LastPass.com Breach

111
Posts: 211
Joined: Sat Mar 03, 2012 4:20 am

LastPass.com Breach

Post by 111 »

If you use LastPass you should read this blog post announcing they were breached: https://blog.lastpass.com/2015/06/lastp ... tice.html/

You should probably change your password. And, if you haven't already, consider using 2 Factor Authentication (there is a link in the blog post explaining how.)
neuro84
Posts: 79
Joined: Thu Jul 24, 2014 11:25 am

Re: LastPass.com Breach

Post by neuro84 »

Great. I literally just started using this service 3 days ago, after a BH recommended it.

Thanks for sharing.
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: LastPass.com Breach

Post by VictoriaF »

neuro84 wrote:Great. I literally just started using this service 3 days ago, after a BH recommended it.
It could be worse. You could have put a large lump sum into TSM only to watch the stocks sharply declining a few days later.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: LastPass.com Breach

Post by 2015 »

Could have been (much) better. You could have gone with KeePass which only stores your encrypted info locally, as on your computer or external drive. I knew a breach of this sort would be possible with LastPass which is why I decided against any service where my information would leave my control. KeePass is an outstanding PW manager IMO.
tech_arch
Posts: 253
Joined: Wed May 27, 2015 11:47 am

Re: LastPass.com Breach

Post by tech_arch »

For perspective, here is an ArsTechnica report (http://arstechnica.com/security/2015/06 ... passwords/) on the breach. Overall, your data should be very safe.
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: LastPass.com Breach

Post by 2015 »

tech_arch wrote:For perspective, here is an ArsTechnica report (http://arstechnica.com/security/2015/06 ... passwords/) on the breach. Overall, your data should be very safe.
Ah, the magic words: "should be". Just like my name, SS #, DOB, address, and other pertinent personally identifying information "should have been" safe with Anthem. Until it wasn't. I would never trust my financial future to a cloud based password manager. Not ever.
burgrat
Posts: 297
Joined: Sat Apr 24, 2010 11:38 am

Re: LastPass.com Breach

Post by burgrat »

TimeRunner
Posts: 1938
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: LastPass.com Breach

Post by TimeRunner »

"Did you salt that password hash 60,000 times, or maybe it was only 50,000. To tell you the truth, I forgot myself in all this excitement."
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
Gemini
Posts: 1029
Joined: Sun May 20, 2012 8:10 am

Re: LastPass.com Breach

Post by Gemini »

Ahhhhhh I was just about to buy this.

Man is there anything out there that is both safe AND convenient? I currently have Keepass on my home computer and on a jump drive. I take the jump drive with me anywhere I need to access this information. I am okay with that, but it is kind of cumbersome. I tried to have my family members do this method and they refused. What are their best options? I was looking at lastpass and 1password.
Bernie's Dad
Posts: 21
Joined: Sun Feb 08, 2015 11:21 pm
Location: Arizona

Re: LastPass.com Breach

Post by Bernie's Dad »

IMHO, LastPass is still one of your safest options, as long as you are using a strong password for your vault and you don't use this same password anywhere else. I agree it is probably less safe than if you only had a single copy of your encrypted password database stored in only one location that is presumably kept as secure as possible, but that's an awfully lot less convenient. I use LastPass from my PC, laptop, work computer, Windows Phone, iPad, and occasionally from my parents' computers while visiting them.

Keep in mind:

The vault is always encrypted on the LastPass servers, using your strong password. LastPass never receives your password.

The locally cached copies of your vault (which you may have if you've chosen to install the browser add-ons or standalone app) are also encrypted on disk at all times.

LastPass said that the vaults were not accessed in this particular attack. If I recall, a few years back, there was an attack where the attackers did potentially have access to the vaults -- but as always, they'd only have your encrypted vault and would need to know your e-mail and guess your password to decrypt.

Using LastPass or other similar password vaults/keepers is WAY more secure than trying to remember the password to each service you use, because it lets you use cryptographically random, long, unique passwords for each of your accounts.
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: LastPass.com Breach

Post by Angelus359 »

This "breach" really is no big deal

It'd be near impossible to get your data anyways because lastpass themselves can't access it
Systems Engineer
Ged
Posts: 3944
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: LastPass.com Breach

Post by Ged »

Gemini wrote:Ahhhhhh I was just about to buy this.

Man is there anything out there that is both safe AND convenient?
A commonly stated aphorism is "the only things that are truly secure are unusable".

Personally the idea of putting my password file out on the 'cloud' makes me break out into a cold sweat. There are just too many things that could go wrong.
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: LastPass.com Breach

Post by Angelus359 »

If it's not cloud available, it's a pain to use. If it is cloud available, then it's at risk of brute force attacks after breach.

The only "safe" method is to create a system where brute forcing takes longer than your lifespan to crack, and then rotate passwords.

Problem with that is remembering your long password.
Systems Engineer
leod
Posts: 606
Joined: Tue Sep 22, 2009 2:54 pm

Re: LastPass.com Breach

Post by leod »

Angelus359 wrote:This "breach" really is no big deal

It'd be near impossible to get your data anyways because lastpass themselves can't access it
That can't be true for sure; employees have access to the data, otherwise how can they provide support, etc.?
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: LastPass.com Breach

Post by VictoriaF »

Angelus359 wrote:If it's not cloud available, it's a pain to use. If it is cloud available, then it's at risk of brute force attacks after breach.

The only "safe" method is to create a system where brute forcing takes longer than your lifespan to crack, and then rotate passwords.

Problem with that is remembering your long password.
You can use your favorite songs, e.g.,
Yesterday*all*my*troubles*seemed*so*far*away
is long and memorable.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
simmias
Posts: 250
Joined: Sun May 17, 2015 4:18 pm

Re: LastPass.com Breach

Post by simmias »

Gemini wrote:Ahhhhhh I was just about to buy this.

Man is there anything out there that is both safe AND convenient? I currently have Keepass on my home computer and on a jump drive. I take the jump drive with me anywhere I need to access this information. I am okay with that, but it is kind of cumbersome. I tried to have my family members do this method and they refused. What are their best options? I was looking at lastpass and 1password.
I'm sure someone will chime in to tell me why this isn't as secure as I think it is, but I keep my KeePass file synced in Dropbox. You can set up KeePass to require both a password and a key file. If you lose either you can't open it. So I keep the file that requires the password in the cloud, and I keep the key file local on each machine I want to access the file on. If someone can crack the password, it doesn't matter since they can't recreate the key file.
ThankYouJack
Posts: 5704
Joined: Wed Oct 08, 2014 7:27 pm

Re: LastPass.com Breach

Post by ThankYouJack »

This is why I never store important passwords on the cloud based password manager. I don't care how many times it's been hashed, salted or peppered. There's always a chance for a breach, brute force, man-in-the-middle, or a number of other things that could go wrong.

There are programs that store the encrypted files locally and sync all of your devices over wifi. It's very convenient and more secure.
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: LastPass.com Breach

Post by VictoriaF »

ThankYouJack wrote:This is why I never store important passwords on the cloud based password manager. I don't care how many times it's been hashed, salted or peppered. There's always a chance for a breach, brute force, man-in-the-middle, or a number of other things that could go wrong.

There are programs that store the encrypted files locally and sync all of your devices over wifi. It's very convenient and more secure.
Let's say that you have a complex password to access the Bogleheads site: $$&D@#se93w34@$seiw3bnaSEEE133s or something similarly memorable. You travel to Spain and want to access the Bogleheads on your iPhone via WiFi at your hotel. Will you store your passwords on the iPhone? What if your iPhone is lost or stolen?

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
stan1
Posts: 14235
Joined: Mon Oct 08, 2007 4:35 pm

Re: LastPass.com Breach

Post by stan1 »

ThankYouJack wrote:
There are programs that store the encrypted files locally and sync all of your devices over wifi.
Such as?
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Sidney
Posts: 6784
Joined: Thu Mar 08, 2007 5:06 pm

Re: LastPass.com Breach

Post by Sidney »

VictoriaF wrote:Let's say that you have a complex password to access the Bogleheads site: $$&D@#se93w34@$seiw3bnaSEEE133s or something similarly memorable. You travel to Spain and want to access the Bogleheads on your iPhone via WiFi at your hotel. Will you store your passwords on the iPhone? What if your iPhone is lost or stolen?
What would be the downside? I'd be more concerned about losing my phone than the consequence of someone logging into BH as me.
I always wanted to be a procrastinator.
Sidney
Posts: 6784
Joined: Thu Mar 08, 2007 5:06 pm

Re: LastPass.com Breach

Post by Sidney »

stan1 wrote:
ThankYouJack wrote:
There are programs that store the encrypted files locally and sync all of your devices over wifi.
Such as?
Not sure what Jack means but I use Keepass and store the file in a Dropbox folder which syncs on all my devices. There is an Android Keepass app that can open the KP database.
I always wanted to be a procrastinator.
Angelus359
Posts: 846
Joined: Mon Mar 03, 2014 11:56 pm

Re: LastPass.com Breach

Post by Angelus359 »

Using keepass with Dropbox is less secure than lastpass, lol

It's still doing the same thing!

Oh, as to lastpass providing support... They can't reset your password. If you lose it, it's gone.
Systems Engineer
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: LastPass.com Breach

Post by VictoriaF »

Sidney wrote:
VictoriaF wrote:Let's say that you have a complex password to access the Bogleheads site: $$&D@#se93w34@$seiw3bnaSEEE133s or something similarly memorable. You travel to Spain and want to access the Bogleheads on your iPhone via WiFi at your hotel. Will you store your passwords on the iPhone? What if your iPhone is lost or stolen?
What would be the downside? I'd be more concerned about losing my phone than the consequence of someone logging into BH as me.
The iPhone would store hundreds of your passwords, not just the Bogleheads one. If the phone is lost or stolen all these passwords would be compromised. On the other hand, if you don't put passwords on the iPhone, you can't read the Bogleheads in your dental office because you can't possibly remember a password like the one I produced above.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Sidney
Posts: 6784
Joined: Thu Mar 08, 2007 5:06 pm

Re: LastPass.com Breach

Post by Sidney »

Angelus359 wrote:Using keepass with Dropbox is less secure than lastpass, lol

It's still doing the same thing!
Possibly, although they would have to be targeting my Dropbox folder (probably a less rich target), know or figure out the name of the db file amongst all the other chaff in the folder and finally, they wouldn't get user names for accounts - I don't store those with passwords.
I always wanted to be a procrastinator.
stan1
Posts: 14235
Joined: Mon Oct 08, 2007 4:35 pm

Re: LastPass.com Breach

Post by stan1 »

Sidney wrote:
stan1 wrote:
ThankYouJack wrote:
There are programs that store the encrypted files locally and sync all of your devices over wifi.
Such as?
Not sure what Jack means but I use Keepass and store the file in a Dropbox folder which syncs on all my devices. There is an Android Keepass app that can open the KP database.
Yep, that's syncing the encrypted data file over the cloud. LastPass does have a big bulls eye painted on them because of the type of data they store. I think I can go along with the idea that an individual who is not high profile is probably better off with a properly encrypted file on Dropbox than LastPass. High profile individuals who might be targeted for a spear phishing attack might be better off on LastPass (celebrity or holder of intellectual property/insider information such as a C-level executive, director of international sales, etc.) although I'm pretty sure such individuals should follow the Hillary Clinton model of putting their own server in the basement rather than using the cloud.
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Sidney
Posts: 6784
Joined: Thu Mar 08, 2007 5:06 pm

Re: LastPass.com Breach

Post by Sidney »

VictoriaF wrote: you can't read the Bogleheads in your dental office because you can't possibly remember a password like the one I produced above.
Of course you can. I read them all the time without logging in.
I always wanted to be a procrastinator.
stan1
Posts: 14235
Joined: Mon Oct 08, 2007 4:35 pm

Re: LastPass.com Breach

Post by stan1 »

Angelus359 wrote:
Oh, as to lastpass providing support... They can't reset your password. If you lose it, it's gone.
Are you saying you want LastPass to put in a backdoor so they can reset your master password?
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
midareff
Posts: 7711
Joined: Mon Nov 29, 2010 9:43 am
Location: Biscayne Bay, South Florida

Re: LastPass.com Breach

Post by midareff »

VictoriaF wrote:
ThankYouJack wrote:This is why I never store important passwords on the cloud based password manager. I don't care how many times it's been hashed, salted or peppered. There's always a chance for a breach, brute force, man-in-the-middle, or a number of other things that could go wrong.

There are programs that store the encrypted files locally and sync all of your devices over wifi. It's very convenient and more secure.
Let's say that you have a complex password to access the Bogleheads site: $$&D@#se93w34@$seiw3bnaSEEE133s or something similarly memorable. You travel to Spain and want to access the Bogleheads on your iPhone via WiFi at your hotel. Will you store your passwords on the iPhone? What if your iPhone is lost or stolen?

Victoria

Speaking of which... LastPass also enables access to be restricted by country. Obviously, hackers can work around that if they knew what the country was. With multiple financial and banking sites, long strong passwords (no redundancy) seemingly require something on paper or hanging a mini USB around your neck or on your keychain. I see the paper or secondary USB approach as more of a hazard than additional security.
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: LastPass.com Breach

Post by VictoriaF »

Sidney wrote:
VictoriaF wrote: you can't read the Bogleheads in your dental office because you can't possibly remember a password like the one I produced above.
Of course you can. I read them all the time without logging in.
Touché!

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
autonomy
Posts: 334
Joined: Fri Jan 24, 2014 1:22 pm

Re: LastPass.com Breach

Post by autonomy »

2015 wrote:Could have been (much) better. You could have gone with KeePass which only stores your encrypted info locally, as on your computer or external drive. I knew a breach of this sort would be possible with LastPass which is why I decided against any service where my information would leave my control. KeePass is an outstanding PW manager IMO.
I had the same reasoning against LastPass. You can sync your KeePass file across PCs via Google Drive/Dropbox, but again, you are putting that into the cloud, although you'd have to be specifically targeted for your password file. In that case you should use a 'keyfile' together with a password.

P.S. As an exercise, I tried cracking a WinRAR password once (a year ago or so). I think it went at something like 8 guesses/second. Would've taken many, many years to go through all combinations to guess an 8-character password. Today's crackers are more efficient, but it would still take them a long time to brute-force LastPass passwords.
Ketawa
Posts: 2521
Joined: Mon Aug 22, 2011 1:11 am
Location: DC

Re: LastPass.com Breach

Post by Ketawa »

I use KeePass and keep my database file synced in the cloud with Dropbox. My master password is 20+ characters long, complicated, and not used anywhere else, so I don't worry about anyone cracking it unless I had a keylogger installed on one of my devices.
ThankYouJack
Posts: 5704
Joined: Wed Oct 08, 2014 7:27 pm

Re: LastPass.com Breach

Post by ThankYouJack »

stan1 wrote:
ThankYouJack wrote:
There are programs that store the encrypted files locally and sync all of your devices over wifi.
Such as?
1password

I would think there are others too. I'm surprised Keepass doesn't have this option
surfer1
Posts: 260
Joined: Fri Jan 08, 2010 8:35 pm
Location: Philadelphia

Re: LastPass.com Breach

Post by surfer1 »

My two cents.

The best reasonable option is to use Keepass and store the database file on your local PC. You can keep a backup on a private cloud storage, such as Google Drive or even Dropbox, but do not keep a publicly accessible link and do not allow syncing.

Do not re-use passwords across sites.
Do not use dictionary words as your password.
Do not use phrases from songs as your password.
Use the generated random password from Keepass. It should be 20+ characters long, upper-case, lower-case, digits.

Some have mentioned using a public Dropbox url to sync with the intention of security-through-obscurity, but this is like leaving a key under the house mat. Yes, the Keepass file is well encrypted, but still. I always recommend being very careful about what files you make publicly accessible over cloud storage - and your password manager database is not one of them.

I realize it's a pain to download the Keepass database to your mobile device (using iTunes and a local file) and any other PCs that you use, but that's the price to pay for security. :)
ThankYouJack
Posts: 5704
Joined: Wed Oct 08, 2014 7:27 pm

Re: LastPass.com Breach

Post by ThankYouJack »

VictoriaF wrote:
The iPhone would store hundreds of your passwords, not just the Bogleheads one. If the phone is lost or stolen all these passwords would be compromised.
If your phone is stolen:
1. You should do a remote wipe (deletes everything on it).
2. Rest assured that the thief would need to know 2 of your passwords to access them
3. Change your financial and some other important passwords if you're still concerned
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: LastPass.com Breach

Post by VictoriaF »

surfer1 wrote:Do not use phrases from songs as your password.
Why not? A phrase from a song seems like an ideal passphrase. It's long. You can easily remember it. It does not have to be your favorite song so that you won't accidentally mention it in Facebook. You can customize it, e.g., by inserting special characters between words as I did above, so that a hacker trying all possible songs would still have to guess the wild card.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
midareff
Posts: 7711
Joined: Mon Nov 29, 2010 9:43 am
Location: Biscayne Bay, South Florida

Re: LastPass.com Breach

Post by midareff »

VictoriaF wrote:
Sidney wrote:
VictoriaF wrote: you can't read the Bogleheads in your dental office because you can't possibly remember a password like the one I produced above.
Of course you can. I read them all the time without logging in.
Touché!

Victoria

While we all like security, a password for Bogleheads and a password for Vanguard have very different requirements IMHO.
simmias
Posts: 250
Joined: Sun May 17, 2015 4:18 pm

Re: LastPass.com Breach

Post by simmias »

I still haven't seen anyone post anything to make me believe using Keepass synced through Dropbox with a required local key file isn't the best compromise of safety and convenience. Again, even if they can crack the password they can't replicate the key file.
bobcat2
Posts: 6074
Joined: Tue Feb 20, 2007 2:27 pm
Location: just barely Outside the Beltway

Re: LastPass.com Breach

Post by bobcat2 »

I use LastPass with YubiKey Authentication. That seems fairly secure to me.

BobK
In finance risk is defined as uncertainty that is consequential (nontrivial). | The two main methods of dealing with financial risk are the matching of assets to goals & diversifying.
Drain
Posts: 1404
Joined: Mon Feb 26, 2007 12:27 pm
Location: Maryland

Re: LastPass.com Breach

Post by Drain »

This is nothing. It's a non-event, other than that I will probably change my master password, which I intended to do anyway. The LastPass service was designed with the expectation that this sort of "breach" was going to happen. It's not a surprise to anyone, including the developers. That's why your passwords are encrypted before they leave your machine.

I repeat: this is expected, and that expectation informed the design of the service. As long as you used a strong master password, you're fine.
Darin
Drain
Posts: 1404
Joined: Mon Feb 26, 2007 12:27 pm
Location: Maryland

Re: LastPass.com Breach

Post by Drain »

simmias wrote:I still haven't seen anyone post anything to make me believe using Keepass synced through Dropbox with a required local key file isn't the best compromise of safety and convenience. Again, even if they can crack the password they can't replicate the key file.
Isn't a key file just another long, static password? If so, it's inadequate as a second authentication factor. But I've never used one, so perhaps I'm misunderstanding what it is.
Darin
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: LastPass.com Breach

Post by jchef »

surfer1 wrote: Some have mentioned using a public Dropbox url to sync with the intention of security-through-obscurity, but this is like leaving a key under the house mat. Yes, the Keepass file is well encrypted, but still. I always recommend being very careful about what files you make publicly accessible over cloud storage - and your password manager database is not one of them.
You don't need to make your Keepass file publicly accessible to download it to a mobile.

In iOS you can just go into your Dropbox app and download it into your Keepass app. In Android you can do the same, or you can give an app permission to access the Dropbox app. In neither case are you making your Keepass database publicly available through a URL.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: LastPass.com Breach

Post by jchef »

Drain wrote: Isn't a key file just another long, static password? If so, it's inadequate as a second authentication factor. But I've never used one, so perhaps I'm misunderstanding what it is.
It depends on what your definition of 2FA is. If you define it as something you have and something you know, it fits the definition quite well. (I know my password and I have my keyfile.)

I'm not worried about someone brute forcing or guessing my keyfile. You would have a better chance of just guessing the 6 digit number that is normally used for 2FA.
Ice-9
Posts: 1579
Joined: Wed Oct 15, 2008 12:40 pm
Location: MD

Re: LastPass.com Breach

Post by Ice-9 »

I'm actually a LastPass user, but noted that several KeePass users in this thread lamented using a cloud service like Dropbox to sync the necessary file to all devices, with some saying the process had no advantage over using a cloud based password service.

I can't help but suggest BitTorrent Sync for this. It lets you sync to all your devices without putting it up on the cloud. (The devices need to be awake at the same time as the most recently updated one in order for the sync to work, since there's no "always on" cloud storage.) I think KeePass users should consider it.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: LastPass.com Breach

Post by jchef »

Ice-9 wrote: I can't help but suggest BitTorrent Sync for this. It lets you sync to all your devices without putting it up on the cloud. (The devices need to be awake at the same time as the most recently updated one in order for the sync to work, since there's no "always on" cloud storage.) I think KeePass users should consider it.
The devices needing to be awake at the same time is a bit of a hassle. And on iOS you actually need to open up the BitTorrent Sync app for syncing to occur (unless that has changed with a recent update).

With Dropbox you know you'll be able to get the most up to date version as long as you have internet access.
CAP_theorem
Posts: 75
Joined: Tue Aug 12, 2014 10:19 am

Re: LastPass.com Breach

Post by CAP_theorem »

Trust the math.

I'm not changing my password (other than on my usual schedule). Good luck brute forcing the hash. I don't recall the exact amount of entropy, but it's 80+ bits. Estimators that don't know how the password was generated think it's 120 bits.

Your password material is only as secure as the math used to hash and encrypt it. Doesn't matter whether you used LastPass or KeePass or 1Password. If you don't trust the math don't use any of them.
Last edited by CAP_theorem on Tue Jun 16, 2015 11:48 am, edited 1 time in total.
TimeRunner
Posts: 1938
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: LastPass.com Breach

Post by TimeRunner »

I use Lastpass along with Google Authenticator app on my smartphone. Like Yubikey, etc, it's something you know (username/pw) and something you have (the Auth software which generates a new code every 30 seconds with my instance of the Auth software tied to Lastpass). It seems like a good combo, and I like LP's security model.

Of course LP is a target. So is the US Treasury and US OPM. Well, OK, maybe not the best example. :annoyed
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
Drain
Posts: 1404
Joined: Mon Feb 26, 2007 12:27 pm
Location: Maryland

Re: LastPass.com Breach

Post by Drain »

jchef wrote:
Drain wrote: Isn't a key file just another long, static password? If so, it's inadequate as a second authentication factor. But I've never used one, so perhaps I'm misunderstanding what it is.
It depends on what your definition of 2FA is. If you define it as something you have and something you know, it fits the definition quite well. (I know my password and I have my keyfile.)

I'm not worried about someone brute forcing or guessing my keyfile. You would have a better chance of just guessing the 6 digit number that is normally used for 2FA.
But what is the advantage over simply having your primary password be long and strong?

I think keyfiles were probably useful in the days when password rules severely limited strength and there were no options for second factors. The keyfile was essentially your "true" password. But if a keyfile is just another strong password, it is not a substitute for a legitimate second factor.

The point of a second factor is to help protect you in case your primary factor is stolen. A keyfile can be stolen the same ways a password can be. It is not really "something you have" in the sense that people mean. If you use a Yubikey, for example, the Yubikey produces one-time passwords that only it could produce. They prove that the person attempting to authenticate has the single, specific, only device that could produce them. This is not the case with a keyfile, since it can be intercepted during transmission and then replicated.

Having something like Google Authenticator on your smartphone is similar to the Yubikey example. The one-time codes it gives you serve as proof that you have that specific phone in your possession.
Darin
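Drain's distinction above, put into code. This is an added example written for this thread, not KeePass's or Google Authenticator's own code: the key file is modelled as a KeePass-style composite key (SHA-256 over the hashed password and the hashed key file, with KeePass's slow key-derivation rounds left out), and the one-time codes are RFC 6238 TOTP using the RFC's published test secret. The sample password and key-file bytes are constructed.

```python
import hashlib
import hmac
import struct


# ---- A key file is a static secret ----------------------------------------
# Model of a KeePass-style composite key (an assumption for this thread, not
# KeePass's implementation).  Real KeePass also runs the result through a slow
# key-derivation function with many rounds; that step is omitted because it
# does not change the point: the key is a fixed function of its two inputs.

def composite_key(password: str, keyfile: bytes) -> bytes:
    """Derive the 32-byte database key from a password plus a key file."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    kf_hash = hashlib.sha256(keyfile).digest()
    return hashlib.sha256(pw_hash + kf_hash).digest()


def opens_database(db_key: bytes, password: str, keyfile: bytes) -> bool:
    """Does this (password, key file) pair reproduce the key the vault uses?"""
    return hmac.compare_digest(db_key, composite_key(password, keyfile))


# ---- A TOTP code is a fresh proof of possession ---------------------------
# RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator implements.

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """One-time code for the time window that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side of TOTP: each time window may be used at most once."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6) -> None:
        self.secret, self.step, self.digits = secret, step, digits
        self.last_counter = -1                               # highest window spent

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        if counter <= self.last_counter:
            return False                                     # replay of a spent window
        expected = totp(self.secret, unix_time, self.step, self.digits)
        if not hmac.compare_digest(expected, code):
            return False
        self.last_counter = counter
        return True


def main() -> None:
    # Constructed sample secrets; nothing here is a real credential.
    password, keyfile = "correct horse", b"\x8f" * 64
    db_key = composite_key(password, keyfile)
    stolen_keyfile = bytes(keyfile)                          # byte-for-byte copy
    print("copied key file still opens the vault, any time:",
          opens_database(db_key, password, stolen_keyfile))

    authenticator_secret = b"12345678901234567890"           # RFC 6238 test secret
    server = TotpVerifier(authenticator_secret)
    t0 = 1_434_470_400                                       # mid-June 2015
    code = totp(authenticator_secret, t0)
    print("fresh code accepted:          ", server.verify(code, t0))
    print("same code replayed 5 s later: ", server.verify(code, t0 + 5))
    print("same code replayed 60 s later:", server.verify(code, t0 + 60))


if __name__ == "__main__":
    main()
```

A copied key file reproduces the vault key indefinitely, so it adds bits to one static secret; a TOTP code proves possession only for its window and is refused on replay.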
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: LastPass.com Breach

Post by jchef »

Drain wrote: But what is the advantage over simply having your primary password be long and strong?
The same advantage as using Google Authenticator or a Yubikey. If someone gets hold of my database and knows my password that's still not enough for them to open the database. They need something else.

A keyfile can be stolen the same ways a password can be.
True. But your phone running Google Authenticator can also be stolen.

Perfect security doesn't exist, but you can still take steps to strengthen your security. By using a keyfile, I'm comfortable loading my Keepass database into the cloud. Because if someone breaks into the cloud, steals the database and for some reason knows the database password, they still don't have enough to open the database. They don't have the keyfile, because I don't store it in the cloud.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: LastPass.com Breach

Post by Epsilon Delta »

VictoriaF wrote:
surfer1 wrote:Do not use phrases from songs as your password.
Why not? A phrase from a song seems like an ideal passphrase. It's long. You can easily remember it. It does not have to be your favorite song so that you won't accidentally mention it in Facebook. You can customize it, e.g., by inserting special characters between words as I did above, so that a hacker trying all possible songs would still have to guess the wild card.

Victoria
Because there are only so many songs in the world, and it's not enough.

One estimate is that counting garage bands and all there are only 97 million, perhaps a million available on iTunes, probably a couple of thousand that have made the charts.

A clever brute force attack will start with the songs on the charts and work out from there, but your example was the Beatles, so it's one of the first 100 or so they try. Game over. But even 97 million songs is only 27 bits.

You'll argue that you modified the song by using an asterisk for space. But how many ways can you modify the song? Different characters for space, using first letters, second letters, camel case, backward, ... . Can you even come up with a thousand? That would be another 10 bits. So we're up to 37 bits. Current estimates are that you need 60 bits to protect against criminal gangs.

Your song is a weak password, as long as the people attacking it know that you used a song as the base and modified it in some way. They can know this either because you tell them how you pick a password, or because there are popular websites that tell people this is a good way to pick a password. The attacker simply bets that some people follow that advice and breaks the passwords of some of the people who do.
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: LastPass.com Breach

Post by VictoriaF »

Epsilon Delta wrote:
VictoriaF wrote:
surfer1 wrote:Do not use phrases from songs as your password.
Why not? A phrase from a song seems like an ideal passphrase. It's long. You can easily remember it. It does not have to be your favorite song so that you won't accidentally mention it in Facebook. You can customize it, e.g., by inserting special characters between words as I did above, so that a hacker trying all possible songs would still have to guess the wild card.

Victoria
Because there are only so many songs in the world, and it's not enough.

One estimate is that counting garage bands and all there are only 97 million, perhaps a million available on iTunes, probably a couple of thousand that have made the charts.

A clever brute force attack will start with the songs on the charts and work out from there, but your example was the Beatles, so it's one of the first 100 or so they try. Game over. But even 97 million songs is only 27 bits.

You'll argue that you modified the song by using an asterisk for space. But how many ways can you modify the song? Different characters for space, using first letters, second letters, camel case, backward, ... . Can you even come up with a thousand? That would be another 10 bits. So we're up to 37 bits. Current estimates are that you need 60 bits to protect against criminal gangs.

Your song is a weak password, as long as the people attacking it know that you used a song as the base and modified it in some way. They can know this either because you tell them how you pick a password, or because there are popular websites that tell people this is a good way to pick a password. The attacker simply bets that some people follow that advice and breaks the passwords of some of the people who do.
I don't need to choose the title of a song as my password, it can be a line (or two). If we have 100m songs, and each song has an average of 10 unique lines, we have 1B lines. I can combine lines of different songs, I can add symbols at the end and beginning of songs, I can increase the number of spaces between words from 1 to 2. I want to make the brute force on songs as difficult as the brute force on random text.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
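Epsilon Delta's bit counting and VictoriaF's rebuttal carried through in code. This is an added example, not from the thread: it uses the thread's own figures (97 million songs, a thousand modifications, ten lines per song, a 60-bit bar, autonomy's 8 guesses per second) and also scores surfer1's 20-character generated password for comparison; the constant and function names are mine.

```python
import math
from typing import Dict

# Search-space sizes quoted in the thread (Epsilon Delta's and VictoriaF's figures).
SONGS_IN_WORLD = 97_000_000        # "only 97 million" songs, garage bands included
CHART_SONGS = 2_000                # "a couple of thousand that have made the charts"
MODIFICATIONS = 1_000              # "Can you even come up with a thousand?" manglings
LINES_PER_SONG = 10                # VictoriaF: "an average of 10 unique lines" per song
CRIMINAL_GANG_THRESHOLD_BITS = 60  # "you need 60 bits to protect against criminal gangs"


def bits(choices: float) -> float:
    """Entropy, in bits, of one uniformly random pick among `choices` options."""
    if choices < 1:
        raise ValueError("a choice set needs at least one option")
    return math.log2(choices)


def strategy_bits(stages: Dict[str, float]) -> float:
    """Entropy of a password-generation strategy built from independent stages.

    Each stage is 'pick one of N'.  Independent picks multiply the search
    space, so the bits add.  This is the attacker's-eye estimate: it assumes
    the attacker knows the strategy and only has to guess the picks, which is
    exactly the assumption Epsilon Delta makes.
    """
    return sum(bits(n) for n in stages.values())


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: time to try every candidate in the space."""
    return 2.0 ** entropy_bits / guesses_per_second


def meets_threshold(entropy_bits: float,
                    threshold: float = CRIMINAL_GANG_THRESHOLD_BITS) -> bool:
    """True when the strategy clears the thread's 60-bit bar."""
    return entropy_bits >= threshold


# --- The strategies argued over in the thread -------------------------------

# Epsilon Delta's model of VictoriaF's first example: a song title (or line)
# mangled one of ~1000 ways.  If the song charted, the first stage shrinks
# from 97 million to a couple of thousand.
SONG_TITLE_MANGLED = {"song": SONGS_IN_WORLD, "modification": MODIFICATIONS}
CHART_SONG_MANGLED = {"song": CHART_SONGS, "modification": MODIFICATIONS}

# VictoriaF's rebuttal: lines from two independently chosen songs plus a
# modification.  Caveat: the estimate only holds if the picks are close to
# uniform.  People pick favourite or charting songs far more often than garage
# band tracks, and an attacker who orders guesses by popularity recovers most
# of the advantage Epsilon Delta describes.
TWO_LINES_MANGLED = {
    "line 1": SONGS_IN_WORLD * LINES_PER_SONG,
    "line 2": SONGS_IN_WORLD * LINES_PER_SONG,
    "modification": MODIFICATIONS,
}

# surfer1's recommendation: a generated 20-character password over A-Z, a-z, 0-9.
RANDOM_20_ALNUM = {f"char {i}": 62 for i in range(20)}


def main() -> None:
    strategies = {
        "charting song title, mangled": CHART_SONG_MANGLED,
        "any song title, mangled": SONG_TITLE_MANGLED,
        "two song lines, mangled": TWO_LINES_MANGLED,
        "20 random alphanumerics": RANDOM_20_ALNUM,
    }
    for name, stages in strategies.items():
        b = strategy_bits(stages)
        # autonomy's measured rate against WinRAR: about 8 guesses/second.
        years = seconds_to_exhaust(b, 8) / (365.25 * 24 * 3600)
        print(f"{name:30s} {b:6.1f} bits  "
              f"{'ok' if meets_threshold(b) else 'weak':4s}  "
              f"exhaust at 8/s: {years:.3g} years")


if __name__ == "__main__":
    main()
```

Run as a script it prints one line per strategy; the 20 random alphanumerics come out near 119 bits, which matches CAP_theorem's "120 bits" estimate earlier in the thread.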