Lastpass Was hacked!

I can't imagine anyone is surprised.

 

The scope of the application would logically make it an attractive target to hackers. Who'd have thought?

 

Reporter: "Sir, how was Lastpass hacked?"
Lastpass Preident: "Our mainframe password was '1234'."

 

"That's amazing! I've got the same combination on my luggage!"

 

This is at least the second time.

 

But this same password has never been hacked on any of my other sites I use it on.

 

I wondered if anyone would get that! Best movie Ever!

 

At least 1Password keeps your files local.

 

I still trust lastpass. That being said, I changed my master password yesterday just in case.

 

Apparently you're vulnerable if you use a relatively simple master password.

 

Mine was and still is very long and complex. It's over 20 characters with numbers, upper and lower case letters and symbols

 

I'm pretty good. Using 1P all my passwords are unique, I recently migrated from using 16 to 24 character passwords. What frustrates me sometimes is when websites have over restrictive password rules which don't allow you to use a very secure one.

 

Why anyone would use a password manager that stores all your passwords on their servers is beyond me.

 

I haven't changed my master password, but I did finally add multi-factor using Google Authenticator. I'd been meaning to do it and I was already using 2-factor on my other important accounts, but just hadn't gotten around to understanding Google Authenticator and 2-factor with LastPass. Here is one article, but the LastPass and Google help pages were what I used to walk me through it. http://www.zdnet.com/article/lastpa...ortance-of-using-multi-factor-authentication/

 

Exactly! If something happened to their servers (natural disaster, terrorist action, etc.), how do the affected folks obtain their passwords? This breach is a perfect example of why one should never allow their passwords to be controlled by a others. And, whether you want to believe it or not, if you passwords are stored on someone else's server, those passwords are not under your complete control. I find it better to use a password manager that keeps passwords local.

 

and if natural disaster or hardware failure affects the local machine? Really you can move risk around, change the category but you can't eliminate it. If you want the convenience of being able to use the same set of passwords on several devices then you have to put your passwords somewhere they can be shared, else they can't be kept up to date etc etc...and convenient security is the best kind, then it gets used. Having them strongly encrypted on a server makes better sense than plain-text locally IMHO but as they are having to warn users with weak passwords to change them clearly some have used a weak link, those individuals are likely to have weak links in whatever security mechanism they use.

Any data the hackers harvested is time-decaying, they know that, they won't spend 5yrs trying to crack all the encryption, they will spend a few hours cracking the weak master passwords, use/sell the resulting data and move on...they apply the 80:20 rule like anyone else.

 

To be fair the poster your quoted didn't say use a plain-text local file. They recommended a password manager which stored the files locally, and they would be encrypted.

 

This is a definite issue (picture your house burning to the ground with all your technology). I use 1P and periodically make a copy of the (encrypted) 1P database on a USB stick which I keep in a safe deposit box. Your password collection does NOT belong in The Cloud.

 

Ha ha ha ha ha! A password manager that stores your passwords online. Who'd have thought hackers would want access to it? This is why you use 1Password on all your machines instead. I've never been a LastPass user and I find this breach hilariously obvious, and will still never be a LastPass user. Passwords belong with you, not with a 3rd party. I might get flack from LastPass users for saying this, but it's still the unfortunate truth, as this breach has proven. And they've been hacked at least once before (link), with the exact same type of hack (leak of master password hashes). Sure, it's possible to use LastPass completely safely if you have a super strong master password, and I could do that, but why bother when there's the completely offline 1Password instead? And most regular people don't choose strong passwords, so I imagine a lot of people will have to change their LastPass details now.

Let's hope LastPass are telling the truth and that they "only" lost the hashes for your master password. In that case, the only way the hacker can log in and get your actual website passwords is if they first figure out your master password and then log in to LastPass' servers with it. Changing your password would be necessary to prevent them from logging in, because whoever grabbed the hashes is right now running a dictionary cracker against them. People with common passwords like "dog" and "bird" and "cow" and "password" and "12345" will be popping up in their results, and they'll be able to log in to the LastPass accounts of those people.

So do all of these things right now:
1. Change your LastPass master password immediately and make it very strong (Suggestion: Use the password haystacks method with your own custom padding: https://www.grc.com/haystack.htm, or the Diceware* password system). Of course, you don't need to change anything if your password was already unfeasible to crack.
2. Change the password on any website that used the same login email address and password as your LastPass login details in. Because you can be sure the hackers will be trying any discovered password and email combinations on sites like PayPal too. Oh, and in the future, don't use your LastPass master password on any other sites, if you were actually doing that...
3. If your LastPass master password was super weak (a basic dictionary word or two, or a very common password like "Password54321"), I would also take the precaution of assuming the hacker has logged in to my LastPass account already and would be changing the passwords on *all* sites stored in my LastPass account.

PS: Obligatory Diceware* xkcd comic:



You can measure your diceware password strength at the GRC password haystacks page too. Regardless of what system you use, you'll want a password with a cracking time that will outlast your lifetime.

To put that sentence into perspective: If you already had such an uncrackable password, it wouldn't matter if the hackers got both the master password hash and the actual password database. It wouldn't even matter if they were the NSA and had a thousand working quantum computers. Given a sufficiently powerful password (one with strengths of at least "trillions of centuries" at GRC's "massive cracking array scenario" strength indicator), no living person will ever be able to crack your master password to decrypt any passwords, and any future person would just find passwords to ancient, long-dead sites like Facebook. ;-)

 

I just keep a second backup that I refresh weekly in a fireproof safe I have in the house with other various 'important' things inside it (passports etc).