
Joined: Sun Dec 02, 2007 8:19 am
Location: Stillwater, Mn

Re: Report of leaked LastPass master passwords

Post by Cody »

In February from the Verge.

Security researcher recommends against LastPass after detailing 7 trackers

1Password has zero trackers, and Bitwarden two
Blues
Posts: 2501
Joined: Wed Dec 10, 2008 10:58 am
Location: Blue Ridge Mtns

Re: Report of leaked LastPass master passwords

Post by Blues »

I can find no confirmation of any vulnerability or issue currently with LastPass. And I agree with the poster above, let's please keep this on topic.

If LastPass has no record of the master password, the issue of the master password being compromised must reside elsewhere...if this is actually a thing.
sk.dolcevita
Posts: 332
Joined: Sat Aug 23, 2014 11:55 am

Re: Report of leaked LastPass master passwords

Post by sk.dolcevita »

Cody wrote: Tue Dec 28, 2021 8:47 am Several days ago I posted a LastPass complaint about support (really no support as the support pull-down in my paid version of LP is dead).

Could we spend a bit more time directly with this latest problem?

Step 1: change your master password. (easy)

Step 2: set up 2FA. (easy but inconvenient if you have 2 different users, as one phone # would be used to authenticate. I'll call that the master mobile phone number. The second person does not have easy access to that phone and therefore they must access that phone to get the code.)

Is there a workaround for that problem of one family member (wife in this case) not having easy access to the master mobile phone number?
You can use Authy.

Or you can take a picture of the QR code with both phones when setting up 2FA for an account.

On another note - I use KeePass. It probably is not as user friendly as LastPass, etc., but I feel more reassured using it. I do have a copy of the KeePass db on Dropbox as there is no other option if one needs access on multiple devices. The master password is 17 characters long and consists of lower- and upper-case letters, numbers and special characters. And then there is the 2FA key that resides only locally.
DoTheMath
Posts: 671
Joined: Sat Jul 04, 2015 1:11 pm
Location: The Plains

Re: Report of leaked LastPass master passwords

Post by DoTheMath »

Blues wrote: Tue Dec 28, 2021 8:59 am I can find no confirmation of any vulnerability or issue currently with LastPass. And I agree with the poster above, let's please keep this on topic.

If LastPass has no record of the master password, the issue of the master password being compromised must reside elsewhere...if this is actually a thing.
+1

In this day and age, it would be horrific malpractice for LastPass to have users' master passwords. It would be an obvious and unnecessary vulnerability. Indeed, according to LastPass "Please be aware that LastPass Support has no knowledge of a user's master password. It is not possible for LastPass Support to reset or change a user's master password if it is forgotten." If so, then the reports cannot be correct.

If this is a false statement, then they should be sued into oblivion.

Adding 2FA is also a good idea (belt + suspenders and all that). It appears LastPass supports various authenticator apps. This would be the easiest option for most. This makes it easy to have multiple authentication devices for shared accounts.
“I am losing precious days. I am degenerating into a machine for making money. I am learning nothing in this trivial world of men. I must break away and get out into the mountains...” -- John Muir
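The "no knowledge of the master password" claim quoted by sycamore and DoTheMath above describes a design pattern rather than a promise about storage discipline: the client derives every secret from the master password locally and sends the server only a value that can confirm a login. The sketch below is an added illustration of that pattern, not LastPass's own code; the iteration counts, the use of the email address as salt, and the one-extra-round construction for the login credential are assumptions chosen for clarity.

```python
"""Sketch of the zero-knowledge master-password pattern that hosted password
managers describe: everything secret is derived on the client, and the server
keeps only a value that can confirm a login but cannot recover the master
password or the vault key. Added example with assumed parameters; it is not
LastPass's code and the iteration counts are illustrative."""
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000  # assumed; products tune this for their threat model
SERVER_ITERATIONS = 1_000    # assumed; slows offline guessing if the server DB leaks


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side. The vault key decrypts the password vault locally and is
    never transmitted; the lower-cased email acts as a per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(),
        CLIENT_ITERATIONS, dklen=32,
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side. One extra PBKDF2 round with the roles swapped yields a
    login credential that does not reveal the vault key (PBKDF2 is one-way)."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1, dklen=32,
    )


class ZeroKnowledgeServer:
    """Server side. Stores a salted, stretched hash of the auth hash only."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _stretch(auth_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)

    def register(self, email: str, auth_hash: bytes) -> None:
        salt = os.urandom(16)
        self._records[email] = (salt, self._stretch(auth_hash, salt))

    def login(self, email: str, auth_hash: bytes) -> bool:
        record = self._records.get(email)
        if record is None:
            return False
        salt, stored = record
        # Constant-time compare avoids leaking how many leading bytes matched.
        return hmac.compare_digest(self._stretch(auth_hash, salt), stored)

    def breach_dump(self) -> dict[str, tuple[bytes, bytes]]:
        """Everything an attacker would obtain from the server database."""
        return dict(self._records)


def stored_value_reveals_secrets(server: ZeroKnowledgeServer, email: str,
                                 vault_key: bytes, auth_hash: bytes) -> bool:
    """True if the server record equals either client-side secret, i.e. if the
    'no knowledge of the master password' claim would be false."""
    _salt, stored = server.breach_dump()[email]
    return stored in (vault_key, auth_hash)


if __name__ == "__main__":
    email, password = "alice@example.com", "correct horse battery staple"  # constructed
    vault_key = derive_vault_key(password, email)
    auth_hash = derive_auth_hash(vault_key, password)
    server = ZeroKnowledgeServer()
    server.register(email, auth_hash)
    print("login ok:", server.login(email, auth_hash))
    wrong = derive_auth_hash(derive_vault_key("guess", email), "guess")
    print("wrong password accepted:", server.login(email, wrong))
    print("server record leaks a client secret:",
          stored_value_reveals_secrets(server, email, vault_key, auth_hash))
```

The point the thread circles around follows directly from the split: the server can verify a login and block an unfamiliar device, but it cannot reset a forgotten master password, and a copy of its database gives an attacker only a slow, salted hash to guess against. It also shows why the reports in the thread were consistent with reused or guessed passwords rather than a server-side leak: the correct auth hash has to be computed on a client that already knows the master password.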
countmein
Posts: 653
Joined: Fri Dec 06, 2013 8:10 pm

Re: Report of leaked LastPass master passwords

Post by countmein »

Use a cerebro-algorithmic password system: a master algorithm for every account that is also specific to that account. Unhackable, but you will need a backup in place if you become mentally disabled.
mouth
Posts: 654
Joined: Sun Apr 19, 2015 6:40 am

Re: Report of leaked LastPass master passwords

Post by mouth »

sk.dolcevita wrote: Tue Dec 28, 2021 9:05 am
Cody wrote: Tue Dec 28, 2021 8:47 am Several days ago I posted a LastPass complaint about support (really no support as the support pull-down in my paid version of LP is dead).

Could we spend a bit more time directly with this latest problem?

Step 1: change your master password. (easy)

Step 2: set up 2FA. (easy but inconvenient if you have 2 different users, as one phone # would be used to authenticate. I'll call that the master mobile phone number. The second person does not have easy access to that phone and therefore they must access that phone to get the code.)

Is there a workaround for that problem of one family member (wife in this case) not having easy access to the master mobile phone number?
You can use Authy.

Or you can take a picture of the QR code with both phones when setting up 2FA for an account.

On another note - I use KeePass. It probably is not as user friendly as LastPass, etc., but I feel more reassured using it. I do have a copy of the KeePass db on Dropbox as there is no other option if one needs access on multiple devices. The master password is 17 characters long and consists of lower- and upper-case letters, numbers and special characters. And then there is the 2FA key that resides only locally.
Google Authenticator has allowed backup / duplication of keys for well over a year now. Not saying not to use Authy (it had backups before google), just that there ARE ways to have the same key on multiple devices without having to do it at the moment of creation.

KeePass w/yubikey user here as well :sharebeer. But I still don't put it online. My pattern of life allows me to avoid needing my passwords on the go for all but the most trivial things.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Report of leaked LastPass master passwords

Post by squirm »

It's not like these actors cracked the passwords (how would you decrypt AES-128 or 256-bit anyway?). I bet they got hold of existing email addresses and passwords, then tried the combination on various sites including LastPass, and voila, they were able to get into some of them. People need to understand never to reuse passwords. The best thing is 2FA with a complex password. You can even use a secret email address with LastPass. Also go through your LastPass options and check or uncheck certain things, such as only allowing logins from your country; verify your trusted devices; and never log in from a public computer, or at least use the one-time password if you do.
Last edited by squirm on Tue Dec 28, 2021 10:59 am, edited 1 time in total.
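Two of the checks recommended in this thread (VictorStarr's "check the IPs of latest logins" and squirm's "only allow logins from your country") are easy to express as code over a login history, and the same data shows the pattern squirm describes: one source IP trying a leaked email/password list against many accounts. The example below is added here and is not from any post or from LastPass; the log format, field names, accounts and documentation-range IP addresses are all constructed for illustration.

```python
"""Checks a user would run over their own login history, and a service over
its auth log: attempts from countries outside an allowlist, and single source
IPs touching many distinct accounts (the credential-stuffing signature).
Added example over a constructed log format; every line below is made up."""
import re
from collections import defaultdict

# Constructed sample. "blocked/unknown_device" models the notification in the
# thread: the password was correct, but the device or location was new.
SAMPLE_LOG = """\
2021-12-27T19:48:02Z account=alice@example.com ip=192.0.2.10 country=US result=success reason=-
2021-12-27T19:52:17Z account=alice@example.com ip=203.0.113.7 country=BR result=blocked reason=unknown_device
2021-12-27T19:52:31Z account=bob@example.com ip=203.0.113.7 country=BR result=blocked reason=unknown_device
2021-12-27T19:52:45Z account=carol@example.com ip=203.0.113.7 country=BR result=blocked reason=unknown_device
2021-12-27T20:05:09Z account=dave@example.com ip=198.51.100.23 country=TH result=blocked reason=unknown_device
2021-12-27T20:11:40Z account=alice@example.com ip=192.0.2.10 country=US result=success reason=-
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>\w+) reason=(?P<reason>\S+)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse lines into dicts, skipping anything that does not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def foreign_logins(events: list[dict], allowed_countries: set[str]) -> list[dict]:
    """Attempts (successful or blocked) from outside the countries the user expects."""
    return [e for e in events if e["country"] not in allowed_countries]


def stuffing_sources(events: list[dict], min_accounts: int = 3) -> dict[str, int]:
    """Source IPs that tried at least min_accounts distinct accounts. One IP
    walking a leaked email/password list looks like this; a single user who
    mistyped their password does not."""
    accounts_by_ip: dict[str, set[str]] = defaultdict(set)
    for e in events:
        accounts_by_ip[e["ip"]].add(e["account"])
    return {ip: len(accs) for ip, accs in accounts_by_ip.items() if len(accs) >= min_accounts}


def account_history(events: list[dict], account: str) -> list[tuple[str, ...]]:
    """(timestamp, ip, country, result) rows for one account: the view to check
    after a 'login attempt blocked' email."""
    return [(e["ts"], e["ip"], e["country"], e["result"])
            for e in events if e["account"] == account]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("outside allowlist:", [(e["account"], e["ip"], e["country"]) for e in foreign_logins(events, {"US"})])
    print("stuffing sources:", stuffing_sources(events))
    for row in account_history(events, "alice@example.com"):
        print("alice:", row)
```

For the user, the `account_history` view is what to read after the notification email: a blocked attempt from a country you have never visited means the password was known to someone else and should be changed, whatever 2FA did. For the service, `stuffing_sources` is the signal that distinguishes a credential-stuffing run from ordinary user error and justifies rate-limiting or blocking the source rather than each account.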
mouth
Posts: 654
Joined: Sun Apr 19, 2015 6:40 am

Re: Report of leaked LastPass master passwords

Post by mouth »

countmein wrote: Tue Dec 28, 2021 10:16 am Use a cerebro-algorithmic password system: a master algorithm for every account that is also specific to that account. Unhackable, but you will need a backup in place if you become mentally disabled.
This is demonstrably untrue and a bad idea. Whatever "algorithm" you come up with is almost surely something that is guessable / already thought of by a hacker. The hacker doesn't have to guess your algorithm exactly to narrow the search space to start an effective attack against a breached password database in which your credentials reside.

Any algorithm your brain can think of and remember isn't robust enough to withstand an attack, and if you make it complex enough to hold up AND not reuse passwords for similar accounts, it is likely going to be impossible to actually remember.

And despite my use of the word "you" I'm not suggesting a scenario where "you" are targeted. Breaches don't work that way, but they DO leverage all of the common variations of "algorithms" to extract passwords and then they start to get creative.

https://www.youtube.com/watch?v=7U-RbOKanYs
Second Round
Posts: 240
Joined: Thu Sep 30, 2021 8:16 am

Re: Report of leaked LastPass master passwords

Post by Second Round »

FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
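The arithmetic behind Second Round's claim is worth seeing once: each word drawn uniformly from the 7776-word Diceware list contributes log2(7776), about 12.9 bits, so six words give about 77.5 bits, which takes 14 characters of random mixed-case alphanumerics to match. The example below is added here and is not from the post; the 36-word list is a constructed stand-in for the real Diceware list (keyed by two dice rather than five so it fits on the page), and the guess rate used for the time estimate is an assumption.

```python
"""Diceware passphrase generation plus the entropy arithmetic behind the
claim that a few random words match a much longer random character string.
Added example; the 36-entry word list is a constructed stand-in for the real
7776-word Diceware list, and the guess rate is an assumption."""
import math
import secrets

REAL_DICEWARE_WORDS = 7776  # 6**5: five dice rolls index one word
ALPHANUMERIC_SIZE = 62      # A-Z, a-z, 0-9

# Constructed toy list keyed by two dice rolls ("11".."66", 36 entries).
_TOY_WORDS = (
    "able acid aged also area army away baby back ball band bank "
    "base bath bear beat been beer bell belt best bird blow blue "
    "boat body bomb bond bone book boom born boss both bowl bulk"
).split()
SAMPLE_WORDS = {
    f"{a}{b}": word
    for (a, b), word in zip([(a, b) for a in range(1, 7) for b in range(1, 7)], _TOY_WORDS)
}


def roll_dice(rolls: int) -> str:
    """Roll `rolls` dice with the OS CSPRNG (secrets), never random.random()."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def diceware_passphrase(n_words: int, wordlist: dict[str, str]) -> str:
    """Pick n_words by rolling as many dice as the list's keys are long.
    Every word is chosen uniformly, which is what makes the entropy count valid."""
    rolls_per_word = len(next(iter(wordlist)))
    return " ".join(wordlist[roll_dice(rolls_per_word)] for _ in range(n_words))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def equivalent_length(bits: float, alphabet_size: int) -> int:
    """Fewest symbols from `alphabet_size` that reach at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("toy passphrase:", diceware_passphrase(6, SAMPLE_WORDS))
    for words in (4, 5, 6, 7):
        bits = entropy_bits(REAL_DICEWARE_WORDS, words)
        print(f"{words} Diceware words: {bits:.1f} bits, "
              f"~ {equivalent_length(bits, ALPHANUMERIC_SIZE)} random alphanumerics, "
              f"{years_to_exhaust(bits, 1e12):,.0f} years at 1e12 guesses/s (assumed rate)")
```

The estimate only holds if the words are chosen by dice or a CSPRNG; a phrase the user composes from favourite words has far less entropy than the word count suggests, which is the same objection mouth raised against memorised "algorithms" above. The toy list reproduces the mechanism but not the strength: with 36 words each word is worth only about 5.2 bits, so never use a list that short for a real passphrase.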
countmein
Posts: 653
Joined: Fri Dec 06, 2013 8:10 pm

Re: Report of leaked LastPass master passwords

Post by countmein »

mouth wrote: Tue Dec 28, 2021 10:55 am
countmein wrote: Tue Dec 28, 2021 10:16 am Use a cerebro-algorithmic password system: a master algorithm for every account that is also specific to that account. Unhackable, but you will need a backup in place if you become mentally disabled.
This is demonstrably untrue and a bad idea. Whatever "algorithm" you come up with is almost surely something that is guessable / already thought of by a hacker. The hacker doesn't have to guess your algorithm exactly to narrow the search space to start an effective attack against a breached password database in which your credentials reside.

Any algorithm your brain can think of and remember isn't robust enough to withstand an attack, and if you make it complex enough to hold up AND not reuse passwords for similar accounts, it is likely going to be impossible to actually remember.

And despite my use of the word "you" I'm not suggesting a scenario where "you" are targeted. Breaches don't work that way, but they DO leverage all of the common variations of "algorithms" to extract passwords and then they start to get creative.

https://www.youtube.com/watch?v=7U-RbOKanYs
First of all, how many hackers are sitting around guessing at one's personal mental algorithm? They don't work that way. Second, the algorithm incorporates personal history and associations, like security questions but deeper once you integrate associations.

There is zero chance anybody on earth can guess the algorithm and it wouldn't be economical to try. That isn't the risk. The risk is that it's all in my head and what if something happens to said head.
ThankYouJack
Posts: 5704
Joined: Wed Oct 08, 2014 7:27 pm

Re: Report of leaked LastPass master passwords

Post by ThankYouJack »

Even if someone knows your master password, don't most password managers have multiple levels of protection? With LastPass, would a hacker also need to know your account key and have access to your email account to get access to your password vault?
Second Round wrote: Tue Dec 28, 2021 11:48 am FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
My concern with this would be forgetting the long random passphrase. I remember a post from the past where the OP forgot his master password and it was a massive hassle having to access and update all of his accounts.
sperry8
Posts: 3065
Joined: Sat Mar 29, 2008 9:25 pm
Location: Miami FL

Re: Report of leaked LastPass master passwords

Post by sperry8 »

VictorStarr wrote: Mon Dec 27, 2021 7:48 pm Today a number of people reported unauthorized attempts to log in to their LastPass accounts using a valid master password (https://news.ycombinator.com/item?id=29705957). This may indicate a potential leak of LastPass passwords. Check your email for messages titled “LastPass Security Notification: Login attempt blocked”.

There is no reason to panic, but if you have a LastPass account it is prudent to
- change your LastPass password
- enable 2FA for LastPass using an authenticator app (if you do not have 2FA enabled)
- if you reused your LastPass password, change the passwords of other accounts too
- check the IPs of the latest logins to your LastPass account (reports listed Brazil and Thailand IPs used by attackers)
Fake news it appears:

https://support.logmeininc.com/lastpass ... e-lp070015
Second Round
Posts: 240
Joined: Thu Sep 30, 2021 8:16 am

Re: Report of leaked LastPass master passwords

Post by Second Round »

ThankYouJack wrote: Tue Dec 28, 2021 1:05 pm Even if someone knows your master password, don't most password managers have multiple levels of protection? With LastPass, would a hacker also need to know your account key and have access to your email account to get access to your password vault?
Second Round wrote: Tue Dec 28, 2021 11:48 am FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
My concern with this would be forgetting the long random passphrase. I remember a post from the past where the OP forgot his master password and it would be a massive hassle having to access and update all of his accounts.
I get in my password database daily, often more than once; in less than a week I had the passphrase memorized. You can have the phrase written down and locked up as backup (I do).

You need some way of getting in to your database to use it, so I'd think the alternative is to trust some application (like a browser or browser extension) to memorize it for you. As I've seen too many browser extensions prove to have security vulnerabilities or even be plain malware themselves, I prefer to just start the KeePass program locally (KeePass2, or KeePassDX). You don't have to use a second factor for opening the database (it'll work with passphrase alone), but you can require a keyfile in addition to the passphrase.

Can't speak for how one accesses the LastPass vault. Is it not a subscription service? Subject to change in terms, features, conditions? That's not an appealing set of characteristics to me.
User avatar
Topic Author
VictorStarr
Posts: 746
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Report of leaked LastPass master passwords

Post by VictorStarr »

sperry8 wrote: Tue Dec 28, 2021 1:23 pm
VictorStarr wrote: Mon Dec 27, 2021 7:48 pm Today a number of people reported unauthorized attempts to login to their LastPass accounts using a valid master password (https://news.ycombinator.com/item?id=29705957). This may indicate a potential leak of LastPass passwords. Check your email for messages titled “LastPass Security Notification: Login attempt blocked”.

There is no reason to panic but if you have a LastPass account it is prudent to
- change your LastPass password
- enable 2FA for LastPass using an authenticator app (if you do not have 2FA enabled)
- if you reused your LastPass password, change the passwords of other accounts too
- check IPs of latest logins to LastPass account (reports listed Brazil and Thailand IPs used by attackers)
Fake news it appears:

https://support.logmeininc.com/lastpass ... e-lp070015
See my earlier response: viewtopic.php?p=6408502#p6408502
User avatar
Tyler9000
Posts: 740
Joined: Fri Aug 21, 2015 11:57 am

Re: Report of leaked LastPass master passwords

Post by Tyler9000 »

Here is an official response from LastPass:
LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.
https://www.howtogeek.com/776450/lastpa ... -password/
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Report of leaked LastPass master passwords

Post by squirm »

Tyler9000 wrote: Tue Dec 28, 2021 2:32 pm Here is an official response from LastPass:
LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.
https://www.howtogeek.com/776450/lastpa ... -password/
Thanks for that, as I use LastPass, although I am not surprised by this method as I wrote earlier... It's not like someone can crack 128 or 256 bit encryption anyways.
mouth
Posts: 654
Joined: Sun Apr 19, 2015 6:40 am

Re: Report of leaked LastPass master passwords

Post by mouth »

countmein wrote: Tue Dec 28, 2021 12:46 pm
mouth wrote: Tue Dec 28, 2021 10:55 am
countmein wrote: Tue Dec 28, 2021 10:16 am Use a cerebro-algorithmic password system-- a master algorithm for every account that is also specific to that account. Unhackable, but you will need a back up in place if you become mentally disabled.
This is demonstrably untrue and a bad idea. Whatever "algorithm" you come up with is almost surely something that is guessable / already thought of by a hacker. The hacker doesn't have to guess your algorithm exactly to narrow the search space to start an effective attack against a breached password database in which your credentials reside.

Any algorithm your brain can think of and remember isn't robust enough to withstand an attack and if you make it complex enough to hold up AND not reuse passwords for similar accounts is likely going to be impossible to actually remember.

And despite my use of the word "you" I'm not suggesting a scenario where "you" are targeted. Breaches don't work that way, but they DO leverage all of the common variations of "algorithms" to extract passwords and then they start to get creative.

https://www.youtube.com/watch?v=7U-RbOKanYs
First of all, how many hackers are sitting around guessing at one's personal mental algorithm? They don't work that way. Second, the algorithm incorporates personal history and associations, like security questions but deeper once you integrate associations.

There is zero chance anybody on earth can guess the algorithm and it wouldn't be economical to try. That isn't the risk. The risk is that it's all in my head and what if something happens to said head.
I'm aware hackers don't target one person's mental algorithm. In fact I said exactly that very specifically when I said,
And despite my use of the word "you" I'm not suggesting a scenario where "you" are targeted. Breaches don't work that way
There is a very good chance someone could guess the algorithm because a person doesn't have to. You mention security questions, that means answers with words which will be in a breached database hacker's dictionary attack. Then they will add rules to those words to come up with many combinations / variations. That includes "associations" which might also be words, site names, etc. It would be VERY economical to try.

I suggest you watch the video I posted. Which is from 2016 and a LOT has happened in computing, hacking tools, and dictionaries since then. The moment you have a password with ANY word found in ANY dictionary on earth you have SIGNIFICANTLY reduced the search space to something VERY economical to search through. You can't control the web site's choice of hashing algorithm so password complexity is your only leverage. Obscurity is not a lever that works.
mouth
Posts: 654
Joined: Sun Apr 19, 2015 6:40 am

Re: Report of leaked LastPass master passwords

Post by mouth »

ThankYouJack wrote: Tue Dec 28, 2021 1:05 pm Even if someone knows your master password, don't most password managers have multiple levels of protection? With LastPass, would a hacker also need to know your account key and have access to your email account to get access to your password vault?
Second Round wrote: Tue Dec 28, 2021 11:48 am FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
My concern with this would be forgetting the long random passphrase. I remember a post from the past where the OP forgot his master password and it would be a massive hassle having to access and update all of his accounts.
Two solutions. First off, you're typing it often enough to remember it better than multiple passwords. Second, you can write it down and put it in a lock box. If someone breaks into your house you have bigger problems AND you know it happened so you can start changing passwords. Heck, DON'T put it in a lock box. Hide it in something no one will steal, even a book, but is easy access for you. Your threat surface is WAY smaller if they have to steal a piece of paper from your actual house vs. "cyber space" where they are guessing your non-random, possibly reused, hashed-password residing in a database they stole from a web server. Because that is how it's done and your only defense is password complexity.

As for LastPass itself, this is why they don't store your password at all. All database decryption happens on your hardware so the plaintext result only exists on your machine as does the database decryption password. If your machine itself has been hacked, or someone steals it, all bets are off because losing physical security is the end of the ball game and you better start changing passwords / making phone calls like your digital life depends on it. And again, WAY smaller of a threat footprint than having easy to guess passwords floating out there in the ether.
mouth
Posts: 654
Joined: Sun Apr 19, 2015 6:40 am

Re: Report of leaked LastPass master passwords

Post by mouth »

Second Round wrote: Tue Dec 28, 2021 1:52 pm , but you can require a keyfile in addition to the passphrase.
Good news, you can use a Yubikey with KP as well. It is effectively nothing more than a keyfile (aka a long string of random characters added to the master key for decryption) but it isn't stored in plain text on your machine and can be made to require a finger press to trigger. So a keyfile on steroids.
ThankYouJack
Posts: 5704
Joined: Wed Oct 08, 2014 7:27 pm

Re: Report of leaked LastPass master passwords

Post by ThankYouJack »

mouth wrote: Tue Dec 28, 2021 4:01 pm
ThankYouJack wrote: Tue Dec 28, 2021 1:05 pm Even if someone knows your master password, don't most password managers have multiple levels of protection? With LastPass, would a hacker also need to know your account key and have access to your email account to get access to your password vault?
Second Round wrote: Tue Dec 28, 2021 11:48 am FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
My concern with this would be forgetting the long random passphrase. I remember a post from the past where the OP forgot his master password and it would be a massive hassle having to access and update all of his accounts.
Two solutions. First off, you're typing it often enough to remember it better than multiple passwords. Second, you can write it down and put it in a lock box. If someone breaks into your house you have bigger problems AND you know it happened so you can start changing passwords. Heck, DON'T put it in a lock box. Hide it in something no one will steal, even a book, but is easy access for you. Your threat surface is WAY smaller if they have to steal a piece of paper from your actual house vs. "cyber space" where they are guessing your non-random, possibly reused, hashed-password residing in a database they stole from a web server. Because that is how it's done and your only defense is password complexity.

As for LastPass itself, this is why they don't store your password at all. All database decryption happens on your hardware so the plaintext result only exists on your machine as does the database decryption password. If your machine itself has been hacked, or someone steals it, all bets are off because losing physical security is the end of the ball game and you better start changing passwords / making phone calls like your digital life depends on it. And again, WAY smaller of a threat footprint than having easy to guess passwords floating out there in the ether.
I am a big fan of password managers. I'm just thinking about the risk/convenience factor for using a really long password as your password manager pw (say more than 12-15 characters). I'd feel pretty safe with a 12 character password for my password manager if someone also needs access to my account key and email account to get access to my password vault.

I want to be more secure than the majority of people out there, but don't want to get paranoid with the what ifs and feel I need a 30+ character long password to stay secure.
Second Round
Posts: 240
Joined: Thu Sep 30, 2021 8:16 am

Re: Report of leaked LastPass master passwords

Post by Second Round »

mouth wrote: Tue Dec 28, 2021 3:53 pm I suggest you watch the video I posted. Which is from 2016 and a LOT has happened in computing, hacking tools, and dictionaries since them. The moment you have a password with ANY word found in ANY dictionary on earth you have SIGNIFICANTLY reduced the search space to something VERY economical to search through. You can't control the web site's choice of hashing algorithm so password complexity is your only leverage. Obscurity is not a lever that works.
That's an excellent video, has me thinking about the Diceware method. For a dictionary of 8000 words, and say 7 words long, you're talking about 2x 10^27 combinations (roughly). If your pw db is not online and the (hashed) password is not stored online or even nominally offline by another entity, is it really bad to be using such a passphrase?

If nothing else, this discussion has increased my interest in adding a hardware security key - to as many logins as I can (and for my pw db).

Edit: video that was shot right after the one you recommended does address my question to you - looks good for passphrases, though he does not specifically address the Diceware method(s) of randomization / selection.
Last edited by Second Round on Tue Dec 28, 2021 5:30 pm, edited 1 time in total.
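The Diceware arithmetic in the post above, worked through as an added example (not code from the thread or from any password manager): it computes the combination count and entropy for a word list of a given size, the length of a mixed-case-plus-digits string with the same entropy, and generates a passphrase with the standard five-dice lookup. The tiny word list and the guess rate are constructed stand-ins, labelled as such.

```python
import math
import secrets

# Number of distinct passphrases: list_size ** n_words.
# For the post's figures (8000 words, 7 long) this is about 2.1e27.
def combinations(list_size: int, n_words: int) -> int:
    return list_size ** n_words

# Entropy in bits: each word contributes log2(list_size) bits because
# it is chosen uniformly at random (dice), independent of the others.
def entropy_bits(list_size: int, n_words: int) -> float:
    return n_words * math.log2(list_size)

# How long a uniformly random string over an alphabet of alphabet_size
# symbols must be to carry at least `bits` bits of entropy. 62 = upper +
# lower + digits, the "mixed-case letters and numbers" string in the thread.
def equivalent_random_chars(bits: float, alphabet_size: int = 62) -> int:
    return math.ceil(bits / math.log2(alphabet_size))

# Standard Diceware: five six-sided dice per word, read as a base-6 number,
# so indices run 0..7775 over a 7776-word list.
def dice_to_index(rolls: list[int]) -> int:
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five rolls in 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index

# Roll the dice with the OS CSPRNG (secrets), never random.random().
def roll_dice(n: int = 5) -> list[int]:
    return [secrets.randbelow(6) + 1 for _ in range(n)]

# Pick n_words from the list. A full 7776-word list uses dice_to_index;
# any other list size falls back to a uniform secrets.choice, which is
# the same distribution a fair set of dice gives.
def generate_passphrase(wordlist: list[str], n_words: int) -> list[str]:
    if len(wordlist) == 7776:
        return [wordlist[dice_to_index(roll_dice())] for _ in range(n_words)]
    return [secrets.choice(wordlist) for _ in range(n_words)]

# Average time to find one passphrase by brute force is half the keyspace
# divided by the guess rate; the rate is a parameter, not a measurement.
def expected_years_to_crack(list_size: int, n_words: int, guesses_per_second: float) -> float:
    seconds = combinations(list_size, n_words) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

# Constructed stand-in for a real word list (a real one has 7776 entries).
DEMO_WORDLIST = ["apple", "brick", "cloud", "delta", "ember", "frost", "grape", "hinge"]

if __name__ == "__main__":
    words = generate_passphrase(DEMO_WORDLIST, 7)
    bits = entropy_bits(len(DEMO_WORDLIST), 7)
    print(" ".join(words), f"({bits:.1f} bits from an 8-word demo list)")
    print(f"8000-word list, 7 words: {combinations(8000, 7):.2e} combinations,")
    print(f"{entropy_bits(8000, 7):.1f} bits, same as a {equivalent_random_chars(entropy_bits(8000, 7))}-char random [A-Za-z0-9] string")
    # Assumed offline rate of 1e12 guesses/s, labelled as an assumption.
    print(f"~{expected_years_to_crack(8000, 7, 1e12):.2e} years at 1e12 guesses/s")
```

Whether that keyspace is enough also depends on the hash the database uses, which is the point mouth makes above: a slow KDF multiplies the cost per guess, a fast unsalted hash does not.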
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Report of leaked LastPass master passwords

Post by squirm »

mouth wrote: Tue Dec 28, 2021 4:01 pm
ThankYouJack wrote: Tue Dec 28, 2021 1:05 pm Even if someone knows your master password, don't most password managers have multiple levels of protection? With LastPass, would a hacker also need to know your account key and have access to your email account to get access to your password vault?
Second Round wrote: Tue Dec 28, 2021 11:48 am FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
My concern with this would be forgetting the long random passphrase. I remember a post from the past where the OP forgot his master password and it would be a massive hassle having to access and update all of his accounts.
Two solutions. First off, you're typing it often enough to remember it better than multiple passwords. Second, you can write it down and put it in a lock box. If someone breaks into your house you have bigger problems AND you know it happened so you can start changing passwords. Heck, DON'T put it in a lock box. Hide it in something no one will steal, even a book, but is easy access for you. Your threat surface is WAY smaller if they have to steal a piece of paper from your actual house vs. "cyber space" where they are guessing your non-random, possibly reused, hashed-password residing in a database they stole from a web server. Because that is how it's done and your only defense is password complexity.

As for LastPass itself, this is why they don't store your password at all. All database decryption happens on your hardware so the plaintext result only exists on your machine as does the database decryption password. If your machine itself has been hacked, or someone steals it, all bets are off because losing physical security is the end of the ball game and you better start changing passwords / making phone calls like your digital life depends on it. And again, WAY smaller of a threat footprint than having easy to guess passwords floating out there in the ether.
That's what I do, it's written down except for one small word at the end. It's out of sight in the house. Even if someone finds it they won't know what it is and even if they try they don't have the whole password.
twh
Posts: 1775
Joined: Sat Feb 08, 2020 2:15 pm

Re: Report of leaked LastPass master passwords

Post by twh »

The whole idea of a password manager is a bad idea. And, having a browser extension makes it worse. And, the cloud, even more so.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Report of leaked LastPass master passwords

Post by squirm »

Second Round wrote: Tue Dec 28, 2021 5:13 pm
mouth wrote: Tue Dec 28, 2021 3:53 pm I suggest you watch the video I posted. Which is from 2016 and a LOT has happened in computing, hacking tools, and dictionaries since them. The moment you have a password with ANY word found in ANY dictionary on earth you have SIGNIFICANTLY reduced the search space to something VERY economical to search through. You can't control the web site's choice of hashing algorithm so password complexity is your only leverage. Obscurity is not a lever that works.
That's an excellent video, has me thinking about the Diceware method. For a dictionary of 8000 words, and say 7 words long, you're talking about 2x 10^27 combinations (roughly). If your pw db is not online and the (hashed) password is not stored online or even nominally offline by another entity, is it really bad to be using such a passphrase?

If nothing else, this discussion has increased my interest in adding a hardware security key - to as many logins as I can (and for my pw db).
But the passwords get salted too.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Report of leaked LastPass master passwords

Post by mptfan »

mouth wrote: Tue Dec 28, 2021 4:04 pm Good news, you can use a Yubikey with KP as well. It is effectively nothing more than a keyfile (aka a long string of random characters added to the master key for decryption) but it isn't stored in plain text on your machine and can be made to require a finger press to trigger. So a keyfile on steroids.
It's actually more than that.