LastPass Breach and an idea to help

prime
Community Member

LastPass had another breach, well, maybe. https://appleinsider.com/articles/21/12/28/lastpass-master-passwords-may-have-been-compromised

We get an email saying there is a new device logging in from 1Password, whenever we sign into a new device. How about taking that email a bit further with an “approve or deny” and when we click deny, it blocks that IP Address?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Kakkoister2
    Community Member

    That would be great, again though it just shows how rock solid the combination of the secret key and MP is in 1P. I for one, with that combo, don't really have a worry.

  • michaelwayne
    Community Member

    It would be good if the 1PW gave us a response to this situation also reported a couple of days ago.

    https://palant.info/2021/12/29/how-did-lastpass-master-passwords-get-compromised/

    A good overall clear positive informational reply to all users of 1PW would set 1PW at the top of customer service and consumer care.

  • michaelwayne
    Community Member

    It would be good if the 1PW gave us a response / view to this situation also reported a couple of days ago.

    https://palant.info/2021/12/29/how-did-lastpass-master-passwords-get-compromised/
    https://blog.lastpass.com/2021/12/unusual-attempted-login-activity-how-lastpass-protects-you/
    https://www.bleepingcomputer.com/news/security/lastpass-users-warned-their-master-passwords-are-compromised/

    A good overall clear positive informational reply to all users of 1PW would set 1PW at the top of customer service and consumer care.


  • XIII
    Community Member
    edited December 2021

    LastPass now claims that sending those mails was a bug and that there is no breach.

    On a high level LastPass and 1Password work the same: they don’t know/have your master password and encryption using that password protects the binary blob they do have. However, once an attacker gets your password it’s game over…

    PS: the Secret Key may have some value here?

  • XIII
    Community Member
    edited December 2021

    How about taking that email a bit further with an “approve or deny” and when we click deny, it blocks that IP Address?

    Quite similar to 2FA apps that require you to approve a login attempt by pushing an approve/deny button after getting a push notification.

    AgileBits has always stated that this offers no extra protection (for 1Password), so I doubt this is something that will be added?

  • Hi all,

    1Password isn't impacted by the recent credential stuffing attempt on LastPass. LastPass itself doesn't appear to have been compromised, and according to them, the security alerts that were sent out were accidental. With that being said, 1Password protects you against similar credential stuffing attacks in the form of the Secret Key. Your Secret Key is long, random, and unique, which ensures that guessing attacks won't work on a 1Password account: About your Secret Key

    Both your 1Password account password and your Secret Key are required in order to decrypt the data within your 1Password vault, and so an attacker without both, in full, would be unable to compromise your 1Password account. 1Password also offers optional two-factor authentication, which would protect you even if an attacker somehow acquires both your account password and your Secret Key at once.

    Ben

  • jmjm
    Community Member

    I think we all appreciate the extra security a 1P account gains with the Secret Key. That being said, it for sure would be worthwhile for the account holder to be informed that 'someone' has attempted to gain access to the account using the correct MP (even though the account has not been breached due to the lack of the SK).

  • [Deleted User]
    Community Member

    @jmjm 1Password has no way of knowing whether an attacker has the correct master password. Account access is granted to someone who has the correct master password and secret key. Neither are sent to the server and the two are combined on the client side as part of the secure remote password protocol. If the attempt fails then the server doesn't know whether the master password was wrong, the secret key or both. It only knows that someone has the email address you use to login to 1Password.
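The point made in the reply above (the server cannot tell which secret was wrong, because both are combined on the client before anything is sent) modeled as an added Python illustration. This is not 1Password's code: the real service uses the Secure Remote Password protocol, which this example replaces with a simplified HMAC challenge-response so it stays short; the key-mixing step, the verifier construction, and all account values (email, password, Secret Key format) are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for this illustration only.
ITERATIONS = 100_000


def derive_auth_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Client side: stretch the account password, then bind in the Secret Key.

    Both inputs are needed to reproduce the result; neither leaves the client.
    (Hypothetical mixing step, not 1Password's actual derivation.)
    """
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.new(secret_key.encode(), stretched, hashlib.sha256).digest()


def make_verifier(auth_key: bytes) -> bytes:
    """One-way value the server stores (a stand-in for an SRP verifier)."""
    return hashlib.sha256(b"verifier:" + auth_key).digest()


class Server:
    """Holds only a salt and verifier per account; never sees password or Secret Key."""

    def __init__(self):
        self.accounts = {}  # email -> (salt, verifier)
        self.log = []       # what an operator could see for each attempt

    def enrol(self, email: str, verifier: bytes, salt: bytes) -> None:
        self.accounts[email] = (salt, verifier)

    def challenge(self, email: str):
        """Return the account salt and a fresh nonce for this attempt."""
        salt, _ = self.accounts[email]
        return salt, secrets.token_bytes(16)

    def login(self, email: str, nonce: bytes, proof: bytes) -> bool:
        _, verifier = self.accounts[email]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, proof)
        # The only facts available here: which email, and pass/fail.
        # A wrong password and a wrong Secret Key produce the same record.
        self.log.append((email, "success" if ok else "auth-failed"))
        return ok


def client_prove(password: str, secret_key: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: rebuild the combined secret and answer the challenge."""
    auth_key = derive_auth_key(password, secret_key, salt)
    return hmac.new(make_verifier(auth_key), nonce, hashlib.sha256).digest()


def run_demo():
    """Enrol one account, then try three sign-ins; return outcomes and server log."""
    srv = Server()
    email = "alice@example.com"            # constructed
    password = "correct-horse-battery"     # constructed
    secret_key = "A3-EXAMPLE-SECRET-KEY"   # constructed; not 1Password's format
    salt = secrets.token_bytes(16)
    srv.enrol(email, make_verifier(derive_auth_key(password, secret_key, salt)), salt)

    attempts = {
        "right-pw-wrong-sk": (password, "A3-GUESSED-WRONG-KEY"),
        "wrong-pw-right-sk": ("hunter2", secret_key),
        "both-right": (password, secret_key),
    }
    results = {}
    for name, (pw, sk) in attempts.items():
        salt_from_server, nonce = srv.challenge(email)
        proof = client_prove(pw, sk, salt_from_server, nonce)
        results[name] = srv.login(email, nonce, proof)
    return results, srv.log


if __name__ == "__main__":
    outcomes, log = run_demo()
    for name, ok in outcomes.items():
        print(f"{name:20s} -> {'success' if ok else 'auth-failed'}")
    print("server log:", log)
```

The two failed attempts leave identical server-side records, which is why an alert of the form "someone tried your correct master password" cannot be generated by the service: from the server's view a leaked password without the Secret Key is indistinguishable from any other wrong guess.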

  • jmjm
    Community Member

    I kinda thought this @rootzero. I guess in essence the MP+Secret Key is 'just' a very long/complex password.

    And so unlike with the recent incident of LP, a 1P user might never be aware that one's MP is somehow "out and about" on the internet as the SK limits any potential damage.

  • warpspeed
    Community Member

    I'd like to see the option to enable reviewing/approving logins from new devices, via email and/or push to the mobile/desktop app.

  • @warpspeed we do indeed send email notifications when there's a sign-in from a new device. 👍

    In terms of approving new devices, does 2FA support alleviate some of the concern there?

    We of course want 1Password to be as secure as possible, and are happy as always to have your feedback on specific scenarios you might encounter.

  • warpspeed
    Community Member

    @PeterG_1P 2FA support can, and does to some degree. I'm aware that email notifications are sent, and they're great. But what would be nice is if there was an option for those emails to have Approve and Deny buttons. Along with an option to push something like that to an existing app on a mobile or desktop device. Similar to the way Apple do it with their MFA code. But... don't do the MFA code bit, just the approve or deny when valid credentials and key are supplied.

  • Thanks for the suggestion, @warpspeed. :)

    Ben

This discussion has been closed.