#Lastpass Hack mitigation:
If you're a Lastpass user, even if you're planning on leaving, it'll take some time to do so.
1. Enable MFA, preferably a good one like hardware keys or authenticator apps.
2. Lock down LastPass access to only the countries you expect to be in in the near term. You can do this through the web advanced settings tab.
3. Prohibit access from tor networks unless you're typically using them.
4. Increase your 'password iterations' value to something OVER 600,000.
#cososec
@0x56 Sure thing. Another note for those not technically-inclined... if you look at your LastPass advanced configuration (under Account Settings/Show Advanced Settings) and see that your Password Iterations setting is one of the legacy defaults (e.g.1, or 500, or anything less than 100,100) then YOU are the low hanging fruit. Not only do you need to bump up iterations to a minimum of 300,000 (or better yet, 600,000 as @0x56 suggests), but you REALLY SHOULD change all passwords that matter ASAP.
@codeWhisperer @0x56
Never having used LastPass, I'm curious why increasing iterations would take any significant time.
On #Bitwarden you just log into the web vault, and change the setting. All logged-in devices are deauthed until you manually log into them again
But see the 'solution' post here that explains why increasing the *length* of your master password is much more effective than increasing iterations in resisting cracking:
@voltronic @codeWhisperer - increasing the iterations makes it that much more expensive to brute force. Current OWASP recommendations is 600,000 or more. Increasing the length of the password makes it harder to crack (assuming no hashing collisions)
The reason (this is my theory) it takes so long is that it had to reencrypt everything, most likely individually.
@0x56 @voltronic For that reason, I like to back up my vault first. Which can also be scary! Here's why: the only way to backup your vault (on your own) is to export it. Exporting it means you have a decrypted copy sitting in a CSV file. Which means that all of your passwords and other data are now exposed. So after I export, I immediately encrypt that file (I use 7Z but YMMV) and securely erase the original file. THEN I change my master password (or PBKDF2 iterations) as needed. (cont'd)