Lastpass Was hacked!

Discussion in 'Mac Apps and Mac App Store' started by Michaelgtrusa, Jun 15, 2015.

  1. ck2875 macrumors 6502a

    ck2875

    Joined:
    Mar 25, 2009
    Location:
    Brighton
  2. ardchoille50 macrumors 68020

    Joined:
    Feb 6, 2014
    #3
    The scope of the application would logically make it an attractive target to hackers. Who'd have thought?
     
  3. JohnArtist macrumors member

    Joined:
    Nov 9, 2007
    Location:
    New York
    #4
    Reporter: "Sir, how was Lastpass hacked?"
    Lastpass President: "Our mainframe password was '1234'."
     
  4. ardchoille50 macrumors 68020

    Joined:
    Feb 6, 2014
    #5
    "That's amazing! I've got the same combination on my luggage!"
     
  5. AlliFlowers Contributor

    AlliFlowers

    Joined:
    Jan 1, 2011
    Location:
    L.A. (Lower Alabama)
  6. firedept macrumors 603

    firedept

    Joined:
    Jul 8, 2011
    Location:
    Somewhere!
    #7
    But this same password has never been hacked on any of my other sites I use it on.
     
  7. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #8
    Nice Spaceballs reference!
     
  8. ardchoille50 macrumors 68020

    Joined:
    Feb 6, 2014
    #9
    I wondered if anyone would get that! Best movie Ever!
     
  9. steve23094 macrumors 68000

    steve23094

    Joined:
    Apr 23, 2013
    #10
    At least 1Password keeps your files local.
     
  10. Mr. McMac Suspended

    Mr. McMac

    Joined:
    Dec 21, 2009
    Location:
    Far away from liberals
    #11
    I still trust lastpass. That being said, I changed my master password yesterday just in case.
     
  11. steve23094 macrumors 68000

    steve23094

    Joined:
    Apr 23, 2013
    #12
    Apparently you're vulnerable if you use a relatively simple master password.
     
  12. Mr. McMac Suspended

    Mr. McMac

    Joined:
    Dec 21, 2009
    Location:
    Far away from liberals
    #13
    Mine was and still is very long and complex. It's over 20 characters with numbers, upper and lower case letters and symbols.
     
  13. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #14
    Agreed and this is why I opted for 1Password over Lastpass.

    The trouble for people is that if you do what most of us fall into, using the same password across different sites, then that master password may actually compromise other locations.
     
  14. steve23094 macrumors 68000

    steve23094

    Joined:
    Apr 23, 2013
    #15
    I'm pretty good. Using 1P all my passwords are unique, I recently migrated from using 16 to 24 character passwords. What frustrates me sometimes is when websites have over restrictive password rules which don't allow you to use a very secure one.
     
  15. AndyK macrumors 65816

    AndyK

    Joined:
    Jan 10, 2008
    #16
    Why anyone would use a password manager that stores all your passwords on their servers is beyond me.
     
  16. FoxFifth macrumors 6502

    Joined:
    Oct 18, 2012
    #17
    I haven't changed my master password, but I did finally add multi-factor using Google Authenticator. I'd been meaning to do it and I was already using 2-factor on my other important accounts, but just hadn't gotten around to understanding Google Authenticator and 2-factor with LastPass. Here is one article, but the LastPass and Google help pages were what I used to walk me through it. http://www.zdnet.com/article/lastpa...ortance-of-using-multi-factor-authentication/
     
  17. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #18
    Agreed, the keys to your kingdom are in one place and you're relying on another entity to protect them. I'm not willing to risk my data, and security.
     
  18. ardchoille50 macrumors 68020

    Joined:
    Feb 6, 2014
    #19
    Exactly! If something happened to their servers (natural disaster, terrorist action, etc.), how do the affected folks obtain their passwords? This breach is a perfect example of why one should never allow their passwords to be controlled by others. And, whether you want to believe it or not, if your passwords are stored on someone else's server, those passwords are not under your complete control. I find it better to use a password manager that keeps passwords local.
     
  19. simonsi macrumors 601

    simonsi

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #20
    And if natural disaster or hardware failure affects the local machine? Really, you can move risk around and change the category, but you can't eliminate it. If you want the convenience of being able to use the same set of passwords on several devices then you have to put your passwords somewhere they can be shared, else they can't be kept up to date, etc. etc. ...and convenient security is the best kind, then it gets used. Having them strongly encrypted on a server makes better sense than plain-text locally IMHO, but as they are having to warn users with weak passwords to change them, clearly some have used a weak link; those individuals are likely to have weak links in whatever security mechanism they use.

    Any data the hackers harvested is time-decaying, they know that, they won't spend 5yrs trying to crack all the encryption, they will spend a few hours cracking the weak master passwords, use/sell the resulting data and move on...they apply the 80:20 rule like anyone else.
     
  20. steve23094 macrumors 68000

    steve23094

    Joined:
    Apr 23, 2013
    #21
    To be fair, the poster you quoted didn't say use a plain-text local file. They recommended a password manager which stored the files locally, and they would be encrypted.
     
  21. jasnw macrumors 6502

    Joined:
    Nov 15, 2013
    Location:
    Seattle Area (NOT! Microsoft)
    #22
    This is a definite issue (picture your house burning to the ground with all your technology). I use 1P and periodically make a copy of the (encrypted) 1P database on a USB stick which I keep in a safe deposit box. Your password collection does NOT belong in The Cloud.
     
  22. Temptin, Jun 17, 2015
    Last edited: Jun 17, 2015

    Temptin macrumors member

    Temptin

    Joined:
    Jun 16, 2015
    #23
    Ha ha ha ha ha! A password manager that stores your passwords online. Who'd have thought hackers would want access to it? This is why you use 1Password on all your machines instead. I've never been a LastPass user and I find this breach hilariously obvious, and will still never be a LastPass user. Passwords belong with you, not with a 3rd party. I might get flak from LastPass users for saying this, but it's still the unfortunate truth, as this breach has proven. And they've been hacked at least once before (link), with the exact same type of hack (leak of master password hashes). Sure, it's possible to use LastPass completely safely if you have a super strong master password, and I could do that, but why bother when there's the completely offline 1Password instead? And most regular people don't choose strong passwords, so I imagine a lot of people will have to change their LastPass details now.

    Let's hope LastPass are telling the truth and that they "only" lost the hashes for your master password. In that case, the only way the hacker can log in and get your actual website passwords is if they first figure out your master password and then log in to LastPass' servers with it. Changing your password would be necessary to prevent them from logging in, because whoever grabbed the hashes is right now running a dictionary cracker against them. People with common passwords like "dog" and "bird" and "cow" and "password" and "12345" will be popping up in their results, and they'll be able to log in to the LastPass accounts of those people.

    So do all of these things right now:
    1. Change your LastPass master password immediately and make it very strong (Suggestion: Use the password haystacks method with your own custom padding: https://www.grc.com/haystack.htm, or the Diceware* password system). Of course, you don't need to change anything if your password was already infeasible to crack.
    2. Change the password on any website that used the same login email address and password as your LastPass login details. Because you can be sure the hackers will be trying any discovered password and email combinations on sites like PayPal too. Oh, and in the future, don't use your LastPass master password on any other sites, if you were actually doing that...
    3. If your LastPass master password was super weak (a basic dictionary word or two, or a very common password like "Password54321"), I would also take the precaution of assuming the hacker has logged in to my LastPass account already and would be changing the passwords on *all* sites stored in my LastPass account.

    PS: Obligatory Diceware* xkcd comic:

    [image: xkcd "Password Strength" comic]

    You can measure your diceware password strength at the GRC password haystacks page too. Regardless of what system you use, you'll want a password with a cracking time that will outlast your lifetime.

    To put that sentence into perspective: If you already had such an uncrackable password, it wouldn't matter if the hackers got both the master password hash and the actual password database. It wouldn't even matter if they were the NSA and had a thousand working quantum computers. Given a sufficiently powerful password (one with strengths of at least "trillions of centuries" at GRC's "massive cracking array scenario" strength indicator), no living person will ever be able to crack your master password to decrypt any passwords, and any future person would just find passwords to ancient, long-dead sites like Facebook. ;-)
     
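    Added worked example, not written by any poster in this thread and not LastPass's own code or parameters: it makes concrete what #20 and #23 describe, that a leaked dump of salted master-password hashes gives up the weak passwords to a dictionary run in seconds while a long random passphrase is never even a candidate, and it puts numbers on the "cracking time that will outlast your lifetime" advice. The PBKDF2 iteration count, the constructed dump, the attacker wordlist, the 7776-word Diceware list size and the 1e14 guesses/second rate are all assumptions chosen for illustration.

```python
"""Dictionary attack against constructed leaked salted password hashes, plus a
passphrase-strength estimate. Every parameter here is an assumption for the
demo, not a description of how LastPass actually stored or verified anything."""
import hashlib
import math
import os

# Assumption: PBKDF2-HMAC-SHA256 with a deliberately low iteration count so the
# demo runs in well under a second. Real vaults use far more rounds, which
# multiplies the cost of every guess the attacker makes by the same factor.
ROUNDS = 1000


def derive(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Hash a master password the way a server might store it (salted PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_dump(passwords):
    """Build a constructed 'leaked' dump: one (salt, hash) pair per account."""
    dump = []
    for pw in passwords:
        salt = os.urandom(16)          # per-account random salt
        dump.append((salt, derive(pw, salt)))
    return dump


# Constructed accounts. Index 2 is a six-word Diceware-style passphrase.
LEAKED_PASSWORDS = ["dog", "Password54321", "glossy enrich drift pigeon vacuum tomato"]
DUMP = make_dump(LEAKED_PASSWORDS)

# Constructed attacker wordlist: common passwords plus the words the thread jokes about.
WORDLIST = ["password", "12345", "dog", "bird", "cow", "Password54321", "letmein"]


def crack(dump, wordlist):
    """Return {account_index: recovered_password} for every hash some candidate matches.

    Salting forces the attacker to re-hash each candidate per account, so the
    total cost is len(dump) * len(wordlist) * ROUNDS PBKDF2 iterations; that is
    still trivial when the password is in the wordlist at all."""
    recovered = {}
    for idx, (salt, digest) in enumerate(dump):
        for candidate in wordlist:
            if derive(candidate, salt) == digest:
                recovered[idx] = candidate
                break
    return recovered


def passphrase_bits(word_count: int, list_size: int = 7776) -> float:
    """Entropy of a passphrase of word_count words drawn uniformly from list_size words."""
    return word_count * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every possible passphrase at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    found = crack(DUMP, WORDLIST)
    for idx in range(len(LEAKED_PASSWORDS)):
        status = f"cracked -> {found[idx]!r}" if idx in found else "not in wordlist"
        print(f"account {idx}: {status}")
    for words in (4, 6, 8):
        bits = passphrase_bits(words)
        # Assumed offline attack rate of 1e14 guesses/second for the estimate.
        print(f"{words} Diceware words = {bits:.1f} bits; exhaustive search at 1e14/s "
              f"takes about {years_to_exhaust(bits, 1e14):.2e} years")
```

    Two things to read off the output: the two weak accounts fall out of the loop on the first pass, and raising ROUNDS only slows the attacker per guess, it does nothing for a password that is already in the wordlist, which is why changing a weak master password matters more than anything the server does. The entropy estimate is only worst-case exhaustive search against a uniformly random passphrase; a passphrase built from favourite words is not uniform and the estimate does not apply to it.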
  23. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #24
    A solid backup plan will mitigate and lower the risks. For instance, I backup my computer on a portable drive and I take that portable drive to my office. So in the event of a natural disaster that destroys my home and computer my data is safe.

    If there's a natural disaster that destroys my home and office location, well then I have bigger things to worry.
     
  24. AndyK macrumors 65816

    AndyK

    Joined:
    Jan 10, 2008
    #25
    I just keep a second backup that I refresh weekly in a fireproof safe I have in the house with other various 'important' things inside it (passports etc).
     