LastPass has been hacked


DarkArts
23-12-2022, 10:28 PM
Another day, another hack ...

The hacker stole a large amount of personal information (https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/) including (encrypted) hashes of passwords. Brute forcing the hashes will be very resource intensive, especially if LastPass's implementation was good, but it's not impossible (https://www.ionos.com/digitalguide/server/security/rainbow-tables/).

So, if you were using LastPass as a password manager, it would be a good time to change your passwords:

AstroViking
24-12-2022, 10:01 AM
Rather than changing all your passwords, how about simply changing your LastPass 'Master Password'? That will re-encrypt your vault - so even if the bad guys do manage to find your old master password, it won't do them any good.

Or migrate to a new password manager. I moved from LP to BitWarden when LP killed multi-device support in their free offering.

Having said that, I am reminded of a very old saying: "If builders built buildings the way programmers write software, the first strong breeze would destroy civilisation."

DarkArts
24-12-2022, 01:59 PM
Because the hackers have the hashes of all the passwords.

iborg
24-12-2022, 03:11 PM
Hi All

For some people, using a password manager in a double mode is something to consider.

Have a look at the link here (https://www.allthingssecured.com/tips/password-security/double-blind-password-strategy/) if you are interested.

Philip

AstroViking
24-12-2022, 03:31 PM
Hmmm. I read the article as saying the bad guys got the hashes of the master passwords for every user's password vaults. Hence my previous post.

IF the bad guys got the contents of everyone's vaults as well, then yeah, it's a world of pain.