LastPass: Users Don't Have To Reset Master PWDs
CWmike writes "LastPass on Friday rescinded its day-old order that all users of its online password management system reset their master passwords due to a database breach. In a blog post this morning, the company said it won't allow users to change master passwords 'until our databases are completely caught up and we have resolved outstanding issues.' In an e-mail to Computerworld, LastPass CEO Joe Siegrist said the company changed its plan in response to demands from users asking they not be required to reset their passwords. However, comments posted on a LastPass blog suggest that the company's decision may also be related to trouble some users appear to be having with the password reset process. The blog post acknowledged that it had 'identified an issue' with roughly 5% of users that reset their master passwords. The company said it would be contacting those users about a fix for the problem. LastPass said earlier that passwords for its Xmarks bookmark sync, which it acquired last December, were not affected."
Re:This whole password issue is a problem (Score:5, Insightful)
Short answer: No.
Longer answer:
Biometrics might (or might not, depending on accuracy) uniquely identify you, but it neither proves that you were present (your fingerprint or retina might have been stolen, either as a copy or more directly!) nor that you authorize access to whatever resource a password might secure (e.g. you might be dead or otherwise impaired and someone else slides your fingerprint or retina or DNA over the scanner).
Biometrics are convenient and still feel cool, but for really important resources, they increase danger rather than decrease it. For example, imagine that a billion USD is protected by your retina scan; I expect some folks would consider it reasonable to relieve you of your eyes (or even your whole head) for access to that much money.
On the other hand, using them as a username replacement (which still requires some other authentication like a password, and perhaps some two-factor mechanism like an RSA token) makes all kinds of sense. Just don't confuse "identity" with "authentication".
See also http://www.schneier.com/blog/archives/2009/01/biometrics.html [schneier.com] and many other pertinent comments by Bruce and others.
Re: (Score:2)
(your fingerprint or retina might have been stolen, either as a copy or more directly!)
If your retina were stolen, I would think that would pretty much guarantee that you (at the very least) didn't authorize it...and has a degree of certainty on the not-present bit. Though, I'm sure there's some twisted individual out there willing to lose an eye for the heist of a lifetime (taking, for example, the $1B).
Re: (Score:3)
One word for you: torture. If someone is willing to cut off your head to get access, I'm sure they have some 5 dollar wrench lying around to help them get your password.
http://xkcd.com/538/ [xkcd.com]
Curious (Score:2)
Re: (Score:3, Informative)
I'm sure they have backups. If you have Pocket, you can actually backup your passwords by exporting to an encrypted .XML file, and access them locally.
It's not a bad idea to keep your own backups, in addition to your offline browser storage, even though Lastpass has them stored 'in the cloud'; better safe than sorry.
2 factor auth with Yubikey/USB token is also a good idea, as they encrypt the passwords not only with your master pw, but also with the hash of your authentication tokens
Re: (Score:2)
I believe they have a way to change your master password. So, what they'd likely do is decrypt the various keychain files using your old password (which you'd have to enter to change it), and then they re-encrypt with the new password.
Generally, passwords are pretty weak unless you follow specific protocols in how you set them up (passphrases, unusual chars, misspellings). I'd rather they used a public-private keypair, but then that would be cumbersome for users.
Re: (Score:2)
From their password recovery page [lastpass.com] (I checked since I was curious after you raised the point):
LastPass has added support for an optional way to store a disabled One Time Password (OTP) locally on your computer in case you forget your Master Password. This feature allows account recovery for those who want it without revealing your password to LastPass.
You can choose not to save this disabled One Time Password by launching Preferences from the LastPass icon menu, and selecting the Advanced tab. If you decide to disable the local OTP, your only recourse if your password hint doesn't help is to delete your account and start over. If you disable the preference after creating one, it causes the One Time Password to be deleted off LastPass' servers.
This makes it sound like they save the One Time Password on their server, and it decrypts a file stored only on your local PC that either contains your master password, or possibly as hash of it (I'm guessing at the implementation here). Or possibly it saves a keyfile to your PC that decrypts a separate (and separately encrypted) copy of your data.
