The Core

Why We Are Here => Hardware & Technology => Topic started by: bill on June 16, 2015, 12:42:22 AM

Title: LastPass hacked: change your passwords
Post by: bill on June 16, 2015, 12:42:22 AM
Agrh. Not fun to wake up to this news. LastPass issued a security notice saying that account email addresses, password reminders, server per user salts, and authentication hashes were compromised. I'm not too worried about my account contents, but it's a bit of a pain to have to acclimate to a new master password.

https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
Title: Re: LastPass hacked: change your passwords
Post by: ergophobe on June 16, 2015, 04:26:20 AM
Quote
If you’ve used a weak, dictionary-based master password (e.g. robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites, you need to update it.

Just being extra cautious? They say no encrypted data was stolen, so why change your master password?

Better measure is to enforce two-factor auth, but that goes against both user wishes (still working on getting a certain someone to use it) and their business model (mostly a premium feature).
Title: Re: LastPass hacked: change your passwords
Post by: bill on June 16, 2015, 04:44:55 AM
All that was accessed was email addresses, password reminders, server per user salts, and authentication hashes. So, the only thing that could possibly be compromised here is the master password to your account if, and this is a big if, the bad guys could guess your password quickly. If you change the master password, then the salt and hash changes and they're left with useless data (your old password).

Every LastPass user gets a different salt and hash for their password. Therefore, there are no master rainbow tables the hackers could use. They'd have to brute-force each and every user, which would be extremely time consuming, and nearly impossible if you're using a difficult master password. The suggestion that you change your master password is more of a suggestion in the eventuality that someone at some time was able to get your individual account and figure out your password.
Title: Re: LastPass hacked: change your passwords
Post by: BoL on June 16, 2015, 09:06:15 AM
I'd definitely change your master password. Do you know what encryption they use? A $200 graphics card can do something of the order of 2 billion guesses a second. I've read of setups that do 100B+ a second. I'd only feel relatively safe if my remaining portion of the entire password string is 16+ characters or more.

Perhaps the prize for a cracker is a little bigger, as they're not getting access to one account but many.
Title: Re: LastPass hacked: change your passwords
Post by: Rupert on June 16, 2015, 10:39:01 AM
I am relaxed about this.

Perhaps naively.

But my master password cannot be guessed. Even with the clue, it does not narrow it down to anyone but me.

So really, if they knew I was using lastpass before, they had my email address anyway.

Also, I have secondary auth for banking, and almost anything else is just stuff. They might be able to embarrass me by posting on Facebook. Lose clients for me, but gain themselves?

Ah, of course, they could hack loads of sites for links :)
Title: Re: LastPass hacked: change your passwords
Post by: BoL on June 16, 2015, 05:44:21 PM
>relaxed

I read a bit more about it and it seems there is an 'extra' layer of security with this particular platform, the 100K iterations that are done.

http://blog.erratasec.com/2015/06/should-i-panic-because-lasthash-was.html?m=1

Still, the cracking types are competitive and they look to compare % of the DB deciphered. Anyone who has a relatively insecure master password (in regards to dictionary or entropy) 'should' change it.
Title: Re: LastPass hacked: change your passwords
Post by: ergophobe on June 16, 2015, 08:16:05 PM
>>the 100K iterations that are done

That's settable as well. I think the default is lower. But the key point is that the hash is rehashed so it burns extra CPU time making guesses.

In terms of encryption, I thought I had read it was SHA-256 rehashed multiple times, but when I went looking I couldn't find confirmation.

If I can use this instance to get my certain someone to enable 2-factor, I think we'll be more secure.

At this point having LastPass or a primary email address (one used for password resets) not protected with 2-factor is just plain foolish. I know Bill has opinions on which 2-factor is better, but I feel like any 2-factor gives a huge bump in security and the number of people who are going to crack both a strong password and your crappy second factor is not much different than the people who can crack a strong password and a really good second factor.
Title: Re: LastPass hacked: change your passwords
Post by: bill on June 16, 2015, 10:44:24 PM
>>the 100K iterations that are done

That's settable as well. I think the default is lower. But the key point is that the hash is rehashed so it burns extra CPU time making guesses.

100K times PBKDF2 is what LastPass uses on their servers for your stored data. On your local client the password iterations setting controls how many times your credentials are hashed using PBKDF2 before being sent to LastPass servers. The recommended value is 5000. I set it much higher than that, but you're right that the default is lower. PBKDF2 uses a hash called HMAC-SHA-256 as the hashing function inside PBKDF2. The recommendation is to use at least 10,000 iterations of the hash function for "stretching" (time-consumption) purposes to slow down even the GPU process of guessing. LastPass exceeded this recommendation a bit. Essentially they're using best practices, and then some.

If I can use this instance to get my certain someone to enable 2-factor, I think we'll be more secure.

Well, in this case having 2FA enabled would more than double the security measures in place because in addition to overcoming all of the LastPass encryption they'd also have to have access to your local 2FA device to find out if their guess was correct. You really should have 2FA for everything that supports it. It's not always implemented in the best way, but when it is you're really stepping up the security of your accounts. It's such a small step to take.

In addition to the 2FA LastPass will let you limit the IP addresses you can connect from. You can even limit the access by country. And it's probably a good idea to block logins from Tor.

In the Advanced settings you can set up a separate security e-mail:
Quote
The security email address is a secondary email address that you can associate with your LastPass account. The security email address is meant to be used to receive your LastPass multifactor authentication emails and other security emails. Because the security email address is separate from ones that you use on a regular basis, and different than your account email address, its obscurity is intended to provide an extra layer of protection for your LastPass account.

Set all that up and it's going to be real tough for the bad guys to even begin messing with your account, even if they managed to crack your password...which once you change, won't be of much use to them but an exercise of their GPU cycles.
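A simplified model of the two-stage PBKDF2 stretching and per-user salting described in the posts above, as an added example that is not code from the thread or from LastPass; using the lower-cased account email as the client-side salt and a random 16-byte server-side salt are assumptions, and the iteration counts are the ones quoted in the post.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration, not LastPass's code: the exact inputs LastPass feeds
# to PBKDF2 are an assumption here; the iteration counts come from the post.
CLIENT_ITERATIONS = 5000     # client-side "password iterations" (recommended value)
SERVER_ITERATIONS = 100_000  # server-side rehash of what the client sends


def client_auth_hash(master_password, email, iterations=CLIENT_ITERATIONS):
    """Stage 1, on the user's machine: PBKDF2-HMAC-SHA256 over the master
    password. Assumption: the lower-cased account email is the salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations)

def server_stored_hash(auth_hash, per_user_salt, iterations=SERVER_ITERATIONS):
    """Stage 2, on the server: rehash the received value with a random
    per-user salt, so identical passwords never share a stored hash."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, iterations)

def enroll(master_password, email):
    """Create (or rotate) a user's record: a fresh salt plus the stored hash.
    Rotating the master password therefore changes both salt and hash."""
    salt = secrets.token_bytes(16)
    return salt, server_stored_hash(client_auth_hash(master_password, email), salt)

def verify(candidate, email, salt, stored):
    """Constant-time comparison of a login attempt against the stored record."""
    guess = server_stored_hash(client_auth_hash(candidate, email), salt)
    return hmac.compare_digest(guess, stored)

def seconds_per_guess(iterations):
    """Cost an offline guesser pays per candidate at a given iteration count."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"candidate", b"salt", iterations)
    return time.perf_counter() - start

if __name__ == "__main__":
    email, old_pw = "alice@example.com", "correct horse battery staple"  # constructed
    salt, stored = enroll(old_pw, email)
    print("login with current password:", verify(old_pw, email, salt, stored))
    new_salt, new_stored = enroll("a different master password", email)
    print("old password after rotation:", verify(old_pw, email, new_salt, new_stored))
    for n in (CLIENT_ITERATIONS, SERVER_ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

Two users with the same master password get different stored hashes because of the per-user salt, which is why a single precomputed table is of no use against the leaked data.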
Title: Re: LastPass hacked: change your passwords
Post by: ergophobe on June 17, 2015, 01:44:32 AM
Check. I was thinking not of the Lastpass reset email, but all the accounts where your account email is your password reset email and all the places where you can't have 2FA (Amazon is a major one that has CC info but no 2FA for the main Amazon store, just AWS). Any email address being used as a password reset for things like that should be 2FA.

Which raises the question... which places do I care about and which ones don't I? I realize that depends. If you have a Twitter account worth $50K, then you need to protect it.

http://gizmodo.com/how-i-lost-my-50-000-twitter-username-1511578384

If, like me, you hardly ever post and couldn't care less if you lose it, why bother?

But I think a lot of people think that about say their personal email, forgetting that you can use it to get a password reset from your bank, which then gives them the keys to your financial kingdom. Or in the case of the Twitter guy, he didn't think his DNS settings on a domain he was only using to route email really mattered that much.

So... things that need to be locked down:

 - your password manager
 - your email accounts that are linked to anything sensitive or linked to anything that is linked to something sensitive (banking).
 - DNS
 - server admin/hosting
 - financials - banking, investments, pension funds

What am I missing? So many of these accounts don't have any additional verification still and in some cases the additional verification is an emailed code, so if your email goes, you're screwed.
Title: Re: LastPass hacked: change your passwords
Post by: bill on June 17, 2015, 04:15:56 AM
Here's a handy list of about 100 popular sites that accept two-factor authentication, and how to turn it on:

https://www.turnon2fa.com/

Here's a list of categories they have on the site:

Backup and sync
Financial
Cloud computing
Communication
Cryptocurrencies
Developer
Domains
Education
Email
Gaming
Government
Health
Hosting
Identity management
Investing
Payments
Remote access
Shopping
Social media

I'd think you'd want all of them. It might take a bit to set up initially, but then you're done.
Title: Re: LastPass hacked: change your passwords
Post by: BoL on June 17, 2015, 10:37:49 AM
Will you keep using them Bill?
Title: Re: LastPass hacked: change your passwords
Post by: bill on June 17, 2015, 01:16:43 PM
Yeah. They're handling security right from what I can see. They noticed some suspicious activity, locked everything down and took the precaution of notifying everyone for the worst case scenario regardless of the reputation hit they might take. There's no proof that anything was actually taken, but the possibility exists so they warned us. I see no reason to drop them due to this incident.
Title: Re: LastPass hacked: change your passwords
Post by: ergophobe on June 17, 2015, 04:54:14 PM
Which is how they reacted when they had evidence of an attempted intrusion a couple years (?) back even though they suspected that nothing was taken.

All of this does highlight, however, that the notes to your logins (not your Secure Notes, but the "notes" field) is not a place to store info you don't want to get out.

Quote
Yeah. They're handling security right from what I can see. They noticed some suspicious activity, locked everything down and took the precaution of notifying everyone for the worst case scenario regardless of the reputation hit they might take. There's no proof that anything was actually taken, but the possibility exists so they warned us. I see no reason to drop them due to this incident.
Title: Re: LastPass hacked: change your passwords
Post by: Rupert on June 18, 2015, 05:59:14 AM
Quote
All of this does highlight, however, that the notes to your logins (not your Secure Notes, but the "notes" field) is not a place to store info you don't want to get out.

Which I was not aware of.... thanks.
Title: Re: LastPass hacked: change your passwords
Post by: bill on June 18, 2015, 08:28:49 AM
Quote
All of this does highlight, however, that the notes to your logins (not your Secure Notes, but the "notes" field) is not a place to store info you don't want to get out.

Which I was not aware of.... thanks.
Good tip.

I use LastPass to generate gibberish for those fields on other sites. What's my mother's maiden name? */d3*mQ<!23Gp  ::)
Title: Re: LastPass hacked: change your passwords
Post by: ergophobe on June 18, 2015, 03:40:15 PM
Quote
I use LastPass to generate gibberish for those fields on other sites. What's my mother's maiden name? */d3*mQ<!23Gp  ::)

I do that too and a couple of other things that I am now leery of. My reading of all this is Lastpass does an amazing job with compartmentalizing data so that passwords are on separate machines from account login URLs (based on the last suspected intrusion and their reporting of it) for example.

I realized in reading around about this that I'm sometimes using notes in ways for which they were not designed and that means I'm potentially defeating some of the security measures LastPass takes on my behalf. So Secure Notes are secure, but I think Notes are less secure, more similar to the protection on your account URLs than on your password and username.

I'm not 100% certain on that, but reading between the lines, I think the conservative assumption is to assume that your Notes are safer than 99% of the places you would keep them (Dropbox, Google Docs, email, etc), but not as secure as your password.
Title: Re: LastPass hacked: change your passwords
Post by: ergophobe on June 18, 2015, 03:53:52 PM
Actually, I might be wrong about that.
https://forums.lastpass.com/viewtopic.php?f=12&t=171945&p=569945&hilit=notes#p569945

I have no idea who jpenny84 is and I haven't found anything official.

For example, the help page for Secure Notes says (my emphasis)

Quote
Since all sensitive data is encrypted locally on your computer with the key that only you know before it is sent to LastPass, you can store your most sensitive data with the knowledge that it is completely safe.

https://helpdesk.lastpass.com/secure-notes/

I can't find anywhere official that tells me whether or not the Notes on a normal login are considered sensitive and whether or not they have the same level of encryption and what level of compartmentalization they have from other data.

My concern is less with encryption than with compartmentalization. One of the main strengths of LP, according to my possibly incorrect understanding, is that passwords and usernames and "other data" are on three different sets of machines. What I worry about with Notes is that if the notes have enough info to allow for a login, they might be stored together with the "other data" which would include the account URL. So you're defeating LP's compartmentalization of data.

It's like if you're running a spy network and you have three separate cells that don't communicate with each other so if you bring one down, you can't bring all three down. And then you assign them all the same PO Box somewhere to get their mail.

Could be totally wrong, but until proven wrong that's the assumption I'm operating under.
Title: Re: LastPass hacked: change your passwords
Post by: ergophobe on June 18, 2015, 08:21:57 PM
BTW, not to beat this to death, but if you are changing your master password, it's worth reading this first:

https://blog.agilebits.com/2011/08/10/better-master-passwords-the-geek-edition/

[edit - the above link is a decent article, but the wrong one]
https://blog.agilebits.com/2011/06/21/toward-better-master-passwords/
[/edit]
Title: Re: LastPass hacked: change your passwords
Post by: bill on June 19, 2015, 01:01:40 AM
Quote
I realized in reading around about this that I'm sometimes using notes in ways for which they were not designed and that means I'm potentially defeating some of the security measures LastPass takes on my behalf. So Secure Notes are secure, but I think Notes are less secure, more similar to the protection on your account URLs than on your password and username.

I'm not 100% certain on that, but reading between the lines, I think the conservative assumption is to assume that your Notes are safer than 99% of the places you would keep them (Dropbox, Google Docs, email, etc), but not as secure as your password.

I think you're getting confused here. During the breach announced July 15, one of the elements that was leaked was password reminders (a type of notes field). Some people will put some really revealing info in there that might help password crackers guess their master password. Some people will even put their password in there! That password reminder data was not encrypted by LastPass.

They separate your master password hash, e-mail, and password reminder, salt, etc. from the main encrypted blob of your account, which contains all your data. Secure Notes, and the notes you add to password records, and everything else inside your LastPass account is all hashed and encrypted locally on your machine and sent to LastPass as one big encrypted blob of data (which they further hash). There's no difference in encryption because everything is all lumped together in one blob, then encrypted. 

Secure Notes are a great place to store info. When I travel I'll take a photo of my passport and visa documents and tickets and save it to a Secure Note. Then I can access that from anywhere if there is an issue. A Secure Note allows attachments. A regular password record has a Notes field, but doesn't allow attachments. That's the only major difference between the two.
Title: Re: LastPass hacked: change your passwords
Post by: ergophobe on June 19, 2015, 03:46:04 PM
Quote
I think you're getting confused here.

I think I was too ;-)

Thanks for the explanation.