Change your LastPass passwords now

Forums › Off topic › Change your LastPass passwords now

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#175057 16-Jun-2015 07:54

According to the LastPass blog:

"We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

Interestingly I have just installed Intel's TrueKey on my laptop and Android devices today...

1 | 2 | 3 | 4

20575 posts

Uber Geek

Trusted

Lifetime subscriber

#1325467 16-Jun-2015 08:09

Keepass 2. I keep the encrypted database on Dropbox, I can access it from home, work, or Android using this app (or the online app version).

davidcole

6029 posts

Uber Geek

Trusted

#1325494 16-Jun-2015 09:23

timmmay: Keepass 2. I keep the encrypted database on Dropbox, I can access it from home, work, or Android using this app (or the online app version).

yeah +1. Would rather my db as least if mostly controlled by me. For a while I was putting in to SVN at home. Where now I use dropbox, working on the theory they'd have to hack dropbox and keypass to get into it.

Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight

xpd

Geek @ Coastguard NZ
13765 posts

Uber Geek

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#1325496 16-Jun-2015 09:26

Little bit concerned about their system........ logged in to change my password - system says I last changed my password a year ago....but I only did it start of this year.
Changed the password anyway, and it comes up telling me I last changed my password 23 hours ago.

Not encouraging....

I would use a "local" system such as KeePass etc, but Im useless at keeping track of such things and would lose the file in my archives :-p

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

LinkTree

davidcole

6029 posts

Uber Geek

Trusted

#1325499 16-Jun-2015 09:28

xpd: Little bit concerned about their system........ logged in to change my password - system says I last changed my password a year ago....but I only did it start of this year.
Changed the password anyway, and it comes up telling me I last changed my password 23 hours ago.

Not encouraging....

I would use a "local" system such as KeePass etc, but Im useless at keeping track of such things and would lose the file in my archives :-p

That's why you put it on dropbox. Means it's accessible everywhere, and you can get the smart phone app as well.

mdf

3512 posts

Uber Geek

Trusted

#1325500 16-Jun-2015 09:29

Just deleted my (unused for a year) LastPass account.

I've been using PasswordBox for a while - Intel bought the company at the start of this year to make TrueKey. It's got a really clever way of dealing with passwords on mobile devices (although in hindsight I pretty seldom log on to anything password-y on mobile anyway). Also has a semi-creepy digital will thing - you can nominate someone to get all your passwords when you die.

SumnerBoy

2074 posts

Uber Geek

ID Verified

Lifetime subscriber

#1325502 16-Jun-2015 09:30

+1 for KeyPass (with DB stored on locally hosted OwnCloud server).

sidefx

3711 posts

Uber Geek

Trusted

#1325503 16-Jun-2015 09:32

Another vote for keepass combined with dropbox here. There's even a windows phone app for it.

"I was born not knowing and have had only a little time to change that here and there." | Octopus Energy | Sharesies
- Richard Feynman

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

Geektastic

17942 posts

Uber Geek

Trusted

Lifetime subscriber

#1325510 16-Jun-2015 09:40

I use One Password and Drop box. Works very well across desktop Macs, laptop and iPhone.

fizzychicken

313 posts

Ultimate Geek

#1325533 16-Jun-2015 09:49

I'm sticking with Lastpass. After an (admittedly difficult) setup learning process, I have everything in a manner that works best for me and is easier for me to use and maintain than Keepass (because I suck at syncing anything or maintaining too many things). This ended up being;

Lastpass + YubiKey 2FA + vault is set so it cannot be accessed on unapproved devices/locations. The paid last pass account also allows for yubikey used on android via NFC.
I only know the master password and that is made from random letters numbers and wild chars, I do not know any other password stored as they are all max length available with wild chars (have fun brute forcing that or any associated hash) e.g. KdL3hPJTx@nOh*x?(8o/)NWgQ8W2-~~s9#ZuwOT>gXSG\vzTCBg_ZMD:b)mV5^c
any password stored requires the master pass to be viewed or used, this prevents the auto enter at the end of password population, which in turn allowed me to use a 'pin code' on each password so even if you somehow got my vault and decrypted everything...and got my password..you're still missing a bit I had to type in (that's even before you get to whatever 2FA I have on that service you are trying to log in to)
I dont store any bank account or financial login details in lastpass, those I am willing to remember and use SMS and an RSA token for 2 and 3FA.

Though it was a pain to figure out how to get to that point, once achieved it is a very easy and fast system to use which is secure enough for me (even if various parts are breached). Using Yubikey's second memory allocation allows for storing the main segment of any unstored password to allow for those to be sufficiently complex to prevent brute force.

https://keybase.io/fizzychicken

amanzi

Amanzi
1292 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1325541 16-Jun-2015 09:58

I'm a long time LastPass user but am not particularly worried about this as my master password was fairly strong and not guessable. As a precaution I changed my account password and vault master password this morning anyway and I recommend that you do too, as well as take a look through the additional security settings available such as multi-factor authentication, geo-restrictions, trusted devices, etc...

For those suggesting switching to another cloud provider (even using Dropbox), you're no safer there than using LastPass. Any cloud system can get hacked and so your security for any of these systems is really only as good as your master password.

(btw - I posted this topic in the Cloud, SaaS forum, but guess I need to pay closer attention to the off-topic forum too?)

ojo

167 posts

Master Geek

#1325549 16-Jun-2015 10:13

At least users have gotten the message

Tinshed

278 posts

Ultimate Geek

#1325550 16-Jun-2015 10:15

I stopped using Lastpass a wee while ago (by letting my subscription lapse) - in favour of 1Password. Nonetheless I diligently logged on to change my password but received the message about servers being overloaded. Currently looking at how to "delete all" passwords as a precaution. Can't see how to do that or how to delete entire account, including all passwords. It would seem that this is obscure on purpose so people might come back to using Lastpass. I seriously annoyed at Lastpass. Clearly their brand reputation is in tatters - or at least I hope so.

*Update*. Found the Delete Account page - by reading the manual(!) - See https://lastpass.com/delete_account.php Hopefullly my account really is now deleted.

Tinshed
Wellington, New Zealand