
Change Your LastPass Master Password Now

By Neil J. Rubenking, Principal Writer, Security


On Friday, LastPass was attacked, and some data items were stolen. According to the company, there was no evidence that the invaders downloaded any encrypted user data, nor that they managed to access any accounts. Even so, if you use LastPass you should change your master password right now. Go ahead; you can come back and read the rest of this article when you're done.

LastPass founder and CEO Joe Siegrist posted a Security Notice on the company's website, explaining that "LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised." Siegrist states that LastPass's encryption measures should be "sufficient to protect the vast majority of users," but warns that anybody using a weak master password or recycling a password they've used elsewhere should choose a new master password immediately.

Just What Did They Get?
What could the attackers do with the data they stole? For the most part, not much. Some users' email addresses were exposed, but all that tells the attacker is that this person uses LastPass. "Server per user salts" sounds alarming, but it could be worse.

Like any remotely secure site, LastPass does not store your password. Rather, it runs the password through a hashing algorithm, a one-way function that is quick to compute but cannot be run backward to recover its input. If the password you enter hashes to the same value that's stored, it's a match.

If attackers steal the stored hashes, there's no direct way to go back to the passwords. However, if the attackers know the exact algorithm used, they can run millions of possible passwords through that algorithm and see if the resulting hashes match what they stole.

To blunt this, secure sites "salt" each hash with a random per-user value stored alongside it. A salt is not a secret, and it doesn't need to be: its job is to make every user's hash unique, so a candidate password has to be hashed once per user rather than once for everyone, and precomputed tables of common passwords are useless. Yes, the attackers captured the "per user salts," but LastPass combines them with additional random server-side values and a deliberately slow, many-round hashing step designed to make each guess so costly that working through the stolen hashes is impractical, except for users whose master password is weak or reused.
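The following is an added example, not LastPass's code, that works the argument through end to end: what a stolen dump of (email, salt, hash) records gives an attacker, why two users with the same password still get different hashes, and why the cost per guess, not the secrecy of the salt, is what decides whether a stolen dump can be cracked. The accounts, passwords and wordlist are constructed for the example; the slow hash uses PBKDF2-HMAC-SHA256 with 100,000 rounds as a stand-in for the "other techniques" the article alludes to, and that choice and figure are this example's assumptions, not details the article states.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data for the example: made-up accounts, made-up passwords.
# Nothing here comes from the LastPass incident.
ACCOUNTS = [
    ("alice@example.com", "Sally1990"),         # weak: the kind of thing a reminder gives away
    ("bob@example.com", "Sally1990"),           # same weak password as alice
    ("carol@example.com", "v7#Lq2!pWz9$mR4e"),  # strong, in no wordlist
]
WORDLIST = ["123456", "password", "letmein", "qwerty", "Sally1990", "fluffy"]
ROUNDS = 100_000  # cost knob for the slow hash; the figure is this example's choice


def fast_hash(password: str, salt: bytes) -> bytes:
    """One salted SHA-256. The salt defeats cross-user matching and precomputed
    tables, but each guess still costs the attacker a single hash."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted and iterated (PBKDF2-HMAC-SHA256). Every guess now costs the
    attacker `rounds` HMAC computations, separately for every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def build_dump(accounts, hasher):
    """What a site stores, and therefore what a thief can carry off:
    email, per-user salt, authentication hash. No plaintext password."""
    dump = []
    for email, password in accounts:
        salt = os.urandom(16)
        dump.append({"email": email, "salt": salt, "hash": hasher(password, salt)})
    return dump


def crack(dump, wordlist, hasher):
    """Offline dictionary attack with the salts in hand. Because salts differ,
    each candidate must be re-hashed for each user; no single table covers
    everyone. Returns {email: recovered_password} for whatever falls."""
    recovered = {}
    for rec in dump:
        for guess in wordlist:
            if hmac.compare_digest(hasher(guess, rec["salt"]), rec["hash"]):
                recovered[rec["email"]] = guess
                break
    return recovered


def same_password_same_hash(dump):
    """True if any two users share a stored hash (the signature of missing salts)."""
    hashes = [rec["hash"] for rec in dump]
    return len(hashes) != len(set(hashes))


def cost_ratio(rounds: int = ROUNDS, fast_trials: int = 1000) -> float:
    """Wall-clock cost of one slow guess relative to one fast guess."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(fast_trials):
        fast_hash("guess", salt)
    fast_per_guess = (time.perf_counter() - t0) / fast_trials
    t0 = time.perf_counter()
    slow_hash("guess", salt, rounds)
    slow_per_guess = time.perf_counter() - t0
    return slow_per_guess / fast_per_guess


if __name__ == "__main__":
    for name, hasher in (("fast", fast_hash), ("slow", slow_hash)):
        dump = build_dump(ACCOUNTS, hasher)
        print(name, "shared hashes:", same_password_same_hash(dump))
        print(name, "recovered:", crack(dump, WORDLIST, hasher))
    print("one slow guess costs roughly %.0f fast guesses" % cost_ratio())
```

Two things to notice. The weak password falls under both schemes; the slow hash only raises the price of each guess, so a password sitting in a short wordlist, or one that a leaked reminder narrows the list down to, is recovered anyway, which is exactly why the notice tells those users to change it. And the strong password survives both schemes not because its hash is hidden, but because no affordable number of guesses reaches it.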

Those Password Hints
The one item that really worries me is that the attackers apparently captured a collection of password reminders. The warning doesn't say whether or not these were matched to the corresponding account email, but if so, that could be bad, depending on the reminder.

I really hope anyone reading this is smart enough not to use a reminder like "Sally's birthday" or "My dog's name." But if you committed the security faux pas of protecting your data with a weak master password and a blatantly obvious password reminder, you could be in big trouble. You did change your master password already, right?

Added Protection
If you've wracked your brain to develop an insanely secure password that you can also remember, the last thing you want to do is go through that process again. In truth, periodically changing that master password is a smart security precaution, with or without the worry of stolen data; after a breach, you just have to bite the bullet. But there are other ways to enhance the security of your account.

Two-factor authentication means that somebody who steals or cracks your password still can't get into the account. Authentication requires both that password and something else, typically either a fingerprint or a code generated by or sent to your smartphone. And even the free edition of LastPass supports a variety of additional authentication factors, among them Google Authenticator, Toopher, Transakt, and Duo Mobile. LastPass 3.0 Premium lets you authenticate with your fingerprint, a YubiKey, or a specially prepared USB drive. Tw
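Google Authenticator, one of the options named above, implements the TOTP standard (RFC 6238, built on RFC 4226 HOTP). The code below is an added example, not LastPass's implementation, showing what a server does with such a code and why a stolen or cracked password alone does not get through. The shared secret is the RFC test-vector key so the outputs can be checked against the published vectors; the salt, stored password and clock values are constructed for the example.

```python
import hashlib
import hmac

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"), used so
# that the codes produced here match the published vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    This is what the authenticator app computes on the phone."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current code plus `window` steps either
    side to absorb clock skew, and compares in constant time."""
    counter = unix_time // step
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash for the first factor (PBKDF2-HMAC-SHA256;
    the round count is this example's choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def login(stored_salt: bytes, stored_hash: bytes, submitted_password: str,
          secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """Both factors must pass. A correct password with a missing, stale or
    guessed code is rejected, which is the property the article relies on."""
    candidate = hash_password(submitted_password, stored_salt)
    if not hmac.compare_digest(candidate, stored_hash):
        return False
    return verify_totp(secret, submitted_code, unix_time)


if __name__ == "__main__":
    # Constructed account: the salt and master password are made up for the demo.
    salt = b"\x00" * 16
    stored = hash_password("correct horse battery staple", salt)
    now = 1111111109
    code = totp(TEST_SECRET, now)
    print("phone shows:", code)
    print("password only:", login(salt, stored, "correct horse battery staple",
                                  TEST_SECRET, "000000", now))
    print("password + code:", login(salt, stored, "correct horse battery staple",
                                    TEST_SECRET, code, now))
```

The attacker in the article's scenario has, at best, a cracked master password. Without the per-account secret held by the phone, or the fingerprint or hardware key in the Premium options, the second check fails and the login does not proceed.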
