A word about LastPass

By | May 7, 2011

We’ve received several emails from readers who, like TC, use LastPass. It’s true that LastPass experienced a problem and that a hacker or hackers may have breached some user files. Since LastPass is a cloud-based application, this is a serious matter. But this is the era of the 24-hour news cycle, and when we really looked into this breach, we discovered that only about 0.5% of users were actually affected. If you were one of that 0.5%, it could be very serious. LastPass has notified the users who may have been affected by this breach and asked them to change their master password. It’s important to keep things in perspective: while 0.5% of users may have had their data breached, 99.5% did not.

For those of you who don’t use LastPass, the master password allows LastPass users to access data from their personal LastPass Vault. This data consists of things like usernames and passwords – and anything else users have stored there (personal information, credit card numbers, etc.). So even though a hacker may have stolen 0.5% of the total user databases, they would not gain immediate access to the master passwords – they are encrypted and hashed. Without the master password, hackers have no access to the user’s LastPass Vault.

And this serves, once again, as a reminder of the importance of always using strong passwords.

Passwords are the key to your online security and the safety of your personal information. If you use LastPass and you have followed our advice to always use strong passwords, then even if you were among those 0.5% of users whose data was breached – the thief would have to crack your master password before he/she could access your data. If you used a strong password, they’re not going to crack it unless they want to spend years on you – and they’re not going to bother with that. You can be sure they’re looking for those with master passwords that are something like 12345 or “password”, or those who use common dictionary words like “orange” or “cloudy” for their master password.

We still recommend LastPass, and we continue to urge everyone to use strong passwords for everything. And for those who use RoboForm – the newer versions of RoboForm work in a similar way to LastPass. If you use RoboForm, you should set and use a strong master password.

This excerpt is from a news story reporting on the breach at LastPass…

“…Everything got a bit messy and some folks were apparently locked out of their accounts, unable to change their passwords (or even locked out after they’d made the switch).

LastPass says it has identified an issue with approximately 0.5% of users which impacted their master password change, and its focus is currently on resolving these problems.

The passwords themselves were hashed, a type of one-way encryption which means that if hackers have got away with password data, they’ll still have to crack it.

The only way to do that is to brute-force the encryption, which will only have a chance of succeeding with simple dictionary word passwords. Anyone who employed a combination of letters, numbers and other characters – a strong password, as it’s known in the trade – isn’t in any danger of being brute-forced.” You can read the entire article here.

We still recommend and use LastPass – but only if you use a strong master password.

One thought on “A word about LastPass”

  1. Ken Roberts

    Numbers and symbols are the key, and other ideas which I will not speak of here because it would give a hint to help the hackers, something I do that was mentioned long ago in cloud eight newsletter. Simple passwords are not the greatest idea; if you have trouble remembering passwords I suggest you write it down and put it in your wallet or some other safe place, believe me the inconvenience will be much less than having your account emptied. It costs a little time from your day but if you use a simple one it will drain the money right out of your account into their waiting hands. Did I mention I hate thievery?
