LastPass Is Breached: Do You Need To Change Your Master Password?

Ryan Dube 18-06-2015

If you’re one of the thousands of LastPass users who’ve felt very secure using the Internet thanks to promises of nearly unbreakable security, you may feel a little less secure knowing that on June 15th, the company announced that they detected an intrusion into their servers.


LastPass initially sent an email notice to users advising them that the company had detected “suspicious activity” on LastPass servers, and that user email addresses and password reminders had been compromised.

The company assured users that no encrypted vault data had been compromised, but since the hashed user passwords had been obtained, the company advised users to update their master passwords, just to be safe.

The LastPass Hack Explained

This isn’t the first time LastPass users have been concerned about hackers. Last year, we interviewed LastPass CEO Joe Siegrist following the Heartbleed threat, where his reassurances set users’ fears at ease.

This latest breach took place late the week before the announcement. By the time it was detected and identified as a security intrusion, the attackers had gotten away with user email addresses, password reminder questions/answers, hashed user passwords and cryptographic salts.



The good news is that the security of the LastPass system was designed to withstand such attacks. The only way to access your plain-text passwords would be for the hackers to decrypt the well-secured master passwords.

Due to the mechanism used to encrypt your master password, it would take massive amounts of computer resources to decrypt it – resources that most small or mid-level hackers don’t have access to.


The mechanism that makes the master password so hard to obtain, and the reason you’re so protected when you use LastPass, is called “slow hashing” or “hashing with salt.”


How Hashing Works

LastPass uses one of the most secure encryption techniques in the world, called hashing with salt.


The “salt” is a code that’s generated using a cryptography tool – a sort of advanced random number generator created specifically for security, if you will. These tools create completely unpredictable codes when you create your master password.

What happens when you create your account is the password is “hashed” using one of these randomly generated (and very long) “salt” numbers. These are never reused – they’re unique for every user and every password. Finally, in the user account table, you’ll find only the salt and the hash.


The actual text version of your master password is never stored on LastPass servers, so hackers don’t have access to it. All they were able to obtain in this intrusion are these random salts, and the encoded hashes.

So, the only way LastPass (or anyone) can validate your password is:

  1. Retrieve the hash and salt from the user table.
  2. Use the salt on the password the user types in, hashing it using the same hash function that was used when the password was generated.
  3. The resulting hash gets compared to the stored hash to see if it’s a match.

These days, hackers are able to generate billions of hashes per second, so why can’t a hacker just use brute-force to crack these passwords? This extra security is thanks to slow-hashing.

Why Slow-Hashing Protects You

In an attack like this, it’s the slow-hashing part of LastPass security that really protects you.



LastPass makes the hash function used to verify the password (or create it) work very slowly. This essentially puts the brakes on any high-speed, brute-force operation that requires speed in order to pump through billions of possible hashes. No matter how much computational power the hacker’s system has, the process to break the encryption will still take forever, essentially rendering brute-force attacks useless.

On top of that, LastPass doesn’t just run the hash algorithm once; they run it thousands of times on your computer, and then again on the server.

Here’s how LastPass explained its own process to users in a blog post following this latest attack:

“We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash.”

The LastPass Help Desk has a post that describes how LastPass utilizes slow-hashing:

LastPass has opted to use SHA-256, a slower hashing algorithm that provides more protection against brute-force attacks. LastPass utilizes the PBKDF2 function implemented with SHA-256 to turn your master password into your encryption key.

What this means is that despite this recent security breach, your passwords are still pretty much secure, even though your email address isn’t.
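The scheme described above, as an added example (not LastPass's code and not part of the original article): the three verification steps, with the client-side and server-side PBKDF2-SHA256 rounds the article cites. The client-side salt choices, the function names and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

CLIENT_ROUNDS = 5_000    # client-side PBKDF2-SHA256 rounds quoted in the article
SERVER_ROUNDS = 100_000  # server-side rounds cited in the article


def client_auth_hash(username: str, master_password: str) -> bytes:
    """Client side: 5,000 rounds produce a key, one more round produces the
    authentication hash. Using the username as the salt and the password as
    the salt of the extra round are assumptions of this sketch."""
    password = master_password.encode()
    key = hashlib.pbkdf2_hmac("sha256", password, username.lower().encode(), CLIENT_ROUNDS)
    return hashlib.pbkdf2_hmac("sha256", key, password, 1)


def server_enroll(auth_hash: bytes) -> dict:
    """Account creation: store only a fresh random salt and the slow hash."""
    salt = os.urandom(32)  # unique per user and per password, never reused
    slow = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return {"salt": salt, "hash": slow}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Login: the three steps listed in the article."""
    salt, stored = record["salt"], record["hash"]       # 1. fetch salt and hash
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)  # 2. re-hash
    return hmac.compare_digest(candidate, stored)       # 3. constant-time compare


def seconds_per_guess() -> tuple:
    """Time one full guess (client + server rounds) against one plain SHA-256."""
    record = server_enroll(client_auth_hash("user@example.com", "constructed sample"))
    start = time.perf_counter()
    server_verify(record, client_auth_hash("user@example.com", "guess"))
    slow = time.perf_counter() - start
    start = time.perf_counter()
    hashlib.sha256(b"guess").digest()
    fast = time.perf_counter() - start
    return slow, fast


if __name__ == "__main__":
    user, password = "user@example.com", "correct horse battery staple"  # constructed
    record = server_enroll(client_auth_hash(user, password))
    print("right password:", server_verify(record, client_auth_hash(user, password)))
    print("wrong password:", server_verify(record, client_auth_hash(user, "password1")))
    again = server_enroll(client_auth_hash(user, password))
    print("same password, same stored hash?", again["hash"] == record["hash"])
    slow, fast = seconds_per_guess()
    print(f"one guess: {slow:.4f}s slow-hashed vs {fast:.6f}s for a single SHA-256")
```

The stored record holds only the salt and the hash, and enrolling the same password twice yields different hashes because each enrollment draws a new salt.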

What If My Password Is Weak?

There is one excellent point brought up on the LastPass blog concerning weak passwords. Many users are concerned that they didn’t dream up a unique enough password, and that these hackers will be able to guess it without very much effort.

There is also the remote risk that your account is one of those that hackers are wasting their time trying to decrypt, and there’s always the remote possibility that they could successfully obtain your master password. What then?


The bottom line is that all of that effort would be wasted, since logging in from another device requires verification via email – your email – before access is granted. From the LastPass blog:

“If the attacker attempted to get access to your data by using these credentials to log into your LastPass account, they’d be stopped by a notification asking them to first verify their email address.”

So, unless they can somehow hack into your email account in addition to decrypting a nearly uncrackable algorithm, you really have nothing at all to worry about.

Should I Change My Master Password?

Whether or not you want to change your master password really boils down to how paranoid or unlucky you feel. Do you think you may be the one unlucky person whose password gets cracked by talented hackers who somehow work through LastPass’s 100,000 round hashing routine and a salt code that’s unique just to you?

By all means, if you worry about such things, change your password just for peace of mind. It’ll mean that at least your salt and hash, in the hands of hackers, become useless.

However, there are security experts out there who are not at all concerned, such as Jeremi Gosney over at Structure Group, who told reporters:

“The default is 5,000 iterations, so at a minimum we’re looking at 105,000 iterations. I actually have mine set to 65,000 iterations, so that’s a total of 165,000 iterations protecting my Diceware passphrase. So no, I’m definitely not sweating this breach. I don’t even feel compelled to change my master password.”

The only real concern you should have about this data breach is that hackers now have your email address, which they could use to conduct mass phishing expeditions to try and trick people into giving up their various account passwords – or they may do something as mundane as selling all of those user emails to spammers on the black market.

The bottom line is that the risk from this security intrusion remains minimal, thanks to the overwhelming security of the LastPass system. But common sense says that any time hackers have obtained your account details – even protected through thousands of advanced cryptographic iterations – it’s always good to change your master password, even if it is for peace of mind.

Did the LastPass security breach get you very concerned about the safety of LastPass, or are you confident about the security of your account there? Share your thoughts and concerns in the comments section below.

Image credits: penetrated security lock via Shutterstock, Csehak Szabolcs via Shutterstock, Bastian Weltjen via Shutterstock, McIek via Shutterstock, GlebStock via Shutterstock, Benoit Daoust via Shutterstock


  1. Anonymous
    July 30, 2015 at 1:00 pm

    One thing has occurred to me. I myself use LastPass, and have been very satisfied with it. Here's what I thought of:-

    A lot of people worry about their 'personal' information getting into the 'wrong' hands. Aside from the obvious, i.e., none of us want other people using OUR bank accounts and cards to make purchases for themselves, leaving us to pick up the many of these people have 'dodgy', or extremely embarrassing personal info that they really DON'T want anybody else to know about?

    Just a thought...

  2. Anonymous
    July 15, 2015 at 7:17 pm

    I need to know about the master password, because I am still learning about it right where I am, and how to change it back when it's been hacked.

  3. Anonymous
    June 23, 2015 at 3:20 pm

    I always get a good laugh out of these book read people. They know nothing about hacking or security. Any hacker worth his salt attacks at the bios level. He replaces the nic bios with his own code, communicates with encrypted dns queries, and then does all of his work on the cpu and cache memory. These are out of sight from software and OSes and off of the bam. The only real security needed is to run continuous checksum audits on every bios present in your organization and then let your security software pick off the small stuff. Naturally, this would include smart phones but most book read IT departments are too lazy and stupid to care. Nuff said.

  4. Anonymous
    June 23, 2015 at 3:11 am

    I cannot for the life of me figure out why people will keep sensitive information such as passwords online. Then actually act surprised when said info is compromised. It's not a matter of if it will be, it's when.

    • Anonymous
      June 23, 2015 at 3:48 pm

      I use LastPass for convenience. I'm supposed to have strong, random, and unique passwords for each website, which I do. As of last count I have ~750 website/password combinations. So unless I go to the trouble of creating 750 strong passwords in an indestructible notebook that I tote around constantly, Lastpass is a pretty good compromise.

      Re: sensitive info online. Your SSN, VIN, bank account #'s, account numbers, CC numbers, driver's license and passport #'s, and mother's maiden name are already out there. They're in government and retail databases, which have been breached. The only thing standing between Joe hacker and placing an online order on your CC is that password.

  5. Anonymous
    June 22, 2015 at 10:57 pm

    What I think is that this was an attempt to steal the data of one (or more) specific account. The mass hacking was just to shadow this fact and the account that was targeted.

  6. Anonymous
    June 21, 2015 at 10:39 pm

    If it's a good password that you like, you can always change it back. :)

  7. Anonymous
    June 19, 2015 at 2:59 pm

    One thing that seems to have been ignored by everything I have been reading is the "user email addresses, password reminder questions/answers" that was stolen. With this information it may be possible for someone to gain access to other accounts. I would think that at a minimum people should change the password reminder questions and answers for their various accounts along with enabling 2 Factor Authentication.

    • Bruce Epper
      June 22, 2015 at 8:44 am

      The information they got from LastPass were user email addresses, the password hint on that account (if there was one), salts and the hashed password. LastPass doesn't do the Q&A thing on their site. If you forget your password, you can click a link to see the hint you provided. That is it.

      In order for the hackers to get access to your other accounts, they need the contents of your vault which does not appear to have been compromised - unless you have used the same email address, set up an obvious hint which pretty much gives away your password, and used the same password on multiple sites, you have nothing to worry about.

  8. Anonymous
    June 19, 2015 at 1:47 pm

    I have now read a few articles on the LastPass breach and what puzzles me is that they all concentrate on the need (or not) to change the master password, but not one mentions changing the email address linked to the user's account.

    It seems to me that if you change that to another email address as well as changing the password (I did both even though I also use 2FA), then it doesn't matter if the bad guys do somehow decipher the password - without the right user name email address they won't get past first base.

    Am I missing something?

    • Anonymous
      June 19, 2015 at 4:00 pm

      That thought occurred to me as I speculated that I might now start getting spam at that address and have to change it. I think you might be right.

      • Anonymous
        June 23, 2015 at 3:54 pm

        Spam is the least of my concerns. Your email is kinda like your public key. But since so many sites offer password resets through email, that's the weakest point (should your email be compromised). My suggestion would be change the PASSWORD on your email to something hardcore (20+ digits of random mixed case, numbers, symbols).

        And then if the spam bothers you, switch to Gmail or another service with a Bayesian filter ;)

        • Anonymous
          June 24, 2015 at 11:03 pm

          Yes, I have an email address I use only for LastPass, and it has a long and complex password. Other accounts that are important to me also have email addresses that aren't used elsewhere and are protected by strong passwords.
          In the case of LastPass, you can't access your data by means of a password reset: your data is encrypted using your existing password and cannot be decrypted without it. Other accounts could indeed be at risk this way. It makes me cringe when I see password advice that suggests your email account doesn't need as strong a password as your financial/online shopping accounts.
          And yes, I like Gmail too ;)

  9. Anonymous
    June 19, 2015 at 12:57 pm

    I've been using LastPass for quite a few years now, and have always found them to be incredibly secure. This article only bolsters that.

    Personally, as someone who works in the IT Security industry, I won't be changing my master passphrase. However, I have changed my email address and deleted the unique alias I used on my LastPass account. :-)

  10. Anonymous
    June 19, 2015 at 12:50 pm

    There's only two passwords I have to remember, my LastPass password and my email used for LastPass, the rest of them are stored within my Vault. If there is a security breach in any of the services, I always change the password for that service, regardless of whether I think my password is strong or the service is secure. Why take the risk? I also have TFA for my LastPass account.

    Another interesting point in the article got me thinking. If LastPass uses an extremely secure encryption technique, hashing with salt, why don't the other services use it? Or do they? Is it very difficult or expensive to implement?

    • Bruce Epper
      June 22, 2015 at 8:46 am

      Other sites such as Google, Microsoft, Yahoo!, banks, etc. use similar methods. You normally don't see it on forums and blogs since they are not holding "secret" or financial information, but anything that presents itself as a large target will have tougher security measures in place.

  11. Anonymous
    June 19, 2015 at 8:45 am

    Okay, there's the article on lifehacker to change the master password of lastpass after the breach, so I changed the password. If I were to read this article sooner, I wouldn't change my staggering 2241 days old master password :)

  12. Anonymous
    June 19, 2015 at 5:32 am

    Good to know, but I suspected that. I did try to change my master password, but I forgot it; my hint means nothing to me, so I have not been able to change even that. I figure if my hint means nothing to me it probably won't to the hacker either!

    • Anonymous
      June 19, 2015 at 12:59 pm

      ...and what if you need to log in to a new device? All your passwords will be useless. I'd try REALLY hard to remember that password if I were you. If you can't, export your passwords and start again. Otherwise, you could end up losing all your passwords!

  13. Anonymous
    June 19, 2015 at 3:57 am

    I'm confident in LastPass after this attack mainly because of how thorough they were with information and how quick they were with notification. This wasn't some credit card company's "yeah, we were hacked three months ago and didn't wanna look bad," as soon as LastPass knew, we knew.

    As for my password, I probably won't change it unless I think of another "perfect" one or if activity on my email starts looking fishy to suggest I'm being specifically targeted. I'm a small fish, no fame, no money, the only reason to go after me is random chance.

  14. Anonymous
    June 19, 2015 at 3:38 am

    If your original password was weak, there is a slight chance the bad guys could get it.
    If you left a password hint that would give someone else a good shot at guessing your password, there is a chance that the bad guys could get it.
    However, LastPass is blocking attempts to log in from unfamiliar devices without verification via your email (or 2FA if you have it enabled), so even with a weak password your data is still probably safe. Nevertheless, if you have a weak password, or an overly obvious password hint, it wouldn't be a bad idea to change your password as a precaution, preferably to a stronger one. Make sure your hint is cryptic, or don't leave one at all.
    If you had a strong password to start with, and you did not save a password hint that might give it away to someone else, you have little to worry about.

  15. Anonymous
    June 18, 2015 at 8:03 pm

    I too would like to keep my old password. It took me 2 years to remember it by heart. It is very very safe. Now I am asked to change it. Evidently Last Pass does not have secure passwords. Kind of stupid not to have secure passwords. Isn't it, Last Pass?

    • Ryan Dube
      June 18, 2015 at 9:28 pm

      What do you mean LastPass doesn't have secure passwords?

      • Anonymous
        June 18, 2015 at 9:54 pm

        The only way to get info from Last Pass is that they have insecure Passwords.
        My password said it could not be cracked in 1000 years. Therefore Last Pass had an easy to crack password.

        • Anonymous
          June 19, 2015 at 1:07 pm

          Brian, either you're an idiot, or didn't read this article. The article clearly states that it's extremely unlikely that the bad guys won't decipher your password.

          Plus, LastPass has absolutely nothing to do with your password. So much so, that if you forget it, you can't get back into your vault. If you pick a weak passphrase, that's your fault, not LastPass'.

          Also, don't believe what you read on those password generator sites. 1000 years, is rubbish, modern computer can crunch numbers extremely quickly, and they could figure out most passwords pretty quickly. If you want to be secure, use a passphrase, not a password.

          Reading your comment back, do you think that the LastPass servers simply have a weak password and a cracker guessed it? Come off it! This was clearly an APT, so much more than a script kiddy with a brute-force tool.

        • Anonymous
          June 19, 2015 at 1:08 pm

          ...and enable 2 factor authentication.

  16. Anonymous
    June 18, 2015 at 6:42 pm

    What I find confusing from Lastpass email notice was whether we are merely encouraged to change our master password -- or we will be forced to? I like my current one and would rather not change. Anyone know?

    • Ryan Dube
      June 18, 2015 at 9:29 pm

      Encouraged - not required. In fact there are many people who simply trust the security system at LastPass so much that they aren't bothering (as mentioned in the article).

      • Anonymous
        June 18, 2015 at 11:28 pm

        Good to know, thanks, Ryan.

      • Anonymous
        June 22, 2015 at 9:59 pm

        That's good. I'm running out of birthdays from my family members.