Today LastPass, a popular password manager company, announced that account email addresses, password reminders, and what are called "server per user salts" and "hashes" were compromised. Salts and hashes relate to the underlying authentication and encryption technique LastPass uses to verify passwords without actually storing them.
Translation: Master passwords and actual passwords were not stolen, but some information was.
What it means for you: With this information, attackers could theoretically, eventually, break into specific accounts if they work hard enough at guessing master passwords.
What should you do?
1. Change your master password immediately. This is especially true if it is a "dictionary-based" one (e.g., robert1, mustang, password1!) or if you've used that master password on other websites.
The LastPass CEO says, "We are confident that our encryption measures are sufficient to protect the vast majority of users." But they're also taking extra steps to make sure all is well. They're resetting master passwords, and they will also require users who attempt to use their accounts from a new device or IP address to verify their account over email first.
A cryptography expert suggests using a password that is as long and as random as possible, to best protect your “password vault.”
2. It's also a good time to enable two-factor authentication if you haven't done so. Two-factor authentication is much stronger than a single password. It works by asking you for something you know, like a password, and then something you have, like a code generated on your phone. (LifeHacker says, "Think of it like entering a PIN number, and then getting a retina scan, like you see in every spy movie ever made.")
LastPass uses Google Authenticator and you can find instructions for setting that up here.
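As an added illustration, not code from the original article or from LastPass, here is how the time-based one-time codes that Google Authenticator produces are generated and checked (RFC 6238 TOTP over RFC 4226 HOTP). The secret and timestamps below are the RFC 6238 test vector, not a real account's; the one-step verification window is an assumption about how a server would tolerate clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890" as ASCII), base32-encoded the way
# Google Authenticator shares it. Constructed test data, not a real credential.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, for_time=None, step=30, digits=6):
    """Return the TOTP code for a base32 secret at the given Unix time."""
    # Base32 decoding requires padding to a multiple of 8 characters.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    now = time.time() if for_time is None else for_time
    counter = int(now // step)                      # 30-second time step
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits) # keep leading zeros


def verify_totp(secret_b32, submitted, now=None, window=1, step=30):
    """Server-side check: accept the current code or one step either side (assumed
    drift tolerance), comparing in constant time so timing does not leak digits."""
    now = time.time() if now is None else now
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step=step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Prints 287082, the RFC 6238 vector for T=59 truncated to 6 digits.
    print(totp(RFC_TEST_SECRET_B32, for_time=59))
```

A real server would additionally reject a code that has already been accepted in the current step, so a captured code cannot be replayed.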
Given the hack, should you ditch password managers altogether? F-Secure's Micke says you shouldn't.
“Yes, you should keep using a password manager. Don’t let this incident scare you. It enables you to use stronger passwords on every service, and still be on top of it. A password manager does increase your security. But it is a component that you need to select carefully to ensure it doesn’t become the weakest link.”