
The LastPass security breach: What you need to know, do, and watch out for

Ian Paul | June 17, 2015
Online password manager LastPass is in lockdown mode after the company discovered unusual activity on its network late last week. That activity turned out to be hackers who got away with user email addresses, password reminders, per-user server salts, and authentication hashes, according to LastPass.

Change your master password

That said, LastPass will be asking all users to change their master passwords in the near future. I take that to mean we'll be notified via the LastPass mobile apps or browser extensions. We are confirming this with LastPass, but to reiterate, do not change your password by following a link contained in an email or instant message.

Also, if you've used your LastPass master password on any other site--you shouldn't do that, by the way--you should change it there as well.

Be careful with your password reminder

Security specialist Martin Vigo discussed the LastPass breach on his personal blog. (Ironically, Vigo is about to do a talk on hacking LastPass.)

Vigo advises you not to bother filling out your password reminder on LastPass. Let's say your password was MMxy80pyt. You probably thought it was smart to make your reminder, "My Mare's xylophone is 80 playing years today." Now, it doesn't sound like such a great idea with that sentence in the hands of the bad guys.

The problem is LastPass requires a password reminder. To skirt around the requirement without potentially giving too much info to would-be hackers, just enter something uninformative like "the password I entered just now." Then keep a real reminder (or the actual password) written down on paper and secured at home.

Finally, while it's sad to say, this probably won't be the last breach LastPass has to deal with. In fact, the company already dealt with a potential breach four years ago.

Thanks to all that personal data LastPass houses--including login details for banking sites, and in some cases even credit card data--the service is a prime target for hackers. However, thanks to LastPass' high level of salting and hashing and its pretty good transparency (at least so far), any user with a strong password and multi-factor authentication enabled should be able to ride out these occasional breaches without much worry.
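To make the "salting and hashing" point concrete, here is an added example (not LastPass's code, and not from this article) of how a service derives and verifies a per-user salted authentication hash. It assumes PBKDF2-HMAC-SHA256 with 100,000 iterations and a 16-byte random salt; those parameters are constructed for illustration, and the article does not state what LastPass actually uses. The example shows why two users with the same master password still end up with different stored hashes, and why a leaked salt and hash alone do not let an attacker log in without first recovering the password.

```python
import os
import hmac
import hashlib

# Assumed parameters for illustration only; the article does not give
# the real scheme or iteration count.
ITERATIONS = 100_000
SALT_BYTES = 16


def derive_auth_hash(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Slow, salted derivation of the authentication hash a server stores.

    A high iteration count makes each guess expensive, which is what lets a
    strong master password "ride out" a leak of the salt and hash.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations)


def create_user_record(email: str, master_password: str) -> dict:
    """Build the server-side record: email, random per-user salt, auth hash.

    Only the hash and salt are stored; the master password itself is not.
    """
    salt = os.urandom(SALT_BYTES)  # fresh salt per user
    return {
        "email": email,
        "salt": salt,
        "iterations": ITERATIONS,
        "auth_hash": derive_auth_hash(master_password, salt),
    }


def verify_login(record: dict, candidate_password: str) -> bool:
    """Re-derive the hash from the candidate password and compare it.

    hmac.compare_digest avoids leaking where the comparison failed via timing.
    """
    candidate = derive_auth_hash(
        candidate_password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def same_password_different_hashes(password: str) -> bool:
    """Show that per-user salts prevent one cracked hash from unlocking
    every account that happens to share the same password."""
    alice = create_user_record("alice@example.invalid", password)  # constructed
    bob = create_user_record("bob@example.invalid", password)      # constructed
    return alice["auth_hash"] != bob["auth_hash"]


if __name__ == "__main__":
    record = create_user_record("user@example.invalid", "MMxy80pyt")
    print("correct password accepted:", verify_login(record, "MMxy80pyt"))
    print("wrong password rejected:", not verify_login(record, "mmxy80pyt"))
    print("same password, different hashes:",
          same_password_different_hashes("MMxy80pyt"))
```

The record returned by `create_user_record` is exactly the kind of data the article says was taken: an email, a salt, and an authentication hash. Nothing in it reveals the password directly; its safety rests on the password being hard to guess and on the derivation being slow, which is why the advice to pick a strong master password and turn on multi-factor authentication matters.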

