LastPass Hacked, Change Your Master Password Now
-
Wow, that is one significant hack!!
-
Not sure. As per the LastPass blog, "The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
So the advice to change your master password might just be a best practice.
One reason I use 1Password: the data is with me.
-
An authentication hash does not give you access. You have to crack other parts of the system to be able to utilize that. A hash cannot be used instead of the password itself.
-
@scottalanmiller said:
An authentication hash does not give you access. You have to crack other parts of the system to be able to utilize that. A hash cannot be used instead of the password itself.
Yeah, but they still have the ability to crack them.
-
In other news, the settings part (where you change the password) on the LastPass site is now timing out for me.
-
@thecreativeone91 said:
@scottalanmiller said:
An authentication hash does not give you access. You have to crack other parts of the system to be able to utilize that. A hash cannot be used instead of the password itself.
Yeah, but they still have the ability to crack them.
Yes, it's a huge risk. But it hasn't been completely broken yet (as far as anyone knows).
-
@Ambarishrh said:
https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
This begs the question: if it was found on Friday, why did they wait so long to tell us about it? Why were we not notified on Friday? @AmberLastPass
-
Got to the settings page then got this. Pretty annoying as a paying premium member.
-
Others are saying that the "Servers are busy" message has been happening since 11am or so this morning. No signs of actually being able to change passwords yet, still getting the message.
-
@thecreativeone91 said:
How can they say the passwords for other sites were not taken? If they have the master passwords, they have everything.
Apparently the database where the master password hashes are stored was compromised, but not the database that stores all of your actual passwords that are used to log into sites. I'm assuming they are kept separate both for security reasons, and because the encryption on your site passwords has to be reversible whereas the master password they can just store a hash.
-
@thecreativeone91 said:
Got to the settings page then got this. Pretty annoying as a paying premium member.
Still not working, but hey, they added graphics to it now.
-
Ouch - I've been considering using Password Card - if they are still around...
Which they are....
-
Well, I'm changing my password. I even considered moving away from LastPass but I think that's a bit extreme.
-
I didn't even know LastPass existed until reading this, and so nothing of significance was lost... for me. I feel bad for anyone who does suffer because of whatever the issue here was. Being able to take a bunch of hashes really is almost always the result of an SQL injection, probably a UNION SELECT to just pull down all of the password hashes. For God's sake, escape your queries.
-
Everything I've read suggests that the encryption method LastPass uses means that even with the hashes and salts, brute forcing passwords would take a very long time, even with the weakest of passwords. As long as you change your password in the near future I'd say that you're safe.
-
Yes, cracking a good password hash is very non-trivial. Assuming that they have access to the Amazon cloud fleet, I'm guessing this is still quite some time to crack.
-
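The posts above argue that a leaked per-user salt plus authentication hash is not the vault, and that guessing a master password against it costs a full key derivation per guess. The following is an added illustrative model of that split (client-side PBKDF2 to a vault key, a separate one-way authentication hash held by the server); it is not LastPass's actual implementation, and the iteration count, salt and demo password are constructed values.

```python
import hashlib
import hmac
import time

# Assumed client-side work factor; the service's real parameters are not
# given in the thread, so this is an illustrative value only.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Client side: stretch the master password with the per-user salt.
    This key protects the vault and never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def derive_auth_hash(vault_key: bytes, salt: bytes) -> bytes:
    """Client side: one extra one-way step, so the value sent for login
    proves knowledge of the key without being the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1)


def server_verify(stored_auth_hash: bytes, presented_auth_hash: bytes) -> bool:
    """Server side: it only ever holds salt + auth hash; compare in constant time."""
    return hmac.compare_digest(stored_auth_hash, presented_auth_hash)


def seconds_per_guess(salt: bytes, iterations: int = ITERATIONS) -> float:
    """Defender's cost estimate: every guess against a leaked salt + auth hash
    must repeat the whole client-side derivation, so iterations set the price."""
    start = time.perf_counter()
    derive_auth_hash(derive_vault_key("x", salt, iterations), salt)
    return time.perf_counter() - start


def years_to_exhaust(keyspace: int, per_guess: float, parallel_cores: int) -> float:
    """Worst-case wall-clock years to try every candidate on the given hardware."""
    return keyspace * per_guess / parallel_cores / (365 * 24 * 3600)


# Constructed demo values; a real deployment uses a random per-user salt.
DEMO_SALT = b"per-user-salt-0001"
DEMO_KEY = derive_vault_key("correct horse battery staple", DEMO_SALT)
DEMO_AUTH_HASH = derive_auth_hash(DEMO_KEY, DEMO_SALT)

if __name__ == "__main__":
    per = seconds_per_guess(DEMO_SALT)
    print(f"{per:.4f}s per guess; 8-char lowercase keyspace on 10,000 cores: "
          f"{years_to_exhaust(26 ** 8, per, 10_000):.2f} years")
```

The stored value is derived from the vault key but is not the key, so the dump alone does not decrypt a vault; it only gives an attacker something to guess against at the full KDF price per attempt.
-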
I agree with Nick and Scott - while this is not good, it's definitely not as bad as it sounds... the bad thing - non-technical people won't understand why and they'll just crucify LastPass instead.
If I mentioned this to my boss she would kill my desire to push out this service to our users.
-
@Dashrender said:
I agree with Nick and Scott - while this is not good, it's definitely not as bad as it sounds... the bad thing - non-technical people won't understand why and they'll just crucify LastPass instead.
If I mentioned this to my boss she would kill my desire to push out this service to our users.
Pushing LastPass to users: is it a suggestion to all users to manage their own passwords, or will it be used as a password manager for company use?
-
Yeah, I was not even going to try and change passwords today. The last time this happened (2010 ??) the reset servers were completely overwhelmed.
-
@Dashrender said:
I agree with Nick and Scott - while this is not good, it's definitely not as bad as it sounds... the bad thing - non-technical people won't understand why and they'll just crucify LastPass instead.
I'll include myself as a non-technical person here. It does further put me off hosted solutions. That's not the only reason I use on-premises (KeePass), as I didn't really like LastPass when I tried it anyway. I do store my KeePass databases in the cloud though, but that's a different risk.