On Monday, password manager LastPass said that unknown hackers had broken into its servers, making off with user email addresses, password reminder hints, per-user salts, and the salted, iterated authentication hashes derived from master passwords. Those hashes are what the server uses to check a login; they are not the master passwords themselves, and the company said it found no evidence that users' encrypted vaults were taken. LastPass, which promotes itself as the "last password you have to remember," lets people store all their online passwords in one vault, unlocked by a single master password.
LastPass CEO Joe Siegrist said the company discovered the breach on Friday, and is "confident that our encryption measures are sufficient to protect the vast majority of users." The company is now requiring users who log in from a new device or IP address to verify the login by email, he added, and encourages people with a "weak, dictionary-based master password (eg: robert1, mustang, 123456799, password1!)" or those who used their "master password as the password for other websites" to update their LastPass master password right away.
At Fast Company, Glenn Fleishman mostly agrees with LastPass's assessment that most accounts are safe, "so long as LastPass's description of how it holds user data is accurate and well implemented." But Joseph Bonneau, a cryptology researcher at Stanford, tells Wired that "this is still pretty bad," especially for people with weak passwords. "If they can brute force any master passwords, the attackers could extract password vaults and decrypt them for lots of users or some high value targets."
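To make concrete what Bonneau means by brute-forcing master passwords, here is a short added example (it is not LastPass's code, and the hashing scheme and iteration count are assumptions chosen for illustration, not the company's documented parameters). It models what an attacker holds after such a breach, a per-user salt and a PBKDF2 hash, and runs an offline dictionary attack with simple mangling rules against three constructed accounts. The weak passwords from the notice fall on the first pass; a long passphrase that appears in no wordlist does not.

```python
import hashlib
import os
from typing import Iterator, Optional

# Illustrative server-side scheme: PBKDF2-HMAC-SHA256 with a random per-user salt.
# The iteration count is an assumption for this example, not LastPass's parameter.
ITERATIONS = 10_000
SALT_BYTES = 16


def auth_hash(master_password: str, salt: bytes) -> bytes:
    """Derive the stored verifier from a master password and its per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS)


def enroll(master_password: str) -> dict:
    """What a server stores for one user: the salt and the verifier, never the password."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": auth_hash(master_password, salt)}


# Constructed wordlist for the example. Real cracking wordlists hold millions of
# previously leaked passwords, and rule sets are far richer than the ones below.
WORDLIST = ["123456", "password", "mustang", "robert", "qwerty", "letmein"]
SUFFIXES = ["", "1", "1!", "123"]


def candidates(wordlist=WORDLIST) -> Iterator[str]:
    """Expand the wordlist with mangling rules (capitalisation, common suffixes),
    the way cracking tools turn 'mustang' into 'Mustang123'."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


def crack(record: dict, wordlist=WORDLIST) -> Optional[str]:
    """Offline guessing against one leaked (salt, hash) pair.

    The per-user salt means work cannot be shared across accounts: every guess must
    be re-hashed for each record, so the iteration count is the only thing standing
    between a weak password and recovery."""
    for guess in candidates(wordlist):
        if auth_hash(guess, record["salt"]) == record["hash"]:
            return guess
    return None


def demo() -> dict:
    """Three constructed accounts, as an attacker would see them after the breach."""
    leaked = {
        "alice@example.com": enroll("password1!"),   # on the weak list in the notice
        "bob@example.com": enroll("Mustang123"),       # weak despite the capital and digits
        "carol@example.com": enroll("correct horse battery staple"),  # in no wordlist
    }
    return {email: crack(record) for email, record in leaked.items()}


if __name__ == "__main__":
    for email, result in demo().items():
        print(f"{email}: {'cracked -> ' + result if result else 'not recovered'}")
```

The point of the exercise is the asymmetry: the attacker needs only the leaked salt and hash, the wordlist does the rest, and the cost per guess is fixed by the server's iteration count. A master password that survives this is one that no wordlist or rule set will generate, which is why length and unpredictability matter more than sprinkling in digits and punctuation.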
What pretty much everyone agrees on is that you need a really good master password. And it doesn't have to be a string of random gibberish, either. If you're looking for guidance, maybe Edward Snowden can help.