On Monday, June 15, LastPass officials warned that attackers have compromised servers that run the company's password management service and made off with some master passwords of users of the LastPass service.
You can read more detail about the attack here: http://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords and here: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
There's lots of jargon in those article about algorithms, encryption, hashes, anomalies, multifactor authentication, vault contents, SHA's and GPU's. Enough to make your head spin! Here's the bottom line: the passwords you store on LastPass were not compromised, nor are they likely to be. However, the "master" password you use to log into the LastPass site could have been taken and exposed to hackers. LastPass has taken steps to protect your account in case the hackers try to log into your account with that master password, but if you are like most and you use the same password at many sites, you could still be vulnerable.
If you have a LastPass account, here's what we recommend you do right away:
- Change your master LastPass password
- If you used that same master password at other web sites, change those sites as well
- There is no need to change your password at every web site you store in LastPass, unless the password was the same as your master password in LastPass. Changing the master password will change the encryption keys associated with your stored passwords so they can't be compromised even if the hacker had your original master password.
- Set up Multi-Factor Authentication for your LastPass account.
What's that last one? Multi-who?
Multi-Factor Authentication
Multi-Factor Authentication is a technology that requires more than one "factor" to access an account. We often call these factors, "something I know" and "something I have". Usually you know your password, unless of course you have forgotten it. So what do we mean when we say "something I have"? This is usually some sort of thing that must be used in combination with a password in order to authenticate using that password. There are many ways to do this. Sometimes it's a key fob that displays random numbers. Sometimes it's a smart card you insert into a reader. Sometimes it is a fingerprint device. With LastPass, the easiest thing to do is to use an authenticator app on your Smart Phone. Both Microsoft and Google have free authenticator apps that are supported in LastPass.
You can find some documentation on how to set this up here: https://helpdesk.lastpass.com/multifactor-authentication-options/. If you have trouble getting it working, give NDYNAMICS a call. In the meantime, go and change your LastPass master password ... NOW!
What If I Use A Different Cloud Password System?
As of today, we only know LastPass was compromised, but that doesn't mean other systems couldn't be. However, there's no reason to change your master password today if you use something else. But it's always a good idea to change your master password frequently and set up some sort of Multi-Factor Authentication if that system supports it.