If you use LastPass to store your passwords, you probably got an email yesterday reporting that hackers stole some data from the LastPass servers. Here’s the official announcement.
There are many things to worry about in this world. This is not one of them. The bad guys don’t have your passwords.
Trust LastPass. Use it with confidence.
Securing your passwords is serious business. As a precaution, you should do four things.
(1) If you’re paranoid, change your LastPass master password. You do not have to change any other passwords.
(2) Do not forget your LastPass master password.
(3) You’re listening, right? Do not forget your LastPass master password.
(4) Be wary of messages in the next few weeks that appear to be from LastPass. The bad guys got email addresses and they may send messages trying to fool you.
If your master password is reasonably long and complex, you’re not really at risk.
If, however, your master password is simple, or if someone could guess it from your “master password reminder” at LastPass, then change your master password – log into www.lastpass.com and click on Account Settings on the left. That’s what LastPass and security experts recommend.
The design of LastPass continues to make it a safe place for your confidential information. It’s elegant once you get your head wrapped around it.
LastPass never has your master password in any form. Literally, there is no file on its servers that holds master passwords. The bad guys could storm the building and take control of the company and they still couldn’t get your master password.
LastPass never has your other passwords, either. All it ever knows about you is that you trust it with an encrypted blob of letters and numbers.
Here’s the simplified explanation.
• Open the LastPass program on your computer and it shows you your passwords.
• Close the program and your master password is used to encrypt your passwords, producing an encrypted blob of gibberish.
• The encrypted blob is the only thing that is sent to LastPass. It never gets your master password at all, and it never gets your passwords in any form that can be read. It gets gibberish.
• When the encrypted blob reaches LastPass, it is stored with everyone else’s encrypted blobs – but only after LastPass has done more, a lot more, to encrypt them further and lock them behind far more complex master passwords of its own. The bad guys did not get into those vaults.
• When you open LastPass on a different computer, the blob is synced to the other computer. The master password is then used to decrypt it on that computer – and voila! there are your passwords.
LastPass explains its architecture here, and there are some details about the additional encryption done at LastPass here. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.” Hash with salt, got it. Tell you what, let’s take it from security experts like Krebs On Security and the resident password expert at Ars Technica who agree that LastPass is an industry leader in protecting data and the hack has not exposed you to any significant amount of risk.
The bad guys got email addresses and password reminders, and some of the underlying cryptographic material. If they wanted to target your account out of all the LastPass accounts in the world, and if you had a simple master password, and if your master password reminder was something they could look up (“name of elementary school”), and if they worked on your blob and only your blob for a long, long time with powerful computers, they might be able to crack it. That’s not very much exposure.
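To make the sync story in the bullets above and the “hash with salt” quote concrete, here is an added Python example of the key-derivation chain the post describes: the client derives a vault key from the master password, sends the server only a further-derived authentication hash, and the server strengthens that hash with a random salt and 100,000 rounds of PBKDF2-SHA256 before storing it. This is illustrative code written for this page, not LastPass’s own code. The 100,000 server-side rounds come from the quote above; the client-side round count, the use of the e-mail address as the client salt, and the one-round construction of the authentication hash are assumptions made for the example. The last function shows why a leaked server record still costs an attacker the whole chain of iterations for every single master-password guess, which is the reason a long master password matters and a short one does not.

```python
"""
Illustrative key-derivation chain of the kind the post describes.
Not LastPass's code; client-side parameters are assumptions.
"""
import hashlib
import hmac
import os

# Assumed client-side iteration count (illustrative, not a published value).
CLIENT_ROUNDS = 5000
# Stated on the page: a random salt plus 100,000 rounds of server-side PBKDF2-SHA256.
SERVER_ROUNDS = 100_000
SALT_BYTES = 16


def derive_vault_key(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: derive the key that encrypts the vault blob.

    The (lower-cased) e-mail address serves as the salt, an assumption for
    this example. This key is used locally and is never sent to the server.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), email.lower().encode("utf-8"), rounds
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: derive the login credential from the vault key.

    One extra PBKDF2 round with the master password as salt (assumed
    construction), so what the server receives is not the vault key itself.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1)


def server_store(auth_hash: bytes) -> dict:
    """Server side: strengthen the received auth hash before storing it.

    A fresh random salt per account means two users with the same master
    password get different stored records, and the 100,000 rounds make every
    offline guess against a leaked record expensive.
    """
    salt = os.urandom(SALT_BYTES)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return {"salt": salt, "hash": stored, "rounds": SERVER_ROUNDS}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Server side: recompute the strengthened hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def iterations_per_guess(client_rounds: int = CLIENT_ROUNDS,
                         server_rounds: int = SERVER_ROUNDS) -> int:
    """PBKDF2 iterations someone holding only the leaked server record must spend
    to test one master-password guess: the client chain plus the server chain."""
    return client_rounds + 1 + server_rounds


def login_round_trip(master_password: str, email: str):
    """Run the whole chain once: enrol, then log in with the right and a wrong password.

    Returns (correct_accepted, wrong_rejected, server_record).
    """
    vault_key = derive_vault_key(master_password, email)
    record = server_store(derive_auth_hash(vault_key, master_password))

    good = derive_auth_hash(derive_vault_key(master_password, email), master_password)
    wrong_pw = master_password + "x"
    bad = derive_auth_hash(derive_vault_key(wrong_pw, email), wrong_pw)
    return server_verify(record, good), not server_verify(record, bad), record


if __name__ == "__main__":
    # Constructed sample account; not real credentials.
    accepted, rejected, rec = login_round_trip("correct horse battery staple", "alice@example.com")
    print("correct password accepted:", accepted)
    print("wrong password rejected:  ", rejected)
    print("server record holds salt + hash only:", rec["salt"].hex()[:8], rec["hash"].hex()[:8])
    print("PBKDF2 iterations per offline guess:", iterations_per_guess())
```

The server record never contains the vault key or anything from which it can be recovered without re-running the chain from a guessed master password, which is the property the post leans on; the per-account random salt also means a single precomputed table cannot be reused across accounts.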
All companies are vulnerable to hackers today – just ask Sony, or Target, or the federal government. LastPass deserves credit for its reaction. It has been proactive about disclosing the hack and notifying users, and it has put additional security into place. You may have to log in again or respond to an email to verify your account. Despite the news this week, LastPass continues to be the safest place to store passwords and confidential information.
Just make your master password nice and complicated, and don’t forget it, okay?
After reading the Lastpass web page/press release, it got a bit confusing with all the self-appointed experts making judgements in the comments section of their blog (and then other readers making counter-judgements on those judgements).
Your article was a lot more helpful.
I hope you can keep writing more articles that explain security breaches – I think you did this with Heartbleed a while back and I liked that as well.
When I saw the email from LastPass yesterday, I did panic – but then I thought “Just wait and don’t do anything yet – Bruce will have useful information about it tomorrow.” Thanks for always providing clear and timely information about the tech world issues that matter to me. I appreciate it.
Thanks! I was going to procrastinate but my lovely bride suggested gently that timeliness is a wonderful thing. She is wise, as always. Cheers!