Being a service that stores and organizes peoples passwords naturally makes you a high profile target for hackers. For the second time in four years LastPass has detected an intrusion into their network.
Currently there is no evidence of user’s password records or accounts being directly affected.
“The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,” the company said. “We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
Still the safe thing to do is to immediately change your LastPass master password. It is also a good idea to enable two factor authentication. Two factor authentication requires a user name, a password, and a one time use token to login. The token is typically generated by a special app on a smart phone, so logging in requires the possession of a physical device as well as the credentials. All critically sensitive data should be protected by two factor authentication. LastPass is compatible with several two factor services including Google Authenticator which is free to use. Instructions for setting up LastPass to work with two factor authentication can be found on their website.
I still believe the benefits of using a password manager, like LastPass, outweighs the risks of not using it. What happens when you don’t use a password manager most often is the reuse of passwords across multiple sites. Then if any of those sites are breached, and they will be, the hacker now has the password to get into all of your sites. I think that presents a far greater risk–and one harder to catch–than using products like LastPass.