Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 06-15-2015, 04:50 PM   #1
ah123
First Line Centre
 
Join Date: Oct 2001
Location: Here
LastPass hacked - change your master password

I know a bunch of people use LastPass as their password manager; LastPass was hacked, and even though LastPass , so this might interest you

Quote:
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
Quote:
An email is also being sent to all users regarding this security incident. We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.
Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.
https://blog.lastpass.com/2015/06/la...y-notice.html/
ah123 is online now   Reply With Quote
The Following User Says Thank You to ah123 For This Useful Post:
Old 06-15-2015, 06:18 PM   #2
Azure
Had an idea!
 
Join Date: Oct 2005

I don't store that many serious passwords on LastPass, but some people store bank passwords and other stuff. Crazy if these guys get hacked.
Azure is offline   Reply With Quote
Old 06-18-2015, 06:52 AM   #3
Flames89
First Line Centre
 
Join Date: Aug 2003
Location: Toronto, ON

Quote:
Originally Posted by Azure
I don't store that many serious passwords on LastPass, but some people store bank passwords and other stuff. Crazy if these guys get hacked.
I thought that was the whole point of it. You can have a different long password for each website that makes them extremely hard to guess/hack
Flames89 is offline   Reply With Quote
The Following 4 Users Say Thank You to Flames89 For This Useful Post:
Old 06-18-2015, 09:43 AM   #4
cral12
First Line Centre
 
Join Date: Jul 2009
Location: Calgary

^Exactly - was looking at purchasing one of these apps/services short time ago - now wondering if should even bother!
__________________
Founder: Upside Hockey & Trail Lynx; Upside on Bluesky & Instagram & Substack; Author of Raised by Rocks, Moved by Mountains
cral12 is offline   Reply With Quote
Old 06-18-2015, 12:09 PM   #5
OldDutch
#1 Goaltender
 
Join Date: Oct 2009
Location: North of the River, South of the Bluff

Quote:
Originally Posted by Flames89
I thought that was the whole point of it. You can have a different long password for each website that makes them extremely hard to guess/hack
It is the whole point. I have LastPass and I really like it. The passwords were not compromised, but emails and password hints were. That is pretty bad, but my hints are garbage, since if I forget my one password then I deserve to live with the hassle of recovering everything.

I give them Kudos for being so honest and emailing me before the news story broke. I didn't change my password but turned two step authentication on. Probably the best security you can ask for.
OldDutch is offline   Reply With Quote
The Following User Says Thank You to OldDutch For This Useful Post:
Old 06-18-2015, 12:23 PM   #6
Russic
Dances with Wolves
 
Join Date: Jun 2006
Location: Section 304

Agree completely with OldDutch. This is why I don't use password hints with my 1Password account. If I lose it, I just have to start over. I'd rather that than have any way for people to get in.

It's important to remember there isn't going to be a perfect system – you just have to go the route that you feel is best. Cral12 mentioned that this might be a reason to avoid these types of apps, and I get that. However, if the alternative is using 5 passwords over and over and over again, then I'd say even despite this problem the apps are a far better alternative.
Russic is offline   Reply With Quote
The Following User Says Thank You to Russic For This Useful Post:
Old 06-18-2015, 04:35 PM   #7
GoinAllTheWay
Franchise Player
 
Join Date: Apr 2003
Location: Not sure

LastPass is awesome. Use it for both home and work. Beats the crap out of having login credentials saved on an Excel sheet.

Love that you can customize randomly generated passwords. Can be as simple or complicated as you like.
GoinAllTheWay is offline   Reply With Quote
The Following User Says Thank You to GoinAllTheWay For This Useful Post:
Old 06-18-2015, 04:50 PM   #8
cral12
First Line Centre
 
Join Date: Jul 2009
Location: Calgary

Well, now that we're on the topic, what's the recommendation on:
lastpass versus 1password
__________________
Founder: Upside Hockey & Trail Lynx; Upside on Bluesky & Instagram & Substack; Author of Raised by Rocks, Moved by Mountains
cral12 is offline   Reply With Quote
Old 06-18-2015, 04:56 PM   #9
Inglewood Jack
#1 Goaltender
 
Join Date: Jan 2012

From what I've read, LastPass uses an extremely slow (aka 100,000+ iteration) hashing algorithm, meaning that even if they ever did get a hold of your vault, it would take decades to millennia to brute force even a single reasonably complex master password. The two exceptions to this would be if your master was something stupid like 123sex, or if the criminals have access to a working quantum supercomputer.

That combined with two factor, plus the new requirement of email verification when a new device is detected, means that you probably don't even have to worry about changing your master pass at all. Using LastPass is still magnitudes safer than most other password control methods in my mind.
Inglewood Jack is offline   Reply With Quote
The Following User Says Thank You to Inglewood Jack For This Useful Post:
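An added illustration of the slow-hashing point in post #9 and of the "per user salts" and "authentication hashes" named in the quoted notice; it is not part of the thread and not LastPass's code. It assumes PBKDF2-HMAC-SHA256 as a stand-in scheme, takes the 100,000 iteration figure from the post, and uses an assumed attacker hash rate and constructed salts to show how iterations and password length set the offline search time.

```python
import hashlib
import hmac

ITERATIONS = 100_000            # figure quoted in the post; assumed, not a confirmed setting
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_auth_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, deliberately slow hash of a master password (stand-in scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Login check; compare_digest avoids leaking a match position through timing."""
    return hmac.compare_digest(derive_auth_hash(password, salt, iterations), stored)


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(space: int, iterations: int, raw_hashes_per_sec: float) -> float:
    """Time to try every candidate offline against one salted hash.

    raw_hashes_per_sec is an assumed rate for a single un-iterated hash;
    each password guess costs roughly `iterations` of those.
    """
    guesses_per_sec = raw_hashes_per_sec / iterations
    return space / guesses_per_sec / SECONDS_PER_YEAR


# Constructed sample values, not data from the incident.
SALT_A = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")
RATE = 1e10                      # assumed raw hash rate per second
WEAK = search_space(36, 6)       # 6 chars, lowercase letters + digits
STRONG = search_space(94, 12)    # 12 chars, printable ASCII

if __name__ == "__main__":
    stored = derive_auth_hash("correct horse battery", SALT_A)
    print("login ok:", verify("correct horse battery", SALT_A, stored))
    print("same password, other salt, same hash:",
          stored == derive_auth_hash("correct horse battery", SALT_B))
    for name, space in (("weak", WEAK), ("strong", STRONG)):
        print(f"{name}: {years_to_exhaust(space, ITERATIONS, RATE):.3g} years")
```

Under these assumptions the short password is exhausted in hours even with 100,000 iterations, which is why the prompt to change a weak or reused master password still matters after a hash leak.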
Old 06-22-2015, 06:00 AM   #10
Flames89
First Line Centre
 
Join Date: Aug 2003
Location: Toronto, ON

I have 1Password and it made me a total believer. It is linked up with my phone and browser so getting my password to any site only requires either two mouse clicks or two thumb taps. And this is for long, complex passwords.
I think the one exception though is that you will likely need to remember two passwords. Your 1Password and then an equally original one for Dropbox (if you chose to sync via Dropbox). This means if you lose your phone and computer, etc., you can then get into your accounts.
Flames89 is offline   Reply With Quote
The Following User Says Thank You to Flames89 For This Useful Post: