Security Technology

LastPass Says It Didn't Leak Your Password

Did LastPass get hacked? Gizmodo: Some users of the popular password manager recently received emails from the company warning them of suspicious login attempts that were utilizing their master password -- definitely never a great sign. Speculation soon spread that LastPass may have suffered a data breach that exposed users' credentials, thus allowing for the malicious activity to take place.

According to LastPass itself, the answer is: We don't think so. When reached for comment by Gizmodo, the company provided us with a statement blaming the irregular activity on "credential stuffing" attempts by some unknown threat actor: "LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted 'credential stuffing' activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.
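Credential stuffing, as the statement above describes it, is one source trying breach-dump email/password pairs against many different accounts. The following is an added example (not from Gizmodo, LastPass or the original page) that flags that pattern in constructed authentication log lines; the `src=`/`user=`/`result=` field layout and the thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not real LastPass data): one source cycling through many
# accounts with mostly failed logins, one ordinary user retrying, one normal login.
SAMPLE_LOG = """\
2021-12-27T10:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2021-12-27T10:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2021-12-27T10:00:02Z src=203.0.113.5 user=carol@example.com result=FAIL
2021-12-27T10:00:03Z src=203.0.113.5 user=dave@example.com result=OK
2021-12-27T10:00:04Z src=203.0.113.5 user=erin@example.com result=FAIL
2021-12-27T10:00:05Z src=203.0.113.5 user=frank@example.com result=FAIL
2021-12-27T10:01:10Z src=198.51.100.7 user=alice@example.com result=FAIL
2021-12-27T10:01:40Z src=198.51.100.7 user=alice@example.com result=OK
2021-12-27T10:02:00Z src=192.0.2.9 user=grace@example.com result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def detect_credential_stuffing(log_text, min_distinct_users=5, min_failure_ratio=0.6):
    """Return {source_ip: summary} for sources that look like credential stuffing.

    The signature is one source trying many *different* accounts with a high
    failure rate (most breach-dump pairs do not match). A brute-force attack on
    a single account (one user, many failures) is deliberately not flagged.
    Accounts the source did log into are listed so they can be forced through a
    reset: their password is evidently known from somewhere else.
    """
    per_src = defaultdict(lambda: {"users": set(), "ok": set(), "attempts": 0, "failures": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that do not carry the expected fields
        s = per_src[m["src"]]
        s["users"].add(m["user"])
        s["attempts"] += 1
        if m["result"] == "OK":
            s["ok"].add(m["user"])
        else:
            s["failures"] += 1

    flagged = {}
    for src, s in per_src.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[src] = {"distinct_users": len(s["users"]), "attempts": s["attempts"],
                            "failure_ratio": round(ratio, 2), "succeeded_for": sorted(s["ok"])}
    return flagged
```

On a real log the thresholds need tuning: a shared NAT gateway legitimately carries many users, so pair the distinct-user count with a per-source rate or that source's own baseline.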
  • by awwshit ( 6214476 ) on Tuesday December 28, 2021 @03:01PM (#62122927)

    For LastPass I'd bet capturing session cookies from a browser is the best bet for access.

  • by Snotnose ( 212196 ) on Tuesday December 28, 2021 @03:03PM (#62122935)
    I use Keepass. It saves an encrypted file that I have on my laptop, NAS, phone, and the thumb drive I carry around. No cloud needed, as long as I have access to the .kpx database I can recover my passwords. If someone else gets my .kpx file then, well, have fun. I just ran through the master password in my head, it's 31 characters, upper lower case, 1 number, and 2 symbols.

    The only pain in the ass is when I update the .kpx file, then I have to copy the damned thing around. Which happens maybe every 6 months tops now that I rely on it.
    • Your second-to-last sentence is exactly why people want a cloud-based solution. With password rotation policies, and needing to create logins for systems several times a week, something that doesn't require manual syncing is necessary for most people. Personally, I also use KeePass, but keep the file on a cloud service.

      Lucky you that can get away with only needing to update once every 6 months. Your use-case is rare.

      • Lucky you that can get away with only needing to update once every 6 months. Your use-case is rare.

        No kidding. I’m adding things to my password manager (Bitwarden) every few days - secure notes, most often.

        And every so often I dump the whole thing into a JSON file that’s kept on an encrypted disk image. So as long as I have access to that, I can recover all my passwords and secure notes - no cloud needed.

      • This is the answer: KeePass, with a strong password, stored on a cloud service. Those of us who are especially paranoid put it on a service that we manage, but really, something like Dropbox is fine.

        I don't trust browser-based solutions, because browsers present a big attack surface. I also don't trust any service that has its own cloud integration, because you cannot be certain that they cannot see the unencrypted data.

        • by Anonymous Coward

          This is the answer: KeePass, with a strong password, stored on a cloud service. Those of us who are especially paranoid put it on a service that we manage, but really, something like Dropbox is fine.

          An improvement would be: KeePass, with a password and a local key file.

          The key file functions as an additional pre-shared key (PSK) that is automatically combined with your passphrase and without which your KeePass database file cannot be decrypted.

          Once you securely copy the key file to all your devices, you can freely share your KeePass database file on cloud storage without worry, even if you have a weak password or don't trust the storage provider.
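The key-file mechanism the comment above describes, as an added example modelled on the way KeePass builds its composite key (hash of the hashed password concatenated with the hashed key file, then a slow key-derivation step). It is not KeePass's code: the PBKDF2 stretching, the constructed salt and the `vault-check` verifier are stand-ins chosen here for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def generate_key_file() -> bytes:
    """A fresh key file: 32 random bytes, i.e. 256 bits that no breach dump or
    wordlist can supply. Copy it to each device over a trusted channel, never
    via the same cloud share that holds the database."""
    return secrets.token_bytes(32)


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Fold the master password and the optional key file into one 32-byte key.
    Modelled on KeePass: each component is hashed, the hashes are concatenated,
    and the concatenation is hashed again. Without the key file the result is a
    completely different key, so the database cannot be opened by password alone."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def derive_vault_key(password, key_file, salt, rounds=200_000) -> bytes:
    """Stretch the composite key with a slow KDF (PBKDF2 here, a stand-in for
    KeePass's AES-KDF/Argon2) so every guess costs real work."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file), salt, rounds)


def verifier(vault_key: bytes) -> bytes:
    """Key-check value kept in the vault header: lets a wrong password/key-file
    pair be rejected without revealing anything about the right one."""
    return hmac.new(vault_key, b"vault-check", hashlib.sha256).digest()


def unlocks(stored_verifier, password, key_file, salt, rounds=200_000) -> bool:
    """True only if this password *and* this key file reproduce the stored verifier."""
    candidate = verifier(derive_vault_key(password, key_file, salt, rounds))
    return hmac.compare_digest(stored_verifier, candidate)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # constructed per-vault salt
    kf = generate_key_file()
    stored = verifier(derive_vault_key("weak password", kf, salt))
    print("password + key file:", unlocks(stored, "weak password", kf, salt))    # True
    print("password only:      ", unlocks(stored, "weak password", None, salt))  # False
```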

    • I tried to use Keepass and it could satisfy my robustness requirements
    • by Hymer ( 856453 )

      The only pain in the ass is when I update the .kpx file, then I have to copy the damned thing around. Which happens maybe every 6 months tops now that I rely on it.

      You could have the .kpx file on OwnCloud then it would replicate to all devices.

    • For syncing the kpx, look into SyncThing.
    • The only pain in the ass is when I update the .kpx file, then I have to copy the damned thing around. Which happens maybe every 6 months tops now that I rely on it.

      That's your answer. Sooner or later someone forgets to update the .kpx file and then loses access to a critical system. I used Keepass and LastPass both. Although they are password managers, in reality, they are very different tools. Each tool is for a job, and it is neither safe nor secure to think one can replace the other in the general case.

  • by klipclop ( 6724090 ) on Tuesday December 28, 2021 @03:04PM (#62122939)
    LastPass was great about 6 years ago when there was a free offline option. But if you are now using LastPass and their "cloud" (internet facing) service with important credentials (i.e. financial, tax, healthcare, etc...) you are going to get burned very badly one day. Most people don't have the technical aptitude to come up with a good master password only for one service, so the fact a credential stuffing attack is even remotely possible with LastPass is a red flag itself. (I'd expect better security / mitigation from them)
    • Well LastPass does their best to educate users. Most local password managers are not reliable or overly complicated to set up and make robust. Password stuffing, which according to LastPass, they did in fact block, is still the responsibility of the user and any password manager would suffer from this attack vector. Calling people idiots for using an encrypted password manager is a little too far. Especially when a large portion of society still relies on physical notepads for passwords. If the passwords we
    • by nasch ( 598556 )

      Do you mean you would be insane to use a weak master password? If I have a huge master password that is not ever used for anything else, how am I vulnerable?

  • No matter what you think about the general security of cloud-based password managers, why on earth would you RE-USE a password as your master password? You *know* the crims are going to try credential stuffing because password managers are pretty high value targets.
  • You fools do not know how to make a password. I mean, look at my password, which is Sl%ashD0tSuxx9000, notice how I use multiple special characters, a mix of upper and lower case, and digits. It also has no spelling that matches a Webster's dictionary word, and consists of a phrase that nobody would ever think of saying. I am certain my password will not be cracked for a while.

  • From the early reports I read, the accounts that were compromised were mostly old, seldom-used accounts, with passwords that hadn't been changed in (maybe) years. All of this suggests to me that the breaches were the result of plain old hacking attempts -- brute force attacks, rainbow tables, etc. If there really was a way to "hack" LastPass and get plaintext passwords, I would suggest everybody get off that service immediately. But I doubt there is a way to do that. I doubt LastPass even stores anybody's p

    • by swell ( 195815 )

      When you are a big corporation with a single task: to secure other people's information; you are incentivized to do that task correctly. And as your reputation grows, the incentive grows stronger.

      I have more important things to worry about. LastPass has been valuable and convenient to me and I'm inclined to trust them until I see strong evidence otherwise. My schedule allows only so much time for paranoia so I direct it elsewhere.

    • by gweihir ( 88907 )

      I tend to agree. Especially as credential stuffing with data from breaches is a standard, low-skill attack. Sounds like some users re-used their passwords and one of the uses got compromised.

    • All of this suggests to me that the breaches were the result of plain old hacking attempts -- brute force attacks, rainbow tables

      You do know that you can only use rainbow tables if you have the hashed passwords, right? So for an attack using rainbow tables you would need the hashes from the LastPass database. Ergo a successful attack on LastPass would have to have taken place.

  • by l0ungeb0y ( 442022 ) on Tuesday December 28, 2021 @04:25PM (#62123171) Homepage Journal
    Every time a client tried to get me to use LastPass or a similar service I would flatly refuse and explain that by its very nature it was a single point of failure and an avenue for a catastrophic security breach. Never got any pushback
    • What alternative did you propose that wasn't a single source of failure? Is it something that your average user could implement across their devices?

      On a side note, if I'm being pedantic, any system that allows you to independently access your data has a single point of failure when exposed to a little rubber hose cryptanalysis [xkcd.com].

  • Reminder that LastPass explicitly shares your password metadata (ex: site urls, etc) with whoever they want, including advertisers or data brokers. Again, the metadata is NOT encrypted. Don't trust em.
