
Lastpass hacked - do I need to change every single password?

OZ9000

Banned
I've changed my Master Password.

I've had 2FA enabled forever.

Is my system secure?

I have more than 400 saved passwords on Lastpass. Should I ideally be changing them all? 90% of them are the same very simple password that I use in throwaway accounts, e.g. forums, registering to websites.
 

Forsete

Gold Member

Look under "What Should LastPass Customers Do? "


  • Since 2018, we have required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute force password guessing.
  • To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here.
  • We also recommend that you never reuse your master password on other websites. If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account (this is referred to as a “credential stuffing” attack).

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.
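An added illustration of the two defaults the advisory leans on (12-character minimum and 100,100 PBKDF2 rounds), not code from the thread or from LastPass: it derives a vault key with PBKDF2-HMAC-SHA256 and shows how length and round count change the average exhaustive-search time. The e-mail-as-salt choice, the 95-character alphabet and the attacker's HMAC budget are assumptions.

```python
"""PBKDF2 vault-key derivation and a rough brute-force cost estimate.
Added illustration for the advisory above; it is not LastPass's code."""
import hashlib

# Defaults quoted in the advisory: 12-character minimum, 100,100 PBKDF2 rounds.
MIN_MASTER_LENGTH = 12
DEFAULT_ITERATIONS = 100100
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password, salt, iterations=DEFAULT_ITERATIONS):
    """PBKDF2-HMAC-SHA256, 32-byte output. Assumption: the account e-mail
    (lower-cased) is the salt; this mirrors LastPass's described design only."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def meets_defaults(master_password, iterations):
    """True only when both advisory defaults hold (length and round count)."""
    return (len(master_password) >= MIN_MASTER_LENGTH
            and iterations >= DEFAULT_ITERATIONS)


def expected_crack_years(charset_size, length, iterations, hmac_per_second):
    """Average years to hit a uniformly random password by exhaustive search:
    half the keyspace, each candidate costing `iterations` HMAC calls.
    hmac_per_second is an assumed attacker budget, not a measured figure."""
    keyspace = charset_size ** length
    guesses_per_second = hmac_per_second / iterations
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample inputs; not real account data.
    key = derive_vault_key("correct horse battery staple", "user@example.com")
    print("vault key:", key.hex())
    budget = 1e10  # constructed: HMAC-SHA256 calls per second for a GPU rig
    for label, length, rounds in [("8 chars, 1 round", 8, 1),
                                  ("8 chars, default rounds", 8, DEFAULT_ITERATIONS),
                                  ("12 chars, default rounds", 12, DEFAULT_ITERATIONS),
                                  ("20 chars, default rounds", 20, DEFAULT_ITERATIONS)]:
        years = expected_crack_years(95, length, rounds, budget)
        print(f"{label:26s} -> {years:.3g} years")
```

The round count multiplies the per-guess cost linearly, which is why the advisory treats accounts left below the defaults as the ones worth re-keying.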
 

ManaByte

Gold Member
 

RJMacready73

Simps for Amouranth
Way I figured, who the fuck is gonna hack Google, and I know who's behind Google. All these other programs... could be anyone or anything.
 

ReBurn

Gold Member
My company makes us use LastPass. I still use KeePass though. I keep my KeePass file on OneDrive so I don't lose it.
 
What they have access to
-Vault data, including all the urls and notes you put in
-Name
-Email
-Address
-IP
-Phone #

What they don't have access to
-Your master password and passwords for individual urls

Unless you have an easy-to-guess master password, it could take thousands to millions of years to figure it out. Worst-case scenario is they email and blackmail you for things such as having an account at Resetera.
 

Sonik

Member
I've changed my Master Password.

I've had 2FA enabled forever.

Is my system secure?

I have more than 400 saved passwords on Lastpass. Should I ideally be changing them all? 90% of them are the same very simple password that I use in throwaway accounts, e.g. forums, registering to websites.

Ideally you should never use an online service to save your password, ever. Never, ever. And yes, change your passwords; even if they're not compromised now, they eventually will be.
 

daveonezero

Banned
Ideally you should never use an online service to save your password, ever. Never, ever. And yes, change your passwords; even if they're not compromised now, they eventually will be.
Using a password manager is better than using weak passwords.

It’s better than using a browser to save passwords.

Using a centralized server to access them is really not that big of a deal. All of these companies use open standard encryption and usually pass audits.

If you don’t want to have someone else’s server storing them you can self-host with Bitwarden or KeePass.

Generally it’s the best way to increase security and first step someone should take.
 

OZ9000

Banned
What they have access to
-Vault data, including all the urls and notes you put in
-Name
-Email
-Address
-IP
-Phone #

What they don't have access to
-Your master password and passwords for individual urls

Unless you have an easy-to-guess master password, it could take thousands to millions of years to figure it out. Worst-case scenario is they email and blackmail you for things such as having an account at Resetera.
Lmao
 

OZ9000

Banned
Why do you have 400 passwords, how paranoid are you and is your tinfoil hat on?
Over the last 10 years signing up to random forums or websites and logins for every goddamn service, e.g. Ubisoft, Steam, Blizzard, online retailers. Every website seems to want you to register.

I don't use any of them tbh.

I don't know if I have the willpower to change all these passwords. They're all the same and a very simple phrase.

However any website linked to finances or banking or online shopping I will certainly change the password. I'll also change my email address password.

I will assume it's very difficult to get in my vault because it's a 20 char password with a combination of lower case, upper case and special characters.
 

RoadHazard

Gold Member
Over the last 10 years signing up to random forums or websites and logins for every goddamn service, e.g. Ubisoft, Steam, Blizzard, online retailers. Every website seems to want you to register.

I don't use any of them tbh.

I don't know if I have the willpower to change all these passwords. They're all the same and a very simple phrase.

However any website linked to finances or banking or online shopping I will certainly change the password. I'll also change my email address password.

I will assume it's very difficult to get in my vault because it's a 20 char password with a combination of lower case, upper case and special characters.

You're fine, they're not gonna spend years and years trying to brute force your specific master password.

This leak is obviously shit, but your passwords are only in danger if your master password is easily guessable.
 
you'll probably be fine as i don't think they can actually see your login details (usernames/passwords) but i wouldn't take the risk. definitely change the passwords on your most important accounts at the very least. change as many passwords as you possibly can. 400 is a lot....

maybe take this opportunity to ditch lastpass. this isn't the first time they've been hacked. i highly recommend bitwarden. it's totally free (with paid options). it's worked on my PC (both windows + linux), my iphone, my android, and even in my firefox browser. i'm sure it also works in chrome/edge too. bitwarden is open source and if you're really concerned you have the option to self host it. i don't know how to do it so i need to put my trust in bitwarden to host it. i trust them far more than lastpass and even if it is ever hacked nobody is going to get my passwords unless they know my master password.

if you asked me my master password i wouldn't be able to tell you but i can type it out real fucking fast due to muscle memory. i do have it written down but i keep it locked away in a box.
 