
LastPass security company

bcsdguy
Explorer
I see where LastPass password security company has fallen victim to the hacking community. Anyone having passwords with them ought to change them. Here is an excerpt from them:

The hackers were able to make off with the email addresses of everyone who uses the service, along with password reminders, authentication hashes and server per user salts. Of these, the most troubling are the authentication hashes, as this is what LastPass uses to determine that you're you, and have permission to access your account.

According to the company's blog, even with the authentication hashes in hand, it would be virtually impossible for a hacker to actually breach your account and get into your password safe. That is of some comfort, but of course, the company was supposed to be essentially unhackable to begin with, so take that with a grain of salt.

What You Should Do

About the only thing that's absolutely required is to change your Master Password. That way, if LastPass is wrong about the hackers not being able to use the authentication hashes to break into your password safe, they'll be using the wrong password – it will render the hashes irrelevant.

As an added security precaution, the company has locked accounts down, so that if you're not accessing your account from a trusted IP address you've used before, you'll also have to take the step of verifying your email. According to the company's website, the data that the hackers got shouldn't put your other passwords at risk, but you'll definitely want to change your Master Password. No further action should be required, but if it is, you'll be getting detailed instructions from LastPass.
No person is completely worthless ... one can always serve as a bad example.

fj12ryder
Explorer III
SCR wrote:
tvman44 wrote:
I have been trying to find a good password program that is local, on my computer or a jump drive.


The safest password vault is the one located directly behind your eyes.

Otherwise RoboForm works pretty well.
Yup, that's the one. I've been using it for over 15 years.
Howard and Peggy

"Don't Panic"

SCR
Explorer
bcsdguy wrote:
SCR wrote:
tvman44 wrote:
I have been trying to find a good password program that is local, on my computer or a jump drive.


The safest password vault is the one located directly behind your eyes.

Otherwise RoboForm works pretty well.


Thank you! I would never put my passwords on a website no matter what they claim.


You're welcome. Robo is a handy program. Just a point of reference: LastPass isn't what you would call a website. I've used it for years but only for the most mundane passwords, like this forum and others along with some junk email accounts.

I do believe that LastPass is safe but I'm a little upset with their slow roll out of notification that they had an incident. I happened to see it on a network news site three days after it happened. I didn't get an official notification for 5 days. Entirely too slow... and an eternity in the security field. They should feel quite embarrassed but I doubt they do. They did post it on their forum but it's not a place I visit every day.

Some of the less important ones like my regular email accounts are in RoboForm. I've used that for years as well mostly for convenience.

The really important ones like financial accounts are behind my eyes and between my ears. Having said that, I should add that I'm getting up there in years and may have to start relying more on RoboForm. Things are getting a little mushy behind the eyes. :E

Now where did I put my keys..:h

pconroy328
Explorer
bcsdguy wrote:
bwanshoom wrote:
This is relatively old news at this point, but the reasoning in your post behind changing your master password is flawed. The master password is used to protect the encryption key for the password vault - where all your various passwords are stored. If the intruders got a copy of the vaults, changing your master password after the fact will have no effect. That will only create a new encrypted copy of the vault stored with LastPass - the old encrypted copy using the master password whose hash was stolen remains unchanged. It would remain vulnerable to offline brute force attack. But because each password has a unique salt (a bit of random information added to a password to defeat dictionary attacks) added to it, the intruders cannot brute force every stolen password - each password would take a ridiculous amount of time and computing power to break.

LastPass has more information on the breach here.


This isn't my information, it is from Lastpass. So if it is flawed like you say, then it is their problem.


They posted some updates. The last one I think was 16-June.
I'm a long time Lastpass user.

bcsdguy
Explorer
bwanshoom wrote:
This is relatively old news at this point, but the reasoning in your post behind changing your master password is flawed. The master password is used to protect the encryption key for the password vault - where all your various passwords are stored. If the intruders got a copy of the vaults, changing your master password after the fact will have no effect. That will only create a new encrypted copy of the vault stored with LastPass - the old encrypted copy using the master password whose hash was stolen remains unchanged. It would remain vulnerable to offline brute force attack. But because each password has a unique salt (a bit of random information added to a password to defeat dictionary attacks) added to it, the intruders cannot brute force every stolen password - each password would take a ridiculous amount of time and computing power to break.

LastPass has more information on the breach here.


This isn't my information, it is from Lastpass. So if it is flawed like you say, then it is their problem.
No person is completely worthless ... one can always serve as a bad example.

bcsdguy
Explorer
SCR wrote:
tvman44 wrote:
I have been trying to find a good password program that is local, on my computer or a jump drive.


The safest password vault is the one located directly behind your eyes.

Otherwise RoboForm works pretty well.


Thank you! I would never put my passwords on a website no matter what they claim.
No person is completely worthless ... one can always serve as a bad example.

SCR
Explorer
tvman44 wrote:
I have been trying to find a good password program that is local, on my computer or a jump drive.


The safest password vault is the one located directly behind your eyes.

Otherwise RoboForm works pretty well.

tvman44
Explorer
I have been trying to find a good password program that is local, on my computer or a jump drive.
Papa Bob
1* 2008 Brookside by Sunnybrook 32'
1* 2002 F250 Super Duty 7.3L PSD
Husky 16K hitch, Tekonsha P3,
Firestone Ride Rite Air Springs, Trailair Equa-Flex, Champion C46540
"A bad day camping is better than a good day at work!"

rwbradley
Explorer
There is an important distinction in the OP that the mainstream media seem to miss or conveniently forget for ratings purposes. Lastpass passwords were NOT breached. The company was breached and encrypted master password hashes were taken. Although Lastpass will likely not admit their security posture publicly, in all reality the contents of the vaults are likely stored in a secondary, more secure network that only the servers that authenticate the master password would have access to. Breaching the servers hosting the vaults would require penetrating multiple layers of security, like getting into the inner rings of the Pentagon. Lastpass has stated publicly that the vaults were not part of the breach, thus there is no risk of an old copy of the master password being used later to get into a stolen copy of the vaults.

As mentioned in the news, users are not at immediate threat of data theft, but are being told to change master passwords in case they find a way to crack the passwords from the information that was taken. Further, if you have 2 factor authentication enabled, it would be even more difficult to get access to the passwords.

With that said, their advice is obviously sound to change the master password on Lastpass and any other site that you use that same password on. This is not another Sony or Target; it only could be if a hacker finds/found a flaw/bug in their systems to gain access before people change their master passwords.
Rob
rvtechwithrvrob.com

fj12ryder
Explorer III
An excellent reason not to store anything really important online. If a company like LastPass can be compromised, then basically anything can be compromised. IMO anything sensitive should be kept locally.
Howard and Peggy

"Don't Panic"

bwanshoom
Explorer
This is relatively old news at this point, but the reasoning in your post behind changing your master password is flawed. The master password is used to protect the encryption key for the password vault - where all your various passwords are stored. If the intruders got a copy of the vaults, changing your master password after the fact will have no effect. That will only create a new encrypted copy of the vault stored with LastPass - the old encrypted copy using the master password whose hash was stolen remains unchanged. It would remain vulnerable to offline brute force attack. But because each password has a unique salt (a bit of random information added to a password to defeat dictionary attacks) added to it, the intruders cannot brute force every stolen password - each password would take a ridiculous amount of time and computing power to break.

LastPass has more information on the breach here.
2010 Cougar 322 QBS
2008 Chevy Silverado 2500HD LMM CC/SB 4x4 LTZ
Pullrite SuperGlide 18K
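The mechanism bwanshoom describes above, and the "authentication hashes and server per user salts" from the opening post, can be made concrete with a small model. This is an added example written for this page, not LastPass's code: the PBKDF2 iteration count, the two-salt layout, the toy cipher standing in for a real AEAD, and every function name are assumptions for illustration. It shows three things the thread argues about: two accounts with the same master password get different stored hashes because of the per-user salt; changing the master password produces a new record but leaves any already-stolen copy of the old record openable with the old password; and an attacker holding the hash and salts can run an offline dictionary attack with no further contact with the server, paying one KDF run per guess.

```python
"""Simplified model of a password manager's login hash and vault encryption.
Added example for this page; construction and parameters are assumptions,
not LastPass's real implementation."""
import hashlib
import hmac
import json
import os
from typing import Optional

KDF_ITERATIONS = 100_000  # assumed; a real product's client-side PBKDF2 count differs

def derive_vault_key(master_password: str, user_salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Client side: slow, per-user-salted KDF. In this model the result both
    encrypts the vault and feeds the authentication hash the server stores."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), user_salt,
                               iterations, dklen=32)

def auth_hash(vault_key: bytes, server_salt: bytes) -> bytes:
    """Server side: the stored login check. A second (server) salt keeps the
    stored value from being the vault key itself."""
    return hmac.new(server_salt, vault_key, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for a real AEAD such as AES-GCM (HMAC keystream XOR plus HMAC tag).
    Enough to show key dependence; not for production use."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def toy_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong master password (wrong key) or tampered blob
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def create_account(master_password: str, secrets: dict) -> dict:
    """Server-side record. In the scenario discussed in the thread the salts and
    auth_hash were taken; the encrypted vault was not."""
    user_salt, server_salt = os.urandom(16), os.urandom(16)
    vault_key = derive_vault_key(master_password, user_salt)
    return {
        "user_salt": user_salt,
        "server_salt": server_salt,
        "auth_hash": auth_hash(vault_key, server_salt),
        "vault": toy_encrypt(vault_key, json.dumps(secrets).encode()),
    }

def login(record: dict, master_password: str) -> bool:
    key = derive_vault_key(master_password, record["user_salt"])
    return hmac.compare_digest(auth_hash(key, record["server_salt"]), record["auth_hash"])

def open_vault(record: dict, master_password: str) -> Optional[dict]:
    key = derive_vault_key(master_password, record["user_salt"])
    plaintext = toy_decrypt(key, record["vault"])
    return None if plaintext is None else json.loads(plaintext)

def change_master_password(record: dict, old: str, new: str) -> dict:
    """Re-derives everything under the new password. The OLD record object is
    untouched: a copy an attacker already holds still opens with the old password."""
    secrets = open_vault(record, old)
    if secrets is None:
        raise ValueError("old master password does not open the vault")
    return create_account(new, secrets)

def breach_dump(record: dict) -> dict:
    """What the attacker holds in this scenario: everything except the vault."""
    return {k: v for k, v in record.items() if k != "vault"}

def offline_dictionary_attack(stolen: dict, wordlist,
                              iterations: int = KDF_ITERATIONS) -> Optional[str]:
    """With auth_hash and both salts the attacker needs no server contact: one KDF
    run per guess. The per-user salt forces this loop to be repeated per account
    instead of one precomputed table serving every stolen hash."""
    for guess in wordlist:
        key = derive_vault_key(guess, stolen["user_salt"], iterations)
        if hmac.compare_digest(auth_hash(key, stolen["server_salt"]), stolen["auth_hash"]):
            return guess
    return None
```

Call create_account, then breach_dump to see what the attacker would hold, then offline_dictionary_attack with a wordlist. Raising KDF_ITERATIONS slows the legitimate login and every attacker guess by the same factor, which is the purpose of a slow KDF; the salts do not make a single guess slower, they only stop one table of precomputed hashes from serving every account in the dump.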

joebedford
Nomad II
Never put anything important in the cloud.