There are pros and cons to using a password manager [view related posts]. The biggest pro is that it helps keep all of our passwords organized and safe. The biggest con is that if the password manager is compromised, and the master password gets into the wrong hands, all of our passwords are compromised.

Password management company LastPass has been tackling several security incidents over the past few months. On August 25, 2022, LastPass informed its customers that it discovered unusual activity within its environment and determined that “an unauthorized party gained access to portions of the LastPass development environment…and took portions of source code and some proprietary LastPass technical information.” At that time, LastPass assured customers that their Master Password had not been compromised and didn’t recommend any action.

On September 15, 2022, after obtaining additional information in the investigation (this is how investigations go), LastPass stated that “[w]e can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.” Good news. Nonetheless, changing a Master Password after a close call is worth considering.

On November 30, 2022, LastPass announced that it “detected unusual activity within a third-party cloud storage service.” After an investigation, LastPass “determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.” LastPass assured its customers that their passwords “remain safely encrypted” and recommended that users follow its best practices.

On December 22, 2022, LastPass issued another notice advising customers that a third party was using information obtained from the first two incidents to copy “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” In addition, “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted fields such as website usernames and passwords.”

LastPass warned customers that the threat actor “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took,” though to do so “would be extremely difficult.”

LastPass recommended the following:

As a reminder, LastPass’ default master password settings and best practices include the following:

  • Since 2018, we have required a twelve-character minimum for master passwords. This greatly minimizes the ability for successful brute force password guessing.
  • To further increase the security of your master password, LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here.
  • We also recommend that you never reuse your master password on other websites. If you reuse your master password and that password was ever compromised, a threat actor may use dumps of compromised credentials that are already available on the Internet to attempt to access your account (this is referred to as a “credential stuffing” attack).

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.

If you or your company use LastPass, consider adhering to the recommendations given by LastPass in response to the incidents. You may wish to consider changing your master password as well.