The Core

If you’ve used a weak, dictionary-based master password (eg: robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites you need to update it.

Just being extra cautious? They say no encrypted data was stolen, so why change your master password?

Better measure is to enforce two-factor auth, but that goes against both user wishes (still working on getting a certain someone to use it) and their business model (mostly a premium feature).

I'd definitely change your master password. Do you know what encryption they use? A $200 graphics cards can do something of the order of 2 billion guesses a second.. I've read of setups that do 100B+ second. I'd only feel relatively safe if my remaining portion of the entire password string is 16+ characters or more.

Perhaps the prize for a cracker is a little bigger, as they're not getting access to one account but many.

>relaxed

I read a bit more about it and it seems there is an 'extra' layer of security with this particular platform, the 100K iterations that are done.

http://blog.erratasec.com/2015/06/should-i-panic-because-lasthash-was.html?m=1

Still, the cracking types are competitive and they look to compare % of the DB deciphered. Anyone that has a relatively insecure master password 'should' (in regards to dictionary or entropy) should change it.

>>the 100K iterations that are done

That's settable as well. I think the default is lower. But the key point being that the hash is rehashed so it burns extra CPU time making guesses.

100K times PBKDF2 is what LastPass uses on their servers for your stored data. On your local client the password iterations controls how many times your credentials is hashed using PBKDF2 before being sent to LastPass servers. The recommended value is 5000. I set it much higher than that, but you're right that the default is lower. PBKDF2 uses a hash called HMAC-SHA-256 as the hashing function inside PBKDF2. The recommendation is to use at least 10,000 iterations of the hash function for "stretching" (time-consumption) purposes to slow down even the GPU process of guessing. LastPass exceeded this recommendation a bit. Essentially they're using best-practices, and then some.

If I can use this instance to get my certain someone to enable 2-factor, I think we'll be more secure.

Well, in this case having 2FA enabled would more than double the security measures in place because in addition to overcoming all of the LastPass encryption they'd also have to have access to your local 2FA device to find out if their guess was correct. You really should have 2FA for everything that supports it. It's not always implemented in the best way, but when it is you're really stepping up the security of your accounts. It's such a small step to take.

In addition to the 2FA LastPass will let you limit the IP addresses you can connect from. You can even limit the access by country. And it's probably a good idea to block logins from Tor.

In the Advanced settings you can setup a separate security e-mail:

The security email address is a secondary email address that you can associate with your LastPass account. The security email address is meant to be used to receive your LastPass multifactor authentication emails and other security emails. Because the security email address is separate from ones that you use on a regular basis, and different than your account email address, its obscurity is intended to provide an extra layer of protection for your LastPass account

Set all that up and it's going to be real tough for the bad guys to even begin messing with your account, even if they managed to crack your password...which once you change, won't be of much use to them but an exercise of their GPU cycles.

Here's a handy list of about 100 popular sites that accept two-factor authentication, and how to turn it on:

https://www.turnon2fa.com/

Here's a list of categories they have on the site:

Backup and sync
Financial
Cloud computing
Communication
Cryptocurrencies
Developer
Domains
Education
Email
Gaming
Government
Health
Hosting
Identity management
Investing
Payments
Remote access
Shopping
Social media

I'd think you'd want all of them. It might take a bit to setup initially, but then you're done.

Yeah. They're handling security right from what I can see. They noticed some suspicious activity, locked everything down and took the precaution of notifying everyone for the worst case scenario regardless of the reputation hit they might take. There's no proof that anything was actually taken, but the possibility exists so they warned us. I see no reason to drop them due to this incident.

All of this does highlight, however, that the notes to your logins (not your Secure Notes, but the "notes" field) is not a place to store info you don't want to get out.

Which I was not aware of.... thanks.