
LastPass Security Notice - jwcrux
https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
======
jjarmoc
While LastPass seems to be responding well, I find their entire service
exceeds my tolerance for risk.

If you don't use a password manager, you've got 99 problems, but a centralized
store of your credentials for everything that's a huge target by virtue of
having thousands of similarly centralized users ain't one.

Using a password manager (good idea) and then storing all your passwords on a
3rd party service of which you have no control seems inherently risky.
Lastpass is a huge target, and while I believe they generally take reasonable
security measures, for many the risk of compromise may be greater than an
encrypted stand-alone password database. Use a password manager, please, but
keep it offline and don't aggregate it with loads of other people's databases.

This is one area where I feel strongly that the conveniences of 'Cloud' are
outweighed by the risks.

~~~
pdabbadabba
But this depends on the alternative. If, instead of using a password manager,
one uses only one (or even two or three) passwords across all the websites they
frequent, then you are still, in effect, trusting _numerous_ third parties to
keep your password safe in the cloud--if any one of these sites is
compromised, then your password for all (or half, or 1/3rd, etc.) is
compromised along with it.

I agree with you that an offline password manager is better in theory. But the
problem is that I am aware of no such service that is easy to use across
numerous devices, so much so that none has struck me as a viable option given
my patterns of usage. Maybe there are people out there who will accept much
more inconvenience in exchange for avoiding the risk associated with a cloud-
based service. But, for me, the inconvenience is simply too much.

So the choice once more, for me, becomes cloud-based password manager or no
password manager at all.

(Though if you've found a good option, that will allow me to easily sync
across my home desktop, laptop, office pc, tablet, and smartphone, without
using the cloud, I would absolutely love to hear about it! Maybe something
Bluetooth based?)

~~~
tbabb
My compromise has been to come up with a password permutation scheme-- I have
a long, secure, high-entropy password which I can modify/salt in a way that's
predictable (to me) across sites, such that each site's credentials are
unique. Obviously this works across all devices, because the scheme is in my
head, and it's simple enough to remember. I don't use any password manager,
because like OP, that seems like too much of an eggs-and-baskets risk for my
taste.

A catastrophic compromise would require an attacker to see actual credentials
(not just the hashes) across many sites, and on top of that reverse engineer
my specific permutation scheme. This seems much less likely to me than a very
public, high-profile centralized cloud service forgetting to cross a T
somewhere and getting hacked.

~~~
snarfy
If your password for foo.com is foo-hunter2-XYZ and your password for bar.com
is bar-hunter2-XYZ, you've got problems.

~~~
archinal
But if your password for foo.com is 10,000 rounds of PBKDF2-SHA256(foo-hunter2-XYZ)
and so on, this is extremely effective.

~~~
dzhiurgis
Yeah that would be nice. I actually think browsers should have this as a
feature.

But the problem is that not all websites accept long passwords. My bank
wouldn't take longer than 8 characters and doesn't even have a second factor
auth.

Office 365 wouldn't accept more than 16 characters. I think it was Paypal who
wouldn't take more than 10.

~~~
mynameisvlad
Be happy, one of my banks has a 6-digit numeric PIN (I shit you not) as their
"security".

~~~
rickyc091
Banks also lock the accounts after 3 failed attempts though. The short
passwords are to avoid having to deal with phone calls that go something like,
"Hello, I forgot my password."

~~~
dzhiurgis
Overlooking 6 characters vs 20 over a shoulder is much easier though.

------
AdmiralAsshat
See quite a few nods to 1Password in here, which is good, although I tend to
favor KeePass myself, given that it's FOSS.

It also has a way better Firefox add-on than any of the others I've seen
(which is my main browser), and the Android apps, if unofficial, aren't bad
either [0]. Importantly, they feature the ability to either pull from a local
Keepass DB or to get it from a connected Google Drive account. I've taken to
using the latter to make sure my database is synced across all my devices.

At this point it works fairly well across everything I use, with the one
exception that trying to keep the database synced on my Windows box requires
an extension that looked a tad shady to me [1], so I opted to simply manually
upload a new version each time instead.

[0]:
[https://play.google.com/store/apps/details?id=keepass2androi...](https://play.google.com/store/apps/details?id=keepass2android.keepass2android)

[1]:
[http://keepass.info/plugins.html#kpgsync](http://keepass.info/plugins.html#kpgsync)

~~~
rwhitman
I don't understand why 1Password's approach to the cloud - syncing via Dropbox
or Google Drive - is considered that much more secure than LastPass. If
anything relying on Dropbox has always seemed to me to be a huge liability

~~~
dragontamer
If you wanted security, you'd use a SHA256 hash of a master-password + domain
name.

[http://angel.net/~nic/passwdlet.html](http://angel.net/~nic/passwdlet.html)

Storage is unnecessary. LastPass, 1Password... every one of them has
centralized storage. No one needs a central server, but a central server is
the only way a "service" can sell itself.

~~~
StavrosK
There are multiple problems with this approach. SHA is way too fast, some site
is always going to have Auth requirements that won't be the same as the ones
you have set (one service wants mandatory special characters, one wants
mandatory alphanumeric only), and, most importantly, you can't change the
passwords unless you change the master password and remember which you used
where.

~~~
dragontamer
Fair point. But proper key strengthening is a well-known solution to this
well-known problem. The general methodology of using password-safe hash +
master password + domain name is useful.

As you note, SHA isn't appropriate for this purpose. PBKDF2-strengthened SHA,
scrypt, bcrypt and other functions should be used.
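As an added illustration (not code from this thread or from any product named in it) of the master-password-plus-domain scheme archinal and dragontamer describe, with the two fixes StavrosK asked for: a per-site version counter so one site's password can be rotated without touching the master password, and a per-site character policy so the output fits a site's rules. The iteration count, alphabets and helper names are my assumptions.

```python
import hashlib
import hmac
import string

ITERATIONS = 100_000                      # PBKDF2-HMAC-SHA256 rounds (assumed cost setting)
ALNUM = string.ascii_letters + string.digits
SYMBOLS = "!@#$%^&*"


def derive_site_key(master: str, domain: str, version: int = 1) -> bytes:
    """Slow KDF over the master password, salted with the site and a version counter.

    The version counter is what lets one site's password be rotated without
    changing the master password or any other site's password.
    """
    salt = f"{domain.strip().lower()}|v{version}".encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)


def encode_password(key: bytes, length: int, alphabet: str) -> str:
    """Map key material onto an alphabet without modulo bias.

    The 32-byte key is expanded with HMAC-SHA256 over a counter so any length
    can be produced; bytes that would bias the modulo reduction are discarded.
    """
    limit = 256 - (256 % len(alphabet))   # largest multiple of len(alphabet) <= 256
    out, counter = [], 0
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                break
    return "".join(out)


def site_password(master: str, domain: str, version: int = 1,
                  length: int = 20, require_symbol: bool = False) -> str:
    """Per-site password under a per-site policy (length, symbols allowed or required)."""
    key = derive_site_key(master, domain, version)
    alphabet = ALNUM + SYMBOLS if require_symbol else ALNUM
    pw = encode_password(key, length, alphabet)
    if require_symbol and not any(c in SYMBOLS for c in pw):
        # Deterministic fix-up so the policy is always met: place one symbol at a
        # key-chosen position rather than re-rolling, keeping the output stable.
        idx = key[0] % length
        pw = pw[:idx] + SYMBOLS[key[1] % len(SYMBOLS)] + pw[idx + 1:]
    return pw
```

What this does not fix: a site that silently truncates (the 8- and 16-character limits mentioned elsewhere in the thread) still ends up with a shorter password, and the master password remains the single point of failure, so it must be long and never reused.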

~~~
StavrosK
I agree, I wish browsers performed some key strengthening built in.

------
LawnGnome
I don't use LastPass, but one thing that impresses me about their blog post:
they didn't hide behind "your passwords are hashed" or something equally
weaselly, but instead said exactly and clearly how passwords are hashed. Every
online company should take note.

~~~
wepple
I would however appreciate more detail on the breach. This would at least give
an indication of their general security posture.

I'm reading this as an embarrassing security lapse in general security, so
they misdirect by talking in depth about password hashing.

~~~
jjarmoc
I would also appreciate more detail, but that shouldn't be their first
priority.

They note that they discovered the breach on 'Friday' so I imagine they have
an ongoing Incident Response right now. They may not have or be ready to share
this information at this time, and that's fine. They might be working with law
enforcement, further hardening systems, and continuing to confirm their
findings to date to ensure they've mitigated the full impacts.

What's important now is conveying how users are impacted and what steps they
should take to protect themselves; hopefully the rest comes in time.

~~~
developer1
Another pain point is the delay from Friday's discovery to Monday's
disclosure. While it's better than the sometimes _weeks_ other companies have
taken, it screams of the discovery happening at 4pm on a Friday, and everybody
then saying "bah fuck it, go home for the weekend, we'll work on it Monday". A
security compromise like this should have been made known by Saturday at the
latest, and worked on over the weekend. 3 days is a long time for leaked
passwords to go unnoticed to users, regardless of the encryption scheme being
used.

~~~
jjarmoc
I feel like that's a reasonable timeframe from 'hmm, something is odd' to
'we're pretty sure we fully understand the impact, time to notify users.'

There's a balance between early notification and misstating the impact.

------
sroerick
No mention of pass?

[http://www.passwordstore.org/](http://www.passwordstore.org/)

gpg password storage. Synchronization with rsync.

Beats the heck out of proprietary cloud hosted software.

~~~
steveax
I like pass a lot and it's pretty darn convenient and fast. It's my password
manager of choice. GPG encrypted text files, simple, secure.

------
tptacek
Do they know how they were compromised?

~~~
jjarmoc
"Answer unclear, ask again later"

~~~
tptacek
I get why they can't provide details. But a close read of that incident report
doesn't answer whether they even know how it happened. Did I miss something?

~~~
joeblau
With these types of incidents, you want to make sure you have the facts before
you make claims. They are probably doing tons of investigation to figure out
what actually happened. This could be difficult depending on the level of
sophistication of the attackers.

If LastPass says "Attackers took everything" when the attackers only took a
few non-identifiable pieces of info; it will be a huge non-recoverable media
event about attackers taking everything even if it's not true.

If LastPass say "Attackers didn't do anything" but stole a lot of sensitive
info, then it makes LastPass look incompetent.

This is really a situation where they need to understand the scope of the
situation before making a detailed comment.

------
robto
I've been using LastPass for a while now, but I was recently evaluating the
landscape for something more open. I came across Mitro[0], and it looks like
it fits the bill. Unfortunately it doesn't look like it has been much
maintained since its open-sourcing last year.

Mitro checked a lot of boxes on my checklist, so it's a bit disappointing that
it has a smaller community.

[0]: [https://www.mitro.co/security-faq.html](https://www.mitro.co/security-faq.html)

------
alexnewman
I'm now too paranoid for lastpass ever again.

Sandstorm made setting up a private gitlab about a 5 second thing. I'll just
checkin gpg encrypted textfiles once more.

There's a bunch of shell scripts called pass
[http://git.zx2c4.com/password-store/](http://git.zx2c4.com/password-store/)
which know about gpg, git and this format of text files. There are browser and
Android plugins as well. Amusingly it has basic import/export from every other
password manager. I exported from lastpass and now all I have to do is switch
to a new gpg key and buy all new hardware.

~~~
zeckalpha
Excellent. I've used this for the last 3 years. The mailing list has a good
community.

------
Someone1234
I just deleted, regenerated, and re-associated Google Authenticator and then
altered the number of iterations from 10,000 to 10,001 (causing it to
re-encrypt the database). None of this is really required but it has
invalidated much of the information they could have stolen.

The thing that really bugs me about this, is the email address. I have a very
low spam level on that account (sub-1 per day on average) and I want to keep
it that way. Last thing I need is someone to dump this theft onto a Pirate
Bay-like site and then to get spammed by everyone and the kitchen sink.

~~~
driverdan
How will that invalidate the info they have?

~~~
Zombieball
I presume he is under the assumption that the secret seed to the OTP algorithm
was compromised.

By disabling / deleting your OTP token and re-adding it, you are essentially
re-generating this seed.

I am not sure I understood the comment "altered the number of iterations from
10,000 to 10,001 (causing it to re-encrypt the database)", care to elaborate
@Someone1234?

~~~
Someone1234
LastPass double-hashes (ignoring iterations) master passwords. It has a client
component based on PBKDF2 and a server component (per this article) also
PBKDF2 based.

If the bad guys stole the hashes after they were hashed by LastPass's servers
then changing the client iterations wouldn't do a damn thing. However because
LastPass have an unknown network compromise one could worry that the bad guys
intercepted LastPass client-hashed passwords between the client and server.

IF they modified the LastPass client, they could have it send LastPass's
servers the already client-hashed password and therefore login even without
knowing someone's plain text master password.

By altering your account iterations even by 1, you've now effectively forced
them to decrypt the client hash (to plain text) before they could use it to
login to LastPass's servers.

Again this only helps if they intercepted network traffic on LastPass's
internal network.

PS - The OTP thing is as you said. PPS - A better idea is just to change your
master password.
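Added example, not LastPass code: a simplified model of the two-stage hashing Someone1234 describes (client-side PBKDF2 with a user-chosen iteration count, then server-side PBKDF2-SHA256 with a random per-user salt and 100,000 rounds, the figure quoted from the notice elsewhere in the thread). It shows why a client hash captured in transit keeps authenticating until the account's client iteration count changes, and which stored fields are the ones that were stolen. Field names, iteration counts and the sample user are assumptions.

```python
import hashlib
import hmac
import os

SERVER_ROUNDS = 100_000   # server-side PBKDF2-SHA256 rounds quoted from the notice


def client_hash(master_password: str, email: str, iterations: int) -> bytes:
    """What the client computes and sends; the plaintext master password never
    leaves the device. The account e-mail stands in for the client-side salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def server_hash(client_hash_value: bytes, server_salt: bytes) -> bytes:
    """Second strengthening stage, applied to whatever the client submitted."""
    return hashlib.pbkdf2_hmac("sha256", client_hash_value, server_salt,
                               SERVER_ROUNDS, dklen=32)


def enroll(email: str, master_password: str, client_iterations: int) -> dict:
    """The record the server keeps: e-mail, per-user salt and authentication
    hash are exactly the data classes the notice says were compromised."""
    salt = os.urandom(16)
    ch = client_hash(master_password, email, client_iterations)
    return {"email": email, "client_iterations": client_iterations,
            "server_salt": salt, "auth_hash": server_hash(ch, salt)}


def verify_login(record: dict, submitted_client_hash: bytes) -> bool:
    """The server never sees the master password, only the client hash."""
    expected = server_hash(submitted_client_hash, record["server_salt"])
    return hmac.compare_digest(expected, record["auth_hash"])


def change_client_iterations(record: dict, master_password: str, new_iterations: int) -> dict:
    """What Someone1234 did (10,000 -> 10,001): a new client hash and a fresh
    server record, so a previously captured client hash no longer matches."""
    new_salt = os.urandom(16)
    ch = client_hash(master_password, record["email"], new_iterations)
    return {**record, "client_iterations": new_iterations, "server_salt": new_salt,
            "auth_hash": server_hash(ch, new_salt)}


def demo() -> tuple:
    email, master = "alice@example.com", "correct horse battery staple"   # constructed
    rec = enroll(email, master, 10_000)
    captured = client_hash(master, email, rec["client_iterations"])  # value visible in transit
    before = verify_login(rec, captured)          # True: the client hash alone logs in
    rec = change_client_iterations(rec, master, 10_001)
    after = verify_login(rec, captured)           # False: stale client hash is rejected
    fresh = verify_login(rec, client_hash(master, email, rec["client_iterations"]))
    return before, after, fresh
```

Note that the stolen `auth_hash` is still attackable offline by guessing master passwords through both stages, which is why changing the master password, not just the iteration count, is the stronger response.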

------
hawkes
I've learnt a lot reading this thread. Thank you all.

But I can't believe almost everyone here, talking about security, is talking
about Dropbox even as a hypothetical cloud option for storing password related
info.

\- Dropbox (and most of the other cloud storage services) do not encrypt your
data, or if they do now as they claim, with SHA256, I'd say they must be able
to decrypt it whenever they want to, as they give you the "Did you forget your
password" option to change it, so they have to be able to decrypt it and
encrypt it with your new password (or whatever they use to encrypt), and they
hired ¡Condoleezza Rice! for their board of executives (she puts "national
security" over any privacy so...), so you can count on any worker at Dropbox
being able to peep at everything you upload whenever they want to.

Of course you'll think: "I'm not a terrorist, I don't care." Well, if a worker
can take a look, and you don't even know him... The threat is quite clear to
me.

MEGA, for example, does encrypt everything you upload taking as seed some
derivation of your password, but they DO NOT store your password, so they
can't ever decrypt it for themselves. Probably no one could know even the
names of the files you have uploaded unless they already had your password (of
course, if you lose it, you lose all of the files uploaded!!! Beware!!!).

I'd rather trust MEGA than Condoleezza's (big-brother government) Dropbox,
seriously.

There must be other cloud storage services which encrypt data not storing
enough info to decrypt it without your input. I just stumbled upon MEGA and
liked the synch app.

~~~
jasonsync
sync.com

------
bcg1
"Service as a software substitute"

[http://www.gnu.org/philosophy/who-does-that-server-really-se...](http://www.gnu.org/philosophy/who-does-that-server-really-serve.en.html)

------
redwards510
If you are using LastPass without 2FA (YubiKey, etc), people attacking
LastPass itself is really the least of your problems. I'd be much more
concerned about keyloggers grabbing your password. BeEF can pop up a LastPass
phishing prompt if you just happen to load the wrong javascript file.

Using just one string of characters to protect ALL of your passwords is
insane.

~~~
ja27
> If you are using LastPass without 2FA

There is no 2FA with LastPass.

Don't believe me? Set up a LastPass account and turn on 2FA. Go log in on an
untrusted browser. Enter your password. At the 2FA prompt screen, there is a
giant red "If you lost your Google Authenticator device, click here to disable
Google Authenticator authentication" link.

That's right. They give the attacker the option to disable 2FA for your
account.

~~~
indianburger
They send you an email and only with the link in the email can you login.
Email is the second factor here.

------
cheetos
Slightly off-topic: am I naive to believe that my personal system of password
management is just about as good something like 1Password or LastPass? Hear me
out. My passwords are generated as follows:

[Low|Med|Hi] + [Key] + [Initials] + [Number]

Low|Med|High = One of three keys based on how sensitive the site is. High:
banking / work / email, Low: I don't trust the site, Med: other.

Key = Random string that only I know, with the most important accounts having
a unique string

Initials = Initials of site name based on domain name + TLD, with the initials
moved up x letters (for example, capitalone.com -> COC -> DPD)

Number = One of three random sets of numbers I use. Sometimes I forget which
number I use for each site, but I can figure it out after a few incorrect
attempts.

This means a unique password for every site generated by a system that only I
know with no central storage except my brain.

What is wrong with this? What would be the advantage to using 1Password /
LastPass over this?

~~~
NeutronBoy
> What is wrong with this? What would be the advantage to using 1Password /
> LastPass over this?

My Keepass database currently has 221 entries in it. Some of these I only use
once per year. There's no possible way for me to manage that without a program
to help me record them.

------
itaysk
Password reset page is down:

"Oops! Our servers are a bit overloaded right now.

Please try your password change again shortly, we will catch up soon."

~~~
Zombieball
I am sure they are just overloaded with legitimate requests. But it would be
pretty interesting if the attackers first stole data from their servers and
promptly followed this attack with a DDOS attack on their password reset
endpoints!

~~~
sjwright
Imagine if the blog post was malicious and the password reset endpoint was
actually a honeypot to collect your master password?

No thank you, I'll trust the encryption to do its job. Don't see how changing
the master password is going to help any.

------
Tomte
Oh great, just the day before yesterday I finally jumped to LastPass (because
obviously WinKee is not compatible with my new Lumia phone), using my best
password (long, no real syllables, memorized).

It sounds like the password is still safe enough, but it's a very unfortunate,
inconvenient timing indeed.

~~~
sfeng
Try 1Password.

~~~
Tomte
I did just quickly evaluate it on my iPad (got it in some promotion ages ago),
but it didn't "click" with me.

OTOH I'm not terribly sold on LastPass's UI, either.

I don't know, but I'm going to sleep a few days over it and check out my
options on the weekend. This isn't an "everything's on fire" event, anyway.

~~~
pavel_lishin
LastPass's UI is one step up from atrocious, but I stuck with them because it
works, is convenient, and doesn't charge me per-OS/device. :/

------
kenjackson
Why not just use KeePass? It seems to work great. A bit less convenient, but
overall a nice option.

~~~
peu4000
> A bit less convenient

This is why I use Lastpass.

------
MarkMc2412
Hi, creator of StrongBox Password Safe
([https://itunes.apple.com/us/app/strongbox-password-safe/id89...](https://itunes.apple.com/us/app/strongbox-password-safe/id897283731))
here. I think LastPass have done a pretty good job of being upfront and honest
about their techniques and have a handy little product. Comments above mention
the centralised nature of storage and indeed it is an issue as it becomes a
real bullseye for hackers. Ultimately it’s a tradeoff between convenience and
security. For what it’s worth my app uses the standard Password Safe format
([http://passwordsafe.sourceforge.net/](http://passwordsafe.sourceforge.net/)),
designed by Bruce Schneier. It can store your encrypted password databases
locally on device or on Dropbox or Google Drive. This can be easily exported or
imported. An added bonus is you can store other tidbits of information in
there, notes of any kind, not just passwords. Might be useful for those of you
with more stringent security in mind, or more general encryption requirements.
It’s also free.

~~~
pckspcks
I like Bruce. I trust Bruce. However, as far as I can tell, this is a black
box. There is no documentation on formats, protocols, and similar. I have no
reason to trust the security of this system. The closest I could come would be
to read the source code.

~~~
MarkMc2412
Sorry, should have mentioned a bit about that. The Password Safe format is
public, open, and available here [1]. There's also plenty of code/libraries
you can use to write your own clients, e.g. Javascript [2], Java [3], Python
[4]. For what it's worth the core data encryption is done using the Twofish
cipher. Hope that helps.

[1]: [http://sourceforge.net/p/passwordsafe/git-code/ci/master/tre...](http://sourceforge.net/p/passwordsafe/git-code/ci/master/tree/docs/formatV3.txt)

[2]:
[https://github.com/scintill/pwsafejs](https://github.com/scintill/pwsafejs)

[3]:
[http://sourceforge.net/projects/jpwsafe/](http://sourceforge.net/projects/jpwsafe/)

[4]: [https://github.com/ronys/pypwsafe](https://github.com/ronys/pypwsafe)

~~~
pckspcks
That both does and doesn't help. There is the format, which looks sensible.
There are the protocols around it, key generation, salt generation, overall
design, etc. which are not.

What actually scares me about the design is if my machine is compromised, an
attacker can grab my Password Safe file (plus keylogs or whatever) and has
access to all of my passwords. The design seems not very robust at a
designs+protocols level.

(In contrast, right now, if a machine is compromised, it only compromises the
passwords I've used from that machine).

------
Asparagirl
Title should be edited to be more specific:

_"[W]e have found no evidence that encrypted user vault data was taken, nor
that LastPass user accounts were accessed. The investigation has shown,
however, that LastPass account email addresses, password reminders, server per
user salts, and authentication hashes were compromised."_

So, a breach of LastPass itself but not a breach of its users' non-LastPass
per-website passwords/data.

------
eyeareque
Now I don't feel so out of touch for not using last pass. It always seemed
like a bad idea to put all of your trust in a single point.

~~~
outworlder
What do you use instead? Do you ever reuse passwords?

~~~
ocdtrekkie
Reusing passwords is not a crime.*

*Unless it's your email password or your bank password, basically.

People have been scared into this "unique password for every site", but let's
be honest: My Hacker News password getting hacked doesn't cost me anything.
Why does it need a unique password with some random other forum I comment on
that has no personal information on it?

------
sarciszewski
The LastPass blog won't let me post any comment that mentions KeePassX, so I'm
mentioning it here.

Other security folks might recommend other password managers that they prefer
(e.g. 'tptacek likes 1Password). Generally, you should listen to them over me.

KeePassX is open source and NOT cloud based, so if those are two points on
your mental checklist, it's worth checking out.

------
Zaheer
Thoughts on LastPass vs 1Password?

~~~
xbryanx
I use 1Password for personal/family stuff. It's a much better interface and
has many fewer bugs.

I manage a Last Pass Enterprise instance at work. I love/hate it. The
interface is terrible and buggy. However, it's the only tool I've found to
manage passwords across many users (some medium to non-technical) who need
access to shared accounts within an organization. 1Password doesn't really do
this, and sharing vaults over Dropbox doesn't really cut it. Despite all the
bug pain, it's so much better than what we were doing before, sharing
passwords via email and other embarrassing methods.

How can there really only be one company doing what LastPass Enterprise does?
There must be other systems that I just can't find in my research. Any
recommendations for other managed password stores for organizations?

~~~
orthecreedence
Hi, creator of Turtl here ([https://turtl.it](https://turtl.it)). Turtl is not
a password manager per-se, and is still fairly early in development, but is a
client-side encrypted note-taking tool. It could conceivably be used as a
primary password manager service.

Some features that are useful: client-side crypto (key is derived from
username/password, ALL data is encrypted by default), sharing between accounts
via asym encryption, open source client & server means it could be run
completely in-house if required (as opposed to using the hosted service).

It doesn't have mobile apps right now, but those are coming pretty quick
(either end of June or in July).

One of our slated features is a password note type, and possibly eventual
integration with browsers.

Might be worth a look. Like I said, Turtl is new and is missing a lot of
features you'd want in a pure-password-manager solution, but it has the
potential to grow into this space a lot due to its security, sharing, and
hosting features.

------
pgrote
I found out from an article on Lifehacker. Still have yet to get an
announcement in email, extension or app from LastPass themselves.

While the blog post was nice, it would have been better to directly let
subscribers know.

I am a premium subscriber with 2fa enabled.

Just received the announcement at 6:54pm CT:

Dear LastPass User,

We wanted to alert you that, recently, our team discovered and immediately
blocked suspicious activity on our network. No encrypted user vault data was
taken, however other data, including email addresses and password reminders,
was compromised.

We are confident that the encryption algorithms we use will sufficiently
protect our users. To further ensure your security, we are requiring
verification by email when logging in from a new device or IP address, and
will be prompting users to update their master passwords.

We apologize for the inconvenience, but ultimately we believe this will better
protect LastPass users. Thank you for your understanding, and for using
LastPass.

Regards, The LastPass Team

------
spacko
_Schneier's Password Safe_ is the real deal:

[http://passwordsafe.sourceforge.net/](http://passwordsafe.sourceforge.net/)

I use it on:

\- Ubuntu

\- Windows

\- Android

Synchronisation of the password db files is accomplished by storing a master
file on Google Drive (Multi-Fac Auth here). I only change passwords on Ubuntu
- upload to Drive and download to Android and Company.

------
tomjen3
Any good tricks on how to generate a new master password that is a) secure
enough and b) I can memorize?

~~~
gervase
[http://world.std.com/~reinhold/diceware.html](http://world.std.com/~reinhold/diceware.html)

[https://www.random.org/](https://www.random.org/)

I believe the current suggestion is 7 words. It shouldn't be hard to come up
with a mnemonic device to match your new password.

------
kriro
On a related note...I'm using KeePass+Yubikey but am a bit worried that the
project is still hosted on sourceforge. The devteam seems to think it's no
problem at least that's the impression I get from reading the forum.

------
SpendBig
"LastPass strengthens the authentication hash with a random salt and 100,000
rounds of server-side PBKDF2-SHA256, in addition to the rounds performed
client-side. This additional strengthening makes it difficult to attack the
stolen hashes with any significant speed."

I wouldn't mention that if your data has just been compromised. Although it
makes it hard to handle that data, it is more info about how the data is
encrypted.

------
systematical
I switched to lastpass a year ago for all non-critical accounts, basically
everything that's not email or my personal finances. It's still a bit of a
risk, but this way I only need to remember about 5 passwords. I guess I'll
slowly be updating all the passwords on my lastpass sites and coming up with a
new master password today.

In short, more major sites need to implement a Google Authenticator style
service.

------
maxtaco
Plug for [https://oneshallpass.com](https://oneshallpass.com). Open source.
Your site-specific password is an HMAC; the key is your password and the
payload is the site you're logging in to. Works perfectly offline. You can
optionally store an encrypted list of the sites you use (and parameters like
number of symbols) to the server.

------
moepstar
I commend them for their honesty, so thanks for the heads up :)

One thing I noticed: They used quite a few German words ("dennoch", "jedoch",
"dann") which I haven't seen used elsewhere up to now.

Is that common? I know that quite a few words are used commonly in English
like "kindergarten" for instance, but this is the first time I've seen those
in an English blog...

~~~
chrisboesing
Are you from Germany or do you have your Browser set to German? The first time
I visited the site I got redirected to
[https://blog.lastpass.com/de/2015/06/lastpass-security-notic...](https://blog.lastpass.com/de/2015/06/lastpass-security-notice.html/)
(notice the "de" in the domain), which has the German words. The second time I
visited the site I didn't get redirected to the German site and didn't see the
English words. Maybe some weird automatic translation bug.

~~~
moepstar
Yes and yes, so I guess that makes at least some sense :)

And yes, I've seen the same behavior - getting redirected on first visit and
not on the second, so I guess you're right regarding a weird auto-translation
bug...

------
wstrange
Time to kill the password.

Federated login using OpenID Connect seems like a far better solution. I can't
fathom why so many web sites want the awful responsibility of storing your
password. Why not leave that to Google, Facebook or Microsoft? Or your bank for
that matter...

And yes - you should secure your IDP login with multi-factor authentication.

------
guylepage3
Wow! More and more centralized services are being hacked. Time for something
more decentralized.

------
foobar81
Phew. Good thing I use
[http://www.passwordstore.org](http://www.passwordstore.org) and
[https://git-annex.branchable.com](https://git-annex.branchable.com).

------
JoshTriplett
Things like this are why I prefer Firefox Sync. Works across all my devices
(home laptop, work laptop, Android phone), and uses _client-side encryption_,
so a compromise of the Sync server provides the attacker with nothing of
value.

------
Kelly2
I don't understand the use case for LastPass/Dropbox/FTP storage of password,
1Password (and probably others) allow to sync through wifi, isn't that enough?
Why would you need to do it over the cloud?

------
rtz12
I have a German system from a German IP and some of the words in the article
are German. Weird. Do they have some kind of auto translation that kicks in
even though they didn't translate the whole article?

------
crusso
Does LastPass keep the encrypted copy of the password file for non-premium
accounts? For accounts that don't sync and just use it from a single browser?

~~~
ne0n
All of the accounts sync even if you don't use mobile, if that's what you're
saying. You can always log into their website and view your passwords.

------
dbs
Strange fact: changed my master password a few min ago. But there's a message
saying it was changed _23_ hours ago.

------
Gonzih
And now they are under heavy load because of people changing their master
passwords. Can't change mine :)

------
kolev
How many times does LastPass need to screw up before you guys flee it? Pick
your security vendors carefully!

------
AndrewDMcG
This is what I recommend to non-technical users:
[http://www.amazon.co.uk/Silvine-Executive-Pocket-Notebook-14...](http://www.amazon.co.uk/Silvine-Executive-Pocket-Notebook-143x90mm-x/dp/B006O8915M/)

I use a hand-rolled gpg + git + owncloud for myself, but that's not convenient
if you don't routinely have terminal windows open.

------
magoon
iCloud Keychain doesn't store your passwords on Apple-controlled servers when
you do not configure an iCloud Keychain storage PIN; you can use it in a mode
that simply syncs keychains across devices, all of which allow password-based
encryption.

------
HaoZeke
Wouldn't the solution be something akin to enpass?

------
h43k3r
Another incident that reminds me why 2 factor authentication is absolutely
necessary for important information.

~~~
davis_m
If the authentication database is being breached, presumably the 2FA shared
secret is going to be in the same database. Constructing the 2FA code would be
trivial. After all, the server needs a way to check that a given 2FA code is
correct for an authenticating user, so there has to be some way to generate
those as well.

It would help protect against any other sites that you use the same password
on, with a different 2FA shared secret.

~~~
flurpitude
So it would be wise to change the LastPass master password and also regenerate
the Google Authenticator key. LastPass does enable you to regenerate this key
from the account settings page.
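Added example (not LastPass or Google Authenticator code) of the point davis_m and flurpitude make: the server holds the same TOTP seed the authenticator app does, so a copy of the authentication database is enough to produce valid codes, and the fix is to issue a fresh seed. The record layout and sample user are assumptions; the code itself is standard RFC 4226/6238 HOTP/TOTP with HMAC-SHA1.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

SECRET_BYTES = 20   # 160-bit seed, the size SHA-1 based authenticator apps expect


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = Unix time // step."""
    return hotp(secret, at // step, digits)


def enroll_totp(email: str, secret: Optional[bytes] = None) -> dict:
    """Server-side record. The seed here is byte-for-byte the one in the user's app."""
    return {"email": email, "totp_secret": secret or secrets.token_bytes(SECRET_BYTES)}


def verify_totp(record: dict, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(record["totp_secret"], at + k * 30), code)
               for k in range(-window, window + 1))


def regenerate_totp(record: dict, secret: Optional[bytes] = None) -> dict:
    """The remediation: a new seed, so any copy of the old one stops working."""
    return {**record, "totp_secret": secret or secrets.token_bytes(SECRET_BYTES)}


def demo(at: Optional[int] = None) -> tuple:
    at = int(time.time()) if at is None else at
    rec = enroll_totp("alice@example.com")       # constructed sample user
    leaked = rec["totp_secret"]                  # what a database copy would contain
    ok_before = verify_totp(rec, totp(leaked, at), at)   # True: server has nothing else to check
    rec = regenerate_totp(rec)
    ok_after = verify_totp(rec, totp(leaked, at), at)    # False except for a 1-in-10^6 chance match
    return ok_before, ok_after, rec["totp_secret"] != leaked
```

The same reasoning applies to the master password: rotating the seed invalidates the stolen second factor, but the stolen first-factor hash is only neutralised by a new master password.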

------
Animats
_"LastPass simplifies your online life by remembering your passwords for
you."_

You had one job. And you blew it.

------
bernadus_edwin
The year is 2015 and they still don't have a mobile site to change passwords.
Amazing

~~~
becausecomputer
Actually, master password changes require the decrypting and then
re-encrypting of the entire database, done locally. Mobile javascript engines
would die.

------
oneJob
you had one job. one.

------
fredsted
I've always had the feeling that LastPass was held together by sticks and duct
tape, especially the frontend.

~~~
benjarrell
Behind the scenes, most software is.

~~~
fredsted
Bad software is.

LastPass' user interface is really badly designed. There are lots of bugs and
weird behavior. Experienced web developers can tell it's made without care.
You don't want a password manager where the company doesn't care about its
product.

There were other weird bugs, like assigning users to teams was finicky. Shared
passwords didn't show up.

All this doesn't come as a surprise. The LastPass team didn't know what they
were doing.

------
joshstrange
Perhaps this isn't the thread to discuss this but I feel like the state of
access in 2015 is dismal at best...

Every option out there either sucks ass on mobile or only integrates with a
TINY percentage of apps and on desktop they aren't much better. How does
Chrome (on iOS and OS X) blow every other PW manager out of the water? It
"Just Works (tm)" while every other PW manager makes me jump through a shit
ton of hoops... I want to be safe but I can't be the only one who feels
"chore" doesn't even begin to describe what maintaining and using a PW is
like. My "Master" PW is secure but I'm not typing that thing every 5 minutes,
1Pass got better with Touch ID but it still makes me want to smash my phone
every time I have to use it (Also, 1Browser, yeah how about FUCK NO).

~~~
L_Rahman
Every other password manager is an extension on top of a browser whereas
Chrome itself is the browser. This means that non-Chrome password managers
have many constraints that Chrome does not.

