
LastPass Hacked: The Last Password App You’ll Ever Use


It can be overwhelming remembering all your different passwords (and you should use different passwords) for various websites and services. LastPass aims to make that easier on you by storing all your passwords and allowing you to access them with one master password. But what if someone were to get that master password?

You’d be screwed… and that’s exactly what LastPass is saying might have happened to their customers. Perhaps they should change their slogan:

Of course LastPass also has an Android application that allows you to carry all your passwords around with you, auto-fill logins/passwords in the browser, add/update secure notes and more. If you’ve currently got LastPass installed on your phone, it means you probably use LastPass services, which means your data may have been compromised and you should probably start changing some passwords around.

Uninstalling that app might not be a bad idea either and I’m sure they’ll be getting some bad ratings in the market because of this. Having one location for all your passwords sounds helpful, but it also becomes the Fort Knox of data theft opportunities and if the bad guys get ALL your passwords, you’re pretty screwed.

In this particular case, the company may be reacting to a false alarm:

we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users’ encrypted data blobs.

Obviously, when it comes to such a sensitive issue, there is no such thing as overreacting. Did any of you have LastPass installed on your phones? Did you like it? Will you continue using it, switch to another password provider, or stop using password consolidators altogether?

Rob Jackson
I'm an Android and Tech lover, but first and foremost I consider myself a creative thinker and entrepreneurial spirit with a passion for ideas of all sizes. I'm a sports lover who cheers for the Orange (College), Ravens (NFL), (Orioles), and Yankees (long story). I live in Baltimore and wear it on my sleeve, with an Under Armour logo. I also love traveling... where do you want to go?


60 Comments

  1. Use Keepass

  2. +1 to using KeePass. Everything is saved in a local database (or through dropbox) and you can utilize key files for two-way authentication.

    1. FYI Dropbox has your hashed password which can access your dropbox when required.
      Due to these privacy regulations, it isn’t considered a better solution.

      QUOTE:Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances.
      https://www.dropbox.com/help/27

    2. Isn’t that just the same issue? What if someone steals your dropbox data? Then they have your KeePass file at the very least. So you say that file is encrypted, but I sure would not feel comfortable with that in the hands of hackers. Overconfidence in any form of distributed security is a recipe for disaster.

  3. Keepass rules!!! More like a locked box inside a safe deposit box than the “home safe” model of LastPass. Double keys and they are both mine. Hacker has to go thru 3 password levels. Plus I set the “lock difficulty”, cipher type and encryption rounds.

    1. Security vs Inconvenience
      Some people need that balance.

  4. And that is why I’ve avoided all of these services. I’d much prefer to have passwords that I change from time to time if I plan to access sensitive data.

  5. I have this installed for Chrome. Good thing I never actually used it to save any passwords… I think.

  6. This article seems pretty misleading. What the LastPass blog says is that they saw an amount of data transfer they can’t explain. Because they can’t explain it and it was big enough to have passed enough information for an offline password attack, they are forcing everyone to change their passwords. What that means:
    1. They don’t seem to have proof of an attack, just a suspicion
    2. The worst they could have lost were login, password hash and salt, not passwords.
    3. They are forcing people to change passwords just to be on the safe side.

    I like paranoid people. Especially when they’re managing my security. I’ll stick with lastpass. They’re handling things right.

    1. This is how they’re explaining it publicly. Obviously, from a PR standpoint, they want to choose their words carefully to explain it in a way that benefits them most (or hurts them least). They did a good job, but it sounds fluffed up a bit to me.

      I agree that paranoid people managing security is a good thing. I even mention it could be a false alarm and there is no such thing as overreacting in a situation like this. However, I think it’s a topic worth discussing.

      1. Honestly sounds to me like you’re just defending your fear mongering. It might be a good way to get ad impressions/loads in the short run, but in the long run, it will hurt your reputation.

        1. Listen, when my “Password Storing” solution might have given all my passwords to someone else, I think it’s time to switch. “Maybe” isn’t acceptable.

          1. If your password storing solution consists of giving control of all your passwords to an outside company and trusting them to secure them for you, the best you’ll ever have is “maybe.”

            I understand your point of view, but here’s the reality: nothing online is more important to me than my bank accounts & credit cards, but the companies I trust those things with WILL be hacked at some point in the future.

            “Maybe” is the price we pay for the convenience of the internet.

          2. That’s the thing @robjackson81….

            Your passwords weren’t given to anyone else. The worst case scenario of this whole situation is that they have your email address, hash, and salt.

            So for passwords they have a bunch of garbled random characters.

            If your password was “apple”, it is hashed into “banana”, which is then salted into “cantaloupe”.

            So if the “hackers” have “cantaloupe”, it’s going to take them A LOT of work to crack that and expose “banana”, and THEN they’ll have to crack that to get your “apple” password.

            I’m not worried. At the very most I’ll change my email address.

          3. Except they haven’t given your passwords to anyone. Absolute worst case what someone now has is an encrypted version of your passwords. So you might need to worry if you chose a dictionary oriented master password, as that would make it relatively easy to decrypt your other passwords. But if you chose such a weak master password in the first place… well, more fool you.

          4. I fully respect that position. I don’t blame anyone for wanting to switch at this point. Such comments as “Last time logging in” and the headline “LastPass hacked” are not at all true. Last time logging in is unnecessary and just adds to the FUD. “LastPass hacked” is completely the wrong thing to say. LastPass noticed something that may or may not be a hack. That is all. You blatantly disregard this till the end, where you say that it cannot be true.

            Your article is akin to hearing something in the other room, calling the police without checking it out, and telling them there is someone in your house, because there is no way you were hearing things, or the noise was innocent.

            That is why you either must enjoy spreading FUD, enjoy the extra ad impressions, or just be too ignorant to know that that is what you are doing.

          5. Even if the master password hash had been compromised, it doesn’t mean all your passwords are compromised too. Even with the hash salt, it would take a long time to generate the rainbow tables required to work out what your master password was, and by then it will definitely be changed.

            Lastpass have handled this well, and I feel safe storing my passwords with them still.

            (I also use a Yubikey, so even if they did have my master password, they still couldn’t decrypt my vault.)

          6. @robjackson81:disqus Nobody lost their passwords. Just the salted hash. They still have to run a brute force attack on that to figure out the password.

      2. Did you mention that it could be a false alarm in the headline?

    2. Personally, I’m most concerned that they know someone was downloading a large amount of data, but they don’t have logs of who, or what they were requesting, or how it was accessed exactly… Logging all this is a very basic security measure and I couldn’t trust them again after learning they don’t know basic security.

      1. It’s very hard to tell those kinds of things many times. The logs are at most going to tell you about the network connection. Anything done on the host would likely be done by a compromised account and if it wasn’t the superuser, it probably didn’t get logged.

  7. keepass + portableapps + sugarsync = no worries

    i also change the extension from kdb to something innocuous

  8. I use random.org to generate random hex numbers which I then memorize and use as passwords, which I change by the fortnight

    1. i just use lastpass so i don’t have to memorize those ;)

  9. I started using LastPass when the Gawker passwords were compromised late last year. I (like most) use a LOT of online services, so the ideal solution of a different password for every site wasn’t reasonable. Instead I had 3 ‘common’ passwords – one for super-critical financial stuff (bank, paypal, etc), one mid-range stuff (Amazon, Facebook, etc), and then a common password for low security services (which is the one which was compromised).

    Obviously that was a flawed system, which is why I started using LastPass. It allows unique, secure, and randomly generated passwords that I don’t need to remember and can access on any machine. My ASSUMPTION was that being in the security business they would guard those passwords as well as possible. So when I first read this I was quite furious that all my passwords may now be compromised.

    Fortunately, as best I can tell, that doesn’t seem to be the case. Reading the actual announcement it seems that the entire issue is based on spikes in data transfer between a system and the internet, as well as a related spike between that system and another. So all that is known at this time is that an unknown person seems to have transferred an unusual amount of data in a suspicious way. Which is very bad – but not a confirmation of a serious breach. Also, any intruder wouldn’t have gotten all of your passwords – or even your master password. At best, they got your password hash. What that means is that they can try brute force attempts and, if successful, will THEN have your master password which could be used to get your other passwords.

    As long as you have a GOOD master password (and you should) and change it asap, then (assuming LastPass being completely honest about the situation) this shouldn’t affect you at all.

    1. Yep. Even if they brute force your master password, it’ll then be useless if you have changed it.

  10. why would you store all your passwords on the internet anyway???

    1. you don’t store your passwords with lastpass. without your master password what’s stored there is pure junk. the master password is used for local decryption.

      this article was really, really, bad

  11. I’m going to be sticking with LastPass. They haven’t done me wrong thus far, and they’re only going to continue getting more secure. My password is not dictionary based, and even if it were, I enabled the grid check security measure for all not yet approved computers, so there’s a 0% chance a hacker could get in unless LastPass is making this out to be better than it actually is.

  12. Fud article. Why are you trying to scare people unnecessarily?

    LastPass only stores hashes of stuff, nothing in plain text. Only way to get passwords would be to try brute force. Good luck with that on my master password.

    They say that there is a possibility that they may have had a very small amount of data transferred. But it doesn’t mean squat unless your master password is ” password ”

    1. Oh crap, time to change my master password…

  13. Well, I went ahead and changed my master password. So, if someone has the old one, which I HIGHLY doubt, good for them. It’s useless at this point.

    1. Even if they got access to the database storing your other passwords? Albeit salted.

      1. Exactly, salted. So unless you were an idiot and used “mommy” for your master password, the attacker would still have to spend an obscene amount of computing time to brute force crack what your password is. IF they have it. IF this was an attack. To what Nth degree are you trying to protect? To me LastPass is still the best solution to manage passwords and still have convenient access. When other websites get hacked and they stored their passwords in plain text or something, I can be like, no biggie, I’ll just generate a new random password. Websites get hacked all the time, at least with something like this you can limit the damage. I’m usually a big fan of phandroid but I have to say this article left a sour taste in my mouth.

      2. I suggest going and listening to episode 256 of security now:
        http://www.grc.com/securitynow.htm

  14. I would never give a company (apk) access to ALL of my passwords, even if it’s for something like this: to keep track of them all. There’s too much at stake. It’s bad enough the information on my PS3 was hacked recently. I wouldn’t want to have to reset all of my passwords over something like this. I keep a copy of my passwords on a file on the SD card on my now unused mp3 player, which is also password protected and change/rotate them about every 3 months or so.

    1. Just imagine if that SD Card fails.
      Is that SD Card encrypted?
      If it isn’t someone can just remove the SD Card and read it elsewhere.

  15. Everyone who says KeePass + Dropbox is not entirely correct. The issue with KeePass + Dropbox is the same thing that happens with LastPass and in many ways could actually be worse. Dropbox is not built to be as secure as LastPass, as their intentions are file syncing and not security. The only way to be absolutely secure is to not use the cloud at all. Seems like people are either overreacting or just misinformed and don’t understand how the system works. Besides, all the encrypting and decrypting is done on your computer, so it’s not like the hackers are having it easy unless your master password is really weak; then whether you use LastPass, KeePass + Dropbox, 1Password, or any other password system with online capabilities, you’re screwed if they are able to hack the online system. In this case, LastPass was being paranoid and yet I see a lot of misleading article titles saying that it’s hacked.

  16. I don’t understand why everyone is saying use Keepass + dropbox. That’s basically what LastPass is. All the encryption is done on your local computer (just like KeePass) and then the encrypted blob is stored on their servers (just like dropbox).

    1. Technically Dropbox isn’t all that encrypted before the files hit their servers.

      …hence the commotion last week. Files stored in Dropbox are protected… but only against someone on the outside. Once they’re inside the Dropbox servers (hacked in or on the Dropbox payroll), they have full access to any files you have not encrypted yourself (use TrueCrypt to fix that).

      1. Keepass encrypts its password database, so it doesn’t matter that Dropbox doesn’t. There is a difference between LastPass and Keepass + Dropbox though; if someone is able to get your Dropbox hash and brute force it, that doesn’t necessarily mean they will be able to access your Keepass database (if you use different passwords).
        With lastpass your account password(/hash) is used in the encryption process, so if they brute forced it they could get in. Of course, it doesn’t look like any or many password databases were (possibly) downloaded, so they are stuck with millions of passwords to crack to figure out how to open those few databases they may have gotten. As for anyone else, their master password will change therefore will the encryption. This article as a whole stinks of FUD.
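The flow that comments 9 and 16 describe (a leaked salted hash only yields the master password after an offline brute-force attempt, a changed master password makes the old hash useless, and in the LastPass model both the account hash and the vault key descend from the master password) modelled in Python. This is an added example, not LastPass’s or KeePass’s own code: the PBKDF2 choice, round count, record fields, guess rate and email address are all assumptions.

```python
"""Model of the exposure discussed in the thread: an attacker holds a leaked
(email, server salt, salted hash) record but not the encrypted vault blob.
All names and the KDF choice are assumptions for illustration only."""
import hashlib
import hmac
import math
import os
from dataclasses import dataclass

# Assumption: PBKDF2-HMAC-SHA256 for both derivations. The page does not say
# which functions or round counts LastPass used; real products differ.
KDF_ROUNDS = 5_000


def vault_key(master_password: str, email: str) -> bytes:
    """Key that encrypts the vault. Derived on the client; never stored."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ROUNDS)


def auth_hash(master_password: str, email: str, server_salt: bytes) -> bytes:
    """What the server keeps: the vault key hashed again with a per-user salt,
    so the stored value cannot be used directly to decrypt anything."""
    return hashlib.pbkdf2_hmac("sha256", vault_key(master_password, email),
                               server_salt, KDF_ROUNDS)


@dataclass(frozen=True)
class ServerRecord:
    """The three fields the thread assumes were exfiltrated."""
    email: str
    server_salt: bytes
    salted_hash: bytes


def register(master_password: str, email: str) -> ServerRecord:
    salt = os.urandom(16)  # fresh salt on every registration or rotation
    return ServerRecord(email, salt, auth_hash(master_password, email, salt))


def verify_login(record: ServerRecord, attempt: str) -> bool:
    """Online check: the server can rate-limit or alert on repeated failures.
    An attacker who already holds the record skips this path entirely."""
    candidate = auth_hash(attempt, record.email, record.server_salt)
    return hmac.compare_digest(candidate, record.salted_hash)


def password_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password. Dictionary words and keyboard
    patterns have far less for the same length."""
    return length * math.log2(charset_size)


def expected_offline_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to recover the master password from a leaked record.
    guesses_per_second is the attacker's assumed rate against this KDF."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def rotate_master_password(old: ServerRecord, new_master: str) -> ServerRecord:
    """Record after a master password change: new salt, new hash and, because
    vault_key changes too, a re-encrypted vault. The leaked record now matches
    nothing still in use."""
    return register(new_master, old.email)


if __name__ == "__main__":
    rec = register("correct horse battery staple", "alice@example.com")  # constructed
    print(verify_login(rec, "correct horse battery staple"))
    rotated = rotate_master_password(rec, "new-master-passphrase")
    print(verify_login(rotated, "correct horse battery staple"))
    for bits in (password_entropy_bits(26, 6), password_entropy_bits(95, 14)):
        secs = expected_offline_crack_seconds(bits, 1e6)  # assumed 1e6 guesses/s
        print(f"{bits:5.1f} bits -> {secs:.3g} s")
```

The entropy figures are for uniformly random passwords; a six-letter dictionary word sits far below the 28 bits the first case reports.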

  17. Syncing KeePass databases just means someone could get your KDB file, and offline brute force it without you ever knowing. You are copying multiple instances of that database around; do you keep track of them all?

    The only way to secure KeePass is to keep it on a USB stick, and never copy it anywhere, but it’s not that convenient especially on non-USB devices. Tradeoffs of security vs convenience.

    Brute Forcing LastPass would definitely be detected.

    Also, if you are not using 2 Factor on your email, once your email is compromised all they have to do is intercept your password reset emails, and it’s all over.

    If your email was hacked, they could just set a mail filter rule to forward those to some throwaway inbox, and just try to request resets at popular sites. You would most likely not notice anything, since the mail would never hit your inbox, and I doubt many people check their mail filter rules frequently.

    LastPass + YubiKey, and 2 Factor auth on email…

  18. Can anyone say ROBOFORM. Yes, there’s a lite version that lets you store online but I prefer the version that stores the passcards locally. It’s a pain to sync but better than LastPass.

  19. How bout you just remember your passwords? A lot easier than all this crap… who would share their passwords with an app? It just sounds stupid… stop being lazy and take a day to learn your passwords. Problem solved.

    1. I have 12 unique username/password combinations for work alone – none of which are capable of being stored anywhere. If you add to that the 148 individual sites I currently have stored with LastPass – and you’re talking about requiring an eidetic memory just to browse the internet.

      And unless you’re a prodigious autistic savant, then I’m assuming you’re using maybe two or three different passwords for ALL your logins. I don’t see how that’s any more secure than using a service (in my case – paid service) to maintain a greater variety of login credentials.

      Either philosophy ends the same way: if one domino falls, they all fall. I just like my chances of the first domino being in the hands of a company dedicated to security rather than my own.

  20. I have been using Secrets for Android by Google Inc. for over a year https://market.android.com/details?id=net.tawacentral.roger.secrets&feature=search_result Works great. It’s only stored locally on the phone and backed up to the SD Card. All encrypted.

    For those that criticize why someone would store all their passwords in an app like this, well you probably use the same (or similar) passwords for the dozens of accounts you have on the internet, and that’s the worst thing to do.

  21. Nice job with the FUD there. Too bad you didn’t read in LastPass’s own statement that they are purposely overreacting to some anomalous traffic in their network, and telling everyone to change their password. It’s the equivalent of the US going to DEFCON 1 tomorrow because some goat in South Korea accidentally knocked a stone to within a mile of the DMZ.

  22. Rob,

    I use lastpass on my Chrome browser and had it once when it first came out (I think) on my DX but decided I hated it and deleted it. Should I be concerned?

    Steven

    1. No… and if you don’t use it anymore I’d suggest deleting your account to prevent any future issues.

      1. @robjackson81:disqus wow, you really don’t get it do you. The data is already transferred from last pass.

        @Steven58:disqus
        You should be concerned if your passwords are the same now as when you put them in last pass. Simply deleting your account won’t do anything, the possible attackers already have the data from last pass. Change your password on any site you think is important to protect and that you entered in last pass.

  23. Funny, just talking about this product over on HOWTOGEEK, and I saw no point in it… just use a password system I developed called pattern passwords. Draw a pattern on your keyboard, using the SHIFT key for some of the letters. The pattern is easy to remember and near impossible to crack. No need for all this other crap. Try it:

    VFR45678uhb

    A triangle. Easy to remember the shape…brute force can’t crack it. Since there are an infinite number of shapes you can come up with, this is a pretty safe system. Try it!

    1. Great. How well does it scale? Was that one website you wanted to comment on a circle or a triangle, and where did it start?

  24. Let’s not overreact. They are only allowing logins from known IP addresses you have logged in from before. And they are prompting people, in stages, to change their passwords. And if you have a long and complicated password it will take an unreasonable amount of time to hack. And it’s not as if your passwords are stored in plain text unencrypted form. Lastly, your passwords are safer on their servers than they are on your own computer. This could happen on your computer and you would never know about it. And that type of hacking is automated, so don’t think that you’re safe because you’re a nobody.

  25. The FUD in this article is appalling and at the same time justifies my ad blocker. Way to be part of the negative, yet uninformed, media machine.

  26. Lastpass have been transparent and timely with their response. Their business is secure storage of your passwords and the evidence is that they care very much about their business and users.

    I can’t speak for any other users but I am reassured by their response and trust their risk assessment. I will be remaining a paid customer, albeit one who now makes use of their multifactor authentication options.

  27. LastPass is amazing and the reaction to the issue is also amazing. I will keep using the service. No passwords were taken and if you changed your password no harm could have been done. Or if you have a very secure password that would require a massive amount of brute force you are also ok… like I am.

  28. Sticking with LP even if they are Canadian. Putting anything in dropbox and thinking it is ‘secure’ is foolhardy.

  29. I never used it. I use AI Roboform on my PC. I haven’t heard anything about this with them ever. Might need to start doing some research.

  30. Quite disappointed with another poorly reported article. I refer you to http://zite.to/jDdcyE
