Lastpass users

Discussion in 'Tech Talk - Gadgets, Gizmos and Technology' started by dpeters11, May 5, 2011.

  1. dpeters11

    dpeters11 Hall Of Fame

    16,344
    505
    May 30, 2007
    Cincinnati
    Lastpass has announced that they've seen traffic on their network that they can't account for. At this point, they can't for sure say whether they were compromised, but they've taken several measures to be safe.

    As of right now, all logins from mobile devices and IPs that you hadn't recently used before this traffic have been disabled. To use those you'll need to change your Lastpass master key.

    If a hacker had gotten the encrypted passwords, plus the salting formula Lastpass uses, they could theoretically successfully figure out your password by comparing the hashes. Currently, Lastpass hashes a hash and "salts" it to make it more difficult to brute force.

    They are also going to start requiring 100,000 hashing iterations per passphrase, which will make a brute force attack very computationally expensive.

    I've changed my password, mainly because I use the iPhone and Blackberry apps.
     
  2. klang

    klang Hall Of Fame

    1,268
    2
    Oct 14, 2003
    Near...
    Never heard of it. Had to Google it.

    Online password management? No thanks.
     
  3. dpeters11

    dpeters11 Hall Of Fame

    16,344
    505
    May 30, 2007
    Cincinnati
    It's a lifesaver for me. I switched after the Gizmodo issue; each site has its own randomly generated password. Keep in mind, they never see unencrypted data. It's encrypted on the client side. It's not like Dropbox, where they can access private files you put there. If I remember the process correctly, your computer creates a hash that is salted with random numbers to create a 256 character string, then that is hashed with your password+username and salted to another 256 character string. That result is what is stored on their servers, and sent over SSL for good measure. Besides, you can use two-factor authentication, so they'd need your Yubikey or password grid sheet as well.

    People have analyzed the packets sent and have verified this. I feel much safer with this than, say, financial sites (Capital One for example) that allow you to use mixed case for a password, but then ignore case for authentication, plus not allowing many symbols. Plus we're finding more places that apparently stored passwords in the clear. If someone got my PSN password, they only got that.
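The two ideas raised in this thread, a master key derived on the client and never sent (post 3) and an iteration count that makes each offline guess expensive (post 1), can be shown with a short script. The example below is added here and is not LastPass's code or a description of their exact scheme; it is a generic PBKDF2-HMAC-SHA256 pattern with a vault key salted by the username, a separate login hash the server stores, and a timing helper that shows why 1 versus 100,000 iterations matters. Function names, the in-memory `store` dict and the sample accounts are all constructed for the illustration.

```python
"""Client-side key derivation as an added illustration of the thread's points.
Generic PBKDF2 pattern, not LastPass's actual implementation."""
import hashlib
import hmac
import time

KEY_LEN = 32  # bytes; 32 bytes = 256 bits


def derive_vault_key(username: str, master_password: str, iterations: int) -> bytes:
    """Key that encrypts the vault locally; it never leaves the client.
    The username is the salt, so the same password on two accounts
    yields different keys and a precomputed table is useless."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), iterations, KEY_LEN
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra PBKDF2 round over the vault key, salted with the password.
    This is what the client sends and the server stores. A server holding it
    cannot recover the vault key (PBKDF2 is one-way), so a server breach
    leaks neither the password nor the key that decrypts the vault."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def register(store: dict, username: str, master_password: str, iterations: int) -> None:
    """Server-side record: only the iteration count and the login hash."""
    vault_key = derive_vault_key(username, master_password, iterations)
    store[username] = {
        "iterations": iterations,
        "login_hash": derive_login_hash(vault_key, master_password),
    }


def login(store: dict, username: str, master_password: str) -> bool:
    """Client re-derives the login hash using the stored iteration count;
    the server compares in constant time."""
    record = store.get(username)
    if record is None:
        return False
    vault_key = derive_vault_key(username, master_password, record["iterations"])
    candidate = derive_login_hash(vault_key, master_password)
    return hmac.compare_digest(record["login_hash"], candidate)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall time for one derivation: the cost an attacker pays
    per candidate password in an offline brute-force attempt."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("timing@example.com", "guess", iterations)  # constructed sample
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    store = {}  # stands in for the server's user table (constructed)
    register(store, "alice@example.com", "correct horse battery staple", 100_000)
    print("login ok:", login(store, "alice@example.com", "correct horse battery staple"))
    print("wrong pw:", login(store, "alice@example.com", "Tr0ub4dor&3"))
    for n in (1, 1_000, 100_000):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1e3:.2f} ms per guess")
```

Run it and the last three lines show roughly linear growth in cost per guess with the iteration count; that per-guess cost, multiplied by the size of the password space, is the brute-force bill the 100,000-iteration change raises. Note that the server record also has to carry the iteration count, because a client can only re-derive the same login hash if it uses the same count the account was registered with.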
     