I'm curious about why they have an Asterisk server on the same network as their database... is there a voice authentication feature, or are we just talking about their office phones?
Either way, they seem to be taking this seriously, even if they are just being overly paranoid, I find it comforting.
I'm surprised by the reactions here. Maybe I am misunderstanding the blog post, or maybe others are?
As far as I can see they are being extremely paranoid. They seem to be monitoring (and following up on!) traffic flow, which is itself pretty impressive, are flagging this even though they have no other error signs, and have done a good enough job in their implementation that they can say, without any more details, that the only risk is via brute force cracking.
I use keepassx locally, but my take on this is that they are way better than average. This kind of report would make me use a company, not switch from them.
"Joe Siegrist said...
@SEV We're only forcing the issue right now when we see you come from an IP you haven't used in the past few weeks (if you disable logging logins this might mean immediately)."
http://blog.lastpass.com/2011/05/lastpass-security-notificat...
The blog post said that they detected traffic patterns in their network that they couldn't account for. They also said that they checked logs and checksums and found no intrusion yet.
So the post basically means: "we have no idea what's going on/went on, but here we are, informing you early. Here are the steps we have taken and here are the steps we are going to take"
You can't have everything: On one hand, everyone wants to be notified early (see playstation network breach), on the other hand, people want to know everything when they get the information.
I think that's asking a bit much. Either we get informed early ("we've seen something strange, but we have no idea what's going on") or you want all information ("we've discovered and researched a breach. Here is what's happened", followed by a story that spans two weeks).
As lastpass contains potentially sensitive data, I'm happy they chose to inform early, even before they had a complete picture.
(disclaimer: I'm not using LastPass nor any other password manager as the risk of losing access to that and to all the services I used them with is too high for me)
This sounds exactly like the release we got from Sony a few weeks ago, detailing the points of entry, the volumes of data released from their servers, and estimates about who is and isn't affected. And who can forget when Sony told us all exactly what steps they were taking to make sure this wouldn't happen again?
Interesting, it isn't prompting me to do any such thing.
Anyway, since many are mentioning 1Password - I used that for a couple years and switched to lastpass, because I was tired of having to install plugins across all the browsers on a platform and then having to find workarounds with Dropbox for syncing on additional machines and the lack of a Windows client, when I'm stuck working on Windows.
Also, since I use two-factor authentication, I wonder if that's the reason they have not asked me to change my password?
I used that for a couple years and switched to lastpass, because I was tired of having to install plugins across all the browsers on a platform and then having to find workarounds with Dropbox for syncing on additional machines and the lack of a Windows client, when I'm stuck working on Windows.
I find that Keepass, with the database saved on my Dropbox folder, works well. No browser integration needed - Keepass registers an OS hotkey (at least on Windows) for ctrl+shift+A which will autotype ${USER}TAB${PASS} in the currently focused field, using the title of the browser window as the entry to look for in the pw database. Great for a free solution.
Just wanted to add that it's possible to configure any auto-typing (the default is ${USER}TAB${PASS}), which means sites having all sorts of other info are easy to work with as well.
In my mind, that's the primary design flaw with traditional password managers. Why should end users store passwords? It introduces so many issues. Must have proper encryption. Must deal with synchronization. Must have master password. The list could go on and on. Passwords should be generated (locally on your device) when needed, and never stored in any way.
Edit: Some more negatives to password storage. Must protect stored password file. May be required to log access to stored password file for compliance reasons. Stored password files may become corrupt and stop working.
End users don't need to memorize any passwords. They don't know them and they do not care what the passwords are (nor should they). They only need to know how to generate them when needed. Read about SHA1_Pass and try it out. I use it (and wrote it) to deal with hundreds of passwords that change frequently.
I tried to make traditional password managers work for a number of years, before realizing that the traditional approach (password storage, master password) is fundamentally flawed and introduces more problems than it solves.
I looked at SHA1_Pass when it was posted here on HN a while back, and I'm not impressed. You have to memorize a passphrase, which is only marginally easier than remembering a master password, but you also have to remember an individual word for each account/website. Yes, this is easier than remembering individual passwords, but not as easy as just remembering one master password that unlocks an encrypted database (like Keepass). The FAQ for SHA1_Pass says "when your bank asks you to change your password, just increment your word from BILLS to BILLS1 or BILLS2". More stuff to remember: which BILLS was I on again?
Additionally, some accounts have restrictions on usable characters or password length. The FAQ for SHA1_Pass says "try base64 half-encoding, it's only 14 characters, and if that's too long maybe you shouldn't be using that website". Well, I'm sorry, but some BANKS do not allow passwords that long. You and I both know it's idiotic, but some banks have a small maximum password length, and some of them even restrict you to alphanumeric characters only.
I applaud SHA1_Pass for trying to be innovative (you don't know what works unless you try it), but it looks like the result is a failure to me... too much complexity generated around the goal of trying to make passwords easy to remember, yet hashed to be secure. Just generate a random password with Keepass, whatever length and character sets you want, and store it.
What's the big deal? Yes, there's a chance that Keepass didn't do their encryption properly and your master password will be crackable, and someone will hack into your dropbox account and then have all your passwords. But with SHA1_pass there's also a chance someone will guess or socially engineer your passphrase, and since all your site words are "facebook" for facebook etc etc they too have full access to all your accounts.
This is an inaccurate statement. You remember a sentence. Sentences are natural and easy to recall. "The fat, green stick." for example. And then a word for each site you visit. That's it. You can use it any way you like and take my samples for what they are... samples.
What's the big deal?
Controlling your passwords on your devices and not relying on others. Passwords are IT Security 101, if you get them wrong you fail.
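To make the "derive, don't store" scheme debated above concrete, here is an added illustration of a passphrase-plus-site-word derivation with the character-set and rotation points the critic raised. It is not SHA1_Pass's own code: PBKDF2-HMAC-SHA256 replaces plain SHA-1, the iteration count and alphabets are assumptions, and the sample passphrase is the one quoted in the thread.

```python
import hashlib
import string

# Assumption: a work factor to slow offline guessing of the passphrase if a
# derived password is ever recovered from a site breach (not SHA1_Pass's choice).
ITERATIONS = 100_000

# 64 symbols, so mapping a byte with "% 64" is unbiased.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!@"


def derive_password(passphrase: str, site_word: str, length: int = 20,
                    alphabet: str = DEFAULT_ALPHABET) -> str:
    """Deterministically map (passphrase, site_word) to a password.

    The site word plays the role of the salt: one passphrase yields a different
    password per site, and changing the word (BILLS -> BILLS1) rotates it. The
    same inputs always give the same output, so nothing needs to be stored,
    but nothing can be changed without changing an input either.
    """
    if not 0 < length <= 64:
        raise ValueError("length must be between 1 and 64")
    if len(alphabet) < 2:
        raise ValueError("alphabet too small")
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              site_word.encode("utf-8"), ITERATIONS, dklen=64)
    # Map each key byte onto the allowed alphabet. For alphabets whose size is
    # not a power of two this introduces a small modulo bias; acceptable for
    # an illustration, but a production tool should use rejection sampling.
    return "".join(alphabet[b % len(alphabet)] for b in key[:length])


def bank_password(passphrase: str, site_word: str) -> str:
    """The constraint case from the thread: a site that only accepts short,
    alphanumeric passwords. 8 characters is an illustrative limit."""
    return derive_password(passphrase, site_word, length=8,
                           alphabet=string.ascii_letters + string.digits)


if __name__ == "__main__":
    phrase = "The fat, green stick."          # passphrase quoted in the thread
    print("bank  :", bank_password(phrase, "BILLS"))
    print("rotate:", bank_password(phrase, "BILLS1"))   # "incremented" word
    print("site  :", derive_password(phrase, "facebook"))
```

The trade-off the thread argues about is visible in the last line: anyone who learns the passphrase and can guess a site word such as "facebook" recovers that site's password directly, while a stored random password has no such shortcut.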
"We're only forcing the issue right now when we see you come from an IP you haven't used in the past few weeks (if you disable logging logins this might mean immediately)."
Thanks. I had seen someone else asking in the comments on that page about two form authentication with regard to this, but hadn't seen any further comments about who this may or may not affect at the time I read it. Of course, I went ahead and changed it anyway, since it was getting to be about time.
Wow, Lastpass won't let me log in to my account now, and doesn't throw any error message whatsoever. When I try to change my password it says I can't because I don't have their browser plugin. Wacky, this is quite frustrating.
Someone brought up the same issue in the comments on that post. Here's the solution given, two options:
1) Log in in 'offline mode', then reconnect your cable/wireless connection and go to gmail... This is the preferred method.
2) Download Pocket, and have it find your local offline copy from the drop down of files and login there.
People using two factor authentication, eg with a Yubikey, cannot log in while in offline mode. Some people will also have turned this feature off. No idea what Pocket is.
I would say use SHA1_Pass and never store, synchronize or forget a password again. I'm biased though, I wrote it and use it daily. It's entirely free, cross-platform (GPL licensed) and you can get the source code from github.
Edit: Also, SHA1_Pass does not rely on websites or anything remote from your device to operate. It just requires you (the user) and your brain ;) That's the biggest reason I wrote it.
That's not very smart considering that a lot of people won't be able to log in to their email to verify their emails, because they don't have access to the login details of their email because they haven't verified it.
And why the hell didn't they use scrypt in the first place? For a company so paranoid, that seems to border on neglect.
And that, right there, highlights why all of my passwords aren't kept with their (or any) service - for many, it just introduced a single point of failure. Imagine being locked out of every website you have an account on, just like that.
Nope. I'll make strong passwords on my own and encrypt my own copies, thanks.
This is simply not a feasible solution for the general public. LastPass has demonstrated that they are 1. paranoid as hell and 2. that the only real vulnerability in this situation is that if you have a dictionary password, it may be able to be brute forced, if the worst case scenario happened. They even outlined steps that they are taking to fix this problem.
LastPass is an incredibly smart security solution for the majority of people. Telling us that they are taking steps to protect their users because of an event that they haven't even verified was a compromise is better than you discovering that your bank password was stolen because you forgot to update your firewall.
Well done, hopefully more will do so following this type of incident. You can also use Yubikey to add two factor authentication to your Lastpass account if you want to keep using LP.
LastPass make it pretty clear that your main email address is a point of recovery for your account. The two passwords I know are my LastPass master pass and my email password.
I do the same, and I think that's the best approach. Your email password is just too important for anyone to have it. Just remember two strong passwords (email + LastPass), and you're reasonably secure.
That's the final straw for me. Just exported my login details, emptied out my lastpass vault and uninstalled the addon. Will stick to storing my login details in a Dropbox distributed GnuPG protected flat file. Less convenient, but at least I'm not reliant on a third party.
That was my initial thought, but no. All dropbox files are local. You only rely on Dropbox for synchronizing across your designated machines and backing up on Dropbox, but Dropbox going down does not restrict access to any local Dropbox folder.
I don't understand why you think I won't be able to access my data at any time? Dropbox synchronises the files so you have a local copy on each of your Dropbox hosts. So if Dropbox is offline, or you get disconnected from the Internet, you can still access them...
Worst case scenario is something causes the file to get deleted and that propagates to all of the other hosts and deletes their local copies. But yes, I have backups so that isn't a problem.
This is an irresponsible position to take and akin to telling people to "make stronger passwords." It simply isn't realistic. LastPass allows creation of randomly generated passwords very easily and encrypts and stores them so you can use them anywhere. The alternative for most normal users is to create one or two passwords and use them everywhere, compromising the security of all of their accounts. Obviously your response to this would be that they shouldn't do that but the fact is, without something like LastPass, they have little other choice.
This freakout reminds me of the radiation poison bullshit from a few months back. Bananas have radiation therefore bananas are dangerous. Practicality dictates that you are plain wrong.
Yeah, 1Password is pretty awful when you consider the amount of features you get with LastPass, like multi-factor authentication. 1Password relies on Dropbox. Your passwords are all stored on your computer. Granted, they're in an encrypted format, but if you have a jerk for a roommate they could copy your encrypted files, keylog your vault password, and have access to all your passwords.
On the other hand, if you get my LastPass password you better have my grid too (I keep it online so I can access it wherever, password protected). Additionally LastPass is working on SMS codes for login.
But you can control the risk of exposure to keyloggers. You have zero control over risks to LastPass's infrastructure - which, as this blog post mentions, is a much juicier target than your passwords on their own.