LastPass Security Breach

FloofyNewfie

The Floofy Moderator
The password managing software known as LastPass has had a major security breach. This breach affected their 1 million + users. If you use LastPass to store your passwords here and anywhere else, I'd advise changing your password immediately manually.

If you use this software to store your passwords you might have already heard about the breach, but just in case some users here that use LastPass to access this site haven't heard about it, I figured I'd post a public service announcement here.

Affected users: To change your password click on your profile icon --> click Password and Security --> type in your old password (which you may have to retrieve from LastPass) and then type in a new password --> Click Save

While not required for best security practices, I'd encourage you to create a password with at least 1 number, 1 special character, and 1 capital letter.
 

humananimal

Esteemed Citizen of ZV
> The password managing software known as LastPass has had a major security breach. This breach affected their 1 million + users. If you use LastPass to store your passwords here and anywhere else, I'd advise changing your password immediately manually. If you don't use this software, your account should be fine.
>
> If you use this software to store your passwords you might have already heard about the breach, but just in case some users here that use LastPass to access this site haven't heard about it, I figured I'd post a public service announcement here.
>
> Affected users: To change your password click on your profile icon --> click Privacy and Security --> type in your old password and then a new password --> Click Save
>
> While not required for best security practices, I'd encourage you to create a password with at least 1 number, 1 special character, and 1 capital letter.
Thanks for the suggestions 👍

Many places still require the use of numbers, special characters and capital letters.
BUT because such a password is difficult to remember, many users just invent one password and reuse it! A bad habit 😱
I have read that the most important is to have a very long password.
I have made up a long strange sentence, from which I can remember the password.
 

underdoge

Citizen of Zooville
Why should users change their master password?

Last I heard, the encrypted password vaults and the user's personal information (email, address, list of websites, etc.) in plain text were stolen. There are two scenarios: they crack the encryption on the user's password vaults, in which case all of their passwords that were stored in LastPass need to be changed, or they don't and then the user is safe from password theft. They shouldn't have a way to find out the master password in that case.
 

FloofyNewfie

The Floofy Moderator
> Why should users change their master password?
>
> Last I heard, the encrypted password vaults and the user's personal information (email, address, list of websites, etc.) in plain text were stolen. There are two scenarios: they crack the encryption on the user's password vaults, in which case all of their passwords that were stored in LastPass need to be changed, or they don't and then the user is safe from password theft. They shouldn't have a way to find out the master password in that case.
It stemmed from a phishing attack that a high-ranking employee of LastPass fell for. The cybercriminals in question gained unauthorized access to both encrypted and unencrypted information. According to their initial statement, usernames/websites/organizations/passwords/names/IPs have all been potentially compromised. Anyone who has their passwords saved through LastPass needs to change all passwords immediately, especially the master password.

That's not coming directly from me, I'm basically repeating the memo from LastPass's initial breach statement.

According to a more recent statement your passwords are *more than likely fine* if you've updated the master password as soon as the breach happened. But most tech websites are advising that you change all of your passwords to be on the safe side. So, to be on the safe side it would be advisable to just change your password if you use LastPass.
 

FloofyNewfie

The Floofy Moderator
Also, as a side note, if you're using the same password from ZooVille 1.0 for ZooVille 2.0 (current iteration of ZooVille) you should absolutely change your password to something else. As the previous forum software we used, vBulletin, also suffered a very substantial data breach. It's why we moved over to XenForo instead.
 
> Why should users change their master password?
>
> Last I heard, the encrypted password vaults and the user's personal information (email, address, list of websites, etc.) in plain text were stolen. There are two scenarios: they crack the encryption on the user's password vaults, in which case all of their passwords that were stored in LastPass need to be changed, or they don't and then the user is safe from password theft. They shouldn't have a way to find out the master password in that case.
If they manage to brute force the master password, because a user didn't follow LastPass' own recommendations for creating one, and that user is still for some reason using LastPass and doesn't have multifactor authentication enabled, the attackers can simply log into the user's account directly and get access to their current (i.e. changed) passwords.

Changing the master password for the live vault would prevent that.
 

scruffypup

Tourist
There was a thread about Last Pass over at privacyguides. Seems like its worse than LP is suggesting in their blog post, and at the same time the product hasn't been trustworthy for a lengthy amount of time.

I really think it's quite atrocious that LastPass didn't encrypt ALL THE DATA...like the URL, or using AES in ECB mode.

That's not even getting started on the fact that old accounts had dangerously low iterations of PBKDF2. This is something which Bitwarden is unfortunately also guilty of. Fortunately you can increase that, and they are also implementing the more modern Argon2 derivation function, which should make it harder to crack passwords with ASICs, GPUs, FPGAs etc. as it introduces new settings such as memory, parallelism and time tweaks.
 

annijma16

Tourist
> The password managing software known as LastPass has had a major security breach. This breach affected their 1 million + users. If you use LastPass to store your passwords here and anywhere else, I'd advise changing your password immediately manually.
>
> If you use this software to store your passwords you might have already heard about the breach, but just in case some users here that use LastPass to access this site haven't heard about it, I figured I'd post a public service announcement here.
>
> Affected users: To change your password click on your profile icon --> click Password and Security --> type in your old password (which you may have to retrieve from LastPass) and then type in a new password --> Click Save
>
> While not required for best security practices, I'd encourage you to create a password with at least 1 number, 1 special character, and 1 capital letter.
Thank you for warning and caring
 

Reconscope

Supreme Citizen of ZV
I will bite... What is this "lastpass" purpose anyway? I mean I know it's a scam but what was the purpose they were projecting.

What would make this one more unique versus any other ones? (Besides the hilarious scam scheme)
 

dogluver101

Give a dog a bone
> I will bite... What is this "lastpass" purpose anyway? I mean I know it's a scam but what was the purpose they were projecting.
>
> What would make this one more unique versus any other ones? (Besides the hilarious scam scheme)
Just a simple password manager product. I've barely seen much of a difference from others. I think they were selling more on convenience vs. the competition.
 

Reconscope

Supreme Citizen of ZV
> Just a simple password manager product. I've barely seen much of a difference from others. I think they were selling more on convenience vs. the competition.
Weird... I can't imagine who would fall for this. There's like so many things heck even a notepad. Why would anybody want this?

And yes I understand the concept "if it exists then there's an audience."
 

underdoge

Citizen of Zooville
If you have 15+ character randomly generated passwords that are different for all of your websites either memorized or on your notepad then I'm impressed. Most people can't do that. If you don't then you're vulnerable. Websites sharing passwords means that you can get multiple services compromised at a time because one of them got breached. Passwords that are not random can be guessed a lot easier by computers.
 

humananimal

Esteemed Citizen of ZV
> If you have 15+ character randomly generated passwords that are different for all of your websites either memorized or on your notepad then I'm impressed. Most people can't do that. If you don't then you're vulnerable. Websites sharing passwords means that you can get multiple services compromised at a time because one of them got breached. Passwords that are not random can be guessed a lot easier by computers.
A very simple way to avoid computers guessing your password is that all those login pages don't accept loads of new password attempts.
In my country we have a ‘masterID’ which is used to access banks, tax, insurance a.s.I. It also requires a two stage confirmation in an app made for that. If I type wrong I will have to wait 29 seconds.
 

underdoge

Citizen of Zooville
> A very simple way to avoid computers guessing your password is that all those login pages don't accept loads of new password attempts.
> In my country we have a ‘masterID’ which is used to access banks, tax, insurance a.s.I. It also requires a two stage confirmation in an app made for that. If I type wrong I will have to wait 29 seconds.
Yes, but consider what happened with LastPass. They stole encrypted data that they now have unlimited attempts at cracking. There are other websites that encrypt your data with your password too.
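The point underdoge makes here, and the one scruffypup makes above about low PBKDF2 iteration counts, come down to the same arithmetic: once the attacker holds a copy of the vault, the only thing slowing each guess is the key derivation function. The script below is an added example and is not code from the thread or from LastPass; it builds a constructed "vault" (salt, iteration count and a key verifier, all stored in the clear, as an attacker with a backup would have them), runs an offline dictionary attack against it with no lockout, and measures how the cost per guess scales with the PBKDF2 iteration count. The wordlist, the master password "HappyBoy", the HMAC-based verifier standing in for real authenticated ciphertext, and the iteration counts tried are all illustrative choices for the example, not a statement of what any product used.

```python
# Added example (not from the thread or from LastPass): an offline dictionary
# attack against a constructed "vault" whose key comes from PBKDF2-HMAC-SHA256.
# Everything here is constructed for illustration; the iteration counts are
# illustrative, not a statement of what any product used.
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

# Constructed: a fixed tag whose HMAC under the derived key acts as the
# "can this key open the vault?" check. Real vaults authenticate ciphertext.
VERIFIER_TAG = b"vault-verifier"


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256 into a 32-byte key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_vault(master_password: str, iterations: int,
               salt: Optional[bytes] = None) -> dict:
    """Build the stolen artifact: salt, iteration count and key verifier.

    All three are stored in the clear, exactly what an attacker holding a
    backup copy of the vault would have."""
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, VERIFIER_TAG, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlocks(vault: dict, candidate: str) -> bool:
    """True if `candidate` derives the key that produced the verifier."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    check = hmac.new(key, VERIFIER_TAG, "sha256").digest()
    return hmac.compare_digest(check, vault["verifier"])


def crack(vault: dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing: no server, no lockout, no 29-second delay.

    Returns (recovered_password or None, number_of_guesses_tried)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if unlocks(vault, guess):
            return guess, tried
    return None, tried


def seconds_per_guess(iterations: int, samples: int = 10) -> float:
    """Measure the attacker's cost of one guess at this iteration count."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"timing-sample-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(search_space: float, secs_per_guess: float,
                     parallel_guessers: int = 1) -> float:
    """Worst-case time to try every candidate, given parallel guessers."""
    return search_space * secs_per_guess / parallel_guessers / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed wordlist; "HappyBoy" is the weak master password for the demo.
    wordlist = ["password", "letmein", "summer2022", "Qq1!HappyBoy", "HappyBoy"]
    for iters in (5_000, 100_000, 600_000):
        vault = make_vault("HappyBoy", iters)
        t0 = time.perf_counter()
        found, n = crack(vault, wordlist)
        print(f"{iters:>7} iterations: recovered {found!r} after {n} guesses "
              f"in {time.perf_counter() - t0:.2f}s")
    # Same arithmetic for a random 12-character alphanumeric password
    # (62**12 candidates) on one CPU core. GPUs and many cores divide this,
    # which is why both the iteration count and the password length matter.
    for iters in (5_000, 600_000):
        print(f"{iters:>7} iterations: "
              f"{years_to_exhaust(62 ** 12, seconds_per_guess(iters)):.3e} years")
```

Running it shows the dictionary password falling on the fifth guess at every iteration count, only the wall-clock time changes, while the random 12-character password stays out of reach at any iteration count on a single core. That is the practical reading of the thread: the iteration count buys a constant factor, the master password's randomness buys the exponent, and raising the server-side iteration count only protects vaults created after the change, which is why the advice was to rotate the master password and the secrets inside rather than rely on the old settings.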
 

Mosteel

Tourist
> I will bite... What is this "lastpass" purpose anyway? I mean I know it's a scam but what was the purpose they were projecting.
>
> What would make this one more unique versus any other ones? (Besides the hilarious scam scheme)
it's putting all your eggs in one basket, that has the strength of an egg.
 

annijma16

Tourist
> Yes, but consider what happened with LastPass. They stole encrypted data that they now have unlimited attempts at cracking. There are other websites that encrypt your data with your password too.
Well - first - use a VPN - second use Tor Browser
 
> Well - first - use a VPN - second use Tor Browser
That would have been entirely ineffective as a defense against the LastPass breach. They literally gained access to LastPass's own backup storage, which stored their backups of users' password vaults.

With access to the data stored in those, a VPN or Tor wouldn't protect you for one second.
 

annijma16

Tourist
If you have Windows/YouTube/Facebook/Twitter in use/installed - then yes, you're right... a keylogger is installed too, and don't think that any government on earth will fight for privacy - they would never give up their ways to spy on their citizens. They don't see themselves as our servants - but as our rulers.
We are their subordinates, not their voters.
 

majolica

Tourist
Firstly:
If you have problems remembering complicated passwords I recommend starting your password with Qq1! and then adding on your normal password. I.e. if your password was HappyBoy it now becomes Qq1!HappyBoy. Obviously it could go at the end of the password instead, and it doesn't specifically have to be Qq1!. You could use QWqw12!" or something along those lines. It's the principle that's important.

Secondly:
I recommend storing your passwords in a text file in a password-protected, encrypted file/drive/container on a small external hard drive. Obviously something like BitLocker or VeraCrypt (free) will create a password-protected encrypted file/drive/container, but even creating a simple .rar or .zip file with a strong password will give you significant protection. That way you only have to remember the 1 password. Not much difference between that and using 1 of these password management sites.
 

Stash

Citizen of Zooville
The best password manager is a safe.
Most sought after information is the most protected one then? If someone knows about that safe they are going to crack it for fun, even though the password was written on Ms. October's tits on the wall calendar next to it. And it was not "Ken sent me".
 