LastPass Breach -- Comments?

WFA
Community Member

http://www.wired.com/2015/06/hack-brief-password-manager-lastpass-got-breached-hard/



Comments

  • Piggy
    Community Member

    FYI. http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571


  • justme12
    Community Member

    LastPass, the popular password security tool used by consumers and companies to secure data, has been breached.

    In a message posted to its website on Monday, LastPass CEO Joe Siegrist revealed that account email addresses and password reminders had been compromised, but it's unclear how many users it affected.

    "In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed," wrote Siegrist.

    The company is notifying users via email and requiring those logging in from a new device or IP address to verify their account through email (unless the user has multi-factor authentication enabled).

    Additionally, the company is advising users to change their master passwords.

    However, as of this writing, some users received error messages when trying to change their passwords.

    http://tinyurl.com/p7u6d2b


  • prime
    Community Member

    Just read this. When I was looking for a password manager, it was down to LastPass and 1Password. 1Password won because LastPass was hacked once before and my info is on their servers.

  • prime
    Community Member

    I'm on Facebook and reading all the comments from BGR and other text site... 1Password might get some sales. My issue is how misinformed people are about this and don't get that not all password managers are alike.

  • fourwheelcycle
    Community Member

    I previously used Dropbox for a variety of confidential file storage and transfer functions, but I stopped after they accidentally left their site wide open without password security for four hours on a weekend afternoon in June, 2011. I also used LastPass for about nine months before I switched to 1Password a year ago - now I'm glad I made the change.

    Fortunately, I only have to sync my 1P5 keychain across several computers and an iPad within our own home wifi network. I store 1P5's keychain on our Time Capsule, so I don't need to use Dropbox or Apple's iCloud, which are ultimately vulnerable to hacking (even though I understand 1P data is very well encrypted).

  • spacemn_spiff
    Community Member
    edited June 2015

    This is sad news. I guess I should switch to wifi sync instead of Dropbox. Are there instructions to transfer the vault from Dropbox to local drive for wifi sync?

    Does 1Password support two-factor authentication?

  • Plato
    Community Member

    I certainly don't wish bad things on your competitor, but the hack certainly demonstrates the benefit of your philosophy regarding storage location and associated protection of the passwords.


  • Stephen_C
    Community Member

    Please note that I've merged all similar posts into one thread so that we can keep together any discussion on the subject.

    Stephen

  • AGAlumB
    1Password Alumni
    edited June 2015

    Hey, guys! I'm still getting up to speed on this myself, but suffice to say that it's a sad day for us all when things like this happen -- whether it's an account or service breach, or "just" personal information being leaked. :(

    Even though it would mean giving up a lot of really great things that have happened to the internet in recent years, sometimes I really wish that we could go back to a simpler time. But that's probably just me being Nostalgic Old Guy ("Back in my day...") and having a knee-jerk reaction to yet another unfortunate instance of "business as usual" in the digital age. And frankly, there will always be cyber-miscreants of all kinds (no helping that!) so we need to maintain perspective and stay positive.

    These sorts of things will -- unfortunately -- continue to happen to good people, but we can at least all take stock and learn what lessons we can to be smarter and more vigilant going forward.

    In the end, I really appreciate the community we have here and the concern and respect shown for both the competition and their customers. Makes for much nicer reading than Xbox versus PlayStation forum flame wars. ;)

  • AGAlumB
    1Password Alumni
    edited June 2015

    My issue is how misinformed people are about this and don't get that not all password managers are alike.

    @prime: Agreed! And I don't mean 'misinformed' in a derogatory way. No shame in not knowing, and that's why we try to spread the word ourselves and appreciate it so much when you do. Honestly, a black day for LastPass is a black day for 1Password and password managers (and security!) in general, as it can scare people away from using any of them to be more secure.

    I'll have to investigate this further, but from what I understand LastPass users who use a unique password for each site will still have an advantage over those who don't use a password manager at all.

    I previously used Dropbox for a variety of confidential file storage and transfer functions, but I stopped after they accidentally left their site wide open without password security for four hours on a weekend afternoon in June, 2011.

