LastPass hacked: Time to change the last password you'll ever need to remember

LastPass data has been compromised. Although there's no need to panic, you should probably change your master password.


Password managers are the solution to the impossible challenge of remembering every unique password combination for every website you have an account for. They can also feel like you're "putting all your eggs in one basket." Today's LastPass security breach highlights what happens when hackers attempt to get into your password manager.

LastPass notified users today on its blog that unauthorized users gained access to: LastPass account email addresses, password reminders, server per user salts, and authentication hashes. They did not, however, find any evidence that encrypted user vault data was taken nor that user accounts were accessed.

So what does this mean? LastPass has obviously long been a target for hackers, since the service stores users' password combinations for a wide variety of sites. This latest breach could be reassuring to you or cause you to rethink your password storing strategy. LastPass says they're confident their encryption measures sufficiently protect the vast majority of users. If you're a LastPass user, your password vault data is encrypted and secured by your master password, which hackers did not get, and by two-factor authentication, if you have that turned one (which you should. Two-factor authentication prevents access to your account data if accessed from an unknown device).

In short, if you're using a long, strong password and have two-factor authentication, you're probably fine. These are the two main recommendations for using any password manager, whether the data is stored on a cloud service, as LastPass' data is, or locally, as is the case with KeePass.

If you have a weak master password and/or don't have two-factor authentication turned on, though, the time to strengthen your password manager account is now.

LastPass is emailing users to update their passwords if they're weak or if the password is reused on any other site. As a "just in case" precaution, you probably should change your master password anyway and make it as strong, complex, and random as possible.

Unfortunately, LastPass hasn't been able to send its email notices to all users fast enough. I found out about the breach through a Lifehacker post, not from the company directly, and that's disappointing coming from a company whose sole purpose is to protect our most important data (even knowing the hurdles companies face when mass emailing its entire userbase). 

I don't think the security issues this breach raises are confined to LastPass and other password managers that store user data in the cloud. All password managers--online and offline--have a single point of vulnerability, your master password (and, possibly, what you use for your second factor in the two-factor authentication security) As the breach shows, though, the more walls you have between your password data and outsiders, the better. In LastPass' case, your password data is assumed to be secure because it's encrypted with a (hopefully) strong master password, and two-factor authentication further locks it down.

TL;DR: Don't worry. But change your master password just in case. And make sure you have two-factor authentication turned on.

ITWorld DealPost: The best in tech deals and discounts.