Another day and another breach, this time of the password database LastPass. The service announced that its systems have been compromised on its official blog yesterday. The unknown attackers have made off with server per-user salts and authentication hashes. In plainer terms, the encrypted master passwords of an unknown number of LastPass users have been exposed, and the password databases secured with those master keys are potentially at risk.
As a result of this breach, LastPass will be prompting its customers to update their master passwords. It'll also require users logging in from a new device or IP address to verify their accounts by email. Furthermore, the company recommends that users enable multi-factor authentication for added protection.
Users of the service should have ample time to change their master keys before the bad guys can work out the hashed versions, though. LastPass took steps to protect those passwords in the event that its systems were compromised. The company hashes each master password with the PBKDF2-SHA256 algorithm, which is designed to protect passwords and thus is extremely slow to process. LastPass' implementation of PBKDF2 uses 100,000 rounds of iterative hashes on its servers, along with extra rounds of hashing on the client side.
Despite this breach, I would still recommend LastPass and other password database solutions. Passwords have never been weaker. The risk of a breach like this is worth it to mitigate the many other risks that come from not using a password database.