LastPass Security Notice

[wlanboy]

Text of the notice: https://blog.lastpass.com/de/2015/06/lastpass-security-notice.html/

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, jedoch, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

 

[Premiumn]

Never trust a third party password tool. Just goes to show that the old school pen and paper is so much better

 

[joepie91]

Never trust a third party password tool. Just goes to show that the old school pen and paper is so much better

Comparing to the wrong thing. It's not practical to copy sufficiently strong passwords from a piece of paper every time you need to log in somewhere, so you're likely to start using weaker passwords.

The problem here is with LastPass being a hosted third-party password tool. KeePass/KeePassX are just fine - they run locally, and you can audit the source.

 

[DomainBop]

Just goes to show that the old school pen and paper is so much better

Comparing to the wrong thing. It's not practical to copy sufficiently strong passwords from a piece of paper every time you need to log in somewhere, so you're likely to start using weaker passwords.

Plus, unless you live in a bubble with no other people around, there is the security risk that comes from having pieces of paper with passwords written on them sitting around, especially in multi-user environments like offices, schools, etc.