
I Now Have A Password Cracker! WTF?

justme4now
10 years ago

Installed lastpass and Guess What?

Lastpass is 'Grabbing' other folks user names and passwords!

Every site that I have an account .. I have 'unknown' user names and passwords (to me) showing in the (Lastpass, auto-fill dropdown box)!?

Just for 'grins', I tried two of them (from the auto-fill login) on photobucket and .. they work!

This is on EVERY site that I have an account .. not just PB!

I am The Only One on this pc.

(Pretty cool for me .. 'Sucks' for them though)

Comments (21)

  • mikie_gw
    10 years ago

    Does it work here ?
    You have my permission to login with my name. If you see its password.

    But if you have it.. think of all the kids out there that probably know about that feature and how to activate it. Perhaps it's only sharing other Last Pass user logins.

  • LastPassSupport
    10 years ago

    When you installed LastPass it ran a system scan looking for insecure passwords stored on your hard drive and then displayed them to you and asked you which ones you want to import into your LastPass vault.

    I can say with confidence that the unknown passwords you speak of are from the import above. This typically occurs if you weren't the original owner of your computer or its hard drive, or, if you ever let anyone else use your computer.

    If you have confirmed that the passwords aren't yours, I recommend that you:
    1) Delete the entries from your vault
    2) If you know the original owners of the passwords, notify them that they should change their password and use a password manager like LastPass to avoid accidentally leaving their passwords on other people's computers in the future.

    Thanks,
    LastPass Support

  • justme4now
    Original Author
    10 years ago

    I have owned this pc from right out of the box.

    When I installed lastpass .. I was able to view every password on this pc.

    I KNOW that lastpass is grabbing other peoples accounts .. simply because .. I know what user names and/or passwords I use.
    (I have ONLY two passwords that I ever use .. ever)

    Just as an example .. Two of the photobucket accounts are accounts that I have never seen before!
    I have never seen or uploaded any of the photos in those accounts.

    I have no idea how to contact the users of these 'ghost' accounts other than take a stab in the dark and use the user names and try gmail?

    To be clear on one thing .. I can't actually read the passwords of each account .. they are *** out but the auto-fill login takes me into the account site.

    This pc was brand new and I have even replaced the HD since then with a Brand New one.

  • jane__ny
    10 years ago

    That's scary. I was thinking of getting Last Pass.

    So much for that idea!
    Jane

  • not2bright
    10 years ago

    I wish the LastPass rep. would return and continue this thread. This is certainly an important enough issue that it can't be addressed with a quick "drive-by" comment to the effect that "everything's fine," if justme4now's experience is otherwise. I use LP myself and hope this is not a glitch that could ever land my personal accounts, usernames and passwords in the lap(top) of some unscrupulous character willing to compromise what I thought was safe !!

  • justme4now
    Original Author
    10 years ago

    I use AVAST PRO and also have 'paid for' network monitoring services so my first thought is/was probably wrong?

    I was worried that some kind of 'key-logger' or intrusive cookie might be at work?

    I have done complete system scans .. as well as a boot scan with 0 results.
    Malwarebytes, same result.

    I have used all of the user names and sent them by gmail .. no answers.

    Lastpass seems to be adding users to photobucket every time I log in too!?

    (Haven't tried my bank)
    Afraid to! 8(

  • Elmer J Fudd
    10 years ago

    What's an "intrusive cookie" ?

    Being unfamiliar with lastpass, I took a quick look. It strikes me as something about as useful as a battery operated soup spoon. And it's a program that's had several security incidents (per Wikipedia), talk about starting with something simple and making it difficult.

    So many of the problems that pass through the doors here seem self-inflicted. There are precious few of these utilities and add-ons that many of y'all use that are worth a bucket of spit, why bother? AND, if one of these miscellaneous programs is causing you heartburn or a problem, DELETE IT!

    Password management? How about pen and paper? Or, one password protected text file where you list them? Or, using one password globally and changing it periodically?

    Realistically, everyone probably has fewer than a handful of sign-ons that really matter (financial ones). The rest don't really offer much risk.

  • JustDroppingBy
    10 years ago

    I am a long time LastPass user, so let me briefly explain how this program works. LastPass stores your email address, an AES-256 encrypted data file, and your authentication token on their servers. The encryption key for your data file never leaves your device, so LastPass has no knowledge of it. This encryption key is produced by hashing your password and email address with a user specified number (default is 5000) of PBKDF2-SHA256 iterations. PBKDF2 is simply a key derivation function designed to make password attacks more computationally expensive. The authentication token that LastPass stores is produced by another SHA-256 hash of your encryption key. SHA-256 hash functions are not reversible.

    Bottom line, if you are viewing LastPass data, it was encrypted using your password, email address, and the number of PBKDF2 iterations that you specified.

    If you choose to follow expert advice and use unique, randomly generated passwords, password managers are a must for those of us that are not memory savants.

  • not2bright
    10 years ago

    JustDroppingBy (too bad your username isn't JustHangingAround... sounds like your input would be a wonderful addition to the knowledgeable people who already help out here !),

    How would you explain justme4now's experience ? (Assuming it's not a late-May April Fool's joke.) ;-) If it really happened, it doesn't make me feel very safe, thinking that someone 'out there' could install LP and find my passwords in his/her vault ! What if the person isn't the most honest person on the block ? Why would hackers have to go to any bother if LP is going to (inadvertently) hand my/our passwords to someone ? :-O

    This post was edited by not2bright on Fri, May 24, 13 at 18:52

  • JustDroppingBy
    10 years ago

    Thank you for the warm welcome not2bright! The most plausible explanation is the one put forth by the LastPass team member - the entries in question were captured by the import procedure during installation. Another explanation would be that someone gained access to justme4now's computer while he/she was logged on to LastPass and generated those entries. All encryption/decryption is performed locally, so you have to be logged in to LastPass in order to add, change, or delete any data. Modifications to your data file are transmitted to LastPass via an encrypted connection. There is no chance that your data would be commingled with someone else's, nor is there any chance that someone could read your data without having access to your email and password.

    My recommendation for justme4now is to set LastPass to auto logoff after a few minutes of inactivity or when the browser is closed.

  • not2bright
    10 years ago

    Thanks for your further input ! Very reassuring. :-)

    This post was edited by not2bright on Fri, May 24, 13 at 18:54

  • spike07
    10 years ago

    Are you saying that you are seeing usernames and passwords to accounts that are not in any way yours - that are in fact accounts of unknown people (people you've never ever met or known in your life) via your lastpass software and are now able to log in to complete strangers' online accounts?

  • Pilm
    10 years ago

    Is it possible that the OP lets others use his/her PC, a family member, boy/girlfriend, etc? Or maybe leaves their PC sitting somewhere unattended, at work/school, etc? From what I'm hearing it sounds like the only way what they are reporting could be true is if someone has access to their PC, and they've already ruled out hacking (at least they think they have).

  • mikie_gw
    10 years ago

    Sounds like if I have a Last Pass account and visit a public computer that happens to have Last Pass or allows installs for the start up session .. I can login Last Pass and can walk away and later on or the next days have a whole bunch of other login/passwords on my last pass account.
    heh. Use anybody's computer that has last pass.. suddenly you have given them your login/pass info.

    This post was edited by mikie on Sun, May 26, 13 at 11:21

  • JustDroppingBy
    10 years ago

    Hi Mikie, your assumption is not correct. If someone has walked away from a public computer with LastPass logged in and you set down right behind them, you can access/add/delete/modify their data. Any changes you make to their data will be encrypted using a key derived from their password and email address. On the other hand, when you login LastPass using your email and password, LastPass retrieves data encrypted with a key derived from your login details. Simply put, you cannot access anyone's LastPass data without knowledge of their email address and password, unless you have gained access to their device while they are logged in.

    My recommendations:
    1. Get in the habit of logging out of LastPass when it is not in use.
    2. In case you forget to logoff, set your extension(s) to logout when your browser is closed and after a short period of browser inactivity. Set the website auto-logoff timeout to 5 minutes in your account settings.
    3. Always enable two-factor authentication.
    4. Assume the worst about public computers or any other computer that you do not have complete control over. Have a one time password or a set of one time passwords ready for use in case of emergencies.

  • DA_Mccoy
    10 years ago

    OK, somebody has to enlighten me. What is the benefit of having any software or service monitoring, servicing, or storing my passwords? I personally think the whole premise is nothing more than an expansion of a user's vulnerability.

    I have to ask this to develop an informed position:

    JustDroppingBy,

    Since you registered here since the origination of this thread do you have any affiliation with LastPass in any way, shape or form?

    DA

  • JustDroppingBy
    10 years ago

    I do want to correct one misstatement in my first post. Lastpass does not store your authentication token on their servers. They take your authentication token, combine it with 256 bits of random hex-hash salt created when you first set up your account, and then they hash that data and store it on their servers. When you authenticate, LastPass takes your authentication token, combines it with the random hex hash salt for your account, hashes it, and dynamically compares it to the hash they have stored. I apologize for the incorrect information.
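
The derivation chain JustDroppingBy describes across two posts (the first explanation and the later correction about the salted server-side hash), sketched as an added example that is not LastPass code and not part of any post in this thread. Using the email as the PBKDF2 salt, SHA-256 for the server-side hash, and all function names and sample credentials are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 5000  # default iteration count quoted in the thread


def derive_vault_key(email: str, master_password: str, iterations: int = ITERATIONS) -> bytes:
    """Client side: 256-bit vault key; assumption: the email is the PBKDF2 salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.encode(), iterations, dklen=32)


def auth_token(vault_key: bytes) -> bytes:
    """Client side: one more SHA-256 pass; only this value is sent to the server."""
    return hashlib.sha256(vault_key).digest()


def server_enroll(token: bytes) -> tuple[bytes, bytes]:
    """Server side: keep a random 256-bit salt and the salted hash, never the token."""
    salt = secrets.token_bytes(32)
    return salt, hashlib.sha256(salt + token).digest()


def server_verify(token: bytes, salt: bytes, stored: bytes) -> bool:
    """Server side: recompute the salted hash and compare in constant time."""
    return hmac.compare_digest(hashlib.sha256(salt + token).digest(), stored)


def login(email: str, password: str, salt: bytes, stored: bytes):
    """Return the vault key if the server accepts the derived token, else None."""
    key = derive_vault_key(email, password)
    return key if server_verify(auth_token(key), salt, stored) else None


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    alice = ("alice@example.com", "correct horse battery staple")
    salt, stored = server_enroll(auth_token(derive_vault_key(*alice)))
    print("right password accepted:", login(*alice, salt, stored) is not None)
    print("wrong password accepted:", login(alice[0], "guess", salt, stored) is not None)
    print("other account, same password, same key:",
          derive_vault_key("bob@example.com", alice[1]) == derive_vault_key(*alice))
```

The server record (salt plus salted hash) lets the service check a login without ever holding the vault key, and a different email or password yields a different key, which is the basis for the claim that one account's vault cannot be decrypted under another account's credentials.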

  • JustDroppingBy
    10 years ago

    Hi damccoy. I have no affiliation with LastPass whatsoever, and you are absolutely correct that password managers introduce an additional attack surface. The decision to use one depends on your password management philosophy. I use unique, randomly generated passwords exclusively because I perform password recovery at work, and I understand the power of GPGPU cracking, and the quality of today's "wordlists" and rules.

    Someone mentioned using a shared password account for non-critical accounts earlier, but I don't want to potentially leak information that could be used to compromise an important account. Security question answers and other personal data immediately come to mind.

    A very short list of password manager advantages:
    1. Quality password managers decrypt entries only as needed, and they clear your clipboard and re-encrypt these entries after a very short period of time.
    2. If you store password data in a file, all your data is exposed in virtual memory when you decrypt that file. This data could be written to swap, automatic backups, or exposed after a crash.
    3. LastPass provides offsite backup for your data automatically.
    4. Quality password managers offer one time passwords in case emergency access via someone else's computer is needed.
    5. Lastpass can be configured to not store your password data locally, and to require two-factor authentication. Under this scenario, if someone did acquire your email address and password, they wouldn't be able to access your data without your two-factor device.

  • justme4now
    Original Author
    10 years ago

    Been away and just had a chance to see all the new posts.

    There are two people who live in this home .. me and my Better Half.

    I am 62 years old and the Better Half is 72.

    We live alone .. never have company and each of us have our own pc.
    She knows my passwords (which there are only 2) and I know her 2 passwords.

    There is NO chance that anyone has had access to this pc.

    I now have 3 more 'new' log-ins (Photobucket) that shouldn't be there!?

    The accounts are real accounts because I can log-in to each and there are real pictures (which I've never seen) in those accounts.

    Out of personal decency and morality I have NOT tried or Will try the accounts for any other sites .. other than PB.

    JM

  • not2bright
    10 years ago

    I would think this matter is important enough to contact LP tech support directly in order to confirm once and for all that justme4now's experience is 1) exactly as he described and 2) fixed by the LP developers. No ?

  • JustDroppingBy
    10 years ago

    I empathize with your concern and frustration justme4now!

    If you chose to keep track of login and form fill history during installation and still have the LastPass extension installed, log back into it, open your LastPass vault, then click on the down arrow at the very top of your vault between the LastPass icon and your email address. Select History. Do you see any logins from strange IP addresses or any logins at strange times?

    Irrespective of the above results, I have no good news for you. The entries in question were absolutely generated using your login credentials, and those credentials are compromised.

    My opinion is based on the extensive scrutiny LastPass receives from independent security researchers and third party auditors. The LastPass code that controls hashing and encryption in the non-binary extensions has been viewable and testable by the public for the past 5 years. I'm certainly not saying that LastPass is 100% bullet proof and will remain so forever. I am saying that the most plausible explanation at this point is that someone has obtained your login credentials.

    I would strongly recommend using Better Half's computer to change all your passwords in the quickest time frame possible. You must use an extremely strong LastPass master password. I can point you to quality random string and random word generators if you wish. Please be sure to delete all vault entries that are not yours. If you notice any strange entries appearing after making these changes, you'll want to consider the possibility that your computer has been compromised. Locate a computer security expert(s) you trust and ask for advice on how to proceed.