Hacker News new | comments | show | ask | jobs | submit login
LastPass requesting password reset after facing unknown anomaly (lastpass.com)
111 points by sathyabhat 1907 days ago | hide | past | web | 63 comments | favorite

I am perfectly fine with them being paranoid. They should be. They are being paranoid for me. They are doing a good job protecting the user.

I completely agree, but I'm not particularly happy about the apparent lack of detail in their logs/IDS system.

I'm curious about why they have an Asterix server on the same network as their database... is there a voice authentication feature, or are we just talking about their office phones?

Either way, they seem to be taking this seriously, even if they are just being overly paranoid, I find it comforting.

i'm surprised by the reactions here. maybe i am misunderstanding the blog post, or maybe others are?

as far as i can see they are being extremely paranoid. they seem to be monitoring (and following up on!) traffic flow, which is itself pretty impressive, are flagging this even though they have no other error signs, and have done a good enough job in their implementation that can say, without any more details, that the only risk is via brute force cracking.

i use keepassx locally, but my take on this is that they are way better than average. this kind of report would make me use a company, not switch from them.

Not happy that I'm finding this out via a blog post and not an email.

I found this out when trying to login to LastPass, was redirected to "re-enable your LastPass account" page https://lastpass.com/activate.php

I just tried logging out and back in a few times, nothing. Very weird.

"Joe Siegrist said... @SEV We're only forcing the issue right now you when we see you come from an IP you haven't used in the past few weeks (if you disable logging logins this might mean immediately)." http://blog.lastpass.com/2011/05/lastpass-security-notificat...

Same here. I changed my master password but I was never prompted to do so.

Nice to see a company so transparent about situations which could easily have been hushed down.

I didn't think it was transparent at all. More like the minimum corpspeak required to inform their users that they should change their passwords

Transparent would have been describing exactly what they saw

The blog post said that they detected traffic patterns in their network that they couldn't account for. They also said that they checked logs and checksums and found no intrusion yet.

So the post basically means: "we have no idea what's going on/went on, but here we are, informing you early. Here's the steps we have taken and here's the steps we are going to take"

You can't have everything: On one hand, everyone wants to be notified early (see playstation network breach), on the other hand, people want to know everything when they get the information.

I think that's asking a bit much. Either we get informed early ("we've seen something strange, but we have no idea what's going on") or you want all information ("we've discovered and researched a breach. here is what's happened", followed by a story that spans two weeks).

As lastpass contains potentially sensitive data, I'm happy they chose to inform early, even before they had a complete picture.

(disclaimer: I'm not using LastPass nor any other password manager as the risk of losing access to that and to all the services I used them with is too high for me)

No, you're totally right.

This sounds exactly like the release we got from Sony a few weeks ago, detailing the points of entry, the volumes of data released from their servers, and estimates about who is and isn't affected. And who can forget when Sony told us all exactly what steps they were taking to make sure this wouldn't happen again?


What kind of additional information are you looking for that would be useful to you? Would be good to understand precisely what you're after.

Can you point out some examples of "corpspeak" in their notification?

Interesting, it isn't prompting me to do any such thing.

Anyway, since many are mentioning 1Password - I used that for a couple years and switched to lastpass, because I was tired of having to install plugins across all the browsers on a platform and then having to find workarounds with Dropbox for syncing on additional machines and the lack of a Windows client, when I'm stuck working on Windows.

Also, since I use two-factor authentication, I wonder if that's the reason they have not asked me to change my password?

I used that for a couple years and switched to lastpass, because I was tired of having to install plugins across all the browsers on a platform and then having to find workarounds with Dropbox for syncing on additional machines and the lack of a Windows client, when I'm stuck working on Windows.

I find that Keepass, with the database saved on my Dropbox folder, works well. No browser integration needed - Keepass registers an OS hotkey (at least on Windows) for ctrl+shift+A which will autotype ${USER}TAB${PASS} in the currently focused field, using the title of the browser window as the entry to look for in the pw database. Great for a free solution.


Just wanted to add that it's possible to configure any auto-typing (the default is ${USER}TAB${PASS}), which means sites having all sorts of other info are easy to work with as well.

I actually wrote a blog post about using Keepass with various tricks: http://www.loopycode.com/solving-sign-up-anxiety/

In my mind, that's the primary design flaw with traditional password managers. Why should end users store passwords? It introduces so many issues. Must have proper encryption. Must deal with synchronization. Must have master password. The list could go on and on. Passwords should be generated (locally on your device) when needed, and never stored in any way.

