    LastPass Hacked, Change Your Master Password Now

    News
    hacking security
    • ?
      A Former User
      last edited by

      Got to the settings page then got this. Pretty annoying as a paying premium member.

      password.PNG

      ? 1 Reply Last reply Reply Quote 2
      • ?
        A Former User
        last edited by

        Others are saying that Servers are busy has been happening since 11am or so this morning. No signs of actually being able to change passwords yet, still getting the message.

        1 Reply Last reply Reply Quote 0
        • NicN
          Nic @A Former User
          last edited by

          @thecreativeone91 said:

          How can they say the passwords for other sites were not taken? If they have the master passwords they have everything.

          Apparently the database where the master password hashes are stored was compromised, but not the database that stores all of your actual passwords that are used to log into sites. I'm assuming they are kept separate both for security reasons, and because the encryption on your site passwords has to be reversible whereas the master password they can just store a hash.

          1 Reply Last reply Reply Quote 2
          • ?
            A Former User @A Former User
            last edited by

            @thecreativeone91 said:

            Got to the settings page then got this. Pretty annoying as a paying premium member.

            password.PNG

            Still not working, but hey, they added graphics to it now.

            Capture.PNG

            1 Reply Last reply Reply Quote 0
            • gjacobseG
              gjacobse
              last edited by gjacobse

              Ouch - I've been considering using Password Card - if they are still around...

              Which they are....

              1 Reply Last reply Reply Quote 0
              • nadnerBN
                nadnerB
                last edited by

                Well, I'm changing my password. I even considered moving away from LastPass but I think that's a bit extreme.

                1 Reply Last reply Reply Quote 0
                • tonyshowoffT
                  tonyshowoff
                  last edited by

                  I didn't even know LastPass existed until reading this and so nothing of significance was lost... for me. I feel bad for anyone who does suffer because of whatever the issue here was. Being able to take a bunch of hashes really almost always is a result of an SQL injection, probably UNION SELECT to just pull down all of the password hashes. For god's sake escape your queries.

                  1 Reply Last reply Reply Quote 0
                  • NicN
                    Nic
                    last edited by

                    Everything I've read suggests that the encryption method LastPass uses means that even with the hashes and salts, brute forcing passwords would take a very long time, even with the weakest of passwords. As long as you change your password in the near future I'd say that you're safe.

                    1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller
                      last edited by

                      Yes, cracking a good password hash is very non-trivial. Assuming that they have access to the Amazon cloud fleet, I'm guessing this is still quite some time to crack.

                      1 Reply Last reply Reply Quote 0
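Added example (not part of any post in this thread, and not LastPass's code): a sketch of why salted, iterated hashes slow down brute forcing, the point made in the two posts above. PBKDF2-HMAC-SHA256, the iteration count and the attacker's raw hash rate are assumptions chosen for illustration, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000          # assumed work factor, not a figure from the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256, chosen for illustration)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def verify(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute and compare in constant time; the server never needs the plaintext."""
    return hmac.compare_digest(stretch(password, salt, iterations), stored)

def measured_seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Time one guess on this machine; every candidate costs this much, per salt."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        stretch(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples

def years_to_exhaust(keyspace: int, raw_hashes_per_second: float, iterations: int) -> float:
    """Worst-case time to try every candidate against ONE salted hash."""
    guesses_per_second = raw_hashes_per_second / iterations
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed sample data: two users who picked the same master password.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    hash_a, hash_b = stretch("correct horse", salt_a), stretch("correct horse", salt_b)
    print("same password, same hash?", hash_a == hash_b)   # per-user salts make them differ
    print("verify good / bad:", verify("correct horse", salt_a, hash_a),
          verify("wrong horse", salt_a, hash_a))
    print(f"measured cost per guess here: {measured_seconds_per_guess():.3f}s")
    raw_rate = 1e10           # assumed single-hash rate of the cracking hardware
    for label, keyspace in [("8 chars, a-z0-9", 36 ** 8), ("12 chars, a-z0-9", 36 ** 12)]:
        fast = years_to_exhaust(keyspace, raw_rate, 1)
        slow = years_to_exhaust(keyspace, raw_rate, ITERATIONS)
        print(f"{label}: single hash {fast:.2e} years, stretched {slow:.2e} years")
```

The stretching multiplies the cost of every guess by the iteration count, and the per-user salt means that work cannot be shared across accounts; password length still dominates the total.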
                      • DashrenderD
                        Dashrender
                        last edited by

                        I agree with Nick and Scott - while this is not good, it's definitely not as bad as it sounds... the bad thing - non technical people won't understand why and they'll just crucify LastPass instead.

                        If I mentioned this to my boss she would kill my desire to push out this service to our users.

                        AmbarishrhA C 2 Replies Last reply Reply Quote 0
                        • AmbarishrhA
                          Ambarishrh @Dashrender
                          last edited by

                          @Dashrender said:

                          I agree with Nick and Scott - while this is not good, it's definitely not as bad as it sounds... the bad thing - non technical people won't understand why and they'll just crucify LastPass instead.

                          If I mentioned this to my boss she would kill my desire to push out this service to our users.

                          Pushing last pass to users- is it as a suggestion to all users to manage their own pass or will it be used as a password manager for company use?

                          DashrenderD 1 Reply Last reply Reply Quote 0
                          • JaredBuschJ
                            JaredBusch
                            last edited by

                            Yeah, I was not even going to try and change passwords today. The last time this happened (2010 ??) the reset servers were completely overwhelmed.

                            1 Reply Last reply Reply Quote 0
                            • C
                              Carnival Boy @Dashrender
                              last edited by

                              @Dashrender said:

                              I agree with Nick and Scott - while this is not good, it's definitely not as bad as it sounds... the bad thing - non technical people won't understand why and they'll just crucify LastPass instead.

                              I'll include myself as non technical person here. It does further put me off hosted solutions. That's not the only reason I use on-premise (Keepass) as I didn't really like LastPass when I tried it anyway. I do store my Keepass databases in the cloud though, but that's a different risk.

                              DashrenderD 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @Ambarishrh
                                last edited by

                                @Ambarishrh said:

                                @Dashrender said:

                                I agree with Nick and Scott - while this is not good, it's definitely not as bad as it sounds... the bad thing - non technical people won't understand why and they'll just crucify LastPass instead.

                                If I mentioned this to my boss she would kill my desire to push out this service to our users.

                                Pushing last pass to users- is it as a suggestion to all users to manage their own pass or will it be used as a password manager for company use?

                                At this point it's a suggestion to users so they can manage their own passwords. A few have tried it so far, and like any password manager has quite a learning curve, it's going OK.

                                1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender @Carnival Boy
                                  last edited by

                                  @Carnival-Boy said:

                                  @Dashrender said:

                                  I agree with Nick and Scott - while this is not good, it's definitely not as bad as it sounds... the bad thing - non technical people won't understand why and they'll just crucify LastPass instead.

                                  I'll include myself as non technical person here. It does further put me off hosted solutions. That's not the only reason I use on-premise (Keepass) as I didn't really like LastPass when I tried it anyway. I do store my Keepass databases in the cloud though, but that's a different risk.

                                  The sad fact of the matter is that unless you completely unplug yourself, you just can't avoid hosted solutions. I say sad, and others will say, what makes it sad? Life has so many advantages today because of the hosted/integrated solutions - this is a conundrum I haven't reconciled yet.

                                  1 Reply Last reply Reply Quote 0