LastPass Hacked, Change Your Master Password Now

mmntech

I always go by the mantra that nothing is unhackable. That said, as a LastPass user, it's a PITA.
 

KillerBee

Yea with so many public sites getting hacked including Lastpass again
I'm starting to agree with using a local password manager and forgo the convenience

https://twitter.com/kevinmitnick/status/610637696097124352

ofc the only downside is - there will be no major news story when my own machine is compromised
to let me know someone else may have my passwords
 

John Connor

I use PWD Hash for Mozilla variant browsers. It was developed by three people at Stanford. Much better!
 

smakme7757

Bit of a shame, but it's an online service. We all know this and yet we choose to use them. I thank Lastpass for letting us know what happened. Most companies wouldn't and most people take that as a sign they are bulletproof.

This is where 2nd factor really plays an important role.

However, all my truly private passwords, my offline encrypted backups and so on are stored in KeePass :)
 

John Connor

Hell, my most trusted passwords are AES encrypted and then stored in an image. LOL. My computers use TrueCrypt. I use no less than 5 malware scanners (throw in detekt for good measure), Sandboxie, NoScript, etc, etc. Because I know this computer should be air gapped.
 

PliotronX

I like the concept of PwdHash but what if a website is compromised and you need to change your p/w? Can PwdHash regenerate a new hash on the p/w?
 

John Connor

What I do is just add one digit to the password that you want changed. With one digit the whole password is different. So if you use 12345, just make the new password 123456 or 12345!, whatever. PayPal doesn't work with PWDhash for changing your password. I can log into PayPal with it though, but they must not like the F2 button. PITA, so I just use the pwdhash site and enter each digit by hand paying close attention to upper/lower case digits and zeros/O's.

Some sites may not like pwdhash, but they are rare. Sometimes you have to click in the box then press F2. Sometimes you have to enter your password then click outside the box to input it.

All in all it really is a good password generator. No keylogger will grab the password.

https://www.pwdhash.com/
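
The change-one-character approach from the post above, as an added example that is not part of the thread and is not PwdHash's own code. It assumes HMAC-SHA256 keyed with the master password as a stand-in for the real algorithm; the function names and sample domains are hypothetical.

```python
import base64
import hashlib
import hmac


def site_password(master: str, domain: str, length: int = 16) -> str:
    """Derive a per-site password from a master password and the site's domain.

    Assumption: HMAC-SHA256 keyed with the master password, base64-encoded and
    truncated. This illustrates the idea only; it is not PwdHash's algorithm.
    """
    mac = hmac.new(master.encode(), domain.lower().encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()[:length]


def differing_positions(a: str, b: str) -> int:
    """Count the character positions at which two equal-length strings differ."""
    return sum(x != y for x, y in zip(a, b))


def rotate(master_old: str, master_new: str, domain: str) -> dict:
    """Compare the site password before and after a small master-password change."""
    old = site_password(master_old, domain)
    new = site_password(master_new, domain)
    return {"old": old, "new": new, "changed": differing_positions(old, new)}


if __name__ == "__main__":
    # Constructed sample values: the master passwords from the post, placeholder domains.
    result = rotate("12345", "123456", "shop.example")
    print("before:", result["old"])
    print("after: ", result["new"])
    print("positions changed:", result["changed"], "of", len(result["old"]))

    # Same master typed on a look-alike domain: the real site's password is never produced.
    print("real site: ", site_password("12345", "shop.example"))
    print("look-alike:", site_password("12345", "shop-example.test"))
```

Because the derivation is deterministic, anyone holding one derived password can test guesses of the master offline, so the master itself still has to be strong.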
 

stockwiz

Your master password was not exposed; it was all encrypted information, so there's no issue. I'm not changing my 32 character ASCII password as I don't believe there is any security risk. They'd still need my backup page plus phone to access the 2 factor authentication and the attempt would be intercepted in the log... nothing so far. I do have backup 32 character QR codes/passwords ready if necessary but I'm not ready to deploy them.

I got a couple of cheap used codecorp 2D barcode scanners dirt cheap off ebay.. normally $300 new they are found widely for around $20 still perfectly functional. I just scan the QR codes in to log into lastpass at home. Only keep the QR codes in wallet/safe deposit box. If wallet stolen, new QR code deployed.. so far I've never lost my wallet... along with my keys and phone they are the 3 things in life I have conditioned myself to keep track of. :)

The beauty of lastpass is I can make all my passwords long and nonsensical and not have to remember them. The only passwords that are not at 99% or 100% strength are sites that limit what your password can be. There are certain financial sites that ironically do this. One limits the password to 8 characters. Of course everything is going 2 factor authentication now anyways.

What annoys me are corporate rules that specify you must change your password every 3 months. With the way I have it set up, that is completely unnecessary. With 2 factor authentication, doubly so. Luckily very few (actually zero I think) websites force this rule on you.. my workplace forces it.. I had some nice barcodes with random passwords set up but they changed the requirements to 12+ characters so I need to make new barcodes. Gonna just change the last character of the same password this time.
 

Binky

This hack caused me to enable the two-factor option on lastpass, but I still haven't changed my (very long) master password. I'll probably tweak it slightly soon.