LastPass offered the convenient deal of guarding all of your user information and passwords in a neat, secure fashion. However, even the cloud-based password manager seems to have issues. Due to a LastPass security breach which occurred on Friday, users are now being urged to change their master passwords.
According to LastPass’s blog post, no encrypted vault data was retrieved by hackers and no LastPass user accounts had been accessed during the breach.
Despite this, some information (including password reminders, email addresses, server per-user salts and user authentication hashes) had been compromised.
Even though LastPass’s staff is confident that no sensitive information was compromised during Friday’s attack, the security breach itself is enough to scare users away. The password manager’s blog post insisted that its encryption measures were well suited to withstand such an attack.
“The vast majority of users” were protected, the blog post read, especially since authentication hashes are reinforced with 100,000 rounds of server-side PBKDF2-SHA256.
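To make the point behind that sentence concrete, here is an added illustration (not LastPass’s code; the exact client-side hashing scheme is not given on the page, so the client step below is a hypothetical stand-in) of what the leaked material amounts to: a per-user salt plus a verifier that costs 100,000 PBKDF2-SHA256 iterations per candidate password, which is what makes each offline guess expensive.

```python
import hashlib
import hmac
import time

# Constructed parameters mirroring the post: per-user salt, 100,000 rounds
# of server-side PBKDF2-SHA256 over the client-supplied authentication hash.
ROUNDS = 100_000
DIGEST_LEN = 32  # SHA-256 output size


def client_auth_hash(master_password: str, email: str) -> bytes:
    """Hypothetical client-side step (assumption, not LastPass's real scheme):
    the client sends a hash derived from the master password, not the
    password itself."""
    return hashlib.sha256((email.lower() + master_password).encode()).digest()


def make_verifier(auth_hash: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Server-side stretching: this is the value an attacker obtains from a
    database leak, alongside the per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds, DIGEST_LEN)


def verify(stored: bytes, salt: bytes, candidate_auth_hash: bytes) -> bool:
    """Constant-time comparison so verification timing leaks nothing."""
    return hmac.compare_digest(stored, make_verifier(candidate_auth_hash, salt))


def seconds_per_guess(rounds: int = ROUNDS, trials: int = 3) -> float:
    """Rough cost of one offline candidate check at the given round count.
    The per-user salt also means this cost is paid per user, not once."""
    start = time.perf_counter()
    for i in range(trials):
        make_verifier(b"constructed-candidate", b"constructed-salt-" + bytes([i]), rounds)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    # Constructed example user; salts are random per user in a real system.
    salt = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    stored = make_verifier(client_auth_hash("correct horse battery", "alice@example.com"), salt)
    print("verifier:", stored.hex())
    print("login ok:", verify(stored, salt, client_auth_hash("correct horse battery", "alice@example.com")))
    print("wrong pw:", verify(stored, salt, client_auth_hash("mustang", "alice@example.com")))
    slow, fast = seconds_per_guess(ROUNDS), seconds_per_guess(1)
    print(f"cost per guess: {slow:.4f}s at {ROUNDS} rounds vs {fast:.6f}s at 1 round")
```

The timing printout shows why the round count matters: a weak password such as mustang still falls to a dictionary, but every candidate costs the attacker the full stretching work, per user.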
“As an added precaution, we will also be prompting users to update their master password,” LastPass advised.
Users have already received notification emails informing them of Friday’s security breach and recommending that all change their master passwords. However, the blog post underlines that users SHOULD NOT modify their passwords until receiving the notification email.
Users will also have to verify any new devices via email or two-factor authentication.
Experienced attackers can, given time and determination, usually crack master passwords. The more complex the password, the harder it is for an attacker to crack that specific passphrase. Luckily, even in the case of weak passwords (dictionary-based choices such as annaroberts1, mustang or 1234567), LastPass insists that there is nothing to fear.
“We are confident that you are safe on your LastPass account regardless.”
The password manager does recommend changing the password, though.
Yet even though LastPass acted promptly when faced with the security breach, it disappointed many users who only heard about the breach via unrelated sources (such as Twitter, Reddit or Facebook). Official emails from LastPass came later on.
“I’m not annoyed that you got breached, I’m annoyed that as a paying customer, I found out about it via Facebook,” one LastPass user commented.
Of course, during the master password panic, many users experienced additional problems such as getting locked out of their corresponding accounts.