Lastpass customer data vaults stolen
Discussion
Hopefully everyone was using really strong master passwords:
https://www.bleepingcomputer.com/news/security/las...
https://www.bleepingcomputer.com/news/security/las...
I haven't used them for a number of years but if I was a normal individual I don't think I'd be too worried unless I'd gone to the trouble of using a password manager with a really crappy master password.
Might be worth trying your master password on https://haveibeenpwned.com/Passwords.
Thing is if you knee jerk and change to a different product there's little guarantee it won't be them next.
bhstewie said:
I haven't used them for a number of years but if I was a normal individual I don't think I'd be too worried unless I'd gone to the trouble of using a password manager with a really crappy master password.
Might be worth trying your master password on https://haveibeenpwned.com/Passwords.
Thing is if you knee jerk and change to a different product there's little guarantee it won't be them next.
I don't think feeding your Master Password into any website is a good idea.
I used to use it, so just went and changed my master password to a long random string generated by what I now use, bitwarden. I have something like 500 saved passwords so don’t fancy changing them all, although I will now do my most important ones ie banking, ebay, paypal, email accounts etc.
The hackers certainly know what they’re doing.
Mr Pointy said:
bhstewie said:
I haven't used them for a number of years but if I was a normal individual I don't think I'd be too worried unless I'd gone to the trouble of using a password manager with a really crappy master password.
Might be worth trying your master password on https://haveibeenpwned.com/Passwords.
Thing is if you knee jerk and change to a different product there's little guarantee it won't be them next.
I don't think feeding your Master Password into any website is a good idea.
Not really sure what to do about this. I'm confident in my master password and have 2FA for any financial log ins including my email but there are many without that. My main concern is that presumably whilst hackers don't have access to the passwords they do have access to username and email address, IP address etc... Increases the chances of phishing? But not sure how to limit that without changing to an entire new email address?
It's a judgement call but I don't think I'd consider haveibeenpwned any website and I also don't think anything bad is going to come of simply checking if your master password is in any known databases of hashes, but each to their own.
If anyone is concerned about this at the very least I'd change master password and change passwords on email and other services that literally give bad guys access to your life to strong unique passwords as well as enabling 2FA on them if it isn't already enabled.
CoolHands said:
I used to use it, so just went and changed my master password to a long random string generated by what I now use, bitwarden. I have something like 500 saved passwords so don’t fancy changing them all, although I will now do my most important ones ie banking, ebay, paypal, email accounts etc.
The hackers certainly know what they’re doing.
Long phrases apparently best as easy to remember and a long text string would take centuries to crack.
TX.
CoolHands said:
I used to use it, so just went and changed my master password to a long random string generated by what I now use, bitwarden. I have something like 500 saved passwords so don’t fancy changing them all, although I will now do my most important ones ie banking, ebay, paypal, email accounts etc.
Have I misunderstood what's happened? I read it that the Bad Guys have a snapshot of the password vaults, and can now run decryption algos at their leisure. If they crack your Lastpass master password as it was on the day the snapshot was taken, then they have access to all of your account passwords from the same day. So changing your master password now offers no defence against what's happened - you have to change all the individual account passwords?
Mr Pointy said:
bhstewie said:
I haven't used them for a number of years but if I was a normal individual I don't think I'd be too worried unless I'd gone to the trouble of using a password manager with a really crappy master password.
Might be worth trying your master password on https://haveibeenpwned.com/Passwords.
Thing is if you knee jerk and change to a different product there's little guarantee it won't be them next.
I don't think feeding your Master Password into any website is a good idea.
Apparently it's not an issue if you have a decent master password anyway, I quote:
LastPass said:
Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data.
However, this would be very difficult and time-consuming if you've been following password best practices recommended by LastPass.
If you do, "it would take millions of years to guess your master password using generally-available password-cracking technology,"
Newc said:
Have I misunderstood what's happened? I read it that the Bad Guys have a snapshot of the password vaults, and can now run decryption algos at their leisure. If they crack your Lastpass master password as it was on the day the snapshot was taken, then they have access to all of your account passwords from the same day.
So changing your master password now offers no defence against what's happened - you have to change all the individual account passwords?
Yes, that is correct.
Mr Pointy said:
I don't think feeding your Master Password into any website is a good idea.
I don't think feeding any of your passwords into random websites is a good idea. Talk about an easy way to collect a shortlist of passwords to try - ask people to just type them in over here "just to check"!
Haveibeenpwned isn't a random website, it's got access to a huge list of compromised passwords and is owned by the renowned security bod Troy Hunt https://en.m.wikipedia.org/wiki/Troy_Hunt
and it's a useful tool if you aren't very security savvy. I personally use Enpass for my password management, as only I have access to the DB.