It’s not a major breach, but after LastPass “discovered and blocked suspicious activity” on their network last Friday, they’re requiring everyone to update their master passwords. Announced on their blog and in an email sent to users, LastPass says they found no evidence that users’ stored passwords were stolen, but they did find that user email addresses, authentication hashes, password reminders, and server-side per-user salts were “compromised.” LastPass said in a blog post:
“We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
To make sure attackers can’t use what they took to get into accounts, LastPass now requires every user logging in from a new device or IP address to verify the login by email. That applies to accounts that don’t already have multi-factor authentication enabled (you should enable it, and you can learn more about that here). Lastly, anyone using a weak, dictionary-based master password, or reusing their master password on other sites: don’t. Update it now.
[LastPass]
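To make the quoted scheme concrete, here is an added example (written for this page; it is not LastPass’s own code) that models the two-stage hashing described in the statement: a client-side PBKDF2-SHA256 of the master password, then a server-side PBKDF2-SHA256 over that value with a random per-user salt and 100,000 rounds, which is what the server stores. The client-side round count (5,000), the use of the normalised email address as the client-side salt, and the 16-byte server salt are assumptions for illustration, not figures from the article. The `offline_attack` function shows what an attacker holding the leaked email, salt and hash can actually do: guess master passwords at a cost of client plus server rounds per guess, which is cheap for a dictionary word and hopeless for a strong passphrase.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# SERVER_ROUNDS matches the 100,000 rounds in the LastPass statement.
# CLIENT_ROUNDS and the email-as-salt choice below are assumptions for this example.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
KEY_LEN = 32  # bytes of PBKDF2 output (SHA-256 digest size)


@dataclass(frozen=True)
class AuthRecord:
    """The server-side record: exactly the three fields the article says leaked."""
    email: str
    salt: bytes          # random per-user salt
    strengthened: bytes  # server-side PBKDF2 output


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side PBKDF2-SHA256. The salt must be reproducible on every login
    without asking the server, so the normalised email is used (assumption).
    This value, never the master password itself, is what the client sends."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, rounds, KEY_LEN)


def server_strengthen(auth_hash: bytes, per_user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side PBKDF2-SHA256 over the received auth hash with a random
    per-user salt. Only this output is stored."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, rounds, KEY_LEN)


def enroll(master_password: str, email: str) -> AuthRecord:
    """Create the stored record for a new user."""
    salt = secrets.token_bytes(16)  # 16-byte salt is an assumption for the example
    return AuthRecord(email, salt, server_strengthen(client_auth_hash(master_password, email), salt))


def verify(record: AuthRecord, master_password: str) -> bool:
    """Server-side login check. Constant-time comparison avoids leaking
    how many leading bytes of a guess matched."""
    candidate = server_strengthen(client_auth_hash(master_password, record.email), record.salt)
    return hmac.compare_digest(candidate, record.strengthened)


def offline_attack(record: AuthRecord, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """What an attacker holding a leaked record can do: guess master passwords.
    Each guess costs CLIENT_ROUNDS + SERVER_ROUNDS PBKDF2 rounds, and because
    the salt is per user the work cannot be shared across accounts."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if verify(record, guess):
            return guess, tried
    return None, tried


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    wordlist = ["123456", "password", "qwerty", "letmein", "password123", "dragon"]
    weak = enroll("password123", "alice@example.com")
    strong = enroll("correct horse battery staple 7!", "bob@example.com")
    print("weak account:", offline_attack(weak, wordlist))
    print("strong account:", offline_attack(strong, wordlist))
```

Two things the example makes visible. First, the leaked record is enough to mount an offline guessing attack, which is why the only real defence for a user is a master password that is not in any wordlist, and why LastPass added email verification for new devices: a recovered master password alone should no longer be enough to log in. Second, the strengthening happens on both sides, so even the value the client transmits is not the master password, and an attacker who recovers the stored hash still has to pay the full client and server round count for every guess.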
The Irony?
…what’s the opposite of wrinkly?
Brilliant!
Anyone stupid enough to use that deserves being hacked. Why would you use a cloud password manager?
So you don’t have to manually copy the info between all your devices.
This is the reason why I would never use a service like this. Now they only need to hack one site to have access to all your passwords.
They still need an authentication code though don’t they? Which means they need both my password and my phone. That seems pretty secure. The alternative (for me anyway as I value convenience almost as much as security) is to have a small number of weaker passwords, since I want to be able to remember them if they’re not going to be auto-filled.
It’s essentially a hash of a hash of a hash. Even if you manage to break into their servers and steal information, you would only have bits that are “theoretically” impossible to piece together.
No they don’t. They keep encrypted copies of your already encrypted passwords. Even if they did crack the lastpass database password, they’d still need your master password to see your data.
Second Last Pass. The Second Last Time You’ll Be Logging In.