Another LastPass Security Incident

It's certainly more convoluted, fugly and doesn't really seem practical between multiple devices; being fickle, I might hate it again in 10 mins and go back to mocking people. :P
 
Do special characters actually make passwords any more secure in reality, especially with the power of computers today, rather than just somebody sitting and guessing?
Even that EFF dice method only uses normal letters and words it seems.

Yes, it substantially increases the complexity and entropy of the password.

Complexity is important as even long phrases with a theoretically high entropy can be broken quickly with a dictionary attack. For example the "correcthorsebatterystaple" password would be broken pretty quickly.
 
Yes, it substantially increases the entropy of the password; even long phrases can be broken quickly with a dictionary attack. Complexity is much more important than length.
password_strength.png
 
I edited my post as you were posting that. That example has a theoretically high entropy, but in practice its effective entropy is far less than a much shorter random password.
 
What do you mean by theoretically high entropy? If the words are generated randomly with dice the effective entropy and theoretical entropy are exactly the same.
 

People talk about entropy, however they forget where the entropy/randomness comes from.

You can’t prove something is random, but you can prove where that randomness came from. You can prove if it was created by a quantum source (which infers it’s random) and you can then prove nothing is entangled thus the randomness is secret.
 
The issue with using defined characters is that the randomness is not a perfect distribution (add people’s choice of sequence of letters for example). Both the maths and the implementation are important for this reason. It’s why I would not use any of these small companies that simply use random code. Few have the knowledge let alone the ability to operate a service.
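The entropy arithmetic behind this exchange, as an added example that is not part of the thread: it maps five EFF dice rolls to a word index (so every word is equally likely and theoretical entropy equals effective entropy), compares a dice-generated passphrase with a random character password, and shows how a phrase that sits in an attacker's dictionary collapses to log2 of that dictionary's size. The 7776-word list size and the guess rate are assumptions.

```python
import math
from typing import Sequence

# Assumed parameters for this example (not from the thread):
DICEWARE_WORDS = 7776        # EFF long list: 6**5 words, one word per five dice rolls
GUESSES_PER_SECOND = 1e10    # assumed offline guess rate against a fast, unsalted hash


def dice_index(rolls: Sequence[int]) -> int:
    """Map five dice rolls (1-6 each) to a 0-based index into a 7776-word list.
    Each roll is uniform and independent, so every index is equally likely and the
    theoretical entropy (log2 7776 per word) is also the effective entropy."""
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five rolls in 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)   # base-6 digits, most significant first
    return index


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform selections from `pool_size` options."""
    return picks * math.log2(pool_size)


def passphrase_entropy(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    return entropy_bits(wordlist_size, words)


def password_entropy(length: int, charset_size: int) -> float:
    # 26 = lower-case only, 62 = mixed case + digits, 95 = printable ASCII
    return entropy_bits(charset_size, length)


def effective_entropy_if_in_dictionary(dictionary_size: int) -> float:
    """A human-chosen phrase that appears in the attacker's dictionary is worth
    at most log2(dictionary size) bits, however long the phrase is."""
    return math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return 2.0 ** bits / rate


if __name__ == "__main__":
    print(f"4 diceware words  : {passphrase_entropy(4):.1f} bits")
    print(f"8 printable ASCII : {password_entropy(8, 95):.1f} bits")
    print(f"phrase in a 1M-entry attack list: {effective_entropy_if_in_dictionary(2**20):.1f} bits")
    print(f"years to exhaust 5 words: {seconds_to_exhaust(passphrase_entropy(5)) / 3.15e7:.1f}")
```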
 
Having fun and games with this, tried logging into LastPass, nope, to the point of locking the account. Got my secure copy of the password.
Still could not log in; now I know this password is correct, suspicious..
Tried recovering the account on multiple devices, hit luck on my old phone, woop, password changed.
Then can't log in on anything...... hah
So reverted that password change, got logged in on my laptop via a reset, except I cannot reset the password as it says an error has occurred (after about 20 mins of re-encryption)

I think I'll just delete my account at this point; I have everything saved out in Bitwarden, but going to have to manually change everything it seems (700 logins, will just do the important ones)
I have not set up 2FA on Bitwarden, it says "Some authenticator apps, such as Google Authenticator, do not automatically backup your 2FA tokens for easy migration to a new mobile device"
I thought the whole point of the Google one was you can transfer to a new phone if you lose your phone etc.!

Anyway I am glad I paid LastPass £30-odd quid for this experience, hah!
 
The irony is, just checked my emails to see a LastPass email saying you changed your password; I even had the mrs check before saving it, still cannot log in (yes I tried another device in case, caps lock, fat fingers, witchcraft) shrugs, I've changed one login anyway, 699 to go....
In fairness 698, I don't think I need to change the Blockbuster login.....
 

Go through them and delete the ones you can get rid of; they go into the bin if you need them back. Make sure you deactivate/delete/remove them on the site as well. That's a lot of sites to have accounts active for.
 
I use Bitwarden. I've got 2FA enabled on Bitwarden itself as well as on most sites that support it. I use Authy for the 2FA codes where available.

Is there anything I should do that means I'm not as screwed if I were to lose/break my phone?

I have Bitwarden synced so I can access my passwords on my laptop too, but I'm guessing that's not much use if I lose/break my 2FA device. I'm not sure what the steps would be on the Authy side for a lost/broken device.
 
I see from online comments that apparently no company offering a password manager can truly offer a Zero Knowledge model, as apart from account and billing administration they are tied by know-your-customer laws; not sure if that's an American thing or not?

And apparently LastPass has always been open about not encrypting certain parts of the field information such as URLs, not that that helps any of us if we start being flooded with phishing emails.
 
I would guess they don't bother encrypting URLs a) because they're public anyway, b) they can't be used in any way to identify an account holder, and c) they take up less storage space.
 