LastPass Users Should Change Their Master Password

Password manager LastPass suffered a data breach.  As far severity goes this is pretty minor, LastPass not only cryptographically encodes all their data they use a very slow hard to break form of cartography.  Still to be on the safe side change your password.

From ARS

LastPass officials warned Monday that attackers have compromised servers that run the company’s password management service and made off with cryptographically protected passwords and other sensitive user data. It was the second breach notification regarding the service in the past four years.

In all, the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses, LastPass CEO Joe Siegrist wrote in a blog post. It emphasized that there was no evidence the attackers were able to open cryptographically locked user vaults where plain-text passwords are stored. That’s because the master passwords that unlock those vaults were protected using an extremely slow hashing mechanism that requires large amounts of computing power to work.

“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Siegrist wrote. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”

By contrast, many sites have used extremely fast hashing algorithms that provide minimal protection. Despite the rigor of the LastPass hashing regimen, the job of cracking a single hash belonging to a specific, targeted individual would be considerably less difficult and potentially within the ability of determined attackers, especially if the underlying password is weak. To prevent such attacks, LastPass officials are requiring all users who log in from new devices or IP addresses to first verify their account by e-mail unless they have multifactor authentication enabled. As an added precaution, LastPass is also prompting users to update their master passwords. LastPass users who haven’t already done so should strongly consider enabling multifactor authentication.

Leave a Reply