[BETANEWS]LastPass has serious flaw called 'LostPass' -- your passwords and more are at risk - Page 14  

post #131 of 144
Quote:
Originally Posted by Ksireaper View Post

You can easily spot the people that have never had any experience with network or computer security. Writing down your passwords is the dumbest thing you can do. Ever. Massive security violation right there.

Not always. It all depends on the situation and implementation. A typical employee doing this is totally stupid and it's a sack-worthy offense, but as a private user it can be beneficial if you have a safe, for example, or a hiding place. Remember you don't have to write an exact password down, just a hint for yourself or a few characters. Security can work well with obfuscation.


In fact, just an encrypted USB pen with a file on it is fairly better than most other cross-platform solutions. Pens are dirt cheap and you can have two or three for redundancy; encrypting the pen takes all of 15 seconds and it is just one master password on insertion to open the device. You can do the same to a microSD and even have that on your phone.


It's just too damn easy to sign up for every service, app, cloud, whatever thing these days before remembering there are sound alternatives.
Edited by Pip Boy - 1/20/16 at 11:25am
post #132 of 144
Quote:
Originally Posted by randomizer View Post

FWIW, LastPass was hacked in 2015. The attackers gained access to email addresses and encrypted master passwords. Only the email addresses are of any real use.

Do you know if any of them ended up in personal harm, be it financially or identity theft? And if they did, do you think Last Pass becomes liable for that and could be held accountable for damages?
post #133 of 144
Misleading article. This isn't a flaw with LastPass... it's people being idiots and falling for phishing attacks. Every single service has this "flaw" if you want to call it that.

If I am reading right, this is just a script that a website would install and then fake a LastPass message while having you enter in your information. I dunno about you, but I have my LastPass set up in a way that if a random website asked for my password, and especially my auth codes, I'd immediately know something is up and leave the site. There's zero reason I would need to enter in any of that information when browsing the web.
Quote:
Originally Posted by Shaded War View Post

I had someone tell me LastPass was so great and I should use it, but I didn't buy into it. The whole idea of it seems idiotic. May as well just use the same password for every single website while you're at it, because once they can figure out or hack your LastPass, they have everything anyway.

Sorry, but no.... Using the same PW for every website is the worst thing you could possibly do. The only thing worse would basically be just giving your PWs out to random strangers.

If you use lastpass without ANY form of secondary authentication, then you have a point, but no one with common sense is going to do that. There are 4-5 authentication layers you can add to your account, and even the free ones are good enough to stop someone even if they have your password.

It's extremely rare for a civilian to get "hacked", they'd most likely need to piss someone off pretty bad. People who claim they got hacked 99.9% of the time got a virus, and/or phished. There's no difference here, nothing can save you from user error.
Quote:
Originally Posted by randomizer View Post

FWIW, LastPass was hacked in 2015. The attackers gained access to email addresses and encrypted master passwords. Only the email addresses are of any real use.

Everything was heavily encrypted and last I heard the master passwords were not taken, but they suggested a PW change anyway. All LastPass owners were immediately notified of the breach.

Even if there was a full breach and the hacker managed to do the near-impossible and break the encryption, any user with authentication is still 100% protected even without a password change. The others should have changed their PWs after the breach, which would be months (or years) before the encryption would be broken.
Edited by Murlocke - 1/20/16 at 12:52pm
post #134 of 144
This has NOTHING to do with LastPass. This is a phishing attempt. The website will ask you to enter in your LastPass password, and if you have 2FA authentication, it'll ask for that as well. I use Duo authentication, and LastPass will remain logged in for five hours... at that point I will need to re-enter my password and re-authorize it with LastPass.

How I've used LastPass to ensure security:

5 hour log-in session (will expire after 5 hours and will have to re-authenticate)

Run monthly audit reports on all my websites. LastPass will tell me what websites were hit recently with vulnerabilities and ask me to change those passwords.

Any password that has not been changed for six months, those get changed (whether manually or automatically)

Bank accounts require password re-entry...which will result in 2FA authentication again

Passwords for the most part are all over 32 characters, with symbols and numbers (where supported)
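An added example, not from the thread and not LastPass's own audit feature: a small Python audit that applies the rules listed in post #134 (32+ characters with digits and symbols, rotate anything unchanged for six months) plus a reuse check across sites. The vault entries and the audit date are constructed sample data.

```python
# Added example (not from the thread or from LastPass): a vault-hygiene audit
# along the lines of post #134's rules. Vault contents below are constructed.
from collections import defaultdict
from datetime import date

MIN_LENGTH = 32        # "all over 32 characters"
MAX_AGE_DAYS = 182     # "not been changed for six months"
AUDIT_DATE = date(2016, 1, 20)   # fixed "today" so results are reproducible

# Constructed sample vault: (site, password, last-changed ISO date).
SAMPLE_VAULT = [
    ("bank.example",  "Q7f!xR2m#Lw9$Vt4&Hb6*Nc8^Ps1@Kd3%Zy5(Ju0)", "2015-12-01"),
    ("forum.example", "Summer2015!", "2015-03-01"),
    ("shop.example",  "Summer2015!", "2015-11-15"),
    ("mail.example",  "correcthorsebatterystaplemoonlightwalk", "2015-10-01"),
]


def audit(vault, today=AUDIT_DATE):
    """Return {site: [findings]} for every entry that breaks a rule."""
    findings = defaultdict(list)
    sites_by_password = defaultdict(list)
    for site, password, changed in vault:
        if len(password) < MIN_LENGTH:
            findings[site].append("short")
        has_digit = any(c.isdigit() for c in password)
        has_symbol = any(not c.isalnum() for c in password)
        if not (has_digit and has_symbol):
            findings[site].append("no-digit-or-symbol")
        age_days = (today - date.fromisoformat(changed)).days
        if age_days > MAX_AGE_DAYS:
            findings[site].append("stale")
        sites_by_password[password].append(site)
    # A password shared between sites turns one phished login into several.
    for sites in sites_by_password.values():
        if len(sites) > 1:
            for site in sites:
                findings[site].append("reused")
    return dict(findings)


if __name__ == "__main__":
    for site, problems in sorted(audit(SAMPLE_VAULT).items()):
        print(f"{site}: change password ({', '.join(problems)})")
```

Entries with no findings (here the bank account) are left out of the result, so an empty dict means the vault passes all four checks.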
post #135 of 144
Quote:
Originally Posted by PostalTwinkie View Post

Or I am not an idiot and can remember my passwords.
Quote:
Originally Posted by PostalTwinkie View Post

The word stupid never came out of my mouth. If you want to have a conversation with me, have it, but don't put words in my mouth.

So people who can't remember multiple secure passwords off the top of their heads are idiots, but not stupid. Ok.
post #136 of 144
Quote:
Originally Posted by mothergoose729 View Post

As soon as I get my server set up I am going to create my own Python program that writes passwords to the database, and does encryption and decryption client side. Keeping one's passwords safe has become quite the chore.

Check out PASS.
Quote:
Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

The password files can also be stored in a git repo if you wish.
post #137 of 144
Quote:
Originally Posted by jbmayes2000 View Post

If you are a Last Pass user and you find out they managed to actually hack Last Pass itself and used your info in a way that ended up causing financial problems or identity theft, does Last Pass have some sort of policy about what they do in that scenario? Like are you "insured" in a way? Or how would they keep themselves from being sued?
That's called "indemnification" and probably not.

It's a huge liability to accept that part of a contract. You really only see that clause when dealing with companies.

Quote:
Originally Posted by mothergoose729 View Post

As soon as I get my server set up I am going to create my own Python program that writes passwords to the database, and does encryption and decryption client side. Keeping one's passwords safe has become quite the chore.
Warning to you.... Master developers and security experts already have a hard time getting encryption implemented properly.

Some guidelines of software development:
1) Don't roll your own encryption
2) Don't roll your own date functions
3) Don't roll your own threading

...unless you KNOW you're that good!

Quote:
Originally Posted by HITTI View Post

What eats me (if I read wrong, correct me) is that this Sean guy notified LastPass about this a while back and LastPass did nothing about the phishing attacks till this guy went public and released the code.

I purged my account and deleted my account. And I am a premium member too. LastPass acted too late imo.
That's probably wrong....

Standard white hat process is company gets privately notified (November 2015).
Company acknowledges and confirms the issue (December 2015).
White hat waits a period (usually around 90 days) to provide time for a fix and then discloses. (January 2016).

It seemed like that all worked.... LastPass was ready with their mitigation announcement the same/next day.


The attack wasn't on the passwords themselves but a phishing attack and spoofed image....
post #138 of 144
Quote:
Originally Posted by DuckieHo View Post

That's called "indemnification" and probably not.

It's a huge liability to accept that part of a contract. You really only see that clause when dealing with companies.
Warning to you.... Master developers and security experts already have a hard time getting encryption implemented properly.

So contractually they would be free and clear of anything like that but do you think someone could successfully win a lawsuit? Or are you saying it would be thrown out due to the lack of indemnification?
post #139 of 144
It sounds like you should seek proper legal advice rather than asking on OCN.
post #140 of 144
Quote:
Originally Posted by jbmayes2000 View Post

So contractually they would be free and clear of anything like that but do you think someone could successfully win a lawsuit? Or are you saying it would be thrown out due to the lack of indemnification?

It would get thrown out because of this in their Terms of Use pretty much (I copied this directly from it btw)
Quote:
Indemnification.
You agree to indemnify and hold harmless LastPass, its contractors, and its licensors, and their respective directors, officers, employees and agents from and against any and all claims and expenses, including attorneys’ fees, arising out of your use of the Website, including but not limited to out of your violation this Agreement.

You are agreeing that by signing up for their services, you will not hold them liable for any damages that arise from the use of their services.