What Happened ?
On June 15, 2015, LastPass published a blog post on their website. Many people, myself included, panicked, because they trust LastPass with the login details for their entire online life. To pick out a few key points from the post…
- Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault.
- You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.
Was My Email Address Stolen ?
Yes. 🙁
LastPass informed us that email addresses were stolen, so continue to be cautious about opening links that appear to be legitimate. Always visit the web site directly and do not click on links in emails unless you are 100% sure that the email is expected and legitimate. If you have even a tiny bit of doubt, visit the web site from your browser rather than from a link.
But How Was LastPass Hacked ?
It is important to remember that breaches of computer systems are now simply a part of life. Almost every week a new large data breach is reported. The reality is that some hackers do absolutely nothing but hack, and can dedicate themselves entirely to breaching a single system.
Some Hackers : Eat, sleep, hack.
Ultimately the response of a company and the full disclosure of what happened, what it means to consumers and what we need to do are the measure of a company.
A Hash Of Your Password
LastPass is a cloud service that stores password data, but, to give you access to that data, it also stores a representation of your master password. This representation is called a hash. It is important to note that it is not your password. A hash is produced by a “one-way function”, which means you can turn a password into a hash but not a hash back into a password. The fact that the hackers have a hash of your password from this breach means little, unless you used that same password on another online service and that service had the hash and the password stolen together; in that case the hackers know that wherever they find that hash, they should try that password. In the case of the LastPass breach the password itself was not stolen for one key reason… the password NEVER leaves your computer. LastPass only ever receives and stores the hash of your password.
How Can I Change The Hash ?
Just change your master password through LastPass; what the hackers have is then of no value to them. Bear in mind, though, that if you used that same password on other online services, you absolutely should go and change the password there too. Use LastPass to give each service its own unique and strong password. You should never use the same password on more than one online service.
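To make the two preceding sections concrete, here is an added example (written for this page, not LastPass's own code, and a simplified model rather than their real scheme or parameters) of a client that derives a vault key locally, uploads only a one-way hash of it, and a server that salts and stretches that hash again before storing it. Changing the master password re-registers the account with a fresh salt, so a hash stolen earlier no longer authenticates. The email address, passwords and round counts are constructed values.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration; not LastPass's real scheme or settings.
CLIENT_ROUNDS = 100_000
SERVER_ROUNDS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: the key that encrypts the vault blob. It is derived locally
    from the master password and is never sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def derive_auth_hash(master_password: str, email: str) -> bytes:
    """Client side: the 'representation of the password' that is uploaded.
    One more one-way step over the vault key, so neither the password nor
    the vault key can be recovered from it."""
    vault_key = derive_vault_key(master_password, email)
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class AuthServer:
    """Server side: keeps a per-user random salt and a further hash of the
    uploaded auth hash. A breach of this store yields only these two values."""

    def __init__(self) -> None:
        self.records = {}  # email -> (salt, stored_hash)

    def _stretch(self, auth_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)

    def register(self, email: str, auth_hash: bytes) -> None:
        salt = os.urandom(16)
        self.records[email] = (salt, self._stretch(auth_hash, salt))

    def verify(self, email: str, auth_hash: bytes) -> bool:
        if email not in self.records:
            return False
        salt, stored = self.records[email]
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._stretch(auth_hash, salt), stored)

    def change_password(self, email: str, old_auth_hash: bytes, new_auth_hash: bytes) -> bool:
        """Re-registers with a fresh salt, so the previously stored hash is useless."""
        if not self.verify(email, old_auth_hash):
            return False
        self.register(email, new_auth_hash)
        return True


def demo() -> dict:
    email = "user@example.com"                           # constructed
    old_password = "correct horse battery staple"        # constructed
    new_password = "a completely different passphrase"   # constructed

    server = AuthServer()
    old_hash = derive_auth_hash(old_password, email)
    server.register(email, old_hash)

    # Snapshot of what a breach of the server store would expose.
    stolen_salt, stolen_hash = server.records[email]

    results = {
        "login_ok": server.verify(email, old_hash),
        "wrong_password_rejected": not server.verify(email, derive_auth_hash("wrong", email)),
        # The stolen value is neither the uploaded hash nor the local vault key.
        "stolen_is_not_uploaded_hash": stolen_hash != old_hash,
        "stolen_is_not_vault_key": stolen_hash != derive_vault_key(old_password, email),
    }

    new_hash = derive_auth_hash(new_password, email)
    results["change_ok"] = server.change_password(email, old_hash, new_hash)
    # Replaying the hash from the stolen era no longer authenticates; the new one does.
    results["old_hash_rejected_after_change"] = not server.verify(email, old_hash)
    results["new_hash_accepted_after_change"] = server.verify(email, new_hash)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

Two things the model makes visible: the server never sees the vault key, only a hash derived from it, and once the password is changed the old stored hash matches nothing. The caveat is that salting and stretching only slow down offline guessing; they do not make a weak master password safe, which is why the page keeps insisting on a strong one.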
Does Having Multifactor Enabled Help ?
ABSOLUTELY ! Even if hackers knew your password (which they don’t, see above), they almost certainly do not have the phone or other device that you set up your multifactor authentication on.
Side Note On Multifactor Authenticators
I would recommend that, after you have changed your password to something very strong (and very different), you disable and re-enable your multifactor authentication. This creates new emergency recovery codes and invalidates any previous ones. There is absolutely no indication that recovery codes were compromised in any way, but you are effectively resetting all of your security so that whatever the hackers got is of absolutely no value to them.
I Do Not Have Multifactor Enabled
Go to https://helpdesk.lastpass.com/multifactor-authentication-options to learn more and enable it as soon as possible. Remember, though, that only a representation of your password was stolen, so you still need to change your password; enabling multifactor authentication will then make your account incredibly secure.
Is The Cloud A Safe Place To Store My Passwords ?
Well, in the case of LastPass they store only a hash of your master password and the encrypted blob of password data, which was created on your computer and uploaded for storage and synchronization across devices. So yes, in the case of LastPass, it is a very safe place to store your data, but only if you have a strong master password and have multifactor authentication enabled. LastPass are in the business of doing this right.
What Other Security Features Does LastPass Use That I Can Enable For Peace Of Mind ?
You can restrict where your account is allowed to log in from…
You can restrict access to LastPass data from specific devices…
Make sure the button shows the word “Disable”, which means that the feature is enabled and prevents devices other than those listed from accessing your LastPass data.
Your “Feeling Safe” Checklist
So, you should be very secure and be able to sleep easy, knowing LastPass has your incredibly important data safe if…
- You have enabled multifactor authentication
- You have allowed only the countries from which you know you will access your LastPass data
- You have changed your master password (to invalidate the stolen hash). Look here for advice on creating a strong master password
- You are blocking new mobile devices from accessing your LastPass data.
- Remember to temporarily disable this when you sign in from a new device. Re-enable it after you have checked the Enable box for that device
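The checklist above layers four independent controls (password, country allowlist, second factor, trusted-device list), and the final item describes the one moment the device block has to be lifted. The following added example, written for this page and not LastPass's own code, models that policy as a small evaluator, runs it over a few constructed audit lines to show which attempts get denied and why, and shows the enrolment step re-enabling the device block after a new device is trusted. The log format, device names and the country code XX are all constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of the account-level controls described on the page.


@dataclass
class AccountPolicy:
    allowed_countries: set
    trusted_devices: set
    block_new_devices: bool = True   # the toggle whose button should read "Disable"
    mfa_required: bool = True


@dataclass
class LoginAttempt:
    timestamp: str
    country: str
    device_id: str
    password_ok: bool
    mfa_ok: bool


def evaluate(policy: AccountPolicy, attempt: LoginAttempt) -> Tuple[bool, str]:
    """Apply the controls in order; any single failing layer denies the login,
    so a correct password alone is never enough."""
    if not attempt.password_ok:
        return False, "password rejected"
    if attempt.country not in policy.allowed_countries:
        return False, f"country {attempt.country} not on allowlist"
    if policy.mfa_required and not attempt.mfa_ok:
        return False, "second factor not satisfied"
    if policy.block_new_devices and attempt.device_id not in policy.trusted_devices:
        return False, f"device {attempt.device_id} not trusted"
    return True, "allowed"


def enroll_new_device(policy: AccountPolicy, attempt: LoginAttempt) -> bool:
    """The last checklist step: lift the device block only for the enrolment
    sign-in, trust the device if every other control passes, then re-enable
    the block whatever happened."""
    policy.block_new_devices = False
    try:
        ok, _ = evaluate(policy, attempt)
        if ok:
            policy.trusted_devices.add(attempt.device_id)
        return ok
    finally:
        policy.block_new_devices = True


def parse_log_line(line: str) -> LoginAttempt:
    """Parse one constructed audit line of the form
    '<timestamp> country=XX device=<id> password=ok|fail mfa=ok|fail'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LoginAttempt(ts, kv["country"], kv["device"],
                        kv["password"] == "ok", kv["mfa"] == "ok")


def audit(policy: AccountPolicy, lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, reason) for every denied attempt: the events worth alerting on."""
    denied = []
    for line in lines:
        attempt = parse_log_line(line)
        ok, reason = evaluate(policy, attempt)
        if not ok:
            denied.append((attempt.timestamp, reason))
    return denied


# Constructed sample: one legitimate login, then four attempts that each fail one layer.
SAMPLE_LOG = [
    "2015-06-16T08:01:00Z country=GB device=laptop-1 password=ok mfa=ok",
    "2015-06-16T08:05:13Z country=GB device=laptop-1 password=fail mfa=ok",
    "2015-06-16T09:40:02Z country=XX device=laptop-1 password=ok mfa=ok",
    "2015-06-16T09:41:50Z country=GB device=unknown-7 password=ok mfa=fail",
    "2015-06-16T09:42:31Z country=GB device=unknown-7 password=ok mfa=ok",
]


def make_policy() -> AccountPolicy:
    return AccountPolicy(allowed_countries={"GB"}, trusted_devices={"laptop-1"})


if __name__ == "__main__":
    for ts, reason in audit(make_policy(), SAMPLE_LOG):
        print(ts, "DENIED:", reason)
```

The last sample line is the interesting one: correct password, allowed country and a passing second factor, yet it is still refused because the device is unknown. That is exactly the state the page wants the account left in, with the block lifted only briefly through the enrolment path.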
Still Concerned ?
Get a full, deep, technical review of LastPass from a security expert (Steve Gibson) at http://twit.tv/show/security-now/256. Be sure to visit http://wiki.twit.tv/wiki/Security_Now_256 and look at the Is LastPass Secure ? section.