
> You can check for a compromised password the same way you check if a password is valid, both without having stored the original password in plaintext. You have a list of known-compromised hashes and see if the hashed password is in that list.

That would require them to store password hashes unsalted and using the same hash function & number of rounds as the online dumps of compromised hashes. If that's what's going on, then that would be good reason to immediately abandon said program.

Password databases are supposed to be encrypted, so without the master password they also won't see the rest of the hashes in the db to see if they reused the master password. So no, they won't know which passwords are compromised unless there are some absolute design disasters going on.

> None based on my experience with the service. Each time you login from an unrecognized device or IP, you receive an email and have to confirm the login.

Ok, that is good to hear. Still, they shouldn't have any way to really know which passwords are compromised. I guess they could have blanket-rejected all logins from unknown IPs and made the claim above (putting some PR spin on it). That'd be quite meh.

> No. And they probably won't ever be able to. And probably neither will anyone else.

Then they should not make a statement saying so, because it is bullshit until proven otherwise. If they don't know how these passwords got compromised, they should say as much. But they've determined:

"LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services."

If that isn't bollocks, then I'm really curious how they determined anything. And if they actually didn't determine anything, then I really don't think they should post a statement like this.

> Well I can imagine a few things going on. Like that 60% reuse number in

> duh I was just connected through a VPN in Europe.

> I have seen people bullshitting here.

All plausible theories. If it were one or two people, I'd consider "user error" a very likely explanation for this (it wouldn't be the first time someone freaks out and it turns out to be nothing). But right now, 20+ different people on HN? To be fair, many of these are green (that's a bit suspicious but I'd totally understand wanting to protect identity when admitting your passwords may have been breached) but we also have quite a few old users.

I just have a really hard time believing such a number of pebcaks all of a sudden come in swarms and lie on HN about using a random password that was written down and never used anywhere else (or such). That would be unprecedented here. One or two, again I'd consider it, but this is too many for me. I think if people here reused their passwords, got it compromised, and were embarrassed about it, they probably wouldn't announce it at all or at least they wouldn't fabricate a lie. As much as I think there are dumb and embarrassed people out there, I just don't buy that everyone here is lying.

Also, reusing any random password is not at all the same as reusing your master password. I'm sure someone will reuse that too, but it's a quite different level. I reuse plenty of passwords for irritating services that mandate a login but which I don't care much for. I'd assume the frequency of reuse among technical users would be far less than 60%.

> As has been theorized elsewhere, it's very possible we're seeing early signs of the results of the log4j exploits.

That again sounds plausible, except for the cases of people who got theirs compromised even though they haven't used it in years. Who do you exploit to get the master password that was last typed in 2017?

Long running malware (including malicious extensions) on the users' PCs is also plausible but again I'd be a bit disappointed to learn that it's been going on for years and nobody noticed until now?

I'm also not betting on any one theory. I really hope we do get to the bottom of this though.



> That would require them to store password hashes unsalted and using the same hash function & number of rounds as the online dumps of compromised hashes.

Even if you don't have the precomputed hashes, you can still brute-force using a wordlist.

> Password databases are supposed to be encrypted, so without the master password they also won't see the rest of the hashes in the db to see if they reused the master password. So no, they won't know which passwords are compromised unless there are some absolute design disasters going on.

You don't need access to the database to pull this off, just a wordlist obtained from prior dumps/leaks.


True. And I guess that's the only way LastPass could be certain these passwords have been reused (assuming everything else works as they say). If they did that, then IMO it would be very nice of them to point out which dump(s) these passwords were found in.

I don't believe this happened though.
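The point argued across the two comments above (a salted, iterated hash cannot simply be looked up in an unsalted online dump, but a service can still audit it against a breach wordlist by re-deriving each candidate, without reading anything else in the vault) as an added example that is not part of the thread. The PBKDF2 parameters, the "dump" and the wordlist are constructed stand-ins, not anything LastPass uses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the demo; a real deployment picks its own.
ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a per-user salt plus an iterated PBKDF2-HMAC-SHA256 hash, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return {"salt": salt, "rounds": ROUNDS, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Normal login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["hash"])


# Constructed stand-in for an online dump of unsalted SHA-1 hashes (the usual shape of a leak).
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ["password123", "letmein", "qwerty"]}


def in_unsalted_dump(record: dict) -> bool:
    """The direct set lookup from the first comment: only works if the service stored
    the same unsalted hash the dump uses, which a salted record never matches."""
    return record["hash"].hex() in LEAKED_SHA1


# Constructed breach wordlist: plaintext candidates recovered from prior leaks.
BREACH_WORDLIST = ["password123", "letmein", "qwerty"]


def audit_against_wordlist(record: dict, wordlist: list) -> Optional[str]:
    """The second comment's route: re-derive the salted hash for every candidate.
    Cost is one full PBKDF2 derivation per candidate per user, which is why the
    round count matters; the rest of the encrypted vault is never touched."""
    for candidate in wordlist:
        if verify_password(record, candidate):
            return candidate
    return None
```

A service doing this could name the dump a hit came from, which is what the comment above asks LastPass to disclose.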
