With the latest breach at LastPass I was eager to listen to Steve Gibson on his latest Security Now show, #512, and see what he advised.
- What may have been lost were email addresses, password reminders, per-user salts, and authentication hashes. None of the bulk encrypted data was lost.
- Under Password Iterations (Advanced menu), change it from 5000 to a random five- or six-digit number with no zeroes and a first digit greater than two, like 59463. Note: even though you get a message from LastPass not to go above 20000, I didn't experience any significant delay.
- LastPass also adds a per-user random salt, which makes the account even more secure.
- LastPass also protects us by preventing anyone from logging in from a new computer or IP address until the login is confirmed via email.
- Steve still recommends changing your LastPass password in case everything was stolen and you had a weak password to start with. It's interesting that Steve changed his password even though I know he had a very secure one.
- Steve still recommends using LastPass.
- Two-factor authentication would still help if somehow they did figure out your password.
- Steve also recommends writing down your master password and keeping it somewhere safe, like your wallet, but altering what you write down so that it's not exactly the same as the real one.
- Leo Laporte also adds a long number to his password to make it even more secure, or you can simply add extra characters to the end of your password to make it harder to crack.
- If you haven't already, set up two-factor authentication in LastPass.
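To show what the iteration-count and per-user-salt points above actually buy, here is an added Python model of a client-side master-password KDF (example code written for this post, not LastPass's own implementation). It assumes PBKDF2-HMAC-SHA256 with the account email as the per-user salt and a configurable iteration count; the credentials in it are constructed sample values.

```python
import hashlib
import hmac
import time

KEY_LEN = 32                # bytes in the derived key
DEFAULT_ITERATIONS = 5000   # the default count the post says to raise
CHOSEN_ITERATIONS = 59463   # the example value from the post

def derive_vault_key(master_password: str, user_salt: str, iterations: int) -> bytes:
    """Stretch the master password with a per-user salt and an iteration count.

    Assumption: PBKDF2-HMAC-SHA256 salted with an email-like string. This models
    the client-side step the post's iteration advice refers to; not LastPass code."""
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               user_salt.encode("utf-8"), iterations, KEY_LEN)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra round over the vault key, so the server never holds the key itself."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, KEY_LEN)

def verify_auth_hash(stored: bytes, presented: bytes) -> bool:
    """Constant-time comparison, the way a server-side login check should be done."""
    return hmac.compare_digest(stored, presented)

def work_factor_ratio(new_iterations: int, old_iterations: int = DEFAULT_ITERATIONS) -> float:
    """How many times more work every guess costs after raising the iteration count."""
    return new_iterations / old_iterations

def time_derivation(master_password: str, user_salt: str, iterations: int) -> float:
    """Wall-clock seconds for one derivation; the legitimate user pays this once per login."""
    start = time.perf_counter()
    derive_vault_key(master_password, user_salt, iterations)
    return time.perf_counter() - start

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    pw, salt_a, salt_b = "correct horse battery staple", "alice@example.com", "bob@example.com"
    key_a = derive_vault_key(pw, salt_a, DEFAULT_ITERATIONS)
    key_b = derive_vault_key(pw, salt_b, DEFAULT_ITERATIONS)
    print("same password, different salts, different keys:", key_a != key_b)
    for n in (DEFAULT_ITERATIONS, CHOSEN_ITERATIONS):
        print(f"{n:>6} iterations: {time_derivation(pw, salt_a, n):.3f}s per login, "
              f"x{work_factor_ratio(n):.1f} work per guess")
```

The per-user salt is why a leaked authentication hash for one account cannot be reused against another account with the same master password, and the iteration count is the knob that makes each guess against a leaked hash proportionally slower while costing the real user only one derivation per login.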