What does seem clear is that you are correct in so far as they CANNO
Maybe it's just me... (Score:1)
...but am I the only one who is very hesitant about storing my precious passwords "in the cloud"? I use this gvim gpg plugin [vim.org] to encrypt my passwords, on my own terms, and I make them accessible to myself by any number of ways that I control.
Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?
Re:Maybe it's just me... (Score:4, Insightful)
Yes.
Re: (Score:2)
This gives me local storage on each of my machines plus
Re: (Score:3)
Yes, downloading and installing a vim plugin (or using vim in the first place) is indeed reasonably difficult for most people.
Re: (Score:3, Informative)
Yes, downloading and installing a vim plugin (or using vim in the first place) is indeed reasonably difficult for most people.
That's why PasswordSafe [ http://pwsafe.org/ [pwsafe.org] and http://sourceforge.net/projects/passwordsafe/ [sourceforge.net] originally written by Bruce Schneier http://www.schneier.com/passsafe.html [schneier.com] ] is what people need.
It doesn't solve every problem (e.g. key loggers and such things as might be on an untrusted system) but nothing does. It's a very simple, flexible, convenient piece of software that not only securely stores usernames and passwords, but URLs, email address, notes and more with the ability to copy/paste and/or drag/drop
Re: (Score:2)
Even that wouldn't work for many people, since they also want to use it on an iP{hone,ad}.
Re: (Score:1)
Differences from one website to another make it very hard to automate username & password login. Some web sites (especially some that are nuts about Flash and Web2.0) make it hard just to type them in. However, for 90+% of websites and applications, drag&drop works great; copy/paste works too. You don't have to select the text and then copy it, just select the entry you want and click a button to copy username to the clipboard (then paste it with keyboard or mouse clicks) then click another butt
Re: (Score:2)
In addition to keeping it on your USB stick, there are also versions for just about every mobile device out there.
Re: (Score:2, Insightful)
Ok, that's neat and all... but where's the iPhone/iPad/Blackberry app to access the 'gvim gpg' password store on the go? Where's the browser plugin to auto-login and automatically fill forms based on the gvim gpg datastore?
Re: (Score:2)
...where's the iPhone/iPad/Blackberry app to access the 'gvim gpg' password store on the go?
I thought it was for our benefit that Apple does not permit libre software on the iPhone/iPad, and that anyone who does not want to pay the Apple tax should just turn to "the cloud" to deliver their applications.
Re: (Score:2)
Ok, that's neat and all... but where's the iPhone/iPad/Blackberry app to access the 'gvim gpg' password store on the go? Where's the browser plugin to auto-login and automatically fill forms based on the gvim gpg datastore?
Rolling your own is a bit more work (yes, I have to fill in the passwords myself, rather than using autofill [and who knows where *that* data might be cached]), but at least I don't have to worry about a 3rd party telling me that I have to change my secure passphrase...and then changing
Re:Maybe it's just me... (Score:4, Interesting)
Does your GVIM data get stored somewhere that is accessible to you no matter where you are? And if it is, then it's most likely accessible to someone else if they were to hack you. Point being, nothing is completely secure AND easy. From the sounds of it though, LastPass has a system in place to secure the passwords, although I'm unsure how that can work with a "Lost Password" scenario that MorderVonAllem talks about in another comment.
Re: (Score:2)
The contents are encrypted with their GPG key. If they have their GPG key and the encrypted files, then yes they can get access. If I need access to a particular password, I load the file into GPA's clipboard utility, decrypt it, then copy/paste the password over to where it is needed (or type it).
Personally, I store my encrypted files inside a version control system and use that to keep multiple systems in syn
Re: (Score:2)
Personally, I store my encrypted files inside a version control system and use that to keep multiple systems in sync. Which solves the "keeping multiple systems up to date" problem, unless it's a system where you can't do version control.
