
SANS ISC: LastPass Problems (SANS ISC InfoSec Forums)

LastPass Problems

Scott writes:

"It seems that LastPass is claiming a possible breach and has taken extraordinary measures that may be causing a bigger issue.

http://blog.lastpass.com/2011/05/lastpass-security-notification.html

Users are reporting the inability to get access to their data, and when I finally completed the REQUIRED migration process, my data appears corrupted and unusable. A second user has already reported the same corruption. So this is not an isolated case.

http://forums.lastpass.com/viewtopic.php?f=12&t=24329&start=50

There is no follow-up from support yet, so who knows, but I strongly suspect my data is irrevocably lost, as that was a one-time data re-encryption process (with no option to perform a backup!).

Recommendation for other LastPass users - wait until support comes back with an update."

John sent us a link to a Brian Krebs article on the topic

http://krebsonsecurity.com/2011/05/lastpass-forces-users-to-pick-another-password/

Leave a diary comment and let us know what you think about password managers and how you (hopefully) manage unique usernames and passwords for every site you visit.

Personally, I have an algorithm I've developed that allows me to determine a unique username and password for every online account I have, which I can work out on the spot when I arrive at the site.

Christopher Carboni - Handler On Duty

Chris

140 Posts
May 5th 2011
Password managers that store to the cloud are an accident waiting to happen as demonstrated by Lastpass.
I keep my passwords ONLY encrypted on my computer and external USB for that reason. No cloud storage.
Anonymous
Personally I like the 1Password software approach: files are stored locally and not on their servers. I can sync with Dropbox if I like. That way Agile doesn't store my password.
P. Bossley

1 Posts
Cloud password storage is just begging for compromise. To be honest a post-it note tucked under your keyboard is probably more secure. At least that way whoever compromises it isn't guaranteed to be a tech-savvy criminal who was out to get your details anyway.
Algorithmic password generation works well in many situations (I use it myself a fair amount), but it has always occurred to me that it enables the possibility of other passwords being compromised from the discovery of just one.

Tiered passwords work well for me. I have a lot of accounts on sites that mean nothing to me that share passwords.
P. Bossley
12 Posts
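The two posts above (the handler's per-site algorithm and P. Bossley's worry that one leaked password exposes the rest) describe a trade-off that is easy to see in code. The following is an added example, not code from the thread or from any product mentioned here; the master secret, site names and the HMAC-based derivation are illustrative assumptions. It contrasts a "master plus site tag" scheme, where one leaked password hands the attacker the master and therefore every other site, with a keyed derivation (HMAC-SHA256 over the site name and a rotation counter), where a leaked password yields nothing but an offline guessing target for the master.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample input (not from the thread): one memorised master secret
# and the sites it is reused across.
MASTER = "correct horse battery staple"
SITES = ["example.com", "bank.example", "forum.example"]


def naive_site_password(master: str, site: str) -> str:
    """The mental-arithmetic scheme: master secret plus a site tag.

    Anyone who obtains one plaintext password can read the master secret
    straight out of it and then produce the password for every other site.
    """
    return f"{master}-{site.split('.')[0]}"


def derived_site_password(master: str, site: str, counter: int = 1,
                          length: int = 16) -> str:
    """Keyed derivation: HMAC-SHA256(key=master, msg=site:counter), base64-trimmed.

    The master is the HMAC key, so a leaked site password reveals the master
    only to an attacker who can brute-force it offline; a strong master keeps
    the other sites safe. Bump ``counter`` to rotate one site's password
    without touching the others. (Site-specific password policies may still
    require post-processing of the output; that is left out here.)
    """
    msg = f"{site}:{counter}".encode()
    mac = hmac.new(master.encode(), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


def recover_master_naive(leaked: str, site: str) -> Optional[str]:
    """Attacker's view of the naive scheme: strip the site tag, keep the rest."""
    tag = "-" + site.split(".")[0]
    return leaked[: -len(tag)] if leaked.endswith(tag) else None


def pivot_from_one_leak(leaked: str, site: str, sites: List[str]) -> Dict[str, str]:
    """Given one leaked password, try to compute every other site's password.

    Succeeds against the naive scheme; returns an empty dict when the leaked
    value does not carry the master (the HMAC-derived case).
    """
    master = recover_master_naive(leaked, site)
    if master is None:
        return {}
    return {s: naive_site_password(master, s) for s in sites if s != site}


if __name__ == "__main__":
    leaked = naive_site_password(MASTER, "forum.example")
    print("naive leak pivots to:", pivot_from_one_leak(leaked, "forum.example", SITES))
    print("derived passwords:", {s: derived_site_password(MASTER, s) for s in SITES})
```

The keyed version does not remove the single point of failure P. Bossley points at; it moves it. A weak master is still recoverable from one leaked derived password by offline guessing, which is why such schemes need a long master and a slow derivation if the master is short.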
Carboni: their forum tells how you can recover your lastpass password/data.
Anonymous said...

Seriously dude, this is bad stuff. I'm locked out of ALL my different accounts, and it isn't accepting my lastpass master passphrase. I guess I learned my lesson here. There is no way in hell that I'm storing my important logins/passwords in the cloud again.
May 4, 2011 11:53 PM
Joe Siegrist said...

@Anonymous "locked out" -- We can revert your password change if you did one, email support@lastpass.com with your account email - a surprising number of people immediately forget their new password, we're working on this. If you haven't changed your password yet see my first comment on this thread.
May 4, 2011 11:57 PM
Anonymous said...

Ok Joe I will do that. I just found your account recovery page here: http://helpdesk.lastpass.com/account-recovery/

If anyone else needs it.
P. Bossley
1 Posts
I'm not having any issues with Lastpass.
Login is a bit different the first time, but now it just logs me in.

I can't reach the Forums probably because it is too busy now.
Bud
P. Bossley
20 Posts
We're using Password Safe to store user ids and passwords for all our servers, routers, service accounts, test equipment etc: http://www.schneier.com/passsafe.html

The service car's fuel card PIN code is in there too :-)
Scofield

3 Posts
@SoundMix: "Password managers that store to the cloud are an accident waiting to happen as demonstrated by Lastpass."

I think storing any critical data on just one medium is the accident waiting to happen. Like anything else there is always a tradeoff between Security and Accessibility. With LastPass you have the convenience of online portability; if you do not also back up your passwords to a local file then yup, you can end up locked out. But the software has the option to export your credentials to be stored locally, so you can have the best of both worlds simply by following normal best practice for data storage - the problem is that most people don't. Also they have the Pocket utility that can read your local LastPass file and allow export even if the service is unavailable. This is what I used yesterday when my online account was inaccessible; it was actually quite easy to do (and I was impressed it still used my Yubikey even for the local utility).
Don't get me wrong, I'm a bit pissed with the way they handled this; there seem to have been a few sequential knee-jerk reactions, but they deserve some kudos for at least trying to be proactive in defending the data. The service itself (especially when paired with a Yubikey) is a great option for a secure credential vault - perfect... no... but then we all know in security there are no absolutes.
Scofield
8 Posts
As the source of the post here, I want to say that LastPass announced late last night that some percentage of users had issues, requiring a rollback of their master password changes. I was apparently one of them and now my OLD password is back to working (thank god I kept that random password elsewhere). As for the impact on myself - I use KeePass primarily; this was an attempt to see how far I could trust LastPass, and that answer is now obvious. I had no passwords not already stored in KeePass, so no concern to me, but I wasn't 100% sure until I just checked.

The idea of LastPass is great (much better than KeePass+DropBox), but the implementation requires some more thought on helping users retain access to their content.
Anonymous
The LastPass instructions inform us about their offline program "Pocket" for keeping an offline copy of your passwords. Read the FAQ https://lastpass.com/support.php?cmd=showfaq&id=1376. Analyses of their technology have been done (http://www.grc.com/sn/sn-256.htm) and all data are encrypted before going to the cloud using a hash of your account and password. I agree their website may have problems - everyone's site will sooner or later.
JimC

17 Posts
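JimC's one-line summary (vault encrypted client-side under a key derived from account name and master password) and Scott's experience with the forced re-encryption are worth seeing as a concrete key-handling design. The block below is an added example of that generic pattern; it is not LastPass's code and does not claim to match their exact construction. The PBKDF2 work factor, the use of the lower-cased e-mail as salt, the "one extra one-way step" login hash and the HMAC-counter keystream standing in for a real cipher are all illustrative assumptions. It shows what the server actually receives (a login hash and ciphertext, never the vault key), why a master-password change is a full client-side re-encryption, and why a local export matters before such a migration.

```python
import hashlib
import hmac
from typing import Tuple

# Assumed work factor for the illustration; choose per current guidance in practice.
ITERATIONS = 100_000

# Constructed sample account and vault contents (not real data).
EMAIL = "alice@example.com"
SAMPLE_VAULT = b"site=example.com user=alice pass=hunter2\nsite=bank.example user=alice pass=s3cret\n"


def derive_vault_key(email: str, master: str, iterations: int = ITERATIONS) -> bytes:
    """Client side only: the vault encryption key, salted with the account name.

    Computed in the browser/extension; in this design it is never transmitted.
    """
    return hashlib.pbkdf2_hmac("sha256", master.encode(), email.lower().encode(), iterations)


def derive_login_hash(vault_key: bytes, master: str) -> bytes:
    """One further one-way step over the vault key.

    This is the value the server stores and the client presents at login;
    a server-side copy (or a breach of it) does not yield the vault key.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master.encode(), 1)


def server_check_login(stored_hash: bytes, presented_hash: bytes) -> bool:
    """Constant-time comparison of the login hash; this is all the server can verify."""
    return hmac.compare_digest(stored_hash, presented_hash)


def toy_xor_cipher(key: bytes, data: bytes) -> bytes:
    """Illustrative keystream cipher: HMAC-SHA256 in counter mode, XORed into the data.

    Used only so the example runs on the standard library. It is symmetric
    (encrypt == decrypt), has no nonce and no integrity tag, and stands in for
    a real AEAD such as AES-GCM; do not use it for anything real.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def enrol(email: str, master: str, vault_plaintext: bytes) -> Tuple[bytes, bytes]:
    """What leaves the client: (login_hash, encrypted_vault). No key, no plaintext."""
    key = derive_vault_key(email, master)
    return derive_login_hash(key, master), toy_xor_cipher(key, vault_plaintext)


def open_vault(email: str, master: str, encrypted_vault: bytes) -> bytes:
    """Client side: re-derive the key from the credentials and decrypt."""
    return toy_xor_cipher(derive_vault_key(email, master), encrypted_vault)


def rotate_master(email: str, old_master: str, new_master: str,
                  encrypted_vault: bytes) -> Tuple[bytes, bytes]:
    """A master-password change is a full client-side re-encryption of the vault.

    The old key must open the vault first; if that step is skipped or fails
    part-way and no local export exists, the data stays locked under whichever
    key was last used. Hence the thread's advice to keep an offline copy first.
    """
    plaintext = open_vault(email, old_master, encrypted_vault)
    return enrol(email, new_master, plaintext)


if __name__ == "__main__":
    login_hash, ciphertext = enrol(EMAIL, "old master passphrase", SAMPLE_VAULT)
    print("server stores login hash:", login_hash.hex())
    print("server stores ciphertext:", ciphertext.hex()[:32], "...")
    new_hash, new_ct = rotate_master(EMAIL, "old master passphrase", "new master passphrase", ciphertext)
    print("opens with new master:", open_vault(EMAIL, "new master passphrase", new_ct) == SAMPLE_VAULT)
```

Two practical checks fall out of the design: the server can compare login hashes but can never decrypt, so a server-side outage or rollback affects only authentication, not the ciphertext already exported with Pocket; and because the old ciphertext is useless under the new key, a rotation that fails halfway is exactly the situation Scott describes, recoverable only from the old password or a pre-migration export.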
