Report of leaked LastPass master passwords

AlphaLess
Posts: 3409
Joined: Fri Sep 29, 2017 11:38 pm
Location: Kentucky

Re: Report of leaked LastPass master passwords

Post by AlphaLess »

brian91480 wrote: Mon Dec 27, 2021 7:55 pm Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?

If anything, it's a detriment to online security because any hacker can access every account you have.
I would say that services such as LastPass are created for convenience.
And for that convenience, they need to protect against hacking attempts.
But because they serve as centralized repositories of passwords, they also attract a lot of hackers.
I don't carry a signature because people are easily offended.
AlphaLess
Posts: 3409
Joined: Fri Sep 29, 2017 11:38 pm
Location: Kentucky

Post by AlphaLess »

Silence Dogood wrote: Mon Dec 27, 2021 9:10 pm I recommend securing your password manager (regardless of whichever one you use) with a security key (e.g., a Yubikey).

Best practice is to purchase a back-up key, in case your primary key becomes lost/stolen/damaged/etc.
Can you please elaborate on this?

ty
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Post by gavinsiu »

AlphaLess wrote: Sat Jan 15, 2022 10:43 pm I would say that services such as LastPass are created for convenience.
And for that convenience, they need to protect against hacking attempts.
But because they serve as centralized repositories of passwords, they also attract a lot of hackers.
A properly designed password vault should be in encrypted form and should not be decryptable without the master key. If they steal the data, it would be just gibberish. If you, for example, VeraCrypt something and store it in the cloud, assuming you use a properly secure passphrase, it would be really difficult to decrypt it and get at the content.

If you are still worried about that, there are password managers like Myki or KeePass that don't have a centralized repository. KeePass, for example, has to be manually copied. In my opinion, most centralized repositories are secure enough.
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Post by gavinsiu »

AlphaLess wrote: Sat Jan 15, 2022 10:49 pm Can you please elaborate on this?

ty
If you use a hardware key, you really need a backup. Let's say your key is stolen or destroyed or lost; you would not be able to log in without the key. There would be no way to recover and your account would be toast. You would need to use the backup key to log in and add a new key to replace the one you lost.

This is why hardware keys are not popular. Vendors are more concerned with people being locked out than with security. People are terrible at doing backups. As a result, they often add a recovery method that doesn't use the hardware key. However, since the recovery method exists, hackers will just use the recovery method to bypass the hardware key.
Nicolas
Posts: 4923
Joined: Wed Aug 22, 2012 7:41 am

Post by Nicolas »

gavinsiu wrote: Sat Jan 15, 2022 10:36 pm
Nicolas wrote: Sat Jan 15, 2022 9:40 pm LastPass supports Yubikey and it works great.
The last time I checked (a year or two ago?), LastPass supported Yubikey OTP but not U2F. I don't think the OTP is any stronger than, say, an OTP from a different device.
I did not know that. It seems to still be the case unfortunately. If support is not provided by the time my premium subscription is up for renewal, or even before then, I may jump-ship. It appears that the competing 1Password does support U2F, do you concur?
Last edited by Nicolas on Sat Jan 15, 2022 11:34 pm, edited 3 times in total.
brian91480
Posts: 683
Joined: Fri Jan 29, 2021 6:44 pm
Location: Minnesota

Post by brian91480 »

AlphaLess wrote: Sat Jan 15, 2022 10:43 pm
brian91480 wrote: Mon Dec 27, 2021 7:55 pm Do I need to state the obvious irony... this entire industry exists for the sole reason of stopping this specific thing from happening? What's the point of it all if the password can't stay secure?

If anything, it's a detriment to online security because any hacker can access every account you have.
I would say that services such as LastPass are created for convenience.
And for that convenience, they need to protect against hacking attempts.
But because they serve as centralized repositories of passwords, they also attract a lot of hackers.
I'm sorry... but that's a ridiculous take. It's not about convenience. If a person wants convenience, then just make all your passwords "Password123".

This industry is about security. If these sites are hackable, then you have even less security than if you stored passwords the old-fashioned way before sites like Last Pass existed.... by writing each password down on a piece of paper and putting that in a safe.

--- Brian
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Post by gavinsiu »

Nicolas wrote: Sat Jan 15, 2022 11:18 pm I did not know that. It seems to still be the case unfortunately. If support is not provided by the time my premium subscription is up for renewal, or even before then, I may jump-ship. It appears that the competing 1Password does support U2F, do you concur?
Yes, for some reason LastPass has resisted going to a FIDO2 implementation that would be more secure. Bitwarden also supports FIDO2. Before you switch though, make sure you try out the new password manager. It's likely that it will work differently or lack features specific to LastPass. When LastPass announced that they were removing features from the free version, a lot of people bailed and went to competing password managers but then complained that they work differently. Just make sure that you like the interface before jumping ship.

One reason I can think of was probably that not everyone supported FIDO2 a few years ago. These days even holdouts like Safari support FIDO2, and even the original U2F/FIDO is being deprecated in Chrome next month.

In the case of going from LastPass to Bitwarden, the subscription cost went from $36 to $10 a year. LastPass did have a lot of extra features that were not used, so there wasn't an issue with switching.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Post by Northern Flicker »

VictorStarr wrote: Mon Dec 27, 2021 8:19 pm
sycamore wrote: Mon Dec 27, 2021 8:14 pm Those reports seem somewhat dubious as I understand that LastPass doesn't actually keep their users' master passwords.
One of the theories is that it is a spillover from an old vulnerability of the LastPass browser extension:
https://news.ycombinator.com/item?id=12171547
Inclusion of a browser in the Lastpass attack surface pretty much kills any chance I will ever use Lastpass.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Post by Northern Flicker »

twh wrote: Tue Dec 28, 2021 7:57 pm
lazydavid wrote: Tue Dec 28, 2021 6:34 pm
twh wrote: Tue Dec 28, 2021 5:15 pm The whole idea of a password manager is a bad idea. And, having a browser extension makes it worse. And, the cloud, even more so.
Pretty much every expert in computer security in the entire world disagrees with you, especially the first sentence. But you do you.
Have you seen the title of the thread? This is why it is a bad idea.
I use a password safe. It uses robust encryption, but is not stored on an internet-connected machine.
Nicolas
Posts: 4923
Joined: Wed Aug 22, 2012 7:41 am

Post by Nicolas »

gavinsiu wrote: Sat Jan 15, 2022 11:44 pm
Nicolas wrote: Sat Jan 15, 2022 11:18 pm I did not know that. It seems to still be the case unfortunately. If support is not provided by the time my premium subscription is up for renewal, or even before then, I may jump-ship. It appears that the competing 1Password does support U2F, do you concur?
Yes, for some reason LastPass has resisted going to a FIDO2 implementation that would be more secure. Bitwarden also supports FIDO2. Before you switch though, make sure you try out the new password manager. It's likely that it will work differently or lack features specific to LastPass. When LastPass announced that they were removing features from the free version, a lot of people bailed and went to competing password managers but then complained that they work differently. Just make sure that you like the interface before jumping ship.

One reason I can think of was probably that not everyone supported FIDO2 a few years ago. These days even holdouts like Safari support FIDO2, and even the original U2F/FIDO is being deprecated in Chrome next month.

In the case of going from LastPass to Bitwarden, the subscription cost went from $36 to $10 a year. LastPass did have a lot of extra features that were not used, so there wasn't an issue with switching.
Wirecutter from the New York Times reviewed password managers last month and recommended 1Password as its top pick. I’ll check the features first for sure. They offer a free two-week trial so there will be ample time.

Here’s the Wirecutter article but it’s probably behind NYT’s paywall. https://www.nytimes.com/wirecutter/revi ... -managers/

Bitwarden is also recommended but it lacks a password strength checker and doesn’t offer encrypted file storage, in case you’d like to save scans of your drivers license, passport, etc. there, which I do. (However, upon rereading that article these features are provided with their $10 per year premium plan, which is cheaper than both LastPass and 1Password).

And, by the way, here’s an article explaining LastPass’s Yubikey phishing weakness:
https://pberba.github.io/security/2020/ ... -phishing/
Last edited by Nicolas on Sun Jan 16, 2022 9:10 am, edited 1 time in total.
AlphaLess
Posts: 3409
Joined: Fri Sep 29, 2017 11:38 pm
Location: Kentucky

Post by AlphaLess »

gavinsiu wrote: Sat Jan 15, 2022 10:56 pm
AlphaLess wrote: Sat Jan 15, 2022 10:43 pm I would say that services such as LastPass are created for convenience.
And for that convenience, they need to protect against hacking attempts.
But because they serve as centralized repositories of passwords, they also attract a lot of hackers.
A properly designed password vault should be in encrypted form and should not be decryptable without the master key. If they steal the data, it would be just gibberish. If you, for example, VeraCrypt something and store it in the cloud, assuming you use a properly secure passphrase, it would be really difficult to decrypt it and get at the content.

If you are still worried about that, there are password managers like Myki or KeePass that don't have a centralized repository. KeePass, for example, has to be manually copied. In my opinion, most centralized repositories are secure enough.
I understand that concept.

However, that does not prevent hackers from attacking the central database of vaults.
Certainly, they will get the vault in encrypted form, but they may have hope that in the future they can obtain the decryption keys, e.g., by attacking the encrypted contents using some techniques.
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Post by gavinsiu »

Nicolas wrote: Sun Jan 16, 2022 8:37 am Wirecutter from the New York Times reviewed password managers last month and recommended 1Password as its top pick. I’ll check the features first for sure. They offer a free two-week trial so there will be ample time.

Here’s the Wirecutter article but it’s probably behind NYT’s paywall. https://www.nytimes.com/wirecutter/revi ... -managers/

Bitwarden is also recommended but it lacks a password strength checker and doesn’t offer encrypted file storage, in case you’d like to save scans of your drivers license, passport, etc. there, which I do. (Upon rereading that article these features are provided with their $10 per year premium plan).

And, by the way, here’s an article explaining LastPass’s Yubikey phishing weakness:
https://pberba.github.io/security/2020/ ... -phishing/
Personally, I think a lot of these things are not needed. Do you really need a password strength checker if you are going to use the password manager to generate passwords? Most password managers will allow you to store the license info and passport in your password manager's database. You also have to ask if you really need that info in the cloud in the first place.

As for the article, it's because LastPass uses Yubikey OTP instead of the FIDO implementation; the latter is more phish-proof.
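Added example (not from the thread, and not LastPass's or Yubico's code) of the OTP-versus-FIDO distinction gavinsiu draws above and that the pberba article Nicolas linked describes: a one-time code is just a string the user types, so a look-alike page can forward it to the real server; a FIDO assertion is a signature over the relying party's ID and the origin the browser saw, so the same relay fails twice over. The site names are constructed, and the authenticator's signature is modelled with an HMAC under a per-credential secret instead of the real ECDSA key pair (a real relying party stores only a public key); the RP-ID and origin checks are the protocol's actual mechanism.

```python
import hashlib
import hmac
import json
import secrets

# Added example; not LastPass's or Yubico's code. The FIDO "signature" is an HMAC
# under a per-credential secret shared by authenticator and relying party, a
# stand-in for the real ECDSA key pair. RP-ID/origin binding is modelled as-is.
REAL_ORIGIN = "https://vault.example"                    # constructed
PHISH_ORIGIN = "https://vault-example.login-help.test"   # constructed look-alike


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def rp_id_for_origin(origin: str) -> str:
    """Browser rule, simplified: a page may only use an RP ID that is its own
    registrable domain, so the look-alike page gets 'login-help.test'."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return ".".join(host.split(".")[-2:])


# --- one-time code (Yubikey OTP / HOTP style): a string the user types -----------
OTP_SECRET = secrets.token_bytes(20)   # shared by the token and the server


def otp_code(counter: int) -> str:
    return hmac.new(OTP_SECRET, counter.to_bytes(8, "big"), hashlib.sha1).hexdigest()[:8]


def otp_phishing_relay() -> bool:
    """The server sees only a code; nothing says which page the user typed it into."""
    captured = otp_code(1)                               # typed into the look-alike page
    return hmac.compare_digest(otp_code(1), captured)    # phisher forwards it: accepted


# --- FIDO / WebAuthn style: signature over RP-ID hash + client data hash ----------
class Authenticator:
    def __init__(self):
        self._creds = {}                                 # rp_id -> credential secret

    def make_credential(self, rp_id: str) -> bytes:
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]                        # real devices return a public key

    def get_assertion(self, rp_id: str, client_data: bytes) -> "tuple[bytes, bytes]":
        key = self._creds.get(rp_id)
        if key is None:
            raise LookupError(f"no credential for {rp_id}")
        auth_data = sha256(rp_id.encode())
        return auth_data, hmac.new(key, auth_data + sha256(client_data), hashlib.sha256).digest()


def browser_get_assertion(auth: Authenticator, page_origin: str, challenge: str) -> dict:
    """The browser, not the page, writes the origin into client data and picks the RP ID."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(rp_id_for_origin(page_origin), client_data)
    return {"client_data": client_data, "auth_data": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin, self.rp_id = origin, rp_id_for_origin(origin)
        self.key = self.challenge = None

    def register(self, auth: Authenticator) -> None:
        self.key = auth.make_credential(self.rp_id)

    def begin_login(self) -> str:
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def finish_login(self, assertion: dict) -> bool:
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != self.challenge:
            return False
        if cd.get("origin") != self.origin:              # the anti-phishing check
            return False
        if assertion["auth_data"] != sha256(self.rp_id.encode()):
            return False
        expected = hmac.new(self.key, assertion["auth_data"] + sha256(assertion["client_data"]),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def fido_legitimate_login() -> bool:
    auth, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.register(auth)
    return rp.finish_login(browser_get_assertion(auth, REAL_ORIGIN, rp.begin_login()))


def fido_phishing_relay() -> str:
    """Phisher fetches a real challenge and relays it to the victim on the look-alike page."""
    auth, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.register(auth)
    try:
        browser_get_assertion(auth, PHISH_ORIGIN, rp.begin_login())
    except LookupError as err:
        return str(err)              # browser asked for login-help.test: no such credential
    return "assertion produced"


def fido_forged_origin_rejected() -> bool:
    """Even with the real RP ID forced in, the signed client data names the phishing origin."""
    auth, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.register(auth)
    client_data = json.dumps({"type": "webauthn.get", "challenge": rp.begin_login(),
                              "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(rp.rp_id, client_data)
    return rp.finish_login({"client_data": client_data, "auth_data": auth_data, "signature": sig})
```

The two FIDO failure paths are the ones that matter in practice: the browser refuses to hand the phishing page a credential scoped to another domain, and if that were somehow bypassed the relying party still sees the wrong origin inside the signed data. An OTP has no field for either, which is why a relayed Yubikey OTP works exactly as well as the real one.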
lazydavid
Posts: 5155
Joined: Wed Apr 06, 2016 1:37 pm

Post by lazydavid »

Northern Flicker wrote: Sun Jan 16, 2022 3:02 am
VictorStarr wrote: Mon Dec 27, 2021 8:19 pm
sycamore wrote: Mon Dec 27, 2021 8:14 pm Those reports seem somewhat dubious as I understand that LastPass doesn't actually keep their users' master passwords.
One of the theories is that it is a spillover from an old vulnerability of the LastPass browser extension:
https://news.ycombinator.com/item?id=12171547
Inclusion of a browser in the Lastpass attack surface pretty much kills any chance I will ever use Lastpass.
Um, you do realize pretty much every password manager has an optional browser extension, right? If you don't like it, don't use it.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Post by squirm »

FYI,
LastPass saves a disabled OTP locally by default to aid in account recovery. I specifically turned that setting off. Same with SMS recovery option.

For those using LastPass, is there a good reason to increase the password iterations? I'm afraid if I increase it to, say, a million from the default, it might screw up something and I won't be able to log in again, which would give me painful angina.
RonMexico
Posts: 7
Joined: Thu Feb 04, 2021 1:10 pm

Post by RonMexico »

It sounds like there's a ton of misinformation flying around. As someone already said, none of these password managers actually stores your master password. They store a value that is derived from the password (called a salted hash) that can be used to verify that the password that the user supplied is correct but cannot be used to obtain the password.

According to the LastPass documentation, they use an algorithm called PBKDF2 for verifying master passwords, which is an industry standard method for doing password verification without actually storing the passwords. PBKDF2 and other algorithms like it (Argon2 is another algorithm that does the same thing) are designed to be resilient to brute force attacks so that even if the attacker obtains the database containing the salted hashes for all users and has massive amounts of computing power at their disposal, they will not be able to obtain any user passwords.
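Added example (not from the thread or from LastPass) of what RonMexico describes above and of the iteration-count question squirm raises: the server keeps a random salt, an iteration count and the PBKDF2 output, never the master password, and every guess against a stolen record costs the attacker one full run of the KDF. The record layout and the word list are assumptions for the demo; the 100,100 figure is the default LastPass documented at the time. The block also shows the caveat a practitioner would add to the "will not be able to obtain any user passwords" claim: stretching buys linear time, so a master password that appears on a common list still falls in milliseconds at any iteration count.

```python
import hashlib
import hmac
import secrets
import time

# Added example; not LastPass's code. The stored-record layout below (random salt,
# iteration count, PBKDF2-HMAC-SHA256 output) is an assumption for the demo.
DEFAULT_ITERATIONS = 100_100   # the default LastPass documented at the time

# Constructed stand-in for a real cracking word list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Password123", "iloveyou"]


def enroll(master_password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Create the stored record for a new user; the password itself is never kept."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, iterations, dklen=32)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive from the attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                    record["salt"], record["iterations"], dklen=32)
    return hmac.compare_digest(candidate, record["verifier"])


def crack(record: dict, wordlist) -> "str | None":
    """What someone holding a stolen record can do: guess. Each guess costs the
    full iteration count, which is the only protection the KDF provides."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure the per-guess cost at a given iteration count on this machine."""
    record = enroll("benchmark-only", iterations)
    start = time.perf_counter()
    for _ in range(samples):
        verify(record, "wrong-guess")
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = enroll("Password123", iterations=5_000)
    strong = enroll("ochre-vane-paddle-37-rumour", iterations=5_000)
    print("weak master password recovered from word list:", crack(weak, COMMON_PASSWORDS))
    print("strong master password recovered from word list:", crack(strong, COMMON_PASSWORDS))
    low, high = seconds_per_guess(5_000), seconds_per_guess(DEFAULT_ITERATIONS)
    print(f"cost per guess: {low * 1e3:.1f} ms at 5,000 rounds, "
          f"{high * 1e3:.1f} ms at {DEFAULT_ITERATIONS:,} rounds (linear in the count)")
    keyspace = 95 ** 12   # every printable-ASCII string of length 12
    print(f"single-core exhaustive search of that keyspace: {keyspace * high / 3.15e7:.1e} years")
```

Raising the count from 100,100 to 1,000,000 makes each attacker guess roughly ten times more expensive and each of your own logins ten times slower; it does nothing for a master password the word-list run recovers. If you do raise it, confirm you can still log in from a second device before relying on the change, since every client has to honour the new count.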
Nicolas
Posts: 4923
Joined: Wed Aug 22, 2012 7:41 am

Post by Nicolas »

gavinsiu wrote: Sun Jan 16, 2022 9:14 am
Nicolas wrote: Sun Jan 16, 2022 8:37 am Wirecutter from the New York Times reviewed password managers last month and recommended 1Password as its top pick. I’ll check the features first for sure. They offer a free two-week trial so there will be ample time.

Here’s the Wirecutter article but it’s probably behind NYT’s paywall. https://www.nytimes.com/wirecutter/revi ... -managers/

Bitwarden is also recommended but it lacks a password strength checker and doesn’t offer encrypted file storage, in case you’d like to save scans of your drivers license, passport, etc. there, which I do. (Upon rereading that article these features are provided with their $10 per year premium plan).

And, by the way, here’s an article explaining LastPass’s Yubikey phishing weakness:
https://pberba.github.io/security/2020/ ... -phishing/
Personally, I think a lot of these things are not needed. Do you really need a password strength checker if you are going to use the password manager to generate passwords? Most password managers will allow you to store the license info and passport in your password manager's database. You also have to ask if you really need that info in the cloud in the first place.

As for the article, it's because LastPass uses Yubikey OTP instead of the FIDO implementation; the latter is more phish-proof.
No I really don’t need a strength checker as I use the onboard generator using all characters and sufficient length. So I already know my passwords are strong. But I can’t say the same about my wife’s practices. One nice feature of LastPass is that you can check your entire vault for password strength and repeated passwords in one operation. My wife has a tendency to use simple and repeat passwords, so using this feature I can catch them.

Not only licenses and passport scans but I keep notes and even screen captures of chat sessions with banks, brokerages, and etc. in my password manager’s encrypted notes which come in handy later on if I need to dispute something.

Yes I understand now about OTP vs. U2F. I thought the article gave a good explanation.
Last edited by Nicolas on Sun Jan 16, 2022 10:35 am, edited 1 time in total.
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Post by gavinsiu »

AlphaLess wrote: Sun Jan 16, 2022 8:57 am I understand that concept.

However, that does not prevent hackers from attacking the central database of vaults.
Certainly, they will get the vault in encrypted form, but they may have hope that in the future they can the decryption keys, e.g, by attaching the encrypted contents using some techniques.
They could, but keep in mind that each vault in the database would have a separate key. If the master password was set up properly, then it would take centuries to decrypt using today's technology. People see hackers in movies using advanced technology to hack into someone's account. In reality, most hacks are often very low tech. Anonymous managed to hack a security expert's account by texting the expert's assistant and telling the assistant to reset the password.
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Post by gavinsiu »

lazydavid wrote: Sun Jan 16, 2022 9:15 am Um, you do realize pretty much every password manager has an optional browser extension, right? If you don't like it, don't use it.
You can also use a password manager without a browser extension. You can cut and paste from the password manager desktop app. If you are worried about a centralized database, you can use KeePass, which stores passwords locally.

Keep in mind that nothing is truly safe. Someone could have installed a keylogger, which would log your keypresses. Malware can read your clipboard.
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Post by gavinsiu »

squirm wrote: Sun Jan 16, 2022 9:23 am FYI,
LastPass saves a disabled OTP locally by default to aid in account recovery. I specifically turned that setting off. Same with SMS recovery option.

For those using LastPass, is there a good reason to increase the password iterations? I'm afraid if I increase it to, say, a million from the default, it might screw up something and I won't be able to log in again, which would give me painful angina.
No, the vault encryption is safe enough in my opinion.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Post by squirm »

IMO, the most secure way is to lock down LastPass as much as possible, and of course use a random complex password. Write down your password, or everything but a letter or two, and save that along with the authenticator keys. Save that someplace secure or hidden. The very last thing I would worry about is brute forcing 2^128; good luck with that... I would worry even less, if it were even remotely possible, about 2^256.

Phishing or malware is much more likely.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Post by squirm »

gavinsiu wrote: Sun Jan 16, 2022 10:40 am
squirm wrote: Sun Jan 16, 2022 9:23 am FYI,
LastPass saves a disabled OTP locally by default to aid in account recovery. I specifically turned that setting off. Same with SMS recovery option.

For those using LastPass, is there a good reason to increase the password iterations? I'm afraid if I increase it to, say, a million from the default, it might screw up something and I won't be able to log in again, which would give me painful angina.
No, the vault encryption is safe enough in my opinion.
Ok thanks, then I won't mess with it.
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Post by gavinsiu »

Getting on my soap box for a minute. I think too much emphasis has been put on password manager security. The feeling is that the password manager is the weak link in the chain. This is not the case; password manager vendors live and die on security. It is their product and business model. The weak link in the chain of security is people. How you implement your security has more impact than what password manager you use.

Let's start with the password. People are terrible at coming up with passwords. They often use too short a password or use a common phrase. There are also some that are not so obvious; for example, the password ji32k7au4a83 seems secure but is terrible because it is a common phonetic phrase in Mandarin. If you store crappy passwords in your password manager, you will still get hacked (most password managers will warn you of bad passwords).

Set up two-factor authentication if possible. It's a good protection in the event that your account is hacked. Unless they enter the second factor, they can't log in.

Beyond password and 2FA, look at your recovery methods. A lot of banks allow you to have a recovery method where you answer a security question. Let's say you have a 50-character password with a Yubikey. It would be next to impossible to hack using a login. They can bypass that by calling up the bank and guessing the security question. "What's your favorite TV show?" "Game of Thrones." You are in.

You want to protect your cell phone, too. Call up your wireless provider and ask them to add a PIN to your account (and save that PIN). If you don't, a hacker can call your phone provider and say that you have lost your phone and need a new SIM. Suddenly, all your texts go to the hacker. Keep in mind that PIN protection is spotty. A hacker can still call up your provider and pretend to forget the PIN or use a forged ID, allowing the human to override the PIN.

Phishing is getting sophisticated. I keep getting emails and texts from what appears to be my bank or my friends. I never click on unknown links and will call up friends and vendors if I get an email. If my bank emails me to click on a link, I would log into the website directly and see if there is a secure message from my vendor. If a vendor calls me to call a particular number because of fraud, I would call the main number directly so I don't get a scammer.

Your phone is often set up to connect to a public wifi like "att"; don't connect to public wifi if sensitive info will be exchanged. I would set up my phone not to connect to public wifi automatically. You can set up a public wifi that records info being passed through.
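Added example (not from the thread or from any password manager) of how a manager can warn about a password like ji32k7au4a83, as the post above says most of them do, without ever learning the password: a k-anonymity lookup against the Pwned Passwords range API, which takes only the first five hex characters of the password's SHA-1 and returns every leaked suffix sharing that prefix, so the match is made locally. The responses and counts in the block are constructed for the demo; the `fetch_range` helper performs the live call if you want to run it for real.

```python
import hashlib
import urllib.request

# Added example; not any password manager's code. Only the first five hex chars of
# the SHA-1 are sent to the range endpoint; matching the 35-char suffix happens here.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> "tuple[str, str]":
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup (not used by the demo). Add-Padding asks for dummy ':0' lines so
    the response size does not reveal how common the prefix is."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true", "User-Agent": "range-check-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_text: str) -> int:
    """Scan the 'SUFFIX:COUNT' lines returned for our prefix for our own suffix."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_text.splitlines():
        sfx, sep, count = line.strip().partition(":")
        if sep and sfx.upper() == suffix:
            return int(count)
    return 0


def _constructed_responses(known: dict) -> dict:
    """Fake range responses keyed by prefix, with a filler line like the API's padding."""
    by_prefix = {}
    for pw, count in known.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")
    for lines in by_prefix.values():
        lines.append("0" * 35 + ":0")        # padding entry, count 0, never a real match
    return {p: "\r\n".join(lines) for p, lines in by_prefix.items()}


# Constructed demo data; the counts are made up, not HIBP's real figures.
SAMPLE_RESPONSES = _constructed_responses({"ji32k7au4a83": 2_000, "Password123": 100_000})


def check_password(password: str, responses: dict = SAMPLE_RESPONSES) -> int:
    """Breach count for the password given a dict of prefix -> range text
    (use {prefix: fetch_range(prefix)} for a live check)."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, responses.get(prefix, ""))


if __name__ == "__main__":
    for pw in ("ji32k7au4a83", "Password123", "ochre-vane-paddle-37-rumour"):
        n = check_password(pw)
        print(f"{pw!r}: {'seen %d times, reject' % n if n else 'not in sample data'}")
```

A password that is absent from the list is not thereby strong; the check only catches the "looks random but is well known" class the post describes, and a generated password of adequate length is what makes the rest of the list irrelevant.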
MidwestMike
Posts: 153
Joined: Fri Jun 30, 2017 10:12 pm

Post by MidwestMike »

I answer my security questions with answers that make zero sense. My favorite tv show is blindtablefox98. This isn’t my real answer but something similar.
tibbitts
Posts: 23716
Joined: Tue Feb 27, 2007 5:50 pm

Post by tibbitts »

gavinsiu wrote: Sun Jan 16, 2022 11:01 am ...for example, the password ji32k7au4a83 seems secure but is terrible because it is a common phonetic phrase in Mandarin.
I think you just encouraged everybody to give up and go back to "password" on every site.
Nicolas
Posts: 4923
Joined: Wed Aug 22, 2012 7:41 am

Post by Nicolas »

gavinsiu wrote: Sun Jan 16, 2022 11:01 am Getting on my soap box for a minute. I think too much emphasis has been put on password manager security. The feeling is that the password manager is the weak link in the chain. This is not the case; password manager vendors live and die on security. It is their product and business model. The weak link in the chain of security is people. How you implement your security has more impact than what password manager you use.

Let's start with the password. People are terrible at coming up with passwords. They often use too short a password or use a common phrase. There are also some that are not so obvious; for example, the password ji32k7au4a83 seems secure but is terrible because it is a common phonetic phrase in Mandarin. If you store crappy passwords in your password manager, you will still get hacked (most password managers will warn you of bad passwords).

Set up two-factor authentication if possible. It's a good protection in the event that your account is hacked. Unless they enter the second factor, they can't log in.

Beyond password and 2FA, look at your recovery methods. A lot of banks allow you to have a recovery method where you answer a security question. Let's say you have a 50-character password with a Yubikey. It would be next to impossible to hack using a login. They can bypass that by calling up the bank and guessing the security question. "What's your favorite TV show?" "Game of Thrones." You are in.

You want to protect your cell phone, too. Call up your wireless provider and ask them to add a PIN to your account (and save that PIN). If you don't, a hacker can call your phone provider and say that you have lost your phone and need a new SIM. Suddenly, all your texts go to the hacker. Keep in mind that PIN protection is spotty. A hacker can still call up your provider and pretend to forget the PIN or use a forged ID, allowing the human to override the PIN.

Phishing is getting sophisticated. I keep getting emails and texts from what appears to be my bank or my friends. I never click on unknown links and will call up friends and vendors if I get an email. If my bank emails me to click on a link, I would log into the website directly and see if there is a secure message from my vendor. If a vendor calls me to call a particular number because of fraud, I would call the main number directly so I don't get a scammer.

Your phone is often set up to connect to a public wifi like "att"; don't connect to public wifi if sensitive info will be exchanged. I would set up my phone not to connect to public wifi automatically. You can set up a public wifi that records info being passed through.
Great post! For my required password hints I never use real responses like favorite color, etc. These responses can be simply guessed by someone or they can look up your info on FB like your pet’s name. Instead I use long gibberish strings generated by my password manager which I keep in the encrypted notes.

As for SIM swapping attacks on your wireless provider there’ve been cases of bribery where the provider’s employees will switch your number to a hacker for a fee. I can’t cite such cases but I’ve heard of them. So try to avoid using text for 2FA.

In public WiFi it’s best to not transact or look up sensitive info at all. But I use a VPN for all mobile activity so it’s all encrypted anyway.

And by the way, it may take centuries to brute force a password using today's technology, but with tomorrow's technology, quantum computing, it'll be trivial.
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Post by gavinsiu »

tibbitts wrote: Sun Jan 16, 2022 11:18 am I think you just encouraged everybody to give up and go back to "password" on every site.
On the contrary, if you use a password manager, it will warn you that particular phrase is a bad password.
tibbitts
Posts: 23716
Joined: Tue Feb 27, 2007 5:50 pm

Post by tibbitts »

gavinsiu wrote: Sun Jan 16, 2022 11:26 am
tibbitts wrote: Sun Jan 16, 2022 11:18 am I think you just encouraged everybody to give up and go back to "password" on every site.
On the contrary, if you use a password manager, it will warn you that particular phrase is a bad password.
My point was that if you tell people "ji32k7au4a83" isn't a good password, they're going to completely give up, and end up with the absolute minimum either the website or password manager will let them get by with. So they might end up with "passw0rd." or something like that, no matter if they see a warning message or not.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Post by squirm »

Nicolas wrote: Sun Jan 16, 2022 11:20 am
gavinsiu wrote: Sun Jan 16, 2022 11:01 am Getting on my soap box for a minute. I think too much emphasis has been put on password manager security. The feeling is that the password manager is the weak link in the chain. This is not the case; password manager vendors live and die on security. It is their product and business model. The weak link in the chain of security is people. How you implement your security has more impact than what password manager you use.

Let's start with the password. People are terrible at coming up with passwords. They often use too short a password or use a common phrase. There are also some that are not so obvious; for example, the password ji32k7au4a83 seems secure but is terrible because it is a common phonetic phrase in Mandarin. If you store crappy passwords in your password manager, you will still get hacked (most password managers will warn you of bad passwords).

Set up two-factor authentication if possible. It's a good protection in the event that your account is hacked. Unless they enter the second factor, they can't log in.

Beyond password and 2FA, look at your recovery methods. A lot of banks allow you to have a recovery method where you answer a security question. Let's say you have a 50-character password with a Yubikey. It would be next to impossible to hack using a login. They can bypass that by calling up the bank and guessing the security question. "What's your favorite TV show?" "Game of Thrones." You are in.

You want to protect your cell phone, too. Call up your wireless provider and ask them to add a PIN to your account (and save that PIN). If you don't, a hacker can call your phone provider and say that you have lost your phone and need a new SIM. Suddenly, all your texts go to the hacker. Keep in mind that PIN protection is spotty. A hacker can still call up your provider and pretend to forget the PIN or use a forged ID, allowing the human to override the PIN.

Phishing is getting sophisticated. I keep getting emails and texts from what appears to be my bank or my friends. I never click on unknown links and will call up friends and vendors if I get an email. If my bank emails me to click on a link, I would log into the website directly and see if there is a secure message from my vendor. If a vendor calls me to call a particular number because of fraud, I would call the main number directly so I don't get a scammer.

Your phone is often set up to connect to a public wifi like "att"; don't connect to public wifi if sensitive info will be exchanged. I would set up my phone not to connect to public wifi automatically. You can set up a public wifi that records info being passed through.
Great post! For my required password hints I never use real responses like favorite color, etc. These responses can be simply guessed by someone or they can look up your info on FB like your pet’s name. Instead I use long gibberish strings generated by my password manager which I keep in the encrypted notes.

As for SIM swapping attacks on your wireless provider there’ve been cases of bribery where the provider’s employees will switch your number to a hacker for a fee. I can’t cite such cases but I’ve heard of them. So try to avoid using text for 2FA.

In public WiFi it’s best to not transact or look up sensitive info at all. But I use a VPN for all mobile activity so it’s all encrypted anyway.

And by the way, it may take centuries to brute force a password using today’s technology but with tomorrow’s technology, quantum computing, it’ll be trivial.

If in public, just hotspot to your phone and use the cell connection.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Report of leaked LastPass master passwords

Post by Gadget »

Lots of good info in this thread, but a lot of misunderstanding too. It might help if people read about the difference between encryption, hashing, and salting. I get the impression many people think that Lastpass, 1Password, etc. are storing all your passwords in plain text in the cloud. That isn't the case.

https://www.comparitech.com/blog/inform ... g-salting/
Nicolas
Posts: 4923
Joined: Wed Aug 22, 2012 7:41 am

Re: Report of leaked LastPass master passwords

Post by Nicolas »

squirm wrote: Sun Jan 16, 2022 11:55 am If in public, just hotspot to your phone and use the cell connection.
I don’t have unlimited data so I use Wi-Fi to save $$$.
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Re: Report of leaked LastPass master passwords

Post by gavinsiu »

tibbitts wrote: Sun Jan 16, 2022 11:31 am My point was that if you tell people "ji32k7au4a83" isn't a good password, they're going to completely give up, and end up with the absolute minimum either the website or password manager will let them get by with. So they might end up with "passw0rd." or something like that, no matter if they see a warning message or not.
Point taken, but I just wanted to make sure that people are aware that if they come up with a random password, they should run it through some sort of online password checker or their password manager. It may not be as secure as you think.
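A worked example of the kind of check gavinsiu suggests, added here as an illustration and not part of anyone's post. It implements the k-anonymity range protocol that public breach-password checkers (modelled on the Have I Been Pwned "range" API) use: the client hashes the password, sends only the first five hex characters of the hash, receives every breached hash suffix sharing that prefix, and matches the rest locally, so the password itself never leaves the machine. The breach corpus, its counts and the range lookup are constructed so the example runs offline.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> times seen.
# The counts are made up for this example.
CONSTRUCTED_BREACH_COUNTS = {
    "password": 3861493,
    "123456": 23597311,
    "ji32k7au4a83": 141,
    "hunter2": 17,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def client_query(password: str) -> tuple:
    """Split the hash: the 5-hex-char prefix is all that leaves the device."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def simulated_range_lookup(prefix: str) -> list:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns 'SUFFIX:COUNT' lines for every breached hash sharing the prefix,
    built from the constructed corpus above so the example runs offline."""
    lines = []
    for pw, count in CONSTRUCTED_BREACH_COUNTS.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return lines


def pwned_count(password: str, lookup=simulated_range_lookup) -> int:
    """How often the password appears in the corpus, or 0.
    Only the prefix is sent; matching the suffix happens locally."""
    prefix, suffix = client_query(password)
    for line in lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check(password: str) -> str:
    """Human-readable verdict combining the breach lookup with a length floor."""
    n = pwned_count(password)
    if n:
        return f"seen {n} times in breaches; do not use"
    if len(password) < 12:
        return "not in breach corpus, but shorter than 12 characters"
    return "not in breach corpus"


if __name__ == "__main__":
    for pw in ["password", "ji32k7au4a83",
               "ScapegoatHasteRepressedFinerSwaddlingUnbridle"]:
        print(f"{pw!r}: {check(pw)}")
```

The same flow works against the live service by replacing simulated_range_lookup with an HTTPS GET of the prefix; the point of the design is that the server learns a 5-character prefix shared by hundreds of hashes, never the password.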
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Re: Report of leaked LastPass master passwords

Post by gavinsiu »

Nicolas wrote: Sun Jan 16, 2022 12:55 pm I don’t have unlimited data so I use Wi-Fi to save $$$.
Fair enough, but best not to do banking or anything sensitive over public wifi. Surfing the web for example should be fine.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Report of leaked LastPass master passwords

Post by squirm »

Nicolas wrote: Sun Jan 16, 2022 12:55 pm
squirm wrote: Sun Jan 16, 2022 11:55 am If in public, just hotspot to your phone and use the cell connection.
I don’t have unlimited data so I use Wi-Fi to save $$$.
Same here,
When I'm out on vacation or out and about, I use the public wifi too, but when using LastPass or any bank, or any other sensitive stuff, I disconnect and use my hotspot.
HawkeyePierce
Posts: 2351
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Report of leaked LastPass master passwords

Post by HawkeyePierce »

Accessing banking or other sensitive sites over public wifi is secure. Those sites all use HTTPS, there is no risk of an attacker eavesdropping on your connection.
roamingzebra
Posts: 1214
Joined: Thu Apr 22, 2021 3:29 pm

Re: Report of leaked LastPass master passwords

Post by roamingzebra »

Gadget wrote: Sun Jan 16, 2022 12:21 pm Lots of good info in this thread, but a lot of misunderstanding too. It might help if people read about the difference between encryption, hashing, and salting. I get the impression many people think that Lastpass, 1Password, etc. are storing all your passwords in plain text in the cloud. That isn't the case.

https://www.comparitech.com/blog/inform ... g-salting/
Some data breaches involve hashed passwords and there are people who have developed software to extract useful information from these breaches -- namely confirming that the owner of one account is the same as that of a different account since both accounts use the same (hashed) password. Law enforcement can make good use of this but thankfully a regular hacker would probably not be able to exploit this data in a meaningful way.

Or am I wrong?
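An added example, not from any post in the thread, that shows the difference Gadget points to between plain hashing and salted hashing, and the cross-account linking roamingzebra describes. The breach dump below is constructed (a few site/account/password triples hashed on the spot); real dumps contain only the hashes. With an unsalted hash, identical passwords produce identical hashes, so accounts can be linked across sites without cracking anything, and one hash per wordlist guess tests every record at once. With a per-record random salt neither trick works. A real site would also use a slow KDF (PBKDF2, bcrypt or Argon2) rather than one SHA-256 round; the single round here is only to keep the example short.

```python
import hashlib
import secrets

# Constructed breach dump: (site, account, password).
CONSTRUCTED_ACCOUNTS = [
    ("forum.example", "alice", "Summer2021!"),
    ("shop.example", "alice_s", "Summer2021!"),            # alice reused her password
    ("forum.example", "bob", "correct horse battery staple"),
    ("shop.example", "carol", "Summer2021!"),              # someone else, same password
]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Same password, different salt, different hash. A site stores the salt
    next to the hash, so it costs the defender nothing to verify logins."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dump(salted: bool) -> list:
    """Produce (site, account, stored_hash) records from the constructed accounts."""
    records = []
    for site, account, pw in CONSTRUCTED_ACCOUNTS:
        h = salted_hash(pw, secrets.token_bytes(16)) if salted else unsalted_hash(pw)
        records.append((site, account, h))
    return records


def linked_accounts(records) -> list:
    """Group accounts whose stored hashes are identical. With unsalted hashes
    this links accounts across sites without recovering a single password."""
    by_hash = {}
    for site, account, h in records:
        by_hash.setdefault(h, set()).add(f"{account}@{site}")
    return [group for group in by_hash.values() if len(group) > 1]


def crack_unsalted(records, wordlist) -> dict:
    """Hash each guess once and look it up against every record at once.
    Against salted records each guess would have to be rehashed per record."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {f"{a}@{s}": table[h] for s, a, h in records if h in table}


if __name__ == "__main__":
    print("unsalted links:", linked_accounts(dump(salted=False)))
    print("salted links:  ", linked_accounts(dump(salted=True)))
    print("cracked:       ", crack_unsalted(dump(salted=False),
                                            ["password", "Summer2021!"]))
```

Run it and the unsalted dump links alice, alice_s and carol in one group and recovers all three passwords from a two-word list; the salted dump yields no links, and the same wordlist attack would have to be repeated per record.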
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Report of leaked LastPass master passwords

Post by Northern Flicker »

squirm wrote: Sun Jan 16, 2022 9:23 am FYI,
LastPass saves a disabled OTP locally by default to aid in account recovery. I specifically turned that setting off. Same with the SMS recovery option.

For those using LastPass, is there a good reason to increase the password iterations? I'm afraid if I increase it, to say a million from the default, it might screw up something and I won't be able to log in again, which would give me painful angina.
Increasing the encryption iterations to millions of iterations so that it takes say 5 seconds to encrypt or decrypt on a laptop enhances the protection against brute force attacks by exhaustive search of the key space. If you use 20M iterations then a brute force attack takes 20M times the CPU resources relative to a single iteration.
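An added example, not part of Northern Flicker's post, that puts numbers on the linear scaling described above. It derives a vault key with PBKDF2-HMAC-SHA256 (the stretching a vault applies to the master password before it becomes an encryption key), calibrates how many iterations give a chosen unlock time on the machine it runs on, and estimates exhaustive-search time for a given password entropy. The attacker hash rate, the 40-bit example entropy and the iteration counts are constructed inputs, not figures from any vendor; the multiplier is exact, the years are only as good as those assumptions.

```python
import hashlib
import math
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key stretching; each iteration is one HMAC round."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)


def attack_cost_multiplier(new_iterations: int, old_iterations: int) -> float:
    """Per-guess work scales linearly with the iteration count."""
    return new_iterations / old_iterations


def equivalent_entropy_bits(iterations: int) -> float:
    """Iterations add log2(iterations) bits of effective strength: 20M rounds
    is worth about 24 extra bits, the same as four more random lowercase letters."""
    return math.log2(iterations)


def seconds_per_unlock(iterations: int, password: str = "ExamplePassphrase",
                       salt: bytes = b"constructed-salt") -> float:
    """Measure one derivation on this machine (varies run to run)."""
    start = time.perf_counter()
    derive_vault_key(password, salt, iterations)
    return time.perf_counter() - start


def iterations_for_unlock_time(target_seconds: float,
                               sample_iterations: int = 100_000) -> int:
    """Calibrate: iterations that make one unlock take about target_seconds here."""
    per_iteration = seconds_per_unlock(sample_iterations) / sample_iterations
    return int(target_seconds / per_iteration)


def expected_crack_years(entropy_bits: float, iterations: int,
                         attacker_rounds_per_second: float) -> float:
    """Expected exhaustive-search time: half the key space, each guess costing
    `iterations` HMAC rounds, against an attacker doing the given rounds/s."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / attacker_rounds_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("20M vs 1 iteration multiplier:", attack_cost_multiplier(20_000_000, 1))
    print("iterations for ~5 s unlock here:", iterations_for_unlock_time(5.0))
    # Constructed scenario: 40-bit master password, attacker at 1e10 rounds/s.
    for it in (1, 100_000, 20_000_000):
        print(f"{it:>10} iterations: {expected_crack_years(40, it, 1e10):.3g} years")
```

Under those constructed numbers a 40-bit password falls in under a minute at one iteration and in a few decades at 20 million; the multiplier helps, but every extra bit of password entropy doubles the attacker's work for free, so iterations complement a strong master password rather than replace one.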
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Report of leaked LastPass master passwords

Post by Northern Flicker »

MidwestMike wrote: Sun Jan 16, 2022 11:06 am I answer my security questions with answers that make zero sense. My favorite tv show is blindtablefox98. This isn’t my real answer but something similar.
Many security question implementations store answers using insecure methods on sites that use them. Pretty much if a provider has so-called security questions, it typically is an indication that the organization does not have a robust security engineering competency. It may lack the expertise, or may have competent security staff, but lack the organizational competence to utilize their expertise appropriately.
quietseas
Posts: 901
Joined: Fri Dec 27, 2013 3:43 pm

Re: Report of leaked LastPass master passwords

Post by quietseas »

Northern Flicker wrote: Sun Jan 16, 2022 2:17 pm
MidwestMike wrote: Sun Jan 16, 2022 11:06 am I answer my security questions with answers that make zero sense. My favorite tv show is blindtablefox98. This isn’t my real answer but something similar.
Many security question implementations store answers using insecure methods on sites that use them. Pretty much if a provider has so-called security questions, it typically is an indication that the organization does not have a robust security engineering competency. It may lack the expertise, or may have competent security staff, but lack the organizational competence to utilize their expertise appropriately.
What is the best way for a consumer facing company with tens of millions of customers -- many of whom are not IT savvy -- to reset an account login that has been locked due to repeated failed login attempts?
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: Report of leaked LastPass master passwords

Post by VictoriaF »

lazydavid wrote: Sat Jan 15, 2022 10:25 pm
VictoriaF wrote: Sat Jan 15, 2022 3:10 pm
Second Round wrote: Tue Dec 28, 2021 11:48 am FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
Can you be sure that Diceware itself does not track you? If it did, and you used its suggested words or their combinations, your Master Password would be dead on arrival.

Victoria
Clearly you don't know what Diceware is.
That depends on what the meaning of "is" is.

I know what Diceware produces. I did not look into its code. I wonder if it creates a security vulnerability.

For example, I've just rolled a dice and Diceware gave me a passphrase ScapegoatHasteRepressedFinerSwaddlingUnbridle . Let's say I repeated this several times and selected a combination of words produced by Diceware as my Master passphrase. What stops Diceware from tracking me with cookies and using dictionary attacks where the dictionary contains combinations of words that Diceware has produced for me?

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Report of leaked LastPass master passwords

Post by Northern Flicker »

quietseas wrote: What is the best way for a consumer facing company with tens of millions of customers -- many of whom are not IT savvy -- to reset an account login that has been locked due to repeated failed login attempts?
Security questions are a form of 2-factor authentication. There are more robust 2FA protocols available. For robust password reset you need 3-factor authentication. Password plus 1 extra factor for login, both auxiliary factors for password reset. Examples:

1. Password + hardware token for login. Hardware token plus email code plus account identifying info for reset. (SMS code plus hardware token would be ok, but is vulnerable to one's phone and hardware token both being lost or stolen at the same time).

2. Password plus SMS code for login. SMS code plus one time use secondary password plus account identifying info for reset.

3. Password plus SMS code for login. SMS code plus email code plus account identifying info for reset.

The third one is weakened some if the email address is mapped to the phone where the SMS is received.

Suggesting that a weaker protocol is justified due to needing to administer millions of accounts doesn't fly when the application is a password safe. If there is not a robust authentication mechanism, then web access is not an acceptable architecture for a password safe.
Nicolas
Posts: 4923
Joined: Wed Aug 22, 2012 7:41 am

Re: Report of leaked LastPass master passwords

Post by Nicolas »

VictoriaF wrote: Sun Jan 16, 2022 3:09 pm
lazydavid wrote: Sat Jan 15, 2022 10:25 pm
VictoriaF wrote: Sat Jan 15, 2022 3:10 pm
Second Round wrote: Tue Dec 28, 2021 11:48 am FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
Can you be sure that Diceware itself does not track you? If it did, and you used its suggested words or their combinations, your Master Password would be dead on arrival.

Victoria
Clearly you don't know what Diceware is.
That depends on what the meaning of "is" is.

I know what Diceware produces. I did not look into its code. I wonder if it creates a security vulnerability.

For example, I've just rolled a dice and Diceware gave me a passphrase ScapegoatHasteRepressedFinerSwaddlingUnbridle . Let's say I repeated this several times and selected a combination of words produced by Diceware as my Master passphrase. What stops Diceware from tracking me with cookies and using dictionary attacks where the dictionary contains combinations of words that Diceware has produced for me?

Victoria
This possibility can be avoided by creating your own diceware passphrase manually. Just take an Oxford Unabridged (really any dictionary of sufficient size) close your eyes and randomly put your index finger on six or seven of its pages and construct a phrase. It can’t be hacked. I’m sure this occurred to you.
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: Report of leaked LastPass master passwords

Post by VictoriaF »

Nicolas wrote: Sun Jan 16, 2022 3:45 pm
VictoriaF wrote: Sun Jan 16, 2022 3:09 pm
lazydavid wrote: Sat Jan 15, 2022 10:25 pm
VictoriaF wrote: Sat Jan 15, 2022 3:10 pm
Second Round wrote: Tue Dec 28, 2021 11:48 am FWIW, generating a master passphrase using Diceware is pretty secure and a heck of a lot easier to remember than an equally-secure string of mixed-case letters and numbers.
Can you be sure that Diceware itself does not track you? If it did, and you used its suggested words or their combinations, your Master Password would be dead on arrival.

Victoria
Clearly you don't know what Diceware is.
That depends on what the meaning of "is" is.

I know what Diceware produces. I did not look into its code. I wonder if it creates a security vulnerability.

For example, I've just rolled a dice and Diceware gave me a passphrase ScapegoatHasteRepressedFinerSwaddlingUnbridle . Let's say I repeated this several times and selected a combination of words produced by Diceware as my Master passphrase. What stops Diceware from tracking me with cookies and using dictionary attacks where the dictionary contains combinations of words that Diceware has produced for me?

Victoria
This possibility can be avoided by creating your own diceware passphrase manually. Just take an Oxford Unabridged (really any dictionary of sufficient size) close your eyes and randomly put your index finger on six or seven of its pages and construct a phrase. It can’t be hacked. I’m sure this occurred to you.
Of course, this occurred to me: I watched enough Cold War movies to think of that. But in all cyber security discussions, the fun part is not how the manuals and FAQs say the thing works but trying to figure out how it fails.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
lazydavid
Posts: 5155
Joined: Wed Apr 06, 2016 1:37 pm

Re: Report of leaked LastPass master passwords

Post by lazydavid »

VictoriaF wrote: Sun Jan 16, 2022 3:09 pm
lazydavid wrote: Sat Jan 15, 2022 10:25 pm Clearly you don't know what Diceware is.
That depends on what the meaning of "is" is.

I know what Diceware produces. I did not look into its code. I wonder if it creates a security vulnerability.

For example, I've just rolled a dice and Diceware gave me a passphrase ScapegoatHasteRepressedFinerSwaddlingUnbridle . Let's say I repeated this several times and selected a combination of words produced by Diceware as my Master passphrase. What stops Diceware from tracking me with cookies and using dictionary attacks where the dictionary contains combinations of words that Diceware has produced for me?

Victoria
What code? Someone may have developed an automated dictionary to make using the framework easier, which of course you are free to use if you like. But at its heart, Diceware is literally just a text file containing strings that are indexed to numbers that you randomly select via dice rolls. When I did a presentation on it a few years ago, I literally printed copies of the word list and handed them out, along with a set of multicolored dice, so the participants only had to roll once per word. Zero electrons were required for a couple dozen people to start generating secure pass phrases.

As I’m sure you’re aware, there’s no such thing as cookies where a stack of paper and a handful of acrylic cubes are concerned. Unless they’re chocolate chip, of course. :) And the framework is designed such that even if your attacker knows for a fact that you generated your password using Diceware (and how would they?), the dictionary is so large that the search space is not manageable with current or near-term computing technology.
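An added example, not code from lazydavid's presentation or from the Diceware project, that shows the mechanics he describes: a word list sized to a power of six, each word picked by reading a handful of dice as a base-6 number, and the entropy that follows from the list size and word count. The 36-word list below is constructed so the block stays short and needs two dice per word; the real Diceware and EFF lists hold 7776 words (six to the fifth) and need five dice. The roll function draws from the OS random generator as a stand-in for physical dice; swapping in your own roller, as the test does, reproduces a paper-and-dice session exactly.

```python
import math
import secrets

# Constructed 36-word list (6**2 entries, two dice per word). A real list
# has 6**5 = 7776 entries and is indexed by five dice.
CONSTRUCTED_WORDLIST = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable", "gable", "habit",
    "ivory", "jelly", "kayak", "lemon", "mango", "noble", "oasis", "panda",
    "quail", "raven", "salsa", "tango", "ultra", "vivid", "waltz", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "dunes", "ember", "flint",
    "grove", "honey", "igloo", "jumbo",
]


def dice_per_word(list_size: int) -> int:
    """A Diceware list must hold exactly 6**k words; return k."""
    k = round(math.log(list_size, 6))
    if 6 ** k != list_size:
        raise ValueError(f"list size {list_size} is not a power of 6")
    return k


def rolls_to_index(rolls) -> int:
    """Read the rolls as a base-6 number: 1-1-1-1-1 -> 0, 6-6-6-6-6 -> 7775.
    Printed lists show the rolls themselves (e.g. 11111) next to each word;
    this is the same lookup done arithmetically."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"bad die value {r}")
        index = index * 6 + (r - 1)
    return index


def roll(n: int) -> list:
    """n fair dice from the OS CSPRNG, a stand-in for physical dice."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def passphrase(words, n_words: int, roller=roll, sep: str = " ") -> str:
    """Pick n_words words, each by one set of dice rolls."""
    k = dice_per_word(len(words))
    return sep.join(words[rolls_to_index(roller(k))] for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy assuming the attacker knows the list and the word count,
    which is the assumption Diceware is designed to survive."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase(CONSTRUCTED_WORDLIST, 6))
    print(f"toy list, 6 words:       {entropy_bits(6, 36):.1f} bits")
    print(f"7776-word list, 6 words: {entropy_bits(6, 7776):.1f} bits")
```

The entropy figure is what answers the tracking question above: six words from a 7776-word list give about 77.5 bits even if the attacker knows the exact list, because the security lives in the dice, not in keeping the list secret.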
roamingzebra
Posts: 1214
Joined: Thu Apr 22, 2021 3:29 pm

Re: Report of leaked LastPass master passwords

Post by roamingzebra »

I just installed diceware on my Linux distro (Ubuntu-based). A new toy. :)

It's a command-line tool and just typing in diceware without any parameters, I got: ShrineMauveChumpPleadingHarmonicaAgreeing :D

Scanning over the parameters, you can specify no-caps, add delimiters, specify the number of words to use and so on.
AlphaLess
Posts: 3409
Joined: Fri Sep 29, 2017 11:38 pm
Location: Kentucky

Re: Report of leaked LastPass master passwords

Post by AlphaLess »

gavinsiu wrote: Sun Jan 16, 2022 10:32 am
AlphaLess wrote: Sun Jan 16, 2022 8:57 am I understand that concept.

However, that does not prevent hackers from attacking the central database of vaults.
Certainly, they will get the vault in encrypted form, but they may have hope that in the future they can get the decryption keys, e.g., by attacking the encrypted contents using some techniques.
They could, but keep in mind that each vault in the database would have a separate key. If the master password was set up properly, then it would take centuries to decrypt using today's technology. People see hackers in movies using advanced technology to hack into someone's account. In reality, most hacks are often very low tech. Anonymous managed to hack a security expert's account by texting the expert's assistant and telling the assistant to reset the password.
Exactly.

A human in the loop is the biggest security threat.

I think "they" (whoever they are) are more likely to intercept me in person, and pressure me to give out my vault password vs hacking.

So, one has to be reasonable.

But I could see that maybe in 30 or 40 years, they might be able to break today's encryption.

At any rate, resetting passwords frequently (like once every 1 or 2 years) is helpful.
I don't carry a signature because people are easily offended.
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Re: Report of leaked LastPass master passwords

Post by gavinsiu »

HawkeyePierce wrote: Sun Jan 16, 2022 1:50 pm Accessing banking or other sensitive sites over public wifi is secure. Those sites all use HTTPS, there is no risk of an attacker eavesdropping on your connection.
You are correct. When you connect to a public wifi, your traffic isn't encrypted. However, when you connect over HTTPS, traffic is encrypted. A hacker will see that you connect to your bank and then nothing but gibberish between your device and your bank.

In the old days, you could do HTTPS stripping. You could create a fake wifi spot like Starbucks, and then people connect to it. The fake wifi can then lower your traffic from HTTPS to just plain HTTP. Unless you pay attention to the lock icon and the URL, you may not notice that you have been dropped.

For this reason, a lot of browsers now require HTTPS traffic and, if it's not, throw up a warning page that you have to click to bypass. The problem is that a lot of sites still have bad certificates, so people may get used to bypassing the warning. A lot of people may still be using an older browser like IE. If you reuse passwords and access a non-HTTPS site, the hacker can collect that password, see that you went to Bank of America, and use that password. Assume that when you are on public wifi, the hacker can see where you go but not necessarily what you are doing at those sites.

My employer forbids us to access public wifi without a VPN, so I am sort of trained not to do it.
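An added example, not from gavinsiu's post, showing the browser-side mechanism that closes the stripping window he describes: HTTP Strict Transport Security. Once a site has answered over HTTPS with a Strict-Transport-Security header, the browser remembers the host and rewrites later plain-http requests to https before they leave the machine, so a proxy on hostile wifi never sees a downgradable request. The code parses the header, keeps the cache, and replays a constructed session log to show which plain-http requests a browser would still send in the clear (and which a stripping proxy could therefore tamper with). The session, hostnames and headers are made up for the example; the parsing follows the header's real syntax (max-age and includeSubDomains directives, and the rule that the header is ignored on plain-http responses).

```python
from urllib.parse import urlsplit


def parse_hsts(header_value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains' into a small policy dict."""
    policy = {"max_age": 0, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


class HstsCache:
    """Mimics the browser's memory of which hosts demanded HTTPS."""

    def __init__(self):
        self.hosts = {}  # host -> includeSubDomains flag

    def observe(self, url: str, headers: dict) -> None:
        """Record a policy. Browsers honour the header only over HTTPS, so a
        stripping proxy cannot plant or clear entries from a plain-http reply."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return
        policy = parse_hsts(value)
        if policy["max_age"] == 0:
            self.hosts.pop(parts.hostname, None)  # max-age=0 clears the entry
        else:
            self.hosts[parts.hostname] = policy["include_subdomains"]

    def must_upgrade(self, url: str) -> bool:
        """True if a plain-http request to this URL would be rewritten to https
        before being sent, walking up the domain for includeSubDomains parents."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.hosts and (i == 0 or self.hosts[candidate]):
                return True
        return False


def exposed_requests(session, cache: HstsCache) -> list:
    """Replay (url, response_headers) pairs in order and return the plain-http
    URLs the browser would really send, i.e. what a stripping proxy can touch."""
    exposed = []
    for url, headers in session:
        if urlsplit(url).scheme == "http" and not cache.must_upgrade(url):
            exposed.append(url)
        cache.observe(url, headers)
    return exposed


# Constructed session log for the example.
CONSTRUCTED_SESSION = [
    ("https://bank.example/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("http://bank.example/login", {}),            # rewritten to https: not exposed
    ("http://online.bank.example/", {}),          # covered by includeSubDomains
    ("http://news.example/", {}),                 # never sent HSTS: exposed
    ("http://shop.example/", {"Strict-Transport-Security": "max-age=300"}),  # ignored over http
    ("http://shop.example/cart", {}),             # still exposed
]

if __name__ == "__main__":
    for url in exposed_requests(CONSTRUCTED_SESSION, HstsCache()):
        print("sent in the clear:", url)
```

The gap HSTS cannot close is the very first visit to a host the browser has never seen over HTTPS, which is why the bank-first-then-wifi habit in the posts above still matters, and why browsers ship a preload list for sites that opt in.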
gavinsiu
Posts: 4536
Joined: Sun Nov 14, 2021 11:42 am

Re: Report of leaked LastPass master passwords

Post by gavinsiu »

quietseas wrote: Sun Jan 16, 2022 2:33 pm What is the best way for a consumer facing company with tens of millions of customers -- many of whom are not IT savvy -- to reset an account login that has been locked due to repeated failed login attempts?
I have the same question myself. I may have to do some research in this area. One idea would be to use some sort of government mandated ID that would be hard to fake such as a Real ID, but not everyone can get one.

In my opinion, they should probably have some sort of different level of security. Let accounts default to the usual SMS fallback, but for people who want more security, they should allow them to remove the fallback. People who want to use Yubikey usually know what they are doing.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Report of leaked LastPass master passwords

Post by Northern Flicker »

Nicolas wrote: This possibility can be avoided by creating your own diceware passphrase manually. Just take an Oxford Unabridged (really any dictionary of sufficient size) close your eyes and randomly put your index finger on six or seven of its pages and construct a phrase. It can’t be hacked.
Shall we be more precise? It cannot be hacked by exhaustive search of the key space (with levels of computer power that reasonably could be marshalled today).
Last edited by Northern Flicker on Sun Jan 16, 2022 11:08 pm, edited 1 time in total.
leland
Posts: 267
Joined: Sun Sep 12, 2021 5:21 pm
Location: PNW

Re: Report of leaked LastPass master passwords

Post by leland »

Pretty pleased to be one of the many people who fled LP for BitWarden after they nerfed the free tier of service. Highly recommend it for $10.

That said the UX is a bit rough - recommended 1Password for other friends and family - the apps are just better.

If the Apple/Google/MSFT offerings had some methodology for sharing passwords with a significant other or family that would be the easiest option, but for now they're more of a pain than anything.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Report of leaked LastPass master passwords

Post by squirm »

I also print out and stash my email recovery codes.