
LastPass requesting password reset after facing unknown anomaly  - sathyabhat
http://blog.lastpass.com/2011/05/lastpass-security-notification.html
======
twodayslate
I am perfectly fine with them being paranoid. They should be. They are being
paranoid for me. They are doing a good job protecting the user.

~~~
frio
I completely agree, but I'm not particularly happy about the apparent lack of
detail in their logs/IDS system.

------
mbreese
I'm curious about why they have an Asterisk server on the same network as their
database... is there a voice authentication feature, or are we just talking
about their office phones?

Either way, they seem to be taking this seriously, even if they are just being
overly paranoid, I find it comforting.

------
andrewcooke
i'm surprised by the reactions here. maybe i am misunderstanding the blog
post, or maybe others are?

as far as i can see they are being extremely paranoid. they seem to be
monitoring (and following up on!) traffic flow, which is itself pretty
impressive, are flagging this even though they have no other error signs, and
have done a good enough job in their implementation that they can say, without
any more details, that the only risk is via brute force cracking.

i use keepassx locally, but my take on this is that they are way better than
average. this kind of report would make me use a company, not switch from
them.

------
jonursenbach
Not happy that I'm finding this out via a blog post and not an email.

~~~
sathyabhat
I found this out when trying to login to LastPass, was redirected to "re-
enable your LastPass account" page <https://lastpass.com/activate.php>

~~~
3dFlatLander
I just tried logging out and back in a few times, nothing. Very weird.

~~~
Jencha
"Joe Siegrist said... @SEV We're only forcing the issue right now when we
see you come from an IP you haven't used in the past few weeks (if you disable
logging logins this might mean immediately)."
http://blog.lastpass.com/2011/05/lastpass-security-notification.html?showComment=1304568208559#c6006851993433158567
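
The rule quoted above (force a reset when a login arrives from an IP the user has not used in the past few weeks, and immediately for users who disabled login logging) as a detection routine run over a constructed login log. This is an added example, not LastPass's code; the log format, the three-week window, the enforcement date and the user list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (format assumed: ISO timestamp, user, client IP).
# Not real LastPass data.
SAMPLE_LOG = """\
2011-04-01T09:00:00 alice 203.0.113.10
2011-04-15T18:30:00 alice 203.0.113.10
2011-05-04T08:00:00 alice 203.0.113.10
2011-05-04T09:00:00 alice 198.51.100.7
2011-05-04T10:00:00 bob 192.0.2.44
"""

# "the past few weeks": assumed to be three weeks here.
WINDOW = timedelta(weeks=3)
# Only logins from this point on are subjected to the rule; earlier lines
# just build history. Assumed to be the day the notification went out.
ENFORCE_FROM = datetime(2011, 5, 4)
# Users who turned off login logging have no history to compare against,
# so every login of theirs looks like a new IP. Constructed.
LOGGING_DISABLED = frozenset({"bob"})


def parse_log(text):
    """Turn the flat log into (timestamp, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, ip))
    return events


def flag_new_ip_logins(events, window=WINDOW, enforce_from=ENFORCE_FROM,
                       logging_disabled=frozenset()):
    """Return the logins that would trigger a forced master-password reset.

    A login is flagged when its IP has not been used by that user within
    `window` before the login; users with logging disabled are always flagged
    because there is no history to consult. Each entry is
    (timestamp, user, ip, reason).
    """
    history = defaultdict(list)   # user -> [(timestamp, ip), ...]
    flagged = []
    for ts, user, ip in sorted(events):
        if ts >= enforce_from:
            if user in logging_disabled:
                flagged.append((ts, user, ip, "no login history (logging disabled)"))
            else:
                recent_ips = {h_ip for h_ts, h_ip in history[user] if ts - h_ts <= window}
                if ip not in recent_ips:
                    flagged.append((ts, user, ip, "ip not seen in the past %d days" % window.days))
        if user not in logging_disabled:
            # Users who disabled logging leave no history behind.
            history[user].append((ts, ip))
    return flagged


if __name__ == "__main__":
    for ts, user, ip, reason in flag_new_ip_logins(parse_log(SAMPLE_LOG),
                                                   logging_disabled=LOGGING_DISABLED):
        print(f"{ts.isoformat()} force reset for {user} from {ip}: {reason}")
```

On the sample data alice's morning login from her usual address passes (last seen 18 days earlier, inside the window), her login an hour later from a new address is flagged, and bob is flagged unconditionally. Shrinking the window makes the rule stricter: with ten days, alice's usual address is "new" too.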

------
kjetil
Nice to see a company so transparent about situations which could easily have
been hushed up.

~~~
nikcub
I didn't think it was transparent at all. More like the minimum corpspeak
required to inform their users that they should change their passwords.

Transparent would have been describing exactly what they saw

~~~
pilif
The blog post said that they detected traffic patterns in their network that
they couldn't account for. They also said that they checked logs and checksums
and found no intrusion yet.

So the post basically means: "we have no idea what's going on/went on, but
here we are, informing you early. Here's the steps we have taken and here's
the steps we are going to take"

You can't have everything: On one hand, everyone wants to be notified early
(see playstation network breach), on the other hand, people want to know
everything when they get the information.

I think that's asking a bit much. Either we get informed early ("we've seen
something strange, but we have no idea what's going on") or you want all
information ("we've discovered and researched a breach. here is what's
happened", followed by a story that spans two weeks).

As lastpass contains potentially sensitive data, I'm happy they chose to
inform early, even before they had a complete picture.

(disclaimer: I'm not using LastPass nor any other password manager as the risk
of losing access to that and to all the services I used them with is too high
for me)

------
pstack
Interesting, it isn't prompting me to do any such thing.

Anyway, since many are mentioning 1Password - I used that for a couple years
and switched to lastpass, because I was tired of having to install plugins
across all the browsers on a platform and then having to find workarounds with
Dropbox for syncing on additional machines and the lack of a Windows client,
when I'm stuck working on Windows.

Also, since I use two-factor authentication, I wonder if that's the reason
they have not asked me to change my password?

~~~
brown9-2
_I used that for a couple years and switched to lastpass, because I was tired
of having to install plugins across all the browsers on a platform and then
having to find workarounds with Dropbox for syncing on additional machines and
the lack of a Windows client, when I'm stuck working on Windows._

I find that Keepass, with the database saved on my Dropbox folder, works well.
No browser integration needed - Keepass registers an OS hotkey (at least on
Windows) for ctrl+shift+A which will autotype ${USER}TAB${PASS} in the
currently focused field, using the title of the browser window as the entry to
look for in the pw database. Great for a free solution.

~~~
16s
In my mind, that's the primary design flaw with traditional password managers.
Why should end users store passwords? It introduces so many issues. Must have
proper encryption. Must deal with synchronization. Must have master password.
The list could go on and on. Passwords should be generated (locally on your
device) when needed, and never stored in any way.

Edit: Some more negatives to password storage. Must protect stored password
file. May be required to log access to stored password file for compliance
reasons. Stored password files may become corrupt and stop working.

~~~
brown9-2
I don't think I understand this - if the password isn't stored, do you expect
the user to memorize all the various passwords?

~~~
16s
End users don't need to memorize any passwords. They don't know them and they
do not care what the passwords are (nor should they). They only need to know
how to generate them when needed. Read about SHA1_Pass and try it out. I use
it (and wrote it) to deal with hundreds of passwords that change frequently.

I tried to make traditional password managers work for a number of years,
before realizing that the traditional approach (password storage, master
password) is fundamentally flawed and introduces more problems than it solves.

~~~
pzxc
I've looked at SHA1_Pass when it was posted here on HN a while back, and I'm
not impressed. You have to memorize a passphrase, which is only marginally
easier than remembering a master password, but you also have to remember an
individual word for each account/website. Yes this is easier than remembering
individual passwords but not as easy as just remembering one master password
that unlocks an encrypted database (like Keepass). From the FAQ for SHA1_Pass,
it says "when your bank asks you to change your password, just increment your
word from BILLS to BILLS1 or BILLS2". More stuff to remember, which BILLS was
I on again?

Additionally, some accounts have restrictions on usable characters or password
length. The FAQ for SHA1_Pass says "try base64 half-encoding, it's only 14
characters, and if that's too long maybe you shouldn't be using that website".
Well I'm sorry but some BANKS do not allow passwords that long. You and I both
know it's idiotic, but some banks have a small maximum password length, and
some of them even restrict you to alphanumeric characters only.

I applaud SHA1_Pass for trying to be innovative, you don't know what works
unless you try it, but it looks like the result is a failure to me... too much
complexity generated around the goal of trying to make passwords easy to
remember, yet hashed to be secure. Just generate a random password with
Keepass, whatever length and character sets you want, and store it.

What's the big deal? Yes, there's a chance that Keepass didn't do their
encryption properly and your master password will be crackable, and someone
will hack into your dropbox account and then have all your passwords. But with
SHA1_pass there's also a chance someone will guess or socially engineer your
passphrase, and since all your site words are "facebook" for facebook etc etc
they too have full access to all your accounts.

~~~
16s
_"You have to memorize a passphrase"_

This is an inaccurate statement. You remember a sentence. Sentences are
natural and easy to recall. _The fat, green stick._ for example. And then a
word for each site you visit. That's it. You can use it any way you like and
take my samples for what they are... samples.

_What's the big deal?_

Controlling your passwords on your devices and not relying on others.
Passwords are IT Security 101, if you get them wrong you fail.
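
The stateless scheme argued over in this subthread (a remembered sentence plus a per-site word, hashed and encoded, nothing stored) as an added example. It is not SHA1_Pass's own code and does not claim to match its exact construction; the concatenation, the base64/hex encoding and the `max_len` / `alnum_only` knobs are assumptions chosen to model the bank-style restrictions and the BILLS/BILLS1 rotation mentioned above. `recover_passphrase` shows the flip side also raised above: once one derived password is exposed (plaintext leak, phishing, keylogger) and the site word is guessable, the passphrase can be attacked offline at raw SHA-1 speed, since there is no salt and no stretching.

```python
import base64
import hashlib


def derive_password(passphrase, site_word, max_len=14, alnum_only=False):
    """Stateless password derivation: nothing is stored, so the same
    passphrase and site word always reproduce the same password.

    max_len / alnum_only model site-imposed restrictions; tightening them
    silently discards part of the digest (less entropy in the result).
    """
    digest = hashlib.sha1(f"{passphrase} {site_word}".encode("utf-8")).digest()
    if alnum_only:
        # Hex is guaranteed letters+digits but carries only 4 bits per character.
        encoded = digest.hex()
    else:
        # Base64 without padding: 27 characters, 6 bits each; "half" of it is 14.
        encoded = base64.b64encode(digest).decode("ascii").rstrip("=")
    return encoded[:max_len]


def site_word_for_revision(base_word, revision):
    """The 'BILLS -> BILLS1 -> BILLS2' rotation. The revision counter is state
    the user has to remember, which is the objection raised above."""
    return base_word if revision == 0 else f"{base_word}{revision}"


def recover_passphrase(leaked_password, site_word, candidate_passphrases, **kw):
    """Offline attack on the scheme: with one exposed derived password and a
    guessed site word, try passphrases until the derivation matches.
    Returns the matching passphrase or None."""
    for cand in candidate_passphrases:
        if derive_password(cand, site_word, **kw) == leaked_password:
            return cand
    return None


if __name__ == "__main__":
    phrase = "The fat, green stick."
    for site in ("facebook", site_word_for_revision("BILLS", 1)):
        print(site,
              derive_password(phrase, site),
              derive_password(phrase, site, max_len=8, alnum_only=True))
    leaked = derive_password(phrase, "facebook")
    # Constructed candidate list standing in for a sentence dictionary.
    guesses = ["correct horse battery staple", "The fat, green stick.", "hunter2"]
    print("recovered passphrase:", recover_passphrase(leaked, "facebook", guesses))
```

Because every site password is a pure function of the passphrase, recovering it once recovers every account; a stored-vault design leaks only the random password of the one site that was breached.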

------
kitcar
Wow, Lastpass won't let me login to my account now, and doesn't throw any
error message whatsoever. When I try to change my password it says I can't
because I don't have their browser plugin. Wacky, this is quite frustrating.

~~~
ukdm
Someone brought up the same issue in the comments on that post. Here's the
solution given, two options:

1) Login in 'offline mode' then reconnect your cable/wireless connection and
go to gmail... This is the preferred method.

2) Download Pocket, and have it find your local offline copy from the drop
down of files and login there.

~~~
mike-cardwell
People using two factor authentication, eg with a Yubikey, cannot log in in
offline mode. Some people will also have turned this feature off. No idea what
Pocket is.

------
alanh
Result of me trying to log in to delete my account, just in case (having
switched to 1Password): <http://cl.ly/3T0B2W09262N3k2j2U3k>

------
dfischer
So I just started using 1password and was thinking of lastpass. I'm still
trying to figure out which is better. Anyone have any comments?

~~~
16s
I would say use SHA1_Pass and never store, synchronize or forget a password
again. I'm biased though, I wrote it and use it daily. It's entirely free,
cross-platform (GPL licensed) and you can get the source code from github.

Edit: Also, SHA1_Pass does not rely on websites or anything remote from your
device to operate. It just requires you (the user) and your brain ;) That's
the biggest reason I wrote it.

------
tomjen3
That's not very smart considering that a lot of people won't be able to log in
to their email to verify their emails because they don't have access to the
login details of their email because they haven't verified it.

And why the hell didn't they use scrypt in the first place? For a company so
paranoid, that seems to border on neglect.
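
The point behind the scrypt remark above, and behind the "only risk is via brute force cracking" reading of the blog post earlier in the thread: what a server stores for the master password decides how expensive an offline guess is once that store leaks. This added example (not LastPass's code; the scrypt parameters, key length and wordlist are assumptions) puts a memory-hard scrypt verifier beside a single round of salted SHA-1 and times a guess against each.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# scrypt cost parameters; n=2**14, r=8 needs about 16 MiB per evaluation.
# Chosen for the example; production values are tuned to the server's budget.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)
KEY_LEN = 32


def make_verifier(master_password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the server stores instead of the master password: a random
    per-user salt and the scrypt output derived with it."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                         dklen=KEY_LEN, **SCRYPT_PARAMS)
    return salt, key


def verify_master_password(master_password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                               dklen=KEY_LEN, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, stored_key)


def fast_verifier(master_password: str, salt: bytes) -> bytes:
    """The weak setting for comparison: one round of salted SHA-1. The salt
    defeats precomputed tables, but each guess still costs one cheap hash."""
    return hashlib.sha1(salt + master_password.encode("utf-8")).digest()


def seconds_per_guess(hash_fn: Callable[[str, bytes], bytes], salt: bytes, guesses) -> float:
    """Cost per candidate for an attacker who holds the stolen verifier."""
    start = time.perf_counter()
    for g in guesses:
        hash_fn(g, salt)
    return (time.perf_counter() - start) / len(guesses)


if __name__ == "__main__":
    salt, key = make_verifier("correct horse battery staple")
    print("verify ok:", verify_master_password("correct horse battery staple", salt, key))
    print("verify bad:", verify_master_password("Correct horse battery staple", salt, key))
    # Constructed wordlist standing in for a cracking dictionary.
    guesses = ["password", "123456", "letmein", "qwerty", "hunter2"] * 4
    t_sha1 = max(seconds_per_guess(fast_verifier, salt, guesses), 1e-9)
    t_scrypt = seconds_per_guess(lambda pw, s: make_verifier(pw, s)[1], salt, guesses)
    print(f"sha1: {t_sha1:.2e} s/guess, scrypt: {t_scrypt:.2e} s/guess, "
          f"ratio ~{t_scrypt / t_sha1:.0f}x")
```

The ratio printed is the factor by which the attacker's dictionary run slows down; the legitimate user pays it once per login, the attacker once per guess. Raising `n` raises both, which is the trade-off a "paranoid" service tunes.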

~~~
incongruity
And that, right there, highlights why all of my passwords aren't kept with
their (or any) service - for many, it just introduces a single point of
failure. Imagine being locked out of every website you have an account on,
just like that.

Nope. I'll make strong passwords on my own and encrypt my own copies, thanks.

~~~
VMG
Just separately save your email password; all other services restore the
password via email.

~~~
bruceboughton
Making your email password the weakest link...

~~~
crocowhile
My gmail account is actually more secure than lastpass since I have OTP
enabled with two-factor identification.

~~~
rakkhi
Well done, hopefully more will do so following this type of incident. You can
also use Yubikey to add two factor authentication to your Lastpass account if
you want to keep using LP.

------
mike-cardwell
That's the final straw for me. Just exported my login details, emptied out my
lastpass vault and uninstalled the addon. Will stick to storing my login
details in a Dropbox distributed GnuPG protected flat file. Less convenient,
but at least I'm not reliant on a third party.

~~~
y0ghur7_xxx
You still rely on Dropbox.

~~~
eitland
As for not getting his passwords compromised: no, not more than a VPN user
relies on the internet to keep his data secret.

As for getting access to his data anytime: Yes, except if he has a backup.

~~~
mike-cardwell
I don't understand why you think I won't be able to access my data anytime?
Dropbox synchronises the files so you have a local copy on each of your
Dropbox hosts. So if Dropbox is offline, or you get disconnected from the
Internet, you can still access them...

Worst-case scenario is something causes the file to get deleted and that
propagates to all of the other hosts and deletes their local copies. But yes,
I have backups so that isn't a problem.

------
jojo1
IMHO everyone who is using such a service is a moron.

~~~
latortuga
This is an irresponsible position to take and akin to telling people to "make
stronger passwords." It simply isn't realistic. LastPass allows creation of
randomly generated passwords very easily and encrypts and stores them so you
can use them anywhere. The alternative for most normal users is to create one
or two passwords and use them everywhere, compromising the security of all of
their accounts. Obviously your response to this would be that they shouldn't
do that but the fact is, without something like LastPass, they have little
other choice.

This freakout reminds me of the radiation poison bullshit from a few months
back. Bananas have radiation therefore bananas are dangerous. Practicality
dictates that you are plain wrong.

------
maguay
Suddenly, I'm glad I switched to 1Password.

~~~
RyanKearney
Yeah 1Password is pretty awful when you consider the amount of features you
get with LastPass like multi-factor authentication. 1Password relies on
Dropbox. Your passwords are all stored on your computer. Granted they're in an
encrypted format, but if you have a jerk for a roommate they could copy your
encrypted files, key log your vault password, and have access to all your
passwords.

On the other hand, if you get my LastPass password you better have my grid too
(I keep it online so I can access it wherever, password protected).
Additionally LastPass is working on SMS codes for login.

~~~
bigiain
If there's somebody who can keylog hardware you (think you can) trust, you're
hosed whatever security you're relying on.

~~~
ZoFreX
Negative, LastPass can generate one-time passwords which you can then use on
computers you suspect to be insecure.

~~~
pzxc
But most of the damage from keyloggers happens to people who do NOT suspect
they are using an insecure system (their own).

------
crocowhile
Does anyone know if there is a way to encrypt my lastpass db using both a
password and an RSA private key?

------
kmfrk
Let this be a reminder to LastPass to include a password expiration date by
default.

~~~
beaumartinez
...So you then have to replace a safe, well-thought-out password with a less
safe one?