Edit: Some more negatives to password storage. Must protect stored password file. May be required to log access to stored password file for compliance reasons. Stored password files may become corrupt and stop working.

I don't think I understand this - if the password isn't stored, do you expect the user to memorize all the various passwords?

End users don't need to memorize any passwords. They don't know them and they do not care what the passwords are (nor should they). They only need to know how to generate them when needed. Read about SHA1_Pass and try it out. I use it (and wrote it) to deal with hundreds of passwords that change frequently.

I tried to make traditional password managers work for a number of years, before realizing that the traditional approach (password storage, master password) is fundamentally flawed and introduces more problems than it solves.

I've looked at SHA1_Pass when it was posted here on HN a while back, and I'm not impressed. You have to memorize a passphrase, which is only marginally easier than remembering a master password, but you also have to remember an individual word for each account/website. Yes this is easier than remembering individual passwords but not as easy as just remembering one master password that unlocks an encrypted database (like Keepass). From the FAQ for SHA1_Pass, it says "when your bank asks you to change your password, just increment your word from BILLS to BILLS1 or BILLS2". More stuff to remember, which BILLS was I on again?

Additionally, some accounts have restrictions on usable characters or password length. The FAQ for SHA1_Pass says "try base64 half-encoding, its only 14 characters, and if that's too long maybe you shouldn't be using that website". Well I'm sorry but some BANKS do not allow passwords that long. You and I both know it's idiotic, but some banks have a small maximum password length, and some of them even restrict you to alphanumeric characters only.

I applaud SHA1_pass for trying to be innovative, you don't know what works unless you try it, but it looks like the result is a failure to me... too much complexity generated around the goal of trying to make passwords easy to remember, yet hashed to be secure. Just generate a random password with Keepass, whatever length and character sets you want, and store it.

What's the big deal? Yes, there's a chance that Keepass didn't do their encryption properly and your master password will be crackable, and someone will hack into your dropbox account and then have all your passwords. But with SHA1_pass there's also a chance someone will guess or socially engineer your passphrase, and since all your site words are "facebook" for facebook etc etc they too have full access to all your accounts.

"You have to memorize a passphrase"

This is an inaccurate statement. You remember a sentence. Sentences are naturally and easy to recall. The fat, green stick. for example. And then a word for each site you visit. That's it. You can use it anyway you like and take my samples for what they are... samples.

What's the big deal?

Controlling your passwords on your devices and not relying on others. Passwords are IT Security 101, if you get them wrong you fail.

In the comments it states:

"We're only forcing the issue right now you when we see you come from an IP you haven't used in the past few weeks (if you disable logging logins this might mean immediately)."

It hit me straight away even though I'm using a static IP, because I disabled the logging of logins after this happened: https://grepular.com/LastPass_Vulnerability_Exposes_Account_...

Thanks. I had seen someone else asking in the comments on that page about two form authentication with regard to this, but hadn't seen any further comments about who this may or may not affect at the time I read it. Of course, I went ahead and changed it anyway, since it was getting to be about time.

Wow, Lastpass won't let me login to my account now, and doesn't throw any error message whatsoever. When I try to change my password it says I can't because I don't have their browser plugin. Wacky, this is quite frustrating

Someone brought up the same issue in the comments on that post. Here's the solution given, two options:

1) Login in 'offline mode' then reconnect your cable/wireless connection and go to gmail... This is the preferred method. 2) Download Pocket, and have it find your local offline copy from the drop down of files and login there.

People using two factor authentication, eg with a Yubikey, can not log in, in offline mode. Some people will also have turned this feature off. No idea what Pocket is.

What if there are no files in the drop down? Where are the files located?

Result of me trying to log in to delete my account, just in case (having switched to 1Password): http://cl.ly/3T0B2W09262N3k2j2U3k

So I just started using 1password and was thinking of lastpass. I'm still trying to figure out which is better. Anyone have any comments?

I would say use SHA1_Pass and never store, synchronize or forget a password again. I'm biased though, I wrote it and use it daily. It's entirely free, cross-platform (GPL licensed) and you can get the source code from github.

Edit: Also, SHA1_Pass does not rely on websites or anything remote from your device to operate. It just requires you (the user) and your brain ;) That's the biggest reason I wrote it.

I use Passpack. Uses a password and a packing key -you have the option to use a yubikey as well.

You can read up http://www.passpack.com/en/faq/

That's not very smart considering that a lot of people won't be able to lockin to their email to verify their emails because they don't have access to the login details of their email because they haven't verified it.

And why the hell didn't they use scrybt in the first place? For a company so paranoid, that seems to border on neglect.

