Regarding the recent security incident: My master password is stored in my LastPass vault. Perhaps not best practice, I know. Two questions: * In light of the recent security incident, does this create an added risk? * If so, what actions should I take? * Change the master password? * Change all passwords? * Delete the master password from the vault? * Other?

nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Home
General

Question about recent security incident: Master Password stored in vault

Richard Van Hoesen

Regarding the recent security incident: My master password is stored in my LastPass vault. Perhaps not best practice, I know.

Two questions:

In light of the recent security incident, does this create an added risk?
If so, what actions should I take?

Change the master password?
Change all passwords?
Delete the master password from the vault?
Other?

Find more posts tagged with

Accepted answers

alexurc

There is no additional risk that your master password is stored in your vault. It would be an encrypted blob just like everything else. They would need to brute force your master password in order to read anything in your vault, so if that happens it's a moot point that your master password is stored in your vault.

A good reason anyone should be very concerned right now would be if they were using a weak master password of low complexity.

All comments

alexurc

You should absolutely be changing all of your passwords you had stored in your vault. Consider any data you have ever given to LastPass to be completely compromised at this point, whether or not the attackers will eventually be able to decrypt some (if not all) of the vault. You have to assume its all compromised, as the attackers have shown themselves to be quite sophisticated.

Additionally, due to the amount of personally identifiable information that was stolen in plaintext (Full Names, Billing Addresses, IP Addresses, URLs) you should likely institute a credit freeze on yourself through the 3 major bureaus. (Equifax, Transunion, and Experian). They all have online portals in which you can easily do this.

If you have been keeping any 2 Factor Authentication codes in their Authenticator app you should change them immediately and use a different app.

Sorry for the bad news but I am taking all of the above steps I've just told you, it stinks but this is what LastPass did to us because they have shown themselves to be utterly incompetent.

Richard Van Hoesen

Thank you for that general advice.

However, I am looking for specific information and advice on the question of the *additional* risk that is posed by the fact that my lastpass master password is stored in lastpass. Hopefully a lastpass admin can reply to this request.

alexurc

There is no additional risk that your master password is stored in your vault. It would be an encrypted blob just like everything else. They would need to brute force your master password in order to read anything in your vault, so if that happens it's a moot point that your master password is stored in your vault.