So, if someone compromises your version control system, or one of your computers, they could grab the encrypted file. And maybe the encrypted GPG secret key file.
Then it's just a matter of brute forcing the GPG passphrase...
Re: (Score:2)
And assuming he used one of a decent length, that is not a concern
Re: (Score:1)
And assuming he used one of a decent length, that is not a concern
And assuming you used a Lastpass master password of a decent length, it's not a concern that someone will be able to brute-force the encryption on the RSA 2048-bit key to get the private key required to decrypt Lastpass' AES256 encrypted blob.
Re: (Score:2)
Tony? Is that you?
Re: (Score:1)
I keep my passwords in a KeePass file in my Dropbox account. I can access them pretty much anywhere, and the only way they're getting stolen is if someone cracks both Dropbox's security and breaks my KeePass password. I assume Dropbox would let people know if they were hacked, so I'd have plenty of time to change my passwords before the KeePass security fails, assuming it ever does.
Given the very large number of passwords I have to keep, this is certainly a better solution than reusing the same few (my ol
Re: (Score:2)
Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?
Do you even have to ask?
Not to be elitist or condescending, but most end users can be likened to toddlers, just able to take enough steps to move themselves around but still desperately in need of others to take care of them and give them an environment they can survive in. When they do not get what they want, they throw tantrums and scream and cry until either they get what they want or someone hands them a shiny distraction that makes them completely forget what exactly they were demanding. It is u
Re: (Score:3)
Do you run your own mail server? Most people don't. Now get over it, we use GMail. Same thing as using other web based services.
There is a big, BIG difference between deciding that it is not worth your while to run a mail server, versus being unable to do so.
Re: (Score:3)
Do you run your own mail server? Most people don't. Now get over it, we use GMail. Same thing as using other web based services.
There is a big, BIG difference between deciding that it is not worth your while to run a mail server, versus being unable to do so.
I would go one further and say it's an even bigger difference between wanting someone else to run your mail server, versus wanting someone else to remember your passwords for you.
It's also pretty telling when the users of such a service actually beg to keep their original passwords after being told those passwords are compromised.
Re: (Score:2)
I don't for monetary reasons (would need to pay for a relay, since I have a dynamic IP and my ISP doesn't provide their own relay).
Re: (Score:2)
Not to be elitist or condescending....
You know, saying "not to do x" immediately before doing x doesn't make it any better. You might as well say "Not to be racist, but [insert ethnic group here] should learn their place."
Re: (Score:2)
Not to be elitist or condescending....
You know, saying "not to do x" immediately before doing x doesn't make it any better. You might as well say "Not to be racist, but [insert ethnic group here] should learn their place."
The difference is greater than it may seem. While a real elitist or a truly condescending person may be glad and feel vindicated because this is so, the GP seemed to share my regret that the average has been reduced to this. I don't consider that elitist, racist, condescending, etc... I consider it a willingness to call things what they are and to focus one's energies on how to improve and be part of the solution.
If you don't wish to see it that way, then dismissal becomes an attractive option. Doesn't
Re: (Score:2)
You know, going with my racism example, a racist would say he's just calling things the way they are too. Saying "not to be condescending" doesn't make someone any less of an arrogant prick, if they then go on to call the majority of people a bunch of screaming mindless toddlers.
Re: (Score:2)
(I try to keep things ASCII as much as possible when it comes to this, because that way you can fax / print / email the contents of the text file without having to do any binary/text conversion for fax/print.)
I store my password files in a version control system, wh
Re: (Score:1)
...but am I the only one who is very hesitant about storing my precious passwords "in the cloud"? I use this gvim gpg plugin [vim.org] to encrypt my passwords, on my own terms, and I make them accessible to myself by any number of ways that I control.
Is this so incredibly difficult to do for most people that they must depend upon others to maintain their personal data?
I use Lastpass but not for "precious passwords". I could care less if they steal all my web forum logins etc. The important ones like online retailers who have personal info, banks, etc. I store in my head.
