I ran across this article today:
In this case, it appears that LastPass is doing its job properly and is blocking password-stuffing attacks. But it should be a warning to everybody to never reuse passwords - especially one that is the master key to the rest of your passwords.
Yes, that sounds pretty bad.
I may be wading into deeper waters than I should, here, but systems like 1password have a randomly generated secret key that must be associated with a device before attempting to log in using the master password, which would seem to effectively nullify attacks like this. Does LastPass have a similar setup?
Not associated with a device but with your account. Essentially it’s an additional 36 or 38 character password…both it and your Master Password are required for original connection on a new device or on the web but once that part is done you only need the Master Password.
Right, yes, same thing. One master password per account, stored locally on trusted machines (or possibly just a hash stored locally).
I went and took a look at the LastPass security whitepaper:
My reading of this, specifically of the section labeled “New Device Verification”, indicates to me that LastPass does not use the secret key architecture of 1Password, and that adding a new device requires only control over an email address, a much lower bar than that established by 1Password, where adding a device requires access to the secret key, obtained via access to an existing device with that secret key stored on it. Specifically, it appears to me that it should not be possible to gain acess to a 1Password account using only email address, master password, and ability to intercept email sent to an address.
Please correct me if I’m mistaken!
I’ll leave it to much smarter people to address the technical question, but as a LastPass user I can say that being security-savvy enough to use a password manager but not security-savvy enough to use a unique master password is really something.
LastPass was all over Twitter last week, repeatedly insisting (as they state in the linked article) that they had not had a breach. As a user, it feels like they are splitting hairs, semantically. They would have made better use of their 280 characters to remind people to make sure their master password is unique and hard to guess.
There are probably a lot of users, like my mother, who might have had a password manager “forced” upon them by someone more knowledgeable. They’re not particularly security-savvy even though they use a password manager.
I don’t see it as splitting hairs. From the article headline, most people will assume that LastPass suffered a security breach. That was the first thing I thought until I read the article. The company needs to protect its reputation by reassuring people that it wasn’t in fact (another) breach. It’s best to be explicit rather than implying the problem wasn’t the company’s fault.
Forgot to post this earlier…