LastPass master passwords may have been compromised

Status
Not open for further replies.

Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
225
the security model of lastpass is kinda outdated! look at the 1password security model . it requirers a secret key with 128 bit strength every time you want to login from a new device and the master password itself and even when the master password leaks it is used for local encryption not in the cloud. the security model of 1password is miles ahead of any other manager in the market. this incident is maybe because of what lastpass says an internal error but i myself dont trust them really shady company and really clunky password manager.
 

Dark Knight

Level 4
Aug 17, 2013
179
The reason this keeps happening to them is because the amount of users they have , if one is able to hack into LastPass the rewards would be far greater than hacking into a less known password service, so it doesn't really matter which service you use , if it stores your info online , eventually it will be targeted, the key is for the service to be prepared and protected which it seems LastPass never is.

Never store anything online that you cannot afford to lose.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
5,234
the key is for the service to be prepared and protected which it seems LastPass never is.
Let me try help and remind anyone else that can't fully grasp basic service email warning messages.

FHu-RMgq-Xo-AY7-VT.jpg


In basic plain English that means : the service worked as intended and no access or no bypass was made. If messages like that makes some people upset and more paranoid, they should avoid check Microsoft accounts. That would really make them loose it.
 

shmu26

Level 85
Verified
Honorary Member
Top poster
Content Creator
Well-known
Jul 3, 2015
8,178
25 million users or not, if you are paying a service to keep your credentials safe then it should be unhackable, doesn't matter if my account is the first to go or not, someones account will be the first to go is what matters.

It is not like this has not happened to them before and in the future I think we will eventually find this incident actually has but as of right now I think LastPass is just doing damage control.

I think it kind of silly they way you are playing it off ..... what if it was your account they decided to empty? probably wouldn't like it too much would ya?

LastPass has made Millions if not Billions of $$ storing peoples lives but yet cannot ever seem to get their house in order, use their service and you deserve whatever happens.

I would almost bet my bottom dollar the owner of LP doesn't even use his own service.
I don't pay for the service, I am on the free version.

Yes, there are people who have good memories, and don't tend to fumble and forget when under stress and time pressure. For them, the risk of an online password manager may be greater than the benefit of easy access to critical web services. It is the individual's decision when it comes to questions of risk management such as this.
 

Azure

Level 27
Verified
Top poster
Content Creator
Oct 23, 2014
1,629
Let me try help and remind anyone else that can't fully grasp basic service email warning messages.

FHu-RMgq-Xo-AY7-VT.jpg


In basic plain English that means : the service worked as intended and no access or no bypass was made. If messages like that makes some people upset and more paranoid, they should avoid check Microsoft accounts. That would really make them loose it.
People are mostly concerned about the part that says “someone just used your master password”.

It’s great that the access was blocked. But they still want to know how anyone managed to get their passwords in the first place.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
5,234
People are mostly concerned about the part that says “someone just used your master password”.

It’s great that the access was blocked. But they still want to know how anyone managed to get their passwords in the first place.
Rants, account deletions info and other service advertising along with crystal clear disinformation. Not what I would call and interpret as " concerned ".
 

Gandalf_The_Grey

Level 64
Thread author
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 24, 2016
5,347
We probably will never know what really happend.

The best users of LastPass can do is change their master password AND turn on 2FA.
Check your master password and your emailadres at "have i been pwned?".

Recently RedLine Stealer malware logs were added containing thousands of LastPass login pairs:

 

wat0114

Level 8
Verified
Well-known
Apr 5, 2021
363
Is 2FA really that necessary if a very strong - especially length - master pw is used? I ran mine through a couple different pw strenth test sites and the minimum time to crack it was a million years! I did assume this would be offline cracking. Honestly it seems like a lot of overreaction to this, though I'm one to talk, as this thread resulted in me switching to KeepassX(Linux) & Keepass 2 (Windows) :D
 

Gandalf_The_Grey

Level 64
Thread author
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 24, 2016
5,347
Is 2FA really that necessary if a very strong - especially length - master pw is used? I ran mine through a couple different pw strenth test sites and the minimum time to crack it was a million years! I did assume this would be offline cracking. Honestly it seems like a lot of overreaction to this, though I'm one to talk, as this thread resulted in me switching to KeepassX(Linux) & Keepass 2 (Windows) :D
In case a (master) password is leaked, 2FA is second level of defense against account takeover.
I have and advice others to enable 2FA on all important accounts like email, social media and passwordmanagers :D
 

wat0114

Level 8
Verified
Well-known
Apr 5, 2021
363
In case a (master) password is leaked, 2FA is second level of defense against account takeover.
I have and advice others to enable 2FA on all important accounts like email, social media and passwordmanagers :D
I agree 2FA indisputably adds security on the password, but I am really curious how long it take to crack a leaked 13-15 character, well hashed encrypted pw. I get the feeling 2FA is mostly >realistically< necessary only for much shorter passwords, say only 8 characters, although I know LP requires longer than this.
 
Last edited:

Gandalf_The_Grey

Level 64
Thread author
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 24, 2016
5,347
I agree 2FA indisputably adds security on the password, but I am really curious how long it take to crack a leaked 13-15 character, well hashed encrypted pw. I get the feeling 2FA is mostly necessary only for much shorter passwords, say only 8 characters, although I know LP requires longer than this.
I agree with your post, but the rumors say that they are leaked and used, highly unlikely, but again not real issue with 2FA.
 

cruelsister

Level 40
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 13, 2013
2,902
(note: this post is only directed to a LastPass user who may be rightfully and understandably concerned, as I'm certain that Old Hands here will find the below Intuitively Obvious and thus not needed).

The main issue with LastPass may be that the LP user may be defeating any security provided by LP by storing the master password locally. So see see this could be the case, try to open the Password Vault. If the vault opens in the default browser AND the login credentials are populated by the browser this obviously could be an issue if one is affected by a credential stealer (like Redline).

So for any LP users so effected (and want to continue with LP), best practice would be to:
1). Delete any reference to Lastpass in the browser password section
2). Change Password (duh...)
3). Store the changed login credentials locally (easiest thing here would be to create text file and save it somewhere on the drive as a password protected archive)
4). When going back into the vault, cut and paste the previously saved credentials. disregarding saving the same to browser
5). Always and Forever use an outbound alerting firewall as any keyloggers, credential stealer, etc will be ineffective if outbound connections are blocked for it.
 
Last edited:

JB007

Level 25
Verified
Top poster
Well-known
May 19, 2016
1,459
I'm wondering if antivirus suites' password managers are more secure ?
(Norton, Kaspersky, Bitdefender...)
 
  • Like
Reactions: Nevi

CyberTech

Level 38
Verified
Top poster
Well-known
Nov 10, 2017
2,720
Thanks @CyberTech
And do you know if it exists an easy way to delete all passwords stored in password managers (AV suites or softwares) ?
There is a way to delete passwords/notes/logins/etc list in the vault so it would take a long if you have alot of saved password item.
 
  • Like
  • Thanks
Reactions: Nevi and JB007

JB007

Level 25
Verified
Top poster
Well-known
May 19, 2016
1,459
There is a way to delete passwords/notes/logins/etc list in the vault so it would take a long if you have alot of saved password item.
If my understanding is right you mean that the only solution is to delete manually every password stored ?
If I close/delete my account , my passwords/informations are not deleted ?
 
Status
Not open for further replies.
Top