1492
Jun 17, 2015 Moderator
LastPass Hacked! Change Master Password Now!
And enable the recommended two-factor authentication immediately. See article Hack of cloud-based LastPass exposes hashed master passwords.
I received the notification email this evening, though only have a test account with LastPass, and do not use it to store any of my personal passwords. In fact, I will not store passwords on any online service, as it potentially gives hackers that much more direct access to all your personal data/passwords in the event your master password is breached. Which should not be used without two-factor authentication.
Personally, I prefer a password management app such as KeePass, storing the encrypted database locally. Though passwords stored on virtually any app, even KeePass, can potentially be captured by malware such as a keylogger. Yet you have more options to protect the master password and password database locally. For instance, KeePass has the ability to input the master password through Windows secured desktop.
Doing so, I was not able to breach the master password using a couple of popular keyloggers as a security test I ran some time ago. However, I was able to capture individual passwords from KeePass, when transferring them using Windows clipboard (copy and paste), or manually inputting them from a hard or soft keyboard.
Furthermore, I was also able to capture the critical credentials when logging in to LastPass from a browser, which allowed access to my test passwords stored online using a popular keylogger. Highlighting the importance of two-factor authentication. Yet it can be of limited effectiveness in the event of a malware breach on the local system.
Surprisingly, I was not able to capture any passwords from keyloggers using Firefox's built-in password database, which is what I'm using for online account access, except for banking/financial accounts. But that does not mean it's necessarily the most secured solution, as an undiscovered browser vulnerability could breach its password security. Which is why I keep Firefox password database and profile hardened using a separate strong 256-bit AES encryption.
Further highlighting the dangers of keylogger rootkit malware, which can be notoriously difficult to detect. None of my top rated AV software could identify or flag their activity. Only Malwarebytes Free was successful in doing so.
Keyboard encryption apps were also able to block password capture from the keyloggers I tested. However, they were only effective if the app loaded ahead of the keylogger. Otherwise, malware was able to capture the clipboard which rendered the apps useless. Which just emphasizes the importance of having a layered security approach to lock down your system, as there are no perfect solutions to guard against hackers.