#Lastpass Hack mitigation:
If you're a Lastpass user, even if you're planning on leaving, it'll take some time to do so.
1. Enable MFA, preferably a good one like hardware keys or authenticator apps.
2. Lock down LastPass access to only the countries you expect to be in in the near term. You can do this through the web advanced settings tab.
3. Prohibit access from tor networks unless you're typically using them.
4. Increase your 'password iterations' value to something OVER 600,000.
#cososec
@0x56 Sure thing. Another note for those not technically-inclined... if you look at your LastPass advanced configuration (under Account Settings/Show Advanced Settings) and see that your Password Iterations setting is one of the legacy defaults (e.g.1, or 500, or anything less than 100,100) then YOU are the low hanging fruit. Not only do you need to bump up iterations to a minimum of 300,000 (or better yet, 600,000 as @0x56 suggests), but you REALLY SHOULD change all passwords that matter ASAP.
@codeWhisperer @0x56
So I would recommend adding "Change your vault password to something longer" to the recommended steps for LastPass users. It's also much easier for non-nerds to do than the access restrictions (though I think those are excellent recommendations).
@codeWhisperer @0x56
Yuck. I just logged into my web vault to check this setting, and my iterations were only 5,000. #infosecfail
I increased to 800,000. That should keep the skids busy.
BTW, CodeWhisperer - are you aware that none of your replies threaded?
@voltronic @0x56 Sorry to hear about the iterations, but glad you found it. As for the threading, hmmm... no I was not aware. Maybe I am encountering a pebcak error. 🙂
I've just been hitting the reply icon, is that not correct?
@codeWhisperer
Hmm, your replies were not threaded yesterday but now they are. Maybe it was on my end.
@voltronic @0x56 This is a very good recommendation. Increasing iterations adds time needed to crack linearly, whereas increasing password length (generally) adds time to crack exponentially.
BTW, I said 'generally' because common sense still applies for password choice. Use at least 12 characters (15+ is better) and a mix of upper, lower and symbol characters. If you pick a password like letmein123 or col123456789 or qwertyuiop or a phrase containing only words you are already screwed.