Most people I know use 123456 or password as their password everywhere then wonder how sh*t happens. If I ever get compromised at a sensitive site it's not because *I* didn't try, it's because I have no control over what happens to my 'net packets after they leave the router. Many sites really make me won
Storing passwords on some other person's computer (Score:1)
Re: (Score:2)
It isn't legal in the USA. At least in my view and hopefully that of every judge all the way up to the supreme court. I wouldn't for one second think that the US authorities wouldn't try it though and get away with it.
I'd be shocked if the US authorities could make a software vendor (or FOSS maintainer) modify code under court order. It screams first amendment (code is copyrighted speech after all). They could (potentially) bar a vendor or maintainer from announcing modifications to a code base (gag orders, etc.), but forcing them to make the modifications would be utterly unprecedented (to my knowledge).
Re: (Score:2)
Only works if they know who their target is. My parent discussed German authorities trying to find a user of an anonymity program. You're right that the point is moot if the investigators already know where to find the target.
same for Ubuntu, Windows, and SSL (Score:2)
Government and police can access anything in your cloud and on your machine if they want to: they can put trojans and keyloggers into your software updates and downloads, and they can fake SSL certificates and decrypt your encrypted traffic. And they don't just do that in the US, they do it in many countries. To protect against government intrusion into your data is very hard. A service like Hushmail is probably more secure than almost anything you can do yourself, even on your own harddisk.
order of magnitude (Score:1)
TFA says .5%, not 5%.
Neither Secure Nor Reliable. (Score:2, Interesting)
Certainly, high traffic web serving can benefit from "The Cloud", especially for those that don't have the money to support the kind of hardware and infrastructure.
But highly valuable and/or proprietary corporate or personal information? Nope...
Only there was no breach (Score:2)
There was no confirmed breach, just suspicious traffic. And a lot of media hype. Almost all media misquoted the incident so the whole incident sounds more exciting.
And even if there was a breach: Unlike almost all other Cloud services, Lastpass encrypts all data client-side. Either by plug-in or JavaScript. Without the master password the data is useless.
And no: master passwords were not stolen — as the media tells everybody — if your master password is weak then someone might guess it.
Only the master password? (Score:2)
For the right reasons? (Score:1)
Based on that description, it sounds like they are saying users don't have to change their master password because their systems can't keep up with load, rather than because they've proven that user data isn't at risk.
Re: (Score:2)
Interesting you say that. SuperGenPass [supergenpass.com] is a client-side app in JavaScript for crypting passwords. It's just a bookmark with a bunch of JS. There is also a version that works on mobile phones too (the app is all javascript, no AJAX or server side), so you could use that on your phone if you're on another computer, or copy that to your own server if you're super paranoid
Re: (Score:2)
The reason to not use a local system is that many people are not restricted to just one system. I have 3 computers that I use on a regular basis, not counting my work PC. Portability/version controlling between the systems is not impossible to do on your own, but it is annoying just the same, and for most users, it is simply easier to use a centralized service.
There do exist usb key fob devices that can encrypt your password and store it on the key fob, that way all you have to do is put the key in your usb
At the end of the day (Score:1)
There are two pretty fundamental problems with lastpass.
1. The stronger the security the less usable the system is. They could require two factor and one factor could be a username password pair where the password is at least 24 bytes, no two bytes in a row. The second factor could be an RSA token, or their grid system for one time pads seems pretty solid to me. AES-256 blockmode encrypt the user's data as one big struct with those keys and you have a data store that even if becomes completely public is l
Re: (Score:1)
LastPass gives the user the option to use all these security features (strong master password, authentication grid, fingerprint/card reader, hardware key), but they can't force the user to be secure.
The user is always the weakest link, but this doesn't mean that those who know what they are doing can't be safe.
An idea. (Score:1)
Re: (Score:1)
Here's an idea/question: Why can't Lastpass generate strong temporary passwords and send that to users?
It doesn't work that way. They would have to know your original master password in order to decrypt your database and re-encode it with the new temporary password. Since they do not know your master password, this idea fails.