Another LastPass Security Incident

I would guess they don't bother encrypting URLs a) because they're public anyway, b) they can't be used in any way to identify an account holder, and c) they take up less storage space.
I can't think of any good reason not to encrypt the URL. It's bad for privacy, and now hackers can prioritise which accounts they want to try and crack based on the URLs.
 

This lot are hard to keep up with.

Not good reading.

Guess I will have to move to a new password manager and change everything again. 1Password seems to be getting positive praise, so I will have a look at them.
 
I can't think of any good reason not to encrypt the URL. It's bad for privacy, and now hackers can prioritise which accounts they want to try and crack based on the URLs.

I can: storage.

If you've got a million people, for example, who all save their account details for www.facebook.com, then if you encrypt the URL you now need to store it a million times. A URL might only be a couple of bytes, but multiply that by a good number of users and the size adds up. If it's unencrypted they only have to store the URL once.
 
I can: storage.

If you've got a million people, for example, who all save their account details for www.facebook.com, then if you encrypt the URL you now need to store it a million times. A URL might only be a couple of bytes, but multiply that by a good number of users and the size adds up. If it's unencrypted they only have to store the URL once.

It takes up 1 byte per character. If an average URL was 50 characters, and an average user saved 300 URLs, that would be 15,000 bytes or 15KB per person. If LastPass has 33 million users it would be 461 GB of storage. That's absolutely nothing for a company the size of LastPass.
 
I can: storage.

If you've got a million people, for example, who all save their account details for www.facebook.com, then if you encrypt the URL you now need to store it a million times. A URL might only be a couple of bytes, but multiply that by a good number of users and the size adds up. If it's unencrypted they only have to store the URL once.

I know a good reason: if you advertise zero-knowledge encryption, then you should probably actually do that.
 
It takes up 1 byte per character. If an average URL was 50 characters, and an average user saved 300 URLs, that would be 15,000 bytes or 15KB per person. If LastPass has 33 million users it would be 461 GB of storage. That's absolutely nothing for a company the size of LastPass.

It would be far less than that in reality. You don't need to store:
http(s)
://
www.
 
Are there better alternatives to LastPass?

I've been thinking about moving to use exclusively Apple Keychain, but I'm unsure of the drawbacks. I understand it is now possible to use it with Windows, but the integration might not be that great.
Yes, not using password programs and using entirely your memory. Your memory can't be hacked :D
 
I'm a LastPass user, and I wasn't overly bothered about this, given what they've stated. I don't want to be bullish, but I think every convenient/easy password manager service out there is susceptible to hacks or breaches like this. I believe my passwords are secure, and I'm not going to go through my vault and change them all.

My master password was long and unique, and I mainly used random passwords and 2FA on every site I could possibly use it on.

I changed my master password a few days ago, which re-encrypts your vault (even though I haven't changed any site passwords or data held in them). So the re-encryption process seems a bit pointless really, but if you are a LastPass user, do it anyway. Then change passwords on sites where you use a common password, if you are bothered enough to do so.

I would happily move to another password manager from a tech firm with the investment in password security of Google/Amazon/Apple etc., if they offer an equivalent or better service that I can use on both Windows and Android mobile etc.
 
I would happily move to another password manager from a tech firm with the investment in password security of Google/Amazon/Apple etc., if they offer an equivalent or better service that I can use on both Windows and Android mobile etc.

For a company that invests in password security, you would think they would make it cross-platform to target everyone, but no, they decide to keep it to their own platform.

For this very reason I stopped using them.
 

I don't want to be bullish, but I think every convenient/easy password manager service out there is susceptible to hacks or breaches like this.

I have very mixed feelings, as large breaches like LastPass (or the one above, for example) have happened and will happen, and the only control we have is to change our passwords, as we have no control over all the computers that hold our personal information for billing and such. Yet it's hard to ignore the feeling that lots of people have of Panic!, Panic!, Panic!, dig trenches, set up laser turrets, we are all completely ******!
 
I have very mixed feelings, as large breaches like LastPass (or the one above, for example) have happened and will happen, and the only control we have is to change our passwords, as we have no control over all the computers that hold our personal information for billing and such. Yet it's hard to ignore the feeling that lots of people have of Panic!, Panic!, Panic, dig trenches and set up laser turrets, we are all completely ******!

IMO it doesn't matter if they tell us or not; a breach is a breach. Telling us gains a little trust, but what goes on for real in the background nobody will ever know, except some people working there. I always assume there's something going on with regard to stuff we can't see. I take breaches seriously, and they shouldn't be happening.

They should have good enough devs to be able to keep the holes closed IMO. Password vaults should be 100% secure.
 
They should have good enough devs to be able to keep the holes closed IMO. Password vaults should be 100% secure.

If they can't make SSL (HTTPS) links 100% secure, which is what started Heartbleed, then it doesn't give much hope for a 100% secure vault, as SSL is the second biggest project on the internet, has the most devs checking over the code, and has had millions spent on it in security audits thanks to the likes of Google and Microsoft.

They always say the worst security is on the inside, and that's certainly true for LastPass and SSL, as both have been breached due to the dev side of things.
 