Kitz Forum

Computer Software => Security => Topic started by: kitz on June 16, 2015, 12:13:03 PM

Title: Lastpass hacked.
Post by: kitz on June 16, 2015, 12:13:03 PM
Quote
LastPass hacked: cybersecurity and password firm loses passwords in attack

http://www.independent.co.uk/life-style/gadgets-and-tech/news/lastpass-hacked-cybersecurity-and-password-firm-loses-passwords-in-attack-10322876.html
Title: Re: Lastpass hacked.
Post by: kitz on June 16, 2015, 12:15:20 PM
More info

Quote
Bad news first, folks. LastPass, our favorite password manager (and yours) has been hacked. It’s time to change your master password. The good news is, the passwords you have saved for other sites should be safe.

Quote
LastPass has announced on their company blog that they detected an intrusion to their servers. While encrypted user data (read: your stored passwords for other sites) was not stolen, the intruders did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. The latter is what’s used to tell LastPass that you have permission to access your account.

According to LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. However, the company is still prompting all users to update their master password that they use to log in to their LastPass account. If you use LastPass, you should do this immediately.

http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571
Title: Re: Lastpass hacked.
Post by: burakkucat on June 16, 2015, 04:16:56 PM
Unfortunately, the subject of this thread does not surprise me.  :-X  I would never trust any organisation attempting to provide such a service.  :no:
Title: Re: Lastpass hacked.
Post by: kitz on June 16, 2015, 07:49:00 PM
I must admit the theory is very good...  but I myself haven't used one because of fears of something like this happening.
Title: Re: Lastpass hacked.
Post by: vic0239 on June 16, 2015, 09:08:20 PM
I must admit to using this service and was notified by email overnight of this breach. I find it difficult to remember all the login passwords and memorable data I have and certainly I can’t remember the unpronounceable ones. It is also very convenient to have access to this information when travelling. Apparently none of the encrypted data was accessed, but I have changed my password which automatically re-encrypts the data and have multi factor authentication enabled, so I am pretty confident my data has not been compromised. :fingers: However, I did have a bit of a wobble when I first read the email and blog. :o
Title: Re: Lastpass hacked.
Post by: kitz on June 16, 2015, 09:14:19 PM
The thing is with the complexity of passwords that we are advised to use and use a different password on each site, it makes it impossible for the average user to do this and remember them all.

Quote
It is also very convenient to have access to this information when travelling.

Indeed, because that is where I would come unstuck and one of the reasons why I was at one time considering using it myself.

Title: Re: Lastpass hacked.
Post by: oldfogy on June 16, 2015, 11:57:21 PM
Quote
Dear LastPass User,

We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.

We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.

We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.

Regards,
The LastPass Team

Although I don't use LastPass at all, I may have registered because I do remember taking a look but decided against using it, which is probably where my details have come from for them to send me the email notification above.
Title: Re: Lastpass hacked.
Post by: UncleUB on June 18, 2015, 11:19:57 AM
I use LastPass, have done for quite some time without any problems. I find it very useful but do not save any financial sites I use on there. I have just changed my master password as a precaution.  :)
Title: Re: Lastpass hacked.
Post by: oldfogy on June 18, 2015, 02:08:48 PM
I'm still old school with a written list, obviously with a title that is nothing to do with password etc. but also does not contain any banking information, that's still down to pen and paper.

I just checked my written list (excel sheet) of sites requiring a password and the count is 88 (I think that's all of them), I find it convenient because it also has a link to the site, so in a way it's a bit like having your list of favourites complete with passwords all in one place.

Not forgetting one of the main problems I don't think is forgetting one's password, but more likely to be not remembering the correct user name, because if the username you would like to use has already been taken then you have to choose something with a slightly different format, even my 'oldfogy' has been rejected on some sites simply because at some stage someone else decided to use it, and much the same as with Phil-H, Phil_H, phil-h, phil_h ... the combinations are endless.
Title: Re: Lastpass hacked.
Post by: vic0239 on June 18, 2015, 05:12:59 PM
I have over 200 entries on LastPass and used to maintain a list on my computer, but was nervous about having such information stored locally as I was certain my bank might frown upon such a practice. However the other evening I had to call my bank for assistance with my online banking and was advised to write my details down!  :o This advice given presumably because the young lady on the help desk assumed I was of an age that I could not remember my password when in fact the bank’s system had decided to change my username to some random string.  >:( However I didn’t mention I kept my login details on LastPass so could not have had such a lapse of memory, the banks can become quite uppity about such matters.  :)
Title: Re: Lastpass hacked.
Post by: Dray on June 18, 2015, 06:43:38 PM
Quote
According to LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account.

I agree, they should be. The question is, are they?

It's a bit too woolly for my liking :(