LastPass Disclosure Shows Why We Can't Have Nice Things (throwingfire.com)
559 points by thirsteh on May 8, 2011 | hide | past | web | favorite | 82 comments

This is to be expected when you have ignorant people reporting on things that they are not willing to educate themselves about. Anyone who wrote sensational garbage about the LastPass event didn't bother to understand how LastPass works and what the real potential of any breach could be.

Frankly, it leaves me exhausted in the same way the regular stream of sensational ignorant responses to violent video games, boobs in video games, or explicit lyrics in music leave me exhausted. It's extremely difficult to fight an ignorant public being exploited by a willfully ignorant and sensationalistic media.

The likes of Tech Crunch et al who should be in a position to counter such mainstream media reactions and behavior are all too often, unfortunately, jumping right into the fray and showing that they can be just as counter-productive as any big old-media outlets.

Exactly that. I really want to do an HN post asking people to curb all of the sensationalist headlines (especially if you haven't fully researched the situation).

I just feel like it will get lost in the noise though

At least headlines on HN are frequently edited to make them true.

That was always one of the things that drove me batshit crazy about slashdot -- nominally it has editors, but they let straight up flame-bait submissions go through.

Slashdot's discussion of the Lastpass situation was titled LastPass Password Service Hacked and linked to an article at Kaspersky where their title said LastPass Probably Breached.


I use lastpass and 1password. FWIW, I think the guys at AgileBits did a pretty reasonable job of not gaming lastpass's bad day. They did a blog post about a relevant detail of their own security, which really seems like a reasonable thing to do on a day like that.


In which case Kaspersky is already being untruthful, which is hardly surprising, considering they sell a competing product. I would expect more honesty when a company reports on its own game: if you understand full well how subtle things are, then let your reporting reflect that.

People are encouraged to use the original headlines, and someone who tries to de-sensationalize a headline will be complained at (and article-flagged and downvoted) more than someone who posts a sensational title as-is.

HN with all the TechCrunch bullshit edited out is much better. I've been skipping any TC link for a while now and it's a big improvement.

It's not ignorance, they know full well what they are doing, generating traffic for their site.

Hanlon's razor[1]. They may very well believe that what they are writing is true. Most people don't engage in dishonesty easily, but they are quick to fool themselves into believing they aren't being dishonest.

[1] http://en.wikipedia.org/wiki/Hanlons_razor

Angrycoder's razor: most people are assholes and will do anything to make a buck.

Hanlon's Razor really should only be applied when you don't have other evidence. In the case of tech crunch, I'm fairly well convinced that they will take any news event in the most sensationalist light possible, regardless of their knowledge of the facts.

It appears you are missing an apostrophe, I think I found it :)


Thanks. It's weird though: I'm sure I copied the url and didn't edit it.

It's part of the HN comment-formatting parser. It often seems to happen with wikipedia URLs in particular, most sites just take apostrophes and such out.

The solution as shown by delta1 is to escape it.

clarke-hanlon: any sufficiently advanced incompetence is indistinguishable from malice.

The media may suck, but I remember cperciva saying that tarsnap signups actually increased after a security bug (http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-...) - prospective customers were impressed by his response. In fact, my opinion of KeePass is higher after this incident ("seem to be properly paranoid") than before ("who?").

Not to be anal here, but the original article is about LastPass[0] as opposed to KeePass[1], which is another password manager (NB: KeePass is locally hosted).

[0] http://lastpass.com/

[1] http://keepass.info/

> ignorant people

Aren't the ones writing "headlines". They are the ones reading and believing "headlines" without understanding.

This is the only sane post I've read about this incident. All the major tech sites blew it way out of proportion. LastPass did everything right, and yet every headline was along the lines of "LastPass has been hacked, panic!".

They deserve better, especially seeing as how transparent they were about the whole situation and how they handled it.

Actually, I think that LastPass overreacted. Seeing the possibility of a breach, and alerting customers is definitely the right thing. But they went so far as to lock customers out of their own data -- it was two full days before my wife was able to get into our bank account.

Was that their failing or yours?

I'd tend to look at these types of services as a convenience, nothing more. If you allow yourself to become reliant on them for access to your personal data, like banking, etc., then I'd say that you put too much faith/trust in them. Shit happens, all the time, despite the best intentions of people working hard to make sure it doesn't.

> I'd tend to look at these types of services as a convenience, nothing more.

How do you go about keeping all of your usernames and passwords secure, then?

I'm not the OP, but I use KeePass+DropBox.

The encrypted database is local and synced everywhere. If DropBox goes down I have to fall back to another transport, but I am never "locked out".

Call me crazy, but I use my memory. I also use RSA fobs for the important/big stuff.

Your memory must be much better than mine. Recommended procedure is to use a different and secure password for every site you care about, right? That's three bank accounts, several work-related accounts, a couple of social media sites, etc. I'd have to remember at least 20 difficult passwords on a daily basis.

Maybe it is... who knows.

It's a hell of a lot easier to do if you don't make it about straight random memorization though.

I have a little memory association I do with every site I need an account/pass for, based on various characters out of books I've read.

Every site has a character I've associated with it, to make it easier to remember, and I have a simple (to me) algorithm I use to generate the password that includes various capitalization and special characters.

Sure, it might take a bit of work early on to remember stuff, but if you learn how to memorize things effectively, it makes it much easier.

Mind you, I also know all my CC numbers, passport number, drivers license, etc., as well, so maybe I'm just weird.

Maybe not weird, but definitely better than me. I remember my driver's license, my phone number, my girlfriend's, and my parents'. That's about it.

The mnemonic is a good idea. I've thought about doing that - but then I fear that I'd forget the mnemonic :)

I have to look at my phone every time someone asks me for my phone number. I don't know if this means that my brain is dying or that I don't bother remembering information that I can easily look up...

That's some awesome memory you've got!

I use my memory for all my passwords (lots) and quite a few client / account numbers. I like to do it that way cos it's fast, but on the odd occasion, maybe once a year, I have a 'bad day' when I can't remember -any-.

That's the value proposition of LastPass though, that you use them for all of your passwords...

And they have an "offline" non-browser program everyone can/should use to both keep an exported backup and access passwords in an outage.

That's the marketing offer. I use lastpass for all my websites, but not for my master email, paypal and banks. I have over 120 accounts here and there for websites I test. Before I had three passwords: one for paypal, one for email and one for everything else; then came the gawker debacle. I completely trust lastpass for my twitter account, facebook, affiliation programs, etc...

I do exactly the same. Lastpass has my social sites passwords, and other not-so-relevant sites. I commit to memory my hard-to-guess passwords for email, bank and Paypal accounts.

it was two full days before my wife was able to get into our bank account

Most banks have phone numbers that you can call if you don't know your password. Some banks even let you reset your password if you know your account number and SSN.

Hah! In Poland we have a much more secure system. Any attacker needs to know my mother's family name as well.

EDIT: d'oh. It's maiden name, obviously.

Recently I needed to get my password for my bank account in France (I live in China)... They gave it over the phone after I only gave them my bank account number, my birthday and my name... I then went on to my bank account and transferred money.

With banks this secure, I really don't worry about keeping the login information in something like lastpass

I can't tell if you're saying that banks are secure or insecure. BTW, your name is Guillame Maury, and your birthday is 03/07/1982.

Anyway, I also live in China, and have had problems with banks being so secure that it becomes inconvenient. A few months ago I tried to get into my ING account, for which I'd lost the password. Although I managed to authenticate my identity over the phone, they could only send me a new password to my address in the UK. However, this is a house my family no longer lives in... so the whole affair involved contacting the new occupants to forward the new password letter on to someone I knew. I've also had problems with Natwest's online payment system giving me an "unknown failure" message. After calling up, I found that the system had flagged my transaction as suspicious due to my location as revealed by my IP address. When dealing with such issues, I often feel like I'm trying to steal my own identity.

Anyway, after looking at the options I decided to use PasswordCard to manage my passwords, which is a physical solution (www.passwordcard.org). It's a card of random numbers, symbols and letters that you can print out. You then take a sequence of such symbols to form each new password that you need. I decided not to use a standard password manager since it's not very portable between machines (I travel quite a bit, and also with the current rate of technology change it's likely that in a few years I'll be using a device and OS that doesn't exist yet).

I was being sarcastic when I said that it was secure....

It's true that sometimes having very secure banks can be a pain... But, I would much rather have a bank that is very secure and a bit of a pain to sometimes access compared to a bank like mine where it's trivially easy to get access to someone's bank account...

I currently use 1password because it's not hosted, it's portable and I find it quite convenient...

BTW: You got my name but haven't got my correct birthday date. I've avoided having it in clear on internet because of identity thefts :-)

If you ever drop by Shanghai, feel free to hit me up for a drink

Nitpick: It's usually mother's maiden name - is that what they need to know?

Personally, my bank account is one part of my online identity I wouldn't trust in the hands of any password manager.

But why? What are you worried about? The anti-fraud systems being employed by your bank are damned good. Moreover, all banks (U.S.) provide fraud protection... Looking at my Bank's website for a moment reveals that a potential attacker could, I assume, change my ATM PIN (If they already knew it) do some bill pay, and possibly create an ACH transfer... Which I could reveal as fraudulent to my bank...

Why should I be worried about this? I'm not trolling... I just don't understand what we are all supposed to be afraid of.

This. For me, Lastpass gets everything except email and banking. That means I have to remember 3 logins, which I am okay with.

Just 3 ... problem is between banks, CC and brokerage accounts I have at least a dozen accounts which are 'financial' in nature.

I wish there was a way of securing all of them with the same secondary authentication token.

Something like this? https://www.pwdhash.com/ You can use the same password but the local browser plugin will use the site's URL to hash the password you type into something unique to that URL. I haven't used it personally and haven't researched it in detail but I like the concept.

Sounds like supergenpass which was implemented in Javascript as a bookmarklet, which is pretty good idea, except that any website with malicious code could grab your master pass from the DOM, and then they could use that for your account on any other website.

It looks like pwdhash works around this by functioning as a browser plugin (making your master password inaccessible from the DOM) but I'd still be slightly worried about browser exploits allowing malicious sites to get at your master password.

It's remarkably hard to get this right. pwdhash notes[1] that being a browser plugin stops JavaScript grabbing the password, but it's still possible with Flash. Third-party ports to other browsers don't even have the JS protection.

pwdhash still leaks the length of the password since it aims to give users visual feedback of characters being typed.

Then you've also got the issue of automatic update of plugins being compromised. The question is really: is it more secure than the alternatives?

1: http://crypto.stanford.edu/PwdHash/pwdhash.pdf

Maybe you use trust-level master passwords. E.g.

Financial institutions you type in: 'myfinancialpassword'

Other sites you type: 'myrelativelysecurepassword'
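The per-site hashing idea discussed in the pwdhash/supergenpass comments above, written out as an added example (this is not pwdhash's or supergenpass's own code, and the host canonicalisation rule is a simplified assumption): the master password keys an HMAC over the site's host, so each site receives an unrelated password and the output reveals nothing about the master secret. The trust-level split from the last comment falls out of the same function: hold two master strings and call it with the "financial" one for bank hosts.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!#%&*+-=?@"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 72 characters


def canonical_host(url):
    """Hypothetical, simplified canonicalisation: lowercase the host and
    strip a leading 'www.'.  A production scheme needs a public-suffix list
    so that login.bank.example and bank.example agree while a lookalike
    such as bank-example.evil does not; this rule only unifies a bare host
    with its 'www.' alias, which is enough to show the binding."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def site_password(master, url, length=16):
    """Derive a per-site password from the master secret and the site host.

    HMAC-SHA256 keyed with the master password over the canonical host:
    a site (or a phisher on a lookalike host) only ever sees a value that
    is useless for any other host and does not expose the master password.
    The password is assembled deterministically, so the same inputs always
    give the same password without any stored state.
    """
    if not 4 <= length <= 20:
        raise ValueError("length must be between 4 and 20")
    host = canonical_host(url)
    digest = hmac.new(master.encode("utf-8"), host.encode("utf-8"),
                      hashlib.sha256).digest()
    # One output character per digest byte.  256 % 72 != 0, so there is a
    # slight modulo bias; acceptable for this illustration, not for a
    # production generator.
    pw = [ALPHABET[b % len(ALPHABET)] for b in digest[:length]]
    # Force one character of each class at digest-chosen, distinct positions
    # so the result satisfies common site complexity rules every time.
    offset = digest[20] % length
    for i, cls in enumerate((LOWER, UPPER, DIGITS, SYMBOLS)):
        pw[(offset + i) % length] = cls[digest[21 + i] % len(cls)]
    return "".join(pw)


if __name__ == "__main__":
    # Constructed inputs: the same master gives different passwords per host,
    # and the 'www.' alias maps to the same password as the bare host.
    for u in ("https://www.example.com/login", "example.com", "examp1e.com"):
        print(u, "->", site_password("correct horse", u))
```

The two weaknesses raised in the thread still apply to this design: whatever runs the derivation (bookmarklet, extension, or a native binary) holds the master password in memory while it runs, and a site-supplied script that can read the typed master from the page gets every site's password at once, so the derivation should never execute in page-controlled JavaScript.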

It took your wife two days to verify her account by email, or login from a previous location?

Would you rather have a slight inconvenience and have a company act in your best interests (security and safety), or would you prefer your data run the risk of compromise?

I'd like to be able to decide for myself how much risk to expose myself to. In this case, all signs were for minimal risk, so I think that they went overboard.

You can do that by not using LastPass. Offering "yeah, I want a little security, but not too much" would be kinda silly; they want their data to be safe.

I'm curious why she was locked out. I'm a LastPass user and the only thing I noticed is that my Chrome browser plugin had logged me out. I was able to log in with no problems, though, and the plugin continued to autofill websites as usual.

I couldn't log in for about 20 minutes at some point - which was bad, because I was at work, and stored work credentials via LastPass.

"Sorry, boss, can't work on that bug because I don't have my Redmine password. I also don't have the password for our build machine, so I can't sudo anything."

Wait, you rely on a password instead of a public key for your build machine?

To log in I use keys, but from there I still need to type in a password for root access.

We also have a client who gave us remote access via a Java applet to SSH in with - can't use keys on those.

Precisely. My first reaction when I read LastPass's release was relief that they actually cared about user security more than the potential bad press.

I liked the transparency. That's actually why I signed up and started using LastPass after the 'incident.' I figured a company that would react the way they did demonstrates a lot of integrity. People expect great products, so it is very difficult to give somebody a product that exceeds expectations. Service, however, is rarely expected to be great. It's far easier to exceed expectations in that area. So when I see great service (which I think LastPass provided), I'm a fan.

You would deprive all of the tech sites with the ad revenue generated by the lemming rush! How cruel...

This reminds me of the recent story of an Applebee's (an American chain restaurant) employee that accidentally served alcohol to a toddler. All the commentary I read on the story said that the employee should be fired. But as long as it was an honest mistake, that's a terrible idea. No employee will ever be as careful with drinks as that guy will now. You shouldn't ask for experience when looking for employees and then fire them for getting it.

You have to be careful though because sometimes a mistake like that is not an honest mistake, but carelessness. To bring it back to the topic at hand, LastPass (possibly) made an honest mistake somewhere. Sony is careless. Fire Sony, run to LastPass because now they will be even more paranoid.

Wait a second. I mean it's nice and all that LastPass was being overly cautious. But how reassuring is it that they noticed an anomaly but weren't able to figure out what it was?

And this is a serious question, as I'm no expert in the field, but it seemed strange to me that they couldn't explain what actually happened with any certainty.

Here is an attempt to answer your serious question.

When was the last time that you "could have sworn" that you left your keys on the desk, but they're on the counter instead. Suppose that happened; it almost certainly means you just misremembered where you left your keys, but there is a TINY chance that someone might have stolen the keys, copied them, and put them back in the wrong place.

Just to be 100% certain, you immediately call a locksmith, and get your locks changed. And all the neighbors start talking about how poor you are at security for having allowed a burglar into your house.

THAT would be a reasonable analogy for what LastPass did.

Yes, I didn't need an analogy. I wanted to know why, in a secure house which presumably had cameras and sign-in sheets, they couldn't review the video tapes to see if someone had actually taken the keys or not (to extend your analogy).

And they do - and the cameras and sign sheets didn't explain the mysterious key movement. So they're replacing the locks.

The traffic is encrypted and they couldn't read it.

I would bet that many of us who manage servers have multiple anomalies in logs we can't explain, but we just don't scan our logs in enough detail to find the anomalies in the first place.

The fact that LastPass has methods to notice small anomalies like this is reassuring.

If they were logging access logs, the logs may have not shown what was accessed specifically in a program. Just ip addresses connecting to machine/software but no request disclosure. They have reasonable suspicion to be overly cautious: "After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)."

I hope they explain how they are going to resolve this for the future.
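The check the quoted notice describes, a host sending more than its known peer reports receiving, as an added example over constructed per-minute byte counters (this is not LastPass's monitoring and the numbers are made up): the database host's egress is compared against its own robust baseline, and any anomalous minute is then reconciled against the app server's ingress from the database. Egress that nothing on the expected receiver accounts for is exactly the "opposite direction" anomaly the comment quotes, and is worth treating as possible data leaving by an unexpected path until explained.

```python
from statistics import median

# Constructed counters, bytes per minute over one hour, from two vantage
# points: what the database host counts as sent to the app server, and what
# the app server counts as received from the database.  They normally agree.
DB_EGRESS = {m: 40_000 + (m * 37) % 5_000 for m in range(60)}
APP_INGRESS = dict(DB_EGRESS)
# Minutes 41-43: the database sends far more than the app server sees arrive.
for _m in (41, 42, 43):
    DB_EGRESS[_m] += 900_000


def robust_threshold(values, k=6.0):
    """Median + k * scaled MAD.  Unlike mean/stddev this baseline is not
    dragged upward by the very spike it is supposed to detect."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    return med + k * 1.4826 * mad


def unexplained_egress(egress, ingress, k=6.0, tolerance=0.05):
    """Return [(minute, unexplained_bytes)] for minutes where the sender's
    egress is anomalous against its own history AND the receiver's ingress
    does not account for it (beyond a tolerance for counter skew)."""
    thr = robust_threshold(list(egress.values()), k)
    hits = []
    for m in sorted(egress):
        sent = egress[m]
        seen = ingress.get(m, 0)
        if sent > thr and sent - seen > tolerance * sent:
            hits.append((m, sent - seen))
    return hits


if __name__ == "__main__":
    for minute, gap in unexplained_egress(DB_EGRESS, APP_INGRESS):
        print(f"minute {minute}: {gap} bytes left the database unaccounted for")
```

A spike alone is weak evidence (backups, a reporting job, a cache warm-up); the reconciliation against the receiver's counters is what turns it into something actionable, and it also catches the case where the spike is small enough to stay under the threshold on the sender but the receiver saw none of it at all. Volumes are useless once the suspect traffic is encrypted, so without flow logs that record the actual destination, this is as far as the counters take you, which is why the thread's "they noticed but could not say what it was" is a plausible outcome.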

Don't know if there would have been a way for LastPass to disclose this information without getting the response they did, but in addition to the stupid coverage they got, they pulled me in as a customer after seeing how good they were at what they did. So I think there was good fallout from the coverage as well.

Agreed - I recently started using LastPass based on various recommendations around the web. Knowing they are paying this much attention to things increases my confidence rather than decreasing it.

I love this reaction. Signing up for an account with them now after seeing how seriously they monitor security.

Does LastPass know my passwords? If so, why it needs to know my passwords?

I thought that my passwords are encrypted on my computer with master password known only to me, but same master password leaves my computer every time I log in to LastPass site via their website.

Could someone point me to where it is detailed how they manage without knowing my password or where it is explained why they need to know it?

Nope they don't know your password, they just have the salted hash.
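One common way a hosted password manager can avoid ever learning the master password, added here as an illustration and not as a description of LastPass's actual protocol (which this thread does not detail; the iteration count and the "auth" label are assumptions): the client derives a vault encryption key from the master password, then derives a separate authentication value from that key. Only the authentication value crosses the wire, and the server stores a salted hash of it, so the server holds neither the master password nor the key that decrypts the vault.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed client-side PBKDF2 cost for this example


def derive_keys(master_password, username):
    """Client side.  Returns (vault_key, auth_key).

    vault_key never leaves the client; it is what would encrypt the vault.
    auth_key is a one-way derivative of vault_key and is the only value the
    client sends when logging in.  The username is the salt so two users
    who pick the same master password do not share keys.
    """
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    username.lower().encode("utf-8"), ITERATIONS)
    auth_key = hashlib.pbkdf2_hmac("sha256", vault_key, b"auth", 1)
    return vault_key, auth_key


class Server:
    """Server side.  Stores only a random salt and a salted hash of auth_key
    per user; it never sees the master password or vault_key."""

    def __init__(self):
        self.users = {}

    def register(self, username, auth_key):
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_key, salt, ITERATIONS)
        self.users[username.lower()] = (salt, stored)

    def login(self, username, auth_key):
        record = self.users.get(username.lower())
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", auth_key, salt, ITERATIONS)
        return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    # Constructed user; nothing here is real account data.
    vault_key, auth_key = derive_keys("correct horse battery", "alice@example.com")
    server = Server()
    server.register("alice@example.com", auth_key)
    print("login ok:", server.login("alice@example.com", auth_key))
    print("wrong password:",
          server.login("alice@example.com", derive_keys("wrong", "alice@example.com")[1]))
```

What a stolen server database buys an attacker under this design is an offline guess at the master password through two PBKDF2 stages, not the vault key directly; the cost of that guessing is set by the iteration counts, which is why the stretching matters. The caveat raised elsewhere in the thread still applies: if the client that performs `derive_keys` is JavaScript served by the same site, the user is trusting that site not to ship a client that exfiltrates the master password.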

Hopefully people using the service and those interested in it will read past sensationalist articles, and actually check out the service.

The sad thing is that most people who were previously unfamiliar with LastPass probably won't dare to try it out now. That's the kind of press LastPass just didn't deserve.

Actually I've decided to give LastPass a shot DUE to how well they've handled this, and knowing that they will probably have a sufficiently paranoid response to situations in the future, as well as knowing they have an excellent hash algorithm in place.

Unfortunately you are right for the overwhelming majority of users who will see "LastPass Hacked!" then note "Don't use LastPass".

They are good at what they do. But they might become more careful about disclosing the problems next time.

I hope that LastPass realised that they would receive this negative publicity by handling this event so publicly, and that they went ahead and did it anyway. That would show great integrity. If something similar happens again and they sweep it under the carpet to avoid a repeat of this bad publicity, then they're the same as every other company.

It would be interesting to see statistics on how much the negative press actually affected LastPass. It seems likely that the sort of people who would use LastPass are also the sort of people capable of deciding for themselves how safe their data are.

I agree on the overall subject but I'm still shocked that LastPass hasn't got anything better than "spike in the traffic" IDS, better logging etc? If you are in a business with this kind of data you have to expect to get hacked everyday and you have to be ready for it. Even your business plan should include this stuff.

Unless they have a really awkward reason, not having a proper idea about a possible hack is not a good sign.

A security breach is never OK. Disclosure helps but does not absolve anyone. We cannot accept that these things just happen.

Besides, it's a password manager. Of course it's going to be held to a higher standard of security. It failed at the one and only thing it is supposed to do.

The explanation given (slight chance others may have accessed encrypted password data) and the action taken (locking user accounts) don't go together and led to the media frenzy.

