LastPass was hacked: Here's what you have to do

LastPass put enough layers of security on your password vault that this breach isn't the end of the world. (But you should still change your master password.)


The password-storage maker LastPass announced the worst possible news for a company in its business on Monday: its password database was breached and user account information stolen. Because LastPass allows central storage and synchronization of your data store--the "vault" of passwords and other information you use with its app and website--someone being able to suss out your master password would seemingly have access to all your secrets.

Fortunately, LastPass seems to have employed enough layers of security in the right way that even this scale of failure shouldn't rebound on you. Let's review what risk you're exposed to if you're a LastPass user, and what steps you should take to reduce those.

Round and round we go

Early password-storage software on desktops and smartphones was hampered by both the low computational power available and implementation issues. In a report in 2012, digital forensic software firm Elcomsoft found flaws in 17 smartphone password-management apps, some severe. (Some of those problems were mirrored in desktop versions, too.) That report spurred fixes and development, and companies became smarter or more thorough. That paid off in this breach.

Passwords have to be stored in a manner in which they can't easily be recovered, whether in an operating system, for a website, or for protecting an app's data storage. Every kind of system that uses a password for authentication or access employs a one-way process--unless the outfit running it is negligent.

Many websites almost certainly still use a simple method. They take your password, run it through what's called a hashing algorithm that performs intensive mathematical operations on it, and produces a result (a "hash") that can't be reversed: knowing the hash doesn't reveal the original password.

Whenever you log in, your password isn't checked against a stored password. Rather, the site or service runs whatever you entered through the same hashing process and tests the result against the stored hash. If your freshly entered text, once hashed, matches the previously calculated one, you're legit.

When ne'er-do-wells steal password files, they don't immediately get access to passwords. They need to perform cracking operations, working their way through common passwords (based on many large previous public thefts) and into common words and combinations. Crackers don't go through every possible combination; they pick the most likely ones first. For instance, if asked to enter a word with mixed case, a number, and punctuation, people are more likely to enter Apple1! than ec7*JH43(k; crackers now follow these sorts of paths to harvest more results.

A well-equipped desktop PC with a high-end graphics card (or several) can churn through billions of password tests per second--yes, per second. Companies like LastPass build in layers of protection to slow them down.

First, LastPass uses a "salt," which is text that's combined with a password so that when it's hashed, all of the identical passwords for user accounts have different hashes. "aa" + "Apple1!" is very different when hashed than even "aA" + "Apple1!".

Second, the company uses an algorithm that doesn't just hash once, but many times. The default for LastPass on the client side--in a native or Web app--is 5,000 rounds.

Third, when you log into LastPass on the website or via a sync client, the password still isn't sent. Instead, your locally hashed password is sent in that form to the server, where it's run through another 100,000 rounds.
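To make the three layers concrete, here is an added example (not LastPass's code; the article does not name the hash function): a two-stage derivation that assumes PBKDF2-HMAC-SHA256, a per-user string as the salt, and the 5,000 client-side and 100,000 server-side rounds given above, plus a login check that recomputes the value rather than decrypting anything.

```python
import hashlib
import hmac

# The round counts come from the article; the hash function, salt choice
# and output length are assumptions made for this example.
CLIENT_ROUNDS = 5_000        # rounds run in the native or Web client
SERVER_ROUNDS = 100_000      # additional rounds run on the server
HASH_NAME = "sha256"
DK_LEN = 32


def client_hash(master_password: str, salt: str) -> bytes:
    """Stage 1, run locally: the raw master password never leaves the client."""
    return hashlib.pbkdf2_hmac(HASH_NAME, master_password.encode("utf-8"),
                               salt.encode("utf-8"), CLIENT_ROUNDS, DK_LEN)


def server_hash(client_value: bytes, salt: str) -> bytes:
    """Stage 2: the server stretches what it received another 100,000 rounds,
    so a stolen database holds only this doubly-stretched value."""
    return hashlib.pbkdf2_hmac(HASH_NAME, client_value, salt.encode("utf-8"),
                               SERVER_ROUNDS, DK_LEN)


def enroll(master_password: str, salt: str) -> bytes:
    """What the server stores when the account is created."""
    return server_hash(client_hash(master_password, salt), salt)


def verify(master_password: str, salt: str, stored: bytes) -> bool:
    """Login check: re-derive from the fresh attempt and compare in constant
    time. Nothing is 'decrypted'; the stored value is simply recomputed."""
    candidate = server_hash(client_hash(master_password, salt), salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample accounts: identical password, different salts
    a = enroll("Apple1!", "aa")
    b = enroll("Apple1!", "aA")
    print("salted hashes differ:", a != b)
    print("correct password verifies:", verify("Apple1!", "aa", a))
    print("wrong password rejected:", not verify("apple1!", "aa", a))
```

Each verify call costs the full 105,000 rounds, which is exactly the per-guess cost a cracker holding the stolen table would pay.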

This isn't just for show. My rough estimate is that, with all of that combined, about $10,000 of graphics processing units (GPUs) could test about 30 passwords per second instead of billions. An Ars Technica expert thinks it's even lower: about 10 passwords per second.

Now, we have to factor in the fact that some people's password hints may allow specific accounts to be targeted ("my password is my first name plus a one"), and that determined crackers might gain access to or have bought (or stolen) 1,000 times the power of the rig I'm using for rough estimation.

But the odds of mass decryption are very low, and if you're a LastPass user, you can make them even lower.

What you can do

LastPass says in its blog entry, "Encrypted user vaults were not compromised." This is a critical fact because changing your master password will immediately make the stolen password information useless. If crackers had stolen vaults, they would be able to churn on them forever, or return to them in the future and crack them with more advanced or powerful technology. Since people often don't change passwords for years at a time, or ever, that could have still been a risk.

LastPass also advises changing your password at any other account for which you use the identical password. Because email addresses and password hints were stolen, crackers who compromise one account will try for others. However unlikely, it's good to make these changes. (Also, if you use LastPass or similar software, you can easily avoid using the same password twice or more.)

The benefit of second-factor authentication also remains in effect. The information stolen from LastPass doesn't let a cracker who recovered your password gain access without the token you need to generate on a device or in an app to which you have access. (LastPass conceivably has kept secure the seeding information used for second factors.)

When setting a new master password, you can ignore the common but bad advice to pick something that's hard to remember and type. The notion is that coming up with something short and complex is better than something long and simple. This is incorrect.

A set of three or more words that are unusual together is more secure than a short complex password that you invented yourself. Because you can't store LastPass's master password in LastPass, you should think of a way to make a memorable result. Some experts suggest phrases or unlikely conjunctions: you were running in the woods and stubbed your toe when you saw a unicorn becomes "runs stubbed unicorn". It would take on the order of a quintillion password checks to get to that result.

LastPass wasn't just lucky. Their preparations paid off. I'm looking forward to learning more about just how their systems were penetrated, and I hope in the interests of transparency, the company will provide more details. But it's nice for once to see that an ounce of prevention was worth a million tons of cure.

Glenn Fleishman