    @fourwheelcycle: I understand the hesitation and respect your choice. After all, the reason we have Wi-Fi Sync in the first place is for our customers who either can't or won't sync using a cloud service!

    This is sad news. I guess I should switch to wifi sync instead of Dropbox. Are there instructions to transfer the vault from Dropbox to local drive for wifi sync?

    @spacemn_spiff: Yes! But it's also important to note that your 1Password data is end-to-end encrypted, so 1Password simply doesn't depend on the sync service to protect your data. A cloud breach still requires the attacker to have your Master Password to decrypt your data. :)

    Does 1Password support two-factor authentication?

    No! Since 1Password isn't a centralized service, it doesn't authenticate you. Rather, your data is encrypted, and you need to provide your Master Password to have it decrypted.

    And so more to my last point, if 1Password were authenticating through a cloud service they would have to be able to validate your Master Password -- preferably with a salted hash -- and this could make them a target for attackers to get at your data. AgileBits simply does not have your Master Password, in any form. So if you were to tell us your Master Password (Don't) we couldn't tell you if it's the right one to authenticate you anyway!

    Also, we don't have your data. ;)

    I certainly don't wish bad things on your competitor, but the hack certainly demonstrates the benefit of your philosophy regarding storage location and associated protection of the passwords.

    @Plato: As I mentioned above, this is bad news for everyone in the security business. Not everyone ('normal' people -- the guy on the street who thinks Edward Snowden is the Wikileaks guy, etc.) understands how all of this works, and a vulnerability for one erodes trust in the public eye for all. And ultimately all philosophies or models have tradeoffs.

    Sure, some folks will be motivated by paranoia to use 1Password to improve their security, but many more will simply throw up their hands and say "I give up." And that's a loss for all of us.

    The more of us that raise the bar for our own security, the better for all of us collectively. I hope that one day we can get to the point where we're all so secure with our crazy-unique passwords for everything that the bad guys cut their losses and go back to making malicious banner ads in lieu of trying to steal personal information in aggregate.

    But right now that dream still seems a long way off.

  • davaz3
    Community Member

    The article about this breach was reported in today's NYTimes. I have two questions. How does the current version of 1Password for Mac keep our master password safe (at least safer than LastPass), and when will you go to 2-step authentication?

    1Password Version: 5.3.2
    OS Version: 10.10.3

  • prime
    Community Member

    @brenty great info. I know we can joke here, but we all as 1Password users shouldn't be so quick to put down another company. I told others this was one of the reasons why I didn't go with LastPass, because I feel I have more control over my data at 1Password. I use Dropbox, and I love it. I may switch to wifi, but I love having that "back up" in Dropbox in case of an emergency. I have my Dropbox set with 2 step verification also, so that's a help in protecting my files.

    By the way, I love how my phone typed text and not tech... Darn phone.

  • fourwheelcycle
    Community Member
    edited June 2015

    To spacemn_spiff,

    Brenty's comment above says Yes! you can switch to wifi sync and gives you a link, but you will find the link is only for wifi syncing between one of your computers and one or more iOS devices you may also be using with 1P.

    This URL https://discussions.agilebits.com/discussion/comment/199693/#Comment_199693 links to a 1P Forum thread that includes a comment about how I accomplish wifi syncing for three Macs and two Windows PCs on our home wifi network. It also includes a (gentle) response from Drew-AG about why 1P generally does not recommend the approach I use. I have not encountered the latency or other problems that Drew-AG warns about and I find that my approach happens to "just work" fine on our home network, which is built around an Apple Time Capsule.

    As I noted above, the point of my experimentation with home wifi syncing is to keep my personal info out of the cloud (including Dropbox and Apple's iCloud) whenever possible, despite the fact that 1P data is very well encrypted.

  • danco
    Volunteer Moderator
    edited June 2015

    @davaz3

    Basically, because the 1PW data is always under your control, there's no need for two-step authentication, and the master password is safe.

