I see where LastPass password security company has fallen victum to the hacking community. Anyone having passwords with them ought to change them. Here is an excerpt from them: The hackers were able to make off with the email addresses of everyone who uses the service, along with password reminders, authentication hashes and server per user salts. Of these, the most troubling are the authentication hashes, as this is what LastPass uses to determine that you’re you, and have permission to access your account.According to the company’s blog, even with the authentication hashes in hand, it would be virtually impossible for a hacker to actually breach your account and get into your password safe. That is of some comfort, but of course, the company was supposed to be essentially unhackable to begin with, so take that with a grain of salt.What You Should DoAbout the only thing that’s absolutely required is to change your Master Password. That way, if LastPass is wrong about the hackers not being able to use the authentication hashes to break into your password safe, they’ll be using the wrong password – it will render the hashes irrelevant.As an added security precaution, the company has locked accounts down, so that if you’re not accessing your account from a trusted IP address you’ve used before, you’ll also have to take the step of verifying your email. According to the company’s website, the data that the hackers got shouldn’t put your other passwords at risk, but you’ll definitely want to change your Master Password. No further action should be required, but if it is, you’ll be getting detailed instructions from LastPass.

Never put anything important in the cloud.

This is relatively old news at this point, but the reasoning in your post behind changing your master password is flawed. The master password is used to protect the encryption key for the password vault - where all your various passwords are stored. If the intruders got a copy of the vaults, changing your master password after the fact will have no affect. That will only create a new encrypted copy of the vault stored with LastPass - the old encrypted copy using the master password whose hash was stolen remains unchanged. It would remain vulnerable to offline brute force attack. But because each password has a unique salt (a bit of random information added to a password to defeat dictionary attacks) added to it the intruders cannot brute force every stolen password - each password would take a ridiculous amount of time and computing power to break. LastPass has more information on the breach here.

An excellent reason not to store anything really important online. If a company like LastPass can be compromised, then basically anything can be compromised. IMO anything sensitive should be kept locally.

There is an important distinction in the OP that the main stream media seem to miss or conveniently forget for ratings purposes. Lastpass passwords were NOT breached. The company was breached and encrypted master password hashes were taken. Although Lastpass will likely not admit their security posture publically, in all reality the contents of the vaults are likely stored in a secondary more secure network that only the servers that authenticate the master password on would have access to. Breaching the servers hosting the vaults would require penetrating multiple layers of security, like getting into the inner rings of the Pentagon. Lastpass as stated publically that the vaults were not part of the breach, thus there is no risk of an old copy of the master password being used later to get into a stolen copy of the vaults.As mentioned in the news users are not at immediate threat of data theft, but are being told to change master passwords incase they find a way to crack the passwords from the information that was taken. Further if you have 2 factor authentication enabled, it would even more difficult to get access to the passwords.With that said, their advice is obviously sound to change the master password on Lastpass and any other site that you use that same password on, this is not another Sony or Target, it only could be if a hacker finds/found a flaw/bug in their systems to gain access before people change their master passwords.

I have been trying to find a good password program that is local, on my computer or a jump drive.

LastPass security company | Good Sam Community

joebedford
Nomad II
Jun 25, 2015
Never put anything important in the cloud.
bwanshoom
Explorer
Jun 25, 2015
This is relatively old news at this point, but the reasoning in your post behind changing your master password is flawed. The master password is used to protect the encryption key for the password vault - where all your various passwords are stored. If the intruders got a copy of the vaults, changing your master password after the fact will have no affect. That will only create a new encrypted copy of the vault stored with LastPass - the old encrypted copy using the master password whose hash was stolen remains unchanged. It would remain vulnerable to offline brute force attack. But because each password has a unique salt (a bit of random information added to a password to defeat dictionary attacks) added to it the intruders cannot brute force every stolen password - each password would take a ridiculous amount of time and computing power to break.

LastPass has more information on the breach here.
fj12ryder
Explorer III
Jun 25, 2015
An excellent reason not to store anything really important online. If a company like LastPass can be compromised, then basically anything can be compromised. IMO anything sensitive should be kept locally.
rwbradley
Explorer
Jun 25, 2015
There is an important distinction in the OP that the main stream media seem to miss or conveniently forget for ratings purposes. Lastpass passwords were NOT breached. The company was breached and encrypted master password hashes were taken. Although Lastpass will likely not admit their security posture publically, in all reality the contents of the vaults are likely stored in a secondary more secure network that only the servers that authenticate the master password on would have access to. Breaching the servers hosting the vaults would require penetrating multiple layers of security, like getting into the inner rings of the Pentagon. Lastpass as stated publically that the vaults were not part of the breach, thus there is no risk of an old copy of the master password being used later to get into a stolen copy of the vaults.

