LastPass, the cloud-based password manager, has been hacked. If you use LastPass, it's probably time for a precautionary master-password change. It might also be a good idea to check out the other options for securing your account.
Password managers: Necessary evil or horribly insecure single point of failure? Discuss.
In IT Blogwatch, bloggers mutter, "Oh, ****."
Your humble blogwatcher curated these bloggy bits for your entertainment.
Eric Ravenscraft reports:
Bad news first, folks. LastPass, our favorite password manager (and yours) has been hacked.
…
Your stored passwords [weren't] stolen, [but] the intruders did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. MORE
And Christopher Boyd adds:
On the off-chance you reused your LastPass master password on another site... you should alter all affected logins – password reuse is a major problem and not one to be taken lightly.
…
LastPass has a lot of additional security options in place and you should be making the most of them. MORE
LastPass CEO Joe Siegrist 'fesses up:
On Friday, our team discovered and blocked suspicious activity on our network.
…
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. MORE
So should we panic yet, Graham Cluley?
If you chose a weak master password, or if it isn't very long, then it might be possible for an attacker to crack it through brute force.
…
LastPass...is advising users to immediately change their master password. ... Furthermore, if you are not already doing so you really should enable multi-factor authentication on your LastPass account. [But] don't panic. The sky is not falling. MORE
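To make Siegrist's description of the hashing (client-side PBKDF2-SHA256 rounds, then 100,000 server-side rounds over a random per-user salt) and Cluley's point about short master passwords concrete, here is an added illustration in Python. It is not LastPass code and not from any of the quoted writers; the client-side round count, the use of the account email as the client-side salt, the salt length and the sample credentials are all assumptions constructed for the example. It shows how a stolen record (email, salt, authentication hash) is verified, why the stretching multiplies the cost of every guess, and why the size of the password space, not the stretching alone, decides whether a master password holds up.

```python
import hashlib
import hmac
import os

# Layered key stretching as described in the article. The server-side
# figure (100,000) is from the LastPass statement; the client-side figure
# and the email-as-salt choice are assumptions made for this example.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
SALT_BYTES = 32  # assumed size of the random per-user server salt


def client_auth_hash(master_password: str, email: str) -> bytes:
    """Client-side stretching: the server never sees the master password,
    only this derived authentication hash."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_hash(auth_hash: bytes, user_salt: bytes) -> bytes:
    """Server-side stretching over the received authentication hash, with a
    random salt that is unique to each user."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, user_salt, SERVER_ROUNDS)


def enroll(master_password: str, email: str) -> dict:
    """Create the server-side record: the three fields the article says were
    taken (email, per-user salt, authentication hash)."""
    salt = os.urandom(SALT_BYTES)
    return {
        "email": email,
        "salt": salt,
        "server_hash": server_hash(client_auth_hash(master_password, email), salt),
    }


def verify(record: dict, master_password: str) -> bool:
    """Login check. The constant-time compare avoids leaking how many bytes
    of the candidate hash matched."""
    candidate = server_hash(
        client_auth_hash(master_password, record["email"]), record["salt"]
    )
    return hmac.compare_digest(candidate, record["server_hash"])


def hmac_ops_per_guess() -> int:
    """Cost of testing one candidate master password against a stolen record:
    every guess has to repeat both stretching stages."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


def hmac_ops_to_exhaust(charset_size: int, length: int) -> int:
    """Total HMAC-SHA256 operations needed to try every password of a given
    length over a given alphabet. Each extra character multiplies this by
    the alphabet size, which is the lever the user controls."""
    return (charset_size ** length) * hmac_ops_per_guess()


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    rec = enroll("correct horse battery staple", "alice@example.com")
    print("correct password verifies:", verify(rec, "correct horse battery staple"))
    print("wrong password verifies:  ", verify(rec, "Password1"))
    print("HMAC ops per guess:", hmac_ops_per_guess())
    # 8 lowercase letters vs. 16 lowercase letters: same stretching,
    # the password space does the rest.
    print("ops to exhaust 8 lowercase:", hmac_ops_to_exhaust(26, 8))
    print("ops to exhaust 16 lowercase:", hmac_ops_to_exhaust(26, 16))
```

The design point worth noticing is that the per-user salt is stored next to the hash, so once the record is stolen the salt no longer hides anything; it only prevents one precomputed table from serving every user. What the stolen-record holder cannot skip is the 105,000 HMAC operations per guess, and what they cannot shrink is the number of guesses, which is why the advice in the quotes is a longer master password plus multi-factor authentication rather than reliance on the hashing alone.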
But things are running slowly, as JD Jansen explains:
The danger in a password manager stored centrally on a server is not just the central point of attack, but, as we’re seeing now, when everyone tries to change their password no one can change their password. MORE
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or itbw@richi.uk. Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.