Password manager LastPass goes titsup: Users locked out

Popular password management service LastPass went on the blink today, leaving users locked out of their accounts. Reg reader Tim Stephenson, head of IT at Liftshare, told us that the firm’s employees had experienced timeouts trying to access the site, browser plugins weren’t responding and users couldn’t authenticate …

  1. Robert E A Harvey

    Lastpass

    I thought lastpass was pretty good, but dumped it in favour of another method that did not depend upon other people's services or software.

    There are other password manglers out there and they all seem to me to lock your eggs up in their basket. I suppose that is the nature of the beast.

    1. Gotno iShit Wantno iShit

      Re: Lastpass

      "There are other password manglers out there and they all seem to me to lock your eggs up in their basket. I suppose that is the nature of the beast."

      Try a .txt file stored in a truecrypt volume. Sure it doesn't have all the conveniences of LastPass, KeePass or Firefox built in tools but nor does it have the failure modes. My eggs, my basket.

      1. Anonymous Coward

        Re: Lastpass

        I thought TrueCrypt was recently busted wide open?

        http://www.theregister.co.uk/2014/05/28/truecrypt_hack/

        1. John H Woods Silver badge

          Re: Lastpass

          AC: "I thought TrueCrypt was recently busted wide open?"

          It's not quite as simple as that; version 7.1a might be fine :-)

      2. mythicalduck

        Re: Lastpass

        >Try a .txt file stored in a truecrypt volume. Sure it doesn't have all the conveniences of LastPass, KeePass or Firefox built in tools but nor does it have the failure modes. My eggs, my basket.

        How does a text file on an encrypted volume differ from something like KeePass, which is an encrypted XML document? If the encryption failed on either (data corruption etc.) you'd be boned.

        1. Gotno iShit Wantno iShit

          Re: Lastpass

          Duplicate post deleted. No idea how that happened.

        2. Gotno iShit Wantno iShit

          Re: Lastpass

          KeePass keeps the data locally but the software is closed so as you say you're boned.

          LastPass keeps your data in the house of cards called 'cloud'.

          Firefox, bit of each I think but I confess I've not dug deeply.

          Truecrypt as a project seems to be dead but Truecrypt the storage format and Truecrypt the software (7.1a) isn't, so far these have stood up to independent scrutiny. Since the volume format is open and documented there are other programs that can open a truecrypt volume. If Truecrypt the software became untrusted I can use something else to get my data back. If Truecrypt the storage format gets busted I can simply use 7.1a to migrate my data to a new container.

          1. Sir Runcible Spoon

            Re: Lastpass

            For a company with such a high impact if something should fail it's amazing that they don't have any global resiliency.

            Cowboys.

          2. Anonymous Coward

            Re: Lastpass

            there's KeePassX - open source & cross platform

            1. Old Handle
              Linux

              Re: Lastpass

              Regular KeePass is open source too. As far as I can tell, KeePassX is just a fork that exists mainly for historical reasons.

          3. Guus Leeuw

            Re: Lastpass

            Uhm, noshitman, KeepAss' software is perfectly open: one can download the source code right from their website...

            Or, maybe I'm mistaken, and you mean something with "KeePass keeps the data locally but the software is closed so as you say you're boned."

          4. Alan Edwards

            Re: Lastpass

            > KeePass keeps the data locally but the software is closed so as you say you're boned.

            There is other software that can read KeePass files e.g. KeePassDroid on Android, KyPass on IOS. The decryption algorithm must be out there, so you can migrate to something else if necessary.

          5. mythicalduck

            Re: Lastpass

            "KeePass keeps the data locally but the software is closed so as you say you're boned."

            KeePass is closed? WTF are you talking about? Source code is available, and can be downloaded from http://keepass.info/download.html, just scroll down to "Other Downloads and Resources"

          6. djnapkin

            Re: Lastpass

            Keepass software is not closed - the source code is freely available. I had a look through it recently, when I was musing about running up a copy on my own website as an emergency thing when travelling. More to it than I had expected.

      3. psychonaut

        Re: Lastpass

        spot on - that's what i do.

        yawn...another cloud, another failure.

        thought all this was supposed to be autofailover, zero downtime stuff?

        why is it still so crap?

        1. Phil O'Sophical Silver badge

          Re: Lastpass

          why is it still so crap?

          Like every outsourced service, there's a reason why it's cheaper than doing it yourself: because it doesn't get done very well when you do it on the cheap. Beancounters never learn.

          1. psychonaut
            Mushroom

            Re: Lastpass

            @phil

            fair comment - i did mean cloud in general though - where's all the autofailover stuff? why doesn't it work? multiple data centres, clusters, failover etc etc...this has been in development for years and years hasn't it? or does it just not work? i've been in small business IT for 10 years now so i am well out of the big toys stuff, but we were doing this at neverfail nearly 20 years ago.

            as for truecrypt, well, sure maybe the versions later than 7.1a are suspect, but to who? even if 7.1a can be cracked, who by? anyone that interested in my stuff can just break into my office or my online backup, crack my wifi pass and jump on the network, tunnel in from next door.....the nsa could do it at will probably, so could gchq? big deal - i don't care. they aren't interested in me, if they are, they aren't going to find anything worth having.

            i use 7.1a anyway. then i back that encrypted container up to carbonite. i have the last 5 versions stored on carbonite. i also have a local windows image backup with versioning. it's not expensive, and i know where my stuff is. if the shit really hit the fan in the office, i've got instant access to my cloud backup. if something happened to that at the same time, then i guess i've got (and all of humanity) more to worry about than some passwords, like running for cover from the tsunami/nuclear winter/meteor strike...hence the icon

          2. Anonymous Coward

            Re: Lastpass

            it doesn't get done very well when you do it on the cheap. Beancounters never learn.

            They learn well enough: If the service is outsourced, then management wrath will strike far away when things do not work. It's the risk-free option.

            1. Peter27x
              FAIL

              Re: Lastpass

              "They learn well enough: If the service is outsourced, then management wrath will strike far away when things do not work. It's the risk-free option"

              Well the reverse is also true, i.e. we can outsource to another company and pass the risk to them. if it goes wrong we're ok, we can blame them....

      4. asdf

        Re: Lastpass

        >"There are other password manglers out there and they all seem to me to lock your eggs up in their basket. I suppose that is the nature of the beast."

        The PasswordMaker Firefox plugin doesn't require remote services as far as I can tell. It's cross platform (edge to firefox plugins) and open source as well.

        1. Sir Digby Chickendinner

          Re: Lastpass

          "The PasswordMaker Firefox plugin doesn't require remote services as far as I can tell. It's cross platform (edge to firefox plugins) and open source as well."

          If you are a premium user of LastPass, as a lot of the people affected clearly are, then you can log in offline on your mobile device where your vault is stored locally. In fact the main reason to go premium is that you get the mobile versions included. So I think all of these people complaining that they could not get any work done actually *could* have done but chose not to, so the outage was not as much of a big deal as they are making out.

          That said, it looks like LastPass dealt with it really badly from a PR POV.

      5. asdf

        Re: Lastpass

        >Try a .txt file stored in a truecrypt volume.

        The problem is then you know the actual password (no deniable culpability for draconian UK password laws) and type it every time so any potential keyloggers get it also. With PasswordMaker you type a master password (which you can not store at all (enter each time), store in memory (until app close) or even store to disk (terrible idea IMHO)) and then it creates a unique password for each different site. The only real drawback is you have to keep good track of your PasswordMaker Firefox plugin install directory as it's unique for each install and if blown away you lose access to your passwords until you reset them.

        1. asdf

          Re: Lastpass

          Just to clarify it creates a unique password for each website (based on one way hash of master password) which you use at first to create the password on the site (you can also control the domain of allowable characters in password) and then using the same master password it recreates the same password for the site when you revisit and tell it to fill the password field (and possibly having to enter the master password again based on how you decide to store it). Also unless you choose to look you generally don't even know the actual passwords for each site this way.

      6. Scorchio!!

        Re: Lastpass

        @ Gotno iShit Wantno iShit. I agree on the matter of True Crypt, though there is the question mark, it seems the earlier version may be safe. However and in addition I use Mirek W's PINs package (http://www.mirekw.com/winfreeware/index.html) which is free and sits very nicely in an encrypted container. In the past I used another free package called Oubliette (French for 'forget' I believe), but it has not been subject to development for some years. Mirek has a forum, is in reach, and the package is OSI Certified Open Source Software. It has a lot of very useful features, including 448 bit blowfish encryption, and a very good password generator, reminders when passwords are out of date, and so on. Alternatively Gibson at grc.com has a funky password generator.

        As to True Crypt, I keep an archive of all software that I use to enable reversion in the event of such problems. In addition I also keep backups of the appropriate *.tc files, on three separate systems, one my backup server the others being portable drives. When I travel I copy the True Crypt files to my notebook, and then back them up to the portable drives by rotation. I would use the massive USB drives that I have but don't have much faith in their longevity. That sort of traffic would probably cripple them.

      7. Jim 59

        Re: Lastpass

        Make sure that .txt file editor is not auto-saving backup copies outside of your encrypted volume.

    2. phuzz Silver badge
      Go

      Re: Lastpass

      I got a few login errors yesterday, but Lastpass keeps an (encrypted) offline copy of your data, so I could still get to my passwords.

      Sure, Lastpass is not the most secure system I could use, but it hits the sweet spot of convenience and security for me.

    3. Jim 59

      Storing your passwords on the Internet

      No.

    4. Scorchio!!

      Re: Lastpass

      I use Mirek W's PINs: http://www.mirekw.com/ It's open source and has quite a few useful features, including a Blowfish 448 bit encryption algorithm, complex password generator (including symbols), a file eraser and an awful lot more. Because it can be run from a USB stick this means I can double protect it by encrypting the drive or creating an encrypted container.

      In the distant past I used Oubliette but it went into maintenance and then dead mode. I will never, ever let someone look after my passwords. It is still available, or was when I checked a year back.

  2. uncle sjohie

    Working fine

    It's working fine here in the Netherlands. (12-08, 15:49 CET)

    1. Anonymous Coward

      Re: Working fine

      Working fine here in the UK all day too.

      Did we just wobble a bit closer to a nearby parallel universe or something - you know, one where Ebay owns LastPass?

      1. Bumpy Cat

        Re: Working fine

        UK here - it was sluggish this morning, but seems to be responding now.

      2. James O'Brien

        Re: Working fine

        Swear to god if eBay buys out LP I will find you and beat you with my keyboard for making that statement.... Nothing good ever comes out of eBay buying companies....

  3. Anonymous Bullard
    Facepalm

    Who didn't see this one coming?

    1. Anonymous Coward

      only..

      Everyone who uses their service, that's who!

  4. Destroy All Monsters Silver badge

    Must be another dirty trick by P.U.T.I.N.

    Now at least I know why my browser startup took so long.

  5. batfastad

    Honeypot

    Let's just slide these black boxes in behind our SSL offloaders/load balancers. 5 mins downtime will be fine.

  6. Anonymous Coward

    Similar to where I work a few months back...

    <colo outage, all database monitoring tools have flatlined or are flashing red. Customer calls start coming in to Tech Support>

    Management to TS> Don't communicate on a downtime to clients!!! No global information email must be sent. Tell the customers that you have an "exceptional situation that only affects them" if they call

    TS> There is no current known problem. Everything is working just fiiiiiine... Oh, really? Let me check. Hum, there may be an exceptional slowdown at the moment though, I can see your account is a bit slow. We'll keep you informed <trollface.jpg>

    Cust 2>My system is down

    TS>There is no current problem we can see, monitoring seems good <iLied.jpg>

    <...snip...>

    Cust 96> I called 20 minutes ago, your exceptional and temporary problem is a lie, my friends also use your service, and they are up shit creek too...

    TS to Management> Can we make a bloody customer mailing to tell them there is an outage FFS, keep everyone informed, if not happy? We are in meltdown here with 35 mails and 90 calls in 40 minutes and we only have 300 customers in this country!

    20 minutes later, get the OK for a mail to all clients that a "temporary problem" affecting a "small amount of users" for "10 minutes" and that it "happened due to elements out of our control at our ISP" (aka, admins stuffed a planned upgrade that was not tested before or at least deployed on one machine at a time in a rolling upgrade rather than all at once).

    Looks like LastPass took a page out of our management's support handling policy

    AC because even if this is no longer management policy following a buyout, it's frowned upon talking about it.

    Even so, telling the customers the truth does not hurt (much), and it's easier to tell the truth than remember continual lies about the uptime and availability SLAs...

    1. mark 63 Silver badge

      Re: Similar to where I work a few months back...

      right on.

      That's almost as much fun as:

      "Yes we are aware of the problem, our engineers are working on it"

      (Engineers in a different town who never answer the phone, email or instant msgr)

      "How long will it be"

      "I can't say"

      can you ask them?

      no, can't get in contact with them

      this system is always down!

      um.....

      what did I pay all that money for? can I speak to Roger the md?

      no i'm not allowed to put you through to anyone

      can i speak to your manager

      no i'm not allowed to put you through

      can you give me any idea how long the outage will be? hours? days?

      no i'm afraid they're not telling me anything yet

      take a guess

      I can't because sometimes in the past it's been hours, sometimes it's been days

      you're not a lot of help are you

      no, I'm really sorry, trust me I'm almost as pissed off as you are.........

      -------------------------------------------------------------

      .... so i left that job

      1. Anonymous Coward

        Re: Similar to where I work a few months back...

        > take a guess

        On the bright side, at that point your customer's expectations are right where you want them. :-)

    2. Jim 59

      Re: Similar to where I work a few months back...

      In the case of a major outage, customers prefer communication to actually fixing the thing. They are more bothered about being kept informed than they are about the outage itself. Took me many years to learn this.

      The customer prefers knowing that the outage will last 3 hours than not knowing how long it will last, and having it come back after 1.5 hours.

  7. S4qFBxkFFg

    Weirdly, it was usable from my phone (3) but completely unreachable from my office machine (which goes through JANET).

    Seems fine now though.

    edit: I could still log in to everything because it could still use its offline storage

    1. Anonymous Coward

      @S4qFBxkFFg: Did you realise you put your password into the "Name" box? ;)

      1. Sureo

        @AC Re. @S4qFBxkFFg: Did you realise you put your password into the "Name" box? ;)

        Actually it's a great idea. It spares the nuisance of being told 'userid not available' which can get tiresome after several tries. Click 'generate password', use the result as userid. Click again for a password. (Or not if you like to live dangerously.) Job done.

      2. Fink-Nottle
        Happy

        @S4qFBxkFFg: Did you realise you put your password into the "Name" box? ;)

        @S4qFBxkFFg's password is probably 'password' ...

  8. SVV

    Who trusts a third party with their authentication?

    And a third party with seemingly poor failover within their infrastructure?

    This is one thing I would never entrust to "the cloud" - ever.

    OpenSSO, CAS, heck even Active Directory if you really must are all reasonably easy to implement in house.

    I suspect quite a few IT managers are looking at the alternatives with some urgency right now.

    1. PhilipJ

      Re: Who trusts a third party with their authentication?

      the whole idea of sharing accounts and passwords with a 3rd party is ridiculous - why in the hell would you use a password at all, when you give it to anyone ?

      suckers, serves them right !

      1. Tim 11

        Re: Who trusts a third party with their authentication?

        so I presume you either just write all your passwords down on sticky notes, or you've written your own encryption software? compared to those alternatives, I'd take a third party solution any time

        1. Anonymous Coward

          Re: Who trusts a third party with their authentication?

          > so I presume you either just write all your passwords down on sticky notes, or you've written your own encryption software?

          Don't know about him, but I simply remember them. After all, I already speak a human language¹ with an "everyday" vocabulary of 30,000 to 70,000 words², so a few dozen more to learn are neither here nor there. :-)

          ¹ Six of them actually, but that is beside the point.

          ² Depending on whose numbers you believe.

          1. Someone Else Silver badge
            Facepalm

            @ AC -- Re: Who trusts a third party with their authentication?

            Don't know about him, but I simply remember them.

            Call me again when you reach the age of 60...

            (Fscking Millennials think they'll live for-fricking-evah!)

            1. Anonymous Coward

              Re: @ AC -- Who trusts a third party with their authentication?

              > Call me again when you reach the age of 60...

              How old do you think I am, my dear chap?

            2. F0rdPrefect
              Trollface

              Re: @ AC -- Who trusts a third party with their authentication? At the age of 60

              @ Someone Else

              Don't know about him, but I simply remember them.

              Call me again when you reach the age of 60...

              Well that was last September and I still remember them.

        2. PhilipJ

          Re: Who trusts a third party with their authentication?

          No, I use KeePass and synchronize my DB files manually once in a while.

          There is absolutely ZERO reason for me to enter all my accounts and passwords into some shady freaking website.

          1. Jim 59

            Re: Who trusts a third party with their authentication?

            I do the same as PhilipJ. Best way.

        3. tom dial Silver badge

          Re: Who trusts a third party with their authentication?

          KeePassX with the database on a USB key. I trust myself more than I trust the unknown provider of a remote service.

          1. Danny 14

            Re: Who trusts a third party with their authentication?

            The work ones are stored in an encrypted 7z file. Not the most technical solution in the world but it is portable and backed up. The password is a strung together sequence of things only I would know. For example, you could use a group of 5 telephone numbers (with a place name or something) and that is a hell of a password to try and brute force. "mywife36leftmeforablackman27ondecember25thintheyearofourlord2006" even with dictionary is quite a monster to brute force.

            You can even email the 7z if you like - to multiple accounts. Saves relying on a service hosted "somewhere" that could die at any time.

        4. Anonymous Coward

          Re: Who trusts a third party with their authentication?

          Third party _local_ solution. No connections to anywhere, ever.

          That is acceptable. A random cloud somewhere (not even continent specified)? No way.

          Totally trivial for local (to server room) law enforcement to come and confiscate everything, including all of my passwords as encryption isn't that good it holds against government.

          If they come and confiscate my machine I'm in trouble anyway, not a major problem. Basically a terrorist suspect is enough to confiscate all the machines from a server room. Only will is needed and it's easy to arrange if the result of the harvesting operation is millions of passwords to even more systems.

          Something NSA would do, just like that.

    2. GreyWolf

      Re: Who trusts a third party with their authentication?

      @svv.

      "This is one thing I would never entrust to "the cloud" - ever."

      I see you got two downvotes immediately. That'll be one from the NSA, and one from GCHQ. Both of those love it when people put important stuff "in the cloud".

      If you are ever in the same shower as an NSA or GCHQ person, don't drop the soap.

      1. Anonymous Coward

        Re: Who trusts a third party with their authentication?

        > If you are ever in the same shower as an NSA or GCHQ person, don't drop the soap.

        Never say no to free sex.

      2. SVV

        Re: Who trusts a third party with their authentication?

        I rather suspect the downvotes came from "password manager" companies myself, but I'd be intrigued to see what the IP addresses in the server logs showed up...........

        The 3 examples I gave are all things I've worked with at various companies, and they all did what they needed to do pretty well in terms of implementing single sign on. And I rather suspect that all these reputable companies would have quite happily co-operated with "the authorities" immediately had there been a need at any point, so I hope people see my post as being in favour of good industry standard solutions and a rejection of cloud good / in house bad thinking rather than any tinfoil hattery.

        Either that, or it's Active Directory fans who really can see the forest for the trees (and owe me an upvote in return for my AD gag here)

      3. VinceH

        Re: Who trusts a third party with their authentication?

        "I see you got two downvotes immediately. That'll be one from the NSA, and one from GCHQ. Both of those love it when people put important stuff "in the cloud"."

        They'd love what I saw a week or so back: a password database that took the form of a Google Docs spreadsheet. I expressed my concerns at the perpetrator, but it was pretty much a waste of breath.

    3. phuzz Silver badge

      Re: Who trusts a third party with their authentication?

      I trust a third party more than I trust myself not to screw something up somewhere.

      I'm guessing the downvotes came from people who are as fed up of "OMG cloud == bad" as they are of "cloud == best everything!". "Cloud computing*" is just the client-server model writ large, and it can be implemented poorly or well. As a sysadmin it makes a difference to me if I can get physical access to a machine or not, but as a consumer, not so much.

      * Although whoever came up with that name should probably be locked in a room and forced to listen to it repeated over and over again, until it's lost all meaning.

  9. Steve Todd

    I like the 1Password approach

    1) let the user keep their master copy on one of multiple cloud services

    2) encrypt the h*ll out of this.

    3) keep local copies (also encrypted), and try to synchronise with the master copy when used

    That way you're never without access, even though in some circumstances it may not quite be up to date.

    1. Pet Peeve

      Re: I like the 1Password approach

      That's exactly how lastpass works. If you can't get to the server, it uses a cached copy of the password blob on your hard disk.

      1. Tom 35

        Re: I like the 1Password approach

        If that's how Lastpass works why are people saying it's down? Unless it's responding with garbage that prevents it from using the local copy. There should only be a handful of people who changed the password on one device and then tried to use it on another device.

  10. Anonymous Coward

    Bring that &#*$ in-house.

    Lastpass is NOT an enterprise app. Just because someone glues on federation or some hastily implemented SSO, does not make it World Class.....and now you know it. Their very response shows they are little more than kids with a toy with which they are growing bored.

    Try CyberArk, or if you insist cloud, OneLogin (and no, I don't work there either).

    1. Anonymous Coward

      Re: Bring that &#*$ in-house.

      > Lastpass is NOT an enterprise app. Just because someone glues on federation or some hastily implemented SSO, does not make it World Class

      "Enterprise"? "World Class"? Same sentence?

  11. Anonymous Coward

    Who in their right mind relies on external 'anything' without some fall-back provision to keep the company up and working?

    1. Adam 1

      You must be new here. Hi, I am Adam 1.

  12. John H Woods Silver badge

    Why trust any third party?

    I wouldn't trust a third party with my passwords, but I hadn't even considered availability!

    I'm sure there's more elegant ways of doing it, but you could reuse a reasonably secure but memorable password with a memorable nickname for the site you need it for, e.g.:

    echo -n 'considerdollarbaseready fARSEbook' | sha256sum - | base64 | cut -c -24 | head -1

    MDlkNDIwNGZiZTNlOGI1NmQ5

    As long as you have a shell and some standard utils, you can reconstruct the password.

    1. d3rrial

      Re: Why trust any third party?

      why not use "considerdollarbaseready fARSEbook" as password directly instead of hashing it first? It's not like you're adding anything to the password, that would make it safer, by hashing it

      1. Pet Peeve

        Re: Why trust any third party?

        I assume the first part is a fixed password (using the xkcd "Correct Horse Battery Staple" method), and the second part varies by site. Years ago I saw a bookmarklet that did something like this too. It's a potential single point of failure, and it's unfortunate that the encoding method limits the entropy by character since you can't have any special characters, but at the size shown, it seems to be pretty solid.

        1. Pet Peeve

          Re: Why trust any third party?

          Following myself up - the output from sha256sum is hex bytes, giving you a terrible 4 bits of entropy per output character, and encoding it in base64 doesn't help the situation.

          Adding in "xxd" to turn the hex bytes back into binary gives much nicer results. I like Woods's idea quite a bit:

          echo -n 'considerdollarbaseready fARSEbook' | sha256sum -|xxd -r -p|base64|head -1|cut -c 1-24

          gTHDYfbTJYK0Sm5eI1W8mO+R

      2. Steve Davies 3 Silver badge

        Re: Why trust any third party?

        "considerdollarbaseready fARSEbook"

        Fails at least TWO common business password rules

        1) requires at least 1 Numeric

        2) Does not allow two characters next to each other that are identical viz 'oo'.

        Next?

      3. channel extended
        Happy

        Re: Why trust any third party?

        It allows him to use a long pass phrase to create a simpler password. You could even include the website that you're visiting.

        BTW: Perhaps they should be labeled laughpass?

      4. Anonymous Coward

        Re: Why trust any third party?

        d3rrial wrote:

        "why not use "considerdollarbaseready fARSEbook" as password directly instead of hashing it first? It's not like you're adding anything to the password, that would make it safer, by hashing it"

        Because he does not know how the site stores the password, and there are plenty of lamentable examples. If they store a plaintext (or decryptable) version then this will make your 'root' phrase and method apparent, putting your other passwords at much greater risk.

        By hashing the 'password' the root is not revealed. There may still be security weaknesses - but this may be an adequate (for this user) compromise between security and convenience.

      5. John H Woods Silver badge

        Re: Why trust any third party?

        d3rrial: "why not use "considerdollarbaseready fARSEbook" as password directly instead of hashing it first? It's not like you're adding anything to the password, that would make it safer, by hashing it"

        Theoretically, of course, you are right. Practically, however:

        • some sites don't encrypt passwords (or may have compromised certs) - I don't want to compromise my master password
        • some sites limit password length: (a) the first 16 chars of the hash contain more entropy than the first characters of the password; and (b) all sites which use <=24 chars would have the same password, which I'm trying to avoid
        • some sites "enforce quality" which in practice means a minimum length and certain characters. By using base 64 (and tr where necessary) I can meet these rules without having to use those symbols or numbers in my master password (which, for any given length, reduces its memorability).
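
Added example (not part of any comment in this thread, and not any poster's code): the two pipelines quoted above written as shell functions, with a helper that shows how much of the SHA-256 digest each 24-character result actually carries. The function names and the optional length argument are assumptions made here; the phrase and site nickname are the sample values from the comments.

```shell
#!/bin/sh
# Added example: deterministic per-site passwords from
# "<master phrase> <site nickname>", as in the pipelines quoted in the thread.
# Needs sh plus sha256sum, base64, od, cut, tr, head (GNU coreutils assumed).

# Hex SHA-256 of "<master> <site>" (64 hex characters).
digest_hex() {
    printf '%s' "$1 $2" | sha256sum | cut -d' ' -f1
}

# Write the raw bytes for a hex string to stdout. Stands in for the thread's
# `xxd -r -p` so the example does not depend on xxd being installed.
hex_to_bytes() {
    hex=$1
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}      # first two hex digits
        hex=${hex#??}                # remainder
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}

# Pipeline 1: base64 of the hex *text* printed by sha256sum.
# $3 is an optional length (default 24, at most 76).
derive_hex() {
    printf '%s' "$1 $2" | sha256sum | base64 | head -n 1 | cut -c "1-${3:-24}"
}

# Pipeline 2: decode the hex to the 32 raw digest bytes, then base64.
# $3 is an optional length (default 24, at most 43 before '=' padding).
derive_raw() {
    hex_to_bytes "$(digest_hex "$1" "$2")" | base64 | head -n 1 | cut -c "1-${3:-24}"
}

# Hex dump of the bytes a derived password decodes to
# (password length must be a multiple of 4).
decoded_hex() {
    printf '%s' "$1" | base64 -d | od -An -tx1 | tr -d ' \n'
}

# Demo with the sample values from the thread; a real master phrase stays secret.
MASTER='considerdollarbaseready'
SITE='fARSEbook'

# 24 base64 characters always decode to 18 bytes:
#   pipeline 1 -> 18 ASCII hex digits = 72 bits of the digest
#   pipeline 2 -> 18 raw digest bytes = 144 bits of the digest
echo "digest:            $(digest_hex "$MASTER" "$SITE")"
echo "hex text, base64:  $(derive_hex "$MASTER" "$SITE")"
echo "  decodes to text: $(printf '%s' "$(derive_hex "$MASTER" "$SITE")" | base64 -d)"
echo "raw bytes, base64: $(derive_raw "$MASTER" "$SITE")"
echo "  decodes to hex:  $(decoded_hex "$(derive_raw "$MASTER" "$SITE")")"
echo "16-char variant:   $(derive_raw "$MASTER" "$SITE" 16)"
```

Both variants use one unsalted SHA-256, so anyone who obtains a derived password and knows the scheme can test candidate master phrases offline at hash speed; the master phrase needs to be long enough to survive that.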

    2. A K Stiles
      Joke

      Re: Why trust any third party?

      Ah, but your generated password is too long / doesn't contain any of the required symbols / repeats characters within 3 spaces / must be changed every 29.497 days / breaks some other arbitrary and unhelpful rule on this particular service ...

      Still not trusting 3rd parties with my password management though!

      (and exactly what mechanism are various banks using to 'encrypt' my password in such a way that they can validate only characters 3,7 and 9 of my password anyway?)

      1. Jon Egerton

        Re: Why trust any third party?

        @A K Stiles

        "and exactly what mechanism are various banks using to 'encrypt' my password in such a way that they can validate only characters 3,7 and 9 of my password anyway?"

        Well they're either symmetrically encrypting it, or they're hashing every 3 digit permutation from your password and storing them all.

        Not sure which of these is worse though - suppose it depends on the salting really.

      2. channel extended

        Re: Why trust any third party?

        MD5?

    3. batfastad

      Re: Why trust any third party?

      Better...

      < /dev/urandom tr -dc _A-Z-a-z-0-9@\!\$ | head -c30

      1. Pet Peeve

        Re: Why trust any third party?

        You missed the point of what he was trying to do. Not to make a random password, but to make a pseudorandom one based on a secret key and site name.

        1. Anonymous Coward

          Re: Why trust any third party?

          > You missed the point

          No, no. YOU missed HIS point. He's asking what about using "< /dev/urandom tr -dc _A-Z-a-z-0-9@\!\$ | head -c30" as the password. :-)

    4. Aus Tech

      Re: Why trust any third party?

      > "I wouldn't trust a third party with my passwords, but I hadn't even considered availability!" <

      Networking 201 (Cloud services - Password Management) - When using a cloud service for password management, ALWAYS ensure that you have a readily available local copy, so that, if for any reason you lose your Internet service, you and all of your co-workers can still continue to work.

    5. Jim 59

      Re: Why trust any third party?

      And when you have 78 "memorable" nicknames for 78 sites ? Still memorable ?

  13. Tim 11

    Keep Calm - you don't need network access to use lastpass

    if the lastpass server is down, the client just opens the local copy of the data - network connection is only needed to sync.

    this isn't really that big a deal

    1. Anonymous Coward

      Re: Keep Calm - you don't need network access to use lastpass

      That's what I thought. It popped up to say connection lost but it didn't make any difference, I could still login to sites. This is really not the end of the world.

    2. Jon Etkins

      Re: Keep Calm - you don't need network access to use lastpass

      Mine won't - I'm dead in the water until this is resolved.

  14. Dave 27

    Lastpass can work in offline mode, I guess this is why I hadn't noticed there was a problem until I saw this article.

  15. GraemeD

    Upstream issue

    I think this and the Ebay issue is linked to an issue we discovered where Linx seem to be having issues. We had brown outs all over the place from our office, but was fine via Voda mobile.

    1. phuzz Silver badge
      Stop

      Re: Upstream issue

      We had a problem reaching launchpad.net around the same time, not sure how widespread that was.

  16. Suricou Raven

    I solved this a while ago:

    http://birds-are-nice.me/programming/password-device.shtml

    - No online store to be compromised.

    - The sensitive data consists of one numerical sequence of variable length, which you need to memorise. It needs to be pretty long, but it's only the one thing.

    - Unique password for every website.

    - Totally unhackable: Dedicated hardware, no network connectivity.

    - Device stores no data: If lost, may be replaced without loss of passwords.

    - Doubles as a serial TTY line monitor. Handy.

    - Mine generates eight-character passwords, but easily adapted to longer.

    1. Anonymous Coward

      Re: I solved this a while ago:

      I did see this some time back.

      I just use a purely software solution on my laptop: GnuPG.

      1. Suricou Raven

        Re: I solved this a while ago:

        That, or a truecrypt or crypto-loop device, are pretty good options. But you can't promise security because someone could still hack the laptop with something like a keylogger for the master password. That's why I went standalone. You couldn't hack that thing short of physical access, and even then you'd need to retrieve it a second time to get the data off as it has no network connection and no place to add one that wouldn't be noticed.

    2. Jim 59

      Re: I solved this a while ago:

      @ Suricou Raven great project, well done and will keep your accounts secure. There are a couple of things:

      As it is generating, not storing passwords, you still need to keep a list somewhere of the accounts you actually own. So that you don't forget you actually have an account at www.datsundrivers.com

      If you lose it, it will need to be replaced before you can re-generate a password and log in somewhere.

      If it is stolen, could it possibly be reverse engineered to get the master pin and thus the passwords ?

      Certainly fixes the key logging threat though, and ingeniously.

  17. lucyj

    Offline Mode

    my1login also has an offline mode so in the unlikely event we lose a data centre or a client loses their network connectivity, a local cache of their logins can still be accessed....I suspect, as with many programs, that user awareness may play a part in today's drama - has the user been educated there is an offline mode available? Has the IT Admin enabled that functionality? The software is only as useful as the amount of knowledge a user has - an unfortunate frequent occurrence these days, especially in larger enterprise deployments. User education is key.

  18. Anonymous Cowherder

    Been using this free service years. This is the first outage

    As per title, I use the free service, I had the offline notice this morning but didn't think too much of it as still had access to stuff.

    I've never given lastpass one penny yet their product has worked fine for me (as far as I can tell, they may be sending my credentials to bad people who are able to see all of my boring life play out for them too.)

    This is the first outage I have ever had with lastpass, that isn't a bad strike rate as far as I am concerned. Once in several years. Things I have paid for have had much worse failure rates.

  19. ADJB

    Clouds.....

    Clouds do seem to have this habit of raining on people.

  20. Christian Berger
    Facepalm

    It's even less secure than an unencrypted passwords.txt file

    Just think of it. For a foreign party (e.g. your local secret service) to compromise that unencrypted file, they need to compromise your local computer. Either remotely or via hardware access. If they can do that, it's trivial to sniff the master password you enter into one of those services to get to the other passwords...

    Additionally there is the threat of the service delivering malware. While Javascript usually cannot break out of the browser, it can surely send the password you enter to the service as well as decrypt your passwords locally. All of this can be done selectively for certain users, and US law probably can even force services into doing this without telling their users. If this is only done for a select few, chances are it'll never be detected.

    So seriously, instead of using such a service, it's far better to use a passwords text file.

    1. channelswimmer

      Re: It's even less secure than an unencrypted passwords.txt file

      > it's trivial to sniff the master password you enter into one of those services to get to the other passwords.

      It doesn't work like that, because that would be moronic. Instead the encrypted blob is sent to your PC, where the password is used to decrypt it in-app.

      1. Christian Berger

        Re: It's even less secure than an unencrypted passwords.txt file

        "It doesn't work like that, because that would be moronic. Instead the encrypted blob is sent to your PC, where the password is used to decrypt it in-app."

        Yes, if you are unlucky that app is just some Javascript on a web page which will be loaded anew each time you visit the page and can be tailored to you specifically. Since the CA model is broken, more sophisticated attackers can even replace it without the knowledge of the developer.

        If you are a bit luckier, you have an actual app, however that can still be updated by the developer... or whoever else has access to the chain of trust bringing you that code. Updates on today's operating systems are done in binary form making it extremely hard to see what has actually been changed. So it's completely plausible that you as the target got a special version which sends out your master password, along with the encrypted blob, to some 3rd party server.

        Software distribution is, unfortunately, severely broken on commercial systems. Even having a list of the source files that have changed between versions could make a big difference to the security conscious end user. Having access to the diffs could bring actual security, at least to educated users. It's comparatively easy to look at a patch in code.

    2. cappelli

      Re: It's even less secure than an unencrypted passwords.txt file

      That may be true for some password managers but not for LastPass. Peep this: https://helpdesk.lastpass.com/getting-started/introduction/why-is-lastpass-safe/

  21. Stevie

    Bah!

    "We immediately started taking action to migrate the service "

    To a bunch of post-its stuck on the server cabinet sides.

  22. Anonymous IV

    "Redundant data centre"?

    "We have done everything we can to minimise impact and are working to get the redundant data centre up as soon as possible."

    If the data centre was redundant, then why is there a problem? Have I missed something?

  23. heyrick Silver badge

    Hang on...

    Am I missing something here?

    How are your passwords safe hosted on a third party server?

    Why does a password manager need to have any information leave your system?

    1. DropBear

      Re: Hang on...

      Why does a password manager need to have any information leave your system?

      Well, the problem is they haven't yet figured out a way to charge you a monthly fee otherwise...

      1. OmgTheyLetMePostInTheUK

        Re: Hang on...

        Go ahead and keep your passwords on your system if that is all you need. But I have a few machines that I need all of my passwords to be available from. And after trying about 6 different solutions in the past year, and dumping the first 5 in less than a month, I read about LastPass somewhere, and tried it. And now, I can go to any internet connected computer, and login to any of the sites that I need my passwords for. And every single password is longer than 10 characters and some are as many as 20 characters long.

        BTW, Last pass is free for 99% of the people. I just recently decided to pay the $12 a year they ask for simply because it works well for me. I've been using it for free for a few months, and even at free it does everything I needed.

    2. Brangdon

      Re: Why does a password manager need to have any information leave your system?

      Many people need the passwords to be available from a variety of machines. Their desktop, their phone, their tablet, etc. That's why the (encrypted) password database needs to be synced across the internet.

    3. OmgTheyLetMePostInTheUK

      Re: Hang on...

      The password is encrypted BEFORE it leaves your computer as it goes to LastPass. So that part is not a problem.

      Portability is nice. If you need to login somewhere to pull something up, I can do it from any computer that is connected to the internet.

      I looked for something that does what LastPass does for years and this is the first password program or service that I have used for more than a month.

  24. channel extended
    Angel

    77nZMupqUnqgFSLbAF02RQAP

    This is my password, using the script below - Goodluck!!

    echo -n "$1" | sha256sum - | xxd -r -p | base64 | head -1 | cut -c 1-24

    Put it in a script and the $1 passes arguments. Then it's just cut and paste.

    1. Pet Peeve

      Re: 77nZMupqUnqgFSLbAF02RQAP

      Don't go nuts using this as your main password method. It could definitely be improved, for example by using a keyed hash (sha256hmac would help), or if your machine has it, sha1passwd which does the whole pbkdf2 rigamarole on your input password, making it ridiculously hard to brute force.

      The idea of deriving passwords is a pretty neat one. Google played around with a similar idea I believe, and there's also the SQRL project which throws tons of slick crypto at the idea, but that requires stuff on the server side.
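Added example, not code from any commenter: a Python sketch of the derived-password idea in this thread, putting the plain SHA-256 pipeline beside a keyed variant along the lines Pet Peeve suggests (PBKDF2, then HMAC per site), and handling the length limits and "quality" rules John H Woods lists. The function names, the salt, the iteration count and the policy check are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values, for illustration only.
SAMPLE_PHRASE = "considerdollarbaseready"
SAMPLE_SALT = b"reader@example.invalid"  # assumption: a non-secret per-user salt


def thread_pipeline(text: str, length: int = 24) -> str:
    """Same steps as the shell one-liner: sha256 -> raw bytes -> base64 -> cut."""
    digest = hashlib.sha256(text.encode()).digest()
    return base64.b64encode(digest).decode()[:length]


def stretch(phrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Run the pass phrase through PBKDF2 once per session.

    Anyone guessing the phrase from a leaked site password has to pay
    the same iteration cost for every guess.
    """
    return hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt, iterations)


def meets_policy(password: str) -> bool:
    """A typical 'quality' rule: at least one lower, one upper, one digit."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def site_password(key: bytes, site: str, length: int = 24,
                  swap: tuple = ("+/", "-_")) -> str:
    """Keyed per-site derivation: HMAC-SHA256(key, site || counter).

    `swap` plays the role of `tr`: it replaces base64 characters a site
    rejects. The counter is bumped until the truncated output satisfies
    the policy, so the result is still deterministic.
    """
    if not 1 <= length <= 43:  # 32 bytes give 43 base64 chars without padding
        raise ValueError("length must be between 1 and 43")
    site = site.strip().lower()
    table = str.maketrans(*swap)
    for counter in range(1000):
        msg = f"{site}\x00{counter}".encode()
        mac = hmac.new(key, msg, hashlib.sha256).digest()
        candidate = base64.b64encode(mac).decode().rstrip("=")
        candidate = candidate.translate(table)[:length]
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("no candidate met the policy")


if __name__ == "__main__":
    key = stretch(SAMPLE_PHRASE, SAMPLE_SALT)
    print("plain sha256 :", thread_pipeline(SAMPLE_PHRASE + " fARSEbook"))
    print("keyed, 24    :", site_password(key, "facebook.com"))
    print("keyed, 16    :", site_password(key, "facebook.com", length=16))
```

The salt and iteration count have to be identical on every machine where the passwords are regenerated, otherwise the outputs change.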

    2. OmgTheyLetMePostInTheUK

      Re: 77nZMupqUnqgFSLbAF02RQAP

      Congratulations! You just started speaking MARTIAN to 99.99% of the people reading this.

  25. Todd Harrison

    Which is why..

    I use B-Folders. Small and less well heard about, and I backup the file by syncing between fixed and portable devices.

  26. cappelli

    News Flash: Your passwords were available to you during the outage

    I had no problems accessing my LastPass passwords during their datacenter glitch today so I have to disagree with these postings. I disagree with the original Register article too as it fails to mention the multitude of ways that LastPass users can recover their passwords during a network outage.

    First thing to know: LastPass does not store your unencrypted passwords in the cloud. Your passwords are encrypted in a datafile, sometimes called a "blob" that is local on your device (e.g. laptop), with a copy of that encrypted blob periodically backed up to the LastPass server. They go into more detail at the link below but here's how LP describes this:

    "All encryption/decryption occurs on your computer, not on our servers. This means that your sensitive data does not travel over the Internet and it never touches our servers, only the encrypted data does."

    https://helpdesk.lastpass.com/getting-started/introduction/why-is-lastpass-safe/

    2nd thing to know: If you were set up with multi-factor authentication using something like the 3rd party 'Yubikey' product discussed on LastPass' site then you'd have had full access to your cyphers (encrypted passwords). That's why many of the premium users were unencumbered by their network outage today.

    Multi-factor authentication is one of the features of their premium service ($12/yr) but even the people using LastPass for free have a solution. LastPass offers 'Pocket' detailed here at the link below and this allows you to decrypt your password blob locally. Everyone should keep a copy of Pocket on their computers and on a USB key for backup.

    https://helpdesk.lastpass.com/lastpass-on-the-go-2/lastpass-pocket/

    It should also be said that LastPass doesn't have your MASTER password on their server either. Once again, there's no reliance on their datacenter to unlock your passwords. They store a one-way cryptographic "hash" of your master password only. Your passwords are local on your device and are unlocked using that hash. They can be unlocked other ways though too. They explain the "salted hash" concept that they use, where passwords never actually reside in their datacenter, at this link: https://lastpass.com/how-it-works/

    An even better explanation of the specifics outlined above is on the Security Now! podcast from a few years ago: https://www.grc.com/sn/sn-256.htm <-- fantastic detail on this one.

    Thoughts?

    --Athonia

  27. P. Lee

    One DC down and there's an outage?

    You need to "work on failing over"?

    If it's true, it's a rubbish system. GTMs, LTMs. We've heard of them. Apparently, not everyone has.

  28. Just Joe

    Title's a bit misleading

    When LP's back end servers go offline, the service does not suddenly become completely unusable. The only thing that changes, at least in the Chrome LP extension, is that the red icon turns yellow and it says it's having problems talking to the server, that it is putting me in offline mode for now.

    That's it. All of my passwords, fill forms, notes, etc are all still available because they are encrypted and decrypted locally on whatever device LP is running on. That's how it was designed. It doesn't require constant communication with the servers in order to work. About the only thing that doesn't happen when the servers go down is that it stops synchronizing changes, obviously. Once the servers come back online everything will go back to normal.

  29. shovelDriver

    Who Didn't See This Coming?

    Cloud services. It's all good until the sh . ., uh (electrical) storm hits. That's all understandable, though. Save a lot of money up front - which C-level can recoup as bonuses and such - while bumping up their stock options and retirement payout. Odds are they'll be long gone before the waste (. . . money . . .) hits the fan.

    Try SplashID. No, I don't work for them. Their latest edition gives you the option of keeping it local, synching to the cloud, or both at the same time.

  30. Jin

    Do not put all your eggs in a basket

    ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. And it is now demonstrated that we could be locked out. It could be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master-password is crucially important, if required in fewer numbers.

  31. Winkypop Silver badge
    Joke

    I don't get it

    How hard is it to remember: 123qwerty ?

    1. Hans 1

      Re: I don't get it

      Yeah, then you visit a German friend and you type 123qwertz, at the French mistress', you end up typing &é"azerty

  32. Jim Willsher

    I use eWallet. Software available for Windoze PCs and Android/iOS devices, with card-level sync between them all. No reliance on cloudy stuff, it's always to hand and under my control.

    The software is constantly improved and enhanced and it's cheap as chips. What's not to like?

  33. rndSheeple

    Opensource, not single point more like user chooseable

    https://clipperz.is

    Works by open source encrypting using javascript so they cannot decrypt your stored information. At least that's what they say and it's open source so perhaps might even be truish.

    Can be offline copied (it's an html page). Works in windows, linuxes, iOS devices (whether or not I would recommend accessing all your secure info there is questionable), at least. It's not really os / platform / browser specific.

    I will admit integrations are lacking, and not sure about organizational fitness, delegation etc.

    But their service going down will do F-all. Your computer breaking down will do F-all. Just keep offline backups of it somewhere, many places perhaps. Of course the solar storm EMP strike that sets us back into the stone age will break it by breaking every single storage and access node, so it must be bad software. Not resilient.

    1. Charles 9

      Re: Opensource, not single point more like user chooseable

      But JavaScript can be subverted: switched out behind your back. That's why you can't trust it for encryption tasks.

  34. Anonymous Coward

    Storing data on da cloud

    When you store data on the cloud, you get everything you deserve ... the security services of the world appreciate. What happens when all passwords of your corp end up on pastebin?

    I mean, why would crackers hack corps when they could get much more cracking lastpass ? I imagine the motivation is there to break into there and since the window cleaners there have obviously never tested their "redundant" system, I imagine the corporate Administrator password there is either LastPass or L@$tP@$$.

    Been there, seen that all too many times ... I mean, the only times I was "told" (Yes, told! I ostensibly look away when clients type passwords) the enterprise administrator/sys(Oracle)/sa(Sybase/MS SQL) password of a company as an external consultant (!) was when the shop in question was 80+% Windows shop. And, the password was always either company or "most successful product" name.

    Anon for obvious reasons, though futile ... ;-)

  35. Hugh 3
    Stop

    ... but why not back up those LastPass beauties

    Might be worth noting that you can keep your LastPass encrypted data locally as a back up.

    Also worth remembering that you can then use that backup to access your password data without being online. So next time LP's servers need a tea break, you'll still be able to log in to stuff.

    Do a search for "offline-access-to-your-lastpass-vault" to get the details.

    Naturally I haven't got round to doing any of this myself and would have been mightily stuffed had the outage affected me. Nor have I kept a secured copy of my master password; if I get concussed & forget it; still stuffed.

    Life on the edge.

  36. Simon B

    spokesperson Amber Gott “We have been engaged with our provider the entire time ..."

    And to finish that sentence for Amber:

    Meanwhile, we have been completely UNengaged with our entire customer base the entire time.

    Why do so many providers of services find it so difficult to say ASAP 'we have a problem, we're looking into it'.

  37. Fat-Boy-R-Dee

    Maybe a little research/sanity here ...

    I do not work for LastPass, but I am a long-time paying customer.

    1. Before you start bashing a cloud-based password manager, do your research ...

    http://lastpass.com/how-it-works/

    Nothing (except maybe meta-metadata) is stored in the clear in the LastPass cloud. Once you authenticate, the encrypted blob is downloaded and decrypted locally on your system. If you add a site, note, whatever, again, it's encrypted locally and then added to the cloud blob.

    Show me a cheap, roll-your-own password solution that supports multifactor authentication, one-time passwords, secure password sharing, and rollbacks, and I will buy VC stock in the company.

    2. Downtime this (for me) morning was pretty annoying, no lie ... but in 4 years this is the FIRST time I've ever experienced any hassle ... so for a darn cheap system with an offline fallback, this is pretty darn good. About the only thing I'd ask LastPass product management to do is to put in a "manual offline" option to force using the local copy ... but that has its own security issues as well.

  38. Cyberspy
    Paris Hilton

    Password Safe and the 'Paris Angle'

    I use Password Safe: http://passwordsafe.sourceforge.net/

    It's free, open source, and the file is stored locally on your PC, so it's always available.

    Although it's a Windows app, there are Linux and Android ports for those who want them.

    I back mine up to an online Subversion repository, so I can access the file where ever I am if necessary, but I keep local copies at work and at home so it's pretty much always available.

    Sorted!

    Trusting all your passwords to an external hosted service who can obviously access those passwords, and can deny you access to them (even if through accident/incompetence rather than malice)? Why, even Paris wouldn't do that!

    1. Charles 9

      Re: Password Safe and the 'Paris Angle'

      I combine KeePass with Dropbox (KeePass is GPL and Dropbox is free up to 2GB). Since the database is encrypted by your master key (password, file, or both), it can sit on the Dropbox safely (stealing or snooping it is useless without the master key) enabling you to retrieve it as needed. Dropbox automatically syncs the key with whatever other locations I choose. And KeePass is easy to get for just about any platform you'll need it.

  39. halftone

    Be fair

    At least LastPass is secure.

  40. Charles 9

    I personally think we need to move beyond passwords. Except that for any possible solution I can think of (my personal favorite concept is two-way unique key exchange per-site per-user which can be performed offline if necessary), there's always a snag: the better fool, so to speak.

  41. Piro Silver badge

    This is why you don't trust some service with your passwords

    Get a copy of KeepAss, and store the database somewhere you can always access. Several places, even.

  42. Faye Kane ♀ girl brain

    ==-

    Here's your "cloud" for you.

    I have no effing idea why anyone would be stupid enough to store their data on someone else's computer far away where a slow internet line is the only way to get it, as opposed to gigabit LAN. The NSA can see it, the hackers can steal it, and if you don't pay ransom every month, they hide your data.

    --faye kane ♀ girl brain

  43. Jeffrey Nonken

    KeePass + BTSync FTW

    That is all.

  44. OmgTheyLetMePostInTheUK

    I am a premium (paid) user of LastPass, and the only thing I noticed that was unusual on the 12th was that I needed to login to my account once. So I might have been one of the lucky ones, but it was no inconvenience at all to login once, and once I had done that, everything worked just fine.

    Two things about LastPass that I like... Actually, 3 now that they have figured out a way to change your lost master password. One is security. I have a unique password on every site I visit regularly. Secondly, if I go somewhere else, and need to pull something up, I can still use LastPass at that other location.

    I used LastPass for a few months on a free basis, and just recently paid the $12 for a year of premium. If you think you can find a solid password service that is better than LastPass somewhere else for $1 month, go for it. I don't think you will.

    I don't care who you are, every company has short outages. And when a company with lots of customers loses a data center, it's ALWAYS going to over-load their customer service people. Google, Microsoft, Amazon... Biggest names in the business, and they have systems go down, and they rarely tell you what happened while they are fixing them. So this isn't just a Last Pass problem.
