May 4, 2011

LastPass Security Notification

Update 10, May 16th, 3:20pm EST - Final update to this post; we'll make new posts going forward.

Actions we've taken:
  • Multiple security experts and firms were brought in to help us; we've engaged one firm to do a further source-code-based review.
  • We're committed to doing several reviews per year and sharing the results of these reviews.
  • We've had some useful suggestions from the community -- we appreciate your input: https://lastpass.com/support_security.php
  • One example: to reduce the chance of phishing, Iastpass.com was registered (that's a capital i instead of an L). We've also purchased 1astpass.com.
  • All non-core services have been completely removed from the LastPass network; LastPass now runs the web application and DNS servers only.
  • Forums, Helpdesk, etc. are run offsite on 3rd-party servers.
  • We're looking into moving our support tickets off our network too.
  • Amazon was used to send out the email notification; we're now better able to send large amounts of email quickly, and we thank Amazon for working to spin us up quickly.
  • We've commissioned a write-only, off-site, aggregated log server which can only be accessed via the console. This gives us a guarantee that any logging is intact.

The good:
  • We were prepared to both disable accounts and force people through password changes; this was a scenario we had planned for.
  • The steps we took protected all users, even those who used weak master passwords.
  • Having a live backup system proved invaluable for people who ran into issues, or forgot their new master password after changing it.

We made a number of tactical errors including:
  • Out of the gate, we inconvenienced a large number of people who knew their passwords were strong and therefore never could have been at any risk.
  • Massively underestimating the amount of media attention we'd receive. This had two effects: 1. it greatly increased the number of users attempting to change their passwords -- our plan was sized for people coming from new computers, a small percentage of the overall user base per day, which we could have handled; 2. it drove a big increase in new users as people interested in LastPass attempted to check us out.
  • For people who had login tracking turned off, we had no IP data on previously used computers. This caused nearly all of these people to face a password change immediately.
  • We moved too slowly to shut down password changing once the system was under stress.
  • We weren't prepared to send large amounts of email quickly, especially after turning off a server. (Resolved going forward with Amazon.)
  • Some of our customers were unfamiliar with logging into LastPass in offline mode, which panicked a number of them.
  • Blogger (who we use for blog.lastpass.com) had some downtime through the event.

Additional changes coming:
  • Our next release will make it clear how to log in offline from the login dialog.
  • We've purchased a large amount of additional server capacity so we can handle extreme load events better in the future.
  • We'll be utilizing the 'from a new location' capability in a few new security features.

Update 9, ~11am 05/09 EST:

Many users are changing their password and then discovering they can't remember it; a number have also run into issues with password changes and want to go back. You can now do this yourself without contacting us: https://lastpass.com/revert


Update 8, ~9am 05/07 EST:

We enabled password change for greater percentages of users overnight and now for all users. Again, please note that there is no need to panic: all accounts were put into a locked-down mode that allows only previous login locations, or verification via email, until the password is changed.

We're asking any users that have current issues with a password change to use https://lastpass.com/revert to be restored from backups. Many of these have been people forgetting what password they changed to, so make sure you practice that new password a number of times after you change it.

We appreciate your patience, we'll continue to update with any changes.

Update 7, ~6pm 05/06 EST:

Everyone should be able to log in (after verifying your email if you are coming from a new IP). We've begun allowing all premium users and a percentage of other users to go through password change.

Please note that there is no risk in waiting if you can deal with verifying by email when you use a computer at a new place (IP).

If you experienced an issue with a password change and want to be restored from backups we can do that too and will provide a URL to do it shortly.

Update 6, ~10:30am 05/06 EST:

If you have been experiencing an error contacting the server, please try logging in both via the plugin and the website - you should now gain online access. If you still see an error, please open a support ticket or email support@lastpass.com, if you haven't already done so.

Currently we're not allowing users to change master passwords until our databases are completely caught up and we have resolved outstanding issues. We will update our users via the blog when it is possible to do so.

Thank you for your continued patience.

Update 5, ~1:30am 05/06 EST:

We've added the option for you to say that you know your master password is strong and to skip the password change; we apologize for not having that available when we announced.

We've identified an issue with roughly 0.5% of users that impacted their master password change, and will be contacting those users tomorrow to roll them back to before the change.

Our focus right now is on resolving issues for affected users; we'll continue to provide updates here.

Update 4, ~10pm EST:

Joe's interview with PCWorld covers more details on what happened, what our thought process has been, and what this means for our users: http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html.

We continue to work as quickly as possible to address user support.

Update 3, ~4:30pm EST:


Logging in offline should be working everywhere if you have logged in using that client before. If you're having problems with this, please attempt to log in via the website: https://lastpass.com/?ac=1 -- that should now take you through an email process to enable your current IP.

If you're having problems getting your data with Pocket, make sure you're choosing to log in to the local file, not logging in at LastPass.com.

If you changed your password and are now having problems, we'll help with that too; please email us if that's the case and include your LastPass email address.

For those who haven't been prompted, and have continued to use LastPass without issue -- we've judged the risk to be low if you're using the same IP -- we're only raising the issue once that changes.

Finally, if you have issues with password changes, please email us at support@lastpass.com; we can revert you, or we can pull data from backups, but please try LastPass Icon -> Clear Local Cache first.

Update 2, 2:15pm EST:

Record traffic, plus a rush of people to make password changes is more than we can currently handle.

We're switching tactics -- if you've made the password change already we'll handle you normally.
If you haven't, the vast majority of you will be logged in using 'offline' mode so you can still use LastPass as normal and get back to your day; only syncing of new passwords should suffer (and you'll see the bar).

As load lowers we'll increase the percentage of people being sent through email validation / password changing.

For people experiencing problems, please email us at support@lastpass.com -- we have seen a few reports of bogus data after the change; we think this is due to downloading a stale copy, and if you go to LastPass Icon -> Clear Local Cache and try again it should work.

You can access your data via LastPass in offline mode or by downloading LastPass Pocket: https://lastpass.com/misc_download.php (choose your OS).

---

We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database than was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred, and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

If you have a strong, non-dictionary-based password or passphrase, this shouldn't impact you. The potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately, not everyone picks a master password that's immune to brute forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.
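As an added illustration of the scheme described above, not LastPass's own code: the server side uses exactly the stated parameters (PBKDF2-SHA256, a 256-bit salt, 100,000 rounds), while the client-side step, its round count and its use of the e-mail address as salt are assumptions, since the post does not describe the client implementation. The cost measurement at the end shows what each candidate password costs anyone holding the salts and hashes, which is the mitigation the round count buys.

```python
import hashlib
import hmac
import os
import time

# Parameters stated in the post: PBKDF2 with SHA-256 on the server, a 256-bit
# (32-byte) per-user salt and 100,000 rounds.
HASH_NAME = "sha256"
SALT_BYTES = 32
SERVER_ROUNDS = 100_000
KEY_BYTES = 32
# The post only says a second PBKDF2 implementation will run in the client; the
# round count and the use of the e-mail address as salt below are assumptions.
CLIENT_ROUNDS_ASSUMED = 5_000


def client_derive(master_password: str, email: str, rounds: int = CLIENT_ROUNDS_ASSUMED) -> bytes:
    """Assumed client-side step: stretch the master password with the normalised
    e-mail as salt, so every device derives the same login credential without a
    server round trip and the raw master password never leaves the client."""
    return hashlib.pbkdf2_hmac(HASH_NAME, master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), rounds, dklen=KEY_BYTES)


def server_enroll(login_credential: bytes, rounds: int = SERVER_ROUNDS) -> dict:
    """Server-side step as described in the post: a fresh random 256-bit salt and
    PBKDF2-SHA256 over the credential. Only salt, rounds and verifier are stored;
    keeping the round count with the record lets the cost be raised later."""
    salt = os.urandom(SALT_BYTES)
    verifier = hashlib.pbkdf2_hmac(HASH_NAME, login_credential, salt, rounds, dklen=KEY_BYTES)
    return {"salt": salt, "rounds": rounds, "verifier": verifier}


def server_verify(record: dict, login_credential: bytes) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, login_credential, record["salt"],
                                    record["rounds"], dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, record["verifier"])


def seconds_per_guess(record: dict, trials: int = 3) -> float:
    """Measure what one verification costs on this machine. With the salt and hash
    table in hand, an attacker pays at least this much per candidate password per
    user; the salt also prevents amortising the work across users."""
    probe = b"\x00" * KEY_BYTES
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac(HASH_NAME, probe, record["salt"], record["rounds"], dklen=KEY_BYTES)
    return (time.perf_counter() - start) / trials


def dictionary_seconds(record: dict, dictionary_size: int) -> float:
    """Lower bound for a single-CPU dictionary run of the given size against one user."""
    return seconds_per_guess(record) * dictionary_size


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    cred = client_derive("correct horse battery staple", "user@example.com")
    rec = server_enroll(cred)
    print("verify ok:", server_verify(rec, cred))
    print("per guess: %.4f s" % seconds_per_guess(rec))
    print("1,000,000-word dictionary: %.0f s" % dictionary_seconds(rec, 1_000_000))
```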

For those of you who are curious: we don't have very much data indicating what potentially happened or what attack vector could have been used, and we are continuing to investigate. Our auditing found that our Asterisk phone server was more open to UDP than it needed to be, but we couldn't find any indications on the box itself of tampering; the database didn't show any changes escalating anyone to premium or administrator, and none of the log files give us much to go on.

We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.

Again, we apologize for the inconvenience caused and will continue to take every precaution in protecting user data.

The LastPass Team.


Update 1:

We're overloaded handling support, and the sheer load of password changes is slowing us down. We've implemented a way for you to verify your email and then not be immediately forced to change your password for that IP; access from any other IP will bring you back to email verification. You can now wait a few days if you know you'll be on the same IP, without loss of security, and given this overloading we think it's prudent to wait.

We're asking that, if you're not being asked to change your password, you hold off -- we're protecting everyone.
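An added example, not LastPass's code, modelling the login policy described in the main post (a previously used IP block, or email validation, before the forced change) together with the per-IP email verification of this update, the percentage rollout of the change step from Updates 2 and 7, and the strong-password opt-out of Update 5. The block sizes (/24 for IPv4, /64 for IPv6), the bucketing scheme and all field names are assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

# "IP block" is not given a size in the post; /24 for IPv4 and /64 for IPv6 are
# assumptions made for this example.
IPV4_PREFIX = 24
IPV6_PREFIX = 64


def ip_block(ip: str) -> str:
    """Map an address to the network block it is counted as coming from."""
    addr = ipaddress.ip_address(ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


@dataclass
class Account:
    email: str
    known_blocks: set = field(default_factory=set)  # blocks in the login history before the incident
    verified_ips: set = field(default_factory=set)  # exact IPs enabled through the e-mail link (Update 1)
    password_changed: bool = False                  # the lockdown ends once the master password is changed
    claimed_strong: bool = False                    # Update 5 opt-out: the user asserts a strong password


def locked_down(acct: Account) -> bool:
    """Accounts stay in the restricted mode until a change, or the opt-out."""
    return not (acct.password_changed or acct.claimed_strong)


def login_decision(acct: Account, ip: str) -> str:
    """'allow' from a previously used block or an e-mail-verified IP while locked
    down, 'verify_email' from anywhere else; once the lockdown is over, 'allow'.
    A guessed master password alone therefore does not open the account."""
    if not locked_down(acct):
        return "allow"
    if ip_block(ip) in acct.known_blocks or ip in acct.verified_ips:
        return "allow"
    return "verify_email"


def complete_email_verification(acct: Account, ip: str) -> None:
    """The user followed the link in the verification mail: enable this exact IP,
    so the forced change can wait until they move to a different IP."""
    acct.verified_ips.add(ip)


def in_change_rollout(email: str, percent: int) -> bool:
    """Stable bucketing by e-mail so a user's eligibility for the change step does
    not flicker as the percentage is raised while load falls (Updates 2 and 7)."""
    bucket = int.from_bytes(hashlib.sha256(email.lower().encode()).digest()[:2], "big") % 100
    return bucket < percent


def should_prompt_change(acct: Account, ip: str, rollout_percent: int, premium: bool = False) -> bool:
    """Prompt only users who got in, are still locked down and are inside the current
    rollout; premium users were admitted to the change step first (Update 7)."""
    if not locked_down(acct) or login_decision(acct, ip) != "allow":
        return False
    return premium or in_change_rollout(acct.email, rollout_percent)
```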

1,486 comments:

  1. Well I have done it, no more lastpass!!

    Now I'm relying on the only storage facility that is the best

    My Brain...

  2. Does any of you guys know if there is a way to close the lastpass account?

  3. I don't see what all the fuss is about. Everyone that uses LP should surely know it's only as good as the master password and that by having a weak password can potentially compromise all the passwords that LP stores for you, hence strong/long master password is better!

    Stop all the fuss and rants. If you used a weak master password then that's your own fault and not LP and you deserve this wake up call.

    As an aside I haven't had any problems with LP lately, was using it in offline mode yesterday and that's about the only issue, with the exception of not being able to change my master password due to server load, but since I have a strong password, I can wait to change it.

    Anyone got any thoughts on those who used the grid two factor authentication, are they less exposed, equally exposed do you think?

  4. That's what I would be interested in too.
    Is there anybody around that had a chance to log in?

  5. Why is it every time I login into lastpass within 5-10 seconds I get a red banner "your lastpass session appears to have expired please re-login"

    This is very frustrating, how do I force lastpass not to try and access your server, can I just tell it to be off-line, until you fix your problems?

    Please help very frustrated at the moment
    Max

  6. I get no prompt to change my password, and clicking on settings just results in an error that you are too busy.

    So how do I change my master password?

  7. So let me get this straight....Last pass was hacked and the obvious thing for me to do is change my master password, but you are preventing me from doing that.

    WTF is wrong with you people?

  8. "LastPass - The Last Password You'll Ever Need"
    I'll change it in "LastPass - The Best Morons Are in Its Team"

    2 days and still login problems.
    What kind of service is this that can't protect users' passwords!

    SHAME ON YOU!!!

  9. Still same error.. keeps telling me to change password, wont let me in!!!!

  10. Do you guys rely so faithfully on a closed-source encryption? You are fool. Even serious encryption systems (I am talking of programs such as OpenSSH and algorithms like RSA) suffered inconsistencies and errors. And algorithm code was under everyone's eyes.
    Now imagine using a closed source system developed by god-knows-who.
    Some parts of this project MUST BE open-source. Not the entire web site, not free. But open source, of course.

  11. Is there any reason why I can't log on to www.lastpass.com with firefox as it boots me out then says I need to log in again. If I try it in IE it works fine?

  12. So the first I know of this is I can't login when I reboot so I ask for a password reminder. Then I come here. Everything else apart, when I try and login on my machine I get

    "An error occurred while attempting to contact the server. Please check your Internet connection.
    login.php: invalidresponse: "

  13. @Alessandro said
    "Do you guys rely so faithfully on a closed-source encryption? You are fool."
    Lastpass uses 256 bit AES encryption. One of the oldest and most tested standards.
    It is the same standard used by the government.
    http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

  14. How do I change master password, keep getting message server too busy and this is since yesterday.

  15. I know that there have been a lot of posts, but this might be helpful to anyone creating a new password. I found it via Gizmo Richards' techsupportalert.com (Great site, best freeware list with excellent reviews of programs). This article gives you an idea of how weak your password may really be, in terms of time it will take to crack a similar password (hours vs. millions of years [literally]):

    http://www.baekdal.com/tips/password-security-usability

  16. "We've added the option for you to say that you know your master password is strong and to avoid password change, we apologize for not having that available when we announced."

    And what about those of us who responded early and are now locked out? Where is the option?

    "We've identified an issue with roughly .5% of users that impacted their master password change, and will be contacting you tomorrow rolling you back to before the change."

    I received an email stating that my password changed was rolled back. Nice, but utterly incomplete. My account is still stuck in the limbo of your password reset loop. Attempting to log in at your web site just sends me to the password reset page. Gawd, what incompetence.

  17. I finally got it working by following these steps

    tvtechgirl.blogspot.com/2011/05/fixing-lastpass-errors.html

    Hope this helps some of you

  18. This comment has been removed by the author.

  19. I know that there have been a lot of posts, but this might be helpful to anyone creating a new password. I found it via Gizmo Richards' techsupportalert.com (Great site, best freeware list with excellent reviews of programs). This article gives you an idea of how weak your password may really be, in terms of time it will take to crack a similar password (minutes vs. billions of years [literally]):

    http://www.baekdal.com/tips/password-security-usability

  20. I have some issues with the way that this issue was handled (i.e. people with strong passwords shouldn't have been forced to change them). But, I have no doubt that you all were trying to do what was in the user's interest and I continue to have a lot of faith in you all and your service and will continue to use Lastpass as my primary password management service.

  21. Well,

    I am still stuck here and I sent an email to support@lastpass.com but no reply. I can understand that LP is busy, but not having a well documented way to correct the situation is frustrating. For example what does offline mean? Turn off networking on my computer or LP has an option (I didn't see in the installed bits) that says work in offline. All I get (still) when I try to login to LP is that an error occurred. If this important, LP should consider adding an option to installed software an option that enabled offline mode and take corrective action.

    While I like LP and its convenience, it seems to me LP is not ready yet for cloud type environment - not functionally, but support wise and ability to handle massive outages. LP is perhaps not alone (as Amazon showed) but something it should ponder on seriously.

  22. Thank you so much (SARCASTIC THANK YOU!!), just as a measure of safety I spent the last hour changing my passwords pretty much...EVERYWHERE, this looked too good to be safe, so long lastpass and password managers, oh and also, thank you for helping me close so many accounts from sites I didn't even remember having accounts at.

  23. I emailed support last night to have my account rolled back. No reply from them, but my account appears to have been rolled back.

    Thanks!

  24. Currently, offline mode only seems to be working in FF4x32, in chrome & ie it logs me off with "session expired"
    (win7x64)

  25. Well.... I'm DONE with LastPass!!! This is unacceptable. I cannot login, I cannot delete my info, I cannot change my password... WTH!!!

  26. Yeah. My account rolled back, but NONE OF MY BOOKMARKS THAT I HAD TO RELOAD YESTERDAY WERE THERE. AGAIN, ALL CORRUPTED DATA. I had to IMPORT THE DAMNED THING AGAIN AND DELETE ALL CORRUPTED DATA. I had finally gotten it all working right yesterday, and I have to do it AGAIN today? With my old password? Sheesh.

    Lastpass, you guys have a nice idea regarding a place to put passwords, but when there's a security breach, you have no idea how to handle it and alert your customers.

    Very poorly handled.

  27. Ok, guys, this is getting ridiculous. I even can't login more than a minute from the IP, which I'm always using. I can't change my master password under account settings, even if I'm lucky enough to login via web (1 of 10 attempts are somewhat successful). I think that the explanation by LP is fine, but one thing worries me. If they say that the blobs are copied among password hashes and salts, then bad guys can bruteforce all this offsite and get our credit-card data etc even if we change our LP master passwords. Lastpass, please elaborate!

  28. I'm somewhat disappointed with the lack of communication about this issue. I went 3 or 4 hours yesterday with no idea why Lastpass wasn't working well, then I finally found this post after visiting the website to attempt to get to my vault. That being said, I don't fault anyone for this as it was obviously a situation that there are no protocols in place to handle.

    I would really love to see a "Lessons Learned" post after this is all over and done with. As a systems administrator myself, I'm thinking there is a lot of knowledge that you've gained from the situation that could benefit others.

  29. I realize that this service by its very nature attracts the paranoid, because trusting souls wouldn't bother -- but yo, whiners, READ THE BLOG before you whimper. As others have pointed out, if you want a strictly local solution, LastPass is not for you. If you want a central service, you might choose to be HAPPY that LastPass has now been tested, and is proving both quick to respond and transparent to inquiries.

  30. This comment has been removed by the author.

  31. I still cannot access my pages that are password protected without entering all information manually. Your re-enable fix does not work for the Safari browser. I can access my vault now, but have to manually insert login and password info from there to the appropriate web login pages.

    And I've been trying for 24 hours to change my master password but can't access the settings option to do so.

    This is getting a bit absurd. Please get your act together.

  32. Lastpass, the only password you wish everyone would forget. All a bit scary as I have a lot of info including private notes. Maybe a well known password site is just too much temptation to hack. Maybe I need to store my passwords offsite on my computer, any suggestions?

  33. I was under the impression that because all of my data was encrypted, that someone could walk out the doors with your DB servers and my data would still be safe.

    The weakness here appears to be with the master passwords (in some cases). Beyond a person compromising their own master pw or not using a strong pw, am I correct to assume those master pw's are still vulnerable?

    Wow, when this is over and the dust has settled the LastPass team better lock themselves in a room and conduct a thorough post-incident analysis of this.

    No offense, but I'm not certain if I can trust LP moving forward.

  34. I noticed problems yesterday.

    How do I know if I'm on the block IP list?

    I haven't been notified yet on re-setting my master password. I sent a support ticket in a few minutes ago.

  35. LP -- Appreciate the honesty and caution. Yes it is a pain, but security is always a pain.

  36. Lastpass automatic filling of username password does not work for Chrome. It does work in IE.

  37. @Ian Spencer

    If you have a good master password you are safe.

    Even so I have KeePass 2 as a back up system locally and I combine it with dropbox. That way I always have a fresh version of my password database on each of my computers and my smartphone. Works really well.

  38. Offline isn't working. Can't change master password. Wouldn't have even found out about the problem if it wasn't for Slashdot, because I have received absolutely no communication from your company. I just signed up for your premium service about a week ago, and now I feel like I've totally been taken. Thanks for nothing, LastPass.

  39. @Brian > Agree, I didn't find out about the Lastpass hacking until after hours of failed logins and unstable behavior, I went to Google and typed in "what the hell is wrong with Lastpass"

  40. I'm not sure about all of what's been said here. I only have one problem. When I sign into last pass my chrome browser does not automatically pull my passwords into the websites.

    Am I missing something? It worked yesterday morning.

  41. "We've added the option for you to say that you know your master password is strong and to avoid password change, we apologize for not having that available when we announced."

    Where do I find this option?

  42. @David James I'm facing the same thing.

  43. Initially I was quite worried by this, but if you do actually read up on what they are saying and how the system works it's actually fine, if you have a secure password.

    The real problem I guess is that the salt values were potentially exposed along with the hash results.. Maybe they should have been on a different server to the hashed results, which assuming the system detected the weird transfer early enough from one server could have automatically locked down the other server to prevent both parts going walkies.

  44. Please stop implying users with less-than-strong password are idiots and deserve to be hacked.

    IF THE SYSTEM WAS NOT ALLOWED TO BE HACKED AND THE EMAIL AND SALTED PASSWORD HASHES TAKEN, IT WOULD NOT BE AN ISSUE.

    Any hacked accounts are still ultimately the fault of LastPass.com and their poor choices of the externally hackable Asterisk server, its connection to the "secure" data store, etc.

    LastPass.com's handling of this has been proper, but it is ultimately THEIR fault.

  45. I appear to be up and running today. I downloaded Pocket and Mobile last night as backups on / from my home machine just in case. Looks like I won't be needing them but now I have a backup plan moving forward just in case.

  46. After reading Arthur P. Johnson's post above, I hope his account is the one that gets hacked, that would be funny.

  47. Hi LastPass.

    I would just like to say "thanks" to being paranoid with my data. I'm staying.

  48. Followed these instructions
    http://tvtechgirl.blogspot.com/2011/05/fixing-lastpass-errors.html

    All working now. Thanks to Mark and SpoilerGirl

  49. It's totally unacceptable that people can't change their master password due to Lastpass and their servers. Yet they still have the idiots defending them over this.

  50. Thank you guys for being so honest and cautious.

    You mentioned that you save a password hash and salt - are we talking MD5 here? Any plans to move to an AES algorithm? Or am I just crazy talkin'?

  51. I also thought Lastpass was claiming how secure the servers were because they used Amazon's servers or something like that. Obviously it's all lies. It shouldn't have been so easy for hackers to get any of this to piece it together.

    It's just as sickening they have people defending them over this.

  52. Andrew (LastPass Customer), May 6, 2011 at 10:20 AM

    While this news was initially very disturbing, I actually want to thank the LastPass team for being so proactive. I have worked at many websites who have identified "anomalies" and then basically just ignored them once the risk was identified as low, without ever informing their user base. I actually feel safer having seen LastPass respond this way to this situation.

    I do think this situation has brought to light a few areas for future improvement:
    1) Now that this has happened once, it might be a good idea to more formalize a process to allow users to change their master password if this ever happens again without bringing your site to a halt.
    2) An independent security review by a consulting firm might be a good idea. No one knows everything about security, and a second independent look would put a lot of people's fears at bay.
    3) I use the grid multi-factor authentication method, but was surprised to hear you say that this fact did not protect me from this risk. Is there a way to keep this data in a separate location from my account? In fact shouldn't the salted and hashed results also be separated?

    Overall, anyone who uses a password aggregator knows the risk involved. The convenience that LastPass offers me is worth the risk in my opinion. I just hope the back lash from this incident does not make the LastPass team gun shy to report the next incident when it happens.

  53. Thank you Lastpass for watching over my passwords. I had no idea what was going on, but was able to quickly read about the security breach and what was being done to correct the issues. I was unable to log into my sites for a brief time. It was a small price to pay to know that my information was still safe. I see a lot of people complaining. I commend Lastpass for acting quickly and locking it down to protect its users. I will always use Lastpass.

  54. Anonymous said...

    "I also thought Lastpass was claiming how secure the servers were because they used Amazons servers or something like that. Obviously its all lies. It shouldn't have been so easy for hackers to get any of this to piece it together."

    Can you not read? Who said they were hacked and if they were, what makes you think it was easy?

  55. TBH Arthur P. Johnson is bang on with his comment. All services of this nature will be tested at some point and I think the Lastpass team have handled this very well, all things considered.

  56. This comment has been removed by the author.

  57. It was inevitable that such high value targets like Lastpass would at some point be subjected to a hacking attempt, hence why everything is encrypted. Therefore strong master password = no worries. Yes it's a concern that hackers got in in the first place (how could that not be a concern?!), but that's exactly why it's encrypted and people should relax and stop hyperventilating.

    For me LP is working normally, albeit I cannot yet change my master password. But you know what? I can wait, I'm not in a rush to change it (but I will) as I know my master password is strong since it's the weakest point in all this.

    What i expect from LP in the aftermath of all this is a) more details about what they have uncovered b) more robust security, perhaps getting outside security experts in c) a clear protocol/procedure for this WHEN it happens again (it will almost definitely happen again, its just a matter of time, regardless of what additional security measures are now put in place). There should be better communication to users of a potential breach - this needs improved instead of finding it out via various tech news sites. And there should be clearer instructions/information for users.

    I for one am pleased LP owned up to this, and will continue to use/pay for LP.

    ReplyDelete
  58. Thank you for the transparency.

  59. When will we have access to our Account Settings? This is the second day I cannot make any changes to them, getting the message "We are overloaded right now. Try again in an hour."

  60. cannot change master password!
    overload error!
    help me!

  61. :-! I'm done with lastpass.

  62. For anyone else still having trouble, this worked for me -->> http://tvtechgirl.blogspot.com/2011/05/fixing-lastpass-errors.html

  63. 1) LastPass needs to stop congratulating itself on how well it has handled this incident. It has not handled it well.

    2) Get rid of the BLOG approach to handling this. The blog includes each iteration of thinking and possible actions...most of which don't work at the moment.

    3) Just post what people should do NOW. Most users probably haven't even heard of this issue yet; they certainly don't need a detailed history of yesterday's non-fixes.

    4) The blog and forum posts by LP are full of insider jargon and incomplete recommendations. I

    5) The "solution" has been far worse than the problem.

    6) Think about what the heck you're going to do next time...and it had better be very different. Start with not congratulating yourselves at every turn.

  64. To underscore my post above, LastPass has messages all over the internet in articles, on the LP Forums, and even in this blog that users must change their Master Password.

    But the latest instruction (Update 6) is that you are not allowed to change your Master Password at this time.

    What a horrible way to manage this issue. GET RID OF ALL THE OLD INSTRUCTIONS AND CLEARLY STATE THE CURRENT INSTRUCTIONS ONLY AT ANY GIVEN TIME.

  65. I wonder how many people haven't heard about this because LastPass STILL HASN'T SENT ANY OFFICIAL NOTIFICATION OUT! The mishandling of this is just mind-blowing.

  66. Thank you LastPass - for being up front about this incident. Even if it turns out to be nothing, I feel more confident that you guys take security seriously. Better safe than sorry.

  67. Dear Lastpass Team,

    I know you do all you can to fix this issue.
    I believe in your great service.

    Keep up the good work!
    Regards

  68. Why is this not more prominently placed on the front page? The main beef I had with the PSN breach was the way in which they tried to slide things under the table and hope no one noticed; you guys seem to be doing the same.

    Very disappointed, and likely will seek alternate ways of storing my passwords now.

  69. Exactly the reason why I have asked you to support more SmartCards and other security tokens. A lot safer that way. PKCS#11 support please. The card you support is not widely used.

  70. Thanks for not pulling a Sony on us guys. Hope everything works out fine. Keep up the good work!!!!

  71. When is this going to be sorted out? I haven't been able to get into any of my accounts for nearly three days now and I'm paying. One Time Password won't work even though it's a browser I've been using with it for nearly a year now. What can I do?

  72. Thanks for all the work on our behalf. Nothing, especially in the digital world, is perfect, but you're doing a great job at trying.

    Gizmo's Dad

  73. You guys are doing an outstanding job for having a "better safe than sorry" way of taking care of your suspicions. I hope the company can move forward with a better product and understanding in the future. Experience like this is priceless. And for those complaining, first off, are you paying or using the FREE service? My bet is that you are not. Secondly, this goes to show everyone that nothing is foolproof. Back up your data. If you have an option to do so, then do it, whatever it may be. I'll be sticking around. Good luck LP staff.

  74. Just wanted to say Thanks! for making the decision to force all users to change their master passwords. No-one wants to impact customers due to some internal problem or oversight, but often when a potential cyber-attack is found, this is the proper course of action. However, most companies do not choose this route simply because it will upset some customers. Bullshit - cyber-security is a COMBINED effort of supplier and demander. The security of the system is more important than either party, so I applaud LastPass for making the risky but correct decision to get end-users involved.

  75. This is ridiculous. I couldn't get to my online vault all day yesterday. Now I can get in but I can't do anything. I can't access my settings, I get a "sorry we're busy" message.

    LastPass says "We've added the option for you to say that you know your master password is strong" but they don't say where that option is.

    At least I was able to export my account and password information. I had to enter my master password to do that, and it was accepted. But I still can't log on to the site with it.

    This is totally FUBAR. Now that I have my account information, I'm going to uninstall LastPass.

    So glad I paid for a premium membership.

  76. What if you discovered today that your PC was infected with a key logger, which was removed by antivirus software on a routine scan?

  77. Looking forward to changing my password guys. I know you're working on it, but some status or ETA as to when we will be able to reset our master passwords would be appreciated.

    Thx.

  78. I am travelling for the next few days and won't have access to internet and assuming the worst case scenario, by the time I will be back online my LP account would have been compromised and hence all the other linked accounts. I cannot change my password at the moment 'cause LP has disabled the same for now. I can wait but there should be an option to disable/lock/suspend my account and require it to change password on next login attempt. Please update if this is gonna happen.

    I have complete faith in LP and believe that whatever LP's doing is in the best interest of its users.

    Thanks!

  79. The people that are moaning, what are you moaning for? Surely you still had access to your passwords in 'off-line' mode via the browser plugins? Was this not enough for your needs for the day? If you haven't been able to log on to the website, did you actually try the plugins for your browser? I had no problems with the plugins. Only when trying to change my master password did I get the server busy error.

  80. I STILL cannot enter the settings screen to change my password! WTF?

  81. Hello, although I appreciate the straightforward way that this was handled, I think it sucks that I needed to google an answer to why I couldn't log in to my account. I never got a prompt, just couldn't log in.

  82. @arpit
    '......by the time I will be back online my LP account would have been compromised and hence all the other linked accounts.'

    This will ONLY happen if you have a weak, dictionary based password. If it's strong, then you have nothing to worry about and change it when you get back, no big deal.

  83. I'm assuming if I have Sesame enabled that is safe as the data for the 2nd factor authentication is kept on my USB stick? Or is Yubi Key the only safe item at this moment in time?

  84. @b.dsign
    did you read the update 6 on this blog?! patience, you have nothing to fear if your password is decent enough.

  85. Ironically all we did is wait instead of running around with our arms in the air screaming "Danger Will Robinson" and LastPass is working just fine today for us. Guess it pays to be patient and have backups of the data so we were not without it.

  86. The people who are leaving LastPass because of this incident are the low hanging fruit, the idiots who don't understand how the product works, the morons who think a backup plan on their part isn't necessary, the retards who used a weak master password.

    GOOD RIDDANCE!

  87. *Sigh* I think the hackers have better access to my account than I do now =/ The lack of information is actually worse than the hack itself. Welcome to cloud services, we will take your money up front, and you can just deal with what we feel like giving you.

  88. "the people that are moaning, what are you moaning for?"

    We're moaning because the browser plugins aren't working for everybody.

  89. "The people who are leaving LastPass because of this incident are the low hanging fruit, the idiots who don't understand how the product works, the morons who think a backup plan on their part isn't necessary, the retards who used a weak master password." The morons who don't leave are the drones who don't understand the importance of holding companies accountable for their actions. Not being prepared to handle a data theft, when you are in the data protection business, is unacceptable. LastPass should feel the wrath of their customers so that they understand this is not acceptable. So I would submit that you are actually the low hanging fruit....the customers who will keep paying no matter how you are treated...but I would hazard a guess and say you probably aren't a paying customer anyways.

  90. Is Lastpass going to give credit for people that have the premium package?

    For instance our company uses a Yubikey alongside our master passwords to access our info so the odds of our data getting stolen are slim to none.

  91. My LastPass password is 25 random characters (letters, numbers and symbols), generated by a password manager. Do I have to change my password?

  92. "We're moaning because the browser plugins aren't working for everybody."

    And that would be the fault of YOUR setup. Not once during any of this was I left without access to my passwords.

  93. 'The morons who don't leave are the drones who don't understand the importance of holding companies accountable for their actions. '

    Yes LP is responsible for a breach on their servers, and this needs to be rectified with improved security. But your data is encrypted precisely in case this happened. No matter how good the security is, no matter what company it is, your details/info are only as good as the password YOU make. If your password is weak, then why the hell are you using LP, it's not gonna miraculously make you safe and you're a fool for thinking this. The weakest point with ANY encryption, no matter if it's truecrypt, Keepass, 1password etc etc is the master password and if people don't realise this, then they should just stick to what they have been doing previously because a site like Lastpass WILL be hacked again in the future, it's just a matter of time, so that they can target those with weak passwords.

  94. I know there is all kinds of craziness right now at the LastPass camp. But you guys are awesome. I have been using the free service for a while, but I am going to sign up for paid because I am so impressed with the candor and integrity of your business.

    So there are some issues right now, people freaking out about data. I have one secure password that I have to remember for lastpass's secure server. And thanks to that, I have lots of really really secure passwords I don't have to remember on many less secure systems. FTW.

    You all are doing a great job.

  95. 'Not once during any of this was I left without access to my passwords.'

    I second this! Not had any problems at all, didn't rush to change my master password because I know I have a strong password. Had access to all my passwords.

  96. "The morons who don't leave are the drones who don't understand the importance of holding companies accountable for their actions."

    LastPass has done a lot of things wrong with this incident, but they have also done a lot of things right. I fully agree with holding them accountable for their failings, but that does not mean I'm leaving.

    "In not being prepared to handle a data theft, when you are in the data protection business, is unacceptable."

    The fact that you find this unacceptable shows that your expectations are simply not aligned with reality. If you have any friends in Infosec, ask them to help you re-align your expectations.

    "So I would submit, that you are actually the low hanging fruit....the customers who will keep paying no matter how you are treated."

    Nothing that I said says that I will stay with LastPass no matter how I'm treated.

    "but I would hazard a guess and say you probably aren't a paying customer anyways"

    And you would be wrong again, just like the rest of your comment.

  97. No replies to my emails, this company sucks!!!
    It will be the end of lastpass.

  98. "Not once during any of this was I left without access to my passwords."

    And I third this!

  99. The grid, sesame or the yubikey helps protect your account online by requiring that 2nd physical authentication, but it's only an additional layer of protection. You can't use it in substitute for a strong password. A strong password is the first, and most important defense when guarding your Lastpass account, and frankly any account you own.

  100. "No replies to my emails, this company sucks!!!
    It will be the end of lastpass."

    WOW! Out of 1.2 million customers you must be that special one. I mean after all you and only you matter. Are you paying or are you like most of the other whiners a FREE loader? Just wondering why you are that special one, even if you are paying, that $12.00 is a big investment so I guess you are a shareholder.

  101. Could you post a walk through of how to eliminate LastGasp..er LastPass from my system so that it doesn't find my new passwords after I get done changing all of them individually? By the way, thanks for tasking me with this project and thanks for the worry, too.

    I really appreciate some smug tech punks making inflated claims about their abilities and jeopardizing my family assets. My mistake for trusting a bunch of wimps in rented cubicle space.

    At the end of the day (today) you guys produced the equivalent of an invasive and difficult to correct virus, and that with the potential for further harm.

    Take that mouse you have in your hand there, Skippy, and shove it up your ass.

  102. I would like to thank Yuusharo for being the consistent voice of reason in this blog. Man has patience to put up with the naysayers and not be an employee of Lastpass.

    I'm currently a free loader but next week I will be a fully paid member, after all of the turmoil settles down, as I believe in this product/service. (And I have 30 years of IT experience to help me believe)

  103. "So I would submit, that you are actually the low hanging fruit....the customers who will keep paying no matter how you are treated."

    I've paid for a premium membership for two years, and I absolutely will pay for a third. Lastpass is run by humans, and humans make mistakes. Just look at Microsoft, Google and Apple, and how even the big guys screw up every so often.

    In the end, my passwords, my data, are *MY* responsibility. Whether I use an offline password manager and figure out how to synchronize the data across all my devices myself, or I use Lastpass and maintain an offline backup of my vault every Sunday, I take great care to ensure that there is always a copy of my data on at least two different systems, one of which I control 100%.

    Everything that has happened with Lastpass today is nothing more than a sobering reminder that we continue to depend on cloud services more and more each day, but we should never rely upon them to always be around. Whether it's photos on Flickr, comments on Facebook, or passwords on Lastpass, you must always assume those cloud services will one day go down or even disappear. If your only copy of your data is stored on those services, that's no different than only storing them on your personal hard drive and having it die, leaving you with no data and no backups.

    So yes, Lastpass made a mistake - a temporary mistake that should remind all of its users to make regular backups of your own, personal data, and to utilize cloud services where it is appropriate. Never leave yourself in the dark.

  104. OK, Scott - at $12/year that works out at 3c per day multiplied by let's say 5 days = 15c. Hell you can come over to my place & I'll refund you if you are that hard up. PS I live in Cape Town, South Africa. Let me know if you need directions.

  105. ...that said, I think Lastpass should take a more active role in encouraging their users to make those regular backups. Perhaps schedule the plugin to give a little reminder every so often to back up to an encrypted XML, or even have one automatically emailed to each user once a week. Lastpass never has the key, but they do have the entire encrypted blob, and frankly that's all they should have.

    I hope to see improvements in the browser plugins regarding offline mode and the offline cache in the future, as well as some sort of automatic backup system for users. That way, *no one* will be left in the dark, and no one would even have to think about it.

  106. 'Could you post a walk through of how to eliminate LastGasp..er LastPass from my system so that it doesn't find my new passwords after I get done changing all of them individually? By the way, thanks for tasking me with this project and thanks for the worry, too.'

    if you need a walk through on how to uninstall a simple plugin and/or application on your computer, then you have no business using LP and don't understand the product at all.

    Your data IS ENCRYPTED. Does anyone want to post a definition of what that actually means?! If you had a decent password, then no matter what was taken (IF anything was taken!) you're fine, no need to worry, no need to change your password (but you probably should at some point). If you have a short or dictionary-based password then you should be worried. Makes me wonder if the people getting all hyped up on here were silly enough to have dictionary-based passwords......

  107. Got It!

    ENCRYPTED

    The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text.

  108. "At the end of the day (today) you guys produced the equivalent of an invasive and difficult to correct virus, and that with the potential for further harm."

    Oh anonymous, how your poignant remarks must make the developers cry. After all, they probably care so deeply about comments coming from people whose math skills and comprehension thereof consist of multiplication using the "ten finger" technique.

    Why don't you run along now to protect your vast assets you've been able to amass using your vast intellect. I mean, the bad guys could come after your food stamps (or, heaven forbid, your '86 Yugo).

  109. Too bad, can't trust it any more, have deleted my profile and gone back to managing my own security and data.
    Not being able to change my password quick enough is just not good enough.

  110. I remind everyone that this is just a precautionary move. It has never been determined that Lastpass was hacked.
    Even if it was, the amount of data we are talking about would equate to about 100 users' email and hash data. That is out of 1.2 million people!
    If you happen to be one of the 100, you need not worry unless you had a weak Master Password.
    Even though it is just a possibility and even though it is likely only a dozen or so users may be vulnerable, Lastpass has taken some pretty drastic steps to protect their data, knowing doing so would open themselves up to some pretty bad press.
    I call that impressive.

  111. People using the Yubikey with LastPass are also being forced into the offline mode when that is pointless.

  112. The only thing LastPass really did wrong was to treat their users like they had brains. A big corporation would've just kept it quiet (e.g. Sony) - as nothing of value was really lost here, and no-one's account was actually compromised. Hundreds of actual minor breaches and losses of data occur every day, and the public is never informed.

    If you want to worry about something, worry about the fact that there are banks that store your passwords in plain text on their ancient, patch-lagged servers, not about the potential loss of a few salted hashes, that are worthless by now (and due to their nature, were less than useless to begin with).

  113. How is anybody sure that the system is not compromised? Perhaps changing your master password is more dangerous than leaving it alone. The stolen passwords have to be cracked. If the intruders have rooted lastpass, any change to your password will be known to the perpetrators instantly.

  114. @Bob Armstrong: Nope, since only a salted hash of your password leaves your machine. The whole point of LastPass is that they don't store anything useful (and the only attack would be a very theoretical, and computationally intensive attack on the salted hash of the master password).

  115. "People using the Yubikey with LastPass are also being forced into the offline mode when that is pointless."

    So people with Yubikey should be able to add to the load of the servers and to hell with everybody else!

    The issue isn't really the breach but the load on the servers bringing it to its knees (everything needs to be rehashed while people change their passwords). This is equivalent to a natural disaster and everybody trying to use their cell phones at once bringing the cell towers down.

  116. Don't know if this has been asked: were password hints breached?

  117. For those that don't even know what the product they're using does:
    http://en.wikipedia.org/wiki/Encryption

    'In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).'

  118. hey... LP is back up for me... cool...

    cheers

  119. Anonymous said...

    "Don't know if this's been asked: Were password hints breached."

    It is not known if anything was breached. If it was, it doesn't matter, all the data on the servers is encrypted.

  120. @Yuusharo said...
    "The ... yubikey helps protect your account online by requiring that 2nd physical authentication, but it's only an additional layer of protection. ... A strong password is the first, and most important defense..."

    Yuusharo, honest query: if I have a yubikey, why do you think it matters how complex my password is? Even if I use 'dog' as my password, it doesn't matter how many times they try to log in with it without having the Yubikey.

    ---

    @Anonymous said...
    "It has never been determined that Lastpass was hacked. Even if it was, the amount of data we are talking about would equate to about 100 users email and hash data."

    Read it again: they have an unexplained anomaly which could have allowed ALL the hashed passwords and email addresses to be taken AS WELL AS less than 100 data blobs.

    ---

    @Yuusharo said...
    "Lastpass never has the key, but they do have the entire encrypted blob, and frankly that's all they should have."

    As I indicated before, and according to the CEO, they have: your unencrypted email address, your hashed password, a random encryption key unique to your account, the unencrypted URLs, and data blobs with your site usernames and passwords.

  121. I just want to tell you good luck. We're all counting on you.

  123. @Bob "How is anybody sure that the system is not compromised? Perhaps changing your master password is more dangerous than leaving it alone. The stolen passwords have to be cracked. If the intruders have rooted lastpass, any change to your password will be known to the perpetrators instantly."

    Lastpass does everything in its power to make sure that they *never* see your master password or decryption keys, and therefore can't store it anywhere. The only information they store is your local user-generated authentication token, which is made up of your email+master password hashed together, with that result then hashed again with your master password (super secure and irreversible), a remote-generated authentication token that's created on LP's servers when you create your account, and your encrypted password vault. None of this information reveals anything about your master password or the data inside, and none of it can possibly be used to decrypt any of your data. It is technically impossible for Lastpass or anybody else to decrypt your account without your password.

    We don't even know if anyone actually breached lastpass's security. All we know is an anomaly occurred, and LP was trying to be proactive just to be safe, even though it is technically impossible to steal your data. Remember: even if Lastpass itself is compromised, your data never is, nor can be. This is by design.

    So relax, wait a few days, then change your master password. Not because your data is in danger, but just out of good habit and practice.

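The split the comment above describes, as an added worked example in Python. This is not LastPass's code and the post does not give the product's real algorithms, iteration counts or cipher: the client hashes email+master password into a vault key, hashes that result again with the master password into a login token, and the server keeps only the email, the token and the encrypted blob. The key never leaves the client, so a copy of the server's store does not decrypt anything. The stream cipher is an HMAC-SHA256 counter-mode stand-in so the example runs on the standard library alone; names such as `derive_vault_key`, `derive_auth_token` and `Server` and the sample account are ours.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example (not LastPass code). Hash steps follow the commenter's
# description literally; a production design would use a slow KDF
# (e.g. hashlib.pbkdf2_hmac) with many iterations for both derivations.


def derive_vault_key(email: str, master: str) -> bytes:
    """Client-side only: hash(email + master) is the key that protects the vault."""
    return hashlib.sha256((email + master).encode()).digest()


def derive_auth_token(email: str, master: str) -> bytes:
    """Client-side: hash(vault_key + master) is the token sent to the server."""
    vault_key = derive_vault_key(email, master)
    return hashlib.sha256(vault_key + master.encode()).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode. Chosen so the example
    # needs no third-party library; it is unauthenticated and only illustrative.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_blob(vault_key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per encryption; blob = nonce || plaintext XOR keystream."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(vault_key + nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt_blob(vault_key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(vault_key + nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


class Server:
    """What the service stores per account: the auth token and the encrypted blob."""

    def __init__(self) -> None:
        self.accounts = {}

    def register(self, email: str, auth_token: bytes, blob: bytes) -> None:
        self.accounts[email] = {"auth": auth_token, "blob": blob}

    def login(self, email: str, auth_token: bytes) -> Optional[bytes]:
        """Constant-time token comparison; returns the blob on success."""
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct["auth"], auth_token):
            return None
        return acct["blob"]

    def stores_material(self, material: bytes) -> bool:
        """True if the byte string appears anywhere in what the server holds."""
        return any(material == a["auth"] or material in a["blob"]
                   for a in self.accounts.values())


def demo(email: str = "alice@example.com", master: str = "correct horse battery") -> dict:
    """Constructed sample account; returns the checks a reader would want to see."""
    secret = b"site=bank.example user=alice pw=Xk9-constructed"
    server = Server()
    key = derive_vault_key(email, master)
    token = derive_auth_token(email, master)
    server.register(email, token, encrypt_blob(key, secret))

    fetched = server.login(email, derive_auth_token(email, master))
    rejected = server.login(email, derive_auth_token(email, "wrong password"))
    return {
        "login_ok": fetched is not None,
        "wrong_pw_rejected": rejected is None,
        "decrypts": decrypt_blob(key, fetched) if fetched else None,
        "server_has_key": server.stores_material(key),  # the key is never stored
        "token_is_not_key": token != key,
    }


if __name__ == "__main__":
    print(demo())
```

Because the token is a hash of the key and the master password, possession of the server's copy does not yield the key; an attacker holding the store is back to guessing the master password offline, which is the point both this comment and comment 114 make about why master-password strength is what matters.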
  124. I am getting a "Your settings could not be updated" error after trying to reset the master password. I believe other users have encountered the same issue.

  125. Repeat after me: I WON'T PUT MY SENSITIVE DATA IN THE CLOUD ANYMORE.

    Repeat again...

  126. Guess you did not read the top of the page that says update #6:

    Currently we're not allowing users to change master passwords until our databases are completely caught up and we have resolved outstanding issues. We will update our users via the blog when it is possible to do so.

  127. Quote:

    "At the end of the day (today) you guys produced the equivalent of an invasive and difficult to correct virus, and that with the potential for further harm."

    Really? Let's see. I downloaded an app that was supposed to enhance security, lo and behold sometime thereafter it prevented me from doing some stuff on my computer and it was really difficult to get rid of. I had to change a lot of passworded accounts.

    Yup. I guess I agree.

  128. It's amusing that everyone is panicking and trying to change passwords immediately. That's what caused the whole thing to crash in the first place - now nobody can get into account settings. Good job, folks.

    And if you saved your bank and credit card logins and other highly secure logins on LastPass - you're doing it ALL wrong.

    Saving it in the cloud is convenient, but not 100% secure. You have to ALWAYS be ready for it to 1) get hacked 2) lose your data.

    That's just the nature of the web. You gain convenience, but lose security.

    Back up regularly, have a strong master password, and save crucial financial logins locally on Keepass.

    LastPass is still the best password service, and I trust them even more after how transparent they were with what was a 'potential' breach. Better to be paranoid than assume it was nothing and shove it under the rug. Well done.

  129. I wish you would have mentioned the potential security breach when you asked me to change passwords. I thought it was just a calendar-based prompt. Since I didn't recognize it as a problem, I opted to keep my old password. Had I known there was a perceived issue, I would have acted differently.

  130. How strong is a master keyword with a common word followed by two or three numbers? Is it necessary to change this? The LP security challenge ( https://lastpass.com/index.php?securitychallenge=1&fromwebsite=1&lpnorefresh=1 ) said it is 84% secure but other password checkers say it's critical.

    When will it be possible to change the master keyword? Is it a good idea to delete some critical Passwords (Amazon, eBay, ...)?

    A User from Germany

  131. "Repeat after me: I WON'T PUT MY SENSITIVE DATA IN THE CLOUD ANYMORE.

    Repeat again..."

    Nonsense... Repeat after me: Put your sensitive data anywhere but for heavens sake BACK IT UP!

  132. You all are idiots.

    Things on a server can always be hacked so don't store critical data on the internet.

  133. User from Germany,

    Should be sort of okay, but your best bet is to choose a password of at least 16 characters, as randomly as possible and include special characters as well. You may try to remember a sentence:

    "You miss 100 percent of the shots you never take.
    — Wayne Gretzky"

    As a password this would become:

    Ym100%otsynt.-WG

    Easy huh? And strong as can be!

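Why the two checkers the German user mentions (comment 130) disagree, and how the sentence-derived password suggested in reply scores, as an added example in Python. This is not the LastPass security challenge or any other real checker; it contrasts a character-set model, which scores a password from its length and the alphabets it uses, with a pattern-aware model that treats "common word followed by two or three digits" as the small guess space it is. `COMMON_WORDS`, the bit thresholds and the sample passwords are constructed for the example; a real checker would use a word list of tens of thousands of entries.

```python
import math
import re
import string

# Added example, not code from the page or from LastPass.
# Constructed toy dictionary standing in for a real word list.
COMMON_WORDS = frozenset(
    {"summer", "password", "welcome", "monkey", "dragon", "football", "berlin", "hamburg"}
)
WORD_THEN_DIGITS = re.compile(r"^([A-Za-z]+)(\d{1,4})$")
WEAK_BITS, STRONG_BITS = 40.0, 80.0  # assumed verdict thresholds, not a standard


def naive_bits(password: str) -> float:
    """Character-set model: length * log2(size of the alphabets actually used).
    This is the kind of estimate that reports a word+digits password as mostly secure."""
    if not password:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet)


def pattern_bits(password: str) -> float:
    """Pattern-aware model: a dictionary word followed by N digits is one guess out of
    len(words) * 3 case forms (lower/Capitalised/UPPER) * 10**N, regardless of how
    long the word is. Passwords that do not match the pattern fall back to naive_bits."""
    m = WORD_THEN_DIGITS.match(password)
    if m and m.group(1).lower() in COMMON_WORDS:
        digits = m.group(2)
        return math.log2(len(COMMON_WORDS) * 3 * 10 ** len(digits))
    return naive_bits(password)


def assess(password: str) -> dict:
    """Score under both models; the verdict follows the lower (pessimistic) estimate,
    and checkers_disagree flags the case the German user ran into."""
    naive, aware = naive_bits(password), pattern_bits(password)
    worst = min(naive, aware)
    if worst < WEAK_BITS:
        verdict = "weak"
    elif worst < STRONG_BITS:
        verdict = "fair"
    else:
        verdict = "strong"
    return {
        "naive_bits": round(naive, 1),
        "pattern_bits": round(aware, 1),
        "checkers_disagree": naive - aware > 10,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed samples: the word+digits shape from comment 130 and the
    # sentence-derived password from the reply above.
    for pw in ("summer123", "Summer2011", "Ym100%otsynt.-WG"):
        print(pw, assess(pw))
```

The word+digits password looks like 46 bits to the character-set model but only about 15 bits once the pattern is recognised, which is the gap between "84% secure" and "critical". The sentence-derived password matches no dictionary pattern, so both models agree on it, which is what makes the mnemonic in the reply worthwhile.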
  134. "You all are idiots.

    Things on a server can always be hacked so don't store critical data on the internet."

    Right, and your computer at home is safe as can be huh? Now who is an idiot?

  135. @SecGuy "Nope, since only a salted hash of your password leaves your machine. The whole point of LastPass is that they don't store anything useful (and the only attack would be a very theoretical, and computationally intensive attack on the salted hash of the master password)"

    Nope, if LastPass was somehow rooted and compromised, a change to the code on the website would allow a hacker to harvest the user's password when he types it in. If their server is that compromised, then it would be more of a risk to change your password than to leave it as it was.

  136. This is getting old! When are you guys going to fix this crap!

  137. "you all are idiots.

    things on server can always be hacked so don't store critical data on the internet"

    That's the whole point - when using LastPass, no-one is putting sensitive data on the internet. We're handing LP's servers blobs of useless entropy, not passwords, usernames or anything else in a readable form.

    But that is beyond most people's comprehension, judging by the comments to this post.

  138. @Anonymous
    "Nope, if LastPass was somehow rooted and compromised, a change to the code on the website would allow a hacker to harvest the user's password when he types it in. If their server is that compromised, then it would be more of a risk to change your password than to leave it as it was."

    Nope, since the Lastpass people obviously know there has been a problem, I seriously doubt that they would not detect this or just leave a rooted server running.
    Nor would they advise a password change.

  139. Hi,

    I just was able to reset my password. The password reset took place successfully. Now when I login, none of my uid & passwords are in place. I just see the url of all the sites that I had used LM.

    What is going on? Where is my uid & password?

  140. "Nope, if LastPass was somehow rooted and compromised, a change to the code on the website would allow a hacker to harvest the user's password when he types it in. If their server is that compromised, then it would be more of a risk to change your password than to leave it as it was"

    I'm just going to quote Yuusharo, since blogger doesn't have a nifty way to link to a comment:

    Lastpass does everything in its power to make sure that they *never* see your master password or decryption keys, and therefore can't store it anywhere. The only information they store is your local user-generated authentication token, which is made up of your email+master password hashed together, then takes that result and hashes it again with your master password (super secure and irreversible), a remote-generated authentication token that's created on LP's servers when you create your account, and your encrypted password vault. None of this information reveals anything about your master password or the data inside, and none of it can possibly be used to decrypt any of your data. It is technically impossible for Lastpass or anybody else to decrypt your account without your password.

    We don't even know if anyone actually breached lastpass's security. All we know is an anomaly occurred, and LP was trying to be proactive just to be safe, even though it is technically impossible to steal your data. Remember: even if Lastpass itself is compromised, your data never is, nor can be. This is by design.

    So relax, wait a few days, then change your master password. Not because your data is in danger, but just out of good habit and practice.

  141. @Anonymous
    "I just was able to reset my password. The password reset took place successfully. Now when I login, none of my uid & passwords are in place. I just see the url of all the sites that I had used LM."

    Try clicking on the lastpass icon and go to "tools/clear local cache". Log off and log back in.
    That may help

  142. --Bob said "How is anybody sure that the system is not compromised? Perhaps changing your master password is more dangerous than leaving it alone."
    --then Yuusharo said "Lastpass does everything in its power to make sure that they *never* see your master password"

    True enough, but if they have been hacked then this may not be true.

    You can enter your password into the login form on their web page, so if they've been hacked then the hackers could simply steal it from that form instead of hashing it before sending it.

  143. @Yuusharo "Remember: even if Lastpass itself is compromised, your data never is, nor can be. This is by design."

    unless they crack your password in which case they can just log in as you or decode your data blob if they have it

  144. "True enough, but if they have been hacked then this may not be true.

    You can enter your password into the login form on their web page, so if they've been hacked then the hackers could simply steal it from that form instead of hashing it before sending it."

    Assuming one actually went and logged in on their site (instead of doing it on the browser plugin), you do have a point.

    But that kind of a modification on their server would be painfully obvious (since the actual LP authentication mechanism would need to be replaced with a plain, dumb login form and a way to harvest the input), in which case they would just take the site down. A more subtle, ultra-sophisticated, non-intrusive rootkit would only be able to harvest the useless junk we feed the servers. :)

  145. '@Yuusharo "Remember: even if Lastpass itself is compromised, your data never is, nor can be. This is by design."

    unless they crack your password in which case they can just log in as you or decode your data blob if they have it'

    which if you had a strong password you wouldn't need to worry about!

  146. WTH!?? I changed my password and now ALL of my data is gone and there are foreign characters in my profile! This is total bull crap. Why should I pay for a service that dumps my data? I can't access a ton of sites which I used LastPass to generate my password. I am pissed!

  147. @b.dsign

    " WTH!?? I changed my password and now ALL of my data is gone and there are foreign characters in my profile! This is total bull crap. Why should I pay for a service that dumps my data? I can't access a ton of sites which I used LastPass to generate my password. I am pissed!"

    Calm down and clear your local cache, then log out and back in. That should fix your problem.

  148. Another fake security site.

    What's new?

  149. Dear LastPass,

    Just a thought. When users are selecting their password, run it through a simple algorithm to determine its strength. If it is a simple, easily guessed password then give the user two options. Electronically acknowledge that the password is weak and puts them at risk or advise them to select a stronger password to ensure security. The user in this way is educated about proper password selection but is still free to choose an idiotic password and make an informed decision to assume the risk.

  150. @Anon

    "Another fake security site"

    Priceless!

  151. '@Anon

    "Another fake security site"

    Priceless!'

    Only if one lacks a brain.

  152. My LastPass isn't doing anything. On any page that previously automatically logged me in, I have to type my information... why?.......... It says I'm logged in in google chrome... so what's the deal?...

  153. This is ridiculous, you have a breach and we can't even get in and change our passwords. You guys couldn't have handled this situation any worse. As soon as you come back online I'm deleting my account and moving to a competitor.

  154. I am back and running, except I am unable to change my password or any settings.

  155. I must enter my password with each browsing session to log in. I know that this is a very basic question but is this to be expected at this time. Otherwise, I am having no problems. PS I still have my old password. Thanks

  156. Quote: "I must enter my password with each browsing session to log in. I know that this is a very basic question but is this to be expected at this time."

    I have exactly the same question!

  157. Update 5 says there is a way "to say that you know your master password is strong and to avoid password change." How?

  158. announcing this news knowing it consequences.. makes me continuing using LastPass..

  159. I received an email back from last pass support with a link that took me to a page to "re-enable pass account" and one of the two choices said the following "If you feel that you have a very strong current master password, and do not want to change it and acknowledge and accept the risks, click here." I do not know if this is helpful to you.

  160. Everything seems to be working fine again. I had to logout of my offline access and just re-login to the plugin again. I went to Facebook and it auto-filled my details so I am very happy to have you guys working again, makes browsing of my daily sites that much more easier.. I have a good master pass but I think I'll change it anyways just to take the extra pre-caution.

  161. I can't even get into my email. this is a disaster.

  162. Lp was supposed to be THE most secure site on the web for me. By the very definition of its purpose. In security, slight doubt = total compromise.
    Luckily I was never tempted to store bank and email.
    Now I store nothing, I'm out of here.

  163. Please answer this that someone asked already:
    I thought the whole point of LastPass was that even if hackers were able to obtain bits of information regarding your account, none of it would be even legible. The passwords are encrypted, the information is encrypted, and LastPass even boasts that they don't keep our password stored on their server in any identifiable way. So why force a mandatory change of password when the system itself should protect us against attack?

  164. "In security, slight doubt = total compromise."

    Only if you really don't understand the maths involved. There is no such thing as a "safe page on the web". You must assume that whatever is stored on the cloud WILL be compromised at some point. The point is that it doesn't matter. There's nothing there but useless junk.

    LastPass should've worded things differently, because most people can't fit anything more complex than 1+1 into their heads. But because they are honest and DO understand the maths involved, they will tell you that there's a chance (a supercomputer mined rainbow table, one-in-a-trillion kind of chance) of breaking the hash of an idiotic password like "dog". Which, again, would yield the cracker _nothing_ because the blobs weren't compromised. And people go nuts.

    Perhaps this will serve as an Internet literacy test. If you now want to go ahead and delete your account, you really shouldn't be on the Internet in the first place.

  165. I am a premium user and STILL can't change my password. Update 7 seemed to indicate that this should be resolved now. I clearly appreciate the overly cautious approach of trying to protect our account, but it sure looks like this was also an interesting learning experience for everyone at LastPass. How about increasing server capacity so the next time around you won't have such a mess on your hands?!

  166. "Please answer this that someone asked already:
    I thought the whole point of LastPass was that even if hackers were able to obtain bits of information regarding your account, none of it would be even legible. The passwords are encrypted, the information is encrypted, and LastPass even boasts that they don't keep our password stored on their server in any identifiable way. So why force a mandatory change of password when the system itself should protect us against attack?"

    All the data is encrypted but even the strongest encryption is only as strong as the password that protects it.
    LP is doing all this for the users who had weak master passwords.
    And it is strictly a "just in case" scenario.

  167. I was fortunate none of my bank and other important login/passwords were on Lastpass. It's just a matter of time before most sites will be hacked.

    As we speak, little devils are trying their best to do hacking over the world.

  168. This PC country has got to hand out severe penalties for hackers, like 25 years in prison instead of some bleeding heart judge giving a slap on the hand.

  169. This site will help you ensure a good strong password.

    http://www.passwordmeter.com/

  170. Someone wrote: "You may try to remember a sentence:

    "You miss 100 percent of the shots you never take. — Wayne Gretzky"

    As a password this would become: Ym100%otsynt.-WG "

    Just don't mumble the sentence or move your lips while saying it in your head as you type each letter in!!

  171. Just a note to say thanks, LastPass, for the way you're handling this. Joe mentioned that they "might have overthought it a bit" or perhaps they were being "paranoid", but for my money, those two responses are EXACTLY what I want from the people I trust to guard my security online. Couldn't ask for a more open, honest, and thorough response.

    Also, to echo what others have said, it might not be a bad idea to keep that critical email password in your memory banks as well, which is trivial, really. Who among us can't remember two passwords? If you can't, then I suggest you have bigger fish to fry than managing your passwords...

    In short, thanks for the good work, lp!

  172. I am a premium user.. I cannot get into my account for 2 days: "sorry we're busy right now". WTF

  173. You guys suck, get me into my account!!!!!!!!!! I pay for this????

  174. I am confirming I have updated Master password. I have logged on/off twice. It works.
    I salute you for being proactive and honest but please do not let this happen again...

  175. I have been unable to login to lastpass for 2+ days now. For those who have blamed the users for causing the flood of traffic, you are displaying ignorance of the facts here. Lastpass forced all users, initially, to immediately change their passwords, which ultimately put us in the unfortunate position we are in now. Lastpass, and only Lastpass, is responsible for the mess this has become. I will certainly cancel my account and determine a new password management approach after this fiasco is finally over.

  176. I had some issues logging in, but downloaded the LastPass Pocket software, as advised on HERE and that allowed me access to all my sites, I will keep this as a backup now. That let YOU get on with doing what you needed to and I see things are on their way back up.

    People, please understand there are no INSTANT solutions, LastPass are working HARD to PROTECT your data, look at other LARGER companies like Sony, that did not do that, is that what you prefer, your data in other peoples hands, or a secure system, your data protected...ok there is a delay...ok yes that is inconvenient...but lay off the people at LastPass, they had YOUR best interests at heart when they took the action they took.

    All of us are learning something here I am sure, LastPass will handle this much better next time, we all learn from bad things and no doubt WE will handle things better next time, maybe we were TOO reliant on it JUST WORKING. Cut them some slack.

    Go get that Pocket software as it gives you access to all your passwords and data, as it is already backed up (encrypted) on your machine. You need NEVER be without your data ever again, no matter what issue happens at LastPass. Makes sense no?

  177. @Anon "Lp was supposed to be THE most secure site on the web for me. By the very definition of its purpose. In security, slight doubt = total compromise.
    Luckily I was never tempted to store bank and email.
    Now I store nothing, I'm out of here."

    Users need to understand what has happened here, and what may or may not have been compromised. Assuming the worst, someone *may* have figured a way into Lastpass's system and *may* have downloaded some data. What is it that they could have possibly taken? Well, let's take a look at what Lastpass has:

    --Your email address, which is public by nature.

    --Your authentication token generated by taking your locally-stored decryption key, which is your email and master password hashed, and then hashing that result with your master password again.

    --Your authentication ID, which is randomly generated when you create your account

    --Your encrypted vault

    Now, as you can see, Lastpass isn't even able to identify you without presenting the correct master password, which goes through several irreversible hashes, and even then, all you're given is your encrypted blob, which can only be decrypted locally by your machine.

    By its very nature, Lastpass ensures that even if bad guys got 100% full physical possession of ALL of the data they store, virtually ZERO of it is of use to anyone, since it's impossible to match any single encrypted blob to any one user account if you don't know the master password. Even if they could somehow match the data, which they can't, there's no way to decrypt the information since they don't have the keys.

    In other words, your data is completely safe. The system is designed in such a way so that Lastpass doesn't even trust itself. This is about as secure of cloud computing as you can get, perhaps computing in general. It's safe, secure, offsite, and compatible with just about every browser, OS and device on the planet.

    ...I really wish these guys would pay me, lol. Only joking. =)

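Yuusharo's description (comments 140 and 177) of what the server holds, worked through as an added Python example rather than LastPass's own code: the client derives a local key and a separate login token from email and master password, and the server stores only the token, a random auth ID and the already-encrypted blob. SHA-256 as the hash, the concatenation order, the SHA-256 keystream XOR standing in for the real vault cipher, and the account data are all assumptions.

```python
"""Client/server split of the LastPass-style design the comments describe.

Added illustration, not LastPass code. Assumptions: SHA-256 as the hash (the
comments name none), '+' as plain concatenation, an XOR keystream as a
stand-in for the real vault cipher, and a constructed email/password pair.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional


def local_key(email: str, master_password: str) -> bytes:
    """Decryption key = hash(email + master password). Never leaves the client."""
    return hashlib.sha256((email + master_password).encode()).digest()


def auth_token(email: str, master_password: str) -> bytes:
    """Login token = hash(local key + master password). The only secret-derived
    value the server ever sees; one-way, so it cannot be turned back into the key."""
    key = local_key(email, master_password)
    return hashlib.sha256(key + master_password.encode()).digest()


def vault_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for the vault cipher (assumption, not LastPass's AES):
    XOR with a SHA-256 keystream. Same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


class Server:
    """Holds only what comment 177 lists: email, auth token, random auth ID and
    the encrypted vault. No master password, no local key."""

    def __init__(self) -> None:
        self.accounts: dict = {}

    def create_account(self, email: str, token: bytes, blob: bytes) -> str:
        auth_id = secrets.token_hex(16)  # randomly generated server-side at signup
        self.accounts[email] = {"token": token, "auth_id": auth_id, "vault": blob}
        return auth_id

    def login(self, email: str, token: bytes) -> Optional[bytes]:
        """Constant-time token check; returns the encrypted blob or None."""
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct["token"], token):
            return None
        return acct["vault"]


def client_signup(server: Server, email: str, master_password: str, vault: bytes) -> str:
    """Encrypt locally, then send only the token and the ciphertext."""
    blob = vault_crypt(local_key(email, master_password), vault)
    return server.create_account(email, auth_token(email, master_password), blob)


def client_login(server: Server, email: str, master_password: str) -> Optional[bytes]:
    """Decrypted vault, or None if the server rejected the token."""
    blob = server.login(email, auth_token(email, master_password))
    if blob is None:
        return None
    return vault_crypt(local_key(email, master_password), blob)


def server_holds_secret(server: Server, email: str, master_password: str, vault: bytes) -> bool:
    """Does anything stored server-side contain the password, key or plaintext?"""
    acct = server.accounts[email]
    stored = acct["token"] + acct["vault"] + acct["auth_id"].encode()
    secrets_ = (master_password.encode(), local_key(email, master_password), vault)
    return any(s in stored for s in secrets_)


if __name__ == "__main__":
    srv = Server()
    # Constructed sample account and vault contents.
    client_signup(srv, "user@example.com", "correct horse", b"amazon.com: hunter2")
    print(client_login(srv, "user@example.com", "correct horse"))  # the vault
    print(client_login(srv, "user@example.com", "wrong password"))  # None
```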
  178. It just proves how apparently easy it is for the hackers to get into the Lastpass servers. Despite everything Lastpass claimed in the past.

    And how do we know they aren't just downplaying it now, and it's actually much worse?

    It doesn't matter whether you have a good password or not, you would still want to change it.

  179. Using FFox got "error has been encountered when trying to load sites" when trying to login using mouse on screen keyboard but works/opens vault if i type password using computer keyboard or use my Kaspersky virtual keyboard.

  180. completely screwed by last pass awesome, I have to verify by proving ownership of an e-mail address which has the password stored in last pass..... awesome so now I have no access to anything at all... and no ability to prove it's my own account oh and you respond to my tech support request through my e-mail.... which I can't get into to receive the reply to tell me how to fix my account.... awesome....

  181. ALL of YOUR data is stored at LastPass in an encrypted form, even LastPass cannot access it. No one has stolen ANYONE'S data. Even if they got the files, they would not get access to the information inside as I understand it is encrypted twice making it as far as anyone can say, unbreakable by current methods of cracking. Don't let people lie to you. The untruths on this posting are ridiculous.

  182. Update 7

    "Everyone should be able to login (after verifying your email if you are coming from a new IP)."

    Really? First you attempt to force a master password change and now you have an IP hoop. God, I wish you folks would get a clue.

    "Please note that there is no risk in waiting if you can deal with verifying by email when you use a computer at a new place (IP)."

    Damn, I'll verify the email as much as you want. Exactly how do I initiate that process? Where is the link?

    This afternoon I received a response to my support ticket. It states:

    "Please try to login again and let us know if you're still unsuccessful. Currently we're not allowing master password changes until we can get our servers fully operational and back online."

    You may not be allowing password changes, but you're still forcing it.

    My additional info to that ticket:

    Less than one minute ago I started Firefox 4. I was prompted by the LP plugin to enter my password. I entered my original password. LP then redirected me to the change password page on your site.

    That's it. That's as far as I get. Are you folks even reading these tickets?

    Pitiful. Absolutely, utterly pitiful.

  183. If it was so secure as Yuusharo is claiming, they wouldn't have been worried about it.

  184. @Anon "completely screwed by last pass awesome, I have to verify by proving ownership of an e-mail address which has the password stored in last pass..... awesome so now I have no access to anything at all... and no ability to prove it's my own account oh and you respond to my tech support request through my e-mail.... which I can't get into to receive the reply to tell me how to fix my account.... awesome...."

    Lastpass has a record of previous IPs which you have used in the past. Try logging in from home or work, where ever you normally use Lastpass. You can also log in with a one-time-password, if you have generated any.

    As far as your email, I believe almost every email system has a password reset option. They usually ask you to answer a secret question or they send a reset link to an alternate email address you've setup in the past.

    In the future, it would be wise to keep a copy of your passwords, especially critical ones like email, stored securely elsewhere. You can use tools like Lastpass Pocket to create offline backups of your vault, or something as simple as writing it on a post-it note and keeping it at home in a locked box.

    Remember what you're trying to accomplish, here. You *always* want to have a backup strategy with any kind of password manager. If you store all of your passwords in an offline password manager and something happens to that machine, you're SOL if you don't make regular backups anyway.

  185. @Anon "If it was so secure as Yuusharo is claiming, they wouldn't have been worried about it."

    Frankly, I wish more companies were as paranoid as Lastpass. Sony takes 6 days of silence before alerting their users of potential identity theft, 6 precious days they could have spent calling their banks and be put on alert. A bank I used to use informed me by snail mail about a potential breach that took place nearly 2 months earlier from a store I used my card in, and didn't bother to send an email or a phone call to warn me about it.

    Lastpass's system is secure by its design, but by relying on good practice and habit, they're not taking chances. They're looking out for *you,* by being as open and honest as they can be. I trust them as much today as I ever have in the past. I just hope in the future they'll have the benefit of experience behind them so that they can handle situations like this much more gracefully.

    ...besides, it's a good idea to be reminded to change your passwords every so often anyway. Why not?

  186. I changed my master PW with no issues today. Also have had no issues using LP in the last day other than not being able to login to the server to share or change my PW yesterday. Today is fine.

    The risk is for people without strong master passwords, which is stupid to begin with.

  187. LastPass assumes that it will be hacked eventually. If this was a hack, it won't be the last. The beauty of the system is that it is completely safe and secure IF IT IS USED CORRECTLY. If all the data was stolen from LP servers, it still wouldn't be of any use (unless someone happens to use 'PASSWORD' as their password, for example). The fact that LP is trying to bend over backwards to help protect users who DID NOT FOLLOW INSTRUCTIONS when they created their accounts and used WEAK passwords is to their credit.

  188. @Meshach "The risk is for people without strong master passwords..."

    By the way, that is true all the time, not just today. Assuming everything else is done correctly, the one vulnerability that will always exist is guessing the password. If you use "dog" as your master password, your account is at risk just by a simple dictionary attack.

    Besides, you couldn't tell who had strong or weak passwords since everything is so heavily hashed with salt anyway. And again, without the keys, any data obtained would be useless, pseudo-random noise.

  189. I can't change my master password in the http vault, damn it this is getting annoying as hell

  190. Joel: "This is ridiculous, you have a breach and we can't even get in and change our passwords. You guys couldn't have handled this situation any worse."

    The worst they could have handled this situation was to not tell you about it at all. What do you think would have happened if they didn't tell you at all?

  191. Everybody freaking out needs to calm down. Lastpass did you a favor by informing you of this small anomaly. Kudos to them.

    As far as your data is concerned, it's almost certainly still safe given the design of the lastpass system. Stop freaking out. Take a chill pill. relax.

  192. only allowing the "paying" customers to change their passwords first? LOL that is absolutely pathetic. that's like saying "oh well since you didn't pay, we will let you take more of a risk getting hacked first!" UNREAL! AFTER THIS I'M DONE

  193. I hate that expression "kudos".

  194. @LastPassFail -- _No one_ is any unsafer by not changing your password -- we still lock you down to previous IPs, we needed a small group to start with and it seemed appropriate, we're starting to expand the pool more now.

  195. Joe, all the best :) Is there a reason why the Chrome browser keeps telling me to purchase LP and not show any passwords?
    I found a workaround: Tools - Refresh Sites, after which it will inform me it can't log me in. After which I manually click LogIn and there I am... not a major concern, just a minor nuisance.

    I'll be patiently waiting till all the dust is settled, it'll get better I know :)

    We just moan because we care.

  196. If the data is so amazingly safe as Yuusharo keeps trying to convince everyone, why do we need to change our password, EVER? Honest question, not bait. Someone has to be confused here as Yuusharo's comments don't match LP's suggestion to change our password. And it also doesn't match Joe's note that locking down the IP addresses is in any way a good thing.

  197. @LastPassFail -- "UNREAL! AFTER THIS IM DONE" "allowing the "paying" customers to change their passwords first?"

    What a loss, an un-paying customer going to take his bitching elsewhere.

    @Sophia-- "We just moan because we care."

    We just moan because we CAN. (fixed it)

    @Joe Siegrist -- I think you owe Yuusharo a lifetime membership for being the continuous voice of reason.

  198. "If the data is so amazingly safe as Yuusharo keeps trying to convince everyone"

    called best practice, as using a good password in the first place

  199. @Sophia-- "We just moan because we care."

    We just moan because we CAN. (fixed it)

    --- Too funny! I didn't want to say it :)

    @Joe Siegrist -- I think you owe Yuusharo a lifetime membership for being the continuous voice of reason.

    --- Seconded!
