WildAboutHarry wrote: I thought Lastpass had some sort of security breach. Do you use it? How do you like it?

Yeah, there was a series of anomalies a few months back that indicated a possible breach. LastPass tried to err on the side of caution and treated it like a data breach, which is the right way to handle this sort of thing. (Compare this to Sony's terrible reaction to the PSN breach, which was a true, full-out loss of actual secrets, something Sony never should have had in unencrypted form anywhere in their system.)
Because of the way the LastPass system is constructed, though, I was not concerned. Everything they hold is secured with extremely strong crypto. Crucially, all of this crypto happens on your own machine. (This is why if you forget your LastPass master password, you are completely SOL -- your secrets have never touched their servers in unencrypted form and LastPass itself knows none of your secret information.)
Since the worst case for this incident was that an attacker could have gotten hash data and email addresses, I wasn't worried.
I do two things that I recommend to others:
- I use an extremely strong master password.
- I set up LastPass to require multi-factor authentication (such as a grid card a la Treasury Direct or a USB key) for any new machines that attempt to access my data. That way, if someone did try to guess my password, they'd need to provide an additional secret that I can physically secure. (And I won't be bothered for this from my home machines.)
I also recommend some form of anti-keylogging countermeasure to anyone, regardless of how they manage their passwords.
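The post's point that "all of this crypto happens on your own machine" is the design property that makes a leak of server-side hash data a tolerable worst case. The following added example (written for this thread, not LastPass's own code or protocol) sketches that split in a generic way: the client derives a vault key from the master password, derives a separate login token from that key, and the server stores only a salted hash of the token. Names (`derive_vault_key`, `derive_auth_token`, `Server`), the iteration count and the use of the e-mail address as salt are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for illustration; a real product tunes this much higher.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Runs on the client only. This key encrypts/decrypts the vault and is
    never transmitted, so losing the master password means losing the vault."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )


def derive_auth_token(vault_key: bytes, master_password: str) -> bytes:
    """Runs on the client. One extra PBKDF2 round turns the vault key into a
    login token; the server sees only this token, never the key or password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class Server:
    """Hypothetical service side: it holds e-mail addresses and salted hashes
    of auth tokens, which is exactly the 'hash data and email addresses'
    worst case the post describes."""

    def __init__(self) -> None:
        self.db: dict = {}

    def register(self, email: str, auth_token: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_token, salt, ITERATIONS)
        self.db[email.lower()] = (salt, stored)

    def login(self, email: str, auth_token: bytes) -> bool:
        rec = self.db.get(email.lower())
        if rec is None:
            return False
        salt, stored = rec
        candidate = hashlib.pbkdf2_hmac("sha256", auth_token, salt, ITERATIONS)
        # Constant-time compare so the check itself leaks nothing.
        return hmac.compare_digest(stored, candidate)


def client_login(server: Server, email: str, master_password: str) -> Tuple[bool, Optional[bytes]]:
    """Full client flow: derive key locally, authenticate with the token,
    and keep the vault key on the client if login succeeds."""
    vault_key = derive_vault_key(master_password, email)
    ok = server.login(email, derive_auth_token(vault_key, master_password))
    return ok, (vault_key if ok else None)


def leaked_record_reveals(server: Server, email: str, vault_key: bytes) -> bool:
    """Defender's check: does a dump of the server record contain the vault
    key (or any prefix of it) in the clear? It should not."""
    salt, stored = server.db[email.lower()]
    blob = salt + stored
    return vault_key in blob or vault_key[:8] in blob


if __name__ == "__main__":
    # Constructed sample account, not real data.
    email, pw = "alice@example.com", "correct horse battery staple"
    srv = Server()
    key = derive_vault_key(pw, email)
    srv.register(email, derive_auth_token(key, pw))
    print("login ok:", client_login(srv, email, pw)[0])
    print("wrong pw:", client_login(srv, email, "wrong")[0])
    print("server dump exposes vault key:", leaked_record_reveals(srv, email, key))
```

The design choice worth noticing is that every guess against a leaked record costs the attacker the full client-side derivation plus the server-side hash, so the strength of the master password (the post's first recommendation) is what sets the cost of the worst case; the second recommendation, MFA on new devices, covers the case where a password guess succeeds anyway.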