Online password manager LastPass is in lockdown mode after the company discovered unusual activity on its network late last week. That activity turned out to be hackers who got away with user email addresses, password reminders, server per-user salts, and authentication hashes, according to LastPass.
The good news is it appears hackers didn’t get away with anyone’s encrypted password vaults. Still, it certainly sounds like a bad breach, but the consensus among security experts is that it could’ve been a lot worse.
First of all, LastPass is currently defending against potential account theft by requiring email verification—or multi-factor authentication if enabled—whenever a new login comes from an unknown device or new IP address. An attacker would need access to your email account or authenticator app on top of cracking your LastPass master password to get in.
Speaking of which, cracking that master code is going to take a long time unless your LastPass password is unbelievably weak, such as 1234LastPass or something similar. To crack your master password, hackers first have to get past your authentication hash—which includes 100,000 rounds of PBKDF2-SHA256 hashing—on the LastPass servers. Hashing uses an algorithm to convert one string of text into a longer string so that it is difficult to reverse engineer and discover what the original text was.
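To make the paragraph above concrete, here is an added example (not LastPass's own code; the real service also stretches the password client-side and its exact parameters are not on this page) that models only the server-side step the article describes: PBKDF2-SHA256 with 100,000 rounds over a random per-user salt. It shows why a stolen salt-plus-hash record is still expensive to attack: every guess costs the full 100,000 rounds, two users with the same password get different hashes, and a weak password such as the article's `1234LastPass` falls to a tiny wordlist while a long passphrase does not. The wordlist and the "strong" password are constructed for the demo.

```python
"""Added example: salted, iterated authentication hashing (PBKDF2-SHA256)."""
import hashlib
import hmac
import os
import time

SERVER_ROUNDS = 100_000   # round count quoted in the article
HASH_LEN = 32             # one SHA-256 digest


def derive_auth_hash(master_password: str, per_user_salt: bytes,
                     rounds: int = SERVER_ROUNDS) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256 under the user's salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               per_user_salt, rounds, HASH_LEN)


def make_record(master_password: str, rounds: int = SERVER_ROUNDS) -> dict:
    """What the server stores: a random per-user salt, the round count and the hash.

    The master password itself is never stored, which is what limits the damage
    when a record like this is stolen."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": rounds,
            "hash": derive_auth_hash(master_password, salt, rounds)}


def verify(record: dict, candidate: str) -> bool:
    """Login check: recompute the hash and compare in constant time."""
    expected = derive_auth_hash(candidate, record["salt"], record["rounds"])
    return hmac.compare_digest(record["hash"], expected)


def seconds_per_guess(record: dict) -> float:
    """Cost an attacker pays for each guess against one stolen record."""
    start = time.perf_counter()
    derive_auth_hash("timing probe", record["salt"], record["rounds"])
    return time.perf_counter() - start


def offline_guess(record: dict, wordlist: list) -> tuple:
    """Model an attacker holding a stolen record: try each candidate in turn.

    Returns (matched password or None, number of full derivations performed)."""
    work = 0
    for candidate in wordlist:
        work += 1
        if verify(record, candidate):
            return candidate, work
    return None, work


# Constructed demo wordlist (not real leaked data); includes the article's weak example.
DEMO_WORDLIST = ["password", "lastpass", "1234LastPass", "letmein", "qwerty123"]


def demo() -> dict:
    weak = make_record("1234LastPass")                         # article's weak example
    strong = make_record("correct-horse-battery-staple-9x!Q")  # constructed passphrase
    same_pw_a = make_record("hunter2")                         # two users, same password
    same_pw_b = make_record("hunter2")
    found_weak, _ = offline_guess(weak, DEMO_WORDLIST)
    found_strong, work_strong = offline_guess(strong, DEMO_WORDLIST)
    return {
        "login_ok": verify(weak, "1234LastPass"),
        "login_wrong": verify(weak, "1234lastpass"),
        "salt_defeats_shared_precomputation": same_pw_a["hash"] != same_pw_b["hash"],
        "weak_cracked": found_weak,
        "strong_cracked": found_strong,
        "guesses_tried_for_strong": work_strong,
        "seconds_per_guess": seconds_per_guess(weak),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `seconds_per_guess` figure is the point: multiply it by the size of whatever wordlist or keyspace an attacker would have to cover, and a long, unique master password pushes the total well beyond what is practical, while the random salt means that work cannot be shared across users or precomputed before the breach.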
One security expert told Ars Technica that he’s so confident in LastPass’ hashing that he doesn’t even feel compelled to change his master password.
That said, LastPass is nothing if not prudent, and the company will soon prompt all users to change their master password.
So what’s a LastPass user to do? Is it time to give up on this popular password manager and switch to something else? As a paying user of LastPass I’m not taking that drastic step, but here are a few things you should do.
Enable multi-factor authentication
This is the most important step you can take if you haven’t already. Even if the worst happens and hackers get your master password, they’ll still need the authentication code to access your account if you have two-factor authentication enabled. Multi-factor authentication isn’t important just for LastPass—you should be using it on any site that offers it, including social networks, email accounts, and so on.
Beware of the phish
With hackers in possession of the email addresses of LastPass users, at least some of us are likely to see phishing attacks. This is when attackers send a phony email dressed up like an authentic message from LastPass. The difference is this email will ask you to click a link and change your master password—something you should never do.
Never, ever click on a link in an email asking you to change your password. Chances are that link will take you to a fraudulent version of the LastPass site that exists solely to steal your login credentials.
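The advice above is "don't click", and the reason is that a phishing link is hard to judge by eye. The following added example (not from the article or LastPass) shows how a mail filter or a careful user would classify such links: it relies on the parsed hostname rather than on whether the text "lastpass.com" appears somewhere in the URL. It assumes `lastpass.com` is the legitimate domain (the only one the article names); every other host is a constructed placeholder under `.example`.

```python
"""Added example: classify links from a suspicious email by the host actually contacted."""
from urllib.parse import urlsplit

# Assumption: the legitimate site is lastpass.com; subdomains of it are accepted.
TRUSTED_DOMAINS = {"lastpass.com"}


def contacted_host(url: str) -> str:
    """Return the host a browser would connect to for this URL.

    urlsplit() strips credentials ('user@') and the port, so a URL like
    https://lastpass.com@evil.example resolves to evil.example here, exactly as
    it would in the browser."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify_link(url: str) -> str:
    """Return 'ok' or a short reason the link should be treated as suspicious."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "suspicious: not https"
    host = contacted_host(url)
    if not host:
        return "suspicious: no host"
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    return "ok" if trusted else f"suspicious: host is {host}"


def is_trusted_link(url: str) -> bool:
    return classify_link(url) == "ok"


def triage(urls) -> dict:
    """Map each link to its classification, for a whole message at once."""
    return {u: classify_link(u) for u in urls}


# Constructed sample links as they might appear in a phishing mail.
SAMPLE_LINKS = [
    "https://lastpass.com/",
    "https://LastPass.com:443/account",
    "http://lastpass.com/reset",                 # plaintext downgrade
    "https://lastpass.com.evil.example/reset",   # trusted name as a subdomain
    "https://lastpass.com@evil.example/reset",   # trusted name in the userinfo part
    "https://lastpass-security.example/reset",   # lookalike domain
    "https://evil.example/lastpass.com/reset",   # trusted name only in the path
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:40} {link}")
```

Note that only the first two sample links pass: all the others contain the string `lastpass.com` somewhere, which is why a substring check or a glance at the address is not enough, and why the article's rule of never following a password-change link from an email is the simpler protection.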
Change your master password
That said, LastPass will be asking all users to change their master passwords in the near future. I take that to mean we’ll be notified via the LastPass mobile apps or browser extensions. We are confirming this with LastPass, but to reiterate, do not change your password by following a link contained in an email or instant message.
UPDATE: A LastPass spokesperson confirmed that the master password change alerts will happen via the browser extensions and mobile apps over the next few weeks.
Also, if you’ve used your LastPass master password on any other site—you shouldn't do that, by the way—you should change it there as well.
Be careful with your password reminder
Security specialist Martin Vigo discussed the LastPass breach on his personal blog. (Ironically, Vigo is about to do a talk on hacking LastPass.)
Vigo advises you not to bother filling out your password reminder on LastPass. Let’s say your password was MMxy80pyt. You probably thought it was smart to make your reminder, “My Mare’s xylophone is 80 playing years today.” Now, it doesn’t sound like such a great idea with that sentence in the hands of the bad guys.
The problem is LastPass requires a password reminder. To skirt around the requirement without potentially giving too much info to would-be hackers, just add something like “the password I entered just now” or something similar. Then keep a real reminder (or the actual password) written down on paper and secured at home.
Finally, while it’s sad to say, this probably won’t be the last breach LastPass has to deal with. In fact, the company already dealt with a potential breach four years ago.
Thanks to all that personal data LastPass houses—including login details for banking sites, and in some cases even credit card data—the service is a prime target for hackers. However, thanks to LastPass’ high level of salting and hashing and its pretty good transparency (at least so far), any user with a strong password and multi-factor authentication enabled should be able to ride out these occasional breaches without much worry.