team discovered suspicious activity on their network 6/12. In all, the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses. Although they harden your authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, you should change your password and add some multifactor authentication
to be on the safe side.
Despite the rigor of the LastPass hashing regimen, the job of cracking a single hash belonging to a specific, targeted individual would be considerably less difficult and potentially within the ability of determined attackers, especially if the underlying password is weak. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse. The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash.
If you are using an easily guessed dictionary based password as described by Errata Security you should change your password. Although on a NVIDIA GTX Titan X, which is currently the fastest GPU for password cracking, an attacker would only be able to make fewer than 10,000 guesses per second for a single password hash using the password algorithm:
PBKDF2(HMAC-SHA256, sha256(PBKDF2(HMAC-SHA256, password, salt, rounds)), salt, 100000)
rounds = user_rounds || 5000 // the iteration count is user-defined. default is 5k
encryption_key = PBKDF2(HMAC-SHA256, password, salt, rounds) // this unlocks your vault
auth_key = sha256(encryption_key) // this is what is sent to the server for authentication
server_hash = PBKDF2(HMAC-SHA256, auth_key, salt, 100000) // what’s stored in the auth db