Originally Posted by Dragon
It's almost as if the article I posted comments that LastPass has security issues of its own and shouldn't be used? Especially when a user is talking about being hacked themselves.
This is an extremely silly conclusion to draw from the article you linked.
- Noticed irregular traffic coming from one server
- Immediately disclosed this
- Investigated and did not find any evidence to believe anything was actually hacked
- Based on the amount of traffic, if data was stolen, it was a very small amount of data, probably fewer than 200 passwords (and thus probably fewer than 10 users)
- The passwords were all encrypted with your master password and per-password salts. LastPass does not know your master password, so even if their entire database is stolen, the hackers are not able to do anything with the data.
- Even if someone did steal all the info, they'd still need to crack your master password, which is supposed to be 12+ characters (the longer the better) and would essentially be uncrackable on its own. My master password is 15 characters including upper, lower, numbers, and symbols, which would have a state-space complexity of about 3.56 * 10^110 to crack. So even were my information stolen, it wouldn't have been cracked. My master password is not as secure as they recommend to begin with.
- LastPass sent out a warning to all users to have them change their master password
- They immediately added two-step verification
- They immediately had multiple external security audits.
So for you to read that and say "welp no such thing as security lastpass sux" is insane. LastPass followed responsible disclosure, it followed security best practices, there was no evidence that any data was actually stolen, if data was stolen it was extremely limited, and regardless of how much data was stolen, it was useless.
Disclosure: I don't use LastPass, I use 1Password.
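To illustrate the point the post makes about a stolen vault being useless without the master password, here is an added example. It is not code from the post's author or from LastPass, and it is not a description of LastPass's actual implementation: it is a toy vault that derives a per-entry key from the master password with PBKDF2 over a per-entry salt, encrypts with an HMAC-based keystream (a stand-in for a real AEAD such as AES-GCM, used here only because the standard library has no AES), and computes the search space and brute-force time for a given password length. The iteration count, the 95-character printable-ASCII alphabet, and the guess rate are assumptions, as are all names in the code.

```python
import hashlib
import hmac
import os

# Assumed KDF work factor for this example; not LastPass's actual setting.
# Every guess an attacker makes against a stolen record costs this many
# HMAC-SHA256 iterations, so raising it slows offline cracking linearly.
ITERATIONS = 100_000

# Assumed alphabet: 95 printable ASCII characters (upper, lower, digits, symbols).
PRINTABLE_ASCII = 95


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key bound to this entry's salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (illustration only; use AES-GCM in practice)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_entry(master_password: str, plaintext: bytes) -> dict:
    """Encrypt one vault entry under a fresh per-entry salt and nonce.

    The returned record is everything the server stores; the master password
    and the derived key never leave the client.
    """
    salt = os.urandom(16)
    nonce = os.urandom(12)
    key = derive_key(master_password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_entry(master_password: str, record: dict):
    """Return the plaintext, or None if the master password is wrong or the record was tampered with."""
    key = derive_key(master_password, record["salt"])
    expected = hmac.new(key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    stream = keystream(key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], stream))


def keyspace(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Number of candidate passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(length: int, guesses_per_second: float, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Years to try every password of this length at an assumed guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    record = encrypt_entry(master, b"example.com:hunter2")  # constructed sample entry

    # What a thief holding the server-side database sees: salt, nonce, ciphertext, tag.
    print({k: v.hex() for k, v in record.items()})
    print("right password ->", decrypt_entry(master, record))
    print("wrong password ->", decrypt_entry("Password1!", record))

    # Assumed attacker: 1e9 PBKDF2 guesses/second (already generous at 100k iterations).
    for length in (8, 12, 15):
        print(f"{length} chars: {keyspace(length):.2e} candidates, "
              f"{years_to_exhaust(length, 1e9):.2e} years to exhaust")
```

Two things the numbers show that the post's prose does not: the per-entry salt means each stolen entry has to be attacked separately (one PBKDF2 run per guess per entry, with no shared rainbow table), and the search space grows as 95^length, so 95^15 is about 4.6 * 10^29, which at the assumed rate is on the order of 10^13 years. The weakness is entirely in the master password: a short or dictionary password collapses the search to a few million guesses regardless of how good the encryption is.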