The password storage company LastPass has issued a notice to users that they have detected some “suspicious activity” on their servers and are asking all LastPass users to change their master passwords and, ideally, enable two-step authentication. If you use LastPass you should have received an email with the details. Although they say that no vault data was compromised and no passwords were accessed, the attackers did make off with account email addresses, password reminders, per-user server salts, and authentication hashes.
We highly, highly recommend that you change your master password if you’re a LastPass user. I did myself as soon as I heard of the security breach.
LastPass is an amazingly helpful tool and enables users to have more varied and secure passwords. I was guilty of often using the same passwords because so many sites require login information nowadays. However, this is a security no-no. I started using LastPass about 6 months ago and it’s been an extremely helpful tool. I can use a different password for every site, and the cross-computer compatibility means that I can have those passwords on my laptop AND my desktop.
However, storing all your passwords in one spot seems to be a bit of a security hazard, doesn’t it? Although LastPass’s security standards appear to be well above and beyond the norm (the service uses a random per-user salt and 100,000 rounds of PBKDF2-SHA256 key stretching on the server end, a hashing scheme rather than encryption), it stands to reason that the service could be hacked at some point in time.
Krebs on Security wrote a very eloquent description of how LastPass’s security works and what the risks are. The thing about LastPass is that each user’s authentication hash is made unique by mixing a unique “salt” into it before hashing. Even if an attacker were to recover one user’s master password from its hash, that work tells them nothing about any other user, because every other hash was derived with a different salt. This makes going after a lot of passwords at once almost impossible.
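To make the salt argument concrete, here is an added example (not LastPass’s code, and not from Krebs’s write-up) that mirrors the scheme the post describes: a random per-user salt, 100,000 rounds of PBKDF2-HMAC-SHA256, and storage of only the salt and the resulting hash. The account names, passwords and the 16-byte salt length are constructed for the demo. It shows that two users who pick the same master password end up with different stored hashes, and that a hash derived under one user’s salt never matches another user’s record, which is exactly why a stolen table of salts and hashes has to be worked on one account at a time.

```python
import hashlib
import hmac
import os

# Constructed parameters matching what the post states LastPass used server-side:
# PBKDF2-SHA256 with a random per-user salt and 100,000 rounds.
ITERATIONS = 100_000
SALT_BYTES = 16   # assumption for the demo; the post does not state a salt length
KEY_BYTES = 32    # one SHA-256 output


def derive_auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Server-side key stretching: PBKDF2-HMAC-SHA256 over the master password and salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def register_user(store: dict, email: str, master_password: str) -> None:
    """Persist only the random salt and the derived hash, never the password itself."""
    salt = os.urandom(SALT_BYTES)
    store[email] = {"salt": salt, "hash": derive_auth_hash(master_password, salt)}


def verify_login(store: dict, email: str, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    record = store.get(email)
    if record is None:
        # Do the same amount of work for unknown accounts so response time
        # does not reveal which email addresses exist.
        derive_auth_hash(candidate, b"\x00" * SALT_BYTES)
        return False
    return hmac.compare_digest(record["hash"], derive_auth_hash(candidate, record["salt"]))


def build_demo_store() -> dict:
    """Constructed sample accounts; both deliberately chose the same master password."""
    store = {}
    register_user(store, "alice@example.com", "correct horse battery staple")
    register_user(store, "bob@example.com", "correct horse battery staple")
    return store


def same_password_different_hashes(store: dict) -> bool:
    """True when every stored hash is unique even though the passwords are identical."""
    hashes = [r["hash"] for r in store.values()]
    return len(set(hashes)) == len(hashes)


def cross_account_reuse_fails(store: dict, email_a: str, email_b: str, password: str) -> bool:
    """A hash derived under account A's salt does not match account B's stored hash,
    so a value computed for one account cannot be checked against all the others."""
    under_a = derive_auth_hash(password, store[email_a]["salt"])
    return under_a != store[email_b]["hash"]


if __name__ == "__main__":
    demo = build_demo_store()
    print("alice login ok:", verify_login(demo, "alice@example.com", "correct horse battery staple"))
    print("alice wrong pw:", verify_login(demo, "alice@example.com", "not my password"))
    print("distinct hashes for identical passwords:", same_password_different_hashes(demo))
    print("alice's derivation matches bob's record:",
          not cross_account_reuse_fails(demo, "alice@example.com", "bob@example.com",
                                        "correct horse battery staple"))
```

The design point is the one the post makes: the iteration count makes each single guess expensive, and the per-user salt means that expense cannot be shared across accounts. Changing your master password after a breach replaces the leaked hash with one derived from a new secret and a fresh salt, which is why the advice to rotate it is worth following.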
The main downside of this breach is that users’ password reminders were stolen, which means that if you have an obvious master password or an obvious password reminder, you may be at risk. This is why LastPass is encouraging users to change their master passwords or enable two-step authentication. Although password reminders are mostly useful for targeted attacks, the attackers also got email addresses, so it’s possible that they could set up unknowing or unsavvy users for a phishing attack.
The attack seems relatively minor for now, and you probably won’t have any trouble. But it’s a good reminder that you shouldn’t use obvious password reminders, and that you should change your master password on a regular basis. Also, don’t use an obvious password as your master password.