Password service warns users to change their, yep, passwords
Source: AP
By BRANDON BAILEY
SAN FRANCISCO (AP) - A web service that promises to help people keep their passwords secure has reported hackers may have obtained some user information, although not actual passwords, from its network.
LastPass, which stores multiple passwords in encrypted form, warned Monday that it had detected "suspicious activity" on its own computer system. That led to the discovery that some users' email addresses, password reminders and encryption elements were compromised. The company said its investigation found no evidence that individual passwords or user accounts were breached.
The company is advising users to change their LastPass master passwords, which are used to retrieve encrypted individual passwords for the users' other online services or accounts. But it said they don't need to change individual passwords for all their accounts.
Read more: http://bigstory.ap.org/article/ed500c65c8a041b780754b849cd22fd4/password-service-warns-users-change-their-yep-passwords
dballance
(5,756 posts)
Spitfire of ATJ
(32,723 posts)
They need to come out with one specific to passwords.
Under "Name" I put in the site, "Address" is user name, "Phone" is password.
Ruby the Liberal
(26,219 posts)
They recommended staying away from online services, and to use an offline-only version on your PC or phone. They recommended keepass (I think is the spelling) so I use that. If they can access a phone or PC, even that may not be safe - but at least they would have to go through a few more hoops to get to it.
Nihil
(13,508 posts)
If you want to use a password manager, KeePass is as good as any (and better than some)
but the best approach is to combine stored data (be it in a diary, address book, spreadsheet
or shopping list) with your own mind - write down a starting letter and maybe the length of the
pw but use your mind to link it up with the account rather than writing that down too.
That way, if you forget, you have your own little "password hint" and if your storage is in
any way compromised (or stolen) then at least they haven't got the bits that are in your head!
Ruby the Liberal
(26,219 posts)
Xithras
(16,191 posts)
They pulled the password hashes, the salt data, and the reminders for the account master passwords. The LastPass hashing routine is one of the strongest used in the web world (more than 100,000 hashing rounds is standard), which makes it exceedingly difficult for unauthorized users to do anything with the data. It's possible (but unlikely) that someone might be able to reverse engineer a password out of it, but we're talking about some serious computing time just to get a master password to an account that may or may not contain anything of interest. The request to change your password is mostly just a precaution.
It's possible that some exceptionally stupid people may have put their passwords into their password hint fields, and THOSE people just had their passwords leaked, but those people are dumb and were insecure long before this hack.
SheilaT
(23,156 posts)
on someone else's hard drive is ever a good idea.
Gloria
(17,663 posts)
and I ditched Carbonite...just use external drives and USBs.
Can't avoid having info on the web entirely, i.e., webmail via Comcast...but that's as far as I will go.
And when on the phone discussing business....it's a landline...no way I would ever use a mobile phone when discussing
bank accounts, credit cards, etc. and having to give a number out...
drray23
(7,638 posts)
it is local on your device but you can sync the crypted file via Dropbox. They have versions for PC, Macs, Androids and iPhone.
skepticscott
(13,029 posts)
that they can guarantee the security of your personal information on a computer connected to the internet is lying.
George II
(67,782 posts)
.....I wouldn't even post pictures or any documents on any of the free "clouds" available now.
uppityperson
(115,681 posts)
Jesus Malverde
(10,274 posts)
Another reminder why it's a bad idea to use cloud-based password solutions.