[IgorPartola]

LastPass FTW! The attacker will reverse my password just to find a bunch of unusable bits :). What would be even cooler is an API on top of LastPass that sites like Zappos could hook into to force a behind-the-scenes change of passwords, similar to revoking a compromised certificate. Essentially, since there is some lead time after the breach is discovered and before the attacker manages to crack the long, random passwords, their efforts would be futile by the time they are done since all LastPass passwords would have already been changed.

Or we could just stop using passwords everywhere and not have this problem again. Anybody? Anybody?

Disclosure: I have no affiliation with LastPass beyond being a satisfied user.

[martingordon]

I used to have three different passwords of varying complexity that I shared across sites.

When Gizmodo's database was compromised and I didn't know which password I used there, I decided to stop using the same set of passwords everyone and started generating and storing my passwords using 1Password. It's a little annoying to use on my iPhone (particularly having to type my long master password on the soft keyboard), but it's dead simple to use on the desktop and I recommend it to everyone. I still have some sites that use my old passwords, but 1Password's Smart Folders let me search my passwords for those and I plan on changing those today.

(I haven't used LastPass so I can't comment on how it compares to 1Password)

[reidmain]

This is exactly what I do and I've switch friends and family over as well.

Whenever they bring up the perceived inconvenience (which goes down on the desktop with practice) I simply remind them how much time they will waste if one of their accounts is compromised.

Sure their foursquare (or pick another random service that doesn't hold EXTREMELY important data) account isn't that important but when it uses their Gmail address and has the same password they are just begging for trouble.

Also this gets them out of logging on to their Gmail and Facebook accounts from public computers. They still don't fully understand the possible problems but at least now it is such an inconvenience they just use their own devices.

[Donald]

> What would be even cooler is an API on top of LastPass that sites like Zappos could hook into to force a behind-the-scenes change of passwords

How would Lastpass protect against an attacker masquerading as the third party website? (Especially considering this feature would be used when a website finds itself compromised.)

[IgorPartola]

Maybe an API is an overkill in this case. Instead, a simple web service with a twist: Zappos has a private key and LastPass has the corresponding public key. Now, if Zappos.com is compromised and the breached is discovered and fixed, their CEO/CTO/head security guy grabs the private key and authenticates to LastPass, telling them that he is in fact who he says he is, and finally triggers the massive automatic password reset. Obviously, this will not work if the private key is compromised, but then again, our whole web security paradigm is "trust that the website owner knows what s/he is doing", so this is already a step up.

Or, as I mentioned, let's do away with passwords. Anyone can have your public key so long as your private key stays private.

[tedivm]

Well, lastpass doesn't store the passwords on its servers in a way that they could just change. From my understanding the database is only decrypted on the client machines when the master password is entered.

Still, the idea of a service for handling this makes sense. Rather than one based on a single vendor, a simple API for querying compromised domains would handle it. Then the lastpass extension can call that api for a list of the user's domains and see if anything needs to be changed. Being more general (just giving out information about recently compromised sites) also seems more useful, in that people would do a lot of different things with it.

[rationalbeats]

Except when LastPass was compromised last year...

[forensic]

FFS! It wasn't compromised, not remotely. The incident last year is what convinced me I could trust last pass.

[mike-cardwell]

There was also the XSS flaw in Feb last year that allowed an attacker to retrieve your email address, your password reminder, the list of sites you log into and the history of your logins, including which sites you logged into, the time and dates you logged into them, and the IP addresses you logged in from.

https://grepular.com/LastPass_Vulnerability_Exposes_Account_...

Their reaction to this flaw was exemplary though, and LastPass is a lot more secure now because of it.

[rationalbeats]

Well they said that their database was compromised and they were not sure what was accessed.

So I stopped using them after that incident.

It was a while ago I don't remember the particulars, but I do remember they said they were not sure if someone stole everyones password so everyone should change their master password to be safe. So I deleted my account to be safer.

[Confusion]

  Well they said that their database was compromised

No they didn't.

  I don't remember the particulars

Then why do you make such explicit claims about what happened? They spotted a traffic anomaly on their network and went into complete paranoid mode. It is completely unknown, even to them, whether someone unauthorized accessed their database or whether they just couldn't account for some traffic on their internal network.

I don't know anyone else that monitors the traffic on their network to detect unauthorized access and I know many companies that don't. That's already a huge plus and it makes me trust them with security in general all the more.

[newman314]

For that reason, I find the 1Password model more suited to my tastes. Using Dropbox to sync, it works just as nicely and I'm not beholden to a third party central database (LastPass).

[lelele]

So what? As long as your master password was strong, your data was safe.