Old 06-15-2015, 06:26 PM   #1
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
LastPass compromised. - Change your Master Password NOW


https://threatpost.com/lastpass-netw...d-reset/113324
 
Old 06-15-2015, 06:31 PM   #2
Keith Hedger
Senior Member
 
Registered: Jun 2010
Location: Wiltshire, UK
Distribution: Void, Linux From Scratch, Slackware64
Posts: 3,190

Rep: Reputation: 866
Personally I always thought services like this were just an accident waiting to happen. If you store your passwords securely on your local machine it must be a better idea than having them all on some public server that is advertising to the hacker world 'Hey look, I've got all these passwords, come and get them!'

I use an encrypted SQL database for mine and only run the MySQL server when I actually need to access the information.
 
1 members found this post helpful.
Old 06-15-2015, 06:34 PM   #3
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,297
Blog Entries: 24

Rep: Reputation: 4255
<sarcasm>But lookee! How convenient! An' I don't even have to think about nuthin'!</sarcasm>

Last edited by astrogeek; 06-15-2015 at 06:36 PM.
 
Old 06-15-2015, 06:37 PM   #4
Keith Hedger
Senior Member
 
Registered: Jun 2010
Location: Wiltshire, UK
Distribution: Void, Linux From Scratch, Slackware64
Posts: 3,190

Rep: Reputation: 866
You Windows user, you
 
Old 06-15-2015, 08:02 PM   #5
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Rep: Reputation: 316
Quote:
The attackers, however, did compromise LastPass account email addresses, password reminders, per-user salts, and authentication hashes.
So in other words, they did actually take good security and passwords weren't divulged since they were hashed. Having salts exposed seems like it exposes it to rainbow tables, but otherwise as long as users change their pass, nothing was really compromised except user emails. It also looks like they used a difficult cipher so it'll take a while to find out what the master passwords are.

So the real loss was email addresses were leaked.

I don't use LastPass but it still looks like a useful service. Definitely a better option than using a simple pass for everything. Not to mention rather than needing to change hundreds of passwords, the only one that needs to be changed is the master one.
Of course, critical ones (bank) should also be changed.
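
What per-user salts and an iterated hash mean for a leaked hash database, as an added example that is not part of the original post and is not LastPass's code. PBKDF2-HMAC-SHA256, the iteration count, and the sample accounts and passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def auth_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a salted, iterated authentication hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Check a login attempt against the stored hash in constant time."""
    return hmac.compare_digest(auth_hash(password, salt, iterations), stored)


def precomputed_table(candidates, salt: bytes, iterations: int = ITERATIONS) -> dict:
    """Hash -> password lookup table; valid only for the one salt it was built with."""
    return {auth_hash(p, salt, iterations): p for p in candidates}


def demo() -> dict:
    # Constructed sample accounts: two users who picked the same password.
    users = {}
    for name in ("alice@example.com", "bob@example.com"):
        salt = os.urandom(16)  # per-user random salt
        users[name] = (salt, auth_hash("correct horse battery staple", salt))
    (salt_a, hash_a), (salt_b, hash_b) = users.values()

    # A table built against alice's salt contains her hash but not bob's,
    # so the precomputation has to be redone for every account.
    table = precomputed_table(["password1", "correct horse battery staple"], salt_a)
    return {
        "same_password_same_hash": hash_a == hash_b,
        "table_hits_alice": hash_a in table,
        "table_hits_bob": hash_b in table,
        "login_ok": verify("correct horse battery staple", salt_b, hash_b),
        "login_wrong": verify("password1", salt_b, hash_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A lookup table only helps against the salt it was built for, and each guess costs the full iteration count, so what remains exposed is a weak master password guessed one account at a time.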
 
Old 06-16-2015, 11:33 PM   #6
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,333

Rep: Reputation: 5379
Yeah, the hackers didn't get any passwords because LastPass was doing things right. I'm not a user, but my confidence in them has increased after hearing this.
 
Old 06-17-2015, 01:14 PM   #7
TomBoyle
LQ Newbie
 
Registered: Jun 2015
Posts: 5

Rep: Reputation: 0
I use ccrypt to encrypt my text file with my user accounts and passwords and when I need to generate a strong password I use an alias like
Code:
# Quote the character class so the shell cannot glob-expand it against file names.
alias gp="tr -dc '[:graph:]' < /dev/urandom | head -c 15 | xargs -0"
For my important accounts that have my financial information, I'll change the passwords every six months or so. One thing is certain, nothing is fail-proof. We have to be proactive even though it's an inconvenience at times.
 
Old 06-17-2015, 04:45 PM   #8
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,943

Rep: Reputation: 542
LastPass doesn't even have the master password, AFAIK. All they have is the encrypted file, not your master password. Password reminders might be of some help to hackers in some cases, but if you really need a reminder of your LastPass password, you're not doing it right. I've never given them a reminder, so it won't help anyone. And the email address I use for it is a throwaway. GMail addresses are plentiful and free, and useful for some things, such as this.
 
Old 06-17-2015, 06:45 PM   #9
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374

Original Poster
Blog Entries: 37

Rep: Reputation: Disabled
My password reminder there is F**k you
 
Old 06-17-2015, 08:15 PM   #10
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,639

Rep: Reputation: 2653
well if your password IS
"MargaretThatcheris110SEXY"

a VERY VERY GOOD explanation

http://blog.erratasec.com/2015/06/sh...thash-was.html
 
Old 06-18-2015, 11:46 AM   #11
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,861
Blog Entries: 4

Rep: Reputation: 3995
Quote:
Originally Posted by John VV
well if your password IS "MargaretThatcheris110SEXY" ...
It means either that you are Blind, or that you are Utterly Mad, or that you are Poor Mr. Thatcher.

As for me, I ordinarily either use the "Keychain" service of something like OS/X, or a more-transportable tool such as PasswdSafe. With the latter, a file containing the encrypted content can be moved among multiple systems, say, phones, all of which can read it. (But I have had some transportability issues.) PasswdSafe in all of its implementations is, I believe, open-source.
 
  

