Latest Breaking News

Omaha Steve

(99,765 posts) Mon Jun 15, 2015, 06:27 PM Jun 2015

Password service warns users to change their, yep, passwords

Source: AP

By BRANDON BAILEY

SAN FRANCISCO (AP) — A web service that promises to help people keep their passwords secure has reported hackers may have obtained some user information — although not actual passwords — from its network.

LastPass, which stores multiple passwords in encrypted form, warned Monday that it had detected "suspicious activity" on its own computer system. That led to the discovery that some users' email addresses, password reminders and encryption elements were compromised. The company said its investigation found no evidence that individual passwords or user accounts were breached.

The company is advising users to change their LastPass master passwords, which are used to retrieve encrypted individual passwords for the users' other online services or accounts. But it said they don't need to change individual passwords for all their accounts.

Read more: http://bigstory.ap.org/article/ed500c65c8a041b780754b849cd22fd4/password-service-warns-users-change-their-yep-passwords

13 replies

= new reply since forum marked as read

Highlight:

Password service warns users to change their, yep, passwords (Original Post) Omaha Steve Jun 2015 OP

Crap. I use that service. /nt dballance Jun 2015 #1

I use one of these... Spitfire of ATJ Jun 2015 #9

A few years ago, I asked our IT guys about password managers Ruby the Liberal Jun 2015 #2

Agree - avoid online services Nihil Jun 2015 #12

Good advice! nt Ruby the Liberal Jun 2015 #13

I'm a Lastpass user. They didn't actually get any passwords. Xithras Jun 2015 #3

I am not convinced that storing any of my information SheilaT Jun 2015 #4

I don't store passwords anywhere Gloria Jun 2015 #5

i use upm. drray23 Jun 2015 #6

Anyone who tells you skepticscott Jun 2015 #7

I don't know why anyone would store something like usernames and passwords with a third party.... George II Jun 2015 #8

Thanks for the notice, will need to do that as have used them uppityperson Jun 2015 #10

Doh! Jesus Malverde Jun 2015 #11

dballance

(5,756 posts)

1. Crap. I use that service. /nt

Reply to Omaha Steve (Original post)

Mon Jun 15, 2015, 06:41 PM

Jun 2015

Spitfire of ATJ

(32,723 posts)

9. I use one of these...

Reply to dballance (Reply #1)

Mon Jun 15, 2015, 08:52 PM

Jun 2015

They need to come out with one specific to passwords.

Under "Name" I put in the site, "Address" is user name, "Phone" is password.

Ruby the Liberal

(26,219 posts)

2. A few years ago, I asked our IT guys about password managers

Reply to Omaha Steve (Original post)

Mon Jun 15, 2015, 06:44 PM

Jun 2015

They recommended staying away from online services, and to use an offline-only version on your PC or phone. They recommended keepass (I think is the spelling) so I use that. If they can access a phone or PC, even that may not be safe - but at least they would have to go through a few more hoops to get to it.

Nihil

(13,508 posts)

12. Agree - avoid online services

Reply to Ruby the Liberal (Reply #2)

Tue Jun 16, 2015, 08:49 AM

Jun 2015

If you want to use a password manager, KeePass is as good as any (and better than some)
but the best approach is to combine stored data (be it in a diary, address book, spreadsheet
or shopping list) with your own mind - write down a starting letter and maybe the length of the
pw but use your mind to link it up with the account rather than writing that down too.

That way, if you forget, you have your own little "password hint" and if your storage is in
any way compromised (or stolen) then at least they haven't got the bits that are in your head!

Ruby the Liberal

(26,219 posts)

13. Good advice! nt

Reply to Nihil (Reply #12)

Tue Jun 16, 2015, 02:19 PM

Jun 2015

Xithras

(16,191 posts)

3. I'm a Lastpass user. They didn't actually get any passwords.

Reply to Omaha Steve (Original post)

Mon Jun 15, 2015, 06:51 PM

Jun 2015

They pulled the password hashes, the salt data, and the reminders for the account master passwords. The Lastpass hashing routine is one of the strongest used in the web world (more than 100,000 hashing rounds is standard), which makes it exceedingly difficult for unauthorized users to do anything with the data. It's possible (but unlikely) that someone might be able to reverse engineer a password out of it, but we're talking about some serious computing time just to get a master password to an account that may or may not contain anything of interest. The request to change your password is mostly just a precaution.

It's possible that some exceptionally stupid people may have put their passwords into their password hint fields, and THOSE people just had their passwords leaked, but those people are dumb and were insecure long before this hack.

SheilaT

(23,156 posts)

4. I am not convinced that storing any of my information

Reply to Omaha Steve (Original post)

Mon Jun 15, 2015, 06:54 PM

Jun 2015

on someone else's hard drive is ever a good idea.

Gloria

(17,663 posts)

5. I don't store passwords anywhere

Reply to Omaha Steve (Original post)

Mon Jun 15, 2015, 07:14 PM

Jun 2015

and I ditched Carbonite...just use external drives and USBs.

Can't avoid having info on the web entirely, ie, webmail via Comcast...but that's as far as I will go.

And when on the phone discussing business....it's a landline...no way I would ever use a mobile phone when discussing
bank accounts, credit cards, etc. and having to give a number out...