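【 The following text is reposted from the USANews board 】
Posted by: lczlcz (lcz), Board: USANews
Subject: LastPass was hacked; users should go change their passwords right away
Posted from: BBS 未名空间站 (Mon Jun 15 19:09:40 2015, US Eastern)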
One of the most popular password security companies just admitted it was
hacked
Cale Guthrie Weissman
Jun. 15, 2015, 3:27 PM
LastPass, a popular password manager program, just admitted it's been hacked.
In a blog post published today, LastPass’s Joe Siegrist writes, "The
investigation has shown ... that LastPass account email addresses, password
reminders, server per user salts, and authentication hashes were compromised."
LastPass works by having users choose one strong master password that they
must remember. When they log into LastPass, they use this strong
authenticator to gain access to a list of all of their other passwords,
which are stored in encrypted form on LastPass' servers.
LastPass’ servers do hold a list of all of its users' passwords, but because
they are encrypted (meaning they are heavily ciphered, making it nearly
impossible to crack), it's highly unlikely any hackers would be able to
decrypt LastPass' password trove.
Further, the encryption and decryption happens on the users' devices,
meaning that LastPass has no way to access any of its users' non-ciphered
passwords.
It's important to note that this breach does not mean that hackers have full
access to the passwords of every LastPass user. What it does mean, however,
is that if users use a weak master password or have used the same password
for another website, there’s a likelihood that hackers could gain access.
To fix this, all LastPass users should change their master password if it is
weak. Also, users should implement multi-factor authentication, making it
even harder for hackers to gain access.
Users, however, do not need to change the passwords stored in
LastPass.