LastPass compromised?

Shit. Not a good past few weeks.

Dang. :( Do a lot of people use this?

Oh shit.

Edit: Actually, now that I read that, it’s almost certainly not a big deal for me. I just started using this service a couple of months ago (and now have a hard time imagining how I lived without it), so I hope I don’t feel compelled to dump it…

I like the tone of the blog post. “It’s probably not a big deal, but blah blah technical mumbo jumbo LOST YOUR SALTED PASSWORD AND THE SALT blah blah can’t be sure”.

Phone server on same network as DB server.

I use Lastpass on all my machines and what bothers me most about this is that they didn’t want to bother users by sending out an email notifying them about this and forcing a master password change. Please, if you are storing all my passwords and you think you may have been compromised, bother me with an email.

Man, and I JUST switched to 1Password last week. Lucky, I guess. Is anything secure out there? Anything at all?

KeePass in your Dropbox.

To be fair, it looks like even if someone managed to get your encrypted blob from LP they still would need to crack it, which is nigh impossible unless you used a dictionary-ish word for your ultra secure master password (or maybe they happen to be the NSA).
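
The point above, that a stolen encrypted blob (or a salted hash plus its salt) only helps an attacker whose guesses can reach the master password, can be seen by simulating the offline attack. The following is an added example, my own code and not LastPass's or anything from the original post. It assumes a single salted SHA-256 over the master password as the "weak" scheme (the page does not say what LastPass actually used), contrasts it with an iterated PBKDF2 derivation, and uses a constructed salt and a tiny constructed dictionary; the hash rates it prints come from whatever machine runs it.

```python
import hashlib
import hmac
import time

# Constructed sample data (not from the page): a per-user salt and a small
# attacker dictionary. The thread only says a salted password hash and its
# salt were exposed; the actual scheme is not on the page, so the "weak"
# construction below (one SHA-256 over salt||password) is an assumption used
# for contrast with an iterated KDF.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SAMPLE_DICTIONARY = ["letmein", "monkey", "dragon", "password123", "qwerty"]


def salted_sha256(password: str, salt: bytes) -> bytes:
    """One SHA-256 over salt||password: each guess costs one hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: each guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def dictionary_attack(target: bytes, salt: bytes, words, kdf):
    """Offline attack: re-derive each candidate with the leaked salt and compare.

    Returns the matching word, or None if nothing in `words` matches. The salt
    does not slow this down at all; it only stops precomputed tables from
    being reused across users.
    """
    for word in words:
        if hmac.compare_digest(kdf(word, salt), target):
            return word
    return None


def expected_guesses(alphabet_size: int, length: int) -> float:
    """Average guesses to hit a uniformly random password by brute force."""
    return alphabet_size ** length / 2


def seconds_to_crack(guesses: float, guesses_per_second: float) -> float:
    """Expected wall-clock time for `guesses` at the given attacker rate."""
    return guesses / guesses_per_second


def measure_rate(kdf, salt: bytes, samples: int) -> float:
    """Rough guesses per second for `kdf` on this machine (single core)."""
    start = time.perf_counter()
    for i in range(samples):
        kdf(f"candidate{i}", salt)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # A dictionary-word master password under the single-hash scheme falls
    # as soon as the attacker's wordlist reaches it.
    leaked = salted_sha256("password123", SALT)
    print("dictionary hit:", dictionary_attack(leaked, SALT, SAMPLE_DICTIONARY, salted_sha256))

    # A random 12-character password from a 72-symbol alphabet: expected
    # brute-force time under both schemes, using the rate measured here.
    for name, kdf, samples in (
        ("salted SHA-256", salted_sha256, 20_000),
        ("PBKDF2 100k   ", pbkdf2_sha256, 10),
    ):
        rate = measure_rate(kdf, SALT, samples)
        years = seconds_to_crack(expected_guesses(72, 12), rate) / 3.15e7
        print(f"{name}: ~{rate:,.0f} guesses/s -> ~{years:.3g} years for a random 12-char password")
```

The dictionary run shows why the thread keeps asking whether the master password is a dictionary word: the salt is known, so a wordlist of a few million entries is checked in seconds under a single-hash scheme. The second loop shows the other half of the argument, that a long random password is out of reach under either scheme, and that an iterated KDF buys the additional factor of `iterations` per guess for the middling passwords in between.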

I wonder if this also affects Xmarks which stores my passwords too.

Why would you ever store your passwords in another program? The very concept seems bizarre, imo. It’s like writing down your ATM PIN on a card and keeping it in your wallet.

Because once you start using unique passwords for everything, you suddenly discover that you need many dozens, if not hundreds of them, and it becomes impractical to manage them by memorization or mnemonics.

You do have to be careful though, since now all they need to do is compromise your database through, say, a custom keylogger and now they’ve got all of your passwords. I haven’t heard of any such thing actually existing in the wild yet, but the risk will probably increase as they become more popular.

I use a password manager, but I’m paranoid enough that I only use it from my Linux box (the ‘pwsafe’ package), accessing it via SSH whenever I need to get a password.

It allows you to use unique passwords at multiple less-than-secure sites at the expense of having a single point of attack with a highly complicated password. You get the benefit of only having to remember one complex password, and if any of the sub-locations are compromised it doesn’t compromise any of the other sites.

Obviously if your master store is compromised you are SOL, though that is why you use a complex password on it and hopefully use secure storage.

It’s nothing like that. At all.

The key to hiding your PIN in your wallet is by writing a person’s name and then a fake phone number, the last six digits of which are your PIN. It’s foolproof!

This is the winner.

I’m also amazed that people would trust some random third-party start-up place with all their passwords. Something like KeePass, I can see, because it’s all under your control – but giving it over to a bunch of random dudes with a website? Seems to me that you’re better off using a small set of passwords that only you know than a large set that you’re sharing with random people.

1Password keeps it in your control as well. It stores the passwords in a file that I then keep in my Dropbox folder.

That’s what I do. For “random website w/ no credit card information associated” I always use the same password.

Personally, I think using a single password (or two) is worse. I don’t have the same level of trust for every single website I use. I just looked at my LastPass list of sites: I’ve got over a hundred sites in there, many of which are crappy little startups like Twitter. I certainly don’t want to be using the same password on Twitter that I’m using for my online banking, mainly because I don’t trust Twitter to not get hacked.

Do I trust LastPass? Since security is their one and only business, yes, I trust them more. Of course there’s still risk, but it seems like the best solution to me.

If what they say is true, then I’m not too worried about this potential breach, as my password is not a dictionary word. Here’s hoping.