We’ve recommended the LastPass password manager for some time as a great way to use unique, complex passwords without having to remember each individual one.
Today, LastPass released a statement that:
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised. https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
We’ve been reporting on internet hacks for a while now (see Security in the new Internet), and this breach of LastPass is significant. But it doesn’t really change anything: every service gets hacked at some point. Even though LastPass was hacked, here’s a very important point if you use LastPass. I’m going to make this large print to make sure you get it:
Your passwords are still safe.
Yep, a hacker got into a LastPass server, but what they stole is the equivalent of the LastPass mailing list. True, they also got password reminders (which are relatively public anyway) and authentication hashes (which the server checks each time you enter your master password).
If your master password for LastPass is a simple dictionary word, you were already at high risk, and that risk has now gone up ever so slightly. If you use a strong password, this doesn’t affect you much.
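To show why the leaked per-user salts and authentication hashes matter only when the master password is weak, here is an added Python model of a salted, iterated authentication hash and of the offline guessing cost an attacker faces once they hold salt and hash. This is illustration code, not LastPass’s own; the iteration count, guessing rate and entropy figures are assumptions.

```python
import hashlib
import hmac
import os

# Assumed number of PBKDF2 rounds; the page does not state LastPass's parameters.
ITERATIONS = 100_000


def auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the server-side authentication hash from the master password and
    the per-user salt. Salt and hash are the values the statement says leaked."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def check_login(master_password: str, salt: bytes, stored_hash: bytes) -> bool:
    """What the server does on each login: recompute the hash and compare in constant time."""
    return hmac.compare_digest(auth_hash(master_password, salt), stored_hash)


def offline_search_seconds(password_bits: float, guesses_per_second: float) -> float:
    """Time to exhaust a password space of the given entropy when the attacker
    holds salt and hash and can test guesses offline, with no server rate limit."""
    return (2.0 ** password_bits) / guesses_per_second


def years(seconds: float) -> float:
    """Convert seconds to years for readable comparisons."""
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample: a random per-user salt as the server would store it.
    salt = os.urandom(16)
    stored = auth_hash("correct horse battery staple", salt)
    assert check_login("correct horse battery staple", salt, stored)
    assert not check_login("password", salt, stored)

    # Assumed guessing rate for 100k-round PBKDF2 on one GPU (illustrative only).
    rate = 10_000.0
    # One word from a 100k-word dictionary: roughly 17 bits of entropy.
    print(f"dictionary word: {offline_search_seconds(17, rate):.0f} s")
    # Four random Diceware-style words: about 51 bits.
    print(f"4 random words:  {years(offline_search_seconds(51, rate)):.0f} years")
    # 16 random printable characters: about 100 bits.
    print(f"16 random chars: {years(offline_search_seconds(100, rate)):.2e} years")
```

The same leaked salt and hash that let a dictionary word fall in seconds give an attacker nothing practical against a long random master password, which is the whole difference between the two cases above.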
Moral of the story: it’s a good idea to change your LastPass master password (make sure it’s long, complex and unique). We recommend you do that once a year anyway. But be glad that you only have to change one password, because everything else is still very safe.
Addendum: When the Heartbleed bug swept across the internet, we recommended you change basically every password on every website where you have an account, because most of the internet was affected by Heartbleed. Other times, we’ve recommended you change your password for a specific site and for any other websites where you used that same password, which is why you should use unique passwords for every account you have. LastPass makes using unique passwords on every site simple, which effectively sandboxes your accounts.
Regardless, it’s still a good idea to switch up all your passwords every year or so.