Change your LastPass passwords now

Forums › Off topic › Change your LastPass passwords now

freitasm

BDFL - Memuneh
63580 posts

Uber Geek
+1 received by user: 14062

Administrator

Trusted

Geekzone

Lifetime subscriber

# 175057 16-Jun-2015 07:54

According to the LastPass blog:

"We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

Interestingly I have just installed Intel's TrueKey on my laptop and Android devices today...

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

1 | 2 | 3 | 4

14788 posts

Uber Geek
+1 received by user: 2751

Trusted

Subscriber

# 1325467 16-Jun-2015 08:09

3 people support this post

Keepass 2. I keep the encrypted database on Dropbox, I can access it from home, work, or Android using this app (or the online app version).

davidcole

4409 posts

Uber Geek
+1 received by user: 679

Trusted

# 1325494 16-Jun-2015 09:23

One person supports this post

timmmay: Keepass 2. I keep the encrypted database on Dropbox, I can access it from home, work, or Android using this app (or the online app version).

yeah +1. Would rather my db as least if mostly controlled by me. For a while I was putting in to SVN at home. Where now I use dropbox, working on the theory they'd have to hack dropbox and keypass to get into it.

Previously known as psycik

OpenHAB: Gigabyte AMD A8 Brix, OpenHAB with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Xiaomi Humidity and Temperature sensors and Bluetooth LE Sensors
Media:Chromecast v2, ATV4, Roku3, HDHomeRun Dual
Windows 10 Host (Plex Server/Crashplan): 2x2TB, 2x3TB, 1x4TB using DriveBender, Samsung 850 evo 512 GB SSD, Hyper-V Server with 1xW10, 1xW2k8, 2xUbuntu 16.04 LTS, Crashplan, NextPVR channel for Plex ,NextPVR Metadata Agent and Scanner for Plex

xpd

Chief Trash Bandit
9588 posts

Uber Geek
+1 received by user: 1634

Mod Emeritus

Trusted

Lifetime subscriber

# 1325496 16-Jun-2015 09:26

Little bit concerned about their system........ logged in to change my password - system says I last changed my password a year ago....but I only did it start of this year.
Changed the password anyway, and it comes up telling me I last changed my password 23 hours ago.

Not encouraging....

I would use a "local" system such as KeePass etc, but Im useless at keeping track of such things and would lose the file in my archives :-p

XPD / Gavin / DemiseNZ

Server : i3-3240 @ 3.40GHz 16GB RAM Win 10 Pro Workstation : i5-3570K @ 3.40GHz 16GB RAM RX580 4GB Win 10 Pro Console : Xbox One

https://www.xpd.co.nz - Games, geeks, and more. Now on BigPipe 100/100 and 2Talk

davidcole

4409 posts

Uber Geek
+1 received by user: 679

Trusted

# 1325499 16-Jun-2015 09:28

xpd: Little bit concerned about their system........ logged in to change my password - system says I last changed my password a year ago....but I only did it start of this year.
Changed the password anyway, and it comes up telling me I last changed my password 23 hours ago.

Not encouraging....

I would use a "local" system such as KeePass etc, but Im useless at keeping track of such things and would lose the file in my archives :-p

That's why you put it on dropbox. Means it's accessible everywhere, and you can get the smart phone app as well.

mdf

2230 posts

Uber Geek
+1 received by user: 686

Trusted

Subscriber

# 1325500 16-Jun-2015 09:29

Just deleted my (unused for a year) LastPass account.

I've been using PasswordBox for a while - Intel bought the company at the start of this year to make TrueKey. It's got a really clever way of dealing with passwords on mobile devices (although in hindsight I pretty seldom log on to anything password-y on mobile anyway). Also has a semi-creepy digital will thing - you can nominate someone to get all your passwords when you die.

SumnerBoy

1664 posts

Uber Geek
+1 received by user: 188

Subscriber

# 1325502 16-Jun-2015 09:30

+1 for KeyPass (with DB stored on locally hosted OwnCloud server).

sidefx

3281 posts

Uber Geek
+1 received by user: 984

Trusted

# 1325503 16-Jun-2015 09:32

Another vote for keepass combined with dropbox here. There's even a windows phone app for it.

Geektastic

12867 posts

Uber Geek
+1 received by user: 4305

Trusted

Lifetime subscriber

# 1325510 16-Jun-2015 09:40

One person supports this post

I use One Password and Drop box. Works very well across desktop Macs, laptop and iPhone.

fizzychicken

286 posts

Ultimate Geek
+1 received by user: 70

# 1325533 16-Jun-2015 09:49

3 people support this post

I'm sticking with Lastpass. After an (admittedly difficult) setup learning process, I have everything in a manner that works best for me and is easier for me to use and maintain than Keepass (because I suck at syncing anything or maintaining too many things). This ended up being;

Lastpass + YubiKey 2FA + vault is set so it cannot be accessed on unapproved devices/locations. The paid last pass account also allows for yubikey used on android via NFC.
I only know the master password and that is made from random letters numbers and wild chars, I do not know any other password stored as they are all max length available with wild chars (have fun brute forcing that or any associated hash) e.g. KdL3hPJTx@nOh*x?(8o/)NWgQ8W2-~~s9#ZuwOT>gXSG\vzTCBg_ZMD:b)mV5^c
any password stored requires the master pass to be viewed or used, this prevents the auto enter at the end of password population, which in turn allowed me to use a 'pin code' on each password so even if you somehow got my vault and decrypted everything...and got my password..you're still missing a bit I had to type in (that's even before you get to whatever 2FA I have on that service you are trying to log in to)
I dont store any bank account or financial login details in lastpass, those I am willing to remember and use SMS and an RSA token for 2 and 3FA.

Though it was a pain to figure out how to get to that point, once achieved it is a very easy and fast system to use which is secure enough for me (even if various parts are breached). Using Yubikey's second memory allocation allows for storing the main segment of any unstored password to allow for those to be sufficiently complex to prevent brute force.

https://keybase.io/fizzychicken

amanzi

Amanzi
921 posts

Ultimate Geek
+1 received by user: 110

Trusted

Subscriber

# 1325541 16-Jun-2015 09:58

I'm a long time LastPass user but am not particularly worried about this as my master password was fairly strong and not guessable. As a precaution I changed my account password and vault master password this morning anyway and I recommend that you do too, as well as take a look through the additional security settings available such as multi-factor authentication, geo-restrictions, trusted devices, etc...

For those suggesting switching to another cloud provider (even using Dropbox), you're no safer there than using LastPass. Any cloud system can get hacked and so your security for any of these systems is really only as good as your master password.

(btw - I posted this topic in the Cloud, SaaS forum, but guess I need to pay closer attention to the off-topic forum too?)

ojo

100 posts

Master Geek
+1 received by user: 10

# 1325549 16-Jun-2015 10:13

At least users have gotten the message

Tinshed

277 posts

Ultimate Geek
+1 received by user: 57

# 1325550 16-Jun-2015 10:15

I stopped using Lastpass a wee while ago (by letting my subscription lapse) - in favour of 1Password. Nonetheless I diligently logged on to change my password but received the message about servers being overloaded. Currently looking at how to "delete all" passwords as a precaution. Can't see how to do that or how to delete entire account, including all passwords. It would seem that this is obscure on purpose so people might come back to using Lastpass. I seriously annoyed at Lastpass. Clearly their brand reputation is in tatters - or at least I hope so.

*Update*. Found the Delete Account page - by reading the manual(!) - See https://lastpass.com/delete_account.php Hopefullly my account really is now deleted.

Tinshed
Wellington, New Zealand

xpd

Chief Trash Bandit
9588 posts

Uber Geek
+1 received by user: 1634

Mod Emeritus

Trusted

Lifetime subscriber

# 1325551 16-Jun-2015 10:15

sidefx: Another vote for keepass combined with dropbox here. There's even a windows phone app for it.

Which app ? Ive just tried 2 (WinKee and 7Pass) and both failed miserably - WinKee just kills my phone, and 7Pass uses "Skydrive", and dosent work.

XPD / Gavin / DemiseNZ

Server : i3-3240 @ 3.40GHz 16GB RAM Win 10 Pro Workstation : i5-3570K @ 3.40GHz 16GB RAM RX580 4GB Win 10 Pro Console : Xbox One

https://www.xpd.co.nz - Games, geeks, and more. Now on BigPipe 100/100 and 2Talk

kiwitrc

4123 posts

Uber Geek
+1 received by user: 842
Inactive user

# 1325639 16-Jun-2015 11:01

I would change it if only I could remember what it was....

xpd

Chief Trash Bandit
9588 posts

Uber Geek
+1 received by user: 1634

Mod Emeritus

Trusted

Lifetime subscriber

# 1325647 16-Jun-2015 11:16

ojo: At least users have gotten the message

Saw that, Ive logged in and out multiple times today with no issues at all :)

XPD / Gavin / DemiseNZ

Server : i3-3240 @ 3.40GHz 16GB RAM Win 10 Pro Workstation : i5-3570K @ 3.40GHz 16GB RAM RX580 4GB Win 10 Pro Console : Xbox One

https://www.xpd.co.nz - Games, geeks, and more. Now on BigPipe 100/100 and 2Talk

1 | 2 | 3 | 4