

MxxCon

join:1999-11-19
Brooklyn, NY

LastPass Security Notification

LastPass is taking a "better safe than sorry" approach:
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.
Read the details at »blog.lastpass.com/2011/05/lastpa···ion.html
--
Check out my awesome city of MxxTopia »mxxtopia.myminicity.com/ind or »mxxtopia.myminicity.com (the more people visit, the bigger it is)


Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

Update by GFI Labs Blog - May 5, 2011:

quote:
It seems many users are having issues logging in to their Lastpass accounts since changes were made to prevent unauthorised access. Here are some tips posted by users to the Lastpass blog; these may be useful to you:

1) For all of you who are affected by the "Your account settings have restricted you from logging in from this mobile device." problem: I was able to login with one of my One-Time-Passwords I had generated when I set up the account. I was then asked again to change my master password, but this time I was asked for grid authentication, and after passing this the change succeeded. - Anon

2) If you get this message: An error occurred while retrieving your accounts. Close all of your browsers, clear cookies and log in again. It worked for me. - Anon

3) Ok so I got pwned by this message: "Your account settings have restricted you from logging in from this mobile device." and had to delete and recreate my account. Here is how I did it.

- Download Lastpass pocket -> hxxps://lastpass.com/pocket.exe
- Run pocket.exe and login using your existing username and password.
- Export your stuff to a csv file
- Delete your lastpass account -> »helpdesk.lastpass.com/account-recovery/ (4th option)
- Recreate the lastpass account by signing in at lastpass.com
- Using your lastpass browser extension -> Tools -> Import from -> Other -> Select "CSV" from drop down
-> Copy and paste the contents of the lastpass export csv file into the window and import everything. - Owais
»sunbeltblog.blogspot.com/2011/05···ter.html
--
Smokey's Security Forums »www.smokey-services.eu/forums/
* Site Member ASAP - Alliance of Security Analysis Professionals
* Site Member AQMRB - Alliance of Qualified Malware Removal Boards


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

catch 22

quote:
Yansky said...
Quick question; lastpass seems to be unusable until I change my master password, but I can't login to gmail without lastpass giving me my gmail password. So how do I reset my lastpass master password if I can't login to my email?

--
Standard disclaimers apply.
Atomic batteries to power. Turbines to speed.


gt7697c
Premium
join:2001-02-16
The Hive

reply to MxxCon

Re: LastPass Security Notification

After going through the problem here, and seeing all the recommendations for LastPass, I knew it was only going to be a matter of time. They are an attractive target to every hacker or would be hacker. Thanks for reporting.

There is a previous thread at Wilders where LastPass had an earlier security problem.

»www.wilderssecurity.com/showthre···t=293992
--
Just my 2 bits.


MxxCon

join:1999-11-19
Brooklyn, NY

said by gt7697c:

After going through the problem here, and seeing all the recommendations for LastPass, I knew it was only going to be a matter of time.

A matter of time for what? They don't know that information was leaked. They suspect it might have been. So there is no known security compromise.
Your claim "I knew it was only going to be a matter of time." is no different from fortune telling or horoscopes. You ignore all the misses and the moment you get one random hit you draw everybody's attention to it.
said by gt7697c:

They are an attractive target to every hacker or would be hacker. Thanks for reporting.

No different from KeePass, Roboform, Browser's password storage or any other password management solution. So what do you suggest? Stop using them and use the same password everywhere?

There is a previous thread at Wilders where LastPass had an earlier security problem.
»www.wilderssecurity.com/showthre···t=293992

And LastPass responded to it by improving their security even more, read »blog.lastpass.com/2011/02/cross-···ity.html

Yes, security problems happen, but just because they happen doesn't mean they are all the same and that it's the end of the world. This is (so far) nowhere near as bad as some of the recent security problems we saw, including on this site. Actually, thanks to LastPass, for me security problems on other sites were limited to only those sites. W/o LastPass I'd still be using the same 3-4 passwords everywhere.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

Well, you could, horror of horrors, not login on mobile devices and keep a physical list of passwords (a different one for each site) near your desktop computer. I would never use any of these. I've tried several in the distant past and my reward was constant crashing of the computer, BSODs, loss of ALL passwords, etc. I don't do the mobile internet thing and I keep a written list of passwords near my desktop computer. Mobile computing is simply something of so-called "convenience" that really is not that convenient.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

on your suggestion, I have cancelled my cellphone. Thank you!! I'm free now.



HA Nut
Premium
join:2004-05-13
USA

reply to MxxCon
Definitely an interesting issue! I was forced to change my password @ LastPass but 2 co-workers were not. Very odd!

As for myself, I am not really concerned as my master pw was very good. But changing it didn't really hurt anything either...



MxxCon

join:1999-11-19
Brooklyn, NY

reply to Mele20

said by Mele20:

Well, you could, horror of horrors, not login on mobile devices and keep a physical list of passwords (different one for each site) near your desktop computer.

I'm not sure if you are serious or trolling...but I'll bite..

Your house burns down, and your "physical list of passwords" goes with it. Your house gets robbed and now thieves have a nicely arranged list of accounts to screw around with, and when you have to log in to your credit card company to check/cancel/notify them, you can't because the thieves took your passwords. You opened a window, a light spring breeze, and now you are searching for your password sheet all over the house. Your cat decided to jump on your desk and either exercise its claws or pee on your precious password list. You accidentally spilled a drink on your desk and your password list. You changed a password or username on some site, what do you do now? Cross it out and pencil in the new info, or rewrite the whole list from scratch?
But wait, I hear you say, you keep a backup copy in your bank's safe-deposit box. The moment you change a single password, your backup copy is already useless.

said by Mele20:

I've tried several in the distant past and my reward was constant crashing of the computer, BSODs, loss of ALL passwords, etc.

I guess 1st thing you need to do is fix your computer and learn to make backups. password management software does not cause crashes, BSOD and "loss of ALL passwords". Incompetent users do.
said by Mele20:

I don't do the mobile internet thing and I keep a written list of passwords near my desktop computer. Mobile computing is simply something of so called "convenience" that really is not that convenient.

Nowhere in any of the previous replies or linked pages did anybody even remotely say anything having to do with "mobile internet".

Of all security measures, having physically written-down passwords is the worst thing you could do.


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

reply to MxxCon

Re: LastPass Security Notification

After the last lastpass XSS attack, I got rid of it and just use Keepassx now. Sure, it's not *quite* as convenient (it doesn't automatically fill forms), but it doesn't take much longer to enter the username/password. I would rather have the password database encrypted on *my* machine and not have to worry about some scripting attack stealing the password from the browser.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999


jp0469
JP

join:2000-12-13
Rochester, MA
kudos:1

LastPass also encrypts the data on your machine and then uploads it to their servers. Your master password is not stored on their server so your encrypted data is useless to a hacker unless they can brute force your master PW. Personally I think LP is doing the right thing even though this "anomaly" has not been confirmed to be an attack. They are getting chastised for it though by a lot of people who appear to be reacting to the headline without reading the whole story.



MxxCon

join:1999-11-19
Brooklyn, NY

reply to KodiacZiller

said by KodiacZiller:

I would rather have the password database encrypted on *my* machine and not have to worry about some scripting attack stealing the password from the browser.

you are being unnecessarily paranoid without understanding that situation.
* All the encryption is done locally on your own computer
* No one but you ever gets the key to decrypt your data and the creators have gone to great lengths to ensure this
* When you log in your email address and password are joined together, although your email address is sanitized slightly by being converted to lower case and having whitespace removed
* A hash is then taken of this string using SHA256
* This is now your cryptographic key that your system uses to encrypt and decrypt your data
* All the data held by LastPass is encrypted
* To identify yourself to LastPass they add your password to the previous hash they obtained by hashing your password and email address and then hash this string
* This hash is your unique ID
* Then you send your unique ID and username to LastPass to identify you, and since this contains your password hashed into it twice, no one can produce this key but you
* So LastPass never gets your cryptographic key
* They never even save your unique ID on their servers
* Instead when you create your account they create a unique 256 bit token to save with your account
* Then when you login they take your unique ID, add it to the unique 256 bit token and hash it; this is then used to find your data
Listen to »twit.tv/sn256 for an hour long details discussion/dissection of how LastPass works.
--
Check out my awesome city of MxxTopia »mxxtopia.myminicity.com/ind or »mxxtopia.myminicity.com (the more people visit, the bigger it is)
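The derivation and login exchange in the post above, modelled in code. This is an added illustration, not LastPass code: it follows the post's description literally (single SHA-256 rounds, email as the only salt, a random 256-bit server token), and the function names, the ModelServer class, the stand-in ciphertext and the wordlist are all assumptions of this example. It also shows the flip side jp0469 raises two posts up: a server dump leaves the vault encrypted, but each master-password guess costs only a few SHA-256 calls.

```python
"""Model of the LastPass key derivation and login exchange as MxxCon's post
describes it (2011-era, single SHA-256 rounds). Added illustration, not
LastPass code; names, server model and sample data are assumptions."""
import hashlib
import secrets
from typing import Dict, Iterable, Optional


def normalize_email(email: str) -> str:
    """Post: email is lower-cased and whitespace removed before use."""
    return "".join(email.split()).lower()


def derive_vault_key(email: str, password: str) -> bytes:
    """Client side. SHA-256(email || password): the key that encrypts the vault.
    Computed locally; never sent anywhere."""
    return hashlib.sha256((normalize_email(email) + password).encode()).digest()


def login_hash(email: str, password: str) -> bytes:
    """Client side. SHA-256(vault_key || password): the 'unique ID' sent to the
    server. SHA-256 is one-way, so holding it does not yield vault_key."""
    return hashlib.sha256(derive_vault_key(email, password) + password.encode()).digest()


class ModelServer:
    """Server side as the post describes: per account, a random 256-bit token
    and SHA-256(login_hash || token) as the lookup value. The login hash itself
    is not stored, and the vault is opaque ciphertext to the server."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Dict[str, bytes]] = {}

    def register(self, username: str, lhash: bytes, encrypted_vault: bytes) -> None:
        token = secrets.token_bytes(32)
        self._accounts[normalize_email(username)] = {
            "token": token,
            "lookup": hashlib.sha256(lhash + token).digest(),
            "vault": encrypted_vault,  # ciphertext under vault_key (stand-in bytes here)
        }

    def login(self, username: str, lhash: bytes) -> Optional[bytes]:
        """Return the encrypted vault if the presented login hash matches, else None."""
        acct = self._accounts.get(normalize_email(username))
        if acct is None:
            return None
        candidate = hashlib.sha256(lhash + acct["token"]).digest()
        if not secrets.compare_digest(candidate, acct["lookup"]):
            return None
        return acct["vault"]

    def breach_dump(self, username: str) -> Dict[str, bytes]:
        """Everything an attacker gets from the server's database for one account."""
        return dict(self._accounts[normalize_email(username)])


def offline_guess(dump: Dict[str, bytes], email: str, candidates: Iterable[str]) -> Optional[str]:
    """What a server breach buys an attacker: the vault stays encrypted, but each
    guess at the master password costs three SHA-256 calls, so a weak master
    password falls to a wordlist. A slow KDF would raise that per-guess cost."""
    for pw in candidates:
        if hashlib.sha256(login_hash(email, pw) + dump["token"]).digest() == dump["lookup"]:
            return pw
    return None


if __name__ == "__main__":
    srv = ModelServer()
    vault_ct = b"constructed ciphertext stand-in"  # stands in for the AES-encrypted vault
    srv.register("Bob@Example.com", login_hash("bob@example.com", "hunter2"), vault_ct)
    print("login ok:", srv.login("bob@example.com", login_hash("bob@example.com", "hunter2")) == vault_ct)
    dump = srv.breach_dump("bob@example.com")
    print("vault key in server dump:", derive_vault_key("bob@example.com", "hunter2") in dump.values())
    # Constructed wordlist; a weak master password is recovered from the dump alone.
    print("guessed master password:", offline_guess(dump, "bob@example.com", ["123456", "password", "hunter2"]))
```

The `breach_dump`/`offline_guess` pair is the check worth keeping in mind when weighing the two sides of this thread: the server never holds the vault key, exactly as the post says, but the strength of the master password is the only thing standing between a leaked database and the vault.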


jmorlan
Hmm... That's funny.
Premium,MVM
join:2001-02-05
Pacifica, CA
kudos:4

Does last pass have an option to store the encrypted passwords locally only, and not use their cloud?

Thanks.



HA Nut
Premium
join:2004-05-13
USA

said by jmorlan:

Does last pass have an option to store the encrypted passwords locally only, and not use their cloud?

Thanks.

You can store passwords locally but I know of no way to prevent cloud storage. In my case, the cloud is why I want it. I want my passwords everywhere, not just on my pc.


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

reply to MxxCon

said by MxxCon:

said by KodiacZiller:

I would rather have the password database encrypted on *my* machine and not have to worry about some scripting attack stealing the password from the browser.

you are being unnecessarily paranoid without understanding that situation.
* All the encryption is done locally on your own computer
* No one but you ever gets the key to decrypt your data and the creators have gone to great lengths to ensure this
* When you log in your email address and password are joined together, although your email address is sanitized slightly by being converted to lower case and having whitespace removed
* A hash is then taken of this string using SHA256
* This is now your cryptographic key that your system uses to encrypt and decrypt your data
* All the data held by LastPass is encrypted
* To identify yourself to LastPass they add your password to the previous hash they obtained by hashing your password and email address and then hash this string
* This hash is your unique ID
* Then you send your unique ID and username to LastPass to identify you, and since this contains your password hashed into it twice, no one can produce this key but you
* So LastPass never gets your cryptographic key
* They never even save your unique ID on their servers
* Instead when you create your account they create a unique 256 bit token to save with your account
* Then when you login they take your unique ID, add it to the unique 256 bit token and hash it; this is then used to find your data
Listen to »twit.tv/sn256 for an hour long details discussion/dissection of how LastPass works.

I am fully aware of how it works, and I also know it is vulnerable to XSS scripting attacks. Just because the passwords are encrypted locally doesn't do much good in such an attack. From Mike Cardwell, who discovered the last XSS flaw:

quote:
Of course, the holy grail would be fetching the list of sites along with their usernames and passwords. I didn't achieve this, but I'm convinced it can be done. Fetching "https://lastpass.com/show.php?aid=THEID" (Where "THEID" is a site ID which can be found using the accts.php trick described a moment ago) gave me the encrypted versions of the login details. Even if you don't have the plugin installed, your browser somehow manages to decrypt and display them to you. Figuring out how to do this would have involved picking through obfuscated JavaScript.
This is why I am more comfortable using an offline password manager that doesn't have these problems. Keepassx is basically an AES-256 encrypted dumb database that doesn't have to interact with the browser.


owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
Reviews:
·Comcast

said by KodiacZiller:
This is why I am more comfortable using an offline password manager that doesn't have these problems. Keepassx is basically an AES-256 encrypted dumb database that doesn't have to interact with the browser.

I use a similar product, SplashID, which uses Blowfish encryption. I have a copy on my home PC, work laptop, and my BlackBerry. Synchronization works between the BB and any one other device, so I do have to keep one PC up-to-date manually, but it's not a big deal.



MxxCon

join:1999-11-19
Brooklyn, NY

reply to KodiacZiller

said by KodiacZiller:

I am fully aware of how it works, and I also know it is vulnerable to XSS scripting attacks. Just because the passwords are encrypted locally doesn't do much good in such an attack. From Mike Cardwell, who discovered the last XSS flaw:

quote:
Of course, the holy grail would be fetching the list of sites along with their usernames and passwords. I didn't achieve this, but I'm convinced it can be done. Fetching "https://lastpass.com/show.php?aid=THEID" (Where "THEID" is a site ID which can be found using the accts.php trick described a moment ago) gave me the encrypted versions of the login details. Even if you don't have the plugin installed, your browser somehow manages to decrypt and display them to you. Figuring out how to do this would have involved picking through obfuscated JavaScript.

Then you are also aware that after this discovery LastPass implemented HSTS, X-Frame-Options, and CSP.
If you don't trust these features then you simply shouldn't log in to any website, regardless of how you locally store your passwords.
--
Check out my awesome city of MxxTopia »mxxtopia.myminicity.com/ind or »mxxtopia.myminicity.com (the more people visit, the bigger it is)
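A way to verify the three defenses named in the post above on a site's actual response headers, as an added example (not LastPass code or anything posted in the thread). The two header sets are constructed, and the 180-day HSTS floor is this example's own choice. The caveat it encodes is the one that matters for the XSS quoted earlier in the thread: CSP only stops injected script if `script-src` excludes `'unsafe-inline'`.

```python
"""Audit HSTS, X-Frame-Options and CSP on a set of HTTP response headers.
Added example; SAMPLE_HEADERS / HARDENED_HEADERS are constructed and
MIN_HSTS_AGE is an assumed floor. Feed it a live response's headers to audit a site."""
from typing import Dict, List

# Constructed weak response: HSTS too short, framing allowed, CSP lets inline script run.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

# Constructed hardened response for comparison.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

MIN_HSTS_AGE = 15552000  # 180 days (assumed floor; browser preload lists want a year)


def _parse_hsts(value: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip()
    return out


def _parse_csp(value: str) -> Dict[str, List[str]]:
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all three defenses look sound."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: a plain-http first request can be intercepted")
    else:
            d = _parse_hsts(hsts)
            raw_age = d.get("max-age", "0")
            max_age = int(raw_age) if raw_age.isdigit() else 0
            if max_age < MIN_HSTS_AGE:
                findings.append(f"HSTS max-age={max_age} is below {MIN_HSTS_AGE}")
            if "includesubdomains" not in d:
                findings.append("HSTS lacks includeSubDomains")

    xfo = (h.get("x-frame-options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options={xfo or 'missing'}: page can be framed (clickjacking)")

    # Firefox 4 shipped CSP under the X- prefixed name; accept either spelling.
    csp = h.get("content-security-policy") or h.get("x-content-security-policy")
    if csp is None:
        findings.append("CSP missing: injected script runs unrestricted")
    else:
        policy = _parse_csp(csp)
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            if "'unsafe-inline'" in script_src:
                findings.append("CSP script-src allows 'unsafe-inline': injected inline script still runs")
            if "*" in script_src:
                findings.append("CSP script-src allows any origin")
    return findings


def is_hardened(headers: Dict[str, str]) -> bool:
    return not audit_headers(headers)


if __name__ == "__main__":
    for name, hdrs in (("weak", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```

To run it against a real site, fetch the page with `http.client` or `requests` and pass `dict(response.headers)` to `audit_headers`; the function only looks at the three headers, so nothing else in the response matters.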

© 1999-2013 dslreports.com