LastPass Security Breach

FloofyNewfie

The Floofy Administrator
Staff member
The password managing software known as LastPass has had a major security breach. This breach affected their 1 million + users. If you use LastPass to store your passwords here and anywhere else, I'd advise changing your password immediately manually.

If you use this software to store your passwords you might have already heard about the breach, but just in case some users here that use LastPass to access this site haven't heard about it, I figured I'd post a public service announcement here.

Affected users: To change your password click on your profile icon --> click Password and Security --> type in your old password (which you may have to retrieve from LastPass) and then type in a new password --> Click Save

While not required for best security practices I'd encourage you to create a password with at least 1 number, 1 special character, and 1 Capital letter.
 
The password managing software known as LastPass has had a major security breach. This breach affected their 1 million + users. If you use LastPass to store your passwords here and anywhere else, I'd advise changing your password immediately manually. If you don't use this software, your account should be fine.

If you use this software to store your passwords you might have already heard about the breach, but just in case some users here that use LastPass to access this site haven't heard about it, I figured I'd post a public service announcement here.

Affected users: To change your password click on your profile icon --> click Privacy and Security --> type in your old password and then a new password. --> Click Save

While not required for best security practices I'd encourage you to create a password with at least 1 number, 1 special character, and 1 Capital letter.
Thanks for the suggestions 👍

Many places still require you to use numbers, special characters and capital letters.
BUT because such a password is difficult to remember, many users just invent one password and reuse it! A bad habit 😱
I have read that the most important is to have a very long password.
I have made up a long strange sentence, from which I can remember the password.
 
Why should users change their master password?

Last I heard the encrypted password vaults and the user's personal information (email, address, list of websites, etc.) in plain text were stolen. There are two scenarios: they crack the encryption on the user's password vaults, in which case all of their passwords that were stored in LastPass need to be changed, or they don't and then the user is safe from password theft. They shouldn't have a way to find out the master password in that case.
It stemmed from a phishing attack that a high-ranking employee of LastPass fell for. The cybercriminals in question gained unauthorized access to both encrypted and unencrypted information. According to their initial statement, usernames/websites/organizations/passwords/names/IPs have all been potentially compromised. Anyone who has their passwords saved through LastPass needs to change all passwords immediately, especially the master password.

That's not coming directly from me, I'm basically repeating the memo from LastPass's initial breach statement.

According to a more recent statement your passwords are *more than likely fine* if you've updated the master password as soon as the breach happened. But most tech websites are advising that you change all of your passwords to be on the safe side. So, to be on the safe side it would be advisable to just change your password if you use LastPass.
 
Also, as a side note, if you're using the same password from ZooVille 1.0 for ZooVille 2.0 (current iteration of ZooVille) you should absolutely change your password to something else. As the previous forum software we used, vBulletin, also suffered a very substantial data breach. It's why we moved over to XenForo instead.
 
Why should users change their master password?

Last I heard the encrypted password vaults and the user's personal information (email, address, list of websites, etc.) in plain text were stolen. There are two scenarios: they crack the encryption on the user's password vaults, in which case all of their passwords that were stored in LastPass need to be changed, or they don't and then the user is safe from password theft. They shouldn't have a way to find out the master password in that case.
If they manage to brute force the master password, because a user didn't follow LastPass' own recommendations for creating one, and that user is still for some reason using LastPass and doesn't have multifactor authentication enabled, the attackers can simply log into the user's account directly and get access to their current (i.e. changed) passwords.

Changing the master password for the live vault would prevent that.
 
There was a thread about LastPass over at privacyguides. Seems like it's worse than LP is suggesting in their blog post, and at the same time the product hasn't been trustworthy for a lengthy amount of time.

I really think it's quite atrocious that LastPass didn't encrypt ALL THE DATA...like the URL, or using AES in ECB mode.

That's not even getting started on the fact that old accounts had dangerously low iteration counts for PBKDF2. This is something which Bitwarden is unfortunately also guilty of. Fortunately you can increase that, and they are also implementing the more modern Argon2 derivation function, which should make it harder to crack passwords with ASICs, GPUs, FPGAs etc. as it introduces new settings such as memory, parallelism and time tweaks.
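The posts above make two related points: a stolen vault can be attacked offline with unlimited guesses at the master password, and the PBKDF2 iteration count is what sets the price of each guess. This added example (not code from the thread or from LastPass or Bitwarden) derives a vault key with PBKDF2-HMAC-SHA256 and shows how the iteration count scales the per-guess cost; the salt, the "legacy" iteration count and the keyspace figures are constructed assumptions, the 600,000 figure is current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import time

# Constructed sample inputs for this example; not values from any real vault.
SAMPLE_SALT = b"user@example.invalid"  # assumption: a per-user salt such as the account name
LOW_ITERATIONS = 5_000        # assumption: an illustrative low legacy setting
MODERN_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master password with PBKDF2-HMAC-SHA256.

    Once an attacker holds a copy of the encrypted vault, the iteration count is
    the only thing that makes each guess at the master password expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure how long one derivation takes on this machine (best of N runs)."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("timing-probe-only", SAMPLE_SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def work_factor_ratio(low: int, high: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so raising it from
    `low` to `high` multiplies the cost of every offline guess by high/low."""
    return high / low


def years_to_exhaust(keyspace: float, per_guess: float, parallel: int) -> float:
    """Defender's estimate: time to try every candidate in `keyspace` with
    `parallel` derivations running at once, each taking `per_guess` seconds."""
    return keyspace * per_guess / parallel / (365 * 24 * 3600)


if __name__ == "__main__":
    for iters in (LOW_ITERATIONS, MODERN_ITERATIONS):
        t = seconds_per_guess(iters)
        # assumption: an 8-character alphanumeric master password (62^8 candidates)
        # and 10,000 parallel derivations; both figures are illustrative only
        print(f"{iters:>7} iterations: {t * 1000:7.2f} ms/guess, "
              f"{years_to_exhaust(62 ** 8, t, 10_000):.1f} years to exhaust 62^8")
    print(f"Raising the count multiplies attacker cost by "
          f"{work_factor_ratio(LOW_ITERATIONS, MODERN_ITERATIONS):.0f}x")
```

The measured times are machine-dependent, but the ratio between the two settings is fixed by the iteration counts alone, which is why raising the count in an existing account is worth doing even before changing the master password.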
 
The password managing software known as LastPass has had a major security breach. This breach affected their 1 million + users. If you use LastPass to store your passwords here and anywhere else, I'd advise changing your password immediately manually.

If you use this software to store your passwords you might have already heard about the breach, but just in case some users here that use LastPass to access this site haven't heard about it, I figured I'd post a public service announcement here.

Affected users: To change your password click on your profile icon --> click Password and Security --> type in your old password (which you may have to retrieve from LastPass) and then type in a new password --> Click Save

While not required for best security practices I'd encourage you to create a password with at least 1 number, 1 special character, and 1 Capital letter.
Thank you for warning and caring
 
I will bite... What is this "lastpass" purpose anyway? I mean I know it's a scam but what was the purpose they were projecting.

What would make this one more unique versus any other ones? (Besides the hilarious scam scheme)
 
I will bite... What is this "lastpass" purpose anyway? I mean I know it's a scam but what was the purpose they were projecting.

What would make this one more unique versus any other ones? (Besides the hilarious scam scheme)
Just a simple password manager product. I've barely seen much of a difference from others. I think they were selling more on convenience vs. the competition.
 
Just a simple password manager product. I've barely seen much of a difference from others. I think they were selling more on convenience vs. the competition.
Weird... I can't imagine who would fall for this. There's like so many things heck even a notepad. Why would anybody want this?

And yes I understand the concept "if it exists then there's an audience."
 
If you have 15+ character randomly generated passwords that are different for all of your websites either memorized or on your notepad then I'm impressed. Most people can't do that. If you don't then you're vulnerable. Websites sharing passwords means that you can get multiple services compromised at a time because one of them got breached. Passwords that are not random can be guessed a lot easier by computers.
A very simple way to avoid computers guessing your password is that all those login pages don't accept loads of new password attempts.
In my country we have a 'masterID' which is used to access banks, tax, insurance a.s.I. It also requires a two-stage confirmation in an app made for that. If I type it wrong I will have to wait 29 seconds.
 
I will bite... What is this "lastpass" purpose anyway? I mean I know it's a scam but what was the purpose they were projecting.

What would make this one more unique versus any other ones? (Besides the hilarious scam scheme)
it's putting all your eggs in one basket, that has the strength of an egg.
 
Yes but consider what happened with last pass. They stole encrypted data that they now have unlimited attempts at cracking. There are other websites that encrypt your data with your password too.
Well - first - use VPN - second use TORbrowser
 
Well - first - use VPN - second use TORbrowser
That would have been entirely ineffective as a defense against the LastPass breach. They literally gained access to LastPass' own backup storage, which stored their backups of users' password vaults.

With access to the data stored in those, a VPN or TOR wouldn't protect you for one second.
 
If you have windows/utube/facefuck/tweeets in use/installed - then yes you're right.... a keylogger is installed too, and don't think that any government on earth will fight for privacy - they would never give up their ways to spy on their citizens. They don't see themselves as our servants - but as our rulers.
We are their subordinates, not their voters.
 
Firstly:
If you have problems remembering complicated passwords I recommend starting your password with Qq1! and then adding on your normal password. I.e. if your password was HappyBoy it now becomes Qq1!HappyBoy. Obviously it could go at the end of the password instead, and it doesn't specifically have to be Qq1!. You could use QWqw12!" or something along those lines. It's the principle that's important.

Secondly:
I recommend storing your passwords in a text file in a password-protected, encrypted file/drive/container on a small external hard drive. Obviously something like Bitlocker or Veracrypt, (free) will create a password-protected encrypted file/drive/container, but even creating a simple .rar or .zip file with a strong password will give you significant protection. That way you only have to remember the 1 password. Not much difference between that and using 1 of these password management sites.
 
The best password manager is a safe.
Most sought-after information is the most protected one then? If someone knows about that safe they are going to crack it for fun even though the password was written on Ms. October's tits on the wall calendar next to it. And it was not "Ken sent me".
 
Most sought-after information is the most protected one then? If someone knows about that safe they are going to crack it for fun even though the password was written on Ms. October's tits on the wall calendar next to it. And it was not "Ken sent me".
...That's hidden beneath the ocean lol lol

But really. A safe that's in a well guarded spot is the most optimal thing
 
...That's hidden beneath the ocean lol lol

But really. A safe that's in a well guarded spot is the most optimal thing
The lesson here is not to write down your complete passwords anywhere - call the non-written-down part of it a "personal token" - it's as simple as a special character or a letter added to any of your passwords that are saved anywhere.
 
Thanks for the suggestions 👍

Many places still require you to use numbers, special characters and capital letters.
BUT because such a password is difficult to remember, many users just invent one password and reuse it! A bad habit 😱
I have read that the most important is to have a very long password.
I have made up a long strange sentence, from which I can remember the password.
All that matters for active authentication is that you can remember it and it isn't easily guessed.

Active authentication can't be brute forced because any such attempt would appear as a DDoS attack (in the context of an authentication server), but also local active authentication like OS user passwords have limits to how often you can try in an arbitrary period.

All 'cybersecurity experts' who claim that your password needs an element of randomness are poorly educated. They or their teachers conflate an encryption key with a password.

Sometimes the terms are used interchangeably but they are very different in practice.

An encryption key is the solution to an encryption. Encrypted data is just data, not an authentication system. It just sits there, it can't have timeouts. It can (in theory) be brute-forced provided the enemy has your encrypted files.

That is why every sane and competent developer of secure systems does not let users choose their own encryption keys. They are generated for you and they are long (sometimes 512 bits or 64 characters long).

As this breach may show (I don't know if it's real or not), keeping it in your head is a lot safer than trusting a company, and if they are syncing your passwords over the internet through their own servers that's trusting them.

Using the same password for everything is certainly dangerous because whenever you set up a password for a remote authentication server (say Zooville) they may or may not be able to keep that password safe.

Using a nonsense password doesn't help with that problem at all, except insofar as it reminds you that you should generate a new password for each authentication server.

Best = Use passwords that you can remember with no clear pattern, size doesn't matter. Problem is no real person can remember a way to do this.

Second Best = Have one password you can remember, long enough to be used as an encryption key. That is the access to a local file containing the unique passwords of all the different credentials. Doesn't matter if they are nonsense or not because you aren't trying to remember them. Then backup the encrypted file to a cloud sharing service.

This is not trusting the cloud sharing service with your passwords, it's just trusting it to sync a file. So long as your single memorized password is long enough brute forcing the encryption would be unrealistic.

If you don't feel the need to sync the file, all the better.

If you find some open source software that manages the passwords for you LOCALLY that is just a convenient form of this strategy. I have never felt the need for such software, a simple text file works for me.

Not Good = Trusting a company to keep your passwords either by trusting their staff and server administration or by trusting their proprietary software that may be piping your info back to them secretly.

Absolute Worst = Using the same password for everything. The first database to be compromised breaks your entire universe.

Notice how having random characters and lack of dictionary words doesn't ever enter into the equation. It's a red herring. The cybersecurity equivalent of wearing a tin foil hat.

99% of hacking happens when someone gets access to your password. None of it (statistically speaking) is due to brute force decryption. Anything that makes you write down your password on paper is a bigger threat than having a memorable password.
 
But who would guess my password for anything is my username backwards and a personal token?
 