Just checked my account, same pword. Happy days.
Password management system LastPass has reset users' master passwords as a precaution following the discovery of a possible hack attack against its systems. The move follows the detection of two anomalies – one affecting a database server – on LastPass's network on Tuesday that could be the result of a possible hack attack. …
Just checked my account, same pword. Happy days.
I'm not being asked to reset either
Hopefully there was no MITM being attempted instead...
from what I can gather they are only asking people to reset if they see a login attempt from an ip address you haven't used recently
Surely this company from the start new it would be a target for this kind of thing. Shouldn't the password guarding all your other passwords be required to be fairly strong?! My understanding of its point is to make password management easier - but requiring users to remember one strong password is not that big a deal.
With all people's eggs in one barsket, it's a bit obvious that this site would be a target.
Why the downvotes for peyton's comments FFS!
(Or is it because they suggested a Paris level of intellect and understanding on the part of the people who set-up and ran a system that allowed weak passwords and was so vulnerable to hacking that it was compromised twice independantly in a week?)
but its not critical...
It's only really an issue if a hacker manages to get hold of the encyrpted data, as then they can sit and try and brute force it offline..
However to download your encrypted data you need to enter the right password to their server (which is sent over as a hash, they don't have it).. but you only get 5 tries before they lock you out..
Pretty sure they're worried about people stealing the hash for the lastpass password, which they can then attempt to brute force offline and gain access to all the other passwords. It is critical in that case.
...even though I wasn't prompted to. It's simply not worth the risk having someone get access to such sensitive data.
Which is a relief.
They did the right thing. Properly functioning auditing detected the anomaly, they investigated and even though they can't prove it's a compromise took the decision to err on the side of caution before it became a full blown breach.
Much better than certain large consumer electronics companies I could mention.
Speaking of which can any readers remind me of my credit card expiry date and my EQ2 login details? Ta.
Your credit card expiry date is 08/11.
If you store your important logins on a remote server not under your control, the very best of luck to you. Some things are best not in the cloud.
Same with the little bit of paper, which was destroyed by the washing machine :'(
Interesting story, I wonder where the hate is? Surely after Sony's example, every organization that get's hacked should be subject to several stories that offer increasingly speculative worst case scenarios and bias against the organization that was hacked? Where are all the words of blame? Good lord, this is a password management company, they were a target the moment they commenced operation, and they know/knew it. Considering the service they offer, I can only hope that they quickly determine how someone got into their systems and do take the opportunity to improve their hashing.
So this is the site that wants you to store all their passwords with them?
Whoehahahaha! HihiHAAAAAAHAHAHAHAHAAAA Hi. HaHAAAAAAAAHAHAHA. Hihi, hi, hahahaha, hihihaha, hi, snirf (wiping eyes and blowing nose). And it's not even Friday yet. Hahahaha. Cough.
This deserves some sort of award..
"So this is the site that wants you to store all their passwords with them?"
Cloud mania again. I wouldn't trust any third party with my passwords for the security reason among others, and I'll continue to use Mirek W's PINs, which I carry around with me and use to access password protected files, and store in a True Crypt container when I travel:
I can use this even when my ISP or the LastPass provider is down.
In today's world, a password manager is an essential tool. They only way a person who is reasonably net-enabled could avoid the need for one, is to use the same password fo all sites (or some fairly easy to mangling). OK, some password managers can run in portable USB format, which is great - until you get a PC with a disabled USB port. So a cloud-based system is pretty nifty.
Given that LastPass is FREE, if you're so inclined, I don't think they're doing such a bad job. Certainly made my life easier. And having been hit by this myself, and unable to access my vault online, I am seriously impressed that they quickly posted a link to "LastPass Pocket" which allows you to access your locally stored cache.
systemd'oh! DNS lib underscore bug bites everyone's favorite init tool, blanks Netflix
Biting the hand that feeds IT © 1998–2017