News LastPass user panic over possible server breach

Discussion in 'Article Discussion' started by arcticstoat, 9 May 2011.

  1. arcticstoat

    arcticstoat Minimodder

    Joined:
    19 May 2004
    Posts:
    917
    Likes Received:
    21
  2. mclean007

    mclean007 Officious Bystander

    Joined:
    22 May 2003
    Posts:
    2,035
    Likes Received:
    15
    I use a password manager. It's called my brain and I keep all my passwords there. Of course that's not too hard when my password is "PASSWORD" for every site I use.

    For anyone who missed the sarcasm above, just for the record I was kidding :D
     
  3. SlowMotionSuicide

    SlowMotionSuicide Come Hell or High Water

    Joined:
    16 May 2009
    Posts:
    835
    Likes Received:
    20
    TBH all these security breaches lately have made me a bit hopeless. Only a few weeks ago I received an e-mail from Play.com that their account security had been breached. Then the PSN episode, and now this.

    What should an honest consumer do, set up a fake ID for every online purchase since no one seems to be able to keep crackers at bay? I'm kinda tired of continuous credit card reroll.
     
  4. Kiytan

    Kiytan Shiny

    Joined:
    2 Jul 2009
    Posts:
    971
    Likes Received:
    23
    Seems everywhere is getting hacked recently. At least they dealt with it in a proper way though, unlike Sony.
     
  5. Dr_Frankenstein

    Dr_Frankenstein What's a Dremel?

    Joined:
    5 Aug 2005
    Posts:
    8
    Likes Received:
    0
    I wouldn't store any passwords online; keep a locally encrypted version if you can't remember them all. I use 'KeePass'.
     
  6. Zurechial

    Zurechial Elitist

    Joined:
    21 Mar 2007
    Posts:
    2,045
    Likes Received:
    99
    This.

    I would never trust an online password storage service. Locally-stored secure Keepass databases are a much better idea I think.
     
  7. Mechh69

    Mechh69 I think we can make that fit

    Joined:
    16 Sep 2009
    Posts:
    1,298
    Likes Received:
    59
    I use a spreadsheet that is secured within TrueCrypt. Hack that one.
     
  8. radziecki

    radziecki What's a Dremel?

    Joined:
    24 Mar 2006
    Posts:
    42
    Likes Received:
    19
    Guys, two tips:
    a) Use top-up electronic-use-only cards and not your regular credit/debit card. You only fill up the account when you need to purchase something.
    b) DO NOT store any card data online, if possible. Use software like PasswordSafe to keep the crucial data handy at all times.

    Worked for me for the last couple of years...
     
  9. Lowsidex2

    Lowsidex2 Minimodder

    Joined:
    29 Sep 2003
    Posts:
    247
    Likes Received:
    44
    Pen and paper is my password storage system. I'm infinitely less worried about someone breaking into my home and happening across my cheat sheet than I am about someone hacking a distant server or even my local machine with that file labeled 'passwords'.
     
  10. SlowMotionSuicide

    SlowMotionSuicide Come Hell or High Water

    Joined:
    16 May 2009
    Posts:
    835
    Likes Received:
    20
    Good tips, but unfortunately not always applicable.

    a) I'm not sure what you mean by a "top-up electronic-use-only" card, but if I had to hazard a guess, this means cards like Visa Electron, right? Not too many sites accept one.

    Finnish banks do not offer virtual credit cards, either.

    b) Again, not always possible. For example, Play.com requires you to register before making a purchase, and they insist on storing credit card data. After the hacking incident, I tried to remove my cc number bound to my account, to no avail. Can't unsubscribe from their mailing list, either. Serves me right I guess.

    I'm using unique passwords for each account I have, but it really pisses me off that companies require me to give away personal info and then don't bother to protect it properly. I'm not really happy with criminals in possession of my physical and email address, phone number etc.
     
  11. tad2008

    tad2008 What's a Dremel?

    Joined:
    6 Nov 2008
    Posts:
    332
    Likes Received:
    3
    Can't speak for our European cousins, but here in the UK I believe both Visa and Mastercard that I know of offer a kind of pre-paid debit card where you basically put credit on the card and then can use this securely for online purchases as you would a normal debit card.

    Just done a quick check for those that might benefit:

    VISA
    http://visa.co.uk/en/products/visa_prepaid.aspx

    MASTERCARD
    http://www.mastercard.com/uk/personal/en/findacard/prepaidnew/index.html
     
  12. MrWillyWonka

    MrWillyWonka Chocolate computers galore!

    Joined:
    25 Jul 2004
    Posts:
    5,892
    Likes Received:
    12
    What radziecki meant was a top-up cashcard, basically it's a top up card that you can buy in the shops and top up whilst in the shop, and useable online as it is a Visa debit card. A bit of a hassle to do but it is one of the safest ways to buy stuff online.

    EDIT: What ^^^ said!
     
  13. SlowMotionSuicide

    SlowMotionSuicide Come Hell or High Water

    Joined:
    16 May 2009
    Posts:
    835
    Likes Received:
    20
    No such thing available here, though.

    I did a check for both my Visa and Mastercard.

    Well, there probably will be an option for those now that hacking service providers and e-shops has become an almost everyday occurrence. Even my bank felt it necessary to notify me on the PSN issue, though no fraud has taken place, yet.
     
  14. l3v1ck

    l3v1ck Fueling the world, one oil well at a time.

    Joined:
    23 Apr 2009
    Posts:
    12,956
    Likes Received:
    17
    +1
     
  15. thehippoz

    thehippoz What's a Dremel?

    Joined:
    19 Dec 2008
    Posts:
    5,780
    Likes Received:
    174
    waterboarding
     
    dark_avenger likes this.
  16. PureSilver

    PureSilver E-tailer Tailor

    Joined:
    16 Dec 2008
    Posts:
    3,152
    Likes Received:
    235
    This is not really the whole story - even if someone has hacked LastPass's databanks and grabbed files, they are of no use unless they can be cracked individually. LastPass don't store any of your data unencrypted - in fact, it's not possible for them to do so, and if you lose your LastPass password you're basically f***** because they've no way of retrieving it. So, for this to be a security issue:
    1. LastPass' servers have to have been hacked. There's no evidence this has actually occurred - there's a system anomaly and LastPass are being paranoid about it because that's what we pay them to do.
    2. LastPass users' data has to have been copied. Again, no evidence this has occurred.
    3. The users' encrypted data has to be individually cracked, by brute force. My password is >15 characters long, containing upper- and lower- case letters, numbers, and symbols, in randomly generated order. That's 96 possibilities for each of the 15+ characters = 5.20402924666473e+31 combinations - a number equivalent to 52,040,292,466,647,300,000,000,000,000,000 potential passwords, or one order of magnitude over a nonillion. Cracking it by brute force using an i7 920 or similar would take quite literally tens of thousands of years.

    Me? I'm not worried in the slightest. In addition to my password, my LastPass is encrypted using their Grid Multifactor Authentication system, which adds the complexity of a unique 26x9 code grid to any computer I haven't personally approved. I haven't done the maths on that too but it is another hurdle to the theoretical hackers getting my Facebook password.

    Using LastPass means I can use different 15-character alphanumerosymbolic passwords for everything I use - so compromise of any one won't affect the others. Since even I don't know them, it's very difficult for them to be compromised. As far as I can see, you're much more likely to be in trouble by entrusting your data to people that aren't LastPass, like, er, PSN...
     
    Last edited: 9 May 2011
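
The keyspace arithmetic from point 3 of the post above, as an added example that is not part of any post in this thread. The 96-symbol alphabet and the 5.20402924666473e+31 figure are taken from the post (that figure is the 16-character case of ">15 characters"); the guess rate of 1e9 per second is an assumed value for illustration, not a measurement of any hardware or of LastPass's scheme.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of equally likely random passwords of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(charset_size)


def average_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return keyspace(charset_size, length) / 2 / guesses_per_second / SECONDS_PER_YEAR


def min_length(charset_size: int, guesses_per_second: float, target_years: float) -> int:
    """Shortest random password whose average search time reaches target_years."""
    length = 1
    while average_years(charset_size, length, guesses_per_second) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    CHARSET = 96          # alphabet size used in the post
    ASSUMED_RATE = 1e9    # guesses per second (assumption, not from the page)

    for n in (8, 12, 15, 16):
        print(f"{n:2d} chars: {keyspace(CHARSET, n):.3e} combinations, "
              f"{entropy_bits(CHARSET, n):5.1f} bits, "
              f"{average_years(CHARSET, n, ASSUMED_RATE):.3e} years on average")

    print("Minimum length for a 10,000-year average search:",
          min_length(CHARSET, ASSUMED_RATE, 10_000))
```

The estimate only holds for passwords chosen uniformly at random; a human-chosen password of the same length falls to dictionary guessing long before the keyspace is exhausted.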
  17. sotu1

    sotu1 Ex-Modder

    Joined:
    24 Aug 2007
    Posts:
    2,884
    Likes Received:
    26
    PEN AND PAPER. Honestly it actually works sometimes!
     
  18. bobwya

    bobwya Custom PC Migrant

    Joined:
    3 May 2009
    Posts:
    193
    Likes Received:
    1
    My advice is to simply let E-Merchants store all your credit card details online. However then ensure that all your credit cards are maxed out (to their respective limits). E viola - no E-fraud!
     
  19. shanky887614

    shanky887614 What's a Dremel?

    Joined:
    13 May 2009
    Posts:
    203
    Likes Received:
    0
    Guys, or there is a quick cheat: create a new account with the same person as the main account, make sure it's debit only and doesn't allow overdraws or credit, then just swap money to it before buying online. That's my way of dealing with it.

    What can a hacker do with a bank account with £1 in it?
     
  20. Salty Wagyu

    Salty Wagyu moo

    Joined:
    5 Jul 2010
    Posts:
    454
    Likes Received:
    17
    Keepass is way less convenient though, as I frequent a lot of sites that log you out automatically as the session expires (Amazon for example). Having to c+p all the time gets tedious, and I've been there.
     