Categories
Blog

LastPass Security Incident

Important Security Updates for Our Users

Over the past week, we have worked with Google security researcher Tavis Ormandy to investigate and fix reported vulnerabilities. W e apologize for the delayed response as we’ve been conducting a thorough investigation on these reports in an effort to provide as much detail to you as possible.

Categories
Blog

LastPass Cyberattack Response Worked as Designed

LastPass Cyberattack Response Worked as Designed
Cyberattack response
worked as designed

Here’s what I’d like to see in the news media: “LastPass quickly detected, contained, evaluated the scope of the incident, and secured all user accounts. LastPass cyberattack response worked as designed.”
My confidence and trust in this service has only increased after this incident:

LastPass Security Notice

Categories
Blog

LastPass Notice of Security Incident

As an avid fan and user of LastPass, I’ve been following this story with great interest:

We want to alert our community to a recent security incident & the actions we're taking to protect users. We are emailing all users now, but more information can also be found on our blog:

Posted by LastPass on Monday, June 15, 2015

 

Commenter epixoip, commenting in this ARS Technica article assesses the incident thusly:

Not much to sweat about here. Lastpass is doing things correctly, and their response is perfect.

If we could trust computers to keep secrets a secret, then we wouldn’t have to worry about protecting sensitive data at rest. But we can’t, so we do. Password databases can be compromised through a myriad of vectors — up to and including physical theft — and you have to plan for the eventuality that your database will be compromised. How you protect the data in the database is what really matters, and this is precisely why we have password hashing, and this is also why the threat model for password hashing starts with a compromised password database. Think of password hashing as an insurance policy. The stronger the password hashing is, the more time you buy for yourself and your users in the event of a breach: time to identify and contain the breach, time to notify your users, and time for your users to update their passwords.

Lastpass definitely understands this, as their password hashing is top-notch — possibly the strongest we’ve ever seen, especially for a company of this size. 105,000+ rounds of PBKDF2-HMAC-SHA256 is definitely no joke.

So while it never looks good when a security company is compromised, there are a lot of positives here:

– They quickly identified, contained, and evaluated the scope of the breach
– They promptly notified users about the breach (within 72 hours)
– They are certainly doing proper password hashing (strong insurance policy)
– Vault data obviously isn’t stored on the same system as authentication data, evidence of strong segmentation

All in all, Lastpass is doing things correctly, and I will definitely continue to support them.

 
 

Categories
Blog

Rublon — Beautiful Two-Factor Authentication for WordPress

Rublon — Invisible Two-Factor Authentication
Rublon — Invisible Two-Factor Authentication

I’ve been incorporating two-factor authentication wherever I can in my digital life, and mobile apps like Google Authenticator can make it a snap to implement, especially with easy QR code verification. But until now I hadn’t found a solution I liked for WordPress, having tried a number of different plug-ins, only to later uninstall. Enter Rublon, a mobile authentication app I saw reviewed (along with several other apps) on the Torque website, by contributor Jay Hoffmann.  The Rublon app and its WordPress plug-in work perfectly for my purposes, easy to implement and very similar feel to the Google Authenticator process. It’s an additional security layer on top of your existing log in authentication, and with the Trusted Devices feature, you only need to set it up once in any given Web browser, and you can forget it… highly recommend.

Rublon — Invisible Two-Factor Authentication 
 

Categories
Blog

Apple ID Now Allows Two-Step Verification

Apple - My Apple ID
Apple – My Apple ID

Apple now offers optional two-step verification for Apple ID, the key to an Apple account, which controls iOS devices, iCloud, iTunes and Apple Support. Google already has two-step verification, and this feature goes a long way toward making online accounts stronger in the current “threat landscape,” as security experts say.  With the new Apple feature turned on, both a password and a four-digit verification code sent to an iOS device will be required to allow sign-in. All cloud storage services should follow suit. Read more:

Increase the security of your Apple ID with two-step verification

Apple ID: Frequently asked questions about two-step verification for Apple ID

Categories
Blog

Taking The Plunge With LastPass

Password Management

What with the “Cloud” coming and all… I’m going to finally give this a try. “All data is encrypted locally on your PC… automatically synchronizes your data – access it from anywhere at anytime.”  And so far, wow… extremely cool technology. And they’re local, too… fun!

LastPass – Password Manager, Form Filler, Password Management

“We’ve taken every step we can think of to ensure your security and privacy. Using an evolved host-proof hosted solution, LastPass employs localized, government-level encryption (256-bit AES implemented in C++ and JavaScript) and local one-way salted hashes to give you complete security with the go-anywhere convenience of syncing through the cloud. All encrypting and decrypting happens on your computer – no one at LastPass can ever access your sensitive data. LastPass’ Security Challenge also allows you to identify weak account data and provides suggestions for significantly improving your online security.”