    Now, if you choose to use a sync method such as Dropbox or iCloud, they could be breached but that would still not give access to your master password.

    And you can just keep your 1PW data on your own computer, so no risk of a breach unless someone can gain access to that.

    In between the two options (syncing in the cloud or keeping all data on your computer) are possibilities such as folder sync or wi-fi sync, which are local to you.

  • spacemn_spiff
    Community Member
    edited June 2015

    Thanks @fourwheelcycle, @prime and @brenty. First thing I am going to do is go with two step verification for Dropbox. If I am not comfortable with that then I will switch to Wi-Fi sync.

    I have one Windows PC, 2 iPhones and 1 iPad. Does the wifi sync need a PC or a Mac to sync, can it sync between two iOS devices on the same network without the PC?

  • Lamplighter
    Community Member
    edited June 2015

    @justme12 posted this link tinyurl.com/p7u6d2b, in which the CEO calls for LastPass users to change their password.

    If such a call were made for 1P, would that be a call to change the "master password", or something more akin to and do-able like changing passwords among all of the "User - Password" logins?

    I understand we can now change the master password manually, but with some possible risk to our data.
    Back when I was a new user, I failed to create a "good" 1P master password, would like to improve on it now.
    So I'm wishing for a 1P-sanctioned method to completely handle it for me.

    In a way, I'm asking if it raises the priority for Agilebits to create a (user-friendly and secure) method to change the 1P master password.

  • jpgoldberg
    1Password Alumni

    @Lamplighter asked a very tricky question:

    If such a call were made for 1P, would that be a call to change the "master password",

    or something more akin to and do-able like changing passwords among all of the "User - Password" logins?

    For those who don't know the problem that lamplighter's referring to, a 1Password Master Password change does not have the security properties that people expect. It's a bad thing for a security system to not have the expected security properties and so it is something we need to address one way or another.

    For the specific case, I find it hard to imagine a situation in which we would advise people en-masse to change their Master Passwords. I suppose I can duck the question that way. But while technically true that would be sidestepping the substantive question.

    In a way, I'm asking if it raises the priority for Agilebits to create a (simple and secure) method to change the 1P master password.

    A proper solution requires substantial changes in our data format. It's not a question of "priority", but of actually implementing a complex change in data format without breaking synchronization. And if we are going to change the data format, then there are other things we should do along with that. Rolling out a new data format is slow and hard, so no matter how much of a priority this is, it isn't something that is going to happen quickly.

  • hawkmoth
    Community Member
    edited June 2015

    This thread probably needs an explicit reminder about the differences in uses of the master password. 1Password isn't using it for authentication of identity, whereas the cloud-based solutions are. Somewhere I know there is a post about that; I'll see if I can resurrect it. This is germane to the question that comes up fairly often about two factor identification for 1Password too.

    Edit: This should be consulted: Authentication vs. Decryption

  • littlebobbytables
    1Password Alumni

    Hi @davaz3,

    I've merged your query with an ongoing thread regarding this particular breach. I think you will find both brenty's post and jpgoldberg's post of interest based on your question. Should you have more queries please do ask :smile:

  • vels
    Community Member

    I read in the news that LastPass was hacked recently. As I understand it, their product stored the encrypted passwords of their users on their server. Their server was compromised and the passwords were stolen.

    Does 1Password store any customers' passwords, or are all users' passwords stored on their local machines (unless they use Dropbox, iCloud etc. to sync the encrypted passwords, in which case each user has their own setup for this so there is no centralised target)?

    Could somebody confirm this is the way 1Password works, or if there is any danger of the passwords being compromised in the same way as the LastPass ones?


  • danco
    Volunteer Moderator

    Yes, you are correct in your understanding. Nothing is stored outside a user's machine unless they explicitly use Dropbox, iCloud, etc.

    There is no centralised server to attack.

  • hawkmoth
    Community Member

    There is also a lengthy thread about this in the Lounge section of the forum, here.

  • Drew_AG
    1Password Alumni

    Hi @vels,

    I'm glad you're thinking strongly about the security of your data! I hope you don't mind, but I've merged your message into another thread about this in our "Lounge" forum (the same discussion from hawkmoth's link). Danco's answer to your question is correct, and you can find more information in the other posts here - in particular, brenty's post and jpgoldberg's post have a lot of good information.

    If you have more questions about that, please don't hesitate to let us know!

  • kohls
    Community Member

    Just read that LastPass was hacked! Please assure me that this won't happen with 1Password!


    1Password Version: 5.4.2
    Extension Version: 4.3.1
    OS Version: OS X 10.10.3
    Sync Type: Dropbox

  • Vee_AG
    1Password Alumni

    Hi @kohls,

    I've merged your post into this related discussion in our Lounge forum. Kudos for taking your data security seriously! You should find plenty of reassurances about 1Password's security in our comments in this thread, but let us know if you have any further questions. Cheers!

  • AGAlumB
    1Password Alumni
    edited June 2015

    @davaz3: As I mentioned above, since AgileBits doesn't have your 1Password data (or your Master Password) there is no central place where one can authenticate once, much less twice.

    I have one Windows PC, 2 iPhones and 1 iPad. Does the wifi sync need a PC or a Mac to sync, can it sync between two iOS devices on the same network without the PC?

    @spacemn_spiff: With 1Password Wi-Fi Sync, a single computer (Mac or PC) acts as the server, while your iOS devices are clients that connect to it when you sync. Unlike Calvinball, these rules must be strictly observed. ;)

    Does 1Password store any customers' passwords, or are all users' passwords stored on their local machines (unless they use Dropbox, iCloud etc. to sync the encrypted passwords, in which case each user has their own setup for this so there is no centralised target)?

    @vels: Your Master Password is never stored, regardless of where you store your 1Password data (except when you use Touch ID on iOS, which is protected by your fingerprint and device passcode).

    To be clear, even if you sync your 1Password data, the Master Password is not stored or synced, only the data which you can then decrypt using your Master Password. It's like your car: wherever you move it, it doesn't have the key; but you can use the key, which is necessary to unlock it, regardless of location.

    Just read that LastPass was hacked! Please assure me that this won't happen with 1Password!

    @kohls: "1Password" is not an entity or centralized repository that can be the target of any attack. And AgileBits has neither your 1Password data nor the Master Password used to secure it; only you do!

    Even if you sync your data, no one has the Master Password needed to decrypt it unless you tell it to them. The security of 1Password simply doesn't depend on where your data is stored. :)

  • Zendlakdavala
    Community Member

    LastPass, a service similar to yours, recently had a severe security breach. Should a 1Password user, such as myself, be concerned (for obvious reasons)?

    Zend.


  • AGAlumB
    1Password Alumni

    LastPass, a service similar to yours, recently had a severe security breach. Should a 1Password user, such as myself, be concerned (for obvious reasons)?

    @Zendlakdavala: As mentioned earlier in the thread, 1Password differs significantly in that your data is not stored on a central server, and AgileBits does not have it. 1Password is a product, rather than a service. Be sure to let us know if you have any other questions! :)

  • EAGLSPRGS
    Community Member

    Is 1P reviewing safety protocols so this does not happen to us? You guys are always on your A game, but it makes you think this might happen to 1P. Scary.

    Thanks!


  • Drew_AG
    1Password Alumni

    Hi @EAGLSPRGS,

    I've merged your message into an existing discussion about this in our "Lounge" forum. I hope you don't mind!

    The short answer here is that this same problem cannot happen to 1Password because your 1Password data is not stored on a central server. We don't have your data, so no one can steal it from us. By default, all your 1Password data is stored locally on your device. If you use the iCloud or Dropbox sync options in 1Password, then an encrypted copy of your data is stored in your iCloud or Dropbox account, but your master password isn't stored anywhere at all (except in your head).

    You can find more information in the other posts in this thread. A good place to start is with brenty's post and jpgoldberg's post. If you have more questions about that, please don't hesitate to let us know! :)

This discussion has been closed.