Password managers are extremely convenient services that help with remembering the ridiculous number of passwords we have to deal with on a daily basis. However, what happens when the service itself is hacked and those passwords stolen? This very situation has happened to popular password manager LastPass, which is currently asking its users to change their master passwords.
LastPass CEO and co-founder Joe Siegrist posted on the company blog about the cyber-attack, although he does not sound too concerned about the stolen data. The LastPass system encrypts all stored information and strengthens it with a random salt and 100,000 rounds of server-side PBKDF2-SHA256. In theory, this should prevent the stolen passwords from being decrypted and used, or at least not within a time frame that would be useful to the attackers.
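To make the protection described above concrete, here is an added example (not LastPass's own code) of what a server-side salted PBKDF2-SHA256 record with 100,000 rounds looks like, and of why each stolen record forces an attacker to pay the full stretching cost for every guess; the salt length, key length and function names are assumptions.

```python
import hashlib
import hmac
import os
import time

# Illustrative parameters: the article states 100,000 rounds of PBKDF2-SHA256
# with a random salt; the salt and key sizes below are assumed, not LastPass's.
ROUNDS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32


def derive(master_password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Stretch a password with PBKDF2-HMAC-SHA256 (the slow, deliberate step)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, rounds, dklen=KEY_BYTES
    )


def make_record(master_password: str) -> dict:
    """What the server stores: a fresh random salt, the round count, and the
    derived key. The per-user salt means two users with the same password get
    different records, so precomputed tables are useless against a dump."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "rounds": ROUNDS, "key": derive(master_password, salt, ROUNDS)}


def verify(master_password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = derive(master_password, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["key"])


def guesses_per_second(record: dict, trials: int = 10) -> float:
    """Rough defender-side estimate of how many candidate passwords one core can
    test against a single stolen record; every guess must repeat all rounds."""
    start = time.perf_counter()
    for i in range(trials):
        derive(f"constructed-guess-{i}", record["salt"], record["rounds"])
    return trials / (time.perf_counter() - start)
```

The low guesses-per-second figure is the whole point of the round count: a weak or reused master password is still the fastest way in, which is why the advice is to change it.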
However, Siegrist has advised LastPass users to change their master passwords as a precaution – especially if that password has been used anywhere else. In addition, all users logging in from a new device must now verify their identity by email or multi-stage authentication.
LastPass is currently emailing all its users to remind them to change their master passwords. The company does not believe that the passwords stored in users' vaults need to be changed, because they were encrypted and are unlikely to be usable by the attackers.