As mentioned in the news users are not at immediate threat of data theft, but are being told to change master passwords incase they find a way to crack the passwords from the information that was taken. Further if you have 2 factor authentication enabled, it would even more difficult to get access to the passwords.

With that said, their advice is obviously sound to change the master password on Lastpass and any other site that you use that same password on, this is not another Sony or Target, it only could be if a hacker finds/found a flaw/bug in their systems to gain access before people change their master passwords.
tvman44
Explorer
Jun 25, 2015
I have been trying to find a good password program that is local, on my computer or a jump drive.
SCR
Explorer
Jun 25, 2015
tvman44 wrote:
I have been trying to find a good password program that is local, on my computer or a jump drive.

The safest password vault is the one located directly behind your eyes.

Otherwise RoboForm works pretty well.
bcsdguy
Explorer
Jun 25, 2015
SCR wrote:
tvman44 wrote:
I have been trying to find a good password program that is local, on my computer or a jump drive.

The safest password vault is the one located directly behind your eyes.

Otherwise RoboForm works pretty well.

Thank you! I would never put my passwords on a website no matter what they claim.
bcsdguy
Explorer
Jun 25, 2015
bwanshoom wrote:
This is relatively old news at this point, but the reasoning in your post behind changing your master password is flawed. The master password is used to protect the encryption key for the password vault - where all your various passwords are stored. If the intruders got a copy of the vaults, changing your master password after the fact will have no affect. That will only create a new encrypted copy of the vault stored with LastPass - the old encrypted copy using the master password whose hash was stolen remains unchanged. It would remain vulnerable to offline brute force attack. But because each password has a unique salt (a bit of random information added to a password to defeat dictionary attacks) added to it the intruders cannot brute force every stolen password - each password would take a ridiculous amount of time and computing power to break.

LastPass has more information on the breach here.

This isn't my information, it is from Lastpass. So if it is flawed like you say, then it is their problem.
pconroy328
Explorer
Jun 25, 2015
bcsdguy wrote:
bwanshoom wrote:
This is relatively old news at this point, but the reasoning in your post behind changing your master password is flawed. The master password is used to protect the encryption key for the password vault - where all your various passwords are stored. If the intruders got a copy of the vaults, changing your master password after the fact will have no affect. That will only create a new encrypted copy of the vault stored with LastPass - the old encrypted copy using the master password whose hash was stolen remains unchanged. It would remain vulnerable to offline brute force attack. But because each password has a unique salt (a bit of random information added to a password to defeat dictionary attacks) added to it the intruders cannot brute force every stolen password - each password would take a ridiculous amount of time and computing power to break.

LastPass has more information on the breach here.

This isn't my information, it is from Lastpass. So if it is flawed like you say, then it is their problem.

They posted some updates. The last one I think was 16-June.
I'm a long time Lastpass user.
SCR
Explorer
Jun 26, 2015
bcsdguy wrote:
SCR wrote:
tvman44 wrote:
I have been trying to find a good password program that is local, on my computer or a jump drive.

The safest password vault is the one located directly behind your eyes.

Otherwise RoboForm works pretty well.

Thank you! I would never put my passwords on a website no matter what they claim.

You're Welcome. Robo is a handy program. Just a point of reference LastPass isn't what you would call a website. I've used it for years but only for the most mundane passwords, like this forum and others along with some junk email accounts.

I do believe that LastPass is safe but I'm a little upset with their slow roll out of notification that they had an incident. I happen to see it on a network news site three days after it happened. I didn't get an official notification for 5 days. Entirely to slow... and an eternity in the security field. They should feel quite embarrassed but I doubt they do. They did post it on their forum but it's not a place I visit everyday.

Some of the less important ones like my regular email accounts are in RoboForm. I've used that for years as well mostly for convenience.

The real important ones like financial accounts are behind my eyes and between my ears. Having said that I should add that I'm getting up there in years and may have to start relying more on RoboForm.. Things are getting a little mushy behind the eyes. :E

Now where did I put my keys..:h

Forum Discussion

LastPass security company

About RV Must Haves

Related Content

RV Security

Security

Campsite security

Warrenty Company

Insurace companys