LastPass Separates From GoTo
LastPass, the password manager company, has officially separated from its parent company, GoTo, following a series of high-profile hacks in recent years. The company will now operate under a shareholder holding company called LMI Parent.
LastPass -- owned by private equity firms Francisco Partners and Elliott Management -- has faced criticism for its handling of the breaches, which resulted in the theft of customer data and encryption keys. The company has since enforced a 12-character minimum for master passwords to improve security.
Wait, encryption keys were stolen? (Score:3)
Wait, encryption keys were stolen? I thought it was only the encrypted data that was stolen, which, for the foreseeable future, is worthless.
Re: (Score:3)
Well, there are password managers and then there are things that pretend to be password managers. LastPass is in the second group.
Re: (Score:2)
I beg to differ. Lastpass data is encrypted on the client. There is no way anyone can use the stolen Lastpass data without the encryption key, barring some breakthrough like quantum computing.
But, still, the fact that the data was stolen more than twice is concerning, but it's a testament to their successful security model for the actual storage of passwords and data.
Re: (Score:2)
Hahah, no, I just happen to know how cryptography works.
Stolen encrypted data is worthless.
Password cracking is an option, but the chances of breaking passwords is very small.
Nice ad hominem you used, there.
Re: (Score:1)
Password cracking is an option, but the chances of breaking passwords is very small.
There really is nothing I need to add here. You _are_ stupid and have no clue how things work in the real world.
Re: Wait, encryption keys were stolen? (Score:1)
Password cracking is easy because the majority of people use a short, guessable password (insert correcthorsebatterystaple XKCD here).
With a $500 GPU you can guess close to 2M dictionary variation passwords per second (that is dictionary words with things like 0 and o replaced). The LastPass may be 12x hashed or whatever they say it is, it is relatively trivial for 8 character passwords.
Re:Wait, encryption keys were stolen? (Score:5, Informative)
PBKDF2 is used to iterate password attempts to attempt bruteforcing. Over time, as computing power has increased, the number of PBKDF2 iterations needed to effectively deter bruteforcing has increased. As of Feb 2023, that recommendation was 600K iterations of PBKDF2 with SHA-256. LastPass did 101K - on newer accounts. It originally started at one. In June of 2012, they increased it to 500, and in June of 2013, to 5,000 iterations. The recommended minimum iteration count was 1000 in 2011, according to security experts. In July of 2018 they increased it to 101,000 - but despite saying they would retroactively increase older accounts, they never did, at least not consistently.
Compounded with the fact that the genius designers at LastPass did not consider the URI to be sensitive info, huge for data breaches. The account email was unencrypted (had to be), so when combined that vault for coopjust@example.org has a login for say, the website of a particular financial institution - that becomes tremendously useful for either attempting bruteforcing of other password leaks (credential stuffing lists), to use in tandem with other data leaks (address, phone) for social engineering, or to decide if there's so many juicy sites like cryptocurrency exchanges that it may be worth using distributed computing to crack a vault. Indeed, LastPass users had their crypto keys stolen after the breach [cybernews.com].
With the average password having only 40 bits of entropy, the time to crack a 500 entropy password vault would be less than $750 in computing time these days (Wladimir Palant has an excellent writeup on the entire breach [palant.info]). When enhanced by the unencrypted URIs making it obvious which vaults may be more worthy of attack for that computing effort (combination of sites and how weak the PKBDF2 setting was), then unscrupulous people can selectively target what they want to bruteforce.
The entire thing is a trainwreck, LastPass has consistently fucked up from a security perspective, and should be utterly discarded as a company worth trying. The whole thing started in terms of the breach in them allowing a critical engineer to just log into his work VPN/servers from a non-corporate owned home PC running an outdated version of Plex. Their security promises are hollow and illusory. Run, don't walk.
Re: (Score:2)
I always thought that the idea of the client being a browser extension was a terrible idea too. If it's a separate app then at least it's outside the browser processes. In fact when Lastpass got started, Firefox was still single process and using the extremely insecure old plug-in system, and Google Chrome was brand new.
Re: (Score:3)
No, not "Lastpass data", only "Lastpass passwords" are encrypted or were at the time of the latest breach. Most or everything else, including notes like URLs to authentication pages, are or were not, opening the doors wide for intruders to see where it might be worth setting brute force attacks going even if they couldn't get the actual passwords. And that is about the opposite of a "successful security model" except if you'd see success as getting the most money for the cheapest job.
Re: (Score:2)
That's weird because "secure notes" are stored under the very same encryption keys that are used to secure the entire Lastpass Vault.
I feel like this journalist is mistaken.
Re:Wait, encryption keys were stolen? (Score:4, Informative)
Combine that with LastPass' minimum password strength requirement only being 8 characters prior to the breach and you have a recipe for bruteforcing.
Even if you don't blame LastPass on people having weaker master passwords than they should (which if the point of client side encryption is that it does, your password manager should enforce a reasonably secure minimum standard), the lack of continuing PBKDF2 iterations left many accounts with stronger master passwords subject to bruteforcing. When combined with the fact that URIs were left unencrypted for vault items, it created a recipe for disaster in terms of bad actors knowing which vaults were likely to contain valuable credentials.
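The two "Informative" comments above make the same two points: the PBKDF2 iteration count sets the per-guess work factor and lags the 600K recommendation on older accounts, and the count cannot be raised retroactively without the master password because a different iteration count produces a different vault key. The following is an added example (not LastPass code, not from any commenter) that shows both with Python's standard-library PBKDF2-HMAC-SHA256: an audit of a vault's iteration setting against the recommendation, a constructed `VaultRecord` stand-in holding a salt, an iteration count and a key verifier, and a hypothetical `rekey_on_login` that can only upgrade the count when the correct master password is presented. The 12-character minimum check mirrors the figure in the article; all names and the record layout are assumptions for illustration.

```python
import hashlib
import os

# Iteration counts quoted in the thread and the Feb 2023 recommendation it cites.
LASTPASS_ITERATION_HISTORY = {2012: 500, 2013: 5_000, 2018: 101_000}
RECOMMENDED_ITERATIONS_2023 = 600_000
MIN_MASTER_PASSWORD_LENGTH = 12  # the minimum the article says LastPass now enforces


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, 32-byte output. The output depends on the iteration
    count, which is why the count cannot be raised without the password."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def audit_iteration_count(iterations: int,
                          recommended: int = RECOMMENDED_ITERATIONS_2023) -> dict:
    """Report how far a vault's KDF setting lags the recommendation.
    'attacker_speedup' is how many times cheaper each offline guess is
    compared with a vault derived at the recommended count."""
    return {
        "iterations": iterations,
        "meets_recommendation": iterations >= recommended,
        "attacker_speedup": recommended / iterations,
    }


def master_password_acceptable(password: str,
                               min_length: int = MIN_MASTER_PASSWORD_LENGTH) -> bool:
    """Client-side minimum length policy; 8 characters was the pre-breach figure."""
    return len(password) >= min_length


class VaultRecord:
    """Constructed stand-in for a server-side vault record (hypothetical layout):
    a per-user salt, the iteration count, and a verifier derived from the vault
    key. A real record would also hold the vault ciphertext, which would need
    re-encryption under the new key on every rekey."""

    def __init__(self, master_password: str, iterations: int):
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.key_check = self._verifier(master_password, iterations)

    def _verifier(self, master_password: str, iterations: int) -> bytes:
        key = derive_vault_key(master_password, self.salt, iterations)
        return hashlib.sha256(key).digest()  # store a hash of the key, never the key


def rekey_on_login(record: VaultRecord, master_password: str,
                   target_iterations: int = RECOMMENDED_ITERATIONS_2023) -> bool:
    """Upgrade the iteration count, which is only possible while the client holds
    the master password (i.e. at login). Returns True if the record was upgraded."""
    candidate = record._verifier(master_password, record.iterations)
    if candidate != record.key_check:
        return False  # wrong password: nothing can be re-derived, leave the record alone
    if record.iterations >= target_iterations:
        return False  # already at or above the target
    record.iterations = target_iterations
    record.key_check = record._verifier(master_password, target_iterations)
    return True


if __name__ == "__main__":
    for year, count in LASTPASS_ITERATION_HISTORY.items():
        print(year, audit_iteration_count(count))
    rec = VaultRecord("correct horse battery staple", LASTPASS_ITERATION_HISTORY[2013])
    print("upgraded:", rekey_on_login(rec, "correct horse battery staple"), rec.iterations)
```

The point of `rekey_on_login` is the operational one the commenter raises: a server can flag every vault still sitting at 5,000 iterations, but it cannot fix them on its own, so any "retroactive increase" is really a per-user migration that only completes when that user next logs in.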
Migrate from LastPass (Score:4, Informative)
I lament how this may cause some to go back into the stone age with memorized-passwords rather than use a password manager. Password managers, by and large, are far more secure for the average user than the alternatives -- provided they're properly used. This means no reusing passwords on multiple sites, which is the #1 way people and companies get hacked.
Re: (Score:2)
I used to use and advocate LogMeIn until they priced home lab users out of their price range.
As an aside, I now use and advocate Splashtop and RemotePC instead of LogMeIn or whatever they're calling it now.
Re: (Score:2)
You mean the fiscally mismanaged country willing to repeatedly issue bonds and within only a few years decide to make them worthless, attempting to force bond holders into a pennies-on-the-dollar deal multiple times, only to reissue new bonds and do the same thing over again?
Argentina deserves just as much fault in that series of events.
GoTo Considered Harmful? (Score:2)
Edgar Dijkstra would be spinning in his grave if he was dead.
Re: (Score:3)
Edgar Dijkstra [linkedin.com] is alive and well. Edsger Dijkstra [wikipedia.org] sadly passed away in 2002.
LogMeIn buying Lastpass was the end of them (Score:2)
They ruin everything they touch.
Doubling pricing year over year while at the same time they stop investing in the product is their guiding principle.
And while the passwords stored were encrypted, some metadata was available in the stolen data with minimal encoding indicating the website addresses stored. Often those website URLs contain sensitive info and it also indicates to the hacker if the data is worth investing in.
Don't care (Score:2)
Re: (Score:1)
Or use keepassxc + keepassdroid with a webdav share to host a kdbx, backed by a second factor with yubikeys (nano and nfc). Both offer great integration matching Lastpass' extensions, and the android/keyboard add-ons bridge any gaps. I just mount a davfs share to point the database file and everything just works.
I'd trust that over any stack hosted by a third party.
People still use Lastpass? (Score:2)
Why would you use Lastpass when things like Bitwarden and ProtonPass etc exist?
Following a series of high-profile hacks (Score:2)
Why is Lastpass storing your unencrypted passwords on a server?
Re: (Score:2)
Why is Lastpass storing your unencrypted passwords on a server?
Spoiler alert: They aren't.
Re: (Score:2)
“In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data [krebsonsecurity.com] for more than 25 million users”
Re: (Score:3)
Yes. There was unencrypted data.
But the unencrypted data was not the passwords.
It's still not a good look for them, or good news, or anything but a fail on their part.
But it's also not what you imply it was.
Why did you steal from the bank? (Score:2)
Because that's where the money is.
Increasing password length to 100 characters wouldn't help if the hackers are stealing directly from LastPass.
Just as well (Score:2)
LastPass Separates From GoTo
Granted, this GoTo might not be as risky [xkcd.com] as others, but why chance it.
It doesn't matter (Score:2)
One year they wanted to charge me ~$30, when they had a deal that US customers could pay ~$3. They refused to match the offer, and insisted I either pay, or, they'd take my “Family Account” away. A week later I was on
With this also comes name change... (Score:2)
they will now be called Lastgasp.