LastPass Password Locker Has Been Compromised – But Don’t Freak Out
The online password manager stores all of a person’s passwords in one location, creating a single point of failure. However, with this newly discovered breach, it seems unlikely that the hackers broke the bank, so to speak.
LastPass says there is “no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.”
LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
Forbes says the use of “per user salts” means an attacker would have to attempt to crack each encrypted master password individually. “Further, because a user’s password is hashed thousands of times before being sent to LastPass, and is again hashed 100,000 times before being stored, guesses can’t be done at significant speed,” LastPass spokesperson Erin Style told the magazine.
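The two-stage hashing described above can be sketched in a few lines. This is an added example, not LastPass code: PBKDF2-HMAC-SHA256, the 5,000 client-side rounds, the e-mail address as client-side salt and all function names are assumptions; only the 100,000 server-side rounds and the per-user salt come from the article.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000     # assumption: the article says only "thousands"
SERVER_ROUNDS = 100_000   # figure quoted in the article


def client_hash(email: str, master_password: str) -> bytes:
    """Stretch the master password on the device before it is sent.
    Assumption: the account e-mail serves as the client-side salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def enroll(email: str, master_password: str) -> dict:
    """Server side: pick a random per-user salt and stretch again before storing."""
    salt = os.urandom(16)
    auth_hash = hashlib.pbkdf2_hmac(
        "sha256", client_hash(email, master_password), salt, SERVER_ROUNDS
    )
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify(record: dict, submitted: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted, record["salt"], SERVER_ROUNDS)
    return hmac.compare_digest(candidate, record["auth_hash"])


if __name__ == "__main__":
    # Constructed sample accounts that happen to share one master password.
    password = "correct horse battery staple"
    alice = enroll("alice@example.test", password)
    bob = enroll("bob@example.test", password)
    # Different salts give different stored hashes, so work spent on one
    # account tells an attacker nothing about the other.
    print("same stored hash:", alice["auth_hash"] == bob["auth_hash"])
    print("alice logs in:", verify(alice, client_hash("alice@example.test", password)))
```

Every guess against a stolen record costs the full 105,000 rounds under these assumptions, and has to be repeated for each account because no two records share a salt.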
Company officials posted a notice, stating, “We are confident that our encryption measures are sufficient to protect the vast majority of users.”
CSO explains that this suggests, given enough time and processing power, it is possible the attackers could obtain your passwords. In reality, it’s more likely you’ll hit the lotto several times before the attackers are successful.
But the possibility is still there.
So, the recommendation is to change the master password on your LastPass account and set up two-factor authentication.