LastPass Is In the Midst of a Major Outage (zdnet.com)
LastPass has been suffering from a major outage as users are reporting being unable to log into their accounts and autofill passwords. What's odd is the company insists that everything is working properly, even though there's an unusually high number of users reporting issues. ZDNet reports: User reports about login issues have been flooding Twitter, but also the company's forum, Reddit, and DownDetector. Users are reporting receiving the following error when trying to log in: "An error has occurred while contacting the LastPass server. Please try again later." Both home and enterprise users are impacted. According to reports, LastPass' support staff has been either non-responsive, or denying reports of any technical issue happening at all. Despite issues being reported as far back as three days ago, the company has not updated its status page to reflect the incident, nor has it provided any type of explanation or useful help to its userbase.
According to multiple users on Twitter, the problems appear to impact only users with LastPass accounts dating to 2014, or prior. On DownDetector, a company spokesperson said the company was still investigating the incident, stating that there are no glaring issues with its servers -- which suggests the roots of this outage might be in a software component. "We are aware of and actively investigating reports from some LastPass customers who are experiencing issues and receiving errors when attempting to log in. At this time no service issues have been identified." Contacted by ZDNet, the company described the outage as "an isolated issue with limited impact" and said that "engineers are working to resolve the issue."
No it's not. (Score:5, Informative)
This has been sorted already, you could at least link to an article that's up to date.
https://www.theregister.co.uk/... [theregister.co.uk]
More Stories about Last Pass (Score:3)
The Register includes more stories about this at the end of each article, which would indicate this sort of half-denied outage is a pretty common problem for LastPass.
Re:More Stories about Last Pass (Score:5, Insightful)
I almost modded this as funny, but then I thought you may be serious. And thought wow, this person must be a manager or VP of IT, because they are doing the single dumbest thing I have ever heard. Let me guess, 2FA is useless also?
In case of a fire where is your backup so you can get into your bank and order new cards, so you can ya know sleep on something other than a cardboard box down by the river? Is it in your parents' office drawer upstairs?
Re:More Stories about Last Pass (Score:4, Insightful)
OP didn't claim 2FA to be useless, you put the words in their mouth.
The rest of your assessment depends on the value of the accounts secured that way. If it is forums, gaming stuff etc., then the destruction of these passwords has little value and the unavailability is only temporary. It just takes a lot of effort to reset the passwords everywhere, provided the password for the mail address behind these accounts is still known from memory, without the paper documentation.
Operating a business or saving cryptographic material that way would not be smart, that's where you're right. For the hundreds of mundane accounts of little relevance, pen and paper to save the passwords is not really that bad, provided the paper is secured against access by others and the passwords themselves are all different from one another and complex enough to withstand dictionary attacks. Even simple passwords written on paper in the home office drawer surely beat the most complex passwords not saved anywhere if the latter are reused across platforms.
Online threats to digital infrastructure are far far far far far more pervasive and successful than threats to pieces of paper locked in a drawer in the home office. It may seem utterly ridiculous and ancient, but consider the threat surface and the actors: a handful of the closest family and friends stealing from you without you noticing vs. the entire Internet hacking and bruteforcing away 24/7, most of them operating from some coffee shop in remote Ebonia and rural Durkastan.
We all have important bits of paper in our homes, and we're good at keeping them safe enough. Yeah if a fire breaks out, they're all gone. Bummer. If a fire breaks out a lot more than that is gone anyway and with insurance or not, the passwords to an online shopping site do not matter the least then.
Re: (Score:1)
We all have important bits of paper in our homes, and we're good at keeping them safe enough. Yeah if a fire breaks out, they're all gone. Bummer. If a fire breaks out a lot more than that is gone anyway and with insurance or not, the passwords to an online shopping site do not matter the least then.
As someone who has had to actually plan for such a disaster, I can assure you this opinion is utterly ridiculous, and makes an unfortunate incident into a life-changing catastrophe.
After a disaster of any size or severity, minutes matter. Even if it's only your home office that burned, you're facing hours or days on the phone with customer support reps trying to prove that you are who you claim, without having access to the normal channels to validate your connected identity. Sure, you can reset your passwo
Re: (Score:2)
You will notice that in the real world, 80% of all humans operating a digital device do not take the most basic safety precaution that isn't forced or pushed upon them. Not. One. No backups, no 2FA unless mandated by law (EU online banking) or forced-upon by the manufacturer (SIM cards), no password diversification, no password complexity, little password length, passwords chosen from the dictionary, no security updates unless done automatically by the device, passwords in text files on the device they're t
Re: (Score:2)
In case of a fire where is your backup so you can get into your bank
It's called ID. You turn up in person at the bank and lo and behold, they can replace all your stuff. I'm guessing the moral here is don't run out of your house in your underwear and bring your wallet.
Re: (Score:2)
That is assuming you have time to get a wallet or purse. I don't know where you live but homes here are often wood, they go up pretty farking quickly. As a victim of a house fire, I can tell you, you are not searching for a wallet and pants, you're getting your kids and S/O and maybe pets and getting your ass out of the house.
Doubt that ZDNet or Slashdot have people on duty 24x7 (Score:5, Informative)
Re: (Score:3)
Doubt that ZDNet or Slashdot have people on duty 24x7
TL;DR: Slashdot has people on duty 24x7
Article post stamps:
05:31
04:50
04:10
03:30
02:50
02:14
01:22
00:41
23:00
20:00
17:00
13:30
11:30
10:50
10:10
09:30
08:50
08:44
08:10
07:30
06:50
06:10
Time to take a backup! (Score:5, Insightful)
Yes, it's an overly alarmist and already outdated headline. But please, treat this as your latest reminder that no matter what password manager you use*, personally performing regular backups of your password database is crucial. Your LastPass client kind of does this when you log in, but AFAIK doesn't offer a local export option, so in the event that LastPass.com LLC (I think they're actually owned by some other company, but w/e) goes tits up, you're still quite fucked. Every month or three, download your password database AS AN UNENCRYPTED LIST and put it on a USB key with nothing else on it. For most of us, our password manager has become our single point of failure. Treat it with the appropriate respect and dread.
* If you don't use a password manager with unique passwords for each site, please treat this as your latest reminder that you've been hacked a dozen times and everybody has access to your everything now.
Re: (Score:2)
LastPass works just fine on the most recently used database if the service is down. You wouldn't be able to log in to a system where you hadn't used LastPass before (duh!) but on any system where you had ever used LastPass, you'd have the database as of the last time you used it there.
And LastPass most certainly does have a local export option. (checking to make sure it hasn't been removed... Nope, still there.)
Re:Time to take a backup! (Score:5, Insightful)
or - use a local password manager (like keepass) and use that instead.
I might suggest Firefox's password manager but I'm not sure if that's stored locally or online. One website going down should not become a bottleneck for all your website access.
Re: (Score:2)
It's stored locally, thankfully. I back up mine frequently to external storage, just in case.
The files to back up are key4.db and logins.json from the profile directory, User->Roaming->Mozilla->Firefox->Profiles->Whatever.
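As an added example (not from the post above and not Mozilla's code), a small Python script that backs up exactly that pair of files and refuses to copy one without the other: logins.json holds the encrypted entries and key4.db holds the key that decrypts them (protected by the primary password, if you set one), so a copy of either file alone cannot be restored. The profile and destination paths are assumed arguments; demo() builds a constructed fake profile in a temporary directory so the script runs offline.

```python
"""Back up Firefox's saved-logins pair (key4.db + logins.json) as a unit.

Added example, not part of the original thread or of Mozilla's tooling.
"""
import json
import shutil
import tempfile
import time
from pathlib import Path

# Both files are required: logins.json = encrypted credentials,
# key4.db = the NSS key database that decrypts them. Half a pair is worthless
# to you and (without a primary password) still a full credential dump to a thief.
REQUIRED = ("key4.db", "logins.json")


def count_logins(profile_dir: Path) -> int:
    """Sanity check that logins.json parses and report how many entries it holds."""
    data = json.loads((profile_dir / "logins.json").read_text(encoding="utf-8"))
    return len(data.get("logins", []))


def backup_firefox_logins(profile_dir, dest_dir) -> dict:
    """Copy the pair into a timestamped directory under dest_dir.

    Raises FileNotFoundError rather than producing a partial backup.
    """
    profile_dir, dest_dir = Path(profile_dir), Path(dest_dir)
    missing = [name for name in REQUIRED if not (profile_dir / name).is_file()]
    if missing:
        raise FileNotFoundError(f"refusing partial backup, missing: {', '.join(missing)}")
    n_logins = count_logins(profile_dir)
    target = dest_dir / f"firefox-logins-{time.strftime('%Y%m%d-%H%M%S')}"
    target.mkdir(parents=True, exist_ok=True)
    for name in REQUIRED:
        shutil.copy2(profile_dir / name, target / name)  # copy2 keeps mtimes
    # The copy is as sensitive as the vault itself: owner-only on POSIX.
    target.chmod(0o700)
    for copied in target.iterdir():
        copied.chmod(0o600)
    return {"target": target, "logins": n_logins}


def demo() -> dict:
    """Run the backup against a constructed fake profile (no real Firefox data)."""
    root = Path(tempfile.mkdtemp(prefix="ff-backup-demo-"))
    profile = root / "abcd1234.default-release"  # assumed profile folder name
    profile.mkdir()
    # Constructed stand-ins; a real logins.json carries encrypted username/password fields.
    (profile / "logins.json").write_text(json.dumps(
        {"logins": [{"hostname": "https://example.com"}, {"hostname": "https://example.org"}]}))
    (profile / "key4.db").write_bytes(b"\x00" * 32)
    ok = backup_firefox_logins(profile, root / "backups")

    (profile / "key4.db").unlink()  # simulate the half-copied case
    try:
        backup_firefox_logins(profile, root / "backups")
        refused = False
    except FileNotFoundError:
        refused = True
    return {
        "logins": ok["logins"],
        "files": sorted(p.name for p in ok["target"].iterdir()),
        "partial_refused": refused,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(backup_firefox_logins(sys.argv[1], sys.argv[2]))
    else:
        print(demo())
```

Point the first argument at the profile directory from the path given above and the second at the backup location; treat that destination like the vault (encrypted disk or an encrypted container), because the pair is everything needed to decrypt the logins if no primary password is set.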
Re: Time to take a backup! (Score:1)
Another password vault that encrypts and stores locally is Codebook. Yes, it's closed source and must be bought for a modest fee, but I thought worth adding to the discussion here.
I have no relation to the developer except that this company also maintains an encrypted extension to SQLite which is open source and has been around a while. My team used that encrypted database in a desktop app we developed about 7-8 years ago.
Re: (Score:3, Informative)
* If you don't use a password manager with unique passwords for each site
You make two claims here. One is accurate, one is horse shit.
And if you're using a cloud-based password manager, you come pre-hacked. You have no secrets.
Re: (Score:3)
Firefox's password manager is pretty darn good, and seems to employ a far better security model than any other manager. If I recall correctly, the account has one password, and each device itself has its own session key. Compromising one device doesn't compromise the account password in any way. Also, compromising Mozilla's synchronization server doesn't compromise your regular passwords (though it can compromise your account password). Additionally, your passwords are secured locally by your master pas
Re: (Score:2)
Depending on the physical security context, a paper notebook can also be effective.
"Two factor" where one factor is on a phone, and the other factor is... also on the phone, I'm not convinced there are effectively two factors. It requires a hardware device to get a real second factor. And I'm not sure if retaining the password when you have that is even worth the gain in most cases. But locking a password manager with a hardware device seems reasonable.
Re: (Score:2)
Normally one should be using a local master password with Firefox's password manager. For passwords stored on the device, you have basically two factors: device's key and the database itself (which may or not be secured highly -- not sure on Android), and your local master password.
For the encryption on Mozilla's servers, you use your account password, which you shouldn't be accessing often, so it can be a non-brute-forceable one. Also, assuming Mozilla itself is not compromised, the account offers OTP 2F
Mass hacking (Score:2)
Both are horse shit.
You are also guilty of equine fecal matter.
If the amount of time and hardware required to hack into an account exceeds the value of the information retrieved, it's stupid to try to hack into that account in the first place.
You also are making a wrong assumption. You are assuming that the hacker will target each account individually and attack it manually.
Thing is, most of the time, attacks are mass-scale and fully automated.
- The whole database of a horrendously badly designed password manager might get broken into and stolen. Your credentials happen to be there in the middle even if nobody in particular has any interest in your account in particular.
- Said password collection might end
Re: (Score:2)
Both are horse shit.
You are also guilty of equine fecal matter.
If the amount of time and hardware required to hack into an account exceeds the value of the information retrieved, it's stupid to try to hack into that account in the first place.
You also are making a wrong assumption. You are assuming that the hacker will target each account individually and attack it manually.
Thing is, most of the time, attacks are mass-scale and fully automated.
- The whole database of a horrendously badly designed password manager might get broken into and stolen. Your credentials happen to be there in the middle even if nobody in particular has any interest in your account in particular.
Except there's no database with my stuff in the middle. Each account is encrypted separately. There's no way to decrypt "the whole database" with some "mass-scale and fully automated" process.
There's too much horseshit in this discussion.
Do you have ANY idea how LastPass works? (Score:2)
Well, no, because they're not stored in plain text anywhere. All the attackers get is some meaningless ciphertext that, with the right key, decrypts to my credentials. Good luck getting that key... it never leaves my system.
What password collection? You don't have any passwords, ju
End-to-end work... *when implemented correctly* (Score:2)
Shut up and go learn a few things (such as how end-to-end encryption works) before posting again, please.
You might have noticed from my numerous other posts that I know a thing or two about end-to-end encryption.
The question whether every single last start-up that is eager to surf on the general population's paranoia and blows all its VC money on advertisement and sponsoring influencers' videos on YouTube is actually competent to implement it correctly is an entirely different question. Note this part, which you even cited in your reply:
Re: Time to take a backup! (Score:3)
Funny how I've been "hacked" for so long, but they never do anything untoward. I must have real nice hackers.
Re: (Score:2)
Your LastPass client kind of does this when you log in, but AFAIK doesn't offer a local export option
Yes, it does. Both CSV and encrypted.
Click the Lastpass Menu in Chrome|Account Options|Advanced|Export
Re: (Score:2)
What if I use unique passwords for each site but don't use a password manager?
Sounds fine, but why wouldn't you? Do you dislike productivity apps?
Why should I ever trust a password manager that I didn't write?
Because you or people you trust have reviewed its source code.
A gpg encrypted text doc backed up to remote servers is good enough.
Yep. But again, why would you do things the annoying way? Why not use a program to manage that file?
And if I can't remember a unique password, then the site wasn't very important was it?
haha what
Re: (Score:2)
Why should I ever trust a password manager that I didn't write?
Because you or people you trust have reviewed its source code.
In a hypothetical ideal world where everyone is an expert programmer, the program you are running is guaranteed to be generated from exactly the source code you (or your trusted proxy) reviewed, and you can afford to re-execute your code-review every time the program is updated, that might be practical.
In the real world:
1) You don't have access to the source code
2) If you did, you don't have time to read through it all
3) If you did, you probably wouldn't be able to detect a security hole / bug / back-door e
Re: Time to take a backup! (Score:2)
Or, you know, you could use a password manager that is open source and doesn't use their own dubious cloud storage solution, like PasswdSafe.
I know there's a slight extra convenience in using things like LastPass, but there is no way I'd ever trust a for-profit company with all my passwords.
Re: (Score:2)
I do this a little differently: I use a KeePass file synced with online cloud storage so I can access it across devices as long as they're internet connected. Each device, however, has a copy of that file. I back up a physical copy of that file to a flash drive, and in another location in a safe have a written copy of the password for that file - a password which is only used for that sole purpose, and is absurdly long, as well as instructions on how to use it (in case I croak and family needs to get to thing
Bitwarden (Score:5, Informative)
For those who don't know, Bitwarden has become a viable competitor, is much cheaper, open source, can be self-hosted, and - the thing that got me to switch - LastPass is storing all the URLs that accompany your encrypted username/passwords in cleartext. For me, some of the URLs are themselves sensitive enough that nobody else can be allowed access to them. For instance, you can tell a lot about a server infrastructure at a client site by the URLs that access various services. Never give an attacker more information than you have to.
Downsides: 2FA on self-hosted Bitwarden is still being designed and the sharing mechanism takes a bit of training - it's almost like tagging shared items rather than the LastPass folder metaphor, which is easier for users to understand.
https://github.com/bitwarden [github.com]
open source password manager (Score:2)
echo above
password managers need to be open source and I personally think you should contribute something to them if you can (money or code/review)
also mozilla which has a pretty good track record with encryption:
https://www.mozilla.org/en-US/firefox/lockwise/ [mozilla.org]
for ios, android etc etc
Other Options (Score:3)
Bitwarden is good, but I had a bit of trouble following its layout, especially in a multi-user environment. Here are a few others I tried and liked:
https://teampass.net/ [teampass.net] - Infuriatingly, its browser-based layout isn't responsive, but it's one of a handful of self-hosted options that offer mobile apps for both iOS and Android. All the usual stuff, plus an API if you want.
https://teampasswordmanager.co... [teampasswordmanager.com] - The one I actually landed on. It's not free (and it uses the Ioncube loaders to boot...), but it's chea
Re: (Score:2)
The problem with relying on little-known password managers is that, unless you're both competent to review their security (including cryptography) and have actually sat down to do that, or know and trust somebody for whom both are true, you have very little reason for confidence in it. Being open source doesn't mean a thing if nobody reviews the source; "many eyes" only applies if there are, in fact, many eyes bothering to read it.
LastPass, for all its warts (and they are many), has survived both extensive
Re: (Score:2)
We actually had a C-suite meeting today to choose Bitwarden. The 2FA for self host was nearly a deal breaker, but as you said, they are actively working on it, and for now we can manually police use of 2FA.
The other big down vote for LastPass was their purchase by LogMeIn, :( who have now just sold to a private equity firm. Prepare the lubricant, LastPass users!
Re: (Score:2)
The other big down vote for lastpass was their purchase by LogmeIn, :( who have now just sold to a private equity firm. Prepare the lubricant Last Pass users!
I've been very happy with LastPass for about 10 years now, but if the new owners give me good reason to, I'd switch to BitWarden. It seems to be a solid product as near as I can tell, but I have no particular reason to go through the effort of switching.... Yet.
Single point of failure (Score:5, Insightful)
Personally, I wrote my own secure password manager which lives outside of the browser. No, it's not passwords.txt
Re: (Score:3)
While I would love a credit card device that holds everything and is easily (or manually) portable between a diverse set of clients, it still seems essentially impossible/impractical. When even copy/paste can’t be trusted, it is a very hard problem to solve.
Still wish I could do more with something along the lines of a yubikey, but that seems to be fraught with issues as well. A literal keychain of dongles, tokens, and USB drives poses a number of issues.
Re: (Score:1)
Really? What about password reset? This is a problem only if you don't have an email client with a password stored in it. When I can't access my password manager I'm hardly screwed.
Re: (Score:2)
Personally, I wrote my own secure password manager which lives outside of the browser. No, it's not passwords.txt ;-)
So did i. It uses advanced technology that boils down to dissolved chemicals in a fluid matrix that gets in contact with a cellulose based storage medium using a spherical object that rolls over the medium to store the bits that i like to be stored.
It's very energy efficient as it uses zero electricity to function, both for storing and retrieving. The retention rates are hundreds of years. Making backups is trivially possible by repeating the procedure on a second medium. It's very safe as it's not connecte
Re: (Score:2)
While that's nice that you can write your own password manager, is it really safer? Are you an actual security expert?
Companies that make commercial password managers can afford to hire teams of people who dedicate their careers to security. Of course, that's no guarantee, but they are likely to be able to head off more security issues than you could all by yourself!
Bad. Really bad. (Score:2)
The entire concept of storing passwords "in the cloud" is fundamentally flawed. It is simply bad security. It adds complexity to what should be simple. Add shortfalls in promised performance and all the cloud-based password key rings are bad.
Re: Bad. Really bad. (Score:4, Interesting)
The entire concept of passwords is flawed. The recommendations for secure passwords (complexity+uniqueness+age) pretty much guarantee people write their passwords down somewhere, whether it's a cloud provider, a local encrypted solution with a single point of failure, or on a piece of paper.
I personally don't follow the guidelines on uniqueness. It's a better trade-off to me in security over writing down my passwords.
Re: (Score:2)
I have several "levels" of security. Stuff I don't care about
THIS. Oh noes, you got ahold of my free Pandora account! You changed all of my music tastes and shows! How am I ever going to live?
Versus banking: you're NOT going to find it anywhere, there's 2FA (not perfect but better than nothing), and you'll need the auth questions to enter OR need to steal a cookie on my computer. (Steal my phone and log in? Pfffft, you must be kidding; even *I* don't do that.)
Your system is Bad. Really bad. (Score:2)
It's really sad to see such terrible security advice parroted here, on a site nominally used by the tech-savvy, and then modded up. Re-using passwords anywhere, ever, at any level of security? You're being a moron. Even with 2FA on the "really important" ones.
If you can't bring yourself to trust the experts who have done extensive security reviews (and are far more qualified to do them than you, plainly) then may I suggest you please educate yourself on how any half-decent password manager works (hint: both
Re: Your system is Bad. Really bad. (Score:2)
So, you have one password that protects all your passwords and for some reason you think that's way better than a single password?
Ok, dude...
Entrusting your passwords to the cloud (Score:3)
Why fix it when you can deny it? (Score:2)
I remember InMotionHosting got hacked a few years ago and accounts were filled with spam links. They tried to blame the users, insisting everything was fine on their end. Denial is a stupid strategy. Just admit there's a problem and fix it. Though maybe denial is the default when the company doesn't want to issue refunds.
time to rebrand (Score:1)
Dependency on "The Cloud" (Score:4, Insightful)
Re:Dependency on "The Cloud" (Score:5, Insightful)
And *that* is why I continue to use KeePass [keepass.info] instead of a cloud-based password management tool.
Exactly.
People don't understand that something like KeePass is a better solution. It's very very VERY possible that the most important time you'll need a critical password is because some server on the other side of the planet isn't reachable. Keep your data local and that won't be a problem.
Really, why do people think "the cloud" is impervious to problems or that it'll never, ever go down?
You can use LastPass offline. (Score:5, Informative)
LastPass stores your vault locally (unless you tell it not to) after you log in. It synchronizes automatically through the server, but you can use it offline if you need to.
https://helpdesk.lastpass.com/... [lastpass.com] (scroll down and expand the section "Offline Access to your LastPass Vault")
Re: (Score:2)
Really, why do people think "the cloud" is impervious to problems or that it'll never, ever go down?
People like to think infrastructure just works. People shouldn't have to plan for the cloud going down, any more than they should have to plan for a power outage during a storm or a broken traffic light on their morning commute. When shit happens, it should get fixed, hopefully before anybody important really notices. That was life before the internet, and it will continue to be life after the internet. Oh, btw, lastpass has an off-line option -- nothing wrong with having an alternate commute route e
Keep all my passwords in the cloud (Score:2)
"Sure, I keep all my super-critical passwords in the cloud, what could possibly go wrong?"
Smarter than you think. (Score:2)
You don't, though. You keep a meaningless blob of ciphertext in the cloud. The passwords - either the ones stored in LastPass, or the master password used to derive the key to decrypt them - never leave your client.
Also, you can access your LastPass vault offline, if you've used LastPass on that machine before (and didn't tell it to delete the local copy). The server is just used for synchronization and accessing the vault from a new machine.
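The design this comment describes, and the metadata point the Bitwarden post above makes about URLs sitting outside the encrypted part of a vault, as an added example in Python (not LastPass's, Bitwarden's or any vendor's code, and not their exact key schedule): the client derives two separate values from the master password, a vault key that never leaves the device and a one-way authentication hash that is the only password-derived value the server ever sees; the whole record, URL included, goes inside the encrypted blob; the server stores just a salted hash of the auth value plus the opaque blob. Iteration counts, the sample hostnames and the SyncServer class are assumptions. The HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC is used only so the block runs on the standard library; a real client would use AES-GCM or XChaCha20-Poly1305.

```python
"""Zero-knowledge vault sync sketch. Added example, not any product's implementation."""
import hashlib
import hmac
import json
import secrets

# Assumption: illustrative iteration count; tune much higher on real hardware.
KDF_ITERATIONS = 100_000


def derive_keys(master_password: str, email: str, iterations: int = KDF_ITERATIONS):
    """Client side only.

    vault_key  - decrypts the vault; never transmitted.
    auth_hash  - one further one-way PBKDF2 step over vault_key; this, not the
                 password and not vault_key, is what the client sends to log in.
    """
    pw = master_password.encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode(), iterations)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)
    return vault_key, auth_hash


def _subkeys(vault_key: bytes):
    # Distinct encryption and MAC keys derived from the vault key.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 driven in counter mode as a PRF-based stream cipher (stdlib stand-in
    # for a real AEAD; do not ship this in place of AES-GCM / XChaCha20-Poly1305).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, records: list) -> dict:
    """Encrypt the entire record list, URLs included, then MAC nonce||ciphertext."""
    enc_key, mac_key = _subkeys(vault_key)
    plaintext = json.dumps(records, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict) -> list:
    """Verify the tag first; a wrong key or any tampering is rejected before decrypting."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("vault rejected: wrong master password or tampered ciphertext")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class SyncServer:
    """Assumed cloud side: holds a salted hash of auth_hash and the opaque blob, nothing else."""

    def __init__(self):
        self.db = {}

    def register(self, email: str, auth_hash: bytes, blob: dict) -> None:
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 10_000)
        self.db[email] = {"salt": salt, "verifier": verifier, "blob": blob}

    def login(self, email: str, auth_hash: bytes) -> dict:
        row = self.db[email]
        check = hashlib.pbkdf2_hmac("sha256", auth_hash, row["salt"], 10_000)
        if not hmac.compare_digest(check, row["verifier"]):
            raise PermissionError("bad credentials")
        return row["blob"]


# Constructed sample vault; the hostnames are made up.
SAMPLE_RECORDS = [
    {"url": "https://jenkins.internal.example-client.net", "user": "deploy", "password": "s3cr3t-1"},
    {"url": "https://bank.example.com", "user": "alice", "password": "correct horse battery"},
]


def demo(master_password: str = "a long master passphrase", email: str = "alice@example.com") -> dict:
    vault_key, auth_hash = derive_keys(master_password, email)
    server = SyncServer()
    server.register(email, auth_hash, encrypt_vault(vault_key, SAMPLE_RECORDS))

    # Someone who dumps the server database gets this row and nothing more.
    leaked_ciphertext = bytes.fromhex(server.db[email]["blob"]["ciphertext"])
    url_visible = b"jenkins.internal" in leaked_ciphertext  # False: the URL is inside the blob

    # The legitimate client authenticates with auth_hash, fetches, decrypts locally.
    restored = decrypt_vault(vault_key, server.login(email, auth_hash))
    return {"url_visible_to_server": url_visible, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

The check a practitioner would add when evaluating a manager is the one demo() makes: dump what the sync side stores and grep it for a hostname you know is in your vault. If it is findable, that field is metadata the provider (and anyone who breaches it) can read, regardless of how the passwords themselves are protected.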
Re: (Score:2)
You don't, though. You keep a meaningless blob of ciphertext in the cloud.
Okay then, "Sure, I keep all my super-critical meaningless blobs of ciphertext in the cloud, what could possibly go wrong?"
They thought of that (Score:2)
Not surprisingly, LastPass thought of most of the concerns being raised here: