by tim333 1640 days ago
I just tried logging into my LastPass (not used for a while) and I entered the password wrongly (I capitalised one letter) and got an email "Someone just used your master password to try to log in to your account from a device or location we didn't recognize."

Maybe it says someone used your master password even if they didn't? It gave the IP as Islington which is kind of correct.

2 comments

I think that password case is a separate issue. If I remember correctly, many online services do "secretly" accept mixed cases for the same password (because users make more mistakes than they realize and it would be "annoying" to be too strict)

If you didn't receive a "Someone just used" email (with an IP that's completely geographically off from where you are) that's a good sign, of course.

I tried pushing back on just such a request once, pointing out it made one of the password "security" requirements pointless (use mixed case letters).

"But famous company X does this, it is really convenient for users!" was all the response I got. All I could do at the time was (internally) shake my head.

Oh! If the messaging is the same regardless of whether the right password is used then that changes everything!
When a wrong password is used, no email is sent out from my multiple experiments today.

I'm happy to be proven wrong, but I think that what's happening with @tim333 is that master passwords may be all lower cased (for example) before being hashed. Or maybe the password is hashed twice with the first letter upper and lower cased.

Here's what I found from a quick google re: password case:

https://www.zdnet.com/article/facebook-passwords-are-not-cas...

https://security.stackexchange.com/questions/68013/facebook-...

"This is simply Facebook trying to provide a better user experience for those users who may have Caps Lock enabled, or whose devices automatically capitalize the first letter of the password."

I don't think that's the case. I went back and looked at the auth logs and there are many "failed logins" and one "Login verification email sent", which is the only one I got an email for.