And that, right there, highlights why all of my passwords aren't kept with their (or any) service - for many, it just introduced a single point of failure. Imagine being locked out of every website you have an account on, just like that.

Nope. I'll make strong passwords on my own and encrypt my own copies, thanks.

> encrypt my own copies

This is simply not a feasible solution for the general public. LastPass has demonstrated that they are 1. paranoid as hell and 2. that the only real vulnerability in this situation is that if you have a dictionary password, it may be able to be brute forced, if the worst case scenario happened. They even outlined steps that they are taking to fix this problem.

LastPass is an incredibly smart security solution for the majority of people. Telling us that they are taking steps to protect their users because of an event that they haven't even verified was a compromise is better than you discovering that your bank password was stolen because you forgot to update your firewall.

just separately save your email password, all other services restore the password via email

Making your email password the weakest link...

My gmail account is actually more secure than lastpass since I have OTP enabled with two factors identification.

Well done, hopefully more will do following this type of incident. You can also use Yubikey to add two factor authentication to your Lastpass account if you want keep using LP

LastPass make it pretty clear that your main email address is a point of recovery for your account. The two passwords I know are my LastPass master pass and my email password.

I do the same, and I think that's the best approach. Your email password is just too important for anyone to have it. Just remember two strong passwords (email + LastPass), and you're reasonably secure.

That's the final straw for me. Just exported my login details, emptied out my lastpass vault and uninstalled the addon. Will stick to storing my login details in a Dropbox distributed GnuPG protected flat file. Less convenient, but at least I'm not reliant on a third party.

Why not use KeePass/Keepassx it is a little more functional than a flat file at least.

You still rely on Dropbox.

That was my initial thought, but no. All dropbox files are local. You only rely on Dropbox for synchronizing across your designated machines and backing up on Dropbox, but Dropbox going down does not restrict access to any local Dropbox folder.

As for not getting his passwords compromised: no, not more than a vpn user relies on internet to keep his data secret.

As for getting access to his data anytime: Yes, except if he has a backup.

I don't understand why you think I wont be able to access my data anytime? Dropbox synchronises the files so you have a local copy on each of your Dropbox hosts. So if Dropbox is offline, or you get disconnected from the Internet, you can still access them...

Worse case scenario is something causes the file to get deleted and that propagates to all of the other hosts and deletes their local copies. But yes, I have backups so that isn't a problem.

In what way do I rely on Dropbox for securing or accessing my login details?

My passwords are encrypted and accessible at all times, even if Dropbox is down or I lack Internet access...

So is LastPass, you just click the 'log in locally' checkbox.

I never claimed anything different...

However, to be more accurate:

"So is LastPass, unless you disable offline login, or enable the use of a Yubikey"

IMHO everyone who is using such a service is a moron.

This is an irresponsible position to take and akin to telling people to "make stronger passwords." It simply isn't realistic. LastPass allows creation of randomly generated passwords very easily and encrypts and stores them so you can use them anywhere. The alternative for most normal users is to create one or two passwords and use them everywhere, compromising the security of all of their accounts. Obviously your response to this would be that they shouldn't do that but the fact is, without something like LastPass, they have little other choice.

This freakout reminds me of the radiation poison bullshit from a few months back. Bananas have radiation therefore bananas are dangerous. Practicality dictates that you are plain wrong.

Suddenly, I'm glad I switched to 1Password.

Yeah 1Password is pretty awful when you consider the amount of features you get with LastPass like multi-factor authentication. 1Password relies on Dropbox. Your passwords are all stored on your computer. Granted they're in an encrypted format, but if you have a jerk for a room mate they could copy your encrypted files, key log your vault password, and have access to all your passwords.

On the other hand, if you get my LastPass password you better have my grid too (I keep it online so I can access it wherever, password protected). Additionally LastPass is working on SMS codes for login.

The there's somebody how can key log hardware you (think you can) trust, you're hosed whatever security you're relying on.

Negative, LastPass can generate one-time passwords which you can then use on computers you suspect to be insecure.

But most of the damage from keyloggers happens to people who do NOT suspect they are using an insecure system (their own).

But you can control the risk of exposure to keyloggers. You have zero control over risks to LastPass's infrastructure - which, as this blog post mentions, is a much juicier target than your passwords on their own.

Unfortunately, there's always potential security vulnerabilities: http://xkcd.com/538/

LastPass also has YubiKey support for really nice 2-factor auth.

Does anyone know if there is a way to encrypt my lastpass db using both a password and an RSA private key?

Let this be a reminder to LastPass to include a password expiration date by default.

...So you then have to replace a safe, well-thought-out password for a less safe one?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact