
LastPass: Users Don't Have To Reset Master PWDs

CWmike writes "LastPass on Friday rescinded its day-old order that all users of its online password management system reset their master passwords due to a database breach. In a blog post this morning, the company said it won't allow users to change master passwords 'until our databases are completely caught up and we have resolved outstanding issues.' In an e-mail to Computerworld, LastPass CEO Joe Siegrist said the company changed its plan in response to demands from users asking they not be required to reset their passwords. However, comments posted on a LastPass blog suggest that the company's decision may also be related to trouble some users appear to be having with the password reset process. The blog post acknowledged that it had 'identified an issue' with roughly 5% of users that reset their master passwords. The company said it would be contacting those users about a fix for the problem. LastPass said earlier that passwords for its Xmarks bookmark sync, which it acquired last December, were not affected."
This discussion has been archived. No new comments can be posted.

  • Re:Curious (Score:3, Informative)

    by mysidia ( 191772 ) * on Friday May 06, 2011 @10:29PM (#36054110)

    I'm sure they have backups. If you have Pocket, you can actually back up your passwords by exporting to an encrypted .XML file, and access them locally. It's not a bad idea to keep your own backups, in addition to your offline browser storage, even though LastPass has them stored 'in the cloud'; better safe than sorry.

    2 factor auth with Yubikey/USB token is also a good idea, as they encrypt the passwords not only with your master pw, but also with the hash of your authentication tokens.

  • by jdwoods ( 89242 ) on Friday May 06, 2011 @11:10PM (#36054252) Homepage

    Yes, downloading and installing a vim plugin (or using vim in the first place) is indeed reasonably difficult for most people.

    That's why PasswordSafe [ http://pwsafe.org/ and http://sourceforge.net/projects/passwordsafe/ originally written by Bruce Schneier http://www.schneier.com/passsafe.html ] is what people need.

    It doesn't solve every problem (e.g. key loggers and such things as might be on an untrusted system) but nothing does. It's a very simple, flexible, convenient piece of software that not only securely stores usernames and passwords, but URLs, email addresses, notes and more with the ability to copy/paste and/or drag/drop and/or autofill forms. Although it is mainly a Windows application, it's FOSS with portable installs (e.g. U3) available. There is also a recent Linux port.

    At the moment, I have 87 passwords in my primary passwordsafe file with related usernames, URLs, email, notes, password generation parameters, password expirations and more, all stored in a convenient hierarchy where work, banking, retail, hardware and other types of passwords are grouped in a tree that makes sense to me. For folks with simple needs, the hierarchy is optional and the entries can all be a flat list.

    Sony's latest debacle has prompted me to wade through all my "important" entries (banks and such) and generate unique, random, secure passwords with expiration dates recommended by my PWsafe settings. Sadly, many of the accounts I created before I started using PWsafe used the same username and password combination for similar sites (e.g. retailers with CC info); I have now made my data much more secure with passwords I could never remember, except that PWsafe now remembers them all for me.
